DaemonForums > OpenBSD > OpenBSD Security
#1, 20th August 2013
frcc (Join Date: Jul 2011, Posts: 41)
ifconfig and ssh question

We have an internet server on an OpenBSD box (ver 5.3)
receiving traffic on port 80 from the WAN to various virtual hosts.

Traffic is directed to this machine via an off-the-shelf router
(only because I have not completely figured out how to write the
pf redirection code).

The internal internet server only serves port 80 traffic unless it is
generated statefully outbound from itself.
I have set up a pf.conf file filtering traffic on this server.

I currently ssh into this box via fxp0 along with internet traffic.
PF is set to only allow ssh traffic from the LAN and is configured with
antispoof entries.

All our servers have many NIC cards.
Question:
Would it help security to ssh into this box using fxp1 instead of fxp0,
i.e. physically separating WAN internet and ssh traffic,
adding entries into pf.conf as necessary?

.AND. if so
What would be the difference between doing that and using an alias on fxp0?

Thank you in advance.
#2, 20th August 2013
jggimi (Join Date: May 2008, Posts: 3,609)

Quote:
    ..Would it help security to ssh into this box using fxp1 instead of fxp0
    i.e. physically separating WAN internet and ssh traffic...
You don't want to have two NICs on the same subnet. From a network design perspective, that's not recommended.

If your SSH use is conducted using best practices, there would be no security implication to having its traffic use the same network segment, or having your SSH service accessible from the Internet. Mine are.

Best practices are key. The default sshd_config has two options which are present for ease of remote installation and initial configuration of the OS, but are not commonly considered best practice:
  • PermitRootLogin yes
  • PasswordAuthentication yes
The general recommendation is to set both of these to "no". This prevents access using passwords as an authentication method entirely, and prevents authentication attacks on the superuser account.

Personally, I like two authentication methods: 1) public key authentication with a passphrase, which provides two-factor authentication, and 2) S/Key one-time-pads when I'm using workstations I don't control. There are other methods available as well.

Using PF, you could restrict SSH access to the server so that access is only permitted by addresses on your LAN, but that would not prevent an attack vector coming from your LAN -- which is always possible, if a platform on your LAN were compromised.
Quote:
    What would be the difference between doing that and using an alias on fxp0?
Network architecture is a separate subject. In general, you don't want to have a device with two NICs on the same subnet. Aliases work, that doesn't.
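The two sshd_config options named above are easy to get wrong because commenting a line out does not turn the option off: sshd falls back to its compiled-in default, which for both options is "yes". As an added example (not jggimi's code or anything from OpenBSD), the POSIX sh below reports the value sshd would actually apply for each option; it assumes case-insensitive keywords, first-occurrence-wins, and a default of "yes" when the keyword is absent.

```shell
#!/bin/sh
# Added example: report the values sshd would actually use for the two
# installer-friendly defaults discussed in the post. Assumptions about
# sshd_config parsing: keywords are case-insensitive, the FIRST occurrence
# of a keyword wins, lines starting with '#' are comments, and an absent
# keyword falls back to the compiled-in default (taken as "yes" here).
# Not handled: "Keyword=value" syntax and Match blocks.

# effective_value FILE KEYWORD DEFAULT -> the value sshd would apply
effective_value() {
    val=$(awk -v k="$2" '
        NF == 0 || /^[[:space:]]*#/ { next }            # blank or comment line
        tolower($1) == tolower(k)    { print $2; exit } # first match wins
    ' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# audit_sshd_config FILE -> prints one line per option; returns 0 only when
# both PermitRootLogin and PasswordAuthentication are effectively "no".
audit_sshd_config() {
    rc=0
    for key in PermitRootLogin PasswordAuthentication; do
        v=$(effective_value "$1" "$key" yes)
        case $(printf '%s' "$v" | tr 'A-Z' 'a-z') in
            no) printf 'ok    %-22s %s\n' "$key" "$v" ;;
            *)  printf 'WEAK  %-22s %s\n' "$key" "$v"; rc=1 ;;
        esac
    done
    return $rc
}

# Demo on a constructed sample, not a real server's file: the defaults appear
# only as comments, so sshd still runs with them in effect.
sample=$(mktemp)
printf '#PermitRootLogin yes\n#PasswordAuthentication yes\nPort 22\n' > "$sample"
audit_sshd_config "$sample" || echo "installer defaults are still in effect"
rm -f "$sample"
```

Run it against /etc/ssh/sshd_config on the server to see the effective values; a non-zero exit means at least one of the two options is not "no".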
#3, 20th August 2013
jggimi (Join Date: May 2008, Posts: 3,609)

If you've not used Public Key Authentication before, here's a simple "how to":

http://www.daemonforums.org/showthre...3067#post22743
#4, 21st August 2013
frcc (Join Date: Jul 2011, Posts: 41)

Thank you