#1  psypro, 2nd November 2020
Openbsd NAT router + pf + suricata

I will update this post as I progress toward a working setup, so I myself can use it next time I reinstall, or somebody else googling might.
I am no expert. Hope somebody will find a thing or two to improve, and comment on it.

I have an OpenBSD firewall with PF. It gets fiber broadband in on em3.
I have a network for internal usage on em2 (don't want tor / p2p).
I have a network for guests on re0 (don't want tor / p2p).



Thanks to:

https://www.solrac.nl/openbsd-firewall-pf/


Part 1: Enable NAT

/etc/sysctl.conf

Code:
net.inet.ip.forwarding=1
Use this command to check it is enabled:
(I spent hours trying different pf.conf variants when this was the problem)

Code:
sysctl | grep forward
Should read:

Code:
net.inet.ip.forwarding=1


Part 2 : PF

/etc/pf.conf

Code:
# Create blocks that are variable
ext_if="em3"
int_if="em2"
int_if2="re0"
icmp_types="echoreq"


# Bruters

table <bruters> persist file "/etc/bruters"

block quick from <bruters>

#Badhosts -DE
table <badhosts> persist file "/etc/badhosts"

block in quick on egress from <badhosts> 


#Badstuff
table <badstuff> persist file "/etc/badstuff"

block drop out log (all) quick on $ext_if from any to <badstuff>

#Max new ssh connections 4 pr 7200s, pr ip
pass quick proto tcp from any to any port 22 \
        flags S/SA keep state \
        (max-src-conn 5, max-src-conn-rate 4/7200, \
        overload <bruters> flush global)
 
# Skip all loopback traffic
set skip on lo
 
# Perform NAT on external interface
match out on $ext_if from $int_if:network to any nat-to $ext_if
match out on $ext_if from $int_if2:network to any nat-to $ext_if

# Define default behavior
block in
pass out keep state
 
# Allow inbound traffic on internal interface
pass quick on $int_if
pass quick on $int_if2

 
# Protect against spoofing
antispoof quick for { lo $int_if $int_if2 }
 
# Allow other traffic
pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state

# Let suricata listen
pass out quick on egress inet proto tcp to port 80 divert-packet port 700
Part 3

Script to download the IPs of bad actors from blocklist.de and put them in badhosts.

Code:
#!/bin/ksh
# Fetch the blocklist.de list and load it into the <badhosts> table
set -e

tmp=$(mktemp) || exit 1
trap 'rm -f "$tmp"' EXIT

# -o writes to the temp file instead of leaving all.txt in the working directory
ftp -o "$tmp" https://lists.blocklist.de/lists/all.txt

# A failed or empty download must not wipe the existing table
[ -s "$tmp" ] || exit 1

cp "$tmp" /etc/badhosts

# Reload just the table rather than the whole ruleset
pfctl -t badhosts -T replace -f /etc/badhosts


Part 4 Suricata

Code:
pkg_add suricata
Code:
suricata-update
Code:
rcctl set suricata flags -i em3



Last edited by psypro; 5th November 2020 at 07:15 PM.
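A validating replacement for the "cat all.txt into /etc/badhosts" step of Part 3, added here as an example and not part of psypro's post: it accepts only well-formed IPv4/IPv6 addresses, drops anything in a never-block set (the values in NEVER_BLOCK are assumed placeholders), and refuses to install an empty list, so a failed download cannot empty the <badhosts> table. Download the list with ftp(1) first, as in the post, then run the script on the saved file.

```python
#!/usr/bin/env python3
# Validate a downloaded blocklist before it becomes a pf table file.
# Replaces the bare `cat all.txt > /etc/badhosts` step: only syntactically
# valid addresses reach the table, a never-block set is filtered out, and an
# empty or unusable download leaves the previous table file untouched.
import ipaddress
import os
import subprocess
import sys
import tempfile

# Assumption: addresses this firewall must never block (the ISP's resolvers,
# the upstream gateway). Constructed placeholder values.
NEVER_BLOCK = {"203.0.113.1", "203.0.113.2"}

def parse_blocklist(text, never_block=NEVER_BLOCK):
    """Return (unique valid addresses in file order, count of rejected lines)."""
    keep, rejected, seen = [], 0, set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # pf table files allow # comments
        if not line:
            continue
        try:
            addr = str(ipaddress.ip_address(line))
        except ValueError:
            rejected += 1                       # hostnames, CIDR ranges, junk
            continue
        if addr in never_block or addr in seen:
            continue
        seen.add(addr)
        keep.append(addr)
    return keep, rejected

def write_table(addrs, path):
    """Atomically replace the table file; refuse to install an empty list."""
    if not addrs:
        return False                            # keep the previous table
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as f:
        f.write("# %d entries from blocklist.de\n%s\n" % (len(addrs), "\n".join(addrs)))
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)                       # rename is atomic on one filesystem
    return True

if __name__ == "__main__":
    # Cron usage: ftp -o all.txt https://lists.blocklist.de/lists/all.txt && python3 badhosts.py all.txt
    addrs, bad = parse_blocklist(open(sys.argv[1]).read())
    print("%d valid addresses, %d lines rejected" % (len(addrs), bad))
    if write_table(addrs, "/etc/badhosts"):    # reload only the table, not the whole ruleset
        subprocess.run(["pfctl", "-t", "badhosts", "-T", "replace", "-f", "/etc/badhosts"], check=True)
```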
#2  psypro, 3rd November 2020

With this command suricata will start from the command line.

Code:
suricata -c suricata.yaml -s signatures.rules -i re0
Code:
 
3/11/2020 -- 19:28:15 - <Notice> - This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
3/11/2020 -- 19:28:15 - <Warning> - [ERRCODE: SC_ERR_FOPEN(44)] - could not open: "/etc/suricata/classification.config": No such file or directory
3/11/2020 -- 19:28:15 - <Error> - [ERRCODE: SC_ERR_OPENING_FILE(40)] - please check the "classification-file" option in your suricata.yaml file
3/11/2020 -- 19:28:15 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/etc/suricata/reference.config": No such file or directory
3/11/2020 -- 19:28:15 - <Error> - [ERRCODE: SC_ERR_OPENING_FILE(40)] - please check the "reference-config-file" option in your suricata.yaml file
3/11/2020 -- 19:28:15 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/app-layer-events.rules
3/11/2020 -- 19:28:15 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/decoder-events.rules
3/11/2020 -- 19:28:15 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/dns-events.rules
3/11/2020 -- 19:28:15 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/files.rules
3/11/2020 -- 19:28:15 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/http-events.rules
3/11/2020 -- 19:28:15 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/smtp-events.rules
3/11/2020 -- 19:28:15 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/stream-events.rules
3/11/2020 -- 19:28:15 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/tls-events.rules
3/11/2020 -- 19:28:15 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern signatures.rules
3/11/2020 -- 19:28:15 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 9 rule files specified, but no rule was loaded at all!
3/11/2020 -- 19:28:15 - <Notice> - all 5 packet processing threads, 4 management threads initialized, engine started.
But rcctl suricata fails.

Code:
rcctl start suricata              
suricata(failed)
Code:
 rcctl -d start suricata           
doing _rc_parse_conf
doing _rc_quirks
suricata_flags >-i em3rcctl set suricata flags -i em3<
doing rc_check
suricata
doing rc_start
doing _rc_wait start
doing rc_check
3/11/2020 -- 19:40:16 - <Notice> - This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
3/11/2020 -- 19:40:16 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get MTU via ioctl for 'em3rcctl': Device not configured (6)
3/11/2020 -- 19:40:16 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get MTU via ioctl for 'em3rcctl': Device not configured (6)
3/11/2020 -- 19:40:16 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata.pid. Aborting!
doing _rc_rm_runfile
(failed)

Last edited by psypro; 3rd November 2020 at 06:41 PM.
#3  psypro, 3rd November 2020

rm the suricata pid file. Then it starts with rcctl.

suricata is starting to fill in information in /var/log/suricata/fast.log
#4  jb_daefo, 4th November 2020

Can you detail the types of NIC on that machine that are involved in this router setup?
#5  psypro, 5th November 2020

Code:
ifconfig
(removed public ip)

Code:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
	index 7 priority 0 llprio 3
	groups: lo
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
	inet 127.0.0.1 netmask 0xff000000
em0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:1b:21:18:10:18
	index 1 priority 0 llprio 3
	media: Ethernet autoselect (none)
	status: no carrier
em1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:1b:21:18:10:19
	index 2 priority 0 llprio 3
	media: Ethernet autoselect (none)
	status: no carrier
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:1b:21:18:10:20
	index 3 priority 0 llprio 3
	media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
	status: active
	inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
em3: flags=808843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF4> mtu 1500
	lladdr XXXXXXXXXXX
	index 4 priority 0 llprio 3
	groups: egress
	media: Ethernet autoselect (100baseTX full-duplex)
	status: active
	inet XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	lladdr c0:3f:d5:ee:9d:0b
	index 5 priority 0 llprio 3
	media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
	status: active
	inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
enc0: flags=0<>
	index 6 priority 0 llprio 3
	groups: enc
	status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33136
	index 8 priority 0 llprio 3
	groups: pflog
#6  psypro, 5th November 2020

I added:
Code:
stream:
  checksum-validation: auto

Auto will turn off checksum-validation if it keeps giving errors, from what I understand.
Why is it recommended to turn it ON, and then drop the packets?
If one is to use checksum-validation it can't be offloaded to hardware, and in OpenBSD this is standard for hardware with the Intel em driver and the re driver to do.



Code:
Outbound packets don't have a correct checksum yet due to checksum offloading,
therefore suricata will log "SURICATA TCPv4 invalid checksum" and ignore these
packets. To workaround this set the following in suricata.yaml:

	stream:
	  checksum-validation: yes

Also adjust the configuration to drop packets:

	- drop:
	  enabled: yes
#7  psypro, 5th November 2020

Part of suricata.yaml

Add own IP.

Code:
## Step 1: inform Suricata about your network
##

vars:
  # more specific is better for alert accuracy and performance
  address-groups:
    HOME_NET: "[192.168.1.0/24,192.168.0.0/24]"
    #HOME_NET: "[192.168.0.0/16]"
    #HOME_NET: "[10.0.0.0/8]"
    #HOME_NET: "[172.16.0.0/12]"
    #HOME_NET: "any"

    EXTERNAL_NET: "!$HOME_NET"
    #EXTERNAL_NET: "any"

    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DC_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"

  port-groups:
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: 1521
    SSH_PORTS: 22
    DNP3_PORTS: 20000
    MODBUS_PORTS: 502
    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
    FTP_PORTS: 21
    VXLAN_PORTS: 4789
    TEREDO_PORTS: 3544
#8  SimpL, 6th November 2020

Hi psypro,

Did you write the suricata settings into /etc/rc.d/suricata? If you did not then the rcctl daemon won't start, and it does not know where your config files are.
Hope this helps.

BR
SimpL

Last edited by SimpL; 9th November 2020 at 09:03 AM.
#9  psypro, 6th November 2020

#cat /etc/rc.conf.local
dhcpd_flags=
pkg_scripts=suricata
suricata_flags=-d 700
unbound_flags=

# rcctl check suricata
suricata(ok)
SimpL, 9th November 2020

Wrong file there, Psypro.
I meant this:
/etc/rc.d/suricata

#!/bin/ksh
#
# $OpenBSD: suricata.rc,v 1.2 2018/02/15 16:19:41 ajacoutot Exp $

daemon="/usr/local/bin/suricata -D -c /etc/suricata/suricata.yaml -s /var/suricata/rules/suricata.rules -i XXXXXXX(the network card u want suricata to run on)"

. /etc/rc.d/rc.subr

rc_cmd $1

This file is responsible for the suricata daemon.
If you don't set this then the daemon won't work properly.
psypro, 3rd April 2021

With your rc.d guide I get suricata running from the command line.
But the recommendation from pkg_readme does not work.
Running 6.9 beta.

/etc/rc.d/suricata
Code:
#!/bin/ksh
#
# $OpenBSD: suricata.rc,v 1.2 2018/02/15 16:19:41 ajacoutot Exp $

daemon="/usr/local/bin/suricata -D -c /etc/suricata/suricata.yaml -s /var/lib/suricata/rules/suricata.rules -i re0"

. /etc/rc.d/rc.subr

rc_cmd $1

Code:
rcctl enable suricata                                                                       
rcctl: service suricata does not exist
TronDD, 3rd April 2021

Did you make the rc file executable?

Actually, why are you modifying the rc.d/suricata file at all? Write all of your flags into the suricata_flags in rc.conf.local

Last edited by TronDD; 3rd April 2021 at 03:12 PM.
psypro, 3rd April 2021

Thank you TronDD. I was trying following advice : "Wrong file there Psypro
I ment this:
/etc/rc.d/suricata"


Was about to ask question about that. Reading webpage about it https://www.oreilly.com/library/view...d_scripts.html

I will revert back to the original rc.d/suricata, and put the changes into rc.conf.local

/etc/rc.conf.local
Code:
dhcpd_flags=
unbound_flags=
pkg_scripts="suricata"
suricata_flags="-c /etc/suricata/suricata.yaml -s /var/lib/suricata/rules/suricata.rules -i re0"

/etc/rc.d/suricata
Code:
#!/bin/ksh
#
# $OpenBSD: suricata.rc,v 1.3 2021/01/31 18:03:49 sthen Exp $

daemon="/usr/local/bin/suricata -D"

. /etc/rc.d/rc.subr

rc_pre() {
        /usr/bin/install -d -o _suricata -g _suricata -m 0750 /var/run/suricata
}

rc_cmd $1

Last edited by psypro; 3rd April 2021 at 03:43 PM.
psypro, 3rd April 2021

I can now start suricata with rcctl. But it "dies". I guess it happens when it goes from the "root" user process to the "suricata" user process. I see it in the "top" command.

Code:
Firestorm# rcctl start suricata               
suricata(ok)
Firestorm# top
Firestorm# nano /etc/rc.conf.local            
Firestorm# top                      
Firestorm# rcctl check suricata               
suricata(failed)
Is this user for _suricata correct?
Code:
_suricata:*:800:800:Suricata Account:/nonexistent:/sbin/nologin
psypro, 4th April 2021

I did not make any progress. Vacation ended. Might give it a try next vacation.

Last edited by psypro; 21st April 2021 at 02:28 PM.
SimpL, 28th April 2021

Hi again

Sorry, was not on the forum for a while.
So.
rcctl enable suricata (run daemon on startup)
rcctl start suricata
You get it working.
What I'm curious about is what happens when you do this:
rcctl stop suricata
suricata-update
rcctl restart suricata
If it's not running then you can skip the stop. The update should run the update and see if you get the things you need to work.
If there is a problem maybe the directory access is not ok, and suricata can't write or read the dir.
If there is an error besides that then it is what you must check. Try checking /var/log/messages. If there are any errors then post them and maybe we can see the problem there.

btw:
passwd:
Code:
_suricata:*:800:800:Suricata Account:/nonexistent:/sbin/nologin
Running:
Code:
_suricat xxx etcetcetc:) /usr/local/bin/suricata -D -c /etc/suricata/suricata.yaml -s /var/suricata/rules/suricata.rules -i em0 -F /etc/suricata
/etc/rc.d/suricata:
Code:
#!/bin/ksh
#
# $OpenBSD: suricata.rc,v 1.2 2018/02/15 16:19:41 ajacoutot Exp $

daemon="/usr/local/bin/suricata -D -c /etc/suricata/suricata.yaml -s /var/suricata/rules/suricata.rules -i em0 -F /etc/suricata/whitelist.bpf"

. /etc/rc.d/rc.subr

rc_cmd $1
Don't mind the whitelist (Not working.....)

rc.conf.local:
Code:
pkg_scripts=suricata
It's without quotes for me... (and the file is empty besides this line; there is nothing else in it on my server....)

Last edited by SimpL; 28th April 2021 at 02:39 PM.