Friday, September 02, 2022

OpenBSD firewall configuration for an extremely hostile environment

Hi Guys,

We really need your assistance.

We have configured OpenBSD 7.1 as a firewall and gateway for our LAN network. We are faced with an extremely hostile environment with constant attacks, and our LAN devices were compromised with spyware. I will send you the details of the nasty spyware, which targets Linux, later. IDS/IPS were completely useless and could not detect the penetration.

The OpenBSD 7.1 was updated, and the file sets installed were as follows:

bsd, bsd.mp, bsd.rd, base71.tgz.

For a firewall, that was it.

Our network is extremely simple, with no complications, as follows:

lan_net > openbsd_firewall/gateway > internet

Absolutely no links were clicked to download the spyware; also, we do not use any servers (web, mail, etc.) that require access from the internet, and sshd is completely disabled in rc.conf.local. The sysctl file is at default settings (even securelevel=2 was useless). No wifi is used, all the network is hardwired, and the devices are Linux desktop platforms.

When connecting to the internet, all the devices use OpenVPN/OpenSSL with the latest updates, utilizing only the TCP protocol. The VPN is solid and quite secure; however, since the firewall was breached and the LAN was compromised, the encryption was bypassed. The spyware resides in the RAM of the Linux desktops and devices. The spyware is not publicly known. I will reveal the spyware to you later; this will create a bombshell in the UNIX community.

Below is the pf.conf file we configured. I suspect that I made some misconfiguration in the rules and commands, etc., that caused the breach of the firewall. Even with constant updates, the breach is still constantly present. We would appreciate your advice on the configuration below, and suggestions on making the most secure rules/configurations to defend against the most extreme hostile environment.

You can notice from the configuration below that we completely block anything incoming, and only allow outgoing strictly to the VPN addresses with the TCP protocol. The OpenVPN/OpenSSL is generated by the devices, not by the firewall. Each device has OpenVPN/OpenSSL configured with the latest updates and security patches. You may wonder whether the VPN could cause the issue, but actually it did not. When the platform was revealed, which is OpenBSD, the breach happened almost instantly. Meaning that the network was secure because the attacker could not know the platform, but once the attacker knew that the platform was OpenBSD, the breach happened almost instantly, bypassing any other security mechanism such as IDS/IPS, etc.

If you want me to send you the configurations of the other files, such as unbound.conf (TCP-only VPN DNS), resolv.conf (TCP-only VPN DNS), dhclient.conf, dhcpd.conf, sysctl, logs, etc., or any additional information, please advise.

We would appreciate your advice on the configuration below, and suggestions on making the most secure rules/configurations/firewall to defend against the most extreme hostile environment.

If faced with an extremely hostile environment and attacks as mentioned above, how should the firewall be configured for the network described? All the publications are, at best, basic configurations for a normal environment.

Thank you for your support.

======================================================================================================================================================================================
***********
* pf.conf *
***********

# Interfaces and LAN prefix (addresses redacted in the post)
ext_if  = "re0"
int_if  = "em0"
lan_net = "192.x.x.0/xx"

# Filled automatically by the 'overload' option on the pass rules below
table <abusive_hosts> persist

# Bogon and non-routable address space that must never be seen on the WAN side
table <private_networks> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, \
    127.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4, \
    100.64.0.0/10, 127.0.53.53, 192.0.0.0/24, 198.18.0.0/15, 198.51.100.0/24, \
    203.0.113.0/24, 224.0.0.0/4, 255.255.255.255/32 }

# VPN endpoints and the VPN-side DNS servers (redacted in the post)
table <VPN_IPs> { #.#.#.#, #.#.#.#.#....etc }
VPN_DNS       = "{ #.#.#.#, #.#.#.#.#....etc }"
VPN_TCP_Ports = "{ ####, ####, #### ...etc }"
VPN_DNS_Ports = "{ ###, ### ...etc }"

# Options (all 'set' statements grouped together)
set block-policy drop          # blocked packets are dropped silently, no RST/ICMP
set state-policy if-bound      # states are tied to the interface that created them
set reassemble yes             # reassemble IP fragments
set optimization aggressive    # time out idle states quickly, saving memory and CPU
set skip on lo0                # do not filter loopback

# Normalization
match in all scrub (no-df random-id max-mss 1440 reassemble tcp)
match all scrub (reassemble tcp)   # TCP normalization for the outbound direction as well

# NAT
#match out on $ext_if inet from !($ext_if) nat-to ($ext_if)   # when behind a router
match out log (all) on $ext_if inet from $lan_net to any nat-to ($ext_if)   # when facing the internet

# Spoofing protection for all interfaces
block in from no-route
block in log (all) quick from urpf-failed

# Block the obviously bogus, quick
block in quick log on $ext_if from any to $lan_net
block in quick log on $ext_if from no-route to any
block in quick log on $ext_if from any to 255.255.255.255
block in quick log on $ext_if from any to <private_networks>
block in quick log on $ext_if from <private_networks> to any
block return out quick log on $ext_if from any to <private_networks>

#set ruleset-optimization

# Anti-spoof, quick (left disabled)
#antispoof log (all) quick for $ext_if
#antispoof log (all) quick for lo0
#antispoof log (all) quick for $int_if

# Default deny: both directions, all interfaces, logged
block log (all) all

# IPv6 currently irrelevant, drop it quick
block drop in quick inet6

# Hosts that tripped the overload limits. Those limits are enforced on the
# LAN-side pass rules, so the offenders are LAN addresses; a block bound to
# $ext_if alone would never match them, so this applies on every interface.
block drop in quick from <abusive_hosts> to any

# Allow LAN -> VPN endpoints on the LAN interface, TCP only
pass log (all) on $int_if inet proto tcp from $lan_net to <VPN_IPs> port $VPN_TCP_Ports modulate state \
    (if-bound, max 200, source-track rule, max-src-nodes 3, max-src-states 3, \
    max-src-conn 10, max-src-conn-rate 5/3, overload <abusive_hosts> flush global)

# Allow LAN -> VPN-side DNS on the LAN interface, TCP only
pass log (all) on $int_if inet proto tcp from $lan_net to $VPN_DNS port $VPN_DNS_Ports modulate state \
    (if-bound, max 200, source-track rule, max-src-nodes 3, max-src-states 3, \
    max-src-conn 10, max-src-conn-rate 5/3, overload <abusive_hosts> flush global)

# Allow the NATed traffic out on the WAN interface, same restrictions
pass out log (all) on $ext_if inet proto tcp to <VPN_IPs> port $VPN_TCP_Ports modulate state \
    (if-bound, max 200, source-track rule, max-src-nodes 2, max-src-states 3, \
    max-src-conn 10, max-src-conn-rate 5/3, overload <abusive_hosts> flush global)

# DNS out on the WAN interface
pass out log (all) on $ext_if inet proto tcp to $VPN_DNS port $VPN_DNS_Ports modulate state \
    (if-bound, max 200, source-track rule, max-src-nodes 3, max-src-states 3, \
    max-src-conn 10, max-src-conn-rate 5/3, overload <abusive_hosts> flush global)

#===================================================================================================================
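As an added illustration that is not part of the original post: a small Python audit that reads a pf.conf text, joins backslash-continued lines, and checks every pass rule against the policy the post states (no inbound passes, TCP only, destinations limited to the VPN tables), plus one structural check that any table filled by an overload option is actually blocked on the interface whose rules fill it. The embedded ruleset is a constructed, reduced copy of the post's (macros and redacted addresses omitted); it keeps the post's abusive_hosts block bound to $ext_if while the overload rules sit on $int_if, which is the mismatch the audit reports.

```python
import re
# Constructed sample: reduced copy of the post's ruleset, with the
# abusive_hosts block bound to $ext_if only, as in the post.
RULESET = r"""
table <abusive_hosts> persist
block log (all) all
block drop in quick on $ext_if from <abusive_hosts> to any
pass log (all) on $int_if inet proto tcp from $lan_net to <VPN_IPs> \
    port $VPN_TCP_Ports modulate state (source-track rule, overload <abusive_hosts> flush global)
pass out log (all) on $ext_if inet proto tcp to <VPN_IPs> \
    port $VPN_TCP_Ports modulate state (source-track rule, overload <abusive_hosts> flush global)
"""

def logical_lines(text):
    # Join backslash-continued lines; drop comments and blank lines
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = (buf + line).strip(), ""
        if line:
            out.append(line)
    return out

def iface_of(rule):
    # Interface named by the rule's 'on' clause, or 'any' when there is none
    m = re.search(r"\bon (\$?\w+)", rule)
    return m.group(1) if m else "any"

def audit(text):
    rules = logical_lines(text)
    findings, filled = [], {}            # filled: overload table -> interfaces
    for r in (x for x in rules if x.startswith("pass")):
        if re.match(r"pass\s+in\b", r):
            findings.append("inbound pass: " + r)
        if "proto tcp" not in r:
            findings.append("pass not limited to TCP: " + r)
        if not re.search(r"\bto (<VPN_IPs>|\$VPN_DNS)\s", r):
            findings.append("pass not limited to VPN destinations: " + r)
        for m in re.finditer(r"overload <(\w+)>", r):
            filled.setdefault(m.group(1), set()).add(iface_of(r))
    # A table filled by overload must be blocked on every interface that fills it
    for table, ifaces in filled.items():
        blocked = {iface_of(r) for r in rules if r.startswith("block") and f"from <{table}>" in r}
        if "any" not in blocked:
            for iface in sorted(ifaces - blocked):
                findings.append(f"<{table}> is filled on {iface} but only blocked on {sorted(blocked)}")
    return findings
```

Run it against the real pf.conf with `audit(open("/etc/pf.conf").read())`; an empty list means the ruleset matches the stated policy as far as these checks go.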
