from a quick glance the firewall seems ok. However, if the clients in
your network route all their traffic through VPN, OpenBSD on the local
firewall cannot help. And on those VPN_IPs, what are the firewall rules?
Hint: if the VPN_IPs are compromised, traffic can probably be forwarded
to your hosts in the network, which then might be the same as having
those client computers directly connected to the internet, without any
firewall. Also, restrict outgoing traffic on the VPN_IPs - it's quite
simple for malware to e.g. make a reverse tunnel (like with ssh).
Be sure to have your linux desktop devices updated. What firewall was
compromised - your OpenBSD based firewall? ... hope you did a fresh
install from scratch on this device...
On 02.09.22 16:37, jonathon575 wrote:
> Hi Guys,
>
> We really need your assistance.
>
> We have configured openbsd 7.1 as a firewall and gateway for our lan network. We are faced with an extremely hostile environment with constant attacks, and our lan devices were compromised with spyware. I will send you the details of the nasty spyware later, which targets linux. IDS/IPS were completely useless and could not detect the penetration.
>
> The openbsd 7.1 was updated, and the file sets installed were as follows:
>
> bsd, bsd.mp, bsd.rd, base71.tgz.
>
> For a firewall, that was it.
>
> Our network is extremely simple with no complications as follows:
>
> lan_net > openbsd_firewall/gateway > internet
>
> Absolutely no links were clicked to download the spyware; also, we do not use any servers (web, mail, etc.) that require access from the internet, and sshd is completely disabled in rc.conf.local. The file sysctl is at default settings (even securelevel=2 was useless). No wifi is used, all the network is hardwired, and the devices are linux desktop platforms.
>
> When connecting to the internet, all the devices use openvpn/openssl with the latest updates, utilizing only the TCP protocol. The vpn is solid and quite secure; however, since the firewall was breached and the lan was compromised, the encryption was bypassed. The spyware resides in the RAM of the linux desktops and devices. The spyware is not publicly known. I will later reveal the spyware to you; this will create a bombshell in the UNIX community.
>
> Below is the pf.conf file we configured. I suspect that I did some mis-configuration in the rules and commands, etc. that caused the breach of the firewall. Even with constant updates, the breach is still constantly present. We appreciate your advice on the below configurations, and suggestions on making the most secure rules/configurations to defend against the most extreme hostile environment.
>
> You can notice from the configurations below that we completely block any incoming, and only allow outgoing strictly to the vpn addresses with the TCP protocol. The openvpn/openssl is generated by the devices, not by the firewall. Each device has openvpn/openssl configured with the latest updates and security patches. You may wonder whether the vpn could cause the issue, but actually it was not. When the platform was revealed, which is openbsd, the breach happened almost instantly. Meaning that the network was secure because the attacker could not know the platform, but once the attacker knew that the platform was openbsd, the breach happened almost instantly, bypassing any other security mechanism such as IDS/IPS, etc.
>
> If you want me to send you the configurations of the other files such as unbound.conf (TCP only vpndns), resolver.conf (TCP only vpndns), dhclient.conf, dhcpd.conf, sysctl, LOGS, etc. or any additional information, please advise.
>
> We appreciate your advice on the below configurations, and suggestions on making the maximum secure rules/configurations/firewall to defend against the most extreme hostile environment.
>
> If faced with an extremely hostile environment and attacks as mentioned above, how should the firewall be configured based on the mentioned network? All the publications are at best basic configurations for a normal environment.
>
> Thank you for your support.
>
> ======================================================================================================================================================================================
> ***********
> * pf.conf *
> ***********
>
> ext_if = "re0"
> int_if = "em0"
> lan_net = "192.x.x.0/xx"
>
> table <abusive_hosts> persist
>
> table <private_networks> const {10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4, 100.64.0.0/10, 127.0.53.53, 192.0.0.0/24, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/4, 255.255.255.255/32}
>
> table <VPN_IPs> { #.#.#.#, #.#.#.#.#....etc }
>
> VPN_DNS = "{ #.#.#.#, #.#.#.#.#....etc }"
>
> VPN_TCP_Ports = "{ ####, ####, #### ...etc }"
>
> VPN_DNS_Ports = "{ ###, ### ...etc }"
>
> #Drop All on Block
> set block-policy drop
>
> set state-policy if-bound
>
> #Reassemble Packets
> set reassemble yes
>
> #SKIP LOOPBACK
> set skip on lo0
>
> #SCRUB PACKETS
> match in all scrub (no-df random-id max-mss 1440 reassemble tcp)
> match all scrub (reassemble tcp)
>
> #SET UP NAT:
> #match out on $ext_if inet from !($ext_if) nat-to ($ext_if) # when behind a router
>
> match out log (all) on $ext_if inet from $lan_net to any nat-to ($ext_if) # when facing the internet
>
> # activate spoofing protection for all interfaces
> block in from no-route
> block in log (all) quick from urpf-failed
>
> # BLOCK THE OBVIOUSLY BOGUS **QUICK**
> block in quick log on $ext_if from any to $lan_net
> block in quick log on $ext_if from no-route to any
> block in quick log on $ext_if from any to 255.255.255.255
> block in quick log on $ext_if from any to <private_networks>
> block in quick log on $ext_if from <private_networks> to any
> block return out quick log on $ext_if from any to <private_networks>
>
> #This times out idle connections more quickly, reducing memory and processor use.
> set optimization aggressive
>
> #set ruleset-optimization
>
> #ANTI-SPOOF **QUICK**
> #antispoof log (all) quick for $ext_if
> #antispoof log (all) quick for lo0
> #antispoof log (all) quick for $int_if
>
> #Block All Traffic
> block log (all) all
>
> #IPV6 CURRENTLY IRRELEVANT, DROP IT **QUICK**
> block drop in quick inet6
>
> block drop in quick on $ext_if from <abusive_hosts> to any
>
> #Allow on LAN int_if
> pass log (all) on $int_if inet proto tcp from $lan_net to <VPN_IPs> port $VPN_TCP_Ports modulate state \
> (if-bound, max 200, source-track rule, max-src-nodes 3, max-src-states 3, \
> max-src-conn 10, max-src-conn-rate 5/3, overload <abusive_hosts> flush global)
>
> #DNS
> pass log (all) on $int_if inet proto tcp from $lan_net to $VPN_DNS port $VPN_DNS_Ports modulate state \
> (if-bound, max 200, source-track rule, max-src-nodes 3, max-src-states 3, \
> max-src-conn 10, max-src-conn-rate 5/3, overload <abusive_hosts> flush global)
>
> #Allow outbound on WAN ext_if
> pass out log (all) on $ext_if inet proto tcp to <VPN_IPs> port $VPN_TCP_Ports modulate state (if-bound, max 200,\
> source-track rule, max-src-nodes 2, max-src-states 3, max-src-conn 10, max-src-conn-rate 5/3,\
> overload <abusive_hosts> flush global)
>
> #DNS
> pass out log (all) on $ext_if inet proto tcp to $VPN_DNS port $VPN_DNS_Ports modulate state \
> (if-bound, max 200, source-track rule, max-src-nodes 3, max-src-states 3, \
> max-src-conn 10, max-src-conn-rate 5/3, overload <abusive_hosts> flush global)
>
> #===================================================================================================================
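Added here as an illustration, not part of either message: a small Python model of how pf evaluates the quoted filter rules (last matching rule wins, unless a matching rule is quick), using constructed addresses and ports in place of the redacted macros. It ignores state tracking, the match/NAT rules, the anti-spoof and inet6 blocks, and the overload limits.

```python
import ipaddress

# Constructed stand-ins for the values the post redacts ("192.x.x.0/xx", "#.#.#.#", "####").
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
VPN_IPS = {ipaddress.ip_address("203.0.113.10"), ipaddress.ip_address("203.0.113.11")}
VPN_TCP_PORTS = {1194, 443}
VPN_DNS = {ipaddress.ip_address("203.0.113.53")}
VPN_DNS_PORTS = {53}
EXT_IF, INT_IF = "re0", "em0"

# Filter rules transcribed from the quoted pf.conf, in file order; None means "any".
# Fields: action, quick, direction, iface, proto, src, dst, dports.
RULES = [
    ("block", True,  "in",  EXT_IF, None,  None,    LAN_NET, None),           # block in quick on $ext_if from any to $lan_net
    ("block", False, None,  None,   None,  None,    None,    None),           # block log (all) all
    ("pass",  False, None,  INT_IF, "tcp", LAN_NET, VPN_IPS, VPN_TCP_PORTS),  # Allow on LAN int_if
    ("pass",  False, None,  INT_IF, "tcp", LAN_NET, VPN_DNS, VPN_DNS_PORTS),  # DNS on int_if
    ("pass",  False, "out", EXT_IF, "tcp", None,    VPN_IPS, VPN_TCP_PORTS),  # Allow outbound on WAN ext_if
    ("pass",  False, "out", EXT_IF, "tcp", None,    VPN_DNS, VPN_DNS_PORTS),  # DNS on ext_if
]

def addr_matches(addr, spec):
    """spec is None (any), an ip_network, or a set of ip_address objects."""
    return spec is None or addr in spec

def evaluate(direction, iface, proto, src, dst, dport):
    """pf semantics for the first packet of a flow: the last matching rule wins,
    unless a matching rule is 'quick', which ends evaluation at once.
    State is ignored, so this only answers 'may this flow be opened?'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    decision = "pass"  # pf's implicit default when no rule matches at all
    for action, quick, d, i, p, s, t, ports in RULES:
        if (d and d != direction) or (i and i != iface) or (p and p != proto):
            continue
        if not (addr_matches(src, s) and addr_matches(dst, t)):
            continue
        if ports and dport not in ports:
            continue
        decision = action
        if quick:
            break
    return decision

if __name__ == "__main__":
    # Constructed packets: the only flow a LAN host may open is TCP to the VPN
    # endpoints, so whatever runs inside that session never meets a rule here.
    print(evaluate("in", INT_IF, "tcp", "192.168.1.20", "203.0.113.10", 1194))  # pass
    print(evaluate("in", INT_IF, "udp", "192.168.1.20", "203.0.113.10", 1194))  # block
    print(evaluate("in", INT_IF, "tcp", "192.168.1.20", "198.51.100.5", 443))   # block
    print(evaluate("in", EXT_IF, "tcp", "198.51.100.5", "192.168.1.20", 22))    # block (quick)
```

The model confirms the reply's point: the ruleset decides only whether a TCP session to the VPN endpoints may start, and everything carried inside that session, including a reverse tunnel, is invisible to it.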