"Halted" firewall - is it a good idea as feature? or just a fun story
Hello,

http://www.drdobbs.com/halted-firewalls/199101324

What do you think of it? :) any similar feature in OpenBSD? :D

copied the short text:

= Halted Firewalls
By Mike Murray, January 08, 2002

Murray shows how to configure a Linux box so the firewall will continue to filter packets after the machine has been shut down.

As systems administrators, it’s often funny how new and interesting information ends up in our hands. Sometimes, it’s through an intentional course of study; other times, it seems to arrive by accident. That’s exactly how the concept of using a halted Linux computer as a firewall occurred to me. I was at work, perusing an internal corporate mailing list and saw a message about something that was once present in Linux. The message referred to a method for shutting down a Linux box while ipchains is still running, and having the box continue to perform firewall tasks. My first response was to stifle a laugh — a firewall that works while in a halted state? I contacted the author (with a bit too much sarcasm in my letter), and was sent a link to an old discussion thread on the Firewalls list about a rumored feature in the 2.0.x kernels. This feature allowed you to run shutdown -h (halt) on the machine, and the firewall would remain active but with no drives mounted and no processes running. That is, the firewall would be in run level 0, but still be filtering packets. However, the list mentioned that this no longer worked in the 2.2.x series kernels.

I knew that I couldn’t leave it alone, however. I set out to make a 2.2.x box perform a similar function, and I hoped that I would be able to do it without having to patch the kernel in any way. It turns out that I can.

Perfect Security?

I realized the security implications of such a possibility. Assuming that the firewall could be cleanly shut down, having removed all process space and file systems, there would be no way for any attacker to gain access to the system. This is because there is a complete lack of process space, and there are no drives mounted. Thus, an attacker could not run code on the system outside of code that he or she could directly introduce into kernel space. This would require writing shell code to produce the desired results, which would not be a trivial task.

Note that this doesn’t make the firewall invulnerable to denial of service-type attacks. In fact, with respect to denial of service and resource-exhaustion attacks, this machine is no more secure than any ordinary Linux-based firewall. However, it can also be said that it is not significantly more vulnerable to that type of attack. Because this method does ensure that no user will ever gain controlling access to the firewall itself, there is definitely a huge security benefit. It’s a step in the direction of the old adage that the only perfectly secure machine is one turned off and locked in a room.

Implementation

My test machine was an x86-based Red Hat 6.2 machine with two Ethernet cards. No special system or kernel modifications were made. To begin, I searched the run control scripts, thinking they would be the most likely place to find a hint of what was to come. Specifically, I focused upon the scripts for rc0 (the script that runs when halting the machine). It turns out that this was all I had to do. I started removing scripts, working entirely by trial-and-error. After a relatively short period of time, I concluded that for Red Hat Linux 6.2, removing the following scripts will allow this behavior to occur:

/etc/rc.d/rc0.d/S00killall
/etc/rc.d/rc0.d/K90network
/etc/rc.d/rc0.d/K92ipchains

Removing these three scripts keeps the network up, and keeps ipchains running. Note that removal of the killall script is necessary because its task is to recurse through the /etc/rc.d/rc0.d/ directory and run all scripts that start with a K. This script would run the K90 network and K92 ipchains scripts, which would kill the network and ipchains.

Explanation

The design of Linux is as a monolithic kernel. When the machine is halted, the kernel still resides in memory, even when the machine runs through the shutdown process. The usual method to prevent this from being evident is to kill all possible access to the kernel during the shutdown process, which is accomplished by killing all running processes, shutting down all of the machine’s network interfaces, and unmounting the filesystems. This prevents the kernel from performing any intentional tasks while the machine is “halted”. However, the kernel is still running as a scheduler and memory manager at that point. Because the kernel is still running, any kernel-based tasks that we can run in normal use can be run while halted. Of course, most tasks require some form of input and output, either through the shell (user input), the file system, or the network (as in this
Have a 1 Gbit connection but I not all devices are getting 1 Gbit speed from my ISP
Hello:

Original question: https://superuser.com/questions/1332664/have-a-1-gbit-connection-but-i-not-all-devices-are-getting-1-gbit-speed-from-my

I have 3 laptops and a 1 Gbit network connection to my ISP. But when I connect my ISP's cable to the laptops, ethtool link/speedtest precisely says:

Lenovo G500 with USB 3.0 Ethernet and OpenBSD 6.2 - 100mbit
Lenovo T400 with motherboard Ethernet Ubuntu 14.04 - 100mbit
Lenovo T560 with motherboard Ethernet Windows 10 - 1 Gbit

All the HWs support 1 Gbit connection.

The big question: Why cannot the Lenovo G500 and Lenovo T400 auto-negotiate to 1 Gbit? It is a 1 Gbit connection to my ISP, but I can only auto-negotiate with 1 Gbit with the Windows 10/T560 laptop. Maybe I need cross-cable? The ISP I think has a switch at the other end.

This is the cable that I have from my ISP: https://i.stack.imgur.com/1rH37.jpg

the USB 3.0 Gbit ethernet to USB is cdce.

Anybody seen similar? What could cause the 100mbit connection instead of the Gbit?

Thanks for any hint..
Re: Have a 1 Gbit connection but I not all devices are getting 1 Gbit speed from my ISP
no, just cat5e afaik

> Sent: Wednesday, June 20, 2018 at 12:28 PM
> From: flipchan
> To: misc@openbsd.org, "Kollar Arpad"
> Subject: Re: Have a 1 Gbit connection but I not all devices are getting 1 Gbit speed from my ISP
>
> Do u run cat 6 cables ?
>
> --
> Take Care Sincerely flipchan layerprox dev
Re: Have a 1 Gbit connection but I not all devices are getting 1 Gbit speed from my ISP
UPDATE: I dd'ed an install63.fs to a flashdrive: sd2c, but only could boot the T400 with it (other Lenovo T61 and T560 just couldn't boot from it, strange). But the T400 booted the install63.fs, but.. it didn't recognize the cdce USB Gbit ethernet when I exited the Installer to Shell and plugged it in.

any advice why the .fs image didn't boot on the T560 and a T61? And how can I liveCD test with OpenBSD?

> Sent: Wednesday, June 20, 2018 at 3:14 PM
> From: "IL Ka"
> To: flipchan
> Cc: "OpenBSD General Misc" , "Kollar Arpad"
> Subject: Re: Have a 1 Gbit connection but I not all devices are getting 1 Gbit speed from my ISP
>
> > Lenovo G500 with USB 3.0 Ethernet and OpenBSD 6.2 - 100mbit
> > Lenovo T400 with motherboard Ethernet Ubuntu 14.04 - 100mbit
> > Lenovo T560 with motherboard Ethernet Windows 10 - 1 Gbit
>
> Boot all 3 laptops with OpenBSD flashdrive to see if it is OS/driver issue or hardware issue. Try to set speed explicitly and see if it works
hostname.cdce0 not modifying MAC
Hello,

I have the latest snapshot and

cat /etc/hostname.cdce0
up lladdr xx:xx:xx:xx:xx:xx

xx -> MAC, but censored.

How come I have to do a "sh /etc/netstart cdce0" to make OpenBSD modify the MAC address in the ifconfig output when I plug out/in the USB Gbit ethernet device?

Because of this (when plug out/in) the MAC address isn't updated for the cdce0 device, and thus the pppoe0 doesn't connect, because my ISP has MAC filtering and only allowed the one in the hostname.cdce0 file.

If the USB Gbit ethernet device is plugged out/in, shouldn't it have the MAC configured in its hostname.cdce0 file, without me having to manually run the netstart? Or what am I missing?

Thanks!
Re: hostname.cdce0 not modifying MAC
perfectly logical, thx, looks like I was tired

> Sent: Saturday, June 30, 2018 at 5:24 PM
> From: "Theo de Raadt"
> To: "Kollar Arpad"
> Subject: Re: hostname.cdce0 not modifying MAC
>
> Kollar Arpad wrote:
>
> > Hello,
> >
> > I have the latest snapshot and
> >
> > cat /etc/hostname.cdce0
> > up lladdr xx:xx:xx:xx:xx:xx
> >
> > xx -> MAC, but censored.
> >
> > How come I have to do a "sh /etc/netstart cdce0" to make OpenBSD modify the
> > MAC address in the ifconfig output when I plug out/in the USB Gbit ethernet
> > device?
>
> Because when the device isn't plugged in, it doesn't exist.
>
> > Because of this (when plug out/in) the MAC address isn't updated for the
> > cdce0 device, and thus the pppoe0 doesn't connect, because my ISP has MAC
> > filtering and only allowed the one in the hostname.cdce0 file.
> >
> > If the USB Gbit ethernet device is plugged out/in, shouldn't it have the
> > MAC configured in its hostname.cdce0 file, without me having to manually run
> > the netstart? Or what am I missing?
>
> netstart isn't automatically run when you install a device. That would be
> crazy.
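One way to have the lladdr from hostname.cdce0 re-applied each time the USB NIC is plugged back in, without running netstart by hand, is a hotplugd(8) attach script. This is an added example, not from this thread and not one of OpenBSD's own scripts; it assumes hotplugd is enabled and that device class 3 means a network interface, as hotplugd(8) documents, and the NETSTART and ETC variables exist only so the logic can be exercised outside a real system.

```shell
#!/bin/sh
# /etc/hotplug/attach: hotplugd(8) runs it on device attach with $1 = device class and
# $2 = device name; class 3 is a network interface. Re-running netstart for that
# interface applies its /etc/hostname.IF, lladdr line included, so a re-plugged cdce0
# gets its MAC back without a manual "sh /etc/netstart cdce0".
# Added example, not OpenBSD's own script. Enable with:
#   rcctl enable hotplugd && rcctl start hotplugd; chmod +x /etc/hotplug/attach

# These two variables exist only so the logic can be exercised outside a real system.
NETSTART=${NETSTART:-"sh /etc/netstart"}   # command that configures one interface
ETC=${ETC:-/etc}                           # directory holding hostname.IF files

hotplug_attach() {
    devclass=$1
    devname=$2
    case $devclass in
    3)
        # Only interfaces that have a hostname.if(5) file are configured; an unknown
        # USB NIC somebody plugs in is deliberately left unconfigured.
        if [ -f "$ETC/hostname.$devname" ]; then
            $NETSTART "$devname"
            return $?
        fi
        echo "attach: no $ETC/hostname.$devname, leaving $devname unconfigured" >&2
        return 1
        ;;
    *)
        return 0   # disks, tapes and other classes are not handled here
        ;;
    esac
}

# When run by hotplugd the class and name arrive as arguments; act on them.
if [ $# -ge 2 ]; then
    hotplug_attach "$1" "$2"
fi
```

The pppoe0 interface is not touched by this script; once cdce0 carries the expected MAC again, pppoe0 can be brought up the usual way.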
OpenBGPD - Adding Diversity to the Route Server Landscape (ripe.net)
Hello,

1) fyi: https://news.ycombinator.com/item?id=18549983 -> https://labs.ripe.net/Members/claudio_jeker/openbgpd-adding-diversity-to-route-server-landscape

2) why the heck isn't there a https://openbgpd.org/ ? why is it only via plain http? I know httpS is not a holy grail, but at least it is something.. Let's Encrypt, like the other domains for OpenBSD? and what is with: https://openntpd.org/ - can we have https there too?

Many thanks for reading. Great people! :)
The Dark Side of the ForSSHe - OpenSSH malwares
Hello,

just a FYI, maybe you haven't seen the study: https://www.welivesecurity.com/2018/12/05/dark-side-of-the-forsshe/

ESET researchers discovered a set of previously undocumented Linux malware families based on OpenSSH. In the white paper, “The Dark Side of the ForSSHe”, they release analysis of 21 malware families to improve the prevention, detection and remediation of such threats

PDF: https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf

Any creative hints to defend against this kind of threat?

Thinking of ex.: a new default option in the PermitRootLogin to only allow someone to log in for the first x times (where x = ex.: 3) with password for root, from that point, root is only allowed to log in with ssh key, until next sshd restart? Maybe that way more people would use key based auth and there would be less credential stealing?

Or ex.: if an "rpm -V openssh-server" says that the original binaries were modified, sshd would show a warning before asking for credentials?

Or how to ensure to not to run unsigned ELF/binaries/code? In OpenBSD or on Linux..

Or how to ensure that nothing can be installed with the same package name?

How about blacklisting some often used passwords? ex.: https://github.com/eset/malware-ioc/tree/master/sshdoor (either used by humans often or by backdoors)

When will "passwd" have option to give/generate passwords from 4 random english words from a 65k wordlist?

Thanks, just loud thinking.
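Two of the defences asked about above, done with stock tools, as an added example that is not from the ESET paper and not OpenBSD code: a digest baseline for the ssh/sshd binaries (the "rpm -V" idea, but independent of any package manager) and a review of sshd_config for settings that leave password logins open. The ssh_baseline, ssh_verify and sshd_config_review names and the sample config are this example's own; DIGEST defaults to sha256sum and can be pointed at OpenBSD's sha256(1).

```shell
# Added example (not from the ESET paper, not OpenBSD code): a digest baseline for the
# ssh/sshd binaries, i.e. the "rpm -V" idea without a package manager, plus a review of
# sshd_config for settings that leave password logins (what the backdoors harvest) open.
DIGEST=${DIGEST:-sha256sum}   # GNU coreutils; on OpenBSD use DIGEST="sha256 -r"

# ssh_baseline BASELINE FILE...: write one "digest path" line per file. Keep the
# baseline where a compromised host cannot rewrite it (read-only media, another host).
ssh_baseline() {
    baseline=$1; shift
    for f in "$@"; do
        $DIGEST "$f" | awk -v f="$f" '{ print $1, f }'
    done > "$baseline"
}

# ssh_verify BASELINE: print MODIFIED/MISSING for each file that differs from the
# baseline; returns 1 if anything differs, 0 if every file still matches.
ssh_verify() {
    rc=0
    while read -r want f; do
        if [ ! -f "$f" ]; then echo "MISSING $f"; rc=1; continue; fi
        have=$($DIGEST "$f" | awk '{ print $1 }')
        [ "$have" = "$want" ] || { echo "MODIFIED $f"; rc=1; }
    done < "$1"
    return $rc
}

# sshd_config_review < sshd_config: flag settings that allow password-based logins.
# sshd uses the first value it reads for a keyword (Match blocks are not modelled), and
# an absent PasswordAuthentication is flagged because the compiled-in default is yes.
sshd_config_review() {
    awk 'BEGIN { bad = 0 }
         /^[ \t]*#/ || NF < 2 { next }
         { k = tolower($1); v = tolower($2) }
         (k in seen) { next }
         { seen[k] = v }
         k == "passwordauthentication" && v == "yes" { print "WEAK: " $0; bad = 1 }
         k == "permitrootlogin" && v == "yes"        { print "WEAK: " $0; bad = 1 }
         k == "permitemptypasswords" && v == "yes"   { print "WEAK: " $0; bad = 1 }
         END { if (!("passwordauthentication" in seen)) {
                   print "WEAK: PasswordAuthentication unset (defaults to yes)"; bad = 1 }
               exit bad }'
}
# Constructed sample config for the demo: key auth is on, but root may still log in
# with a password, so the review prints the PermitRootLogin line and returns 1.
SAMPLE_SSHD_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication no
PubkeyAuthentication yes'
demo() { printf '%s\n' "$SAMPLE_SSHD_CONFIG" | sshd_config_review; }
```

Run ssh_baseline right after installing or upgrading OpenSSH and ssh_verify from cron or before each sshd restart; a non-zero exit is the "binaries were modified" signal the post asks sshd to surface.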