Re: PF log parser and dynamic PF rules...

2010-02-17 Thread Per-Olov Sjöholm
On 17 feb 2010, at 12.38, Peter Hessler wrote:

> On 2010 Feb 17 (Wed) at 07:51:03 +0100 (+0100), Per-Olov Sjöholm wrote:
> :Answer correctly or don't answer at all.
>
> It seems to me that people *did* answer correctly.  But, their answer
> was not what you wanted to hear.
>
> The answer: don't use port knocking, use a randomized url.
>
>
> https://example.com/64482a3717737695e4dd254a4d57da4f6c0795f3e811e8b12347625fb285.rss
>
> Google, Apple, etc use this scheme for webcal access.  I strongly doubt
> your rss feed requires more privacy than people's private calendars.
>
>
> --
> Beware of altruism.  It is based on self-deception, the root of all
> evil.
>


I know what I am doing and it's a simple test. A production environment will
for sure be more secured. As said, I _very_ much appreciate it if people give
their opinion _and_ an answer to the actual question if the person knows how to
do what I ask for. But what I don't like about it is that some just reply to
tell me it's done wrong, even though they do not know the context and the
tradeoffs that have been made and why. Professional people could nicely tell
their opinion and a hint to my question IF they have any clue. If they think I
should have provided more info, they could say so. I am a member of a few
helicopter forums, some Dreambox HTPC forums (TuxBOX), a bunch of Linux forums
(i.e. many different kinds of forums). Nowhere do they hack at each other like
they do at the OpenBSD lists. This is the only sad thing about OpenBSD, the
mailing list. Therefore I don't use it as much as before. A few of my developer
friends share this sadness with me.

You are right, Peter. My rss feed does not require more privacy (at this
stage) than private Google calendars. However there are a few problems with
randomized urls that I simply want to spend time on later. This is because at
this stage I just want to sell in the idea with a test containing less important
data and therefore use less work. A prod environment will be more secured to
fulfill the security policies etc.


Tnx to the people who contributed with something.

This thread is closed for me now

/Per-Olov
--
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4



Re: PF log parser and dynamic PF rules...

2010-02-17 Thread Peter Hessler
On 2010 Feb 17 (Wed) at 07:51:03 +0100 (+0100), Per-Olov Sjöholm wrote:
:Answer correctly or don't answer at all.

It seems to me that people *did* answer correctly.  But, their answer
was not what you wanted to hear.

The answer: don't use port knocking, use a randomized url.

https://example.com/64482a3717737695e4dd254a4d57da4f6c0795f3e811e8b12347625fb285.rss

Google, Apple, etc use this scheme for webcal access.  I strongly doubt
your rss feed requires more privacy than people's private calendars.


-- 
Beware of altruism.  It is based on self-deception, the root of all
evil.



Re: PF log parser and dynamic PF rules...

2010-02-17 Thread Kenneth R Westerback
On Wed, Feb 17, 2010 at 07:51:03AM +0100, Per-Olov Sjöholm wrote:
> On 17 feb 2010, at 02.07, Randal L. Schwartz wrote:
> 
> >> "Paul" == Paul de Weerd  writes:
> >
> > Paul> Jeez... As an asker, you don't really get to decide how or what other
> > Paul> people answer, or if they even answer at all.
> >
> > As I snipped off a Usenet group once:
> >
> >Get real!  This is a discussion group, not a helpdesk.  You post
> >something -- we discuss its implications.  If the discussion happens
> >to answer a question you've asked, that's incidental.  If you post a
> >question that implies that you've got a problem finding answers to
> >trivial questions in the manual, then it is perfectly reasonable for
> >us to discuss how to do that.
> >
> > --
> > Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
> > <http://www.stonehenge.com/merlyn/>
> > Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
> > See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion
> 
> I have been on this list for many years. Sometimes asking and sometimes
> helping others.
> 
> you are wrong
> 
> http://www.openbsd.org/mail.html
> --snip--
> User questions and answers, general questions
> --snip--
> 
> 
> Answer correctly or don't answer at all. A winning concept in real life as
> well.
> 
> ^d
> 
> Regards
> /Per-Olov
> --
> GPG keyID: 5231C0C4
> GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
> GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4
> 

"I have been on this list for many years ..." and "Answer correctly
or don't answer at all.".

You've been on misc@ for many years and expect correct answers or
respectful silence? My goodness, your optimism seems impervious to
experience.

You've been on misc@ for many years, yell at several developers
giving you correct answers and expect to get better support?
Interesting approach.

Looks like my first post to misc@ was only in 1998 so perhaps I have
insufficient experience to opine.

 Ken



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 17 feb 2010, at 02.07, Randal L. Schwartz wrote:

>> "Paul" == Paul de Weerd  writes:
>
> Paul> Jeez... As an asker, you don't really get to decide how or what other
> Paul> people answer, or if they even answer at all.
>
> As I snipped off a Usenet group once:
>
>Get real!  This is a discussion group, not a helpdesk.  You post
>something -- we discuss its implications.  If the discussion happens
>to answer a question you've asked, that's incidental.  If you post a
>question that implies that you've got a problem finding answers to
>trivial questions in the manual, then it is perfectly reasonable for
>us to discuss how to do that.
>
> --
> Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
> <http://www.stonehenge.com/merlyn/>
> Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
> See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion

I have been on this list for many years. Sometimes asking and sometimes
helping others.

you are wrong

http://www.openbsd.org/mail.html
--snip--
User questions and answers, general questions
--snip--


Answer correctly or don't answer at all. A winning concept in real life as
well.

^d

Regards
/Per-Olov
--
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Randal L. Schwartz
> "Paul" == Paul de Weerd  writes:

Paul> Jeez... As an asker, you don't really get to decide how or what other
Paul> people answer, or if they even answer at all.

As I snipped off a Usenet group once:

Get real!  This is a discussion group, not a helpdesk.  You post
something -- we discuss its implications.  If the discussion happens
to answer a question you've asked, that's incidental.  If you post a
question that implies that you've got a problem finding answers to
trivial questions in the manual, then it is perfectly reasonable for
us to discuss how to do that.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<http://www.stonehenge.com/merlyn/>
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Paul de Weerd
On Wed, Feb 17, 2010 at 12:40:02AM +0100, Per-Olov Sjöholm wrote:
| Amazing that so many people in this forum cannot read and therefore answer to B
| when I ask for A.

It's amazing that you get so much free (and good, imo) advice and then
not only completely ignore it, but even go out of your way to ridicule
the people spending their time to try and help you. Please, ask for C
on this list again. I hope enough people remember the gratitude you
showed to *NOT* give you an answer to C *or* D.

Jeez... As an asker, you don't really get to decide how or what other
people answer, or if they even answer at all. If you don't like the
replies you get, maybe you shouldn't be asking questions in the first
place - people here try to give sane advice, not hold your hand while
you try to shoot yourself in the foot. And I'll be explicit: the
people replying decide whether they consider what you're doing is
shooting yourself in the foot or not; if you want to debate their
considerations (better to ignore replies you do not consider useful
and draw your own conclusions when you're left with nothing), you
probably want to do that off-list.

Paul 'WEiRD' de Weerd

-- 
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
 http://www.weirdnet.nl/ 



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 16 feb 2010, at 17.17, Eugene Yunak wrote:

> 2010/2/16 Per-Olov Sjöholm :
>> Hi "misc"
>>
>> I am looking for a tool to use as a trigger for dynamically opening PF ports from
>> certain IP:s.
>>
>> I will access non critical info but want at least a port knocker as security.
>>
>> If I access an IP on my DMZ that is not in use on a port that is fake I want
>> to dynamically add a PF rule for a totally different purpose. Let's say I
>> access http://1.2.3.4:45321 which is blocked and logged in PF, what is the
>> easiest way to create a trigger from the PF log or the PF log device?
>>
>> A cron job with grep in the PF log and then run pfctl to add the rule is from
>> many points of view a bad choice... I don't want to dig through the PF log as
>> it can be huge, and I don't want to use a cron job as it takes too long..
>>
>> Any suggestions appreciated.
>>
>>
>> Thanks in advance
>> /Per-Olov
>>
>
> As many people have already suggested to you in this thread, you are
> doing it wrong. But if you _really_ want to do it that way, then
> probably you can simplify your configuration a bit.
>
> You can use "log (to pflog10)" to have a separate pflog device with
> only log entries about port-knocking attempts. Then you can have a
> small shellscript reading from tcpdump pflog10 in a cycle and adding
> IP addresses to a table of hosts with permitted access to your rss
> feed. This is much simpler and quicker than a cron job with full pflog
> parser.
>
> I would strongly encourage you to use per-user http authentication
> instead. Most rss readers i encountered actually _do_ support it, as
> they are all based on standard libraries, so you can just give them
> http://user:p...@host/path/file.rss url if they don't have a separate
> "authentication" field.
>
> --
> The best the little guy can do is what
> the little guy does right


Hi Eugene

Thanks.  As this is a test shoot only I will go for something home made in C
to feed a table for now. And I _really_ want to do it this way as it's a test.
A future production environment could maybe be totally different, who
knows. I have done security analysis since the early '90s and asked a simple
question to this forum. When people do not know, they just mess up the
thread with garbage. If only more people were like you, Eugene. That is, point
out your opinion AND a way to do it. Not just the first. The opinion can be
right, but also wrong as everything must be set in its correct context. Also,
a security tradeoff can be rated differently by different people.

Amazing that so many people in this forum cannot read and therefore answer to B
when I ask for A.


/Per-Olov
--
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Eugene Yunak
2010/2/16 Per-Olov Sjöholm :
> Hi "misc"
>
> I am looking for a tool to use as a trigger for dynamically opening PF ports from
> certain IP:s.
>
> I will access non critical info but want at least a port knocker as security.
>
> If I access an IP on my DMZ that is not in use on a port that is fake I want
> to dynamically add a PF rule for a totally different purpose. Let's say I
> access http://1.2.3.4:45321 which is blocked and logged in PF, what is the
> easiest way to create a trigger from the PF log or the PF log device?
>
> A cron job with grep in the PF log and then run pfctl to add the rule is from
> many points of view a bad choice... I don't want to dig through the PF log as
> it can be huge, and I don't want to use a cron job as it takes too long..
>
> Any suggestions appreciated.
>
>
> Thanks in advance
> /Per-Olov
>

As many people have already suggested to you in this thread, you are
doing it wrong. But if you _really_ want to do it that way, then
probably you can simplify your configuration a bit.

You can use "log (to pflog10)" to have a separate pflog device with
only log entries about port-knocking attempts. Then you can have a
small shellscript reading from tcpdump pflog10 in a cycle and adding
IP addresses to a table of hosts with permitted access to your rss
feed. This is much simpler and quicker than a cron job with full pflog
parser.

I would strongly encourage you to use per-user http authentication
instead. Most rss readers I encountered actually _do_ support it, as
they are all based on standard libraries, so you can just give them
http://user:p...@host/path/file.rss url if they don't have a separate
"authentication" field.

--
The best the little guy can do is what
the little guy does right
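The pflog10 approach Eugene describes above, as an added example that is not his code or OpenBSD's: a pf.conf fragment that sends only hits on the dummy port to a dedicated pflog interface, and a POSIX shell script that reads tcpdump's output from that interface and adds the knocking source address to a PF table which the feed's pass rule references. The table name rss_allowed, the macros, the tcpdump line layout and the sample lines are assumptions; the expiry step is there because, as Stuart and Peter H. note, a NATed or proxied source address admits everyone behind it.

```shell
#!/bin/sh
# Added example of a "knock on the dummy port -> add source to a PF table"
# watcher in the style Eugene outlined. Names and layouts below are assumed.
#
# pf.conf fragment (assumed macro and table names; 45321 is the fake port
# from the original post):
#
#   table <rss_allowed> persist
#   # only the knock rule logs to pflog10, so that device carries nothing else
#   block in log (to pflog10) quick on $ext_if proto tcp to $dmz_dummy port 45321
#   pass in quick on $ext_if proto tcp from <rss_allowed> to $feed_host port { 80 443 }
#
# Create the extra log interface before loading the rules: ifconfig pflog10 create

PFLOG_IF=${PFLOG_IF:-pflog10}
TABLE=${TABLE:-rss_allowed}
TTL=${TTL:-900}   # seconds an address stays in the table after its last knock

# knock_src_ip LINE
# Extracts the source address from one tcpdump line read from the pflog
# interface. OpenBSD tcpdump prints endpoints as "addr.port > addr.port"
# (assumed layout), so the token before ">" is the source and its trailing
# ".port" is stripped. Prints the address; returns 1 if the line has none or
# the result contains anything that is not an IPv4/IPv6 address character,
# so nothing unexpected is ever handed to pfctl.
knock_src_ip() {
    _src=$(printf '%s\n' "$1" | awk '{
        for (i = 2; i <= NF; i++)
            if ($i == ">") { s = $(i - 1); sub(/\.[0-9]+$/, "", s); print s; exit }
    }')
    [ -n "$_src" ] || return 1
    case "$_src" in
        *[!0-9a-fA-F.:]*) return 1 ;;
    esac
    printf '%s\n' "$_src"
}

# allow_src ADDR: admit the knocking address to the table and record it.
allow_src() {
    pfctl -t "$TABLE" -T add "$1" >/dev/null 2>&1 &&
        logger -t knockwatch "added $1 to <$TABLE>"
}

# expire_allowed: drop table entries older than TTL seconds. Keep TTL short:
# behind a carrier NAT or HTTP proxy the entry admits every client that
# shares the knocking source address.
expire_allowed() {
    pfctl -t "$TABLE" -T expire "$TTL" >/dev/null 2>&1
}

# watch_knocks: read the dedicated pflog interface forever, one packet per
# line, add each valid source address, and reap old entries every minute.
watch_knocks() {
    ( while :; do sleep 60; expire_allowed; done ) &
    tcpdump -n -e -l -i "$PFLOG_IF" 2>/dev/null |
    while IFS= read -r line; do
        ip=$(knock_src_ip "$line") || continue
        allow_src "$ip"
    done
}

# The live loop only starts when asked; the parsing function can be exercised
# offline with constructed tcpdump lines.
if [ "${KNOCKWATCH_LIVE:-0}" = "1" ]; then
    watch_knocks
fi
```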



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Floor Terra
On Tue, Feb 16, 2010 at 12:27 PM, Per-Olov Sjöholm wrote:

> There is no authentication available in most RSS clients. If it was, i would
> of course prefer or at least consider that. I am not that stupid you know.

https://example.com/feed.php?user=floort&passwd=SUPERSECRET
Every feed reader I know of can handle a url like this.
It's probably more secure and easier to implement than port-knocking.
And I wouldn't want to be the one who has to explain port-knocking to all
your customers and tell them they have to do this every time their feed
needs to refresh.

Floor

--
Floor Terra 
www: http://brobding.mine.nu/



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Bret S. Lambert
> So if anybody can come up with a better approach I will be very happy.

You've already been told, by multiple people, that a better approach is
to use the things that are available to you via the rich possibilities
of HTTP to solve this problem.

Sometimes, you're the lone genius who is misunderstood in his own time,
who future generations will admire for his foresight.

Most of the time, though, you're just Doing It Wrong(tm).



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Peter N. M. Hansteen
Per-Olov Sjöholm writes:

> we have to use something that works from all places. The content is
> not a secret, but something you have to pay a little for. So... not
> critical. 

Being the lazy git that I am, I could imagine that simply generating a
sufficiently obfuscated set of file or directory names to put in the
URL, likely on a per-user basis, would achieve roughly what you are
talking about.

Not exactly rocket science, but then neither are the other options.  I
fully understand the desire to write a PF log parser, though :)

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 16 feb 2010, at 12.06, Peter N. M. Hansteen wrote:

> Per-Olov Sjöholm writes:
>
>> None said anything about a password.. From where did you get that? I don't
>> have a plain text password.
>
> A port knocking sequence is for most purposes a password, encoded in a
> 16 bit alphabet.  That's it - port numbers run from 0 through 64k,
> although the practical range for portknocking purposes would likely
> exclude the more commonly used ones, mainly in the lower parts.
>
> I've been in the process of almost getting around to writing an
> article about how this limits the usefulness of portknocking as a
> security measure, there's always the question of round tuits.
> keywords: is your password more secure if it's stored as unicode?, the
> well known password guessing botnets, and so forth.
>
> The question of proportionality, as in the importance of your data vs
> the strength of your security measures is certainly relevant, but you
> should also take into consideration how much complexity any given
> security measure adds to your setup versus the actual gain in security.
> Hm. There might actually be an article in there.
>
> - P
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
>

We want to lock RSS to our own clients floating around in cyberspace. As
authentication is not widely supported in RSS clients, authentication is not
usable. Therefore we have to come up with a different approach. As we want to
use iGoogle and phones etc we have to use something that works from all
places. The content is not a secret, but something you have to pay a little
for. So... not critical. Of course you could authenticate with a web browser
and then trigger to open in PF. Probably a little better than just the access
to a dummy IP on a dummy port. But still not as good as I would like.

SSH and authpf are as far as I know now not possible as the SSH client will
freeze in the iPhone (which is widely used here) when going into background
and switching to the RSS client.

So if anybody can come up with a better approach I will be very happy.
Otherwise I have to create my pflog device parser myself as obviously no one in
this forum has seen anything similar.

Thanks
Per-Olov

--
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Bret S. Lambert
On Tue, Feb 16, 2010 at 12:27:44PM +0100, Per-Olov Sjöholm wrote:
> 
> On 16 feb 2010, at 12.07, Bret S. Lambert wrote:
> 
> > On Tue, Feb 16, 2010 at 11:44:12AM +0100, Per-Olov Sjöholm wrote:
> >> See my post to Peter H. You obviously have not worked with security
> > 
> > Why? Because I'm unwilling to endorse your preferred approach?
> > 
> >> and the tradeoffs you _always_ have to make.
> > 
> > Yes, you make tradeoffs, but you're asking for obscurity, not security.
> > It's a very important distinction to make, which you don't seem to be
> > doing.
> > 
> >> If you don't have anything to come up with, don't bother to post.
> > 
> > Okay, I'll bite:
> > 
> > You're trying to solve this at the wrong layer.
> > 
> > You're trying to use IP obfuscation.
> > 
> > You should be looking for HTTP authentication instead.
> 
> 
> There is no authentication available in most RSS clients.

No, but web servers don't run on crippled OSes (for certain values of
"crippled"), and are able to do things with URLs that level3 things
can't. Floor had a good suggestion about adding something to the URL
which would then be acted upon by the RSS feed server to determine
if the feed should be served. Since the solution you propose is no
less secure, just require that a "?user=NOTABOT" or some such be
appended.

You're still looking at the wrong layer to solve this problem.

> If it was, i would of course prefer or at least consider that.

You haven't looked at this problem hard enough, then.

> I am not that stupid you know.

Why, oh why, dear lord, do you tempt me with such softballs?



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 16 feb 2010, at 12.07, Bret S. Lambert wrote:

> On Tue, Feb 16, 2010 at 11:44:12AM +0100, Per-Olov Sjöholm wrote:
>> See my post to Peter H. You obviously have not worked with security
>
> Why? Because I'm unwilling to endorse your preferred approach?
>
>> and the tradeoffs you _always_ have to make.
>
> Yes, you make tradeoffs, but you're asking for obscurity, not security.
> It's a very important distinction to make, which you don't seem to be
> doing.
>
>> If you don't have anything to come up with, don't bother to post.
>
> Okay, I'll bite:
>
> You're trying to solve this at the wrong layer.
>
> You're trying to use IP obfuscation.
>
> You should be looking for HTTP authentication instead.


There is no authentication available in most RSS clients. If it was, I would
of course prefer or at least consider that. I am not that stupid you know.

/Per-Olov
--
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 16 feb 2010, at 11.57, Stuart Henderson wrote:

> On 2010-02-16, Per-Olov Sjöholm wrote:
>> The reason is to use an RSS reader that cannot authenticate. I want some sort
>> of security for it even though it's not critical.
>
> https://some.host/super-sekrit-password-here/feed.rss gives more
> security than trying to use a web browser (which is highly likely
> to be proxied and logged by the carrier) as a port-knocking client.

that could be better... right..

>
> And with port-knocking, how do you even know the subsequent
> connection will be (natted to the same source address || coming
> from the same http proxy)?
>


I know it does from phones connecting through the operator's own network (at
least in Sweden) and home broadband connected computers. But I don't from
stationary computers not sitting at home.

/Per-Olov

--
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 16 feb 2010, at 12.06, Lars Nooden wrote:

> Per-Olov Sjöholm wrote:
>> ...Or did I miss something here?
>
> You missed quite a lot.  I would recommend looking up the following
> before aggravating a larger public:
>   client - server architecture
>   client application
>   server (daemon)
>   rss
>   ssh
>   http, https
>   mod_auth_*
>
>
> Write back in a few days after you have more details about your project.
> Speculation is not fun.
>
> Regards,
> /Lars
>

You did not answer how to use authpf from an iPhone as you suggested as the
process will freeze when going into background.
It will freeze or not freeze. It's not any speculation, right?

I assume Fugu or Cyberduck as you suggested are dead ends with authpf


/Per-Olov



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Lars Nooden
Per-Olov Sjöholm wrote:
> ...Or did I miss something here?

You missed quite a lot.  I would recommend looking up the following
before aggravating a larger public:
  client - server architecture
  client application
  server (daemon)
  rss
  ssh
  http, https
  mod_auth_*


Write back in a few days after you have more details about your project.
Speculation is not fun.

Regards,
/Lars



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Peter N. M. Hansteen
Per-Olov Sjöholm writes:

> None said anything about a password.. From where did you get that? I don't
> have a plain text password. 

A port knocking sequence is for most purposes a password, encoded in a
16 bit alphabet.  That's it - port numbers run from 0 through 64k,
although the practical range for portknocking purposes would likely
exclude the more commonly used ones, mainly in the lower parts.  

I've been in the process of almost getting around to writing an
article about how this limits the usefulness of portknocking as a
security measure, there's always the question of round tuits.
keywords: is your password more secure if it's stored as unicode?, the
well known password guessing botnets, and so forth.

The question of proportionality, as in the importance of your data vs
the strength of your security measures is certainly relevant, but you
should also take into consideration how much complexity any given
security measure adds to your setup versus the actual gain in security.  
Hm. There might actually be an article in there. 

- P
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Bret S. Lambert
On Tue, Feb 16, 2010 at 11:44:12AM +0100, Per-Olov Sjöholm wrote:
> See my post to Peter H. You obviously have not worked with security

Why? Because I'm unwilling to endorse your preferred approach?

> and the tradeoffs you _always_ have to make.

Yes, you make tradeoffs, but you're asking for obscurity, not security.
It's a very important distinction to make, which you don't seem to be
doing.

> If you don't have anything to come up with, don't bother to post.

Okay, I'll bite:

You're trying to solve this at the wrong layer.

You're trying to use IP obfuscation.

You should be looking for HTTP authentication instead.



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Jussi Peltola
Just put your data on some funny port, then? Or give it a long and hard
to guess name, that might actually have sufficient entropy to be any
use.

A less-than-16-bit "random" port is rather easy to guess.

And, if you really want to do port blocking, read the pf man page. It is
possible with a rule that adds IPs to tables. Perhaps after more than
one knock for "added security..."

In any case, I really don't see a need for OpenBSD to support these
kinds of silly things, the people who really want to do them can find
their own ways.



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
Hi again Lars...

An important addition below


On 16 feb 2010, at 11.44, Lars Nooden wrote:

> Per-Olov Sjöholm wrote:
>> On 16 feb 2010, at 11.11, Lars Nooden wrote:
>>
>>> http://rsug.itd.umich.edu/software/fugu/
>>
>>
>> Noop. Can't see that these will work and all phones and computers
>> seamlessly with ease of use for the users.
>
> You appear to have asked about clients for the iphone, not all phones.
> Fugu and cyberduck are very easy to use.


But the SSH session will freeze when you switch to the RSS client that is the
main purpose to use, right? This as the iPhone is not multi tasking with third
party applications.

Then it's not usable without a jailbreak of all company iPhones... Or did I
miss something here?

/Per-Olov


>
>> The reason for the post was just to see if there is already any tools
>> for this purpose, which is to have log trigger in PF logfile or its
>> pflog0 device.
>
> authpf then.
>
> Note pf.conf allows you to apply filters to groups of users.  See the
> 'group' parameter about 17% of the way down through pf.conf(5)
>
> Something like this:
>   pass in log (to pflog2) group phoners
>
> /Lars



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Stuart Henderson
On 2010-02-16, Per-Olov Sjöholm wrote:
> The reason is to use an RSS reader that cannot authenticate. I want some sort
> of security for it even though it's not critical.

https://some.host/super-sekrit-password-here/feed.rss gives more
security than trying to use a web browser (which is highly likely
to be proxied and logged by the carrier) as a port-knocking client.

And with port-knocking, how do you even know the subsequent
connection will be (natted to the same source address || coming
from the same http proxy)?



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 16 feb 2010, at 11.35, Bret S. Lambert wrote:

> On Tue, Feb 16, 2010 at 11:28:28AM +0100, Per-Olov Sjöholm wrote:
>>
>> On 16 feb 2010, at 11.17, Bret S. Lambert wrote:
>>
>>>>> There is a way to do port knocking in pf without any external help. Maybe
>>>>> you can figure it out. I will not give more hints since port knocking is a
>>>>> dumb idea better spend your time reading on authpf(8).
>>>>>
>>>>> --
>>>>> :wq Claudio
>>>>>
>>>>
>>>> How do you use authpf from an iPhone or similar...
>>>>
>>>> The reason is to use an RSS reader that cannot authenticate. I want some
>>>> sort
>>>
>>> An RSS reader that can't authenticate, but can ping a series of TCP/IP
>>> ports?
>>
>> Where did you get that from? I didn't say it could... No but all devices
>> with an RSS client, even phones, have a web browser that can have a bookmarked
>> IP and obscure port.
>>>
>>>> of security for it even though it's not critical. Therefore I want to just
>>>> have
>>>
>>> That word you keep using...I don't think it means what you think it means.
>>> Unless you've got a mechanism to randomize the ports on every port-knocking
>>> attempt, you're essentially using a plaintext password on the internet.
>>>
>>
>> None said anything about a password.. From where did you get that?
>
> I said that you're *essentially* using a plaintext password, not that
> you're *actually* using a plaintext password. My meaning was that you're
> effectively using a security model that's been known to be bad for as
> long as I've been in the tech industry.
>
>> forcing the clients to first open their browser and access a
>> specific IP and a specific port.
>
> Yes, because those are impossible for an attacker to guess.
>
>> But again, the data is not that critical.
>
> Then why care about "security" at all?
>
>> And it's not likely they will guess the link.
>
> Congratulations; I'm actually at a loss for words after reading that.


See my post to Peter H. You obviously have not worked with security and the
tradeoffs you _always_ have to make.

If you don't have anything to come up with, don't bother to post.


/Per-Olov



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Lars Nooden
Per-Olov Sjöholm wrote:
> On 16 feb 2010, at 11.11, Lars Nooden wrote:
> 
>> http://rsug.itd.umich.edu/software/fugu/
> 
> 
> Noop. Can't see that these will work and all phones and computers
> seamlessly with ease of use for the users.

You appear to have asked about clients for the iphone, not all phones.
Fugu and cyberduck are very easy to use.

> The reason for the post was just to see if there is already any tools
> for this purpose, which is to have log trigger in PF logfile or its
> pflog0 device.

authpf then.

Note pf.conf allows you to apply filters to groups of users.  See the
'group' parameter about 17% of the way down through pf.conf(5)

Something like this:
pass in log (to pflog2) group phoners

/Lars



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 16 feb 2010, at 11.44, Lars Nooden wrote:

> Per-Olov Sjöholm wrote:
>> On 16 feb 2010, at 11.11, Lars Nooden wrote:
>>
>>> http://rsug.itd.umich.edu/software/fugu/
>>
>>
>> Noop. Can't see that these will work and all phones and computers
>> seamlessly with ease of use for the users.
>
> You appear to have asked about clients for the iphone, not all phones.
> Fugu and cyberduck are very easy to use.

My mistake. Sorry!

It must be a solution for _any_ RSS client and a web browser.

>
>> The reason for the post was just to see if there is already any tools
>> for this purpose, which is to have log trigger in PF logfile or its
>> pflog0 device.
>
> authpf then.
>
> Note pf.conf allows you to apply filters to groups of users.  See the
> 'group' parameter about 17% of the way down through pf.conf(5)
>
> Something like this:
>   pass in log (to pflog2) group phoners
>
> /Lars



Yes, I used that a few years ago. It's nice but is not doable on all
clients. But maybe I could make an SSH-capable client a company requirement.
Of course I agree it's a better solution if I could limit the phones to
the ones that can use an SSH client.



/Per-Olov
--
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Bret S. Lambert
On Tue, Feb 16, 2010 at 11:28:28AM +0100, Per-Olov Sjöholm wrote:
> 
> On 16 feb 2010, at 11.17, Bret S. Lambert wrote:
> 
> >>> There is a way to do port knocking in pf without any external help. Maybe
> >>> you can figure it out. I will not give more hints since port knocking is a
> >>> dumb idea better spend your time reading on authpf(8).
> >>> 
> >>> --
> >>> :wq Claudio
> >>> 
> >> 
> >> How do you use authpf from an iPhone or similar...
> >> 
> >> The reason is to use an RSS reader that cannot authenticate. I want some sort
> > 
> > An RSS reader that can't authenticate, but can ping a series of TCP/IP ports?
> 
> Where did you get that from? I didn't say it could... No but all devices with 
> an RSS client, even phones, have a web browser that can have a bookmarked IP 
> and obscure port.
> > 
> >> of security for it even though it's not critical. Therefore I want to just have
> > 
> > That word you keep using...I don't think it means what you think it means.
> > Unless you've got a mechanism to randomize the ports on every port-knocking
> > attempt, you're essentially using a plaintext password on the internet.
> > 
> 
> No one said anything about a password. Where did you get that from?

I said that you're *essentially* using a plaintext password, not that
you're *actually* using a plaintext password. My meaning was that you're
effectively using a security model that's been known to be bad for as
long as I've been in the tech industry.

> forcing the clients to first open their browser and access a
> specific IP and a specific port.

Yes, because those are impossible for an attacker to guess.

> But again, the data is not that critical.

Then why care about "security" at all?

> And it's not likely they will guess the link.

Congratulations; I'm actually at a loss for words after reading that.



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 16 feb 2010, at 11.17, Peter N. M. Hansteen wrote:

> Per-Olov Sjöholm writes:
>
>> How do you use authpf from an iPhone or similar...
>
> There are ssh clients for iphones, just look in the app store.  The
> one i ended up installing has gone up in price it seems to (shock,
> horror) NOK 35 (about USD 6), but I see one at NOK 6 (about a dollar).
>
> And of course for obscurity, you can set up the sshd on a non-standard
> port.
>
> Then again, Claudio's comment happens to be true, and now I guess some
> kid will actually figure it out, implement and write a HOWTO.  Good
> thing I wasn't eating or drinking anything.

Writing a HOWTO for what? Don't get it...

I have been working with security on several platforms since 1990. I have been
on OpenBSD since 2.6. You of all people, Peter, should know that it's always a
tradeoff between security, ease of use and the importance of the content. I have
made that tradeoff and therefore come up with this solution.

I can build my own code for this, but posted to see if there was already
something built.

Claudio's comment is not relevant. See my reply to Bret S. Lambert.


/Per-Olov

>
> grmpf,
> Peter
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 16 feb 2010, at 11.17, Bret S. Lambert wrote:

>>> There is a way to do port knocking in pf without any external help. Maybe
>>> you can figure it out. I will not give more hints since port knocking is a
>>> dumb idea better spend your time reading on authpf(8).
>>>
>>> --
>>> :wq Claudio
>>>
>>
>> How do you use authpf from an iPhone or similar...
>>
>> The reason is to use an RSS reader that cannot authenticate. I want some sort
>
> An RSS reader that can't authenticate, but can ping a series of TCP/IP ports?

Where did you get that from? I didn't say it could... No but all devices with
an RSS client, even phones, have a web browser that can have a bookmarked IP
and obscure port.
>
>> of security for it even though it's not critical. Therefore I want to just have
> 
> That word you keep using...I don't think it means what you think it means.
> Unless you've got a mechanism to randomize the ports on every port-knocking
> attempt, you're essentially using a plaintext password on the internet.
>

No one said anything about a password. Where did you get that from? I don't
have a plain text password. I don't even have a password at all, as RSS readers
with auth are not widespread at all. So I don't have any auth... Just access
through IP. My data is not that critical, but as said I want to limit access a
little bit by forcing the clients to first open their browser and access a
specific IP and a specific port. Then PF should trigger on that block in PF
and open from the client IP to the RSS server. Of course a client can sit
behind NAT and therefore give access to many computers. But again, the data is
not that critical. And it's not likely they will guess the link.


/Per-Olov
--
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Bret S. Lambert
> > There is a way to do port knocking in pf without any external help. Maybe
> > you can figure it out. I will not give more hints since port knocking is a
> > dumb idea better spend your time reading on authpf(8).
> >
> > --
> > :wq Claudio
> >
> 
> How do you use authpf from an iPhone or similar...
> 
> The reason is to use an RSS reader that cannot authenticate. I want some sort

An RSS reader that can't authenticate, but can ping a series of TCP/IP ports?

> of security for it even though it's not critical. Therefore I want to just have
 
That word you keep using...I don't think it means what you think it means.
Unless you've got a mechanism to randomize the ports on every port-knocking
attempt, you're essentially using a plaintext password on the internet.



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 16 feb 2010, at 11.11, Lars Nooden wrote:

> http://rsug.itd.umich.edu/software/fugu/


Nope. Can't see that these will work on all phones and computers seamlessly
with ease of use for the users.

The reason for the post was just to see if there are already any tools for this
purpose, which is to have a log trigger in the PF logfile or its pflog0 device.


/Per-Olov



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Peter N. M. Hansteen
Per-Olov Sjöholm writes:

> How do you use authpf from an iPhone or similar...

There are ssh clients for iphones, just look in the app store.  The
one i ended up installing has gone up in price it seems to (shock,
horror) NOK 35 (about USD 6), but I see one at NOK 6 (about a dollar).

And of course for obscurity, you can set up the sshd on a non-standard
port.

Then again, Claudio's comment happens to be true, and now I guess some
kid will actually figure it out, implement and write a HOWTO.  Good
thing I wasn't eating or drinking anything.

grmpf,
Peter
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 16 feb 2010, at 11.04, Floor Terra wrote:

> Why not require an authentication token in the url?
>
> On 16 Feb 2010 10:59, "Per-Olov Sjöholm" wrote:
>
> On 16 feb 2010, at 10.40, Claudio Jeker wrote:
>
>> On Tue, Feb 16, 2010 at 10:22:04AM +0100, Per-Olov...
> How do you use authpf from an iPhone or similar...
>
> The reason is to use an RSS reader that cannot authenticate. I want some sort
> of security for it even though it's not critical. Therefore I want to just have
> a trigger in the PF log. To try to find an SSH client to use authpf for all RSS
> client capable phones is not an option.
>
>
> /Per-Olov
>

Yes, that is better, but then I have to check web server logs, enable relayd or
so. Maybe that will be the next step after this. But still... as a _test_ I
just want to check PF blocks as a port knocker.


/Per-Olov



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Lars Nooden
Per-Olov Sjöholm wrote:

> How do you use authpf from an iPhone or similar...

Probably Fugu or Cyberduck or, if you can get a shell, plain openssh, as
Fugu is a UI for the client.

 http://rsug.itd.umich.edu/software/fugu/
 http://cyberduck.ch/

/Lars



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Floor Terra
Why not require an authentication token in the url?

On 16 Feb 2010 10:59, "Per-Olov Sjöholm" wrote:

On 16 feb 2010, at 10.40, Claudio Jeker wrote:

> On Tue, Feb 16, 2010 at 10:22:04AM +0100, Per-Olov...
How do you use authpf from an iPhone or similar...

The reason is to use an RSS reader that cannot authenticate. I want some sort
of security for it even though it's not critical. Therefore I want to just have
a trigger in the PF log. To try to find an SSH client to use authpf for all RSS
client capable phones is not an option.


/Per-Olov



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 16 feb 2010, at 10.40, Claudio Jeker wrote:

> On Tue, Feb 16, 2010 at 10:22:04AM +0100, Per-Olov Sjöholm wrote:
>> Hi "misc"
>>
>> I am looking for a tool to use as a trigger for dynamically opening PF ports
>> from certain IPs.
>>
>> I will access non critical info but want at least a port knocker as security.
>>
>> If I access an IP on my DMZ that is not in use on a port that is fake I want
>> to dynamically add a PF rule for a totally different purpose. Let's say I
>> access http://1.2.3.4:45321 which is blocked and logged in PF, what is the
>> easiest way to create a trigger from the PF log or the PF log device?
>>
>> A cron job with grep in the PF log and then run pfctl to add the rule is from
>> many points of view a bad choice... I don't want to dig through the PF log as
>> it can be huge, and I don't want to use a cron job as it takes too long..
>>
>
> There is a way to do port knocking in pf without any external help. Maybe
> you can figure it out. I will not give more hints since port knocking is a
> dumb idea better spend your time reading on authpf(8).
>
> --
> :wq Claudio
>

How do you use authpf from an iPhone or similar...

The reason is to use an RSS reader that cannot authenticate. I want some sort
of security for it even though it's not critical. Therefore I want to just have
a trigger in the PF log. To try to find an SSH client to use authpf for all RSS
client capable phones is not an option.


/Per-Olov



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Claudio Jeker
On Tue, Feb 16, 2010 at 10:22:04AM +0100, Per-Olov Sjöholm wrote:
> Hi "misc"
> 
> I am looking for a tool to use as a trigger for dynamically opening PF ports from
> certain IPs.
> 
> I will access non critical info but want at least a port knocker as security.
> 
> If I access an IP on my DMZ that is not in use on a port that is fake I want
> to dynamically add a PF rule for a totally different purpose. Let's say I
> access http://1.2.3.4:45321 which is blocked and logged in PF, what is the
> easiest way to create a trigger from the PF log or the PF log device?
> 
> A cron job with grep in the PF log and then run pfctl to add the rule is from
> many points of view a bad choice... I don't want to dig through the PF log as
> it can be huge, and I don't want to use a cron job as it takes too long..
> 

There is a way to do port knocking in pf without any external help. Maybe
you can figure it out. I will not give more hints since port knocking is a
dumb idea better spend your time reading on authpf(8).

-- 
:wq Claudio



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Bret S. Lambert
On Tue, Feb 16, 2010 at 10:22:04AM +0100, Per-Olov Sjöholm wrote:
> Hi "misc"
> 
> I am looking for a tool to use as a trigger for dynamically opening PF ports from
> certain IPs.
> 
> I will access non critical info but want at least a port knocker as security.
> 
> If I access an IP on my DMZ that is not in use on a port that is fake I want
> to dynamically add a PF rule for a totally different purpose. Let's say I
> access http://1.2.3.4:45321 which is blocked and logged in PF, what is the
> easiest way to create a trigger from the PF log or the PF log device?
> 
> A cron job with grep in the PF log and then run pfctl to add the rule is from
> many points of view a bad choice... I don't want to dig through the PF log as
> it can be huge, and I don't want to use a cron job as it takes too long..
> 
> Any suggestions appreciated.
> 

Seriously, though:

Why are you so interested in reimplementing authpf, but doing it badly?

> 
> Thanks in advance
> /Per-Olov



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Bret S. Lambert
> I will access non critical info but want at least a port knocker as security.

s/security/inappropriate self-touching/



PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
Hi "misc"

I am looking for a tool to use as a trigger for dynamically opening PF ports from
certain IPs.

I will access non critical info but want at least a port knocker as security.

If I access an IP on my DMZ that is not in use on a port that is fake I want
to dynamically add a PF rule for a totally different purpose. Let's say I
access http://1.2.3.4:45321 which is blocked and logged in PF, what is the
easiest way to create a trigger from the PF log or the PF log device?

A cron job with grep in the PF log and then run pfctl to add the rule is from
many points of view a bad choice... I don't want to dig through the PF log as
it can be huge, and I don't want to use a cron job as it takes too long..

Any suggestions appreciated.


Thanks in advance
/Per-Olov