Re: PF log parser and dynamic PF rules...
On 17 feb 2010, at 12.38, Peter Hessler wrote:

> On 2010 Feb 17 (Wed) at 07:51:03 +0100 (+0100), Per-Olov Sjöholm wrote:
> :Answer correctly or don't answer at all.
>
> It seems to me that people *did* answer correctly. But, their answer
> was not what you wanted to hear.
>
> The answer: don't use port knocking, use a randomized url.
>
> https://example.com/64482a3717737695e4dd254a4d57da4f6c0795f3e811e8b12347625fb285.rss
>
> Google, Apple, etc use this scheme for webcal access. I strongly doubt
> your rss feed requires more privacy than people's private calendars.
>
> --
> Beware of altruism. It is based on self-deception, the root of all
> evil.

I know what I am doing and it's a simple test. A production environment will for sure be more secured. As said, I _very_ much appreciate if people give their opinion _and_ an answer to the actual question if the person knows how to do what I ask for. But what I don't like about it is that some just reply to tell it's done wrong, even though they do not know the context and the tradeoffs that have been made and why. Professional people could nicely tell their opinion and a hint to my question IF they have any clue. If they think I should have provided more info, they could say so.

I am a member of a few helicopter forums, some Dreambox HTPC forums (TuxBOX), a bunch of Linux forums (i.e. many different kinds of forums). Nowhere do they hack at each other like they do at the OpenBSD lists. This is the only sad thing about OpenBSD, the mailing list. Therefore I don't use it as much as before. A few of my developer friends share this sadness with me.

You are right, Peter. My rss feed does not require more privacy (at this stage) than private google calendars. However there are a few problems with randomized urls that I simply want to spend time on later. This as I at this stage just want to sell in the idea with a test containing less important data and therefore use less work.
A prod environment will be more secured to fulfill the security policies etc.

Tnx to the people who contributed with something. This thread is closed for me now

/Per-Olov
--
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4
Re: PF log parser and dynamic PF rules...
On 2010 Feb 17 (Wed) at 07:51:03 +0100 (+0100), Per-Olov Sjöholm wrote:
:Answer correctly or don't answer at all.

It seems to me that people *did* answer correctly. But, their answer was not what you wanted to hear.

The answer: don't use port knocking, use a randomized url.

https://example.com/64482a3717737695e4dd254a4d57da4f6c0795f3e811e8b12347625fb285.rss

Google, Apple, etc use this scheme for webcal access. I strongly doubt your rss feed requires more privacy than people's private calendars.

--
Beware of altruism. It is based on self-deception, the root of all evil.
Re: PF log parser and dynamic PF rules...
On Wed, Feb 17, 2010 at 07:51:03AM +0100, Per-Olov Sjöholm wrote:
> On 17 feb 2010, at 02.07, Randal L. Schwartz wrote:
>
> > >> "Paul" == Paul de Weerd writes:
> >
> > Paul> Jeez... As an asker, you don't really get to decide how or what other
> > Paul> people answer, or if they even answer at all.
> >
> > As I snipped off a Usenet group once:
> >
> > > Get real! This is a discussion group, not a helpdesk. You post something -- we discuss its implications. If the discussion happens to answer a question you've asked, that's incidental. If you post a question that implies that you've got a problem finding answers to trivial questions in the manual, then it is perfectly reasonable for us to discuss how to do that.
> >
> > --
> > Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
> > http://www.stonehenge.com/merlyn/
> > Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
> > See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion
>
> I have been on this list for many years. Sometimes asking and sometimes helping others.
>
> you are wrong
>
> http://www.openbsd.org/mail.html
> --snip--
> User questions and answers, general questions
> --snip--
>
> Answer correctly or don't answer at all. A winning concept in real life as well.
>
> ^d
>
> Regards
> /Per-Olov
> --
> GPG keyID: 5231C0C4
> GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
> GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4

"I have been on this list for many years ..." and "Answer correctly or don't answer at all."

You've been on misc@ for many years and expect correct answers or respectful silence? My goodness, your optimism seems impervious to experience.

You've been on misc@ for many years, yell at several developers giving you correct answers and expect to get better support? Interesting approach.

Looks like my first post to misc@ was only in 1998 so perhaps I have insufficient experience to opine.

Ken
Re: PF log parser and dynamic PF rules...
On 17 feb 2010, at 02.07, Randal L. Schwartz wrote:

>> "Paul" == Paul de Weerd writes:
>
> Paul> Jeez... As an asker, you don't really get to decide how or what other
> Paul> people answer, or if they even answer at all.
>
> As I snipped off a Usenet group once:
>
> > Get real! This is a discussion group, not a helpdesk. You post something -- we discuss its implications. If the discussion happens to answer a question you've asked, that's incidental. If you post a question that implies that you've got a problem finding answers to trivial questions in the manual, then it is perfectly reasonable for us to discuss how to do that.
>
> --
> Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
> http://www.stonehenge.com/merlyn/
> Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
> See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion

I have been on this list for many years. Sometimes asking and sometimes helping others.

you are wrong

http://www.openbsd.org/mail.html
--snip--
User questions and answers, general questions
--snip--

Answer correctly or don't answer at all. A winning concept in real life as well.

^d

Regards
/Per-Olov
--
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4
Re: PF log parser and dynamic PF rules...
> "Paul" == Paul de Weerd writes:

Paul> Jeez... As an asker, you don't really get to decide how or what other
Paul> people answer, or if they even answer at all.

As I snipped off a Usenet group once:

> Get real! This is a discussion group, not a helpdesk. You post something -- we discuss its implications. If the discussion happens to answer a question you've asked, that's incidental. If you post a question that implies that you've got a problem finding answers to trivial questions in the manual, then it is perfectly reasonable for us to discuss how to do that.

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
http://www.stonehenge.com/merlyn/
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion
Re: PF log parser and dynamic PF rules...
On Wed, Feb 17, 2010 at 12:40:02AM +0100, Per-Olov Sjöholm wrote:
| Amazing that so many people in this forum cannot read and therefore answer to B
| when I ask for A.

It's amazing that you get so much free (and good, imo) advice and then not only completely ignore it, but even go out of your way to ridicule the people spending their time to try and help you.

Please, ask for C on this list again. I hope enough people remember the gratitude you showed to *NOT* give you an answer to C *or* D.

Jeez... As an asker, you don't really get to decide how or what other people answer, or if they even answer at all. If you don't like the replies you get, maybe you shouldn't be asking questions in the first place - people here try to give sane advice, not hold your hand while you try to shoot yourself in the foot. And I'll be explicit: the people replying decide whether they consider what you're doing is shooting yourself in the foot or not; if you want to debate their considerations (better to ignore replies you do not consider useful and draw your own conclusions when you're left with nothing), you probably want to do that off-list.

Paul 'WEiRD' de Weerd

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
Re: PF log parser and dynamic PF rules...
On 16 feb 2010, at 17.17, Eugene Yunak wrote:

> 2010/2/16 Per-Olov Sjöholm :
>> Hi "misc"
>>
>> I am looking for a tool to use as a trigger to dynamically open PF ports from certain IPs.
>>
>> I will access non critical info but want at least a port knocker as security.
>>
>> If I access an IP on my DMZ that is not in use on a port that is fake I want to dynamically add a PF rule for a totally different purpose. Let's say I access http://1.2.3.4:45321 which is blocked and logged in PF, what is the easiest way to create a trigger from the PF log or the PF log device?
>>
>> A cron job with grep in the PF log and then run pfctl to add the rule is from many points of view a bad choice... I don't want to dig through the PF log as it can be huge, and I don't want to use a cron job as it takes too long..
>>
>> Any suggestions appreciated.
>>
>>
>> Thanks in advance
>> /Per-Olov
>>
>
> As many people have already suggested to you in this thread, you are doing it wrong. But if you _really_ want to do it that way, then probably you can simplify your configuration a bit.
>
> You can use "log (to pflog10)" to have a separate pflog device with only log entries about port-knocking attempts. Then you can have a small shellscript reading from tcpdump pflog10 in a cycle and adding IP addresses to a table of hosts with permitted access to your rss feed. This is much simpler and quicker than a cron job with full pflog parser.
>
> I would strongly encourage you to use per-user http authentication instead. Most rss readers i encountered actually _do_ support it, as they are all based on standard libraries, so you can just give them http://user:p...@host/path/file.rss url if they don't have a separate "authentication" field.
>
> --
> The best the little guy can do is what
> the little guy does right

Hi Eugene

Thanks. As this is a test shoot only I will go for something home made in C to feed a table for now.
And I _really_ want to do it this way as it's a test. A future production environment could maybe be totally different, who knows.

I have done security analysis since the early '90s and asked a simple question to this forum. When people do not know, they just mess up the thread with garbage. If only more people were like you Eugene. That is, point out your opinion AND a way to do it. Not just the first. The opinion can be right, but also wrong as everything must be set in its correct context. Also, a security tradeoff can be rated differently by different people.

Amazing that so many people in this forum cannot read and therefore answer to B when I ask for A.

/Per-Olov
--
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4
Re: PF log parser and dynamic PF rules...
2010/2/16 Per-Olov Sjöholm :
> Hi "misc"
>
> I am looking for a tool to use as a trigger to dynamically open PF ports from certain IPs.
>
> I will access non critical info but want at least a port knocker as security.
>
> If I access an IP on my DMZ that is not in use on a port that is fake I want to dynamically add a PF rule for a totally different purpose. Let's say I access http://1.2.3.4:45321 which is blocked and logged in PF, what is the easiest way to create a trigger from the PF log or the PF log device?
>
> A cron job with grep in the PF log and then run pfctl to add the rule is from many points of view a bad choice... I don't want to dig through the PF log as it can be huge, and I don't want to use a cron job as it takes too long..
>
> Any suggestions appreciated.
>
>
> Thanks in advance
> /Per-Olov
>

As many people have already suggested to you in this thread, you are doing it wrong. But if you _really_ want to do it that way, then probably you can simplify your configuration a bit.

You can use "log (to pflog10)" to have a separate pflog device with only log entries about port-knocking attempts. Then you can have a small shellscript reading from tcpdump pflog10 in a cycle and adding IP addresses to a table of hosts with permitted access to your rss feed. This is much simpler and quicker than a cron job with full pflog parser.

I would strongly encourage you to use per-user http authentication instead. Most rss readers i encountered actually _do_ support it, as they are all based on standard libraries, so you can just give them http://user:p...@host/path/file.rss url if they don't have a separate "authentication" field.

--
The best the little guy can do is what
the little guy does right
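Eugene's "separate pflog device plus a small shell script" suggestion, written out as an added example for this page (it is not Eugene's code and not anything shipped with OpenBSD). The pf.conf fragment in the header comment, the table name rss_allowed, the interface pflog10, the port 45321 from the original question and the sample tcpdump line are all assumptions; the script validates the extracted address before it reaches pfctl and ages idle entries out of the table.

```shell
#!/bin/sh
# Added example: feed a pf table from a dedicated pflog interface.
#
# Assumed pf.conf fragment (names are assumptions, not from the thread):
#   table <rss_allowed> persist
#   block in log (to pflog10) quick on egress proto tcp to port 45321
#   pass  in quick on egress proto tcp from <rss_allowed> to port 80
# The interface must exist first: ifconfig pflog10 create
#
# Only the knock rule logs to pflog10, so every frame seen there is a knock
# attempt and the main pflog never has to be searched.

TABLE=${TABLE:-rss_allowed}     # pf table holding permitted client addresses
PFLOG_IF=${PFLOG_IF:-pflog10}   # dedicated pflog interface for the knock rule
PFCTL=${PFCTL:-pfctl}           # overridable so the logic can be exercised offline
EXPIRE=${EXPIRE:-3600}          # seconds of inactivity before an address is dropped

# Extract the source IPv4 address from one line of "tcpdump -n -e -i pflogN"
# output. Constructed sample line (not captured from a real system):
#   rule 3/(match) block in on em0: 203.0.113.5.51234 > 192.0.2.4.45321: S ...
# tcpdump appends the port with a dot, so the final ".digits" is stripped.
knock_src_ip() {
    printf '%s\n' "$1" |
        sed -n 's/.*: \([0-9][0-9.]*\)\.[0-9][0-9]* > .*/\1/p'
}

# Accept only a dotted quad with octets 0-255. The log line is input chosen
# by whoever sent the packet, so nothing from it is passed on unchecked.
is_ipv4() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Add one validated address to the table; anything else is refused.
admit_knocker() {
    is_ipv4 "$1" || return 1
    "$PFCTL" -q -t "$TABLE" -T add "$1"
}

# Read log lines from stdin (normally the tcpdump pipe below), admit each
# source address and expire idle entries so the table does not grow forever.
knock_loop() {
    while read -r line; do
        ip=$(knock_src_ip "$line") || continue
        [ -n "$ip" ] || continue
        admit_knocker "$ip"
        "$PFCTL" -q -t "$TABLE" -T expire "$EXPIRE"
    done
}

# Daemon entry point: -l makes tcpdump line-buffered so a knock reaches the
# loop as soon as it is logged instead of when an output buffer fills.
if [ "${1:-}" = "run" ]; then
    tcpdump -n -e -l -i "$PFLOG_IF" | knock_loop
fi
```

Started as `sh knock.sh run` (root is needed to open the pflog interface), it reacts per packet rather than per cron interval, which was the asker's objection to the cron approach.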
Re: PF log parser and dynamic PF rules...
On Tue, Feb 16, 2010 at 12:27 PM, Per-Olov Sjöholm wrote:
> There is no authentication available in most RSS clients. If it was, i would
> of course prefer or at least consider that. I am not that stupid you know.
>

https://example.com/feed.php?user=floort&passwd=SUPERSECRET

Every feed reader i know of can handle a url like this. It's probably more secure and easier to implement than port-knocking. And I wouldn't want to be the one who has to explain port-knocking to all your customers and tell them they have to do this every time their feed needs to refresh.

Floor

--
Floor Terra
www: http://brobding.mine.nu/
Re: PF log parser and dynamic PF rules...
> So if anybody can come up with a better approach I will be very happy.

You've already been told, by multiple people, that a better approach is to use the things that are available to you via the rich possibilities of HTTP to solve this problem.

Sometimes, you're the lone genius who is misunderstood in his own time, who future generations will admire for his foresight. Most of the time, though, you're just Doing It Wrong(tm).
Re: PF log parser and dynamic PF rules...
Per-Olov Sjöholm writes:

> we have to use something that works from all places. The content is
> not a secret, but something you have to pay a little for. So... not
> critical.

Being the lazy git that I am, I could imagine that simply generating a sufficiently obfuscated set of file or directory names to put in the URL, likely a per user basis, would achieve roughly what you are talking about. Not exactly rocket science, but then neither are the other options.

I fully understand the desire to write a PF log parser, though :)

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: PF log parser and dynamic PF rules...
On 16 feb 2010, at 12.06, Peter N. M. Hansteen wrote:

> Per-Olov Sjöholm writes:
>
>> None said anything about a password.. From where did you get that? I don't
>> have a plain text password.
>
> A port knocking sequence is for most purposes a password, encoded in a 16 bit alphabet. That's it - port numbers run from 0 through 64k, although the practical range for portknocking purposes would likely exclude the more commonly used ones, mainly in the lower parts.
>
> I've been in the process of almost getting around to writing an article about how this limits the usefulness of portknocking as a security measure, there's always the question of round tuits. keywords: is your password more secure if it's stored as unicode?, the well known password guessing botnets, and so forth.
>
> The question of proportionality, as in the importance of your data vs the strength of your security measures is certainly relevant, but you should also take into consideration how much complexity any given security measure adds to your setup versus the actual gain in security. Hm. There might actually be an article in there.
>
> - P
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
>

We want to lock RSS to our own clients floating around in cyberspace. As authentication is not widely spread in RSS clients, authentication is not usable. Therefore we have to come up with a different approach. As we want to use iGoogle and phones etc we have to use something that works from all places. The content is not a secret, but something you have to pay a little for. So... not critical.

Of course you could authenticate with a web browser and then trigger to open in PF.
Probably a little better than just the access to a dummy IP on a dummy port. But still not as good as I would like. SSH and authpf is as far as I know now not possible as the SSH client will freeze in the iPhone (which is widely used here) when going into background and switching to the RSS client.

So if anybody can come up with a better approach I will be very happy. Otherwise I have to create my pflog device parser myself as obviously none in this forum have seen anything similar.

Thanks
Per-Olov
--
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4
Re: PF log parser and dynamic PF rules...
On Tue, Feb 16, 2010 at 12:27:44PM +0100, Per-Olov Sjöholm wrote:
>
> On 16 feb 2010, at 12.07, Bret S. Lambert wrote:
>
> > On Tue, Feb 16, 2010 at 11:44:12AM +0100, Per-Olov Sjöholm wrote:
> >> See my post to Peter H. You obviously have not worked with security
> >
> > Why? Because I'm unwilling to endorse your preferred approach?
> >
> >> and the tradeoffs you _always_ have to make.
> >
> > Yes, you make tradeoffs, but you're asking for obscurity, not security.
> > It's a very important distinction to make, which you don't seem to be
> > doing.
> >
> >> If you don't have anything to come up with, don't bother to post.
> >
> > Okay, I'll bite:
> >
> > You're trying to solve this at the wrong layer.
> >
> > You're trying to use IP obfuscation.
> >
> > You should be looking for HTTP authentication instead.
>
> There is no authentication available in most RSS clients.

No, but web servers don't run on crippled os'es (for certain values of "crippled"), and are able to do things with URLs that level3 things can't. Floor had a good suggestion about adding something to the URL which would then be acted upon by the RSS feed server to determine if the feed should be served. Since the solution you propose is no less secure, just require that a "?user=NOTABOT" or some such be appended.

You're still looking at the wrong layer to solve this problem.

> If it was, i would of course prefer or at least consider that.

You haven't looked at this problem hard enough, then.

> I am not that stupid you know.

Why, oh why, dear lord, do you tempt me with such softballs?
Re: PF log parser and dynamic PF rules...
On 16 feb 2010, at 12.07, Bret S. Lambert wrote:

> On Tue, Feb 16, 2010 at 11:44:12AM +0100, Per-Olov Sjöholm wrote:
>> See my post to Peter H. You obviously have not worked with security
>
> Why? Because I'm unwilling to endorse your preferred approach?
>
>> and the tradeoffs you _always_ have to make.
>
> Yes, you make tradeoffs, but you're asking for obscurity, not security.
> It's a very important distinction to make, which you don't seem to be
> doing.
>
>> If you don't have anything to come up with, don't bother to post.
>
> Okay, I'll bite:
>
> You're trying to solve this at the wrong layer.
>
> You're trying to use IP obfuscation.
>
> You should be looking for HTTP authentication instead.

There is no authentication available in most RSS clients. If it was, i would of course prefer or at least consider that. I am not that stupid you know.

/Per-Olov
--
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4
Re: PF log parser and dynamic PF rules...
On 16 feb 2010, at 11.57, Stuart Henderson wrote:

> On 2010-02-16, Per-Olov Sjöholm wrote:
>> The reason is to use an RSS reader that cannot authenticate. I want some sort
>> of security for it even though it's not critical.
>
> https://some.host/super-sekrit-password-here/feed.rss gives more
> security than trying to use a web browser (which is highly likely
> to be proxied and logged by the carrier) as a port-knocking client.

that could be better... right..

>
> And with port-knocking, how do you even know the subsequent
> connection will be (natted to the same source address || coming
> from the same http proxy)?
>

I know it does from phones connecting through the operators' own network (at least in Sweden) and home broadband connected computers. But I don't from stationary computers not sitting at home.

/Per-Olov
--
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4
Re: PF log parser and dynamic PF rules...
On 16 feb 2010, at 12.06, Lars Nooden wrote:

> Per-Olov Sjöholm wrote:
>> ...Or did I miss something here?
>
> You missed quite a lot. I would recommend looking up the following
> before aggravating a larger public:
> client - server architecture
> client application
> server (daemon)
> rss
> ssh
> http, https
> mod_auth_*
>
>
> Write back in a few days after you have more details about your project.
> Speculation is not fun.
>
> Regards,
> /Lars
>

You did not answer how to use authpf from an iPhone as you suggested, as the process will freeze when going into background. It will freeze or not freeze. It's not any speculation, right?

I assume fugu or cyberduck as you suggested are dead ends with authpf

/Per-Olov
Re: PF log parser and dynamic PF rules...
Per-Olov Sjöholm wrote:
> ...Or did I miss something here?

You missed quite a lot. I would recommend looking up the following before aggravating a larger public:
client - server architecture
client application
server (daemon)
rss
ssh
http, https
mod_auth_*

Write back in a few days after you have more details about your project. Speculation is not fun.

Regards,
/Lars
Re: PF log parser and dynamic PF rules...
Per-Olov Sjöholm writes:

> None said anything about a password.. From where did you get that? I don't
> have a plain text password.

A port knocking sequence is for most purposes a password, encoded in a 16 bit alphabet. That's it - port numbers run from 0 through 64k, although the practical range for portknocking purposes would likely exclude the more commonly used ones, mainly in the lower parts.

I've been in the process of almost getting around to writing an article about how this limits the usefulness of portknocking as a security measure, there's always the question of round tuits. keywords: is your password more secure if it's stored as unicode?, the well known password guessing botnets, and so forth.

The question of proportionality, as in the importance of your data vs the strength of your security measures is certainly relevant, but you should also take into consideration how much complexity any given security measure adds to your setup versus the actual gain in security. Hm. There might actually be an article in there.

- P
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: PF log parser and dynamic PF rules...
On Tue, Feb 16, 2010 at 11:44:12AM +0100, Per-Olov Sjöholm wrote:
> See my post to Peter H. You obviously have not worked with security

Why? Because I'm unwilling to endorse your preferred approach?

> and the tradeoffs you _always_ have to make.

Yes, you make tradeoffs, but you're asking for obscurity, not security. It's a very important distinction to make, which you don't seem to be doing.

> If you don't have anything to come up with, don't bother to post.

Okay, I'll bite:

You're trying to solve this at the wrong layer.

You're trying to use IP obfuscation.

You should be looking for HTTP authentication instead.
Re: PF log parser and dynamic PF rules...
Just put your data on some funny port, then? Or give it a long and hard to guess name, that might actually have sufficient entropy to be any use. A less-than-16-bit "random" port is rather easy to guess. And, if you really want to do port blocking, read the pf man page. It is possible with a rule that adds IPs to tables. Perhaps after more than one knock for "added security..." In any case, I really don't see a need for OpenBSD to support these kinds of silly things, the people who really want to do them can find their own ways.
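Added worked calculation (not from any post in the thread) putting numbers on Peter Hansteen's "password encoded in a 16 bit alphabet" and on the remark above that a less-than-16-bit port is easy to guess. $N$ is the number of ports a single knock can use, $k$ the number of knocks in an ordered sequence, and the URL figure uses the 60-hex-digit path from Peter Hessler's example; the exclusion of ports 0-1023 is an assumption matching "exclude the more commonly used ones".

One knock, all 65536 ports usable:
$H_1 = \log_2 N \le \log_2 65536 = 16 \text{ bits}$

One knock, well-known ports 0-1023 excluded ($N = 64512$):
$H_1 = \log_2 64512 \approx 15.98 \text{ bits}$

A sequence of $k$ ordered knocks:
$H_k = k \log_2 N \approx 15.98\,k \text{ bits}$

Expected number of blind attempts before a uniformly chosen secret is hit:
$E[\text{guesses}] \approx 2^{H-1}$, so about $2^{14.98} \approx 32{,}000$ connection attempts for a single knock, each of which is one TCP SYN.

The randomized path of 60 hex digits:
$H_{url} = 60 \cdot \log_2 16 = 240 \text{ bits}$, which a knock sequence would need $k = 240 / 15.98 \approx 15$ ordered knocks to match.

Both figures only bound blind guessing; as Stuart notes, a knock sent from a phone's browser is plaintext to the carrier's proxy and logs, whereas the same secret carried in an https path is hidden from on-path observers.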
Re: PF log parser and dynamic PF rules...
Hi again Lars... And an important addition below

On 16 feb 2010, at 11.44, Lars Nooden wrote:

> Per-Olov Sjöholm wrote:
>> On 16 feb 2010, at 11.11, Lars Nooden wrote:
>>
>>> http://rsug.itd.umich.edu/software/fugu/
>>
>>
>> Noop. Can't see that these will work and all phones and computers
>> seamlessly with ease of use for the users.
>
> You appear to have asked about clients for the iphone, not all phones.
> Fugu and cyberduck are very easy to use.

But the SSH session will freeze when you switch to the RSS client that is the main purpose to use, right? This as the iPhone is not multi tasking with third party applications. Then it's not usable without a jailbreak of all company iPhones... Or did I miss something here?

/Per-Olov

>
>> The reason for the post was just to see if there is already any tools
>> for this purpose, which is to have log trigger in PF logfile or its
>> pflog0 device.
>
> authpf then.
>
> Note pf.conf allows you to apply filters to groups of users. See the
> 'group' parameter about 17% of the way down through pf.conf(5)
>
> Something like this:
> pass in log (to pflog2) group phoners
>
> /Lars
Re: PF log parser and dynamic PF rules...
On 2010-02-16, Per-Olov Sjöholm wrote:
> The reason is to use an RSS reader that cannot authenticate. I want some sort
> of security for it even though it's not critical.

https://some.host/super-sekrit-password-here/feed.rss gives more security than trying to use a web browser (which is highly likely to be proxied and logged by the carrier) as a port-knocking client.

And with port-knocking, how do you even know the subsequent connection will be (natted to the same source address || coming from the same http proxy)?
Re: PF log parser and dynamic PF rules...
On 16 feb 2010, at 11.35, Bret S. Lambert wrote:

> On Tue, Feb 16, 2010 at 11:28:28AM +0100, Per-Olov Sjöholm wrote:
>>
>> On 16 feb 2010, at 11.17, Bret S. Lambert wrote:
>>
> There is a way to do port knocking in pf without any external help. Maybe
> you can figure it out. I will not give more hints since port knocking is a
> dumb idea better spend your time reading on authpf(8).
>
> --
> :wq Claudio
>

How do you use authpf from an iPhone or similar...

The reason is to use an RSS reader that cannot authenticate. I want some sort
>>>
>>> An RSS reader that can't authenticate, but can ping a series of TCP/IP ports?
>>
>> Where did you get that from? I didn't say it could... No but all devices with an RSS client, even phones, have a web browser that can have a bookmarked IP and obscure port.
>>> of security for it even though it's not critical. Therefore I want to just have
>>>
>>> That word you keep using...I don't think it means what you think it means.
>>> Unless you've got a mechanism to randomize the ports on every port-knocking
>>> attempt, you're essentially using a plaintext password on the internet.
>>>
>>
>> None said anything about a password.. From where did you get that?
>
> I said that you're *essentially* using a plaintext password, not that
> you're *actually* using a plaintext password. My meaning was that you're
> effectively using a security model that's been known to be bad for as
> long as I've been in the tech industry.
>
>> forcing the clients to first open their browser and access a
>> specific IP and a specific port.
>
> Yes, because those are impossible for an attacker to guess.
>
>> But again, the data is not that critical.
>
> Then why care about "security" at all?
>
>> And it's not likely they will guess the link.
>
> Congratulations; I'm actually at a loss for words after reading that.

See my post to Peter H. You obviously have not worked with security and the tradeoffs you _always_ have to make.
If you don't have anything to come up with, don't bother to post.

/Per-Olov
Re: PF log parser and dynamic PF rules...
Per-Olov Sjöholm wrote:
> On 16 feb 2010, at 11.11, Lars Nooden wrote:
>
>> http://rsug.itd.umich.edu/software/fugu/
>
>
> Noop. Can't see that these will work and all phones and computers
> seamlessly with ease of use for the users.

You appear to have asked about clients for the iphone, not all phones. Fugu and cyberduck are very easy to use.

> The reason for the post was just to see if there is already any tools
> for this purpose, which is to have log trigger in PF logfile or its
> pflog0 device.

authpf then.

Note pf.conf allows you to apply filters to groups of users. See the 'group' parameter about 17% of the way down through pf.conf(5)

Something like this:
pass in log (to pflog2) group phoners

/Lars
Re: PF log parser and dynamic PF rules...
On 16 feb 2010, at 11.44, Lars Nooden wrote:

> Per-Olov Sjöholm wrote:
>> On 16 feb 2010, at 11.11, Lars Nooden wrote:
>>
>>> http://rsug.itd.umich.edu/software/fugu/
>>
>>
>> Noop. Can't see that these will work and all phones and computers
>> seamlessly with ease of use for the users.
>
> You appear to have asked about clients for the iphone, not all phones.
> Fugu and cyberduck are very easy to use.

My mistake. Sorry! It must be a solution for _any_ RSS client and a web browser.

>
>> The reason for the post was just to see if there is already any tools
>> for this purpose, which is to have log trigger in PF logfile or its
>> pflog0 device.
>
> authpf then.
>
> Note pf.conf allows you to apply filters to groups of users. See the
> 'group' parameter about 17% of the way down through pf.conf(5)
>
> Something like this:
> pass in log (to pflog2) group phoners
>
> /Lars

Yes, I have used that a few years ago. It's nice but is not doable on all clients. But maybe I could set an SSH capable client as a company requirement. Of course I agree it's a better solution if I only could limit the phones to the ones that can use an SSH client.

/Per-Olov
--
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4
Re: PF log parser and dynamic PF rules...
On Tue, Feb 16, 2010 at 11:28:28AM +0100, Per-Olov Sjöholm wrote:
>
> On 16 feb 2010, at 11.17, Bret S. Lambert wrote:
>
> >>> There is a way to do port knocking in pf without any external help. Maybe
> >>> you can figure it out. I will not give more hints since port knocking is a
> >>> dumb idea better spend your time reading on authpf(8).
> >>>
> >>> --
> >>> :wq Claudio
> >>>
> >>
> >> How do you use authpf from an iPhone or similar...
> >>
> >> The reason is to use an RSS reader that cannot authenticate. I want some
> >> sort
> >
> > An RSS reader that can't authenticate, but can ping a series of TCP/IP
> > ports?
>
> Where did you get that from? I didn't say it could... No but all devices with
> an RSS client, even phones, have a web browser that can have a bookmarked IP
> and obscure port.
>
>
> >> of security for it even though it's not critical. Therefore I want to just
> >> have
> >
> > That word you keep using...I don't think it means what you think it means.
> > Unless you've got a mechanism to randomize the ports on every port-knocking
> > attempt, you're essentially using a plaintext password on the internet.
> >
>
> None said anything about a password.. From where did you get that?

I said that you're *essentially* using a plaintext password, not that you're *actually* using a plaintext password. My meaning was that you're effectively using a security model that's been known to be bad for as long as I've been in the tech industry.

> forcing the clients to first open their browser and access a
> specific IP and a specific port.

Yes, because those are impossible for an attacker to guess.

> But again, the data is not that critical.

Then why care about "security" at all?

> And it's not likely they will guess the link.

Congratulations; I'm actually at a loss for words after reading that.
Re: PF log parser and dynamic PF rules...
On 16 feb 2010, at 11.17, Peter N. M. Hansteen wrote:

> Per-Olov Sjöholm writes:
>
>> How do you use authpf from an iPhone or similar...
>
> There are ssh clients for iPhones, just look in the app store. The
> one I ended up installing has gone up in price it seems to (shock,
> horror) NOK 35 (about USD 6), but I see one at NOK 6 (about a dollar).
>
> And of course for obscurity, you can set up the sshd on a non-standard
> port.
>
> Then again, Claudio's comment happens to be true, and now I guess some
> kid will actually figure it out, implement and write a HOWTO. Good
> thing I wasn't eating or drinking anything.

Writing a HOWTO for what? Don't get it...

I have been working with security on several platforms since 1990. Have been on OpenBSD since 2.6. You of all, Peter, should know that it's always a tradeoff between security, ease of use and the importance of the content. I have done that tradeoff and therefore come up with this solution. I can build my own code for this, but posted to see if there was already something built.

Claudio's comment is not relevant. See reply to Bret S. Lambert.

/Per-Olov

>
> grmpf,
> Peter
> -- 
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: PF log parser and dynamic PF rules...
On 16 feb 2010, at 11.17, Bret S. Lambert wrote:

>>> There is a way to do port knocking in pf without any external help. Maybe
>>> you can figure it out. I will not give more hints since port knocking is a
>>> dumb idea; better spend your time reading on authpf(8).
>>>
>>> -- 
>>> :wq Claudio
>>>
>>
>> How do you use authpf from an iPhone or similar...
>>
>> The reason is to use an RSS reader that cannot authenticate. I want some sort
>
> An RSS reader that can't authenticate, but can ping a series of TCP/IP ports?

Where did you get that from? I didn't say it could... No but all devices with an RSS client, even phones, have a web browser that can have a bookmarked IP and obscure port.

>
>> of security for it even though it's not critical. Therefore I want to just have
>
> That word you keep using...I don't think it means what you think it means.
> Unless you've got a mechanism to randomize the ports on every port-knocking
> attempt, you're essentially using a plaintext password on the internet.
>

No one said anything about a password.. From where did you get that? I don't have a plain text password. I don't even have a password at all, as RSS readers with auth are not widely spread at all. So I don't have any auth... Just access through IP. My data is not that critical, but as said I want to limit access a little bit by forcing the clients to first open their browser and access a specific IP and a specific port. Then PF should trigger on that block in PF and open from the client IP to the RSS server. Of course a client can sit behind NAT and therefore give access to many computers. But again, the data is not that critical. And it's not likely they will guess the link.

/Per-Olov

-- 
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4
Re: PF log parser and dynamic PF rules...
>> There is a way to do port knocking in pf without any external help. Maybe
>> you can figure it out. I will not give more hints since port knocking is a
>> dumb idea; better spend your time reading on authpf(8).
>>
>> -- 
>> :wq Claudio
>>
>
> How do you use authpf from an iPhone or similar...
>
> The reason is to use an RSS reader that cannot authenticate. I want some sort

An RSS reader that can't authenticate, but can ping a series of TCP/IP ports?

> of security for it even though it's not critical. Therefore I want to just have

That word you keep using...I don't think it means what you think it means.
Unless you've got a mechanism to randomize the ports on every port-knocking
attempt, you're essentially using a plaintext password on the internet.
Re: PF log parser and dynamic PF rules...
On 16 feb 2010, at 11.11, Lars Nooden wrote:

> http://rsug.itd.umich.edu/software/fugu/

Nope. Can't see that these will work on all phones and computers seamlessly with ease of use for the users.

The reason for the post was just to see if there are already any tools for this purpose, which is to have a log trigger in the PF logfile or its pflog0 device.

/Per-Olov
Re: PF log parser and dynamic PF rules...
Per-Olov Sjöholm writes:

> How do you use authpf from an iPhone or similar...

There are ssh clients for iPhones, just look in the app store. The one I ended up installing has gone up in price it seems to (shock, horror) NOK 35 (about USD 6), but I see one at NOK 6 (about a dollar).

And of course for obscurity, you can set up the sshd on a non-standard port.

Then again, Claudio's comment happens to be true, and now I guess some kid will actually figure it out, implement and write a HOWTO. Good thing I wasn't eating or drinking anything.

grmpf,
Peter
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: PF log parser and dynamic PF rules...
On 16 feb 2010, at 11.04, Floor Terra wrote:

> Why not require an authentication token in the url?
>
> On 16 Feb 2010 10:59, "Per-Olov Sjöholm" wrote:
>
> On 16 feb 2010, at 10.40, Claudio Jeker wrote:
>
>> On Tue, Feb 16, 2010 at 10:22:04AM +0100, Per-Olov...
>
> How do you use authpf from an iPhone or similar...
>
> The reason is to use an RSS reader that cannot authenticate. I want some sort
> of security for it even though it's not critical. Therefore I want to just have
> a trigger in the PF log. To try to find an SSH client to use authpf for all RSS
> client capable phones is not an option.
>
>
> /Per-Olov
>

Yes, that is better, but then I have to check web server logs, enable relayd or so. Maybe that will be the next step after this. But still... as a _test_ I just want to check PF blocks as a port knocker.

/Per-Olov
Re: PF log parser and dynamic PF rules...
Per-Olov Sjöholm wrote:
> How do you use authpf from an iPhone or similar...

Probably Fugu or Cyberduck or, if you can get a shell, plain openssh, as Fugu is a UI for the client.

http://rsug.itd.umich.edu/software/fugu/
http://cyberduck.ch/

/Lars
Re: PF log parser and dynamic PF rules...
Why not require an authentication token in the url?

On 16 Feb 2010 10:59, "Per-Olov Sjöholm" wrote:

On 16 feb 2010, at 10.40, Claudio Jeker wrote:
> On Tue, Feb 16, 2010 at 10:22:04AM +0100, Per-Olov...

How do you use authpf from an iPhone or similar...

The reason is to use an RSS reader that cannot authenticate. I want some sort of security for it even though it's not critical. Therefore I want to just have a trigger in the PF log. To try to find an SSH client to use authpf for all RSS client capable phones is not an option.

/Per-Olov
Re: PF log parser and dynamic PF rules...
On 16 feb 2010, at 10.40, Claudio Jeker wrote:

> On Tue, Feb 16, 2010 at 10:22:04AM +0100, Per-Olov Sjöholm wrote:
>> Hi "misc"
>>
>> I am looking for a tool to use as a trigger for dynamically opening PF ports from
>> certain IPs.
>>
>> I will access non critical info but want at least a port knocker as security.
>>
>> If I access an IP on my DMZ that is not in use on a port that is fake I want
>> to dynamically add a PF rule for a totally different purpose. Let's say I
>> access http://1.2.3.4:45321 which is blocked and logged in PF, what is the
>> easiest way to create a trigger from the PF log or the PF log device?
>>
>> A cron job with grep in the PF log and then run pfctl to add the rule is from
>> many points of view a bad choice... I don't want to dig through the PF log as
>> it can be huge, and I don't want to use a cron job as it takes too long..
>>
>
> There is a way to do port knocking in pf without any external help. Maybe
> you can figure it out. I will not give more hints since port knocking is a
> dumb idea; better spend your time reading on authpf(8).
>
> -- 
> :wq Claudio
>

How do you use authpf from an iPhone or similar...

The reason is to use an RSS reader that cannot authenticate. I want some sort of security for it even though it's not critical. Therefore I want to just have a trigger in the PF log. To try to find an SSH client to use authpf for all RSS client capable phones is not an option.

/Per-Olov
Re: PF log parser and dynamic PF rules...
On Tue, Feb 16, 2010 at 10:22:04AM +0100, Per-Olov Sjöholm wrote:
> Hi "misc"
>
> I am looking for a tool to use as a trigger for dynamically opening PF ports from
> certain IPs.
>
> I will access non critical info but want at least a port knocker as security.
>
> If I access an IP on my DMZ that is not in use on a port that is fake I want
> to dynamically add a PF rule for a totally different purpose. Let's say I
> access http://1.2.3.4:45321 which is blocked and logged in PF, what is the
> easiest way to create a trigger from the PF log or the PF log device?
>
> A cron job with grep in the PF log and then run pfctl to add the rule is from
> many points of view a bad choice... I don't want to dig through the PF log as
> it can be huge, and I don't want to use a cron job as it takes too long..
>

There is a way to do port knocking in pf without any external help. Maybe you can figure it out. I will not give more hints since port knocking is a dumb idea; better spend your time reading on authpf(8).

-- 
:wq Claudio
Re: PF log parser and dynamic PF rules...
On Tue, Feb 16, 2010 at 10:22:04AM +0100, Per-Olov Sjöholm wrote:
> Hi "misc"
>
> I am looking for a tool to use as a trigger for dynamically opening PF ports from
> certain IPs.
>
> I will access non critical info but want at least a port knocker as security.
>
> If I access an IP on my DMZ that is not in use on a port that is fake I want
> to dynamically add a PF rule for a totally different purpose. Let's say I
> access http://1.2.3.4:45321 which is blocked and logged in PF, what is the
> easiest way to create a trigger from the PF log or the PF log device?
>
> A cron job with grep in the PF log and then run pfctl to add the rule is from
> many points of view a bad choice... I don't want to dig through the PF log as
> it can be huge, and I don't want to use a cron job as it takes too long..
>
> Any suggestions appreciated.
>

Seriously, though: Why are you so interested in reimplementing authpf, but doing it badly?

>
> Thanks in advance
> /Per-Olov
Re: PF log parser and dynamic PF rules...
> I will access non critical info but want at least a port knocker as security.

s/security/inappropriate self-touching/
PF log parser and dynamic PF rules...
Hi "misc"

I am looking for a tool to use as a trigger for dynamically opening PF ports from certain IPs.

I will access non critical info but want at least a port knocker as security.

If I access an IP on my DMZ that is not in use on a port that is fake I want to dynamically add a PF rule for a totally different purpose. Let's say I access http://1.2.3.4:45321 which is blocked and logged in PF, what is the easiest way to create a trigger from the PF log or the PF log device?

A cron job with grep in the PF log and then run pfctl to add the rule is from many points of view a bad choice... I don't want to dig through the PF log as it can be huge, and I don't want to use a cron job as it takes too long..

Any suggestions appreciated.

Thanks in advance
/Per-Olov
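For the trigger the post above asks for (reacting to the logged block on 1.2.3.4:45321 by reading the pflog device, instead of a cron job grepping the log file), here is an added shell example. It is not code from this thread, from Per-Olov or from OpenBSD. The pf.conf fragment in the header comment, the names ext_if, rss_srv and <knocked>, the interface em0, the RSS host address and the sample pflog lines are all assumed or constructed for the example; only the decoy address and port come from the post.

```shell
#!/bin/sh
# knockwatch.sh (added example, not code from the thread). tcpdump reads
# pflog0, each blocked SYN to the decoy port is parsed, and the source
# address is put in a PF table that a pass rule trusts.
#
# Assumed pf.conf fragment (ext_if, rss_srv and <knocked> are hypothetical
# names; 1.2.3.4:45321 is the decoy from the post; a default "block"
# policy is assumed to sit above these rules):
#
#   ext_if  = "em0"
#   rss_srv = "10.0.0.5"
#   table <knocked> persist
#   # decoy knock port: dropped, but logged so the watcher sees it
#   block in log on $ext_if proto tcp to 1.2.3.4 port 45321
#   # only sources that knocked may reach the RSS server
#   pass in on $ext_if proto tcp from <knocked> to $rss_srv port 80

KNOCK_PORT=45321
PF_TABLE=knocked
KNOCK_TTL=3600   # seconds a knocked address stays in the table

# Constructed sample lines in the shape of "tcpdump -n -e -l -i pflog0"
# output (-e prints the pflog header: rule, action, direction, interface).
SAMPLE_KNOCK='10:22:04.123456 rule 4/(match) block in on em0: 203.0.113.7.51234 > 1.2.3.4.45321: S 10:10(0) win 65535'
SAMPLE_OTHER_PORT='10:22:05.001122 rule 2/(match) block in on em0: 198.51.100.9.40000 > 1.2.3.4.22: S 20:20(0) win 65535'
SAMPLE_PASSED='10:22:06.555555 rule 7/(match) pass in on em0: 203.0.113.7.51300 > 1.2.3.4.45321: S 30:30(0) win 65535'

# knock_src LINE: print the source IPv4 address if LINE is an inbound packet
# that PF *blocked* and whose destination port is KNOCK_PORT; print nothing
# otherwise. Only blocked packets count, so a packet a later "pass" rule let
# through (or a line for another action) does not open access.
knock_src() {
    printf '%s\n' "$1" | awk -v port="$KNOCK_PORT" '
        / block in on / {
            for (i = 1; i <= NF; i++) if ($i == ">") break
            if (i >= NF) next                 # no "src > dst" pair found
            src = $(i - 1); dst = $(i + 1)
            sub(/:$/, "", dst)                # "1.2.3.4.45321:" -> "1.2.3.4.45321"
            n = split(src, s, ".")
            m = split(dst, d, ".")
            if (n == 5 && m == 5 && d[5] == port)
                print s[1] "." s[2] "." s[3] "." s[4]
        }'
}

# open_for SRC: add SRC to the PF table; pfctl is the only privileged step.
open_for() {
    pfctl -t "$PF_TABLE" -T add "$1" >/dev/null 2>&1 &&
        logger -t knockwatch "opened RSS access for $1"
}

# expire_knocks: drop table entries older than KNOCK_TTL seconds
# (pfctl -T expire counts from the time an entry was added unless its
# statistics were cleared since).
expire_knocks() {
    pfctl -t "$PF_TABLE" -T expire "$KNOCK_TTL" >/dev/null 2>&1
}

# watch_pflog: the long-running loop. -l line-buffers tcpdump so a knock is
# acted on at once; the BPF filter keeps everything but the decoy port out
# of the pipe, which is what makes this cheaper than grepping a big log.
watch_pflog() {
    tcpdump -n -e -l -i pflog0 "tcp and dst port $KNOCK_PORT" |
    while IFS= read -r line; do
        src=$(knock_src "$line")
        [ -n "$src" ] || continue
        open_for "$src"
        expire_knocks
    done
}

# Start the watcher only when run as "knockwatch.sh run" (root is needed for
# pflog0 and pfctl); sourcing the file just defines the functions.
if [ "${1:-}" = run ]; then
    watch_pflog
fi
```

What this does not change is the point Bret and Claudio make in the thread: the knock is one fixed port sent in the clear, so anyone who sees the traffic, or who scans the decoy address, gets the same entry in the table, and because the table holds addresses, a knock from behind NAT admits that whole network. The expire call keeps each opening short, and the watcher only reacts to packets PF actually blocked, so the decoy rule must stay a logged block rule.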