Thursday, September 14, 2017

Encrypt your LAN with IPsec (OpenBSD)

Note: Your feedback is welcome. Please leave a comment at the bottom.


IPsec is often used for Virtual Private Networks (VPN) but can also be used between computers on a local network. IPsec provides encryption and authentication and prevents replay attacks.

Some protocols are useful but don't have great security, like NFS, NIS, and SNMP. You can run them securely if your LAN is secured with IPsec.

OpenBSD supports IPsec natively, as well as version 1 of the Internet Key Exchange (IKE) protocol. OpenIKED supports IKEv2 but doesn't support transport mode, meaning it can only be used for VPNs, so we'll use IKEv1 here.

Here's how to configure two computers to use IPsec to talk to each other. We'll use public keys (without X.509 certificates, for simplicity).

Host ipsecone (10.0.2.4)


# cat << EOF > /etc/ipsec.conf
ike active esp transport from 10.0.2.4 to 10.0.2.5 \
  main auth hmac-sha1 enc aes \
  quick auth hmac-sha2-256 enc aes 
EOF
# chmod 640 /etc/ipsec.conf

# cd /etc/isakmpd/pubkeys/ipv4
# scp notRoot@10.0.2.5:/etc/isakmpd/local.pub 10.0.2.5 `# copy remote's public key`

# rcctl enable ipsec
# rcctl enable isakmpd
# rcctl set isakmpd flags "-KTv" `#K = use ipsec.conf for configuration, T = disable NAT traversal, v = verbose logging`

# ipsecctl -vf /etc/ipsec.conf  `# start ipsec, or reboot`
# rcctl start isakmpd

Host ipsectwo (10.0.2.5)


# cat << EOF > /etc/ipsec.conf
ike active esp transport from 10.0.2.5 to 10.0.2.4 \
  main auth hmac-sha1 enc aes \
  quick auth hmac-sha2-256 enc aes 
EOF
# chmod 640 /etc/ipsec.conf

# cd /etc/isakmpd/pubkeys/ipv4
# scp notRoot@10.0.2.4:/etc/isakmpd/local.pub 10.0.2.4 `# copy remote's public key`

# rcctl enable ipsec
# rcctl enable isakmpd
# rcctl set isakmpd flags "-KTv" `#K = use ipsec.conf for configuration, T = disable NAT traversal, v = verbose logging`

# ipsecctl -vf /etc/ipsec.conf  `# start ipsec, or reboot`
# rcctl start isakmpd


Testing

On ipsecone, run # tcpdump host 10.0.2.5

On ipsectwo, run # ping 10.0.2.4

On ipsecone, you should see "esp" and "spi" in your tcpdump output
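Looking for "esp" by eye works for a ping, but the thing you actually want to know is whether anything between the two peers is still leaving in the clear. The script below is an added example, not part of the original post: it reads tcpdump output and lists every packet between the two peer addresses that is neither ESP nor IKE (isakmp on UDP 500, which is plaintext by design). The capture lines are constructed to look like OpenBSD tcpdump output with timestamps and -n; PEER_A and PEER_B are assumptions matching this post's hosts.

```sh
#!/bin/sh
# Added example (not from the original post): audit a tcpdump capture taken on
# one IPsec peer and report any packet between the two peers that is NOT carried
# in ESP. IKE (isakmp, UDP 500) is expected in the clear; anything else that is
# not "esp" means that flow is not being protected by the transport-mode SA.

PEER_A=10.0.2.4
PEER_B=10.0.2.5

# Constructed lines shaped like OpenBSD "tcpdump -n" output (not a real capture).
# The SSH line is to a third host and must be ignored; the last line is a
# plaintext ICMP echo between the peers, which the check must catch.
SAMPLE='12:00:01.000001 10.0.2.5.500 > 10.0.2.4.500: isakmp v1.0 exchange ID_PROT
12:00:01.100002 esp 10.0.2.5 > 10.0.2.4 spi 0x0d3c5a7b seq 1 len 132
12:00:01.100003 esp 10.0.2.4 > 10.0.2.5 spi 0x9e21f004 seq 1 len 132
12:00:01.200004 10.0.2.4.22 > 10.0.2.9.51022: P 1:2(1) ack 1 win 256
12:00:02.000005 10.0.2.5 > 10.0.2.4: icmp: echo request'

# list_plaintext: read tcpdump lines on stdin and print those between PEER_A and
# PEER_B that are neither ESP nor IKE. Traffic involving any other host is ignored.
# With timestamps present, "esp" is the second field of an ESP line.
list_plaintext() {
    awk -v a="$PEER_A" -v b="$PEER_B" '
        # require both peer addresses as whole tokens (followed by ".port", ":" or a space)
        $0 !~ ("(^| )" a "[.: ]") || $0 !~ ("(^| )" b "[.: ]") { next }
        $2 == "esp" { next }   # ESP-encapsulated: this is what we want to see
        /isakmp/    { next }   # IKE negotiation is plaintext by design
        { print }              # anything left is unprotected peer-to-peer traffic
    '
}

# count_plaintext: number of offending packets; 0 means everything seen between
# the peers was ESP or IKE.
count_plaintext() {
    list_plaintext | awk 'END { print NR }'
}

# On a live OpenBSD host you would feed it "tcpdump -l -n host 10.0.2.5 | list_plaintext".
# Here it runs over the constructed sample.
printf '%s\n' "$SAMPLE" | list_plaintext
printf 'plaintext packets between peers: %s\n' "$(printf '%s\n' "$SAMPLE" | count_plaintext)"
```

A non-zero count right after "ipsecctl -vf" usually means the flow was loaded but IKE has not yet produced an SA (check /var/log/daemon), or that one side's "from"/"to" addresses do not match the other's.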

Logging

You can see IPsec / IKE log output at /var/log/daemon

Wednesday, September 6, 2017

Monitor a remote computer securely using SNMP (OpenBSD)

The Simple Network Management Protocol (SNMP) lets you query a computer for system monitoring info, like uptime and hard drive capacity

OpenBSD has an SNMP server built in (snmpd), as well as an SNMP client (snmpctl)

OpenBSD includes SNMP info ("mibs") for CARP, relayd, and pf as well as the standard ones

The OpenBSD client is limited to version 2 of SNMP, so we'll use net-snmp, which supports version 3 and therefore authentication and encryption. There's a package for that.

Server (10.0.2.35)

# cat /etc/snmpd.conf

listen on 10.0.2.35
seclevel enc
user "snmp" authkey "s3cr3t00" enckey "s3cr3t00" enc aes auth hmac-sha1

# chown root:_snmpd /etc/snmpd.conf `# root is owner, _snmpd is group`
# chmod u=w,g=r,o= /etc/snmpd.conf `# root write, _snmpd read, other nothing`
# rcctl enable snmpd
# rcctl start snmpd

Need to check your config?

# snmpd -n

Need to debug snmpd?

# snmpd -dvv
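Every one of these configs (snmpd.conf with its authkey and enckey, the client's snmp.conf, ipsec.conf, ldapd.conf) holds a secret, and the chmod above is what keeps other local users from reading it. The script below is an added example, not part of the original post, that audits a list of such files for the o+r bit; the file list is assumed from the paths used in this post. It uses find -perm rather than stat because stat's flags differ between OpenBSD and Linux.

```sh
#!/bin/sh
# Added example (not from the original post): report configuration files that
# hold credentials but are readable by "other". The paths are the ones used in
# this post; adjust the list for your own host.

SECRET_FILES="/etc/snmpd.conf /etc/snmp/snmp.conf /etc/ipsec.conf /etc/ldapd.conf"

# world_readable FILE...: print each existing file whose mode has the o+r bit set.
# "find -perm -004" is POSIX and avoids stat(1), whose flags differ between
# OpenBSD (-f) and GNU (-c). -prune stops find descending if FILE is a directory.
world_readable() {
    for f in "$@"; do
        [ -e "$f" ] || continue
        find "$f" -prune -perm -004 -print
    done
}

# audit_secret_files FILE...: return 0 if none of the files is world-readable,
# otherwise list the offenders and return 1.
audit_secret_files() {
    bad=$(world_readable "$@")
    if [ -n "$bad" ]; then
        printf 'world-readable secret files:\n%s\n' "$bad"
        return 1
    fi
    return 0
}

if audit_secret_files $SECRET_FILES; then
    echo "ok: no world-readable secret files"
fi
```

Run it as root from cron if you want to be told when a package upgrade or a careless edit puts the permissions back to 644.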

Client

# pkg_add net-snmp
# cat /etc/snmp/snmp.conf

defSecurityName snmp
defSecurityLevel authPriv
defPassphrase "s3cr3t00"
defAuthType SHA
defPrivType AES

# chown root:wheel /etc/snmp/snmp.conf `# root is owner, wheel is group`
# chmod u=w,g=r,o= /etc/snmp/snmp.conf `# root write, wheel read, other nothing`
# snmpwalk 10.0.2.35 | less `# shows much info from remote system`

Forward syslogs to a central server using TLS (OpenBSD)

Syslogd runs by default on OpenBSD and is used to collect log messages on a host

You can see (some of) the logs using

$ tail /var/log/messages

And you can add a message using

$ logger 'hello'

Say you have dozens or hundreds of servers. You don't want to login to each one and look at each log. Instead, it makes sense to forward them to a central server. It's also safer, as it makes it more difficult for a hacker to hide his tracks.

We don't want to send potentially sensitive logs in plain text, so we'll use TLS

Server (10.0.2.35 aka 'loghost')

# cd /etc/ssl/private
# openssl genrsa -out loghost.key 2048 `# generate 2048-bit RSA key`
# openssl req -x509 -new -key loghost.key -out ../loghost.crt -days 365 `# generate cert. set common name to loghost`
# echo '10.0.2.35 loghost' >> /etc/hosts
# rcctl set syslogd flags "-S loghost" `# -S means use TLS`
# rcctl restart syslogd
# tail -f /var/log/messages `# watch for syslog messages`

Client (10.0.2.36 aka 'logclient')


Add to /etc/syslog.conf:

*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none  @tls://loghost
auth,daemon,syslog,user.info;authpriv,kern.debug  @tls://loghost

# echo '10.0.2.35 loghost' >> /etc/hosts
# scp nonRootSSHUser@loghost:/etc/ssl/loghost.crt /etc/ssl/trusted.crt `# copy the cert from server`
# rcctl set syslogd flags "-h -C /etc/ssl/trusted.crt" `# use hostnames instead of IPs and set the TLS trust store`
# rcctl restart syslogd
# logger hello from logclient `# you should see this on loghost`
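A single "@loghost" left over from an older config, or a typo in a selector, silently undoes the TLS setup: syslogd forwards that rule in plain UDP, or skips it. The script below is an added example, not part of the original post: it audits a syslog.conf for remote actions that are not "@tls://" and for selector parts containing more than one dot (facility names cannot contain one, so "authpriv.kern.debug" is a mistake where "authpriv,kern.debug" was meant). The sample configuration is constructed; its first two rules are the ones from this post, the rest are deliberate mistakes.

```sh
#!/bin/sh
# Added example (not from the original post): audit a syslog.conf for rules
# that would send logs in the clear or that are malformed. On OpenBSD an action
# of "@host" is plain UDP and "@tcp://host" is plain TCP; only "@tls://host" is
# encrypted.

# Constructed sample configuration (not the post's file). Fields are separated
# by spaces here; OpenBSD syslogd accepts tabs or spaces.
SAMPLE_CONF='# comment lines and blanks are ignored
*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none   @tls://loghost
auth,daemon,syslog,user.info;authpriv,kern.debug          @tls://loghost
kern.debug;syslog,user.info                               /var/log/messages
*.err                                                     @loghost
mail.info                                                 @tcp://loghost:514
auth,daemon,syslog,user.info;authpriv.kern.debug          @tls://loghost'

# audit_syslog_conf: read syslog.conf on stdin and print one line per problem,
# prefixed PLAINTEXT (unencrypted forwarding) or SELECTOR (malformed selector).
audit_syslog_conf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        /^[!+-]/                 { next }   # program and host blocks: out of scope here
        {
            sel = $1; act = $2
            # a selector is "facilities.level;facilities.level;..." where the
            # facilities are comma-separated, so each part has exactly one dot
            n = split(sel, parts, ";")
            for (i = 1; i <= n; i++)
                if (gsub(/\./, ".", parts[i]) != 1)
                    print "SELECTOR: " parts[i] " in rule: " $0
            # a remote action is only private on the wire if it uses tls://
            if (act ~ "^@" && act !~ "^@tls://")
                print "PLAINTEXT: " act " in rule: " $0
        }
    '
}

# count_findings: number of problems found in the config on stdin.
count_findings() {
    audit_syslog_conf | awk 'END { print NR }'
}

# On a real host: audit_syslog_conf < /etc/syslog.conf
printf '%s\n' "$SAMPLE_CONF" | audit_syslog_conf
```

On the sample this prints two PLAINTEXT findings (the "@loghost" and "@tcp://" rules) and one SELECTOR finding; a clean config prints nothing.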

If you need to debug syslogd, run /usr/sbin/syslogd -d

Friday, August 25, 2017

Setting up OpenBSD's LDAP Server (ldapd) with StartTLS and SASL

OpenBSD has its own LDAP server, ldapd. Here's how to configure it for use with StartTLS and SASL authentication

I don't cover common LDAP operations, like adding users, as that's covered well elsewhere

Server (ldapserver / 10.0.2.35)


1. Create a self-signed TLS certificate

# cd /etc/ldap/certs
# openssl genrsa -out ldapserver.key 2048
# openssl req -x509 -new -key ldapserver.key -out ldapserver.crt -days 365
# `# enter ldapserver as the common name`

Configure ldapd:

# touch /etc/ldapd.conf
# chmod o-r /etc/ldapd.conf 
# cat /etc/ldapd.conf

schema "/etc/ldap/core.schema"
schema "/etc/ldap/inetorgperson.schema"
schema "/etc/ldap/nis.schema"

listen on lo0 tls certificate ldapserver
listen on em0 tls certificate ldapserver
listen on "/var/run/ldapi"

Check your configuration:

# /usr/sbin/ldapd -n
configuration ok

Enable and start ldapd:

# rcctl enable ldapd
# rcctl start ldapd
ldapd(ok)

Copy the cert to /tmp so we can scp it as not root from the client:

# cp /etc/ldap/certs/ldapserver.crt /tmp

Need to debug ldapd?

# /usr/sbin/ldapd -d -vv
# ldapctl log verbose

Client

Trust the server's certificate:

# echo '10.0.2.35    ldapserver' >> /etc/hosts
# scp notRoot@ldapserver:/tmp/ldapserver.crt /tmp/ldapserver.crt `# scp can't write to a redirect, so copy first`
# cat /tmp/ldapserver.crt >> /etc/ssl/trusted.crt `# then append it to the trust store`

Install openldap-client (this installs cyrus-sasl as well):

# pkg_add openldap-client

Configure it:

# cat /etc/openldap/ldap.conf
TLS_CACERT    /etc/ssl/trusted.crt

Start saslauthd

# rcctl enable saslauthd
# rcctl start saslauthd
saslauthd(ok)

Connect to ldapd (-ZZ means force TLS, use -H to specify URI):

# ldapsearch -H ldap://ldapserver -ZZ
SASL/PLAIN authentication started
Please enter your password:

Need to debug saslauthd?

# /usr/local/sbin/saslauthd -a getpwent  -d

Need to debug OpenLDAP client?

# ldapsearch -d1 -v -ZZ
# ldapadd -d1 -v -ZZ