Building Firewalls With OpenBSD And PF, 2nd Edition (2003)
.pdfSection 11.4: The Secret Life of Logs |
227 |
|
|
sary, rename it, create an empty /var/log/p•og, and compress the old /var/log/p•og with gzip(1). The name of the archived log begins with the original log Œlename and ends with the 0.gz sufŒx. So, /var/log/p•og becomes /var/log/p•og.0.gz and syslogd(8) can begin Œlling up /var/log/p•og again. The whole cycle repeats every hour, and when newsyslog(8) decides that /var/log/p•og is ready to be archived again, it will rename
/var/log/p•og.0.gz to /var/log/p•og.1.gz and repeat the steps described earlier.
At any given point in time, your Œrewall will store up to four p•og archives. When a new archive is created, the archive with the highest number (p•og.3.gz) is overwritten with the younger archive, (p•og.2.gz). You can check the times when they were created in the following way:
# ls -l /var/log/pflog* |
|
|
|
||
-rw------- |
1 |
root wheel |
268582 May 27 11:37 pflog |
||
-rw------- |
1 |
root wheel |
1993502 |
May 27 |
10:59 pflog.0.gz |
-rw------- |
1 |
root wheel |
1220902 |
May 27 |
10:00 pflog.1.gz |
-rw------- |
1 |
root wheel |
1625010 |
May 27 |
08:58 pflog.2.gz |
-rw------- |
1 |
root wheel |
1334018 |
May 27 |
08:00 pflog.3.gz |
On Œrewalls servicing busy networks, the best we can hope for is a fourhour snapshot of the trafŒc. If we want to extend that time, we have two choices: either modify the newsyslog entry in crontab, or edit the
/etc/newsyslog.conf entry for p•og.
Editing crontab allows us to only change the delay between consecutive newsyslog runs; the longer the delay, the larger the logs and their archives will be. The procedure is quite simple. Do (as root):
# crontab -e -u root
and change:
# rotate log files every hour, if necessary
0 * * * * /usr/bin/newsyslog
to:
# rotate log files every two hours, if necessary
0-23/2 * * * /usr/bin/newsyslog
228 |
Chapter 11: Logging and Log Analysis |
|
|
Then press Esc and type :x followed by a hit on the Enter/Return key on your keyboard. Cron(8) will run newsyslog(8) every two hours, keeping an eight-hour snapshot of the trafŒc. (Changing the value of the hour Œeld to 0-23/6 would give us a 24-hour snapshot of the trafŒc. For additional information on cron read man cron, man crontab, and man 5 crontab.) The Œles will be larger, but there will still be a limit on the number of p•og archives kept in /var/log.
If you want to change the number of archives newsyslog keeps in /var/log, or increase their size without affecting all other logs, you need to get familiar with /etc/newsyslog.conf, the conŒguration Œle for newsyslog(8). Open /etc/newsyslog.conf in a text editor (vi(1) will do nicely) and locate the following lines:
# logfilename owner.group mode ngen size time [ZB] /var/log/pflog 600 3 250 * ZB /var/run/pflogd.pid
As you can see, the owner.group Œeld is empty, which means that the archives of p•og will be owned by the user running newsyslog(8) (typically root). You could consider changing the owner and the group to a different user, if you have plans to automate the downloading of p•ogs to another workstation for later analysis. Why not just log in as root and download the archives? Because you cannot be sure that your network is internally secure unless you have control over all machines on it. And even then, there is (however remote) a possibility that you may download rogue code that snoops on your network. But it is better to leave that setting alone and write a script that copies the archives to another place, changing its owner and permissions.
The mode Œeld speciŒes the write, read, and execute privileges. The default 600 (owner can read and write) is a good choice and should be left alone. The highest number a log archive can have is set in the ngen Œeld. The default value is 3, which tells newsyslog(8) to keep at most 4 (0 - 3) p•og archives. If you wanted to keep more, say 24 archives, you'd need to set it to 23. This increases the time required to complete the whole procedure of log rotation, so do not go overboard.
The size Œeld deŒnes the minimum size (in kilobytes) of the log Œle that qualiŒes it for archiving. The default setting is 250 kilobytes. Increasing its value will result in longer delays between log rotations; decreasing it
Section 11.5: Bandwidth and Disk Space Requirements |
229 |
|
|
will result in more frequent rotation of logs, quite possibly at every newsyslog(8) run. Next we encounter the time Œeld, set by default to *, which tells newsyslog(8) to ignore it. Should you set it to 1, it will rotate p•og, if the last log rotation was done one or more hours ago. This setting overrides the values in the size Œeld. The [ZB] •ags Œeld and the pid Œle options should be left alone (you can learn more about them from man newsyslog).
OK. So now you know how the operating system keeps an eye on the logs so they don't cause trouble. What if you want to archive them for longer than newsyslog(8) settings allow? There are two solutions: one is to write a script that runs 10-15 minutes after newsyslog(8) and checks to see if the scripts have been rotated, then stores them in a safe place (possibly on another machine); the other is to set up a log monitoring station on a separate local network segment (not the one used by ordinary users, nor the DMZ segment). Such station ought to have two Ethernet cards: one for receiving packets sent to it by rules that use the dup-to keywords (see Chapter 8, Packet Filtering); another for the system administrator to log on the logging station. The logging station ought to be running pf(4) with a ruleset that blocks and logs all inbound packets. A script running at regular intervals can check for new archived logs, mark them with a time stamp and move to another location on the logging station or write them to a CD-R, tape, or another external storage device.
Why go to such lengths? Well, if you are running a network where you store or process highly valuable information, or you run a site that may become a target of an attack because of the content it serves, you should not take chances. If you store logs on the Œrewall or on another machine on the network protected by that Œrewall and your defenses are compromised, malicious hackers will want to cover their steps and remove the information about their visit from the system and pf(4) logs.
11.5 Bandwidth and Disk Space Requirements
How big a log partition or disk should be? That largely depends on the amount of data you want to store. The upper limit can be computed using this formula:
max. speed of the interface (Mbps) ´ 24 ´ 3600
8
230 |
Chapter 11: Logging and Log Analysis |
|
|
So, if you wanted to compute the amount of space needed to store logs arriving on a 100Mbps interface on the monitoring station over a period of 24 hours, you'd need a rather large partition or disk (note that 1MB is assumed to be 1024KB, not 1000KB):
100 ´ 24 ´ 3600 = 1080000MB = 1055GB = 1. 1TB 8
Wow! That's a lot of data to play with! You might have a problem, because you cannot buy a 1.1 TB disk today although there are news of 200GB disks, so that day may be nearer than one might think. But don't worry. If you absolutely need that kind of capacity, you can build or buy a RAID array to handle it. Another problem is disk subsystem bandwidth. If your disk cannot write information fast enough, the performance of the Œrewall and the network connection suffers. Suddenly, the performance of the I/O subsystem begins to affect the performance of an otherwise very capable Œrewall machine.
In practice, you are unlikely to saturate such link, at least on a small or medium sized network, because (a) the Œrewall machine probably cannot send data fast enough, (b) the monitoring station cannot receive data at that rate, and (c) the trafŒc on your network does not reach the 100Mbps limit.
But even if it was nearer 600GB, we'd still have a problem. We can solve it in several ways:
ƒUse a RAID array to store data. A pure brute force hardware/software solution. May be necessary on high-risk sites or when logs are monitored in real-time by NIDS software, which can take some automated actions.
ƒKeep less data on the disk by moving it to a tape, CD-R or CD-RW. Requires fast and automated backup hardware. Expensive.
ƒLog less data. Not possible in all cases.
ƒUse separate logging stations for each subnet. Spreads the load, increases complexity.
The Œrst solution is based on a hardware, simply buy enough disks to hold as much data as you need and conŒgure them in a way that suits your needs (man raidctl for more information or look it up in [Artymiak, 2000]).
The second solution still requires a large disk, but not as large as 1.1TB. If your Œrewall was really receiving 1.1TB of data in a day, it would require a
Section 11.5: Bandwidth and Disk Space Requirements |
231 |
|
|
modest 44GB of data in an hour. A 100GB disk could, therefore, hold the current log plus data from the last hour. That old log ought to be written to an external storage device before the current log closes and is rotated. That should not be a problem, if you own a fast tape streamer capable of recording up to 44GB of data per hour. Other storage media, such as CD-R, CD-RW, DVD-R, or optical disks are just not fast enough or cannot hold enough data. But this is theory and one cannot realistically expect a small or medium sized network to have such resources. And they probably do not have to, because the amount of trafŒc logged will be much lower. How much? Well, the answer to that question has to be found by the administrator who will watch the amount of trafŒc on the monitoring station's interface over a period of a few weeks.
A far less expensive, and much saner, solution for those networks that do not need to log all trafŒc, is optimization of the pf(4) logging setup. Instead of logging all trafŒc on all interfaces, you can only log trafŒc entering and leaving the external interface. That should be good enough for catching most of the interesting trafŒc and will make log analysis and storage more manageable.
To see how much storage space we'll need this time, we'll use our magic formula again, using a fast ADSL modem as an example. Suppose it is a 7 (downlink) / 3 (uplink) Mbps model:
7 ´ 24 ´ 3600 = 75600MB = 74GB 8
Now, 74GB of data per day is certainly more manageable than 1.1TB. Furthermore, the external interface is never working at 100% of its maximum transfer rate, and we can safely assume that we need a paltry 40GB (or less) of space to store uncompressed trafŒc logged over a period of 24 hours. A 100GB disk will hold two days worth of data plus enough space for another 12 hours. That is enough data to get a very good view of suspicious activities. Also, 40GB is well within capacity of inexpensive modern DDS/DAT streamers.
What's more, if we tell pf(4) to log only incoming packets, we further decrease the amount of space needed to log trafŒc. Just how much of a saving it will be depends on the patterns of usage of our network. If the amount of outbound trafŒc passing though the external interface is a signiŒcant
232 |
Chapter 11: Logging and Log Analysis |
|
|
portion of the overall trafŒc on that interface, the savings might be substantial; otherwise, they might not be noticeable.
1.6 Logging on a Bridge (Span Ports)
When you run your OpenBSD box, you can easily log trafŒc passing through it to an external machine with span ports, a feature of bridge(4), which lets you conŒgure one of the interfaces to transmit a copy of every packet received by the bridge.
You can conŒgure an interface as a span port with the following command added to the appropriate /etc/bridgename.if Œle:
addspan rl2
For more information, consult brconŒg(8) and bridgename.if(5), and Chapter 4, ConŒguring OpenBSD.
Chapter 12
Using authpf
In this chapter we'll discuss authpf(8), the authenticating gateway shell that offers an elegant solution to the problem of making sure that the users behind the Œrewall really are who say they are.
The problem of user authentication is a complex one, not only because it is a technological challenge, but also because it must be done in a way that will cause the least user rebellion against the system.
One-time user authentication on the computer he or she is working at is not good enough, especially when users are mobile and often disable password protection or use weak passwords. If you write a ruleset that is based solely on IP addresses or port numbers, your Œrewall may fail quickly when one of the machines it is protecting falls into wrong hands or is otherwise broken into. One of the methods for making sure this doesn't happen is user authentication done on the Œrewall implemented with pf(4) and authpf(8). It is quite simple, each user who wants to connect to the Œrewall, must log on the Œrewall via ssh(1). When the authentication is successful, the Œrewall loads a ruleset (via anchors) that allows that user access to the network. Every user can have a separate ruleset, limiting them in what they can do. This solution is used to secure wireless networks, which are particularly vulnerable to host identity theft, but it is also being used increasingly often on `wired' networks to add another layer of defense.
Every user whom you want to authenticate must have an account on the Œrewall and a copy of an SSH client on its computer before they can log on.
12.1 ConŒguring authpf
ƒ/etc/authpf/authpf.conf Š the authpf(8) conŒguration Œle. Contains the name of the anchors where redirection and Œltering rules are loaded into.
234 Chapter 12: Using authpf
The default name is authpf, but you can change it to something else:
anchor=userrules
If you want to leave the default setting, use:
#touch /etc/authpf/authpf.conf
ƒ/etc/authpf/authpf.allow Š contains the list of user names allowed to authenticate on the Œrewall, one name per line.
ƒ/etc/authpf/banned/ Š not a Œle but a directory, which contain the list of user who are banned from accessing the Œrewall. To ban user joe, use:
#touch /etc/authpf/banned/joe
To let him use the Œrewall again, use:
# rm /etc/authpf/banned/joe
ƒ/etc/authpf/authpf.message Š the message displayed upon successful authentication.
ƒ/etc/authpf/authpf.problem Š the message displayed upon authentication failure.
12.2 ConŒguring sshd
Add the following lines to /etc/ssh/sshd_conŒg:
Protocol 2
ClientAliveInterval 15
ClientAliveCountMax 3
This will make sure that users are logged off the Œrewall after 60 seconds of inactivity.
12.3 ConŒguring Login Shell
To successfully authenticate a user on the Œrewall, you must change her/his shell to authpf(8). Do it with vipw(8):
Section 12.4: Writing pf Rules for authpf |
235 |
|
|
# vipw
and change the last Œeld from something like /bin/sh to
/usr/sbin/authpf.
If you want to limit access to system resources, read loging.conf(5).
12.4 Writing pf Rules for authpf
Rules for authenticating users reside in /etc/authpf/users/, e.g. rules for joe reside in /etc/authpf/users/joe/authpf.rules. Users for whom such rulesets do not exist have their rules set to those from /etc/authpf/authpf.rules.
To load those rulesets into the main ruleset, /etc/pf.conf must contain the following anchors placed in relevant places:
nat-anchor authpf rdr-anchor authpf binat-anchor authpf anchor authpf
Writing rulesets for authenticating users is like writing other named rulesets, but there are two important additions, in the form of the $user_ip macro, which expands to the IP address of the host that the user authenticated from, and the $user_id macro that expands to the name of the user authenticating on the Œrewall (see Chapter 8, Packet Filtering for more information about Œltering with user names. This allows us to write rules that are bound to users, not hosts.
12.5 Authenticating User Joe
Let's walk through a simple example, in which we'll create an authentication setup for use joe who will be allowed to connect to external HTTP servers. We assume that user joe already has an ordinary user account. If you do not kow how to do it, read Chapter 4, ConŒguring OpenBSD.
Create /etc/authpf/authpf.conf:
# touch /etc/authpf/authpf.conf
236 |
Chapter 12: Using authpf |
|
|
Add user joe to /etc/authpf/authpf.allow:
# echo "joe" >> /etc/authpf/authpf.allow
Create a welcome message:
# echo "Where are you going with that NIC in your hand?" >
/etc/authpf/authpf.message
Create a message displayed when there are problems with authentication:
# echo "I'm sorry Dave ..." > /etc/authpf/authpf.problem
ConŒgure sshd(8) (see section 12.2).
ConŒgure login shell (see section 12.3).
Clear pf(4) ruleset:
# pftcl -F all
Create a directory for joe's ruleset:
# mkdir -p /etc/authpf/users/joe
Create a new ruleset for joe. We add only add a Œltering rule, you can create as many rules as you like, just remember to not use the quick keyword. Read Chapter 5, /etc/pf.conf and Chapter 9, Dynamic Rulesets for more information about limits of anchor rulesets:
The /etc/pf.conf ruleset will contain the following rules:
ext_if = "ne1" int_if = "ne2"
nat-anchor authpf rdr-anchor authpf binat-anchor authpf block in on $ext_if all block out on $ext_if all