know-how:firewall
know-how:firewall [2021/09/21 14:48] – [roadworker mfa - multiple factor auth] cc | know-how:firewall [2024/06/27 13:29] (aktuell) – [internal dns zone] cc | ||
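--- a/know-how/firewall.txt
+++ b/know-how/firewall.txt
@@ -1 +1 @@
+~~ODT~~
 FIXME
 ====== Features ======
@@ -923 +924 @@
 exit $?
+</
+
+* **/
+* TOTP Check mit **oathtool**
+
+<
+#!/bin/bash
+
+
+function bailout ()
+{
+echo $1
+exit 1
+
+}
+
+AUTH_USERNAME="
+AUTH_PASSWORD="
+AUTH_TOTP_SECRET="/
+
+
+[[ $AUTH_USERNAME == ""
+[[ $AUTH_PASSWORD == ""
+
+
+echo $AUTH_USERNAME | grep -P -q "
+
+#2021-09-21 cc: Somehow malformed
+[[ $? != 0 ]] && bailout "
+
+
+#2021-09-21 cc: Somehow not 6 digits
+echo $AUTH_PASSWORD | grep -P -q "
+
+[[ $? != 0 ]] && bailout "
+
+#2021-09-21 cc: This is tricky , if there'
+[[ ! -f $AUTH_TOTP_SECRET ]] && exit 0
+
+TOTP_SEED=$(cat $AUTH_TOTP_SECRET)
+
+DIGIT_CODE=$(oathtool -b --totp $TOTP_SEED)
+
+#env > /tmp/debug
+#echo "u: -$AUTH_USERNAME-"
+#echo "p: -$AUTH_PASSWORD-"
+#echo "c: -$DIGIT_CODE"
+
+[[ $DIGIT_CODE == $AUTH_PASSWORD ]] && exit 0
+
+exit 1
+</
+
+
+* Um für bestimmten User **TOTP zu aktivieren**
+
+<
+pwgen -0 -s -1 16 > /
+</
+
+* Dieser TOTP Seed , der nun unter **/
+
+
+* Variante um bei bestehender zertifikatsbasierender Authentifizierung OTP zu aktivieren:
+* **für bestimmtes Gerät d.h. Zertifikat ** wird es obligatorisch und User können zum Zertifikat spezifiziert werden
+* **/
+<
+...
+auth-user-pass-verify /
+auth-user-pass-optional
+script-security 3
+....
+</
+* **/
+<
+#!/bin/bash
+
+
+function bailout ()
+{
+echo $1
+echo $1 | logger -t totp
+exit 1
+
+}
+
+AUTH_USERNAME="
+AUTH_PASSWORD="
+AUTH_COMMON_NAME="
+AUTH_TOTP_ROOT_SECRET="/
+AUTH_TOTP_SECRET="
+
+#2021-10-14 cc: Certificate required
+echo $common_name | grep -P -q "
+
+[[ $? != 0 ]] && bailout "
+
+#2021-10-14 cc: IF directory with common name does not exist OTP is not activated
+[[ ! -d "
+
+
+echo $AUTH_USERNAME | grep -P -q "
+
+#2021-09-21 cc: Somehow malformed
+[[ $? != 0 ]] && bailout "
+
+
+#2021-09-21 cc: Somehow not 6 digits
+echo $AUTH_PASSWORD | grep -P -q "
+
+[[ $? != 0 ]] && bailout "
+
+#2021-09-21 cc: This is tricky , if there'
+#2021-10-14 cc: If common_name root path exists there must be a file for the user
+[[ ! -f $AUTH_TOTP_SECRET ]] && bailout "TOTP Secret not found - is needed"
+
+TOTP_SEED=$(cat $AUTH_TOTP_SECRET)
+
+DIGIT_CODE=$(oathtool -b --totp $TOTP_SEED)
+
+#env > /tmp/debug
+#echo "u: -$AUTH_USERNAME-"
+#echo "p: -$AUTH_PASSWORD-"
+#echo "c: -$DIGIT_CODE"
+
+[[ $DIGIT_CODE == $AUTH_PASSWORD ]] && exit 0
+
+exit 1
+
 </
 ===== roadworker openvpn wake on lan (wol) trigger =====
@@ -1011 +1141 @@
 </
+
+====== unbound ======
+* Rekursiver DNS Resolver der DNSSEC validiert und auch dns over tls unterstützt
+
+===== troubleshoot =====
+* Wenns immer wieder dnssec troubles gibt / und keiner aktiv DNS spoofing betreibt :)
+* siehe **https://
+
+<
+
+1. Permissive mode
+
+Does not actually turn off dnssec, but stops the resolver from withholding bogus answers from clients. Resolution may be slow due to validation failures but can still proceed. Add to the unbound.conf file:
+
+server:
+val-permissive-mode:
+
+2. Remove trust anchors
+
+If you remove the trust-anchor definitions from the unbound.conf file, DNSSEC is not used for those domains. Related options:
+
+server:
+# trust-anchor-file:
+# auto-trust-anchor-file:
+# trust-anchor:
+# trusted-keys-file:
+
+3. Disable the validator module
+
+This also disables validation for other domains. In the unbound.conf file:
+
+server:
+module-config:
+
+4. Stop a broken chain of trust
+
+To work around a broken chain of trust use a temporary item until the proper DS or DNSKEY records are published, put in the unbound.conf file:
+
+server:
+domain-insecure:
+
+
+</
+
+===== internal dns zone =====
+* zB: wenn intern ein AD Server benutzt wird für interne Domäne
+
+<
+server:
+..
+..
+#2024-02-11 cc: if pannoniait.intern was used by a e.g. windows ad server
+private-domain:
+domain-insecure:
+..
+..
+
+#2024-02-11 cc: If pannoniait.intern was used e.g. by windows ad server
+forward-zone:
+name: pannoniait.intern
+
+
+</
+
+===== dns over tls =====
+* führt zu massiven DNS Performanceeinbruch FIXME performance + prefetch usw.
+<
+server:
+..
+..
+#2024-02-11 cc: The debian place where the bundle can be found
+tls-cert-bundle:
+..
+..
+forward-zone:
+name: "
+forward-addr:
+forward-addr:
+forward-tls-upstream:
+..
+..
+</
+
+====== Traffic Shaping - tc ======
+* FIXME - Großteil "
+* FIXME - PLAYGROUND - für bestimmten Traffic Bandbreite insgesamt einschränken , damit zB: ein Pool von Adressen eingeschränkt werden kann wie zB: Windows Updates :) entweder über iptables Markierungen oder über ipset Matches
+<
+#!/bin/sh -x
+
+# Maximum allowed downlink. Set to 90% of the achievable downlink in mbit
+DOWNLINK=60
+
+# Interface facing the Internet
+EXTDEV=wlp2s0
+
+# Load IFB, all other modules all loaded automatically
+modprobe ifb
+ip link set dev ifb0 down
+
+# Clear old queuing disciplines (qdisc) on the interfaces and the MANGLE table
+tc qdisc del dev $EXTDEV root 2> /dev/null > /dev/null
+tc qdisc del dev $EXTDEV ingress 2> /dev/null > /dev/null
+tc qdisc del dev ifb0 root 2> /dev/null > /dev/null
+tc qdisc del dev ifb0 ingress
+iptables -t mangle -F
+
+# appending "
+if [ "
+then
+echo "
+exit
+fi
+
+ip link set dev ifb0 up
+
+# HTB classes on IFB with rate limiting - default class 3:30
+tc qdisc add dev ifb0 root handle 3: htb default 30
+
+tc class add dev ifb0 parent 3:3 classid 3:30 htb rate 60mbit ceil 60mbit
+tc class add dev ifb0 parent 3:3 classid 3:33 htb rate 10mbit ceil 10mbit
+
+# Packets marked with "
+tc filter add dev ifb0 parent 3:0 protocol ip handle 2 fw flowid 3:33
+
+# Martin Devera, author of HTB, then recommends SFQ for beneath these classes:
+tc qdisc add dev ifb0 parent 3:30 handle 30: sfq perturb 10
+tc qdisc add dev ifb0 parent 3:33 handle 33: sfq perturb 10
+
+#
+iptables -t mangle -A PREROUTING -s 88.198.248.254 -j MARK --set-mark 2
+iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
+
+
+
+# Forward all ingress traffic on internet interface to the IFB device
+tc qdisc add dev $EXTDEV ingress handle ffff:
+tc filter add dev $EXTDEV parent ffff: protocol ip \
+u32 match u32 0 0 \
+action connmark \
+action mirred egress redirect dev ifb0 \
+flowid ffff:1
+
+
+# Kein markieren mehr der Pakete / iptables fällt weg über ipset
+# root@mrWhiteGhost:/
+#
+#
+#
+#
+#
+
+
+
+#
+#class htb 3:33 root prio 0 rate 10Mbit ceil 10Mbit burst 1600b cburst 1600b
+# Sent 28375626 bytes 20582 pkt (dropped 0, overlimits 20488 requeues 0)
+# backlog 0b 0p requeues 0
+# lended: 20582 borrowed: 0 giants: 0
+# tokens: -16889 ctokens: -16889
+#
+#class htb 3:30 root prio 0 rate 60Mbit ceil 60Mbit burst 1590b cburst 1590b
+# Sent 1760229 bytes 3364 pkt (dropped 0, overlimits 884 requeues 0)
+# backlog 0b 0p requeues 0
+# lended: 3364 borrowed: 0 giants: 0
+# tokens: 3125 ctokens: 3125
+
+
+
+
+exit 0
+</
+
+
 ====== GeoIP - iptables matches ======
@@ -1145 +1448 @@
 
 </
+====== GeoIP - map-geoip.sh ======
+* GeoIP Lookup aus vorhandenen Logfiles / kann auch gepiped werden um vorher relevante Auszüge rauszugreppen
+* **map-geoip.sh**
+
+<
+#!/bin/bash
+
+# cmd: foo=$(mmdblookup -f /
+
+# https://
+
+PATH_LOGS="/
+PATH_GEODB="/
+
+function bailout
+{
+echo -e "
+echo -e "
+exit 2
+
+
+}
+
+function lookup_geo
+{
+mmdblookup -f $PATH_GEODB
+
+}
+
+function lookup_ip
+{
+echo $1 | grep -o -P "
+
+
+}
+
+[[ -r $PATH_GEODB ]] || bailout "
+
+
+[[ -r "
+
+[[ $1 == "
+
+
+[[ -r $PATH_LOGS || $PATH_LOGS == "
+
+
+which mmdblookup >/
+
+IFS=$'
+
+while read foo ;
+do
+LOG_SUFFIX=""
+SRC_IP=""
+DST_IP=""
+
+SRC_IP=$(lookup_ip $foo "
+DST_IP=$(lookup_ip $foo "
+
+#echo "SRC: $SRC_IP"
+#echo "DST: $DST_IP"
+
+if [ ${#SRC_IP} -gt 0 ] && [ ${#DST_IP} -gt 0 ]
+then
+SRC_GEO=$(lookup_geo $SRC_IP)
+DST_GEO=$(lookup_geo $DST_IP)
+
+[[ -z $SRC_GEO
+[[ -z $DST_GEO ]] && DST_GEO="
+
+LOG_SUFFIX="
+
+
+echo "
+fi
+
+
+done < <(zcat -f $PATH_LOGS )
+</
 ====== WEB Module ======
+===== Blocks - Multi - IPSET =====
+* In Kombination mit dnsmasq und seiner Funktionalität ipsets aktualisieren zu können
+* www-data muss dnsmasq neu starten können zB: visudo -> www-data
+* **Achtung:
+* **merge-ipsets.sh**
+
+<
+#!/bin/bash
+function bailout
+{
+echo -e "
+exit 2
+
+}
+
+which dnsmasq >/
+
+
+LOCATION_DNSMASQS="/
+TMP_LOCATION=$(mktemp)
+FINAL_LOCATION="/
+
+if [ ! -w $FINAL_LOCATION ]
+then
+rm $TMP_LOCATION
+
+bailout "FAIL: Final config file: $FINAL_LOCATION cannot be written to "
+
+fi
+
+
+grep -h "
+do
+nr_matches=$(echo $hosts | awk '
+host_entry=$(echo $hosts | awk '
+
+if (($nr_matches > 1 )) &&
+then
+
+
+while read found_sets
+do
+build_entry+="/
+
+done <<<
+
+
+echo $build_entry >> $TMP_LOCATION
+echo $build_entry
+
+fi
+
+
+
+done
+
+filesize_tmp=$(stat -c %s $TMP_LOCATION)
+
+if [ $filesize_tmp == "
+then
+
+rm $TMP_LOCATION
+
+echo "No double ipsets found in $LOCATION_DNSMASQS"
+
+exit 0
+
+fi
+
+
+
+
+
+cmp -s $TMP_LOCATION $FINAL_LOCATION
+
+compare_ret="
+
+if [ $compare_ret == "
+then
+rm $TMP_LOCATION
+echo "
+exit 0
+fi
+
+
+dnsmasq --test --conf-file=$TMP_LOCATION
+
+ipset_tests="
+if [ $ipset_tests != "
+then
+rm $TMP_LOCATION
+bailout "FAIL: Malformed config file: $TMP_LOCATION"
+fi
+
+#2022-02-21 cc: Keep Ownership intact
+cat $TMP_LOCATION > $FINAL_LOCATION
+
+rm $TMP_LOCATION
+
+systemctl reload dnsmasq || bailout "FAIL: Cannot reload dnsmasq"
+
+
+exit 0
+</
+* {{ :
+
 ===== Blocks - IPSET =====
 * In Kombination mit dnsmasq und seiner Funktionalität ipsets aktualisieren zu können
-* www-data muss dnsmasq neu starten können zB: visudo -> www-data
+* www-data muss dnsmasq neu starten können zB: visudo -> www-data
 * {{ :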
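Review bot: In both TOTP verify scripts added in the hunk at Zeile 923 the final comparison `[[ $DIGIT_CODE == $AUTH_PASSWORD ]] && exit 0` leaves the right-hand side unquoted, so `[[ == ]]` treats the client-supplied password as a glob pattern and the preceding `grep -P -q` format check (its pattern is cut off in this rendering) is the only thing keeping a wildcard out of it; quote both sides, `[[ "$DIGIT_CODE" == "$AUTH_PASSWORD" ]] && exit 0`. Neither script refuses a code it has already accepted, so a 6-digit code stays reusable for the rest of its 30-second step; recording the last accepted code next to the seed file and rejecting a repeat closes that, and the same spot can document that `oathtool -b --totp` without a window option rejects clients whose clock is off by more than one step. The commented-out `#env > /tmp/debug` and `#echo "p: -$AUTH_PASSWORD-"` lines would write the username, password and OTP to a likely world-readable file if someone re-enables them; since `bailout` in the certificate variant already reports through `logger -t totp`, dropping them is the safer choice. In that variant `AUTH_COMMON_NAME` is assigned but the "Certificate required" check greps `$common_name`, which looks like it was meant to use the copied variable.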
know-how/firewall.txt · Zuletzt geändert: 2024/06/27 13:29 von cc