How to Build a Simple Wireless Authenticated Gateway (SWAG) Using OpenBSD

posted onFebruary 20, 2005
by hitbsecnews

By: Rosli Sukri

Now, without spending a lot of money you to can build an authenticated gateway solution to verify your WIFI users. First and foremost you need to get your hands on the coolest free BSD system for firewalls and security devices. In this example I will be using OpenBSD3.6 stock standard as a build and a base system (but I guess you could use FreeBSD5.3 – me thinks the newer FreeBSD are getting a bit bloated but the background fscking, fscking rocks dude!)

Once you have installed your neighborhood OS in your server (go ahead and install all the packages from the OpenBSD installation CD, heck I have 40G worth of SATA drive on my brand spanking new Dell 1U server so I don't really care) you only need to change a couple of files within your /etc directory before you can start rocking.

The Setup

By the way my rig is a Dell 1U server with 4 NIC cards and a lot of RAM. One neat thing about the setup is its way awesome fan systems that mimics a mini tornado. Woooshh! boy it is very noisy but it keeps the board cool. The Dell is awesome a far cry from the Low Yat's Cap Ayam server that I usually have to work with.

The ultimate goal is to have 2 internal network segments and 1 uplink to the Internet. I am reserving the last NIC card, so that if I ever get another ISP, I might be able to do some funky load balancing stuff :). In addition to that, for all the internal network, we will be providing dhcpd services for the clients behind it. This is done so that we can turn off those pesky dhcpd service with limited functions within the AP itself.

In addition to the above, the gateway has 4 Broadcom GigE's. In this example em0 and em1 are the internal LAN which has and IP range of 192.168.10.x and 192.168.11.x accordingly. em2 is being used for the uplink to the ISP which IPs and network are predefined. The gateway will take 192.168.10.1 and 192.168.11.1 respectively and connect then your AP's to one of the internal LANs. All authorized packets from the internal LANs and the WIFI networks will be NATed at the gateway level.

These are the list of the files that we need to change to make our setup work – you do have to configure the appropriate files to set the IP, default router and DNS of the gateway machine itself, but for that, please refer to the OpenBSD FAQ.

/etc/rc.conf.local
/etc/sysctl.conf
/etc/inetd.conf
/etc/shells
/etc/dhcpd.conf
/etc/dhcpd.interfaces
/etc/pf.conf
/etc/authpf/authpf.conf
/etc/authpf/authpf.rules
/etc/ssh/sshd_config

The Simple Diagram

and here are the files...

# /etc/rc.conf.local
pf=YES
dhcpd_flags=""

Well, you need to enable this at boot time or else it all won't work

# /etc/sysctl.conf

net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1

Don't forget this, else your box can't forward any packets hence it would be useless.

# /etc/inetd.conf

127.0.0.1:8021 stream tcp nowait
root /usr/libexec/ftp-proxy ftp-proxy -n
ident stream tcp nowait
_identd /usr/libexec/identd identd -el
ident stream tcp6 nowait
_identd /usr/libexec/identd identd -el
127.0.0.1:comsat dgram udp wait
root /usr/libexec/comsat comsat
[::1]:comsat dgram udp6 wait
root /usr/libexec/comsat comsat

FTP Service, who needs them anyways...

# echo /usr/sbin/authpf >> /etc/shells

You need to run this command to able to add the correct shells to the user - you don't want them to have shell access now do you?

# /etc/dhcpd.conf

subnet 192.168.10.0 netmask 255.255.255.0 {
option routers 192.168.10.1;
option domain-name-servers 202.188.1.5;
option domain-name "rosli.domain";
range 192.168.10.32 192.168.10.127;
}

subnet 192.168.2.0 netmask 255.255.255.0 {
option routers 192.168.11.1;
option domain-name-servers 202.188.1.5;
option domain-name "rosli.domain";
range 192.168.11.32 192.168.11.127;
}

Complete with the setting to (ab)use one of Malaysia's fat telcos....

# /etc/dhcpd.interfaces
#
em0
em1

With the settings above you should have a fully functional dhcpd server that serves two different internal LANs.
And now the fun stuff – the ever daunting firewall access rules

# /etc/pf.conf
# note: interface use is only em0 and em1, em2 is reserved for external

### macros
internalIf = "{em0, em1}"
externalIf = "em2"

Scrub in all

### nat and rdr
nat on $externalIf from { em0:network, em1:network } to any
-> ($externalIf)
rdr on $internalIf proto tcp from any to any
port 21 -> 127.0.0.1 port 8021

### filter
# Default block stance block in log on $internalIf all

# The annoyance of ftp continues pass in quick on $externalIf inet proto tcp from
port { ftp, ftp-data } to ($externalIf) user proxy flags S/SA keep state

# The gateway allowing itself to go out and about pass out quick on $externalIf proto tcp from $externalIf:network flags S/SA modulate state pass out quick on $externalIf proto { udp, icmp } from
$externalIf:network keep state pass out quick on $externalIf proto tcp from
$externalIf flags S/SA modulate state
pass out quick on $externalIf proto { udp, icmp } from ($externalIf) keep state pass out quick on $externalIf proto tcp from $internalIf flags S/SA modulate state pass out quick on $externalIf proto { udp, icmp } from
$internalIf keep state pass out quick on $externalIf proto tcp from 127.0.0.1 flags S/SA modulate state pass out quick on $externalIf proto { udp, icmp } from
127.0.0.1 keep state

# SSH and pings must be allowed pass in quick on $externalIf proto tcp from
$externalIf:network to $externalIf port ssh flags S/SA keep state pass in quick on em0 proto tcp from em0:network to $externalIf port ssh flags S/SA keep state pass in quick on em1 proto tcp from em1:network to $externalIf port ssh flags S/SA keep state pass in quick on { em0, em1 } proto icmp from
{ em0:network, em1:network } to {em0, em1, em2 } keep state

# Just in case if the uplinks IP is not staticly assigned by the ISP's pass in quick on $externalIf proto { udp, tcp } from $externalIf:network to $externalIf port { bootps, ftp, ftp-data } keep state

# Again ftp strikes back pass in quick on $externalIf proto tcp from $externalIf:network to lo0 port 8021 keep state

# This glues the config to the next section anchor "authpf/*" in on $internalIf

# /etc/authpf/authpf.rules
# note: interface use is only em0 and em1, em2 is reserved for external

### macros
internalIf = "{em0, em1}"

### filter
## 1st internal interface
pass in quick on em0 proto {udp, tcp} from $user_ip to port
domain keep state
pass in quick on em0 proto icmp from $user_ip to any
keep state
pass in quick on em0 proto tcp from $user_ip to any
port { ssh, http, https, smtp, ftp, pop3, imap } flags S/SA keep state
# this damn last rule is needed by ftp passive mode
pass in quick on em0 proto tcp from $user_ip to any
port > 1024 keep state

## 2nd internal interface
pass in quick on em1 proto {udp, tcp} from $user_ip to any
port domain keep state
pass in quick on em1 proto icmp from $user_ip to any
keep state
pass in quick on em1 proto tcp from $user_ip to any
port { ssh, http, https, smtp, ftp, pop3, imap } flags S/SA keep state
# this damn last rule is needed by ftp passive mode
pass in quick on em1 proto tcp from $user_ip to any
port > 1024 keep state

# touch /etc/authpf/authpf.conf

authpf.conf must exist – if not authpf will surely barf

Last but not least

# /etc/ssh/sshd_config
# note: interface use is only em0 and em1, em2 is reserved for external

Port 22
Protocol 2
Subsystem sftp /usr/libexec/sftp-server
# 5 seconds
ClientAliveInterval 5
# 3 strikes and your out
ClientAliveCountMax 3

To avoid ssh zombies – are you afraid of ghosts?

By the way don't forget to set the gateway of the external interface by editing your /etc/mygate

Why does it so long for me to authenticate to the gateway, please refer to:

http://www.openbsd.org/faq/faq8.html#RevDNS

To Add an Authenticated Gateway User

Use the adduser script, but you need to be logged on as root or has root privileges.

# adduser
Use option ``-silent'' if you don't want to see all warnings and questions.

Reading /etc/shells
Reading /etc/login.conf
Check /etc/master.passwd
Check /etc/group

Ok, let's go. Don't worry about mistakes. I will give you the chance later to correct any input.

Enter username []: testuser
Enter full name []: Test Authenticated User
Enter shell autpf csh ksh nologin sh [sh]: authpf
Uid [1002]: Enter
Login group testuser [testuser]: guest
Login group is ``guest''. Invite testuser into other groups: guest no
[no]: no
Login class auth-defaults auth-ftp-defaults daemon default staff

[default]: Enter
Enter password []: Type password, then Enter
Enter password again []: Type password, then Enter

Name: testuser
Password: ****
Fullname: Test Authenticated User
Uid: 1002
Gid: 31 (guest)
Groups: guest
Login Class: default
HOME: /home/testuser
Shell:i /usr/sbin/authpf
OK? (y/n) [y]: y
Added user ``testuser''
Copy files from /etc/skel to /home/testuser
Add another user? (y/n) [y]: n
Goodbye!

To Remove an Authenticated Gateway User

Use the given rmuser script, again you need root privileges to be able to execute this command.

# rmuser
Enter login name for user to remove: testuser
Matching password entry:

testuser:$2a$07$ZWnBOsbqMJ.ducQBfsTKUe3PL97Ve1AHWJ0A4uLamniLNXLeYrEie:1002
:31::0:0:Test Authenticated User:/home/testuser:/usr/sbin/authpf

Is this the entry you wish to remove? y
Remove user's home directory (/home/testuser)? y
Updating password file, updating databases, done.
Updating group file: done.
Removing user's home directory (/home/testuser): done.

Howto Authenticate to the Gateway

Startup your favorite ssh client software and connect to the predefined gateway IP address. In this example we will be using PuTTY and connecting to 10.10.10.1

Enter your assigned user and password, voila you're authenticated to use the network. The gateway now knows the IP address of the client from where you're connected.

You will now be able to access network services that you're authorized as defined by the network access policy.

1.) A Solution To Red Hat PIE Protection - Zarul Shahrin
2.) The Convergence of Hacking and Security Tools - Don Parker
3.) Testifying in a Computer Crimes Case - Deb Shinder
4.) How to Build a Simple Wireless Authenticated Gateway (SWAG) Using OpenBSD - Rosli Sukri
5.) Protecting the Administrator Account - Derek Melber
6.) Mobile Systems: A Threat to Corporate Security - Fernando de la Cuadra

Source

Tags

Articles

You May Also Like

Other Articles In This Section

Recent News

Tuesday, July 9th

China's APT40 gang is ready to attack vulns within hours or days of public release
AI-Powered Super Soldiers Are More Than Just a Pipe Dream
The president ordered a board to probe a massive Russian cyberattack. It never did.
Massive car dealer ransom attack is mostly over after 2 weeks of work-arounds

Wednesday, July 3rd

“RegreSSHion” vulnerability in OpenSSH gives attackers root on Linux
Two of the German military’s new spy satellites appear to have failed in orbit

Friday, June 28th

Indonesian Airports, Data Centres Hit By Worst Cyberattack in Years
Cisco Talos warns of wider security implications following Snowflake breach

Thursday, June 27th

I Wore Meta Ray-Bans in Montreal to Test Their AI Translation Skills. It Did Not Go Well
Researchers upend AI status quo by eliminating matrix multiplication in LLMs
YouTube tries convincing record labels to license music for AI song generator
Critical MOVEit vulnerability puts huge swaths of the Internet at severe risk
Julian Assange to plead guilty but is going home after long extradition fight

Thursday, June 13th

Hackers show off jailbroken checkm8-vulnerable iPad and Apple TV running iPadOS 18 & tvOS 18 respectively
One of the major sellers of detailed driver behavioral data is shutting down
Turkish student creates custom AI device for cheating university exam, gets arrested

Wednesday, June 12th

Chinese-Made Biometric Access System Has 24 Vulnerabilities
Apple and OpenAI currently have the most misunderstood partnership in tech
Adobe to update vague AI terms after users threaten to cancel subscriptions
China state hackers infected 20,000 Fortinet VPNs

Tuesday, June 11th

Russia Is Targeting Germany With Fake Information as Europe Votes
Apple announces macOS 15 Sequoia with window tiling, iPhone mirroring, and more
Apple integrates ChatGPT into Siri, iOS, and macOS
British police to scan 480,000 Formula 1 fans’ faces at Silverstone
Hackers steal “significant volume” of data from hundreds of Snowflake customers

Friday, June 7th

7,000 LockBit decryption keys now in the hands of the FBI, offering victims hope
FCC pushes ISPs to fix security flaws in Internet routing
Can a technology called RAG keep AI models from making stuff up?
How to Lead an Army of Digital Sleuths in the Age of AI

Thursday, June 6th

Mystery object waits nearly an hour between radio bursts
Apple refused to pay bug bounty to Russian cybersecurity firm Kaspersky Lab
Ex-Microsoft security expert torches Windows' new 'Recall' feature
The Age of the Drone Police Is Here

Wednesday, June 5th

Ukrainian Systems Hit by Cobalt Strike Via a Malicious Excel File
TikTok Hack Targets ‘High-Profile’ Users via DMs