OpenBSD – Phocean.net / Computer Security Blog Fri, 24 Feb 2017 21:17:51 +0000 en-US hourly 1 https://wordpress.org/?v=4.9.10 Perl : how to monitor a service remotely using sockets /2007/07/15/perl-how-to-monitor-a-service-remotely-using-sockets.html Sun, 15 Jul 2007 17:59:55 +0000 http://www.phocean.net/?p=64 http://www.phocean.net/?p=64 I came to program my first Perl script based on sockets, after setting an IPSEC tunnel.

This tunnel is linking the remote peer and the local peer through an OpenBSD VPN gateway (managed with Isakmp).

The problem is that time allowed for this connection is limited, for security policy reasons. So it is not a 24- hour standard tunnel, but rather an on-demand type connection.

Note that the connection is automatically reset by the remote peer, by invalidating the connection cookie and therefore oblige to renegotiate the VPN tunnel from the beginning (phase 1 of the key exchange).

In other words, the Isakmp service has to be restarted every time we need the tunnel to be up.

Of course, it is not the purpose of Isakmp to have such a mechanism and what we want is to start the tunnel from the local peer, every time it needs to do some transfer.

The graph below summarizes the situation :

IPSEC tunnel with OpenBSD as a VPN gateway

That is why I came to develop a script that opens a socket and allows the peer to remotely restart the Isakmp service.

Perl is once again the perfect language for someone like me, who is not a developer. My script uses mainly 2 CPAN modules : NetServer::Generic to manage the socket and Proc::ProcessTable to get the PID of a running process.

You can dowload it here : IsakmpdMon.

And here is the documentation on how to use it : IsakmpdMon Synopsys.

ATTENTION : for security reason, only trusted IPs should be allowed to send the commands.

To have your commands accepted, edit the line :

my ($allowed) = ['10\.80\.1\.2'];

with your IPs. It can be a list of IPs or hostnames separated by commas. You can use some jockers (*) for the names. Please refer to the NetServer::Generic documentation for more info.

Note that this script can be adapted to any usage to manage all kinds of services remotely…

]]> SSH timout /2007/04/21/ssh-timout.html Sat, 21 Apr 2007 18:18:00 +0000 http://192.168.1.10/wordpress/?p=28 After a fresh set up of your network, don't be surprised that your ssh connections are slow.

]]> After a fresh set up of your network, don’t be surprised that your ssh connections are slow.

Depending on the systems and equipment you use, you might encounter some timeout that make any login impossible.

I got such timeouts with an OpenBSD machine behind a Pix firewall. With Linux machines, it was very slow but worked.

This issue is related to the reverse DNS check that SSH makes by default during the login process. This is in order to improve the security. Howerver, this is not so secure as a DNS cache can also be spoofed.
Considering this, you can disable this check with not much worry with the right option in your /etc/sshd_config file :

UseDNS no

Of course, the best solution will be that you set up a full DNS infrastructure as soon as possible.

]]>