
I have 2 virtual machines (VMware ESXi 6).

They are both openSUSE 42.3 (Tumbleweed):

  1. Firewall (iptables, ipset, dhcpd, DNS only)
  2. Mail/web server (Apache, Dovecot, Postfix)

The web server cannot communicate with the firewall, except that traffic passes through it to reach the mail/web server.

The firewall has a block list of IP addresses that it automatically adds to. However, it is relatively simple, and does not decode SMTP, IMAP, HTTP, or HTTPS. The second has its own protections for the aforementioned services, and has its own block list.

Now assume someone compromised my mail server: they could easily delete my block list etc., but only from the mail server.

How do I have the mail/web server send its block lists to the firewall without breaking the separation between DMZ and everything else (or at least, to the smallest extent possible) in real time?

I don't want to use an external service, like uploading to the cloud, since they could DDoS me, and the list would be inaccessible.

I thought about setting up a 3rd VM as an intermediary (private, but shared subnet, separate network cards), but if they compromise the web server, what is to stop them from breaking into the intermediary machine, and then the firewall? If I did this, what kind of protections can I implement to verify that a hacker isn't sending their own data through my channel (buffer overflow or other attack) instead of just the block list?

How you determine which IP should get blocked:

Generally, any bad behavior. For example, all Apache error calls have been tied to a PHP script. The PHP script logs the details to MySQL. Eventually, I will have a full-fledged scoring system in place. Each invalid thing you do increases your score, and certain things have higher scores.

For how long? Threshold based, but eventually forever. Score 100 points or whatever, goodbye forever.

How you add the rules? `ipset add bad_guys 1.2.3.4`

If I feel generous I will add `timeout ######` to that.

Rory Alsop
cybernard

1 Answer


While the full details and possibilities of your architecture are not clear, I would suggest the following:

  • A service on the firewall should ask the mail/web server about updates to the IP blocks. This means no communication is initiated to the firewall; any communication regarding firewall rules is only initiated from the firewall, to reduce the attack surface. The mail/web system should of course only accept connections to the block-IP service from the firewall.
  • The protocol to share blocked IP addresses should be as simple as possible, so that it can be implemented with a minimum of code which can also easily be verified. This also means that JSON, XML, YAML or whatever fancy formats are out there should not be used, since they are not minimal for this purpose and also depend on libraries which add to the attack surface. Preference should also be given to implementing it in higher-level languages instead of C/C++, because this first makes the code smaller and thus easier to audit, and second makes the typical buffer overflows improbable. Of course the mail/web system should still not be trusted, so any input must be strictly verified to conform to the expected format.
  • In case the blocking rules need to be updated with administrative privileges, it is recommended to have privilege separation, i.e. different processes with different permissions for communicating with the mail/web server and for updating the blocking rules. Each process should only take the minimal privileges needed, by using chroot, sandbox, containers, seccomp, pledge or similar technologies.

Note that these suggestions might be considered overkill for your specific purpose. In a perfect world where no bugs exist you would not have to implement all of this, because for example privilege separation or sandboxes are primarily needed to limit the impact of an attack in case the attacker could exploit a bug. But I recommend implementing at least part of these, i.e. definitely not having some highly privileged service running on the firewall which speaks a complex protocol to the mail/web system and executes system commands based on seemingly trusted input.

Steffen Ullrich
  • What details would you like to know? – cybernard Jun 15 '17 at 19:38
  • @cybernard: I think I understand the general architecture, and based on this the proposal should work. What is not known is whether you have the capabilities to implement it. And then the exact details are unknown, i.e. how you determine which IP should get blocked, for how long, how you add the rules etc. But these are only implementation details and not conceptual details. What is also not known is how much resources you are willing to invest into this, i.e. where your sweet spot is between effort (time, maybe money) and gain (security). – Steffen Ullrich Jun 15 '17 at 20:06
  • Added details above. This is a project in my spare time, and unlimited or till it's done is its time allotment. Maybe only a couple hours a day, but no end date. Some money (probably a few hundred), especially divided over time. Avoiding things with ongoing, monthly fees. I can program, not a master, and am in general knowledgeable about Linux's inner workings. Wrote all the PHP, and did all the MySQL myself. – cybernard Jun 15 '17 at 20:25
  • @cybernard: given these circumstances I think the answer should cover that. I would definitely go at least with privilege separation, since ipset would not need to be run as root and the communication process had better not be. – Steffen Ullrich Jun 15 '17 at 20:43
  • Obviously, I could open a port, TCP, UDP, or whatever. I could write it in C, Perl, PHP, or maybe even Python. I could then limit the valid characters to **0123456789./:**. Enough for IPv4, v6, and CIDR. Drop, alert, log any other data. However, it offers no integrity checks. Any pre-built reputable libraries? Should I bother with any SSH, say on a different port? Should I bother with another VM on another subnet? Another thing: if the firewall fetches it, how does it know when to fetch? Hoping for a suggestion better than a simple cron interval timer; prefer real-time alerting. – cybernard Jun 15 '17 at 21:00
  • @cybernard: encryption offered by SSH might be useful if you don't trust the internal network. But if you expect the mail/web system to be compromised, you are lost in all cases, and the most you can do is to make sure that the firewall does not get compromised too. As for when to fetch, how to implement etc., these are implementation details which are not security relevant and off-topic here. And they depend on what your actual requirements are for how often the blacklists should be updated. There are libraries which might help you with implementation details (but again, off-topic). – Steffen Ullrich Jun 15 '17 at 21:05
  • Asking what utilities/libraries to use to securely implement this is "off-topic"? In any discussion about security, the tools need to be discussed in order to actually have security. – cybernard Jun 15 '17 at 23:10
  • @cybernard: the security-specific use of tools and libraries is on-topic. But more general questions are not. For example: one often sees users asking general Linux questions here when using Kali Linux, because Kali is often used in a security context. But the questions asked are often general Linux questions and unrelated to information security, which makes them off-topic. – Steffen Ullrich Jun 16 '17 at 03:46
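An added example of the "minimal format, strictly verified, privilege separated" approach the answer and the comment thread converge on; this is illustration code, not from the answer's author or the asker. It assumes the firewall's unprivileged fetcher receives a plain text body with one address or CIDR per line, widens the proposed character whitelist with the hex letters a-f that IPv6 addresses need, and hands only canonical entries to a separate privileged helper that runs `ipset` without a shell; the size limits and PROTECTED ranges are assumptions.

```python
import ipaddress
import re

# Assumed wire format: plain text, one address or CIDR per line, limited to the
# thread's whitelist plus hex a-f for IPv6 (43 chars = longest IPv6/128 form).
_ALLOWED = re.compile(r"^[0-9a-f./:]{1,43}$")
MAX_ENTRIES = 10000                  # assumed limit: refuse oversized bodies
MIN_PREFIX = {4: 8, 6: 32}           # assumed: never block wider than this
PROTECTED = [ipaddress.ip_network(n)  # assumed: the operator's own networks
             for n in ("10.0.0.0/8", "192.168.0.0/16", "fd00::/8")]

def parse_entry(line):
    """Return one entry as a canonical network string, or raise ValueError."""
    if not _ALLOWED.match(line):
        raise ValueError("disallowed characters or length")
    net = ipaddress.ip_network(line, strict=True)   # "1.2.3.4/24" is rejected
    if net.prefixlen < MIN_PREFIX[net.version]:
        raise ValueError("prefix too wide")
    if net.is_loopback or net.is_link_local or net.is_unspecified or net.is_multicast:
        raise ValueError("special-purpose range")
    if any(net.overlaps(p) for p in PROTECTED):
        raise ValueError("overlaps protected range")
    return str(net)

def validate_blocklist(payload):
    """Validate a fetched body. Returns (accepted, rejected); bad lines are
    dropped and reported, never 'repaired' into something blockable."""
    lines = [ln for ln in payload.split("\n") if ln]
    if len(lines) > MAX_ENTRIES:
        raise ValueError("too many entries")
    accepted, rejected = [], []
    for raw in lines:
        try:
            accepted.append(parse_entry(raw))
        except ValueError as exc:
            rejected.append((raw, str(exc)))
    return accepted, rejected

def ipset_argv(entry, setname="bad_guys", timeout=None):
    """argv for the separate privileged helper (assumed to own a hash:net set).
    No shell, and the helper re-validates, so the entry is only a set member."""
    if parse_entry(entry) != entry:              # canonical form only
        raise ValueError("non-canonical entry")
    argv = ["ipset", "add", setname, entry, "-exist"]
    if timeout is not None:
        argv += ["timeout", str(int(timeout))]
    return argv

# Constructed sample: two valid entries, then lines a compromised mail server might send.
SAMPLE = "1.2.3.4\n2001:db8::/32\n192.168.1.1\n1.2.3.4/24\n0.0.0.0/0\n1.2.3.4;id\n"
```

The fetcher keeps only `accepted` and passes each entry to the privileged helper over a pipe or socket; the helper's whole job is to re-run `parse_entry` and execute the argv, so a compromised mail server can at most add well-formed public prefixes to the set.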