Security Basics mailing list archives
Re: How (best) to use web-form entry of an OTP/OPIE password to control a PF-firewall?
From: Lars <sunberg () gmail com>
Date: Wed, 21 Nov 2007 09:32:12 +0100
Hello! I think I have the solution to your problem. I have made it myself and I don't know if the source is quite ready to go public. I need to clean up the code; please contact me if anyone wants to help me out here!

My solution is using OPIE S/Key. I have done it like this:

- A Perl script which uses the Auth::opie CPAN module. I've compiled the Perl script and made it suid root so the Apache web user can use it (it needs access to /etc/opiekeys).
- PHP talks to the Perl executable. PHP tells you the usual S/Key challenge and you need to respond with the right answer.
- If login is OK, it sets a PHP session cookie and adds your IP address to an allowed list. It actually generates an htaccess file and sets the PHP session ID to be allowed and the IP to be allowed.
- Inside the logged-in "place" I have another PHP script; that one communicates with iptables. I have added the www user to sudoers so it can execute iptables without any hassle. This script opens up one specific port to one specific IP.
- You can also use the "control" script to delete authenticated PHP sessions and allowed IPs. You can also delete IPs you have added to the port allow list.

If you want to see how it works, please contact me. If you want to try it, tell me and I can make a test page for you. If you want to help clean the code, please tell me. It's not a mess, and I've thought about security from the start, so it should be secure. But the main problem is that it's a mix of several programming languages: Perl to talk to the OPIE backend, PHP to talk to Perl and show the login page, Bash to generate the htaccess file and keep track of logs and such. I really want to get rid of Bash in this case.

If anyone else thinks this sounds interesting, tell me. I want to make it public but I don't know if anyone wants to use this.

Thanks
Lars

On Nov 19, 2007 11:09 PM, Albert T <albert.t680333 () gmail com> wrote:
Hello. I'm in the process of setting up my own network for my small office. I've set up a small/lightweight FreeBSD-based firewall at the "edge" of my network. It's running the PF firewall. I've got that working well for simple usage.

I understand how to set up OpenVPN passthrough from a remote client that has a VPN client; but that requires the remote user to (a) have the OpenVPN client, and/or (b) have "shell" access. I'd like to do something a bit different -- client-less and browser-only -- but I'm simply not sure how best to go about it. Here's a description of what I'm shooting for.

I've installed the Lighttpd web server on the firewall. I'd like to have Lighttpd listen on, and serve up a page/form at, one of my several IP addresses. That form should be an "S/KEY" / "OPIE" authentication form. A user would navigate to that URL and enter OTP credentials (from an OTP calculator, currently a J2ME one).

If the credentials are VERIFIED, then I'd like to "talk to" the PF firewall and have it open port 80 access at a different IP address to ONLY the authenticating IP address, and for a limited time (say, 1 hour). If the credentials are NOT VERIFIED, and there are for example 3 failed attempts within 15 minutes, then PF would be told to BLOCK IP access from that IP for a given amount of time (say 24 hours).

Like I said, I'm not sure how best to go about this. Getting to this point was not the easiest thing in the world, but reading and patience paid off. But doing *this* -- I'm not having much luck even figuring out how to narrow down my searching. I'd guess that some sort of PHP or CGI script on the Lighttpd page/site would need to have that "listen and control" logic. Is this a good way to go about this? Can anyone point me in the direction of an EXISTING OpenSource solution somewhere?

Thanks a bunch,
Albert
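The workflow Albert asks for (a verified OTP opens port 80 to the client's address for an hour; three failures within 15 minutes block it for a day) mapped onto PF tables, as an added example that is not code from either poster. It assumes the table names otp_allowed and otp_blocked, a state directory under /var/db, and that the PHP/CGI handler calls it with the client's REMOTE_ADDR.

```shell
# Glue between the OTP login page and PF (constructed example; names are assumptions).
# pf.conf is assumed to declare:
#   table <otp_allowed> persist
#   table <otp_blocked> persist
#   block in quick on $ext_if from <otp_blocked>
#   pass in quick on $ext_if proto tcp from <otp_allowed> to $web_ip port 80
# The web handler calls otp_grant or otp_fail with REMOTE_ADDR; cron runs otp_expire
# every minute. If the handler runs as the web user, limit its sudo entry to these
# exact pfctl invocations rather than pfctl in general.

PFCTL="${PFCTL:-/sbin/pfctl}"              # overridable so the logic can be tested without pf
STATE_DIR="${STATE_DIR:-/var/db/otpgate}"  # one failure log per client address
MAX_FAILS=3                                # this many failures...
FAIL_WINDOW=900                            # ...within 15 minutes triggers a block
ALLOW_TTL=3600                             # verified clients get port 80 for one hour
BLOCK_TTL=86400                            # blocked clients stay blocked for 24 hours

# Syntactic IPv4 check so only a dotted quad ever becomes a pfctl argument.
valid_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Verified OTP: open port 80 for this address and forget its failures.
otp_grant() {
    valid_ip "$1" || return 2
    "$PFCTL" -t otp_allowed -T add "$1" >/dev/null 2>&1 || return 1
    rm -f "$STATE_DIR/$1.fails"
}

# Failed OTP: record it; returns 0 only when this failure triggered a block.
otp_fail() {
    valid_ip "$1" || return 2
    mkdir -p "$STATE_DIR"
    log="$STATE_DIR/$1.fails"
    now=$(date +%s)
    # keep only failures still inside the window, then append this one
    { [ -f "$log" ] && awk -v t="$now" -v w="$FAIL_WINDOW" '$1 > t - w' "$log"
      echo "$now"; } > "$log.new"
    mv "$log.new" "$log"
    if [ "$(wc -l < "$log" | tr -d ' ')" -ge "$MAX_FAILS" ]; then
        "$PFCTL" -t otp_blocked -T add "$1" >/dev/null 2>&1
        rm -f "$log"
        return 0
    fi
    return 1
}

# Housekeeping: pf drops table entries older than their TTL (-T expire takes seconds).
otp_expire() {
    "$PFCTL" -t otp_allowed -T expire "$ALLOW_TTL"
    "$PFCTL" -t otp_blocked -T expire "$BLOCK_TTL"
}
```

Because the allow and block lists live in pf tables, `pfctl -t otp_allowed -T show` is the audit view of who currently has access, and a reboot or `pfctl -F all` clears them along with everything else.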