From: David S. <ope...@to...> - 2010-01-06 13:01:07
On 06/01/10 13:03, Curtis Ide wrote:
> On 1/5/10 11:18 PM, "Andreas Jung" <li...@zo...> wrote:
>
>> Curtis Ide wrote:
>>> Configuring TCP Wrappers
>>>
>>> I'm getting attacks on my openvpn server.
>>> I'd like to set up TCP Wrappers but I can't seem to get it working.
>>
>> Why do you need tcp wrapper while MacOSX provides a proper firewall???
>>
>> - -aj
>>
> I am running the Mac OS firewall. I have configured that firewall to only
> allow connections to the services I want open. I have also configured my
> router (an Apple AirPort) to only allow connections to the specific ports I
> want open.
>
> I am getting openvpn connection requests from hosts that are clearly bots
> trying to find an unsecured openvpn server. I have only several IPs from
> which I want to allow openvpn connections. OpenVPN ends up disallowing the
> connection when the security doesn't match. However, they are sending
> buffer overflow attacks and I'd prefer if they never reach the openvpn
> service.
>
> I haven't figured out how to configure either the AirPort or the Mac OS
> firewall to restrict IP connections so I thought I'd use TCP Wrappers.

First of all, I'm not sure if openvpn supports TCP wrappers. In fact, if it does, there's no trouble using TCP wrappers in addition to the firewall. It's just another layer of security. For a short and decent "howto", look at [1]. Do 'ldd /usr/sbin/openvpn | grep wrap' to see if libwrap is compiled into openvpn. But to be honest, I doubt it.

I'm not sure if you are using TCP or UDP in your OpenVPN config. If you're using UDP (tcpwrapper also supports UDP, afaik, despite its name), using --tls-auth will for sure help you. I'm not sure how well --tls-auth will work with TCP, as TCP will require the openvpn server to respond to all connections before deciding to close it. While with UDP, the server can analyse the UDP packet and then decide if it wants to respond or not. Anyhow, --tls-auth will give another layer of security as well, but it will be most efficient together with UDP.

Using another port than the standard port is also an approach, even though that is not really a real security solution. But if you can reconfigure to use UDP and use --tls-auth, you'll get the very best security approach OpenVPN can natively provide in addition to the default setup.

kind regards,

David Sommerseth

[1] <http://linuxhelp.blogspot.com/2005/10/using-tcp-wrappers-to-secure-linux.html>
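The two layers discussed in the reply (checking whether the openvpn binary is linked against libwrap, and putting --tls-auth in front of a UDP server) as an added shell example; this is not code from the thread or from the OpenVPN project. It assumes the libwrap daemon name in hosts.allow would be `openvpn` (a hypothetical name, only meaningful if the binary actually links libwrap), the constructed `ldd` output and client addresses are illustrative, and the standard port 1194 is used.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.

# Layer 1: does this openvpn binary link libwrap (TCP Wrappers)?
# Feed it the output of `ldd "$(command -v openvpn)"`; returns 0 if libwrap
# appears, 1 otherwise. hosts.allow/hosts.deny only take effect when it does.
has_libwrap() {
  printf '%s\n' "$1" | grep -q 'libwrap'
}

# Build the hosts.allow line restricting a daemon to an allow-list of clients.
# Usage: hosts_allow_for <daemon-name> <addr> [<addr> ...]
# Pair it with "<daemon-name>: ALL" in /etc/hosts.deny so everything else is refused.
hosts_allow_for() {
  daemon=$1; shift
  list=$(printf '%s, ' "$@")
  printf '%s: %s\n' "$daemon" "${list%, }"
}

# Layer 2: --tls-auth on a UDP server. The static HMAC key is generated once
# (outside this script, with the real command `openvpn --genkey --secret ta.key`)
# and copied to every client. Packets without a valid HMAC are dropped before
# any TLS handshake starts, so unauthenticated scanners never get a reply.
# The server uses key direction 0; clients use "tls-auth ta.key 1".
tls_auth_server_fragment() {
  cat <<'EOF'
proto udp
port 1194
tls-auth ta.key 0
EOF
}

# Stand-alone run on constructed sample data.
SAMPLE_LDD_WITH_WRAP='libwrap.so.0 => /lib/libwrap.so.0 (0x00007f00)'
SAMPLE_LDD_WITHOUT_WRAP='libssl.so.1.0.0 => /lib/libssl.so.1.0.0 (0x00007f00)'

if has_libwrap "$SAMPLE_LDD_WITH_WRAP"; then
  echo "libwrap linked: hosts.allow would be honoured"
  hosts_allow_for openvpn 192.0.2.10 198.51.100.7
  echo "openvpn: ALL   # goes in /etc/hosts.deny"
fi
if ! has_libwrap "$SAMPLE_LDD_WITHOUT_WRAP"; then
  echo "no libwrap: rely on the packet filter and --tls-auth instead"
fi
echo "--- server.conf fragment ---"
tls_auth_server_fragment
```

The `ldd` check is the one from the reply; the hosts.allow line only matters when that check succeeds, which is why the tls-auth fragment is the layer that helps regardless of how openvpn was built.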