A secure kernel and properly configured network interfaces are only part of configuring a secure station. There are various parts of the operating system that you must secure to protect yourself from attackers. This includes configuring a host-based firewall, removing unneeded services being started at boot time, and setting static ARP entries to avoid ARP spoofing attacks.
A firewall configuration on a wireless client is generally straightforward. Almost all connections will be outbound from the host. Unless you are running externally accessible services such as a web or ssh server, there should never be a connection attempt from outside hosts.
The firewall configuration is stored in /etc/pf.conf. The file contains directives that will be passed to the packet filter at boot time. Here is a simple pf.conf that should work on most client installations. If you require a more advanced firewall setup or would like a more complete discussion of pf, see Section 13.2 in Chapter 13 or read the pf.conf manual page.

# Simple client pf.conf
oif = "wi0"
onet = "192.168.0.0"
omask = "255.255.255.0"
oip = "192.168.0.248"

# block by default
block in log all

# Let loopback traffic through
pass out quick on lo0 all
pass in quick on lo0 all

# keep windows hosts from filling your logs
block in quick on $oif proto tcp from any to any port 136 >< 140

# keep broadcasts from filling your logs
block in quick on $oif inet from any to { 255.255.255.255, 192.168.0.255 }

# allow everything outbound
pass out quick on $oif all keep state

Make sure you have pf support compiled into your kernel and set pf=YES in /etc/rc.conf to cause the firewall to be enabled at boot time. This is a very simple firewall configuration. However, in a hostile wireless environment, keeping things simple may make the difference between keeping attackers off your machine and being the weakest link in the network.
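The value of the ruleset above lies in three properties: inbound traffic is blocked by default, the only "pass in" rules are on the loopback interface, and the outbound rule keeps state so replies get back in without any inbound hole. The script below is an added example, not from the book, that checks a pf.conf text for those three properties before it is loaded; the script name, the function names and the two constructed rulesets are assumptions for illustration, and it only inspects the text (the real syntax check remains pfctl -nf /etc/pf.conf).

```shell
#!/bin/sh
# pf_client_audit.sh (hypothetical name, added example; not from the book).
# Checks that a client pf.conf written in the style above keeps a default-deny
# inbound policy: "block in ... all" as the default, "pass in" only on lo0, and a
# stateful "pass out" on the wireless interface so replies get back in.
# This only inspects the text; the real syntax check is "pfctl -nf /etc/pf.conf".

# Constructed ruleset (same shape as the book's example) written to a temp file.
GOOD=$(mktemp)
cat > "$GOOD" <<'EOF'
# Simple client pf.conf
oif = "wi0"
block in log all
pass out quick on lo0 all
pass in quick on lo0 all
block in quick on $oif proto tcp from any to any port 136 >< 140
block in quick on $oif inet from any to { 255.255.255.255, 192.168.0.255 }
pass out quick on $oif all keep state
EOF

# Constructed bad ruleset: the wireless interface was "temporarily" opened up.
BAD=$(mktemp)
{ cat "$GOOD"; echo 'pass in quick on $oif all'; } > "$BAD"
trap 'rm -f "$GOOD" "$BAD"' EXIT

# Rule lines only: strip comments and blank lines
rules() { sed -e 's/#.*//' "$1" | grep -v '^[[:space:]]*$'; }

# 1. a default inbound block rule ("block in all" or "block in log all") is present
has_default_block() {
    rules "$1" | grep -Eq '^block[[:space:]]+in([[:space:]]+log)?[[:space:]]+all$'
}

# 2. no "pass in" rule reaches anything but the loopback interface
no_inbound_pass() {
    ! rules "$1" | grep -E '^pass[[:space:]]+in' | grep -Ev 'on[[:space:]]+lo0' | grep -q .
}

# 3. outbound traffic on the wireless interface ($oif) keeps state
outbound_keeps_state() {
    rules "$1" | grep -E '^pass[[:space:]]+out.*on[[:space:]]+\$oif' | grep -q 'keep state'
}

# Returns 0 when all three hold, 1 otherwise, printing what failed
audit_pf() {
    f=$1; rc=0
    has_default_block "$f"    || { echo "FAIL: no default 'block in all' rule"; rc=1; }
    no_inbound_pass "$f"      || { echo "FAIL: 'pass in' on a non-loopback interface"; rc=1; }
    outbound_keeps_state "$f" || { echo "FAIL: outbound rule on \$oif lacks 'keep state'"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $f is a default-deny client ruleset"
    return "$rc"
}

audit_pf "$GOOD"
audit_pf "$BAD" || echo "  (audit exit status $?)"
```

Run it against a copy of the file you intend to install; the point of a client firewall is that nothing listens on the wireless side, and a single stray "pass in" on $oif silently reverses that.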
Unneeded services running on a machine are a liability. An unneeded service becomes a forgotten service. And a vulnerability discovered in a forgotten service can quickly lead to a compromise. By removing unneeded services from your machine, you make administration easier and increase the security of the host.
In a default OpenBSD install, there are two major places where services are launched. The standard inetd facility controls services such as telnet, ftp, chargen, etc. These services are configured in /etc/inetd.conf. Edit this file and comment out any services you do not require. In general, ssh will provide all required remote services, so you should be able to comment out everything in inetd.conf.
The other source of many services is /etc/rc.conf. Again, edit this file and examine it for any services you do not need. Turn services off by setting the option to NO. For example, disable portmapper by changing:
portmap=YES # almost always needed
to this:
portmap=NO # almost always needed
Restart your machine for these changes to take effect. Verify the machine acts as you anticipate and you have not disabled services in error.
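Before rebooting it helps to know exactly what the two files will start, and to make the YES-to-NO edit mechanically so a stray comment or flag value is not missed. The script below is an added example, not from the book, that lists the services inetd.conf and rc.conf enable and then flips one rc.conf variable to NO; the script name, the function names and the two sample files are constructed for illustration, and it assumes the classic var=VALUE rc.conf format the book describes (values that themselves contain a "#" are not handled).

```shell
#!/bin/sh
# enabled_services.sh (hypothetical name, added example; not from the book).
# Lists what inetd.conf and rc.conf will start at boot, then turns one rc.conf
# variable to NO the way the portmap example above does. File paths are
# arguments so it can be run against copies; on a host you would pass
# /etc/inetd.conf and /etc/rc.conf.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample files in the format the book describes (not real captures).
cat > "$WORK/inetd.conf" <<'EOF'
# constructed inetd.conf excerpt
#ftp     stream  tcp   nowait  root     /usr/libexec/ftpd     ftpd -US
ident    stream  tcp   nowait  _identd  /usr/libexec/identd   identd -el
#telnet  stream  tcp   nowait  root     /usr/libexec/telnetd  telnetd -k
daytime  stream  tcp   nowait  root     internal
EOF

cat > "$WORK/rc.conf" <<'EOF'
# constructed rc.conf excerpt
portmap=YES             # almost always needed
sshd_flags=""           # for normal use: ""
ntpd_flags=NO           # for normal use: ""
sendmail_flags="-L sm-mta -C/etc/mail/localhost.cf -bd -q30m"
ftpd_flags=NO
pf=YES
EOF

# Service names inetd will start: first field of every uncommented line
inetd_enabled() { sed -e 's/#.*//' "$1" | awk 'NF { print $1 }'; }

# Value of one rc.conf variable, comment stripped and trailing blanks trimmed
rcconf_value() {
    sed -e 's/#.*//' "$2" | awk -F= -v k="$1" '$1 == k { v = $2; gsub(/[ \t]+$/, "", v); print v }'
}

# rc.conf variables that start something: anything except NO or "NO"
# (note that xxx_flags="" means "run with default flags", not "disabled")
rcconf_enabled() {
    sed -e 's/#.*//' "$1" | awk -F= 'NF >= 2 {
        v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (v != "NO" && v != "\"NO\"") print $1
    }'
}

# Rewrite VAR=... to VAR=NO, keeping any trailing comment (portmap=YES -> portmap=NO)
disable_rc_service() {
    var=$1; file=$2
    awk -v k="$var" '
        index($0, k "=") == 1 {
            c = index($0, "#")
            tail = (c > 0) ? " " substr($0, c) : ""
            $0 = k "=NO" tail
        }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

echo "inetd will start:"; inetd_enabled "$WORK/inetd.conf"
echo "rc.conf enables:";  rcconf_enabled "$WORK/rc.conf"
disable_rc_service portmap "$WORK/rc.conf"
echo "portmap is now: $(rcconf_value portmap "$WORK/rc.conf")"
```

The rcconf_enabled list is the one to read carefully: a variable set to "" is enabled, not disabled, which is easy to misread when skimming the file by hand.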
As documented in ARP Poisoning, there is a real threat from man-in-the-middle attacks due to ARP poisoning. A malicious user may be able to convince your workstation that her host is the gateway by forging spoofed packets. By putting a static ARP entry on your host, the effectiveness of this attack is minimized.
Through the ancontrol utility, Cisco cards can be configured to only associate with authorized MAC addresses. Whenever possible, this filtering should be configured. Authorized access point MAC address filtering in combination with static ARP entries for your layer 3 gateway will prevent many of the attacks that can be launched at layer 2.
Static ARP entries override any dynamic information received over the network. If you are always using the same gateway (i.e., you are not roaming around to different layer 3 wireless networks) you can put a script in /etc called staticarp.sh to hard code the ARP entry:

#!/bin/sh
# staticarp.sh
# This script will set static arp entries for OpenBSD

# Add the ARP entry for the gateway
echo -n ' adding gateway arp'
/usr/sbin/arp -d <gatewayIP>
/usr/sbin/arp -s <gatewayIP> <gatewayMAC> permanent

Make sure you make this shell script executable. In order to run this file at boot time, add the following lines to /etc/rc.local:

# Set static ARP entries for gateway
if [ -f /etc/staticarp.sh ]; then
    . /etc/staticarp.sh
fi

After your next reboot, verify the script has executed correctly by using the arp command:

bash-2.05a# arp -an
? (192.168.0.1) at 00:02:2d:08:5b:30 permanent static
? (192.168.0.2) at 00:10:5a:a7:09:2a

The word permanent indicates that no network traffic, including malicious ARPs from other hosts, will override this static entry.
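The verification above is a one-time look at arp -an; the same check can be scripted so it runs after each boot or from cron and complains if the gateway entry is missing, carries a different MAC, or has lost its permanent flag. The script below is an added example, not from the book; the script name, the function names and the sample arp -an text are constructed for illustration, the IP and MAC are the ones from the book's sample output, and it assumes the OpenBSD arp -an line format shown above.

```shell
#!/bin/sh
# check_gateway_arp.sh (hypothetical name, added example; not from the book).
# Confirms from "arp -an" output that the gateway's entry carries the expected
# MAC and is flagged permanent, so it can be run after boot or from cron as the
# verification step above. On a live host replace the constructed sample with:
#   ARP_OUT=$(arp -an)

GATEWAY_IP=192.168.0.1            # values taken from the book's sample output
GATEWAY_MAC=00:02:2d:08:5b:30

# Constructed "arp -an" output in the format shown above (not a real capture)
ARP_OUT='? (192.168.0.1) at 00:02:2d:08:5b:30 permanent static
? (192.168.0.2) at 00:10:5a:a7:09:2a'

# Print "<mac> <flags...>" for one IP, reading arp -an text on stdin
arp_entry() {
    awk -v ip="($1)" '$2 == ip { printf "%s", $4; for (i = 5; i <= NF; i++) printf " %s", $i; print "" }'
}

# check_gateway IP MAC ARP_TEXT: returns 0 if the entry exists, matches MAC and
# is permanent; 1 (with a message) for a missing, mismatched or dynamic entry
check_gateway() {
    ip=$1; want=$(printf '%s' "$2" | tr 'A-Z' 'a-z'); table=$3
    entry=$(printf '%s\n' "$table" | arp_entry "$ip")
    if [ -z "$entry" ]; then
        echo "MISSING: no ARP entry for $ip"; return 1
    fi
    # first word of the entry is the MAC; normalise case before comparing
    mac=$(printf '%s' "${entry%% *}" | tr 'A-Z' 'a-z')
    if [ "$mac" != "$want" ]; then
        echo "ALERT: $ip is at $mac, expected $want (possible ARP poisoning)"; return 1
    fi
    case " $entry " in
        *" permanent "*) echo "OK: $ip at $mac is permanent"; return 0 ;;
        *) echo "WARN: $ip at $mac is a dynamic entry; static entry not in effect"; return 1 ;;
    esac
}

check_gateway "$GATEWAY_IP" "$GATEWAY_MAC" "$ARP_OUT"
```

A non-zero exit with the ALERT message is the case worth logging centrally: on a host with the static entry installed it should never happen, so when it does, either staticarp.sh did not run or something on the network is answering for the gateway.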