December 24, 2014 at 8:46 am #44145
I had a security audit of my network done and they found a leak in Zeroshell.
It is in the DNS protocol, which is open for everyone as a free service.
With this protocol they are able to open a tunnel through Zeroshell to scan all the machines behind it and make a connection to them (by RDP, for example) without authentication!
My question is how to limit the DNS service to the Zeroshell local server to avoid this?
Remove the DNS free service, but which rules do I need to create in the firewall to keep it running?
Thanks for your help.

December 24, 2014 at 1:59 pm #53600
Interesting, which ZS version are you running? How was this security audit done? How were the firewall rules configured on ZS during the audit? And in NETWORK, DNS, Clients?
Greetings

December 26, 2014 at 8:21 am #53601
I’m running Zeroshell 3.2.1.
They used the Nmap Security Scanner. They let me see them breaking into the Wifi.
I made a wifi network, 192.168.192.0/26, with DHCP & DNS on the Zeroshell machine. DNS is a free open service (UDP 53) and DHCP/Bootp (UDP 67), like in your example configuration.
The firewall rules are very simple:
Forward: (51..64 are my wifi access points)
1 ETH00 * ACCEPT all opt -- in ETH00 out * 0.0.0.0/0 -> 192.168.2.0/24 source IP range 192.168.192.51-192.168.192.64 no
2 ETH00 * ACCEPT all opt -- in ETH00 out * 0.0.0.0/0 -> 172.16.0.0/20 source IP range 192.168.192.51-192.168.192.64 no
3 ETH00 * ACCEPT all opt -- in ETH00 out * 0.0.0.0/0 -> 0.0.0.0/0 source IP range 192.168.192.51-192.168.192.64 TIME from 00:00:00 to 23:45:00

1 ETH01 * ACCEPT all opt -- in ETH01 out * 0.0.0.0/0 -> 0.0.0.0/0 no
2 ETH00 * ACCEPT all opt -- in ETH00 out * 0.0.0.0/0 -> 0.0.0.0/0 source IP range 192.168.192.51-192.168.192.64 no
3 ETH00 * ACCEPT all opt -- in ETH00 out * 0.0.0.0/0 -> 0.0.0.0/0 TIME from 07:00:00 to 20:00:00 on Mon,Tue,Wed,Thu,Fri no
4 ETH00 * DROP all opt -- in ETH00 out * 0.0.0.0/0 -> 0.0.0.0/0

1 * * ACCEPT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 destination IP range 192.168.192.51-192.168.192.64 no
2 * * ACCEPT all opt -- in * out * 0.0.0.0/0 -> 192.168.192.0/22 TIME from 07:00:00 to 20:00:00 on Mon,Tue,Wed,Thu,Fri no
3 * * DROP all opt -- in * out * 0.0.0.0/0 -> 192.168.192.0/22
These rules are made to prevent wifi use after 8:00 PM and before 7:00 AM.
Between 11:45 PM and 12:00 PM, traffic is disabled for the Wifi access points to force a reset.
If you want, I can send you my config.
Kind regards.

December 26, 2014 at 9:17 am #53602
Rather than the config, it would be helpful to know your network topology (with, e.g., some IP addresses) and what your goal is, what you want to achieve, e.g. whether forwarding between interfaces must be allowed or denied, globally, per IP…
P.S. What are the firewall's default policies now? Allow or deny?
Usually I leave the output chain empty (allows all) and I work on both the input (packets for the ZS itself) and forward (packets traversing the ZS, aka packet switching) chains.
Regards

December 26, 2014 at 9:30 am #53603
The network topology is simple:
ETH0 is the Wifi network.
ETH1 is the DMZ network; NAT is enabled on this interface.
Default policies are Allow.
I'm using the captive portal for user authentication.

December 26, 2014 at 1:03 pm #53604
It seems that ETH01 is the WAN side of ZS (maybe it is a DMZ of another router), so let's say that ETH00 is the interface to which the APs are connected and where the CP is listening. I'm now assuming (just as a sample):
ZS def-gw 192.168.2.1
other network, 172.16.0.0/20
I'd manage the APs (192.168.192.51-64) from both networks, 192.168.2.0/24 and 172.16.0.0/20 (the managing PC must know how to reach the network 192.168.192.0/22, which is behind the 192.168.2.x interface of ZS; its default gw must have a route to that network), and allow the users, once authenticated to the CP, to access the web while denying access to the private networks beyond the ZS.
Forward chain, default policy DROP
1 ETH01 ETH00 ACCEPT all opt -- in ETH01 out ETH00 192.168.2.0/24 -> 0.0.0.0/0 destination IP range 192.168.192.51-192.168.192.64
2 ETH01 ETH00 ACCEPT all opt -- in ETH01 out ETH00 172.16.0.0/22 -> 0.0.0.0/0 destination IP range 192.168.192.51-192.168.192.64
3 ETH00 ETH01 ACCEPT all opt -- in ETH00 out ETH01 0.0.0.0/0 -> 192.168.2.0/24 source IP range 192.168.192.51-192.168.192.64 state RELATED,ESTABLISHED
4 ETH00 ETH01 ACCEPT all opt -- in ETH00 out ETH01 0.0.0.0/0 -> 172.16.0.0/22 source IP range 192.168.192.51-192.168.192.64 state RELATED,ESTABLISHED
5 ETH00 * DROP all opt -- in ETH00 out * 0.0.0.0/0 -> 10.0.0.0/8
6 ETH00 * DROP all opt -- in ETH00 out * 0.0.0.0/0 -> 172.16.0.0/12
7 ETH00 * DROP all opt -- in ETH00 out * 0.0.0.0/0 -> 192.168.0.0/16
8 ETH00 * time based rule .......
9 ETH00 * (other time based rule ....)
You may want to add a rule in Startup Script, NAT and Virtual Servers, to avoid the APs' IP addresses being NATted during management:
iptables -t nat -I POSTROUTING 1 -o ETH01 -d 192.168.2.0/24 -j ACCEPT
iptables -t nat -I POSTROUTING 2 -o ETH01 -d 172.16.0.0/22 -j ACCEPT
For devices in the same broadcast domain, ZS is irrelevant; you have to use some kind of client isolation/L2 isolation on the APs to stop devices seeing each other.
And also, you may want to deny ZS management from the wifi network; look in Setup, Web and SSH.
Regards

December 26, 2014 at 1:30 pm #53605
Thanks for your response.
With this config I get a problem. My authenticated users need access through a firewall on the DMZ to their VDI machines (VMware Windows 7 machines). This is in a part of our internal network. They need access to machines on the DMZ.
My only problem is how to limit DNS to the current Zeroshell server to avoid the DNS tunneling found by the auditor.
So how do I delete the "Free service DNS" and replace it with firewall rules to limit DNS requests to Zeroshell and restrict them to this server?
This is the only point they found on Zeroshell.
Thanks for your help.

December 26, 2014 at 1:55 pm #53606
If ZS acts as DNS server for the wifi clients (and then they have the IP of ZS as def-gw as well as DNS), shouldn't it be enough to add a couple of rules? In the FORWARD chain, in 1st and 2nd place:
1 ETH00 * DROP udp opt -- in ETH00 out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:53
2 ETH00 * DROP udp opt -- in ETH00 out * 0.0.0.0/0 -> 0.0.0.0/0 udp spt:53
Edit… you can also disable the free DNS service for CP users; this can be done under 'Users', 'Captive Portal', 'Free Authorized Services': remove 'Domain Name System'.
Regards

December 26, 2014 at 2:31 pm #53607
You are the best!
I have deleted the free DNS service.
Added the 2 rules you gave me.
And tataam: it's pretty fine now!
They used the nbscan program to find systems behind Zeroshell through port 53.
nbscan -f -p 53 192.168.2.0/24, for example.
Before the change, all systems were able to be seen by this utility.
After the change, nothing is displayed.
And the captive portal is still running fine!
Thanks for your help.
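The fix agreed in the thread (#53606, confirmed in #53607) has two halves: remove 'Domain Name System' from the captive portal's Free Authorized Services in the GUI, and add FORWARD rules so that port 53 traffic from the wifi side can no longer traverse Zeroshell to a resolver behind it. The script below is an added example, not code from the thread or from the Zeroshell project; it prints the iptables commands for the firewall half and only executes them when APPLY=1 is set. It goes slightly beyond the thread's two UDP rules by dropping forwarded TCP/53 as well (TCP is a valid DNS transport and just as usable for tunnelling) and by explicitly keeping INPUT open so clients can still query the resolver on Zeroshell itself. The interface name ETH00 is the thread's; the Zeroshell wifi-side address 192.168.192.1 is an assumption for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or Zeroshell). Generates, and with APPLY=1
# applies, iptables rules that let wifi clients use only the resolver on ZS.
# Assumptions: wifi interface ETH00 (from the thread); ZS's wifi-side address
# 192.168.192.1 (hypothetical, set ZS_DNS to your real one).

WIFI_IF="${WIFI_IF:-ETH00}"
ZS_DNS="${ZS_DNS:-192.168.192.1}"

# Print one iptables command; execute it too when APPLY=1.
rule() {
    printf 'iptables %s\n' "$*"
    [ "${APPLY:-0}" = "1" ] && iptables "$@"
    return 0
}

# Emit the DNS-containment rule set. Everything is inserted (-I) at the top of
# its chain so it wins over the captive portal's own ACCEPT rules and over the
# broad "ETH00 -> anywhere" ACCEPT rules shown earlier in the thread.
dns_rules() {
    # INPUT: queries addressed to ZS's own resolver stay allowed (UDP and TCP).
    rule -I INPUT 1 -i "$WIFI_IF" -d "$ZS_DNS" -p udp --dport 53 -j ACCEPT
    rule -I INPUT 2 -i "$WIFI_IF" -d "$ZS_DNS" -p tcp --dport 53 -j ACCEPT
    # FORWARD: no port-53 traffic from the wifi side may cross ZS to another
    # network, in either direction. Lines 1-2 are the thread's two rules; 3-4
    # extend them to TCP so the same channel cannot simply switch transport.
    rule -I FORWARD 1 -i "$WIFI_IF" -p udp --dport 53 -j DROP
    rule -I FORWARD 2 -i "$WIFI_IF" -p udp --sport 53 -j DROP
    rule -I FORWARD 3 -i "$WIFI_IF" -p tcp --dport 53 -j DROP
    rule -I FORWARD 4 -i "$WIFI_IF" -p tcp --sport 53 -j DROP
}

# Run it: prints the plan; APPLY=1 ./script.sh installs the rules.
dns_rules
```

ZS's own upstream queries leave through the OUTPUT chain, not FORWARD, so they are unaffected. After applying, a query from a wifi client to any resolver beyond ZS (for example `dig @192.168.2.1 example.com` against the thread's default gateway) should time out, while `dig @192.168.192.1 example.com` is still answered; if the second one fails, the INPUT rules above did not land before a DROP rule in that chain.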