Home page logo

basics logo Security Basics mailing list archives

Re: How (best) to use web-from entry of an OTP/OPIE password to control a PF-firewall?
From: Lars <sunberg () gmail com>
Date: Wed, 21 Nov 2007 09:32:12 +0100


I think I have the solution to your problem.. I have made it myself
and I dont know if the source is quite ready to go public.. I need to
cleanup the code, please contact me if anyone want to help me out

My solution is using OPIE S/key. I have done it like this:
 - A perl script witch uses Auth::opie cpan. I'v compiled the perl
script to make it suidbit root so the apache web use can use it (need
access to /etc/opiekeys).
 - PHP talks to the perl executable. PHP tell you the usuall s/key
challange and you need to respond the right answer.
 - If login is ok, it sets a phpsession cookie and adds your ip adress
in a allowed list. It actually generates an htaccess files and sets
the php sessionID to be allowed and the ip to be allowed.
 - Inside the logged in "place" I have another php script, that one
comunicates with iptables. I have added the www user to sudoers and
added so it can executa iptables without any hassle.. This script open
up for one specific port to one specific ip.
 - You can also use the "control" script to delete authenticated php
sessions and allowed ip's. You can also delete IP's you have added to
the port allow list.

If you want to see how it works, please contact me.
If you want to try it, tell me and I can make a test page for you..
If you want to help to clean the code, please tell. Its not a mess,
and i'v tought about security from the start, so it should be secure.
But the main problem is that its a mix of several programming
languages. Perl to talk to the opie backend, php to talk to perl and
show the login page, bash to generate htaccess file and keep track of
logs and such. I really want to get rid of bash in this case.

If any one else thinks this sounds interesting, tell me. I want to
make it public but I dont know if anyone wants to use this..


On Nov 19, 2007 11:09 PM, Albert T <albert.t680333 () gmail com> wrote:

I'm in the process of setting up my own network for my small office.

I've set up a small/lightweight FreeBSD-based firewall at the "edge"
of my network.

It's running the PF firewall.  I've got that working well for simple usage.

I understand how to set up OpenVPN passthrough from a remote client
that has a VPN client; but, that requires the remote user to (a) have
the OpenVPN client, and/or (b) have "shell" access.

I'd like to do something a bit different -- client-less and
browser-only -- but I'm simply not sure how best to go about it.

Here's a description of what I'm shooting for.

I've installed the Lighttpd web server on the firewall.

I'd like to have Lighttpd listen on, and serve up a page/form at, one
of my several IP addresses.

That form should be an "S/KEY" / "OPIE" authentication form.  A user
would navigate to that URL, enter OTP credentials (from a OTP
calculator, currently a J2ME).

If the credentials are VERIFIED, then I'd like to "talk to" the PF
firewall, and have it open port80 access at a different IP address to
ONLY the authenticating IP address, and for a limited time (say, 1

If the credentials are NOT VERIFIED, and there are for example 3
failed attempt within 15 minutes, then PF would be told to BLOCK ip
access from that IP for a given amount of time (say 24 hours).

Like I said, I'm not sure how to best go about this.  Getting to this
point was not the easiset thing in the world, but reading and patience
paid off.  But doing *this* -- I'm now having much luck even figuring
out how to narrow nown my searching.

I'd guess that some sort of PHP or CGI script on the Lighttpd
page/site would need to have that "listen and control" logic.

Is this a good way to go about this?

Can anyone point me in the direction of an EXISTING OpenSource
solution somewhere?

Thanks a bunch,


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]