Friends don’t let friends use commercial routers

Now that I have my laptop working well, it’s time to address one of the main reasons I wanted to explore OpenBSD – securing my home network.  Many people might question the need for this.  After all, isn’t that the job of your Internet Service Provider?

Case in point – I received a notice from my ISP that they would be sending me a new cablemodem/router that I had to install by a particular date or I would possibly not be able to access the Internet.  After setting it up (turns out they were migrating to IPv6 which was why I needed new hardware), I ran into some problems.  I spent 2+ hours on the phone with their support team that followed a pattern:

  • On hold for 20 minutes
  • Speak to an agent
  • They tell me to reboot the modem (which I’ve done)
  • I tell them the problem is deeper than that
  • They tell me they will escalate this to a level 2 technician, please hold
  • They hang up on me

After a couple of iterations of this, I got frustrated.  I did some Googling and found the default admin userid and password for the modem.  Surely that wouldn’t work…  Yep it did.  So on the one hand, I was able to fix my problem (yay) on the other, what an appalling security setup.  I needed to have my own firewall that fronted to the ISPs router and treat their network as hostile.  As I’m fond of saying, the only thing more dangerous than running an insecure network is thinking you are running a secure network.

Fortunately, our friends at BSDNow.TV had a great tutorial for solving this problem (http://www.bsdnow.tv/tutorials/openbsd-router).  However, there was the question of what hardware to use.  I wanted something that would be quiet and not consume a lot of power (i.e. not generate a lot of heat) and yet be powerful enough to serve multiple purposes on my network.  I also wanted hardware (especially network hardware) that was mainstream for OpenBSD.  Oh, and it needed two NICs.

I ended up selecting a fanless ASRock motherboard (http://www.newegg.com/Product/Product.aspx?Item=N82E16813157417) that had a dual core 1.86 GHz Atom processor and two Intel gigabit NICs onboard.  I purchased a replacement fan (http://www.newegg.com/Product/Product.aspx?Item=N82E16835608055) for the power supply in the case (http://www.newegg.com/Product/Product.aspx?Item=N82E16811108196) I ordered to keep the noise levels down.  Throw in a couple of sticks of RAM and a small SSD and I was good to go.

When the hardware arrived, I quickly assembled it, booted from the OpenBSD 5.7 install image (I figured I wouldn’t run current on this box because it needed to be more of an appliance) from a thumb drive (install57.fs) and configured my base system.  After that, I followed the BSDNow tutorial and soon had a router up and running.

I’ve been running the router for some time now and the performance is great.  The only issue I have had to date is with dnscrypt and the server I chose to use in the Netherlands.  There was a recent Amazon outage and that server went dark on me which caused me to chase my tail a bit to find out why I couldn’t resolve names any more on the network.  After that, it seemed to have an issue where, after 7 days of uptime, it would randomly stop resolving names.  I switched to a server in Sweden and it looks like that problem is resolved.  I could run my own recursive server internally but I liked the fact that my DNS requests were totally unknown to my ISP and being serviced outside of the United States.

On my “todo” list going forward, I would like to:

  • Set up an internal caching proxy server to improve my local network’s performance to frequently visited sites
  • Set up my own internal mail server that stores all of my mail data locally on an encrypted volume
  • Set up network monitoring (likely nagios given my experience with it) using the new httpd daemon in OpenBSD (no more Apache for me)
  • Set up snort as an Intrusion Detection System (IDS) on the internal network

In the “just for convenience” category, I set up an ssh server, poked a wall through the pf firewall and port forwarded the port from the ISP’s modem to my box.  I set it up as securely as I could think to (no password logins allowed, root cannot login) and limited it to using certificate based authentication with only one user on the box having access.  For fun (I know, I have strange hobbies) I created a cron job to look at who was trying to remotely log into the open port and was astonished at the frequency of attacks.

For those interested, here is the quick & dirty script I cooked up to generate a daily report from the router that I send to my gmail address each morning (triggered by cron) so that I can keep an eye on what’s going on:

#! /bin/sh
echo 'Uptime:' > /tmp/network-report
uptime >> /tmp/network-report
echo ' ' >> /tmp/network-report
echo 'Hardware sensors' >> /tmp/network-report
sysctl hw.sensors >> /tmp/network-report
echo ' ' >> /tmp/network-report
echo 'Egress (em0) network statistics' >> /tmp/network-report
vnstat -i em0 >> /tmp/network-report
echo ' ' >> /tmp/network-report
echo 'Interal (em1) network statistics' >> /tmp/network-report
vnstat -i em1 >> /tmp/network-report
echo ' ' >> /tmp/network-report
echo 'List of firewall rules' >> /tmp/network-report
pfctl -g -s rules| grep '^@' >> /tmp/network-report
echo ' ' >> /tmp/network-report
echo 'Tcpdump of egress (em0) network' >> /tmp/network-report
tcpdump -n -e -ttt -r /var/log/pflog inbound and host 11.11.11.11 >> /tmp/network-report
echo ' ' >> /tmp/network-report

echo ' ' >> /tmp/network-report
echo 'Failed ssh login attempts' >> /tmp/network-report
cat /var/log/authlog | grep 'sshd' | grep 'Invalid' >> /tmp/network-report
cat /var/log/authlog | grep 'sshd' | grep 'Invalid' | grep -o '[0-9]\{1,3\}\.[0-
9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | sort | uniq -u | while read in; do /usr
/local/bin/country.sh "$in"; done >> /tmp/network-report

cat /tmp/network-report | mail -s 'Daily router activity' me@mydomain.com

The “country.sh” was a little quick & dirty script I cooked up to further “gild the lilly”.  I was curious as to what the country of origin was for the attempted intrusions.  Again, I have odd hobbies.  Here’s that script too if you are interested:


! /bin/sh

echo >/tmp/lookup "curl -silent /dev/null https://restcountries.eu/rest/v1/alpha/"
curl -silent /dev/null ipinfo.io/$1 | grep country | sed s/'  "country":'//g |sed s/'"'//g | sed s/,//g | awk '{print tolower($0)}' >> /tmp/lookup

sed 'N;s/\n//' /tmp/lookup > /tmp/lookup.sh
chmod +x /tmp/lookup.sh

echo $1 ' -> ' >/tmp/result.out
exec /tmp/lookup.sh | perl -pe 's/,/\n/g' | grep name | sed 's/{"name":"//g'| sed 's/"//g' >>/tmp/result.out

cat /tmp/result.out | sed 'N;s/\n//'

This entry was posted in Uncategorized. Bookmark the permalink.

3 Responses to Friends don’t let friends use commercial routers

  1. Chris says:

    I think there is an issue with your country lookup tool. The restcountries link doesn’t provide any info.

  2. Pingback: Say my Blog’s name! | FunctionallyParanoid.com

  3. Pingback: Installing Snort on OpenBSD 6.4 | FunctionallyParanoid.com

Leave a Reply

Your email address will not be published. Required fields are marked *