Friday, 8 October 2010

pfSense: securing the lightsquid and bandwidthd web interfaces
I manage a pfSense 1.2.3 based firewall and was asked to enable logging of the integrated squid proxy and of network activity.
I chose two packages and installed them through pfSense's web interface (WebGUI): bandwidthd and lightsquid.


Bandwidthd and lightsquid collect statistics and produce reports about the users' browsing, and only the administrator should be able to see this data.
Despite that, pfSense's default configuration does not restrict access to these report pages at all.


The pfSense management console (WebGUI) is password protected, but the bandwidthd and lightsquid pages are reachable without any authentication. You can verify this yourself: install bandwidthd and browse to https://yourfirewall-IP/bandwidthd/ from any host that can reach the WebGUI port; the report is displayed without a login.


About PfSense

  • pfSense is a BSD-derived distribution, but its applications, config files and resources often have unusual names and locations.
  • So I suggest using find / -name 'findthis*' to locate things.
  • pfSense uses PHP scripts to start and configure services; during a reboot many of the config files are generated from scratch.
  • The service scripts (to stop or restart a service) live in /etc and are named after the service, e.g. /etc/rc.restart_webgui (they are PHP scripts).
  • All the web interfaces and web services are served by lighttpd (pfSense 1.2.3 ships lighttpd 1.4.x).
  • The web server configuration is stored in /var/etc/lighty-webConfigurator.conf; this file is regenerated at every restart of the service, so editing it directly is useless: your changes are overwritten.

The solution

We are going to configure the lighttpd server to require authentication for the newly installed packages; this is an adaptation of the lighttpd mod_auth module guide.
The pfSense environment is quite different from a stock lighttpd install: the WebConfigurator's configuration is generated at every service restart by the /etc/inc/system.inc PHP script, so that is the file we have to change.
We need to log into the firewall shell and hack a bit. Let's do it:
  • enable the pfSense SSH console/shell (from the pfSense WebGUI)
  • log into the pfSense SSH shell (Windows users can use PuTTY)
Edit the WebConfigurator PHP script

Make a backup copy of /etc/inc/system.inc before touching it: a PHP syntax error in this file leaves you without a WebGUI. Then open it:

mcedit /etc/inc/system.inc or nano /etc/inc/system.inc

Around line 798 (the exact line may vary) you will find the list of lighttpd modules to load:

{$network_handler}

## modules to load
## "mod_auth" must appear in this list, otherwise lighttpd rejects the
## auth.* directives added below
server.modules = (
    {$captive_portal_module}
    "mod_access", "mod_accesslog",
    {$module}{$captiveportal},
    "mod_auth"
)


Add the following two conditional blocks to the same PHP heredoc. Their exact position is not important as long as they come after server.modules; I put them after the access log configuration, around line 920:

# The backslash before HTTP is required because these lines live inside a
# PHP heredoc in system.inc: it stops PHP from interpolating the name, so
# lighttpd receives the plain dollar-sign conditional it expects.
\$HTTP["url"] =~ "^/lightsquid/" {
    auth.backend = "plain"
    auth.backend.plain.userfile = "/var/etc/lighttpd-plain.myusers"
    # "/lightsquid" is matched as a URL prefix; the realm is the name shown
    # in the browser's login box (and, with an htdigest file, part of the hash)
    auth.require = ("/lightsquid" => (
        "method"  => "digest",
        "realm"   => "lightsquid",
        "require" => "valid-user"
    ))
}

\$HTTP["url"] =~ "^/bandwidthd/" {
    auth.backend = "plain"
    auth.backend.plain.userfile = "/var/etc/lighttpd-plain.myusers"
    auth.require = ("/bandwidthd" => (
        "method"  => "digest",
        "realm"   => "bandwidthd",
        "require" => "valid-user"
    ))
}

Create the user credentials

Create the text file /var/etc/lighttpd-plain.myusers,
e.g.   nano /var/etc/lighttpd-plain.myusers
/var/etc/lighttpd-plain.myusers must contain one username:password pair per line (don't forget the trailing newline!), and since it holds clear-text passwords it should be readable only by root (mode 0600):

myusername1:passwordOfUsername1
myusername2:passwordOfUsername2
Restart the WebGUI

From the pfSense shell, run the script that regenerates lighty-webConfigurator.conf and restarts lighttpd:
/etc/rc.restart_webgui

Final note

The digest authentication method protects the password on the wire: the browser answers a server challenge with an MD5 hash instead of sending the clear-text password (the WebGUI normally runs over HTTPS, so the transport is encrypted anyway, but digest keeps the password out of the request even without it).
With the plain backend, however, user names and passwords are stored unencrypted in a text file; if you don't want clear-text passwords on disk, change auth.backend from "plain" to "htdigest", which stores a hash per user and realm instead, and adjust the userfile format accordingly.
Please refer to the mod_auth documentation (1, 2) to adapt this solution to your needs. Two more caveats: a pfSense upgrade replaces /etc/inc/system.inc, so the edit has to be reapplied afterwards, and on embedded (NanoBSD) installs /var is a memory disk that is rebuilt at boot, so check that the user file survives a reboot on your install.
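As an added example (not part of the original post and not pfSense's own code), the following POSIX shell script builds the user file for the htdigest backend mentioned above, so that the file holds hashes rather than clear-text passwords. The htdigest format, per the lighttpd mod_auth documentation, is user:realm:MD5("user:realm:password"), and the realm must be exactly the "realm" string set in auth.require, so a user who may read both reports needs one line per realm. The user names, passwords and the /var/etc/lighttpd-htdigest.myusers path are assumptions made for the demo; it writes to a temp directory so it can be run anywhere, and it works with either FreeBSD's md5(1) or Linux's md5sum(1).

```shell
#!/bin/sh
# Added example, not from the original post: build a lighttpd "htdigest"
# user file. One line per user AND per realm:
#     user:realm:MD5("user:realm:password")
# User names, passwords and the output path are made up for the demo.

md5_hex() {
    # Hash stdin and print 32 hex digits. pfSense/FreeBSD ship md5(1),
    # Linux ships md5sum(1); support both so the script runs on either.
    if command -v md5 >/dev/null 2>&1; then
        md5 -q
    else
        md5sum | cut -d' ' -f1
    fi
}

htdigest_line() {
    # $1=user $2=realm $3=password  ->  "user:realm:<hash>"
    # (user and realm must not contain ':', lighttpd splits the line on it;
    # the password may, since it is hashed)
    _hash=$(printf '%s:%s:%s' "$1" "$2" "$3" | md5_hex)
    printf '%s:%s:%s\n' "$1" "$2" "$_hash"
}

write_userfile() {
    # $1=output path; remaining args are user:realm:password triples.
    # The file is created mode 0600: the stored hash (HA1) is enough to
    # answer a digest challenge, so it is as sensitive as the password itself.
    _path=$1; shift
    ( umask 077; : > "$_path" ) || return 1
    chmod 600 "$_path"
    for _triple in "$@"; do
        _user=${_triple%%:*}
        _rest=${_triple#*:}
        htdigest_line "$_user" "${_rest%%:*}" "${_rest#*:}" >> "$_path"
    done
}

check_userfile() {
    # Succeed only if the file is non-empty and every line is user:realm:32-hex.
    # A leftover "user:password" line from the plain backend fails this check,
    # which is worth running before restarting the WebGUI.
    [ -s "$1" ] || return 1
    if grep -Evq '^[^:]+:[^:]+:[0-9a-f]{32}$' "$1"; then
        return 1
    fi
    return 0
}

# Demo: write to a temp location. On the firewall the assumed path would be
# /var/etc/lighttpd-htdigest.myusers.
USERFILE=${TMPDIR:-/tmp}/lighttpd-htdigest.myusers
write_userfile "$USERFILE" \
    "admin:lightsquid:Secr3t-pw" \
    "admin:bandwidthd:Secr3t-pw" \
    "auditor:lightsquid:An0ther-pw"
check_userfile "$USERFILE" && echo "wrote $USERFILE ($(wc -l < "$USERFILE" | tr -d ' ') lines)"
```

With that file in place on the firewall, change the two auth.backend lines in each conditional block to auth.backend = "htdigest" and auth.backend.htdigest.userfile = "/var/etc/lighttpd-htdigest.myusers" (assumed name), then run /etc/rc.restart_webgui. A quick check from another host: curl -k -s -o /dev/null -w '%{http_code}\n' https://yourfirewall-IP/lightsquid/ should print 401, and the same request with --digest -u admin:Secr3t-pw should print 200. Remember that the realm in the file has to match the realm in auth.require exactly, otherwise every login fails even with the right password.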

The proposed changes don't affect the default authentication of the main pfSense WebGUI;
the console login is handled elsewhere inside the firewall (in the WebGUI's own PHP code rather than by lighttpd), which is why the lighttpd rules above don't interfere with it.

Have fun!