Over the past few weeks I have been switching off of NixOS and going back to the previous OSes and distros I was using. Last week I migrated my VPS back to OpenBSD and I now feel like I can appreciate its simplicity even more. That's not the point of this though.
When migrating I was reminded of something @nemo@camp.crates.im previously said about only allowing ssh access from the IP addresses he knows he uses. I thought I should try doing something similar, especially because to me pf is way saner to use and manage than iptables.
The addresses I know I'll use are my home IPv4 address and the IPv4+IPv6 addresses of the Mullvad endpoints I am likely to use.
Unfortunately I don't know what those public addresses are before connecting.
A quick script containing something like the one below (I didn't save it >_<) later, I had all the addresses I needed to pass to pf.
```sh
for i in *.conf; do
    wg-quick up "$i"
    # public IPv4 address as seen through this endpoint
    curl -s4 https://zx2c4.com/ip | sed 1q
    # the connect timeout is there because a few of the endpoints had a not-working IPv6 address
    # (5 seconds is a placeholder value; the original didn't survive)
    curl -s6 --connect-timeout 5 https://zx2c4.com/ip | sed 1q
    wg-quick down "$i"
done
```
Now in my pf.conf I just had to do something like this, which didn't seem that complicated after all. I just modelled it after my existing rule that I used for opening ports (I removed ssh from that rule in favour of this one). This can most definitely be made better, but at least it works!
```
# explicitly allow home and vpn ip addresses
# ssh_whitelist_ipv4: my home address at the top as-is, then /24 ranges for the
# Mullvad IPs because I was told they may change frequently
ssh_whitelist_ipv4 = "{
    ipv4 addresses here
}"
# ssh_whitelist_ipv6: the Mullvad IPv6 addresses pasted as-is without a prefix,
# since I figured they won't change often
ssh_whitelist_ipv6 = "{
    ipv6 addresses here from mullvad
}"
...
# allow public ssh only to my normal home address and mullvad ips
pass in log on $ext_if inet proto tcp from $ssh_whitelist_ipv4 to ($ext_if) \
    port ssh flags S/SA keep state
pass in log on $ext_if inet6 proto tcp from $ssh_whitelist_ipv6 to ($ext_if) \
    port ssh flags S/SA keep state
```
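Here is the whole procedure (collect the exit addresses through each WireGuard config, widen the IPv4 ones to /24, keep the IPv6 ones verbatim, and print the two pf macros) as one script. It is an added example written for this post, not the script I ran or anything from Mullvad or OpenBSD. The network part is isolated in `collect_vpn_addrs` and assumes root, the WireGuard configs as `*.conf` in the current directory, and that https://zx2c4.com/ip is reachable; the formatting helpers (`to_slash24`, `is_ipv4`, `is_ipv6`, `emit_macro`, `build_allowlist`) are pure and run offline on the constructed sample addresses (RFC 5737 / RFC 3849 documentation ranges, not real exits). The sanity checks matter because an endpoint with a broken address can return something that is not an address at all, and you do not want that pasted into pf.conf.

```shell
#!/bin/sh
# Added example (not the original script from the post): build pf macros for
# an ssh allow-list from a home IPv4 address plus the public addresses seen
# through each WireGuard config.

# Turn a dotted-quad IPv4 address into its /24 network (the post's choice for
# Mullvad exits, whose exact host addresses may change).
to_slash24() {
    printf '%s\n' "$1" | awk -F. 'NF == 4 { printf "%s.%s.%s.0/24\n", $1, $2, $3 }'
}

# Crude check that a line looks like an IPv4 address.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Crude check that a line looks like an IPv6 address (hex groups and colons).
is_ipv6() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]*:[0-9A-Fa-f:]*$'
}

# Print one pf macro: NAME = "{ ... }" from newline-separated ENTRIES,
# blank lines dropped, duplicates removed, one entry per indented line.
# pf skips newlines inside a quoted string, so this loads as one list.
emit_macro() {
    name=$1
    entries=$(printf '%s\n' "$2" | sed '/^$/d' | sort -u | sed 's/^/    /')
    printf '%s = "{\n%s\n}"\n' "$name" "$entries"
}

# Sort collected lines into the two macros; anything that is neither an IPv4
# nor an IPv6 address (e.g. junk from a broken endpoint) is reported and skipped.
build_allowlist() {
    home_v4=$1
    collected=$2
    v4=$home_v4
    v6=''
    oldifs=$IFS
    IFS='
'
    for addr in $collected; do
        if is_ipv4 "$addr"; then
            v4=$(printf '%s\n%s' "$v4" "$(to_slash24 "$addr")")
        elif is_ipv6 "$addr"; then
            v6=$(printf '%s\n%s' "$v6" "$addr")
        else
            printf 'skipping unparseable line: %s\n' "$addr" >&2
        fi
    done
    IFS=$oldifs
    emit_macro ssh_whitelist_ipv4 "$v4"
    emit_macro ssh_whitelist_ipv6 "$v6"
}

# Network-dependent part, mirroring the loop in the post. "./" forces wg-quick
# to treat the argument as a file path rather than an interface name.
collect_vpn_addrs() {
    for conf in *.conf; do
        wg-quick up "./$conf" >/dev/null 2>&1 || continue
        curl -s4 --max-time 10 https://zx2c4.com/ip | sed 1q
        # some endpoints have a broken IPv6 address, so don't hang on them
        curl -s6 --connect-timeout 5 --max-time 10 https://zx2c4.com/ip | sed 1q
        wg-quick down "./$conf" >/dev/null 2>&1
    done
}

# Constructed sample of what collect_vpn_addrs might print (documentation
# addresses only), including one garbage line of the kind a broken endpoint
# can produce.
SAMPLE_COLLECTED='203.0.113.45
2001:db8:1::2
198.51.100.7
<html>not an address</html>'

# Stand-alone demo on the sample; for a real run use:
#   build_allowlist "$MY_HOME_IPV4" "$(collect_vpn_addrs)"
build_allowlist 192.0.2.10 "$SAMPLE_COLLECTED"
```

Paste the printed macros into pf.conf, then run `pfctl -nf /etc/pf.conf` to parse without loading and `pfctl -f /etc/pf.conf` to load, ideally with the out-of-band console still open in case the list is wrong.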
After running for over a day, my /var/log/authlog still only shows my own connections and not people from across the globe spamming connections to invalid users.
```
saklas$ zgrep preauth /var/log/authlog.0.gz | grep -v vin | wc -l
3918
saklas$ grep preauth /var/log/authlog | grep -v vin | wc -l
1
```
I was previously using pf-badhost in place of fail2ban, since the latter isn't available on OpenBSD, but pf-badhost didn't prevent active attacks, and neither of them stops those (initial) connections from being accepted in the first place.
There's a much smaller likelihood of an attacker using the same Mullvad endpoints I use, and if they do I probably have bigger problems to worry about. I'm also pretty much always connected to my WireGuard VPN (separate post on my website for this later) and that would let me bypass this anyway. This setup is more of a failsafe if I'm unable to connect through the VPN, and the failsafe of that failsafe, if things really go wrong, is just using the Hetzner web console I guess.
After writing all this, I think it's better to just post this on my website and syndicate here.
#openbsd #mullvad #pf