From 01578cf33cdcad5fa5be69e59b165e1bc6c7066f Mon Sep 17 00:00:00 2001 From: Nico Schottelius Date: Wed, 26 Aug 2020 11:54:53 +0200 Subject: [PATCH 1/5] +nospam article --- content/u/products/mail-hosting/contents.lr | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/content/u/products/mail-hosting/contents.lr b/content/u/products/mail-hosting/contents.lr index 45d7948..c4b3ad8 100644 --- a/content/u/products/mail-hosting/contents.lr +++ b/content/u/products/mail-hosting/contents.lr @@ -12,7 +12,7 @@ headline1: Mail Hosting: --- headline2: Your Mails in Switzerland --- -header_background_color: #788BCE +header_background_color: #788BCE --- header_text_color: text-light --- @@ -40,13 +40,22 @@ description2: This mailhosting is mainly targeted for low volume, single person or single system usage. +This product is feasible for normal use of email. Spamming is +prohibited and will lead to suspension and/or terminaton of your +account. + +If you are interested in a legit high volume mail traffic product, +[contact us](/u/contact/) for an individual offer. + ## What you get * A single mailbox account (yourname@ungleich.cloud) * Up to 100 mail aliases -* Up to 100GB usage +* Up to 100GB usage (additional storage: 100GB for 2 CHF/month) ## Pricing The one time setup fee is 15 CHF, the monthly recurring fee is 7 CHF per month. + +You can order it by sending an email to **support at ungleich.ch**. From 428051071275415d0d9ff92ea4d1e93c733b4287 Mon Sep 17 00:00:00 2001 From: Nico Schottelius Date: Wed, 26 Aug 2020 11:56:24 +0200 Subject: [PATCH 2/5] mail: ++prosa --- content/u/products/mail-hosting/contents.lr | 3 +++ 1 file changed, 3 insertions(+) diff --git a/content/u/products/mail-hosting/contents.lr b/content/u/products/mail-hosting/contents.lr index c4b3ad8..6780e7b 100644 --- a/content/u/products/mail-hosting/contents.lr +++ b/content/u/products/mail-hosting/contents.lr @@ -39,6 +39,8 @@ description2: This mailhosting is mainly targeted for low volume, single person or single system usage. +If you need a mail gateway for sending system logs or if you just need +an easy to use mail account, this is the right product. This product is feasible for normal use of email. Spamming is prohibited and will lead to suspension and/or terminaton of your @@ -52,6 +54,7 @@ If you are interested in a legit high volume mail traffic product, * A single mailbox account (yourname@ungleich.cloud) * Up to 100 mail aliases * Up to 100GB usage (additional storage: 100GB for 2 CHF/month) +* Access via SMTP, IMAPS and Webmail ## Pricing From 23b5be244895963ff4c5611f7b430bf5a2bd32ed Mon Sep 17 00:00:00 2001 From: Nico Schottelius Date: Thu, 27 Aug 2020 11:25:52 +0200 Subject: [PATCH 3/5] ++blog: dhcp/router advertisement blocking --- .../contents.lr | 106 ++++++++++++++++++ 1 file changed, 106 insertions(+) create mode 100644 content/u/blog/nftables-block-dhcp-and-router-advertisements/contents.lr diff --git a/content/u/blog/nftables-block-dhcp-and-router-advertisements/contents.lr b/content/u/blog/nftables-block-dhcp-and-router-advertisements/contents.lr new file mode 100644 index 0000000..27d69bd --- /dev/null +++ b/content/u/blog/nftables-block-dhcp-and-router-advertisements/contents.lr @@ -0,0 +1,106 @@ +title: Blocking DHCP servers and router advertisements with nftables +--- +pub_date: 2020-08-27 +--- +author: ungleich +--- +twitter_handle: ungleich +--- +_hidden: no +--- +_discoverable: yes +--- +abstract: +Blocking typical data center workloads with nftables +--- +body: + +## Motivation + +Here at [ungleich](https://ungleich.ch) we are providing a variety of +hosting services in the [Data Center +Light](https://datacenterlight.ch). One of the workloads we offer is +VM hosting and we need to take some security measures to prevent one +customer abusing another customer. + +## The problem + +The virtual machines in our next generation uncloud hosting will be +using standard DHCP and IPv6 address assignments and not the +[OpenNebula](https://github.com/OpenNebula/addon-context-linux) +contextualisation scripts that read the networking information from an +attached ISO. + +While this makes it easier to create VM images and VMs behave even +more like regular computers, this exposes the VMs to attacks where one +customer runs a DHCP server or IPv6 router advertisement daemon and +tricks the other VMs into sending traffic to it. + +## The architecture + +VMs are connected to a single shared network in which they get +their IP addresses (in uncloud usually only IPv6) and then they can +retrieve more information from a metadata server. So the main +protection that is required is preventing to trick other customers +into using a wrong IP address or route. + + +## Fixing it + +So the easiest thing to do is to disallow IPv6 router advertisements +and IPv4 DHCP server answers. However as all the interfaces are put +into one bridge, we will need to filter on bridge and not ip level: + +``` +table bridge filter { + chain prerouting { + type filter hook prerouting priority 0; + policy accept; + + + } +``` + +Next we create a chain to drop the packets we dislike: + +``` + chain drop_ra_dhcp { + # Default blocks: router advertisements, dhcpv6, dhcpv4 + icmpv6 type nd-router-advert drop + ip6 version 6 udp sport 547 drop + ip version 4 udp sport 67 drop + } +``` + +Now the only thing left is to correctly classify the traffic: + +* Let's assume the bridge is named **br100** +* Let's assume the upstream interface that should allow RA/DHCP is + named **vxlan100** + +Then we can connect the chains together: + +``` +table bridge filter { + chain prerouting { + type filter hook prerouting priority 0; + policy accept; + + iifname != vxlan100 meta ibrname br100 jump drop_ra_dhcp + } + + chain drop_ra_dhcp { + # Blocks: router advertisements, dhcpv6, dhcpv4 + icmpv6 type nd-router-advert drop + ip6 version 6 udp sport 547 drop + ip version 4 udp sport 67 drop + } +} +``` + +This way we have a very simple filter to prevent router advertisements +or dhcp answers to come from customer VMs. + +If something does not make sense, +you can ask on our [open chat](/u/projects/open-chat/) or +[consult the nftables reference](https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Meta). From 7bab16f434c99303f4d0ed5e6e843144b1070b83 Mon Sep 17 00:00:00 2001 From: Nico Schottelius Date: Thu, 27 Aug 2020 11:28:06 +0200 Subject: [PATCH 4/5] finishing sentence change --- .../nftables-block-dhcp-and-router-advertisements/contents.lr | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/u/blog/nftables-block-dhcp-and-router-advertisements/contents.lr b/content/u/blog/nftables-block-dhcp-and-router-advertisements/contents.lr index 27d69bd..4dbc7c5 100644 --- a/content/u/blog/nftables-block-dhcp-and-router-advertisements/contents.lr +++ b/content/u/blog/nftables-block-dhcp-and-router-advertisements/contents.lr @@ -101,6 +101,6 @@ table bridge filter { This way we have a very simple filter to prevent router advertisements or dhcp answers to come from customer VMs. -If something does not make sense, +We hope you enjoyed reading it, but if something does not make sense, you can ask on our [open chat](/u/projects/open-chat/) or [consult the nftables reference](https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Meta). From 16f6a2cddfea91282d73a0bded02fe2c33a5fa0d Mon Sep 17 00:00:00 2001 From: Nico Schottelius Date: Thu, 27 Aug 2020 11:31:29 +0200 Subject: [PATCH 5/5] ++doc update --- .../contents.lr | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/content/u/blog/nftables-block-dhcp-and-router-advertisements/contents.lr b/content/u/blog/nftables-block-dhcp-and-router-advertisements/contents.lr index 4dbc7c5..5b134fc 100644 --- a/content/u/blog/nftables-block-dhcp-and-router-advertisements/contents.lr +++ b/content/u/blog/nftables-block-dhcp-and-router-advertisements/contents.lr @@ -26,7 +26,8 @@ customer abusing another customer. ## The problem The virtual machines in our next generation uncloud hosting will be -using standard DHCP and IPv6 address assignments and not the +using standard DHCP and IPv6 address assignments. Currently +we are still using the [OpenNebula](https://github.com/OpenNebula/addon-context-linux) contextualisation scripts that read the networking information from an attached ISO. @@ -44,6 +45,8 @@ retrieve more information from a metadata server. So the main protection that is required is preventing to trick other customers into using a wrong IP address or route. +Also, if the network is IPv6 only, another customer should not be able +to trick someone else into using IPv4. ## Fixing it @@ -56,8 +59,6 @@ table bridge filter { chain prerouting { type filter hook prerouting priority 0; policy accept; - - } ``` @@ -65,14 +66,15 @@ Next we create a chain to drop the packets we dislike: ``` chain drop_ra_dhcp { - # Default blocks: router advertisements, dhcpv6, dhcpv4 + # Blocks: router advertisements, dhcpv6, dhcpv4 icmpv6 type nd-router-advert drop ip6 version 6 udp sport 547 drop ip version 4 udp sport 67 drop } ``` -Now the only thing left is to correctly classify the traffic: +Now the only thing left is to correctly classify the traffic. For this +lets take some real world assumptions: * Let's assume the bridge is named **br100** * Let's assume the upstream interface that should allow RA/DHCP is