Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
20.1 Legacy Series
»
HA XMLRPC sync cleartext password: recommendations for username?
« previous
next »
Print
Pages: [
1
]
Author
Topic: HA XMLRPC sync cleartext password: recommendations for username? (Read 4316 times)
mfedv
Newbie
Posts: 43
Karma: 6
HA XMLRPC sync cleartext password: recommendations for username?
«
on:
March 11, 2020, 01:38:31 pm »
Hi,
when configuring XMLRPC sync in System / High Availability / Settings, you enter a web GUI username/password of the backup firewall. While passwords are otherwise only ever stored in encrypted form in the XML config, this one is not (as the XMLRPC push needs it in cleartext for authentication with the slave fw).
But backups of /conf/config.xml then contain a cleartext secret to the web GUI, which might compromise security if stored outside the fw box itself (e.g. a backup server) and if web GUI access is not tightly restricted to certain limited and trusted systems(*).
Is it possible to configure a user/password exclusively for XMLRPC sync use, such that it could only be used when connecting from the master fw? Then the cleartext secret would be useless to an attacker.
Regards
Matthias Ferdinand
(*) while encrypted passwords could still be guessed with offline dictionary attacks / bruteforcing, for non-trivial passwords they considerably raise the bar. Trivial passwords to intruder-accesible services would be a security threat on their own, and encryption would not help defend here.
Logged
franco
Administrator
Hero Member
Posts: 17668
Karma: 1611
Re: HA XMLRPC sync cleartext password: recommendations for username?
«
Reply #1 on:
March 11, 2020, 03:37:00 pm »
Hi Matthias,
Since the password is needed in order to be verified on the other side there's no other way of doing this.
You can, however, restrict the target user to only contain the "XMLRPC Library" privilege so the user won't have access to any other page but xmlrpc.php which in turn only accepts basic authentication.
Cheers,
Franco
Logged
mfedv
Newbie
Posts: 43
Karma: 6
Re: HA XMLRPC sync cleartext password: recommendations for username?
«
Reply #2 on:
March 11, 2020, 04:16:08 pm »
Thank you very much!
To recap:
- Create new user at System / Access / Users (e.g. "xmlrpc")
- do NOT add it to admins group
- under "Effective Privileges", click Edit button
- scroll down the long list of available privs or use search box for XMLRPC
- select "GUI XMLRPC" privilege
- save
- push change to slave fw (System / High Availability / Status: "Synchronize config to backup")
- enter the new user credentials in System / High Availability / Settings in section "XMLRPC sync"
Regards
Matthias Ferdinand
Logged
franco
Administrator
Hero Member
Posts: 17668
Karma: 1611
Re: HA XMLRPC sync cleartext password: recommendations for username?
«
Reply #3 on:
March 11, 2020, 07:19:09 pm »
Hi Matthias,
Looks good, thanks for the thorough step-by-step guide.
Cheers,
Franco
Logged
mimugmail
Hero Member
Posts: 6767
Karma: 494
Re: HA XMLRPC sync cleartext password: recommendations for username?
«
Reply #4 on:
March 11, 2020, 07:20:17 pm »
Worth it to add it to the docs repo
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
mfedv
Newbie
Posts: 43
Karma: 6
Re: HA XMLRPC sync cleartext password: recommendations for username?
«
Reply #5 on:
March 12, 2020, 03:13:42 pm »
Restricting Effective Privileges is not enough. This user is still able to access /xmlrpc.php to e.g. POST a malicious config.
IIUC, from wherever (interface, client ip) the GUI is accessible, so is /xmlrpc.php, both being served from the same lighttpd instance. There are no per-client-ip restrictions in lighttpd conf for /xmlrpc.php, nor in /xmlrpc.php itself.
And due to the anti-lockout rules, both GUI and /xmlrpc.php are always accessible to anybody on the LAN interface. If you have a VPN box there, this might include all your VPN peers.
Perhaps /xmlrpc.php would better be served by a separate lighttpd instance on a different port. Access to /xmlrpc.php could then easily be restricted using standard firewall rules.
Logged
mimugmail
Hero Member
Posts: 6767
Karma: 494
Re: HA XMLRPC sync cleartext password: recommendations for username?
«
Reply #6 on:
March 12, 2020, 09:50:55 pm »
You can easily disable anti-lock out rule, and don't foget, you need to know the credentials.
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
franco
Administrator
Hero Member
Posts: 17668
Karma: 1611
Re: HA XMLRPC sync cleartext password: recommendations for username?
«
Reply #7 on:
March 13, 2020, 03:25:06 pm »
> Restricting Effective Privileges is not enough. This user is still able to access /xmlrpc.php to e.g. POST a malicious config.
But that means the attack vector is the feature itself--- I don't know how to make this more secure without rewriting the procedure.
Logged
mfedv
Newbie
Posts: 43
Karma: 6
Re: HA XMLRPC sync cleartext password: recommendations for username?
«
Reply #8 on:
March 14, 2020, 06:31:47 pm »
Correct, and that is what I proposed :-)
Currently a client IP can access /xmlrpc.php if it can access the web GUI.
You can't always restrict the web GUI as tightly as you would wish (e.g. password self-service)
Most HA installations will have a dedicated interface for master/slave communication, and /xmlrpc.php needs only be accessible to a) localhost and b) to the master fw on that dedicated interface.
If you limit access to /xmlrpc.php this way, the cleartext secret will be useless to an attacker.
lighttpd config syntax allows for restrictions per URL and client IP. Requires adding configurables to the GUI though.
Or you could have a separate lighttpd instance just for /xmlrpc.php and trust the fw admin to properly restrict access to it. Requires documentation effort and changes to the backends using /xmlrpc.php, perhaps as little as using a different port.
Logged
franco
Administrator
Hero Member
Posts: 17668
Karma: 1611
Re: HA XMLRPC sync cleartext password: recommendations for username?
«
Reply #9 on:
March 16, 2020, 10:48:52 am »
It would be nice to have a feature request for this, but I can't make any promises at the moment:
https://github.com/opnsense/core/issues/new?assignees=&labels=&template=feature_request.md&title=
But I do agree that this sounds like a good road to improvement.
Cheers,
Franco
Logged
mfedv
Newbie
Posts: 43
Karma: 6
Re: HA XMLRPC sync cleartext password: recommendations for username?
«
Reply #10 on:
March 18, 2020, 07:27:03 pm »
Tried signing up at Github in several variations (all involving Tor), but they all failed. Sorry, for the time being I can't bring this as a feature request to Github.
---------------
boring details: following their troubleshooting-the-captcha link, all external captchas report success. Entering account details, I see a green checkmark at "Verify your account". When clicking on "Next: Select a plan" it reports a failed captcha (but no captcha was ever displayed). It seems that even the pros at github have difficulties binding together their own services with external ones (captcha providers) into a working logical unit.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
20.1 Legacy Series
»
HA XMLRPC sync cleartext password: recommendations for username?