From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by huchra.bufferbloat.net (Postfix, from userid 1000) id 4034C21F0A2; Mon, 21 Oct 2013 18:59:49 -0700 (PDT) Date: Mon, 21 Oct 2013 18:59:49 -0700 From: Dave Taht To: Aristar Message-ID: <20131022015949.GB5076@lists.bufferbloat.net> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.20 (2009-06-14) Cc: cerowrt-devel@lists.bufferbloat.net Subject: Re: [Cerowrt-devel] cerowrt security X-BeenThere: cerowrt-devel@lists.bufferbloat.net X-Mailman-Version: 2.1.13 Precedence: list List-Id: Development issues regarding the cerowrt test router project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Oct 2013 01:59:49 -0000 Obviously security is on everyone's mind right now, and I have been taking what steps I can to improve matters over the past several weeks. Next up is https support. The whole /dev/random and entropy issue has bugged me for YEARS, I am glad various parties are making a dent in it. That said, I'm not into security theater... On Mon, Oct 21, 2013 at 09:31:12PM -0400, Aristar wrote: > I understand this may be out of the scope of cerowrt right now since we're > trying to get closer to a stable release and it's primary focus is on > reducing buffer bloat, but as we get closer to a distribution I do have > some security suggestions for consideration in the future. Cerowrt has multiple goals documented in multiple places. Bufferbloat was primary, of course, but better security has always been on the roadmap. One of my big bugaboos is privilege separation. The squashfs filesystem supports nothing more than uid 0, and most processes run as root, which is just pain wrong... I'd like the front end web server to be running as a very restricted user in particular and using fastcgi to be talking to the config.... > DNSCrypt-proxy ( http://www.opendns.com/technology/dnscrypt/ ) Is becoming > popular with a lot of router firmwares such as Tomato-USB and DD-WRT. It > runs as a local service which proxies DNS requests to OpenDNS (or any other > compatible DNS providers) with an encrypted connection, secure from > evesdropping or MITM attacks. There is a wiki tutorial on openwrt here ( > http://wiki.openwrt.org/inbox/dnscrypt ) however it's a bit out of date. > Not sure why it hasn't been included in openwrt trunk yet ( > https://dev.openwrt.org/ticket/12969 ). I've been running the latest > version I could find (1.3.2 from this thread here: > https://forum.openwrt.org/viewtopic.php?id=36380&p=3 ) on cero 3.7.5, it > requires setting dnsmasq to use 127.0.0.1 for dns requests. Perhaps if > this makes it into trunk we'd be able to consider it in the future? The > full source is available here: https://github.com/opendns/dnscrypt-proxy - > notably, it requires libsodium to function. I can make it available as an optional package in ceropackages. patches gladly accepted. > sysctl.conf network hardening: > > source address verification to protect against IP spoofing > net.ipv4.conf.default.rp_filter=1 > net.ipv4.conf.all.rp_filter=1 > more information here: > http://www.slashroot.in/linux-kernel-rpfilter-settings-reverse-path-filtering Well, I'd like igmp and pimd to actually work, too. I'd REALLY like BCP38 to "just work" too. I'd argue that's more generic and harder to do right than rp_filter. I was actually under the impression these two were set by default these days. > > Enable RFC 1337 to protect against time-wait assassination hazzards: > net.ipv4.tcp_rfc1337 = 1 > I think only Linux hosts seem to support this so far, but since it's part > of the RFC standard I don't see why this shouldn't be enabled by default. > more information: http://tools.ietf.org/html/rfc1337) > Other information: "This boolean enables a fix for 'time-wait assassination > hazards in tcp', described in RFC 1337. If enabled, this causes the kernel > to drop RST packets for sockets in the time-wait state. Default: 0" Hmm. Dunno. > > IPv6 Privacy Extensions (RFC 4941) ( http://tools.ietf.org/html/rfc4941 ) > net.ipv6.conf.all.use_tempaddr = 2 > net.ipv6.conf.default.use_tempaddr = 2 > TLDR version: "IPv6 typically uses a device's MAC address when choosing an > IPv6 address to use in autoconfiguration. Privacy extensions allow using a > randomly generated IPv6 address, which increases privacy" > Ubuntu enables this by default (and probably other distros too). It is possibly less useful on a router that usually sets it's interfaces to whatever::1:1/64 whatever::2:1/64 That said, I would actually like it very much if it could use privacy addresses for some stuff, so long as the dynamicism in it was up to homenet standards. It isn't. It makes me nervous to think my core dns server is going to hang off some dns address I can't remember either. > Symlink Protection: > fs.protected_hardlinks = 1 > fs.protected_symlinks = 1 > "A long-standing class of security issues is the symlink-based ToCToU race, > most commonly seen in world-writable directories like /tmp/. The common > method of exploitation of this flaw is crossing privilege boundaries when > following a given symlink (i.e. a root user follows a symlink belonging to > another user)." > More information here (with a lot of refernces) > https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#Symlink_Protection > Not entirely sure how this would effect cerowrt, or if it's even important > at all with our current filesystem layout but worth looking into. Well I'm not sure if this is a real problem or not. I'd certainly like a security minded individual to try out the attacks outlined here: http://securityevaluators.com/content/case-studies/routers/soho_service_hacks.jsp The successful ones were mostly an exploit via symlink against samba. > _______________________________________________ > Cerowrt-devel mailing list > Cerowrt-devel@lists.bufferbloat.net > https://lists.bufferbloat.net/listinfo/cerowrt-devel