From: Aristar
Date: Mon, 21 Oct 2013 21:31:12 -0400
To: cerowrt-devel@lists.bufferbloat.net
Subject: [Cerowrt-devel] cerowrt security

I understand this may be out of the scope of cerowrt right now since we're trying to get closer to a stable release and its primary focus is on reducing bufferbloat, but as we get closer to a distribution I do have some security suggestions for consideration in the future.

DNSCrypt-proxy ( http://www.opendns.com/technology/dnscrypt/ ) is becoming popular with a lot of router firmwares such as Tomato-USB and DD-WRT. It runs as a local service which proxies DNS requests to OpenDNS (or any other compatible DNS provider) over an encrypted connection, secure from eavesdropping or MITM attacks. There is a wiki tutorial on openwrt here ( http://wiki.openwrt.org/inbox/dnscrypt ); however, it's a bit out of date. Not sure why it hasn't been included in openwrt trunk yet ( https://dev.openwrt.org/ticket/12969 ). I've been running the latest version I could find (1.3.2, from this thread: https://forum.openwrt.org/viewtopic.php?id=36380&p=3 ) on cero 3.7.5; it requires setting dnsmasq to use 127.0.0.1 for DNS requests. Perhaps if this makes it into trunk we'd be able to consider it in the future? The full source is available here: https://github.com/opendns/dnscrypt-proxy - notably, it requires libsodium to function.

sysctl.conf network hardening:

Source address verification to protect against IP spoofing:

net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1

More information here: http://www.slashroot.in/linux-kernel-rpfilter-settings-reverse-path-filtering

Enable RFC 1337 to protect against time-wait assassination hazards:

net.ipv4.tcp_rfc1337 = 1

I think only Linux hosts seem to support this so far, but since it's part of the RFC standard I don't see why this shouldn't be enabled by default. More information: http://tools.ietf.org/html/rfc1337

Other information: "This boolean enables a fix for 'time-wait assassination hazards in tcp', described in RFC 1337. If enabled, this causes the kernel to drop RST packets for sockets in the time-wait state. Default: 0"

IPv6 Privacy Extensions (RFC 4941) ( http://tools.ietf.org/html/rfc4941 )

net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2

TLDR version: "IPv6 typically uses a device's MAC address when choosing an IPv6 address to use in autoconfiguration. Privacy extensions allow using a randomly generated IPv6 address, which increases privacy."

Ubuntu enables this by default (and probably other distros too).

Symlink Protection:

fs.protected_hardlinks = 1
fs.protected_symlinks = 1

"A long-standing class of security issues is the symlink-based ToCToU race, most commonly seen in world-writable directories like /tmp/. The common method of exploitation of this flaw is crossing privilege boundaries when following a given symlink (i.e. a root user follows a symlink belonging to another user)."

More information here (with a lot of references): https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#Symlink_Protection

Not entirely sure how this would affect cerowrt, or if it's even important at all with our current filesystem layout, but worth looking into.
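The sysctl list proposed in the post, as an added example that is not part of the original message or of the CeroWrt project: a POSIX shell script that emits the fragment, audits a kernel's /proc/sys against it (reporting keys that are set differently or that the kernel does not have at all, which is what fs.protected_* looks like on kernels older than 3.6), and appends it to sysctl.conf on request. The file paths, the function names and the constructed /proc/sys tree used by the demo target are this example's own assumptions. One caveat worth carrying in the comments: rp_filter=1 is strict reverse-path filtering and drops any packet whose return route does not leave through the interface it arrived on, so a router that sees asymmetric routing wants rp_filter=2 (loose) instead; the kernel uses the larger of conf.all and the per-interface value.

```shell
#!/bin/sh
# Added example, not code from the original post or the CeroWrt project.
# Emits the sysctl fragment proposed in the post, audits a kernel's
# /proc/sys against it, and (optionally) applies it.
# Assumptions: POSIX sh on a Linux kernel; file paths and function names
# are this example's own; the "demo" target builds a constructed /proc/sys
# tree under a temporary directory instead of touching the real kernel.

# Settings proposed in the post. rp_filter=1 is strict mode: a packet is
# dropped unless the route back to its source leaves via the interface it
# arrived on. rp_filter=2 (loose) only requires the source to be routable
# at all; prefer it where the router sees asymmetric routing. The kernel
# applies max(conf.all.rp_filter, conf.<interface>.rp_filter).
HARDENING_SYSCTLS='
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_rfc1337=1
net.ipv6.conf.all.use_tempaddr=2
net.ipv6.conf.default.use_tempaddr=2
fs.protected_hardlinks=1
fs.protected_symlinks=1
'

# Print the fragment in sysctl.conf syntax, one key=value per line.
gen_sysctl_conf() {
    printf '%s\n' "$HARDENING_SYSCTLS" | sed '/^[[:space:]]*$/d'
}

# Map a sysctl key to its file under a /proc/sys-style root: dots -> slashes.
sysctl_path() {
    printf '%s/%s\n' "$1" "$(printf '%s' "$2" | tr . /)"
}

# Audit every proposed key against the tree rooted at $1 (default /proc/sys).
# Prints OK / MISMATCH / MISSING per key (MISSING is what a kernel without
# fs.protected_* reports) and returns 0 only if every key matches.
audit_sysctls() {
    root=${1:-/proc/sys}
    bad=0
    for kv in $(gen_sysctl_conf); do
        key=${kv%%=*}
        want=${kv#*=}
        path=$(sysctl_path "$root" "$key")
        if [ ! -r "$path" ]; then
            echo "MISSING  $key"
            bad=$((bad + 1))
            continue
        fi
        have=$(tr -d '[:space:]' < "$path")
        if [ "$have" = "$want" ]; then
            echo "OK       $key=$have"
        else
            echo "MISMATCH $key=$have (want $want)"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Append the fragment to a sysctl.conf file and load it now. OpenWrt-based
# firmware loads /etc/sysctl.conf at boot from /etc/init.d/sysctl.
apply_sysctls() {
    conf=${1:-/etc/sysctl.conf}
    gen_sysctl_conf >> "$conf" && sysctl -p "$conf"
}

# Build a constructed /proc/sys-style tree from key=value arguments, so the
# audit can be exercised without root or a router.
write_fake_tree() {
    root=$1
    shift
    for kv in "$@"; do
        path=$(sysctl_path "$root" "${kv%%=*}")
        mkdir -p "$(dirname "$path")"
        printf '%s\n' "${kv#*=}" > "$path"
    done
}

# Demo: a constructed tree mirroring a router with conf.all.rp_filter left
# at 0 and no fs.protected_symlinks key. Returns the audit's status (1 here).
demo_audit() {
    tree=$(mktemp -d)
    write_fake_tree "$tree" \
        net.ipv4.conf.default.rp_filter=1 net.ipv4.conf.all.rp_filter=0 \
        net.ipv4.tcp_rfc1337=1 net.ipv6.conf.all.use_tempaddr=2 \
        net.ipv6.conf.default.use_tempaddr=2 fs.protected_hardlinks=1
    audit_sysctls "$tree"
    rc=$?
    rm -rf "$tree"
    return $rc
}

case "${1:-}" in
    conf)  gen_sysctl_conf ;;
    audit) audit_sysctls ;;
    apply) apply_sysctls "${2:-/etc/sysctl.conf}" ;;
    demo)  demo_audit ;;
esac
```

On the router, `sh hardening.sh audit` shows which of the proposed keys differ from the running kernel before anything is changed, and `sh hardening.sh apply` appends the fragment and loads it. Note that use_tempaddr only affects addresses the router autoconfigures for itself; LAN clients decide their own privacy extensions, so this setting does nothing for them.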