<div dir="ltr">I understand this may be out of the scope of cerowrt right now since we're trying to get closer to a stable release and its primary focus is on reducing buffer bloat, but as we get closer to a distribution I do have some security suggestions for consideration in the future.<div>
<br></div><div>DNSCrypt-proxy ( <a href="http://www.opendns.com/technology/dnscrypt/">http://www.opendns.com/technology/dnscrypt/</a> ) is becoming popular with a lot of router firmwares such as Tomato-USB and DD-WRT. It runs as a local service which proxies DNS requests to OpenDNS (or any other compatible DNS providers) over an encrypted connection, secure from eavesdropping or MITM attacks. There is a wiki tutorial on openwrt here ( <a href="http://wiki.openwrt.org/inbox/dnscrypt">http://wiki.openwrt.org/inbox/dnscrypt</a> ); however, it's a bit out of date. Not sure why it hasn't been included in openwrt trunk yet ( <a href="https://dev.openwrt.org/ticket/12969">https://dev.openwrt.org/ticket/12969</a> ). I've been running the latest version I could find (1.3.2 from this thread here: <a href="https://forum.openwrt.org/viewtopic.php?id=36380&p=3">https://forum.openwrt.org/viewtopic.php?id=36380&p=3</a> ) on cero 3.7.5; it requires setting dnsmasq to use 127.0.0.1 for DNS requests. Perhaps if this makes it into trunk we'd be able to consider it in the future? The full source is available here: <a href="https://github.com/opendns/dnscrypt-proxy">https://github.com/opendns/dnscrypt-proxy</a> - notably, it requires libsodium to function.</div>
<div><br></div><div>sysctl.conf network hardening:</div><div><br></div><div>source address verification to protect against IP spoofing<br></div><div><div>net.ipv4.conf.default.rp_filter=1</div><div>net.ipv4.conf.all.rp_filter=1</div>
</div><div>More information here: <a href="http://www.slashroot.in/linux-kernel-rpfilter-settings-reverse-path-filtering">http://www.slashroot.in/linux-kernel-rpfilter-settings-reverse-path-filtering</a></div><div><br></div>
<div>Enable RFC 1337 to protect against time-wait assassination hazards:</div><div>net.ipv4.tcp_rfc1337 = 1<br></div><div>I think only Linux hosts seem to support this so far, but since it's part of the RFC standard I don't see why this shouldn't be enabled by default. More information: <a href="http://tools.ietf.org/html/rfc1337">http://tools.ietf.org/html/rfc1337</a></div>
<div>Other information: "This boolean enables a fix for 'time-wait assassination hazards in tcp', described in RFC 1337. If enabled, this causes the kernel to drop RST packets for sockets in the time-wait state. Default: 0"</div>
<div><br></div><div>IPv6 Privacy Extensions (RFC 4941) ( <a href="http://tools.ietf.org/html/rfc4941">http://tools.ietf.org/html/rfc4941</a> )</div><div><div>net.ipv6.conf.all.use_tempaddr = 2</div><div>net.ipv6.conf.default.use_tempaddr = 2</div>
</div><div>TLDR version: "IPv6 typically uses a device's MAC address when choosing an IPv6 address to use in autoconfiguration. Privacy extensions allow using a randomly generated IPv6 address, which increases privacy"</div>
<div>Ubuntu enables this by default (and probably other distros too).</div><div><br></div><div>Symlink Protection:</div><div><div>fs.protected_hardlinks = 1<br></div><div>fs.protected_symlinks = 1</div></div><div>"A long-standing class of security issues is the symlink-based ToCToU race, most commonly seen in world-writable directories like /tmp/. The common method of exploitation of this flaw is crossing privilege boundaries when following a given symlink (i.e. a root user follows a symlink belonging to another user)."</div>
<div>More information here (with a lot of references): <a href="https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#Symlink_Protection">https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#Symlink_Protection</a></div>
<div>Not entirely sure how this would affect cerowrt, or if it's even important at all with our current filesystem layout, but worth looking into.</div><div><br></div><div><br></div></div>
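<div>As an added example (not part of the mail above, nor cerowrt's own code): a POSIX sh audit that compares a <code>sysctl -a</code> dump or a sysctl.conf, read on stdin, against the seven values suggested in the mail and counts the deviations. The sample input is constructed to look like a router still at kernel defaults.</div>

```sh
#!/bin/sh
# Added example: audit a sysctl dump against the hardening values suggested
# in the mail. Feed it `sysctl -a` output or a sysctl.conf on stdin.
# Expected key=value pairs, taken from the mail (no spaces, so word-splitting is safe).
EXPECTED='net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_rfc1337=1
net.ipv6.conf.all.use_tempaddr=2
net.ipv6.conf.default.use_tempaddr=2
fs.protected_hardlinks=1
fs.protected_symlinks=1'

# check_hardening: read "key = value" lines on stdin, print OK/MISMATCH/MISSING
# per expected key, and return the number of keys not at the expected value.
check_hardening() {
    # Normalise: drop comments and blank lines, squeeze whitespace around '='.
    actual=$(sed -e 's/#.*//' -e 's/[[:space:]]*=[[:space:]]*/=/' \
                 -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d')
    bad=0
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        # Last definition wins, as it does for sysctl.conf itself.
        got=$(printf '%s\n' "$actual" | awk -F= -v k="$key" '$1 == k { v = $2 } END { print v }')
        if [ -z "$got" ]; then
            printf 'MISSING  %s (want %s)\n' "$key" "$want"
            bad=$((bad + 1))
        elif [ "$got" != "$want" ]; then
            printf 'MISMATCH %s=%s (want %s)\n' "$key" "$got" "$want"
            bad=$((bad + 1))
        else
            printf 'OK       %s=%s\n' "$key" "$got"
        fi
    done
    return "$bad"
}

# Constructed sample resembling `sysctl -a` on a router still at kernel defaults;
# fs.protected_hardlinks is deliberately absent (older kernels lack the knob).
SAMPLE='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_rfc1337 = 0
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
fs.protected_symlinks = 1'

# sample_failures: run the check on the constructed sample and echo the failure count.
sample_failures() {
    printf '%s\n' "$SAMPLE" | check_hardening >/dev/null && echo 0 || echo $?
}
printf '%s\n' "$SAMPLE" | check_hardening
echo "failures: $(sample_failures)"
```

On a live box, <code>sysctl -a 2>/dev/null | check_hardening</code> gives the same report for the running kernel.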