Peter Müller [Mon, 10 Sep 2018 14:29:08 +0000 (16:29 +0200)]
add hardened SSH client configuration
Introduce a custom OpenSSH client configuration file for IPFire.
Some people use it as a jumping host, so applying hardening options
system-wide improves security.
Cryptography setup is the same as for OpenSSH server configuration.
The second version of this patch re-adds some non-AEAD cipher suites
which are needed for connecting to older RHEL systems.
Partially fixes #11751
Signed-off-by: Peter Müller <peter.mueller@link38.eu> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Mon, 10 Sep 2018 14:21:25 +0000 (16:21 +0200)]
Unbound: Use caps for IDs
Attempt to detect DNS spoofing attacks by inserting 0x20-encoded
random bits into upstream queries. Upstream documentation claims
it to be an experimental implementation, it did not cause any trouble
on productive systems here.
See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
further details.
Signed-off-by: Peter Müller <peter.mueller@link38.eu> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Mon, 10 Sep 2018 14:21:24 +0000 (16:21 +0200)]
Unbound: Enable DNS cache poisoning mitigation
By default, Unbound neither keeps track of the number of unwanted
replies nor initiates countermeasures if they become too large (DNS
cache poisoning).
This sets the maximum number of tolerated unwanted replies to
1M, causing the cache to be flushed afterwards. (Upstream documentation
recommends 10M as a threshold, but this turned out to be ineffective
against attacks in the wild.)
See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
details. This version of the patch uses 1M as threshold instead of
5M and supersedes the first and second version.
Signed-off-by: Peter Müller <peter.mueller@link38.eu> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Mon, 10 Sep 2018 14:15:44 +0000 (16:15 +0200)]
embed background image in redirect template
Embed the IPFire background image into the redirect template
directly via CSS instead of loading it from somewhere else.
This is necessary because of Content Security Policy (CSP).
This patch inserts the base64 encoded image during build so
nothing needs to be updated twice in case background image
changes.
It supersedes first to fourth version of this patch and has
been successfully tested during a clean build.
Fixes #11650
Signed-off-by: Peter Müller <peter.mueller@link38.eu> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Thu, 6 Sep 2018 10:09:34 +0000 (12:09 +0200)]
logs.cgi/ids.dat: Adjust code to show suricata events
As default show the events generated by suricata and if
for a certain selected date no suricata log is available
try to fall-back to read the events from the old snort
alert files (if available).
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Thu, 30 Aug 2018 13:12:29 +0000 (15:12 +0200)]
Enable threshold file in suricata.yaml
Enable and specify the path to the threshold-file in the suricata.yaml,
otherwise the programm is trying to read it from a build-in default
location and prints the following error message:
Error opening file: "/etc/suricata//threshold.config": No such file or directory
Fixes #11837.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 29 Aug 2018 09:50:59 +0000 (11:50 +0200)]
ids.cgi: Create file for used rulefiles on first execution if not present
Create this file on first execution of the script if it does not exist yet.
This will allow suricata to imediately be started. Otherwise the ruleset has
to be downloaded and configured before this file has been created and suricata
could be launched.
Fixes #11833.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Michael Tremer [Mon, 27 Aug 2018 06:23:03 +0000 (07:23 +0100)]
pakfire: Remove mirror health check
This is not really necessary because pakfire will automatically
failover to the next mirror anyways and that a mirror responds
to an ICMP echo request doesn't necessarily mean that it can
deliver the requested file.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Fri, 24 Aug 2018 12:55:40 +0000 (14:55 +0200)]
ids-functions.pl: Add priviate function _check_rulesdir_permissions()
This function checks if all files located in /etc/suricata/rules are
writable by the effective user and group (nobody:nobody) and if not
calls suricatactl to fix it.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Alexander Marx [Fri, 24 Aug 2018 08:06:30 +0000 (10:06 +0200)]
BUG11825: firewall: Renaming a network/host group doesn't update rules
Code only changed field 6 of hash (target group) and not field 4 (source group).
Also if using geoip it was only field 4 of hash (source group) and not field 6 of hash (target group)
Added new code that changes both fields to reflect the change in the firewallrules immediately.
fixes: #11825
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Wed, 22 Aug 2018 06:39:57 +0000 (08:39 +0200)]
ids.cgi: Rework handling of enabled/disabled sids
Now the enabled or disabled sids are stored in a single
hash instead of two arrays, which easily can be modified.
When saving the ruleset, the new read_enabled_disabled_sids() function
will be used to read-in the current (old) saved enabled or disabled sids
and add them to the new hash structure.
After adding or modifiying sids to the hash, the entries will be written
to the corresponding files.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 22 Aug 2018 06:38:16 +0000 (08:38 +0200)]
ids.cgi: Add function to read the enabled/disabled sid files
This function is used to read-in the files for enabled or disabled sid
files and stores the sid and their state into a temporary hash which will
be returned by the function.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Sat, 18 Aug 2018 12:48:30 +0000 (14:48 +0200)]
ids.cgi: Add backend code to handle switch between IDS and IPS mode
This commit adds the required backend code to allow switching
between IDS and IPS mode of suricata.
Technically the behaviour of suricata is specified by the rules -
each of them can contain the action "alert" or "drop" (There are
more actions supported but these two are currently the important one)
When running in IDS mode, the ruleset does not need to be touched,
because the default action is "alert". When switching to IPS mode,
the CGI writes a single line to "oinkmaster-modify-sids.conf" which
is included by oinkmaster and modify the action for each single rule
from alert to drop.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
xtables are build for installed iptables version so we need
to ship it even if it was not updated.
Also clean /lib/xtables because some modules are renamed.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Thu, 16 Aug 2018 15:08:04 +0000 (17:08 +0200)]
Postfix: update to 3.3.1
This updates Postfix to recent 3.3.x series, which contains
some new features. Release announcement available at
http://www.postfix.org/announcements/postfix-3.3.1.html
The third version of this patch superseds the first and
second one which were broken due to bugs in the MUAs GPG
implementation.
Signed-off-by: Peter Müller <peter.mueller@link38.eu> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
projects / people / ummeegge / ipfire-2.x.git / log
