Development March 2019

development@lists.ipfire.org

17 participants
64 discussions

[PATCH] logs.cgi/ids.dat: Fixup processing dates from logfiles which contains a year
by Stefan Schantl 16 Mar '19

16 Mar '19

Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org> --- html/cgi-bin/logs.cgi/ids.dat | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/html/cgi-bin/logs.cgi/ids.dat b/html/cgi-bin/logs.cgi/ids.dat index e374f5711..1447a06f0 100644 --- a/html/cgi-bin/logs.cgi/ids.dat +++ b/html/cgi-bin/logs.cgi/ids.dat @@ -460,7 +460,14 @@ sub processevent } } $line++; - unless ($line == 1 || $date ne "$monthstr/$daystr") { &append; } + + # Split the date into single chunks. + my ($month, $day, $year) = split('/', $date); + + # Check if all data is collected and the date of the event fits the desired date to + # get displayed. + if ($line gt 1 || "$month/$day" eq "$monthstr/$daystr") { &append; } + close(LOG); } } -- 2.20.1

1 0

[PATCH] ntp: Update to 4.2.8p13
by Matthias Fischer 15 Mar '19

15 Mar '19

For details see: http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- lfs/ntp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lfs/ntp b/lfs/ntp index 8f845409c..040a0c2ae 100644 --- a/lfs/ntp +++ b/lfs/ntp @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team <info(a)ipfire.org> # +# Copyright (C) 2007-2019 IPFire Team <info(a)ipfire.org> # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 4.2.8p12 +VER = 4.2.8p13 THISAPP = ntp-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 1522d66574bae14abb2622746dad2bdc +$(DL_FILE)_MD5 = ea040ab9b4ca656b5229b89d6b822f13 install : $(TARGET) -- 2.18.0

1 0

[PATCH 2/2] run Tor under dedicated user
by Peter Müller 15 Mar '19

15 Mar '19

This allows more-fine granular firewall rules (see first patch for further information). Further, it prevents other services running as "nobody" (Apache, ...) from reading Tor relay keys. Fixes #11779. Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> --- lfs/tor | 6 +++--- src/paks/tor/install.sh | 15 ++++++++++++++- 2 files changed, 17 insertions(+), 4 deletions(-) diff --git a/lfs/tor b/lfs/tor index 384b1b213..2b0e0903a 100644 --- a/lfs/tor +++ b/lfs/tor @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = tor -PAK_VER = 34 +PAK_VER = 35 DEPS = "" @@ -82,8 +82,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --prefix=/usr \ --sysconfdir=/etc \ --localstatedir=/var \ - --with-tor-user=nobody \ - --with-tor-group=nobody + --with-tor-user=tor \ + --with-tor-group=tor cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install diff --git a/src/paks/tor/install.sh b/src/paks/tor/install.sh index 31c5fecae..e1ed33331 100644 --- a/src/paks/tor/install.sh +++ b/src/paks/tor/install.sh @@ -17,11 +17,24 @@ # along with IPFire; if not, write to the Free Software # # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # # # -# Copyright (C) 2007 IPFire-Team <info(a)ipfire.org>. # +# Copyright (C) 2007-2019 IPFire-Team <info(a)ipfire.org>. # # # ############################################################################ # . /opt/pakfire/lib/functions.sh + +# Run Tor as dedicated user and make sure user and group exist +if ! getent group tor &>/dev/null; then + groupadd -g 119 tor +fi + +if ! getent passwd tor; then + useradd -u 119 -g tor -d /var/empty -s /bin/false tor + + # Adjust some folder permission for new UID/GID + chown -R tor:tor /var/lib/tor /var/ipfire/tor +fi + extract_files restore_backup ${NAME} start_service --background ${NAME} -- 2.16.4

2 4

[PATCH] core130: Fix another error in rootfile
by Stefan Schantl 15 Mar '19

15 Mar '19

Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org> --- config/rootfiles/core/130/filelists/files | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/rootfiles/core/130/filelists/files b/config/rootfiles/core/130/filelists/files index d71f4ff75..d33ede19c 100644 --- a/config/rootfiles/core/130/filelists/files +++ b/config/rootfiles/core/130/filelists/files @@ -13,7 +13,7 @@ srv/web/ipfire/cgi-bin/ids.cgi srv/web/ipfire/cgi-bin/logs.cgi/ids.dat srv/web/ipfire/cgi-bin/logs.cgi/log.dat usr/local/bin/suricatactrl -usr/local/bin/update-ids-rules +usr/local/bin/update-ids-ruleset usr/sbin/convert-snort var/ipfire/backup/bin/backup.pl var/ipfire/backup/include -- 2.20.1

1 0

Core 128 Update - some glitches
by Matthias Fischer 15 Mar '19

15 Mar '19

Hi, yesterday I installed the update from Core 127 to Core 128 / 32bit on my Duo Box with 4 GB RAM. Pakfire showed *no* errors during the (second) try. But I noticed a few "glitches": 1. First download attempt was aborted with: ***SNIP*** 20:50:58 pakfire: DOWNLOAD INFO: File received. Start checking signature... 20:50:59 pakfire: DOWNLOAD ERROR: The downloaded file (ipfire/pakfire2/2.21/paks/core-upgrade-2.2 1-128.ipfire) wasn't verified by IPFire.org. Sorry - Exiting... 20:50:59 pakfire: TIME INFO: Time Server 193.175.73.151 has -0.093144 sec offset to localtime. ***SNAP*** On the second try everything went smooth - absolutely no Pakfire or installation errors - update went through. Ok, it could have been me or my ISP. I didn't bother. But after rebooting I saw that only the *SMP* kernel had been updated, *PAE* is missing for some reason, I'm still on the old version. Can anyone explain why? Current contents of '/boot': config-4.14.103-ipfire config-4.14.86-ipfire-pae grub initramfs-4.14.103-ipfire.img initramfs-4.14.86-ipfire-pae.img lost+found System.map-4.14.103-ipfire System.map-4.14.86-ipfire-pae vmlinuz-4.14.103-ipfire vmlinuz-4.14.86-ipfire-pae More details (german): => https://forum.ipfire.org/viewtopic.php?f=22&t=22463 So now I got a new SMP kernel (running) and an old PAE kernel... Bug or feature or anything I can do about this!? ##### 2. I found that - not only with this but also with other updates - the module 'nct6775' is installed on the Duo Box. I can't use this. This module leads to sensor values being displayed in the hardware graphs - with errors - which do *not exist* on the Duo Box. Kernel says: 1 Time(s): nct6775: Found NCT6106D or compatible chip at 0x2e:0xa10 But there are no fans on this board... Solution: Stop 'collectd': /etc/init.d/collectd stop Delete directory: '/var/log/rrd/collectd/localhost/sensors-nct6106-isa-0a10' Unload 'nct6775': /etc/modprobe.d/nct6775.conf Delete 'nct6775' in '/etc/sysconfig/lm_sensors' Start 'collectd' again: /etc/init.d/collectd stop I tried adding 'blacklist nct6775' to '/etc/modprobe.d/blacklist.conf' but this had no effect. Is there anything else I can do to prevent this module for being loaded? ##### 3. Today I noticed some kernel messages which I didn't see before after an update: ***SNIP*** 1 Time(s): <27>udevd[487]: RUN{builtin}: 'firmware' unknown /lib/udev/rules.d/50-firmware.rules:3 1 Time(s): <27>udevd[487]: specified group 'input' unknown 1 Time(s): <27>udevd[487]: specified group 'kvm' unknown 1 Time(s): <27>udevd[487]: specified group 'render' unknown 1 Time(s): Kernel log daemon terminating. 1 Time(s): Kernel logging (proc) stopped. ***SNAP*** Besides these "problems", the machine is running smooth. With ~3 GB RAM. ;-) Can anyone confirm or has any hints? Best, Matthias

1 0

Testers wanted for patch "hostapd: make client isolation configurable via WebUI"
by Peter Müller 12 Mar '19

12 Mar '19

Hi, some times ago, there was a feature request regarding client isolation for WLAN networks ran by local hostapd. This sounds like a good idea to me, and there is a patch available at https://bugzilla.ipfire.org/attachment.cgi?id=656&action=diff . Could somebody with a more WLAN knowledge than I have test this too, to make sure things do not break here? Thank you very much. :-) Corresponding issue is available at https://bugzilla.ipfire.org/show_bug.cgi?id=11974 . Thanks, and best regards, Peter Müller -- The road to Hades is easy to travel. -- Bion of Borysthenes

2 1

[PATCH] less: update to 530
by Peter Müller 11 Mar '19

11 Mar '19

Backporting package updates to IPFire 3.x, too... Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> --- less/less.nm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/less/less.nm b/less/less.nm index 8e9d54355..e021e37ef 100644 --- a/less/less.nm +++ b/less/less.nm @@ -4,7 +4,7 @@ ############################################################################### name = less -version = 481 +version = 530 release = 1 groups = Applications/Text -- 2.16.4

1 0

[PATCH 1/2] add IPtables chain for outgoing Tor traffic
by Peter Müller 11 Mar '19

11 Mar '19

If Tor is operating in relay mode, it has to open a lot of outgoing TCP connections. These should be separated from any other outgoing connections, as allowing _all_ outgoing traffic will be unwanted and risky in most cases. Thereof, Tor will be running as a dedicated user (see second patch), allowing usage of user-based IPtables rulesets. Partially fixes #11779. Singed-off-by: Peter Müller <peter.mueller(a)ipfire.org> --- src/initscripts/packages/tor | 4 ++++ src/initscripts/system/firewall | 4 +++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/src/initscripts/packages/tor b/src/initscripts/packages/tor index 551538e2f..754a2786f 100644 --- a/src/initscripts/packages/tor +++ b/src/initscripts/packages/tor @@ -21,8 +21,11 @@ function setup_firewall() { # Flush all rules. flush_firewall + # Allow incoming traffic to Tor relay (and directory) port and + # all outgoing TCP connections from Tor user. if [ "${TOR_RELAY_ENABLED}" = "on" -a -n "${TOR_RELAY_PORT}" ]; then iptables -A TOR_INPUT -p tcp --dport "${TOR_RELAY_PORT}" -j ACCEPT + iptables -A TOR_OUTPUT -p tcp -m owner --uid-owner tor -j ACCEPT fi if [ "${TOR_RELAY_ENABLED}" = "on" -a -n "${TOR_RELAY_DIRPORT}" ] && [ "${TOR_RELAY_DIRPORT}" -ne 0 ]; then @@ -33,6 +36,7 @@ function setup_firewall() { function flush_firewall() { # Flush all rules. iptables -F TOR_INPUT + iptables -F TOR_OUTPUT } case "${1}" in diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 2739a6834..cb533cc94 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -294,9 +294,11 @@ iptables_init() { iptables -N OVPNINPUT iptables -A INPUT -j OVPNINPUT - # Tor + # Tor (inbound and outbound) iptables -N TOR_INPUT iptables -A INPUT -j TOR_INPUT + iptables -N TOR_OUTPUT + iptables -A OUTPUT -j TOR_OUTPUT # Jump into the actual firewall ruleset. iptables -N INPUTFW -- 2.16.4

1 0

Suricata testing
by Kienker, Fred 11 Mar '19

11 Mar '19

Thanks for all your hard work on this Stefan. I am reporting the results of our testing to date. Environment: C128 with Suricata from latest posted tarball (2019-03-02) 1. The web interface seems *very* sluggish – checking boxes requires quite a bit of wait time until the check mark appears. Maybe this is normal and to be expected? 2. Runs properly with most websites, with one MAJOR (at least for us) exception – the LogMeIn Central management panel. For those not familiar with this product, it is commonly used in the US to provide remote access for individual users, and management of large groups of computers by companies or managed service providers. With Suricata enabled and the monitor only box unchecked, it is not possible to connect to the remote machine – it freezes when it tries to set up the TLS connection. With Suricata enabled and the monitor only box checked it IS possible to connect to the remote machine. This was never a problem with the previous IPFire intrusion detection system. If you tell me what you want, I can provide copies of logs. 3. In the older intrusion detection system with Guardian installed, bad actors were automatically blocked. With Suricata, even when run for extended periods of time, this never seems to happen. Am I misunderstanding what Suricata is supposed to do? 4. With our typical machine (a Dell R610 12 core Xeon and 12 GB of RAM) it runs very substantially better than the previous intrusion detection system (snort) every did. I am hoping my issue with the automatic blocking is simply my not understanding how to use Suricata. I really don’t want to have to go back to putting fail2ban back on all of the servers. Best regards, Fred Fred Kienker fkienker(a)at4b.com This e-mail transmission, and any documents, files or previous e-mail messages attached to it, may contain confidential information that is legally privileged. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this message is STRICTLY PROHIBITED. If you have received this transmission in error, please immediately notify us by reply e-mail or by telephone at 1.770.518.6166, and destroy the original transmission and its attachments without reading them or saving them to disk. This communication is covered by the Electronic Communications Privacy Act, 18 U.S.C. sections 2510-2521. Thank you.

2 1

[PATCH] amavisd: update to 2.11.1
by Peter Müller 11 Mar '19

11 Mar '19

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> --- lfs/amavisd | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/lfs/amavisd b/lfs/amavisd index a46866236..026e43f2f 100644 --- a/lfs/amavisd +++ b/lfs/amavisd @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team <info(a)ipfire.org> # +# Copyright (C) 2007-2019 IPFire Team <info(a)ipfire.org> # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,15 +24,15 @@ include Config -VER = 2.5.2 +VER = 2.11.1 THISAPP = amavisd-new-$(VER) -DL_FILE = $(THISAPP).tar.gz +DL_FILE = $(THISAPP).tar.bz2 DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = amavisd -PAK_VER = 1 +PAK_VER = 2 DEPS = "clamav spamassassin" @@ -44,7 +44,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 52d227d442fac64916488b83d79806d7 +$(DL_FILE)_MD5 = f89fc043c790e35137121e45f2890703 install : $(TARGET) @@ -76,7 +76,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) - @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && cp -f amavisd /usr/bin chown root.root /usr/bin/amavisd chmod 755 /usr/bin/amavisd -- 2.16.4

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Development March 2019