This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  cc3e41cb8b0b7d713ce15a7177d1bbda7778b2ca (commit)
       via  edea6ec5a4ee9a75afcf69c65178089f6a928105 (commit)
       via  0762dcc4e86937ae2f00d09d449563eb12563b9c (commit)
       via  8a0585837c4f743676a27ad16212a68b8fb4172b (commit)
       via  4e4128faacab7a25e5845faffefa2b2b2128eff7 (commit)
       via  ffba3c98bac2675f19f32541f5e1ebe61419e7bd (commit)
       via  4ca0cb33543e780f02142cd70b18bb341d2eabad (commit)
       via  b67e79a4f15bcb8f2e9d525169d9c51611fe6c7e (commit)
      from  a0d612be7ac96cff5dc988f89054db49420c14b8 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit cc3e41cb8b0b7d713ce15a7177d1bbda7778b2ca
Author: Peter Müller <peter.mueller@link38.eu>
Date:   Mon Sep 10 16:29:09 2018 +0200
use custom SSH client configuration in LFS file
Include OpenSSH client configuration file during build.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit edea6ec5a4ee9a75afcf69c65178089f6a928105
Author: Peter Müller <peter.mueller@link38.eu>
Date:   Mon Sep 10 16:29:08 2018 +0200
add hardened SSH client configuration
Introduce a custom OpenSSH client configuration file for IPFire. Some people use it as a jumping host, so applying hardening options system-wide improves security.
Cryptography setup is the same as for OpenSSH server configuration.
The second version of this patch re-adds some non-AEAD cipher suites which are needed for connecting to older RHEL systems.
Partially fixes #11751
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 0762dcc4e86937ae2f00d09d449563eb12563b9c
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Mon Sep 10 16:35:25 2018 +0100
core124: Ship updated unbound configuration and restart daemon
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 8a0585837c4f743676a27ad16212a68b8fb4172b
Author: Peter Müller <peter.mueller@link38.eu>
Date:   Mon Sep 10 16:21:26 2018 +0200
Unbound: Use aggressive NSEC
This avoids some needless lookups to destination domains with a very high NXDOMAIN rate and reduces load on upstream servers.
See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for further details.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 4e4128faacab7a25e5845faffefa2b2b2128eff7
Author: Peter Müller <peter.mueller@link38.eu>
Date:   Mon Sep 10 16:21:25 2018 +0200
Unbound: Use caps for IDs
Attempt to detect DNS spoofing attacks by inserting 0x20-encoded random bits into upstream queries. Upstream documentation claims it to be an experimental implementation; it did not cause any trouble on productive systems here.
See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for further details.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit ffba3c98bac2675f19f32541f5e1ebe61419e7bd
Author: Peter Müller <peter.mueller@link38.eu>
Date:   Mon Sep 10 16:21:24 2018 +0200
Unbound: Enable DNS cache poisoning mitigation
By default, Unbound neither keeps track of the number of unwanted replies nor initiates countermeasures if they become too large (DNS cache poisoning).
This sets the maximum number of tolerated unwanted replies to 1M, causing the cache to be flushed afterwards. (Upstream documentation recommends 10M as a threshold, but this turned out to be ineffective against attacks in the wild.)
See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for details. This version of the patch uses 1M as threshold instead of 5M and supersedes the first and second version.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 4ca0cb33543e780f02142cd70b18bb341d2eabad
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Mon Sep 10 16:30:52 2018 +0100
core124: Ship updated redirect page template
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit b67e79a4f15bcb8f2e9d525169d9c51611fe6c7e
Author: Peter Müller <peter.mueller@link38.eu>
Date:   Mon Sep 10 16:15:44 2018 +0200
embed background image in redirect template
Embed the IPFire background image into the redirect template directly via CSS instead of loading it from somewhere else. This is necessary because of Content Security Policy (CSP).
This patch inserts the base64 encoded image during build so nothing needs to be updated twice in case the background image changes.
It supersedes the first to fourth versions of this patch and has been successfully tested during a clean build.
Fixes #11650
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
 config/rootfiles/core/124/filelists/files         |  2 ++
 config/rootfiles/core/124/update.sh               |  1 +
 config/ssh/ssh_config                             | 33 +++++++++++++++++++++++
 config/unbound/unbound.conf                       |  6 ++++-
 html/html/redirect-templates/legacy/template.html |  7 ++++-
 lfs/openssh                                       |  5 ++++
 lfs/web-user-interface                            |  5 ++++
 7 files changed, 57 insertions(+), 2 deletions(-)
 create mode 100644 config/ssh/ssh_config
Difference in files: diff --git a/config/rootfiles/core/124/filelists/files b/config/rootfiles/core/124/filelists/files index 5cc19a8a5..cfd300dce 100644 --- a/config/rootfiles/core/124/filelists/files +++ b/config/rootfiles/core/124/filelists/files @@ -5,6 +5,7 @@ etc/rc.d/init.d/aws etc/rc.d/init.d/localnet etc/rc.d/init.d/partresize etc/sysctl.conf +etc/unbound/unbound.conf opt/pakfire/lib/functions.pl opt/pakfire/pakfire srv/web/ipfire/cgi-bin/firewall.cgi @@ -13,6 +14,7 @@ srv/web/ipfire/cgi-bin/ids.cgi srv/web/ipfire/cgi-bin/index.cgi srv/web/ipfire/cgi-bin/pakfire.cgi srv/web/ipfire/cgi-bin/vpnmain.cgi +srv/web/ipfire/html/redirect-templates/legacy/template.html usr/bin/install-bootloader usr/local/bin/backupiso usr/local/bin/rebuild-initrd diff --git a/config/rootfiles/core/124/update.sh b/config/rootfiles/core/124/update.sh index 5a92aa72d..59f1e8f55 100644 --- a/config/rootfiles/core/124/update.sh +++ b/config/rootfiles/core/124/update.sh @@ -50,6 +50,7 @@ ldconfig # Start services /etc/init.d/rngd restart /etc/init.d/ntp restart +/etc/init.d/unbound restart
# Reload sysctl.conf sysctl -p diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config new file mode 100644 index 000000000..2abfae6d1 --- /dev/null +++ b/config/ssh/ssh_config @@ -0,0 +1,33 @@ +# OpenSSH client configuration +# +# set some basic hardening options for all connections +Host * + # disable Roaming as it is known to be vulnerable + UseRoaming no + + # only use secure crypto algorithm + KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 + Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr + MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com + + # always visualise server host keys (has no technical + # effect, but helps to identify key based MITM attacks) + VisualHostKey yes + + # use SSHFP (might work on some up-to-date networks) to look up host keys + VerifyHostKeyDNS yes + + # send keep-alive messages to connected server to avoid broken connections + ServerAliveInterval 10 + ServerAliveCountMax 6 + + # disable X11 forwarding (security risk) + ForwardX11 no + + # always check server IP address + CheckHostIP yes + + # ensure only allowed authentication methods are used + PreferredAuthentications publickey,keyboard-interactive,password + +# EOF diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index 3f724d8f7..cda591dab 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -59,7 +59,11 @@ server: harden-below-nxdomain: yes harden-referral-path: yes harden-algo-downgrade: no - use-caps-for-id: no + use-caps-for-id: yes + aggressive-nsec: yes + + # Harden against DNS cache poisoning + unwanted-reply-threshold: 1000000
# Listen on all interfaces interface-automatic: yes diff --git a/html/html/redirect-templates/legacy/template.html b/html/html/redirect-templates/legacy/template.html index b5fb61ebe..297561e3a 100644 --- a/html/html/redirect-templates/legacy/template.html +++ b/html/html/redirect-templates/legacy/template.html @@ -3,11 +3,16 @@ <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>ACCESS MESSAGE</title> + <style content="text/css"> + td.image { + background-image: url(); + } + </style> </head> <body> <table width="100%" height='100%' border="0"> <tr> - <td colspan='3' width='100%' height='130' align="center" background="<TMPL_VAR NAME="ADDRESS">/images/background.gif"> + <td colspan='3' width='100%' height='152px' align="center" class="image"> </td> <tr> <td width='10%'> <td align='center' bgcolor='#CC000000' width='80%'> diff --git a/lfs/openssh b/lfs/openssh index a88b2d126..0e6acc227 100644 --- a/lfs/openssh +++ b/lfs/openssh @@ -100,5 +100,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) -e 's|^#?HostKey /etc/ssh/ssh_host_ed25519_key$$||' \ -e 's|^#?HostKey /etc/ssh/ssh_host_rsa_key$$|HostKey /etc/ssh/ssh_host_ecdsa_key\nHostKey /etc/ssh/ssh_host_ed25519_key\nHostKey /etc/ssh/ssh_host_rsa_key|' \ /etc/ssh/sshd_config + + # install custom OpenSSH client configuration + install -v -m 644 $(DIR_SRC)/config/ssh/ssh_config \ + /etc/ssh/ssh_config + @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/lfs/web-user-interface b/lfs/web-user-interface index 0c5688252..73aec3a8d 100644 --- a/lfs/web-user-interface +++ b/lfs/web-user-interface @@ -55,6 +55,11 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) mkdir -p /var/updatecache/{download,metadata} cp -aR $(DIR_SRC)/html/* /srv/web/ipfire
+ # Add base64 encoded background image to Squid content access page + basedata="$$( base64 $(DIR_SRC)/html/html/images/background.gif | tr -d '\n' )"; \ + sed -i "s|IMAGEDATAPLACEHOLDER|$${basedata}|g" \ + /srv/web/ipfire/html/redirect-templates/legacy/template.html + # Change CONFIG_ROOT in cgi-scripts for i in /srv/web/ipfire/cgi-bin/{*,logs.cgi/*,vpn.cgi/*}; do \ if [ -f $$i ]; then \
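Review bot: in the new config/ssh/ssh_config, `UseRoaming no` has no effect on current OpenSSH: client roaming support was removed in 7.3 and the keyword is only still accepted as a deprecated option, so the comment "known to be vulnerable" describes behaviour this client no longer has; either drop the line or mark it as kept for older clients only. Two more points on the same hunk. ssh(1) reads ~/.ssh/config before /etc/ssh/ssh_config and uses the first value it obtains, so the `Host *` block is a default rather than an enforced policy; a per-user file can silently re-enable `ForwardX11` or weaker `Ciphers`, which matters for the jump-host use case the commit message gives as motivation. And `VerifyHostKeyDNS yes` lets a DNSSEC-validated SSHFP match accept an unknown host key without any prompt, so the trust placed in the resolver path should be a deliberate choice; `VerifyHostKeyDNS ask` still displays the SSHFP match but keeps the confirmation prompt.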
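Review bot: in the config/unbound/unbound.conf hunk, `use-caps-for-id: yes` can break resolution against authoritative servers that do not echo the query name case; unbound has a fallback, but some load balancers still fail, and the upstream documentation itself calls the feature experimental, so plan to use `caps-whitelist` for affected domains and watch for SERVFAIL spikes after rollout. `aggressive-nsec: yes` only acts on DNSSEC-validated negative answers, so the saving in upstream lookups depends on validation being enabled elsewhere in this file. For `unwanted-reply-threshold: 1000000`, the counter is kept per thread and reaching it clears the rrset and message caches; the warning unbound writes to the log at that moment is the only signal that a flush happened, so it should be picked up by log monitoring, and the lower threshold trades poisoning resistance against more frequent cache flushes from unrelated bursts of stray replies.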
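Review bot: in the template.html hunk, `<style content="text/css">` is not valid; the attribute is `type="text/css"` (or none at all). The added rule `background-image: url();` is empty as listed and carries no IMAGEDATAPLACEHOLDER token for the sed in lfs/web-user-interface to replace, so unless the data: URI with the placeholder was lost in this listing the image will never be embedded; the rule should read along the lines of `background-image: url("data:image/gif;base64,IMAGEDATAPLACEHOLDER");`. Since the commit message gives Content Security Policy as the reason for the change: an inline `<style>` block needs `style-src` to allow it ('unsafe-inline', a hash or a nonce) and a data: background needs `img-src data:`, so the policy served with this page has to permit both or the template is still broken, just differently. Minor: the HTML `height` attribute on `<td>` takes a bare pixel count, so `height='152px'` should be `height='152'`.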
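Review bot: the lfs/openssh hunk installs /etc/ssh/ssh_config, but the config/rootfiles/core/124/filelists/files hunk in this series only adds etc/unbound/unbound.conf and the redirect template, so systems upgrading to core 124 keep their existing client configuration and only fresh builds receive the hardened file; if the intent of the commit message ("applying hardening options system-wide") is a rollout to installed systems, `etc/ssh/ssh_config` has to be added to the core 124 filelist as well.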
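Review bot: in the lfs/web-user-interface hunk, `sed -i "s|IMAGEDATAPLACEHOLDER|$${basedata}|g"` exits 0 even when the token is absent, so a template that has lost its placeholder (the `url()` in the template.html hunk is empty as listed) builds cleanly and ships without a background; guard the step with a `grep -q IMAGEDATAPLACEHOLDER` on the template before the sed (or check afterwards that no placeholder remains) so the build fails instead. The whole base64 blob is passed as a single sed argument, and Linux limits one argument to 128 KiB (MAX_ARG_STRLEN), so a background.gif larger than roughly 96 KiB fails the build with "Argument list too long"; feeding the substitution to sed from a script file (`sed -f`) avoids that limit. The `|` delimiter is the right choice because the base64 alphabet (A-Z, a-z, 0-9, +, /, =) contains neither it nor the replacement-special `&` and `\`; that assumption is worth stating in the comment, since a switch to a different encoding would invalidate it.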
hooks/post-receive -- IPFire 2.x development tree