public inbox for ipfire-scm@lists.ipfire.org
From: Michael Tremer <git@ipfire.org>
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. cc3e41cb8b0b7d713ce15a7177d1bbda7778b2ca
Date: Mon, 10 Sep 2018 16:38:02 +0100
Message-ID: <20180910153803.9BECC1081BD3@git01.ipfire.org>


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  cc3e41cb8b0b7d713ce15a7177d1bbda7778b2ca (commit)
       via  edea6ec5a4ee9a75afcf69c65178089f6a928105 (commit)
       via  0762dcc4e86937ae2f00d09d449563eb12563b9c (commit)
       via  8a0585837c4f743676a27ad16212a68b8fb4172b (commit)
       via  4e4128faacab7a25e5845faffefa2b2b2128eff7 (commit)
       via  ffba3c98bac2675f19f32541f5e1ebe61419e7bd (commit)
       via  4ca0cb33543e780f02142cd70b18bb341d2eabad (commit)
       via  b67e79a4f15bcb8f2e9d525169d9c51611fe6c7e (commit)
      from  a0d612be7ac96cff5dc988f89054db49420c14b8 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit cc3e41cb8b0b7d713ce15a7177d1bbda7778b2ca
Author: Peter Müller <peter.mueller(a)link38.eu>
Date:   Mon Sep 10 16:29:09 2018 +0200

    use custom SSH client configuration in LFS file
    
    Include OpenSSH client configuration file during build.
    
    Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit edea6ec5a4ee9a75afcf69c65178089f6a928105
Author: Peter Müller <peter.mueller(a)link38.eu>
Date:   Mon Sep 10 16:29:08 2018 +0200

    add hardened SSH client configuration
    
    Introduce a custom OpenSSH client configuration file for IPFire.
    Some people use it as a jumping host, so applying hardening options
    system-wide improves security.
    
    Cryptography setup is the same as for OpenSSH server configuration.
    
    The second version of this patch re-adds some non-AEAD cipher suites
    which are needed for connecting to older RHEL systems.
    
    Partially fixes #11751
    
    Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 0762dcc4e86937ae2f00d09d449563eb12563b9c
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Sep 10 16:35:25 2018 +0100

    core124: Ship updated unbound configuration and restart daemon
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 8a0585837c4f743676a27ad16212a68b8fb4172b
Author: Peter Müller <peter.mueller(a)link38.eu>
Date:   Mon Sep 10 16:21:26 2018 +0200

    Unbound: Use aggressive NSEC
    
    This avoids some needless lookups to destination domains
    with a very high NXDOMAIN rate and reduces load on upstream
    servers.
    
    See https://nlnetlabs.nl/documentation/unbound/unbound.conf/
    for further details.
    
    Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 4e4128faacab7a25e5845faffefa2b2b2128eff7
Author: Peter Müller <peter.mueller(a)link38.eu>
Date:   Mon Sep 10 16:21:25 2018 +0200

    Unbound: Use caps for IDs
    
    Attempt to detect DNS spoofing attacks by inserting 0x20-encoded
    random bits into upstream queries. Upstream documentation claims
    it to be an experimental implementation; it did not cause any trouble
    on productive systems here.
    
    See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
    further details.
    
    Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit ffba3c98bac2675f19f32541f5e1ebe61419e7bd
Author: Peter Müller <peter.mueller(a)link38.eu>
Date:   Mon Sep 10 16:21:24 2018 +0200

    Unbound: Enable DNS cache poisoning mitigation
    
    By default, Unbound neither keeps track of the number of unwanted
    replies nor initiates countermeasures if they become too large (DNS
    cache poisoning).
    
    This sets the maximum number of tolerated unwanted replies to
    1M, causing the cache to be flushed afterwards. (Upstream documentation
    recommends 10M as a threshold, but this turned out to be ineffective
    against attacks in the wild.)
    
    See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
    details. This version of the patch uses 1M as threshold instead of
    5M and supersedes the first and second version.
    
    Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 4ca0cb33543e780f02142cd70b18bb341d2eabad
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Sep 10 16:30:52 2018 +0100

    core124: Ship updated redirect page template
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit b67e79a4f15bcb8f2e9d525169d9c51611fe6c7e
Author: Peter Müller <peter.mueller(a)link38.eu>
Date:   Mon Sep 10 16:15:44 2018 +0200

    embed background image in redirect template
    
    Embed the IPFire background image into the redirect template
    directly via CSS instead of loading it from somewhere else.
    This is necessary because of Content Security Policy (CSP).
    
    This patch inserts the base64 encoded image during build so
    nothing needs to be updated twice in case the background image
    changes.
    
    It supersedes the first to fourth versions of this patch and has
    been successfully tested during a clean build.
    
    Fixes #11650
    
    Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 config/rootfiles/core/124/filelists/files         |  2 ++
 config/rootfiles/core/124/update.sh               |  1 +
 config/ssh/ssh_config                             | 33 +++++++++++++++++++++++
 config/unbound/unbound.conf                       |  6 ++++-
 html/html/redirect-templates/legacy/template.html |  7 ++++-
 lfs/openssh                                       |  5 ++++
 lfs/web-user-interface                            |  5 ++++
 7 files changed, 57 insertions(+), 2 deletions(-)
 create mode 100644 config/ssh/ssh_config

Difference in files:
diff --git a/config/rootfiles/core/124/filelists/files b/config/rootfiles/core/124/filelists/files
index 5cc19a8a5..cfd300dce 100644
--- a/config/rootfiles/core/124/filelists/files
+++ b/config/rootfiles/core/124/filelists/files
@@ -5,6 +5,7 @@ etc/rc.d/init.d/aws
 etc/rc.d/init.d/localnet
 etc/rc.d/init.d/partresize
 etc/sysctl.conf
+etc/unbound/unbound.conf
 opt/pakfire/lib/functions.pl
 opt/pakfire/pakfire
 srv/web/ipfire/cgi-bin/firewall.cgi
@@ -13,6 +14,7 @@ srv/web/ipfire/cgi-bin/ids.cgi
 srv/web/ipfire/cgi-bin/index.cgi
 srv/web/ipfire/cgi-bin/pakfire.cgi
 srv/web/ipfire/cgi-bin/vpnmain.cgi
+srv/web/ipfire/html/redirect-templates/legacy/template.html
 usr/bin/install-bootloader
 usr/local/bin/backupiso
 usr/local/bin/rebuild-initrd
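Review bot: etc/ssh/ssh_config is missing from this filelist. The lfs/openssh change in the same push installs the new hardened client configuration into /etc/ssh/ssh_config, but only etc/unbound/unbound.conf and the redirect template are added here, so installations upgrading to core 124 keep the stock client config while fresh builds get the hardened one. Add `etc/ssh/ssh_config` next to `etc/unbound/unbound.conf` (or link the openssh rootfile into this update), and confirm that nothing in update.sh needs to run for it, since the file is plain 0644 config with no daemon to restart.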
diff --git a/config/rootfiles/core/124/update.sh b/config/rootfiles/core/124/update.sh
index 5a92aa72d..59f1e8f55 100644
--- a/config/rootfiles/core/124/update.sh
+++ b/config/rootfiles/core/124/update.sh
@@ -50,6 +50,7 @@ ldconfig
 # Start services
 /etc/init.d/rngd restart
 /etc/init.d/ntp restart
+/etc/init.d/unbound restart
 
 # Reload sysctl.conf
 sysctl -p
diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config
new file mode 100644
index 000000000..2abfae6d1
--- /dev/null
+++ b/config/ssh/ssh_config
@@ -0,0 +1,33 @@
+# OpenSSH client configuration
+#
+# set some basic hardening options for all connections
+Host *
+        # disable Roaming as it is known to be vulnerable
+        UseRoaming no
+
+        # only use secure crypto algorithm
+        KexAlgorithms curve25519-sha256(a)libssh.org,diffie-hellman-group-exchange-sha256
+        Ciphers chacha20-poly1305(a)openssh.com,aes256-gcm(a)openssh.com,aes128-gcm(a)openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+        MACs hmac-sha2-512-etm(a)openssh.com,hmac-sha2-256-etm(a)openssh.com,umac-128-etm(a)openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128(a)openssh.com
+
+        # always visualise server host keys (has no technical
+        # effect, but helps to identify key based MITM attacks)
+        VisualHostKey yes
+
+        # use SSHFP (might work on some up-to-date networks) to look up host keys
+        VerifyHostKeyDNS yes
+
+        # send keep-alive messages to connected server to avoid broken connections
+        ServerAliveInterval 10
+        ServerAliveCountMax 6
+
+        # disable X11 forwarding (security risk)
+        ForwardX11 no
+
+        # always check server IP address
+        CheckHostIP yes
+
+        # ensure only allowed authentication methods are used
+        PreferredAuthentications publickey,keyboard-interactive,password
+
+# EOF
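Review bot: `UseRoaming no` is a deprecated option in current OpenSSH releases (the roaming client code was removed upstream after the 2016 information-leak fix), so ssh(1) will print a "Deprecated option" warning on every connection instead of changing any behaviour; drop the line, or keep it only if the OpenSSH version built by lfs/openssh is old enough to still accept it. Two more points on this hunk. First, the `(a)` inside the algorithm names (`curve25519-sha256(a)libssh.org`, `chacha20-poly1305(a)openssh.com`, `umac-128-etm(a)openssh.com`) is the mailing-list archive's address obfuscation; the committed file must contain `@`, otherwise ssh(1) rejects the lists as bad algorithm names and refuses to start, so anyone copying this config from the archive needs to restore them. Second, `VerifyHostKeyDNS yes` does more than the comment "use SSHFP ... to look up host keys" suggests: when the resolver returns a matching SSHFP record with the AD bit set, ssh(1) accepts the key without the usual unknown-host prompt, so host-key trust for new hosts now rests on DNSSEC validation in the local resolver; without a validating resolver the record is only shown as information. Say so in the comment, since this is the one option in the block that can silently widen trust rather than narrow it.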
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index 3f724d8f7..cda591dab 100644
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -59,7 +59,11 @@ server:
 	harden-below-nxdomain: yes
 	harden-referral-path: yes
 	harden-algo-downgrade: no
-	use-caps-for-id: no
+	use-caps-for-id: yes
+	aggressive-nsec: yes
+
+	# Harden against DNS cache poisoning
+	unwanted-reply-threshold: 1000000
 
 	# Listen on all interfaces
 	interface-automatic: yes
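Review bot: `use-caps-for-id: yes` needs its escape hatch documented next to it. Some authoritative servers do not preserve the 0x20 case pattern in their answers; Unbound then discards the mismatching replies and only falls back after retries, so those domains resolve slowly or not at all. Unbound provides `caps-whitelist` for exactly those domains, and a comment here (or an empty `caps-whitelist:` placeholder) will save the next person the debugging session. On `unwanted-reply-threshold: 1000000`, the comment "Harden against DNS cache poisoning" should state what the countermeasure actually is: a full cache flush. An attacker who can deliver a million unsolicited replies, which is the trigger the commit message says was chosen because 10M was too slow, therefore also gets a cheap cold-cache flush on demand; that is an accepted trade-off, but it should be written down. `aggressive-nsec: yes` only applies to DNSSEC-signed zones, so its effect depends on the validation setup that is not part of this hunk.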
diff --git a/html/html/redirect-templates/legacy/template.html b/html/html/redirect-templates/legacy/template.html
index b5fb61ebe..297561e3a 100644
--- a/html/html/redirect-templates/legacy/template.html
+++ b/html/html/redirect-templates/legacy/template.html
@@ -3,11 +3,16 @@
 	<head>
 		<meta http-equiv="Content-Type" content="text/html; charset=utf-8"> 
 		<title>ACCESS MESSAGE</title>
+		<style content="text/css">
+			td.image {
+				background-image: url(data:image/gif;base64,IMAGEDATAPLACEHOLDER);
+			}
+		</style>
 	</head>
 	<body>
 		<table width="100%" height='100%' border="0">
 			<tr>
-				<td colspan='3' width='100%' height='130' align="center" background="<TMPL_VAR NAME="ADDRESS">/images/background.gif">
+				<td colspan='3' width='100%' height='152px' align="center" class="image">&nbsp;</td>
 			<tr>
 				<td width='10%'>
 				<td align='center' bgcolor='#CC000000' width='80%'>
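Review bot: `<style content="text/css">` uses an attribute that `<style>` does not have; the attribute is `type` (`<style type="text/css">`), or simply `<style>` since text/css is the default. Browsers ignore the unknown attribute, so the rule works by accident; fix it anyway. Two things to check against the Content Security Policy that motivated this change (the policy itself is not in this patch): an inline `<style>` block is blocked by a `style-src` directive unless it allows `'unsafe-inline'` or the block's hash, and a `data:` background image is blocked unless `img-src` includes `data:`. Moving the image into an inline style only helps if the policy permits both, so the commit should note which policy it was tested against. Minor: `height='152px'` changes the value from 130 and adds a `px` suffix that the HTML `height` attribute does not take (it is a bare pixel count); the added `&nbsp;</td>` closes a cell the original left open, which is an improvement.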
diff --git a/lfs/openssh b/lfs/openssh
index a88b2d126..0e6acc227 100644
--- a/lfs/openssh
+++ b/lfs/openssh
@@ -100,5 +100,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 		-e 's|^#\?HostKey /etc/ssh/ssh_host_ed25519_key$$||' \
 		-e 's|^#\?HostKey /etc/ssh/ssh_host_rsa_key$$|HostKey /etc/ssh/ssh_host_ecdsa_key\nHostKey /etc/ssh/ssh_host_ed25519_key\nHostKey /etc/ssh/ssh_host_rsa_key|' \
 		/etc/ssh/sshd_config
+
+	# install custom OpenSSH client configuration
+	install -v -m 644 $(DIR_SRC)/config/ssh/ssh_config \
+		/etc/ssh/ssh_config
+
 	@rm -rf $(DIR_APP)
 	@$(POSTBUILD)
diff --git a/lfs/web-user-interface b/lfs/web-user-interface
index 0c5688252..73aec3a8d 100644
--- a/lfs/web-user-interface
+++ b/lfs/web-user-interface
@@ -55,6 +55,11 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	mkdir -p /var/updatecache/{download,metadata}
 	cp -aR $(DIR_SRC)/html/* /srv/web/ipfire
 
+	# Add base64 encoded background image to Squid content access page
+	basedata="$$( base64 $(DIR_SRC)/html/html/images/background.gif | tr -d '\n' )"; \
+		sed -i "s|IMAGEDATAPLACEHOLDER|$${basedata}|g" \
+		/srv/web/ipfire/html/redirect-templates/legacy/template.html
+
 	# Change CONFIG_ROOT in cgi-scripts
 	for i in /srv/web/ipfire/cgi-bin/{*,logs.cgi/*,vpn.cgi/*}; do \
 	    if [ -f $$i ]; then \
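Review bot: nothing fails here if background.gif is missing or base64 errors out: `basedata` is then empty and sed silently produces `url(data:image/gif;base64,)`, and the build carries on with a broken page. Test the file before the substitution (`test -f $(DIR_SRC)/html/html/images/background.gif`) or check that `$${basedata}` is non-empty. Style: GNU `base64 -w0` yields the unwrapped string without the `| tr -d '\n'`. The sed expression is safe as written because the base64 alphabet (A-Z, a-z, 0-9, `+`, `/`, `=`) contains neither the `|` delimiter nor `&` or `\`, which sed would otherwise interpret in the replacement; a one-line comment saying so prevents a future "fix" that switches the delimiter to `/`.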


hooks/post-receive
--
IPFire 2.x development tree
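The ssh_config in this push hardens a client that is also used as a jump host, and the review points above (a deprecated option, precedence against the user's own config, what VerifyHostKeyDNS implies) are exactly the things one wants to check mechanically before shipping such a file. The script below is an added example, not code from the IPFire patch: it re-implements the two ssh_config(5) rules that matter for auditing (the first value obtained for a keyword wins, so ~/.ssh/config beats /etc/ssh/ssh_config and an earlier Host block beats a later one; Host patterns are shell-style globs with `!` for negation), computes the effective options for a host, and checks them against a small policy. SAMPLE_CONFIG is constructed from the patch's config/ssh/ssh_config with `@` restored; the DEPRECATED set and the weak-algorithm lists are this example's assumptions, not IPFire's policy, and Match blocks are deliberately unsupported.

```python
"""Audit an OpenSSH client configuration: compute the options ssh(1) will use
for a host under ssh_config(5) precedence, then check them against a policy.

Added example, not part of the IPFire patch.  Supports Host blocks only.
"""
import fnmatch
from typing import Dict, List, Tuple

# Constructed from the patch's config/ssh/ssh_config with '@' restored.
SAMPLE_CONFIG = """\
# OpenSSH client configuration
Host *
        UseRoaming no
        KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
        Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
        MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
        VisualHostKey yes
        VerifyHostKeyDNS yes
        ForwardX11 no
        CheckHostIP yes
        PreferredAuthentications publickey,keyboard-interactive,password
"""

# Options OpenSSH has removed; ssh(1) warns "Deprecated option" and ignores them.
# Assumed list for this example: check it against the OpenSSH version you ship.
DEPRECATED = {"useroaming", "protocol", "rsaauthentication", "rhostsrsaauthentication"}
# Policy for this example: no SHA-1 key exchange, no CBC/RC4/3DES ciphers,
# no MD5/SHA-1 or truncated MACs.
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"}
WEAK_CIPHER_MARKERS = ("-cbc", "arcfour", "3des")
WEAK_MAC_MARKERS = ("md5", "sha1", "-96")

Block = Tuple[List[str], Dict[str, str]]


def parse_ssh_config(text: str) -> List[Block]:
    """Return (host_patterns, options) blocks in file order.

    Options before the first Host line belong to an implicit 'Host *' block.
    Keywords are case-insensitive; 'Key Value' and 'Key=Value' are both valid.
    """
    blocks: List[Block] = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line and " " not in line.split("=", 1)[0]:
            key, value = line.split("=", 1)
        else:
            key, _, value = line.partition(" ")
        key, value = key.strip().lower(), value.strip()
        if key == "host":
            blocks.append((value.split(), {}))
        elif key == "match":
            raise NotImplementedError("Match blocks are not handled by this checker")
        else:
            blocks[-1][1].setdefault(key, value)  # first value within a block wins
    return blocks


def host_matches(patterns: List[str], host: str) -> bool:
    """A host matches if some positive pattern matches and no '!' pattern does."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def effective_options(configs: List[str], host: str) -> Dict[str, str]:
    """configs in the order ssh(1) reads them (~/.ssh/config first, then
    /etc/ssh/ssh_config); the first value obtained for each keyword wins."""
    effective: Dict[str, str] = {}
    for text in configs:
        for patterns, options in parse_ssh_config(text):
            if host_matches(patterns, host):
                for key, value in options.items():
                    effective.setdefault(key, value)
    return effective


def audit(options: Dict[str, str]) -> List[str]:
    """Return human-readable findings for the effective options."""
    findings = []
    for key in sorted(DEPRECATED & set(options)):
        findings.append(f"deprecated option {key}: ssh(1) ignores it and warns on every run")
    for alg in options.get("kexalgorithms", "").split(","):
        if alg in WEAK_KEX:
            findings.append(f"weak KEX offered: {alg}")
    for alg in options.get("ciphers", "").split(","):
        if any(m in alg for m in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher offered: {alg}")
    for alg in options.get("macs", "").split(","):
        if any(m in alg for m in WEAK_MAC_MARKERS):
            findings.append(f"weak MAC offered: {alg}")
    if options.get("verifyhostkeydns", "no").lower() == "yes":
        findings.append("VerifyHostKeyDNS yes: a DNSSEC-validated SSHFP match is accepted "
                        "without a prompt, so host-key trust rests on the resolver")
    if options.get("forwardagent", "no").lower() == "yes":
        findings.append("ForwardAgent yes exposes the local agent to the jump host")
    return findings


if __name__ == "__main__":
    for finding in audit(effective_options([SAMPLE_CONFIG], "fw.example.org")):
        print(finding)
```

Run against the sample alone it reports the deprecated `UseRoaming` and the VerifyHostKeyDNS trust shift; prepend a user config with `Ciphers aes128-cbc` for the same host and the weak cipher shows up as the effective choice, which is the point: a system-wide `Host *` block cannot override what a user sets first, it only fills in what they left unset.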
