Michael Tremer

IPFire 2.21 - Core Update 124 is available for testing
by Michael Tremer, September 28

Dear IPFire Community,

Finally, our latest Core Update is available for testing. It is an update full of new features that immensely improves the security and performance of the whole system.

Thanks to the people who contributed to this Core Update by submitting their patches, and please help us to support everyone’s work with your donation!

Kernel Hardening

We have updated the Linux kernel to version 4.14.72, which comes with a large number of bug fixes, especially for network adapters. It has also been hardened against various attack vectors by enabling and testing built-in kernel security features, such as those that prohibit unprivileged users from accessing privileged memory.

Due to this, the update requires a reboot after it has been installed.

OpenSSH Hardening

Peter has contributed a number of patches that improve the security of the SSH daemon running inside IPFire. For those who have SSH access enabled, the daemon will now require modern ciphers and key exchange algorithms, which make the key handshake and the connection not only more secure but also faster when transferring data.

For those admins who use the console: The SSH client now also shows a graphical representation of the host key presented by the server, so that comparing keys is easier and man-in-the-middle attacks can be spotted quickly.

Unbound Hardening

The settings of the IPFire DNS proxy unbound have been hardened to guard against DNS cache poisoning and to use aggressive NSEC by default. The latter reduces the load on DNS servers on the internet through more aggressive caching and makes DNS resolution of DNSSEC-enabled domains faster.

EFI

IPFire now supports booting in EFI mode on systems whose firmware supports it. Some newer hardware only supports EFI mode, and booting IPFire on it was impossible before this update. EFI is only supported on x86_64.

Existing installations won’t be upgraded to use EFI. However, the flash image and systems installed with one of the installation images of this update can be booted in both BIOS and EFI mode.

Although this change does not improve performance, and potentially increases the attack surface of the whole firewall system because of the firmware running underneath the IPFire operating system, we are bringing this change to you to support more hardware. You might consider disabling EFI in the BIOS if your hardware allows for it.

Misc.

Add-Ons

DNSSEC key rollover imminent
by Michael Tremer, September 9

ICANN will roll over the DNSSEC key signing key of the DNS root zone. All resolvers need to be updated so that DNS resolution keeps working after October 11, 2018; otherwise, no DNS names can be resolved any more.

What do I need to do?

We have known about this key rollover for a long time and set up an automatic job that keeps the key up to date. But just to be sure, we are sending you this announcement.

IPFire needs to be on Core Update 106 or newer, which introduced unbound, our new DNS proxy. No manual action is required.

What does this mean?

DNSSEC is used to verify DNS responses from any name server. With those signatures, anyone can trust that the DNS reply that was received was not forged and is the correct one to reach the web server of your bank, and not somebody else’s.

Those signatures are generated from keys that are organised in a hierarchy starting from the DNS root zone (.) down to, for example, www.ipfire.org. Since nobody can hold all keys for all possible domains, the keys of each level are referenced from the next higher level of the hierarchy and signed there in turn. At the highest level, however, there is no higher authority any more. Therefore, every system that uses DNSSEC has a copy of the root key stored. Now, this key is being changed.

To repeat the most important part again: DNS resolution won’t be possible when recent updates have not been installed.

For the nerds

If you want to check if your system has already imported the new key, you can run the following command:

[root@ipfire ~]# dig @localhost trustanchor.unbound -c CH -t TXT

The output should list two keys with the IDs (key tags) 19036 and 20326.

ICANN also provides more information on how to check whether you have the current keys.
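As an added illustration (not part of the original post or of IPFire), here is a small Python check that parses the answer of the dig command above and reports whether the resolver already trusts both root key tags. The TXT layout it assumes is "zone name followed by one (keytag algorithm digest-type) triple per key"; the two sample answers are constructed, not captured from a real system.

```python
import re

# Key tags of the two root-zone KSKs the post says a prepared resolver must list:
# 19036 is the key being retired, 20326 is the new key that takes over in October 2018.
OLD_ROOT_KSK = 19036
NEW_ROOT_KSK = 20326

# Constructed sample answers (not captured from a real system), shaped like the
# answer section of: dig @localhost trustanchor.unbound -c CH -t TXT
# Assumed TXT layout: zone name, then one (keytag algorithm digest-type) triple per key.
SAMPLE_READY = '''
;; ANSWER SECTION:
trustanchor.unbound.\t0\tCH\tTXT\t". 19036 8 2 20326 8 2"
'''
SAMPLE_STALE = '''
;; ANSWER SECTION:
trustanchor.unbound.\t0\tCH\tTXT\t". 19036 8 2"
'''

def root_key_tags(dig_output):
    """Return the set of key tags the resolver trusts for the root zone ('.').

    Only quoted TXT strings are inspected (dig's ';;' comment lines are skipped)
    and only strings whose first field is '.'; the key tag is the first number
    of each triple. A trailing incomplete triple is ignored.
    """
    tags = set()
    for text in re.findall(r'"([^"]*)"', dig_output):
        fields = text.split()
        if len(fields) < 2 or fields[0] != ".":
            continue
        numbers = fields[1:]
        for i in range(0, len(numbers) - len(numbers) % 3, 3):
            if numbers[i].isdigit():
                tags.add(int(numbers[i]))
    return tags

def rollover_status(dig_output):
    """Classify a resolver's readiness for the root KSK rollover."""
    tags = root_key_tags(dig_output)
    if NEW_ROOT_KSK in tags:
        return "ready" if OLD_ROOT_KSK in tags else "ready, old key already retired"
    if OLD_ROOT_KSK in tags:
        return "stale: new root KSK 20326 missing, update before October 11, 2018"
    return "no root trust anchor found"

if __name__ == "__main__":
    for label, sample in (("ready", SAMPLE_READY), ("stale", SAMPLE_STALE)):
        print(label, "->", rollover_status(sample))
```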

IPFire 2.21 - Core Update 123 is available for testing
by Michael Tremer, August 16

The next release of IPFire is available for testing. It is a house-keeping release that contains a large number of fixes and also closes some security vulnerabilities.

Thanks to the people who contributed to this Core Update by submitting their patches, and please help us to support everyone’s work with your donation!

This release ships a large number of microcode updates for various processors (linux-firmware 30.7.2018, intel-microcode 20180807). Most notably, these may fix vulnerabilities in Intel processors or apply mitigations for them. Microcode is now also loaded into the processor earlier during boot, so that the system is protected against attacks sooner.

This update also comes with a large number of smaller changes that improve security and fix bugs:

Add-ons

Protect yourself better against Meltdown, Spectre and other attacks with IPFire on 64 bit
by Michael Tremer, August 2

With IPFire 2.21, we have rebased the distribution on the latest long-term supported branch of the Linux kernel: Linux 4.14. That allows us to get various bug and security fixes from the upstream kernel maintainers and we will be able to update the kernel quicker and more often.

This is especially important given the latest revelations about hardware vulnerabilities in recent Intel, AMD and ARM processors. Mainly I am talking about Meltdown and Spectre here, but I think it is safe to expect many similar vulnerabilities to come. They cannot be fixed in the hardware, because that would require major changes to the architecture, and hardware that has once been released obviously cannot be changed any more.

The Linux kernel maintainers have been working on mitigations that prevent those vulnerabilities from being exploited, but these come at a price. There have been various articles about how the processors are slowed down excessively for various workloads, and there are more downsides to those mitigations. One of them is that they were mainly developed and tested on x86_64. The port to the 32 bit x86 architecture (i586 for IPFire) lags far behind the 64 bit version, since most systems run on the latter now. There are efforts to port the mitigations, but significantly less man-power is going into that. Therefore, we urge everyone whose hardware supports it to re-install the 64 bit version of IPFire.

Additionally, we had to drop grsecurity from IPFire with the latest release. From a technical perspective, this hurts us, since we have lost some pro-active measures that prevented vulnerabilities from being exploited. Some of them have been ported into the mainline kernel, which we get to keep in IPFire, too. Again, the kernel developers pay most attention to the modern 64 bit architectures, which have more hardware features that can be used to reduce the performance penalties of the extra work that has to be done to keep the system secure. Those things never come free of cost.

Ergo, we would like to give the same advice again and ask you to use the 64 bit version of IPFire, to gain the best security from the features that they and we have built while paying the lowest performance penalty possible.
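As an added example (not from the original post or from IPFire), the following Python script reads the per-vulnerability status files that the 4.14 kernel exposes under /sys/devices/system/cpu/vulnerabilities and groups them into "not affected", "mitigated" and "vulnerable", so an admin can see at a glance whether a mitigation is missing, for example on an i586 install. The SAMPLE_STATUS values are constructed, not captured from a real machine.

```python
import os

# Kernel 4.14.y exposes one status file per known CPU vulnerability here; each
# file holds one line such as "Not affected", "Vulnerable" or "Mitigation: PTI".
SYSFS_VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample statuses (not read from a real machine), in the shape the
# 4.14 kernel reports them, so the classifier can be exercised offline.
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
    "spec_store_bypass": "Vulnerable",
    "l1tf": "Not affected",
}

def read_vulnerability_status(sysfs_dir=SYSFS_VULN_DIR):
    """Read every status file in the vulnerabilities directory.

    Returns {} when the directory is absent (kernel too old, or not Linux), so
    callers can tell "no information" apart from "everything mitigated".
    """
    status = {}
    if not os.path.isdir(sysfs_dir):
        return status
    for name in sorted(os.listdir(sysfs_dir)):
        with open(os.path.join(sysfs_dir, name)) as f:
            status[name] = f.read().strip()
    return status

def classify(status):
    """Group vulnerabilities by the kernel's own wording: 'Not affected',
    'Mitigation: ...', or 'Vulnerable' / 'Vulnerable: ...' (the latter means a
    mitigation is only partially in place, e.g. a kernel built without retpolines)."""
    groups = {"not_affected": [], "mitigated": [], "vulnerable": [], "unknown": []}
    for name, line in sorted(status.items()):
        if line == "Not affected":
            groups["not_affected"].append(name)
        elif line.startswith("Mitigation:"):
            groups["mitigated"].append(name)
        elif line.startswith("Vulnerable"):
            groups["vulnerable"].append(name)
        else:
            groups["unknown"].append(name)
    return groups

def needs_attention(status):
    """True when at least one vulnerability is reported as (partially) unmitigated."""
    return bool(classify(status)["vulnerable"])

if __name__ == "__main__":
    live = read_vulnerability_status()          # falls back to the sample when absent
    for group, names in classify(live or SAMPLE_STATUS).items():
        print(f"{group:12s} {', '.join(names) or '-'}")
```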
