in terms of a stable release, improving security some more has been weighing on my mind.
One of the things cero does differently than openwrt is that it uses the xinetd daemon. Rather than having things like dropbear or rsync listening directly on ports, it specifically only allows access to certain services (like ssh) from certain ip addresses. There are also sensors for connection attempts via ftp or telnet that disable all services when someone accesses them, for 120 minutes by default. See /etc/xinetd.conf and the /etc/xinetd.d dir for details.

However, this layer of defense is incomplete, as several processes, notably the configuration gui, upnp, and so on, are separate daemons with their own access controls. Worse, many attacks nowadays come from the inside, and should be dealt with...

Since we've been fiddling with ipsets on the bcp38 front it would be rather easy to hook up xinetd's mechanism with that to do the same blocking for *all* services from that specific IP. All it needs is a fork and exec in the sensor to run a script like this:

    #!/bin/sh
    # $1 = addr type (ipv4 or ipv6)
    # $2 = addr
    # $3 = timeout in seconds
    # add the offending address ($2) to the per-family set, expiring after $3 seconds
    ipset add "badboys-$1" "$2" timeout "$3"

... and use the firewall rules to check that ipset for badboy IPs.

The xinetd.org site is dead seemingly, but copies of the last release are widely available. Would probably be a very small patch if someone wants to take it on...

Is there anything else out there as tight and secure as xinetd for spawning network services or doing intrusion monitoring?

--
Dave Täht
Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html

_______________________________________________
Cerowrt-devel mailing list
[email protected]
https://lists.bufferbloat.net/listinfo/cerowrt-devel
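A fuller version of the sensor hook sketched in the post, as an added example that is not from the post, cerowrt or xinetd. It assumes the three positional arguments the post describes (address family as ipv4/ipv6, the address, a timeout in seconds); the set names badboys-ipv4/badboys-ipv6, the one-time set and firewall setup, the argument checks and the DRY_RUN switch are this example's own choices. The checks matter because the arguments would arrive from a daemon that just saw hostile traffic, so nothing from them should reach a command line unvalidated.

```sh
#!/bin/sh
# Added example (not cerowrt/xinetd code): the script a patched xinetd sensor
# would fork/exec when it trips. Usage: block_addr <ipv4|ipv6> <addr> <seconds>
# Assumed argument layout is the one in the post; set names and DRY_RUN are mine.

# Run a command, or just print it when DRY_RUN=1, so the logic can be
# exercised on a machine without ipset/iptables or root.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Cheap syntax check on the address for the given family, so a crafted string
# handed over by the sensor can never be spliced into an ipset command.
valid_addr() {
    case "$1" in
        ipv4) printf '%s\n' "$2" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ;;
        ipv6) printf '%s\n' "$2" | grep -Eiq '^[0-9a-f:]+$' &&
              case "$2" in *:*) ;; *) return 1 ;; esac ;;
        *) return 1 ;;
    esac
}

# One-time setup: a hash:ip set per family created with timeout support
# ("timeout 0" = entries live forever unless given their own timeout), plus
# a firewall rule per family dropping anything whose source is in the set.
# -exist keeps the create idempotent; the iptables lines are not, so run once
# (or guard them with "iptables -C ..." in a real init script).
setup_sets() {
    run ipset create badboys-ipv4 hash:ip family inet  timeout 0 -exist
    run ipset create badboys-ipv6 hash:ip family inet6 timeout 0 -exist
    run iptables  -I INPUT -m set --match-set badboys-ipv4 src -j DROP
    run ip6tables -I INPUT -m set --match-set badboys-ipv6 src -j DROP
}

# Sensor hook: validate all three arguments, then add the address to the
# family's set with a per-entry timeout (7200 = the post's 120-minute default).
block_addr() {
    fam=$1; addr=$2; ttl=$3
    case "$fam" in
        ipv4|ipv6) ;;
        *) echo "block_addr: bad family '$fam'" >&2; return 1 ;;
    esac
    case "$ttl" in
        ''|*[!0-9]*) echo "block_addr: bad timeout '$ttl'" >&2; return 1 ;;
    esac
    valid_addr "$fam" "$addr" || { echo "block_addr: bad address '$addr'" >&2; return 1; }
    # -exist: re-adding an address that is already listed just refreshes its timer
    run ipset add "badboys-$fam" "$addr" timeout "$ttl" -exist
}

# When invoked by the sensor with three arguments, act on them; otherwise the
# functions are only defined (handy for sourcing and testing).
if [ "$#" -eq 3 ]; then
    block_addr "$@"
fi
```

With DRY_RUN=1 the script prints the ipset/iptables commands it would run, which is the quickest way to eyeball what a sensor trip would do before wiring it into a patched xinetd; the firewall rules live outside the script so the sets are checked for every service, not just the xinetd-spawned ones.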
