Hardening of the IPFire system

roberto · 16 February 2021 14:29

Hello everyone.

This may be silly, but what about the following:

It would be to put a check which allows or not to make modifications in the IPFire system. In this way, if by obligation your computer suffers from a vulnerability, have some assurance that nothing can be installed that could exploit it.

When the “Do not allow” check is marked, it is not possible to install anything that is not from the official IPFire repository. Also don’t allow mods, Watchdog style or something like that.

I don’t know, maybe it’s silly, but how do you see it?

Regards.

peppetech · 17 February 2021 18:03

How exactly would the second checkmark work?
Do you mean it would lower the Web UI Access controls for the Admin user?

roberto · 18 February 2021 06:57

Hi @peppetech.

It is an example of how it would look, I have done it with “mspaint”.

Well, I’ll explain it to you. The problem with vulnerabilities is that if someone or something accesses the system, they could install malicious software to exploit the vulnerability suffered by the processor.

This checkbox 1) prevents the installation of software not signed and certified by IPFire developers and 2) notifies about modifications made to the system.

The first by enabling the installation of anything that is not in the official repositories and checking the signature and second, by means of a watchdog that analyzes the integrity of the system.

I am thinking that to enable / disable this function, you would need a password other than that of admin / root that would be established in the “setup” (in case you enter the IPFire).

I don’t know if it would be necessary or if this feature would be superfluous due to the existing strength of IPFire.

Perhaps with this it would not matter so much that the computer suffers from vulnerabilities. For example:

I understand (correct me if I’m wrong) that to exploit the vulnerabilities you must have access to the system to voluntarily / unintentionally install software that exploits the vulnerability. It can be you who unintentionally does it or a hacker who accesses the system and compromises the system.

Best.

peppetech · 23 February 2021 08:54

I think you are right you must have ‘root’ access to the system to install software. But I think the Web Interface has root access as well.
Even if you login as ‘admin’ and not ‘root’ you still able to install.

Good question, though, maybe need 2FA or something similar to make sure you are in charge?

sphericalumbra · 25 February 2021 01:20

Provided that it is in a package part of the Pakfire repositories. - A limitation of the web interface’s ‘admin’
Outside of that will definitely need root privileges.

The usefulness of this thing is effectively destroyed once the attacker has already achieved privilege escalation to ‘root’ privileges as root is an all-powerful user and almost nothing can prevent a root user from doing whatever they want on a GNU/Linux system.

Super low-level vulnerabilities like spectre work differently than your typical software vulnerabilities because it works on the inner workings of computers that involve the hardware+firmware level and a really smartass way is typically needed to successfully exploit this remotely i.e. a packet that your Ethernet NIC misprocesses and causes a hardware-level exploit which could be daisy chained to other vulnerabilities like Spectre to potentially gain ‘root’ privileges or higher than ‘root’ privileges that lie on the BIOS-level.

Truth be told, it’s really hard to defend against these and your best bet against this is to erect a good number of walls and combination of different kinds of devices and backup solutions to effectively deter the attackers to the point that they’ll get tired of trying to exploit this against you cause you just keep on preventing them from exploiting it or you keep on restoring whatever progress of exploitation they did against you lol.