furrywolf | "Most of the Linux distributions we tested were vulnerable, especially Linux distributions that use a version of systemd pulled after November 28th of last year which turned reverse path filtering off," | 03:49 |
---|---|---|
onefang | That's very simple to check and fix. | 03:50 |
onefang | /etc/sysctl.conf should have lines like - | 03:51 |
xrogaan | what is the problem? | 03:51 |
onefang | # Uncomment the next two lines to enable Spoof protection (reverse-path filter) | 03:51 |
onefang | # Turn on Source Address Verification in all interfaces to | 03:51 |
onefang | # prevent some spoofing attacks | 03:51 |
onefang | net.ipv4.conf.default.rp_filter=1 | 03:51 |
onefang | net.ipv4.conf.all.rp_filter=1 | 03:51 |
furrywolf | I'm just amused that once again systemd is breaking something people take for granted, likely for no reason. | 03:52 |
onefang | Or something in /etc/sysctl.d should have that. | 03:52 |
onefang | The problem reported is issues with naughty people messing with your VPN connection. | 03:53 |
furrywolf | I guess I shouldn't gloat, it seems to be disabled in ascii too, without systemd being involved. | 03:57 |
onefang | It may have been inherited from Debian, I've not checked. | 03:58 |
furrywolf | hrmm, I'm not sure why it was disabled. I'm not easily finding an answer googling, and disabling it entirely seems to present a lot more security issues than just twiddling vpns. | 04:14 |
furrywolf | "Current recommended practice in RFC3704 is to enable strict mode" | 04:15 |
fsmithred | those lines are commented in my ascii | 04:50 |
furrywolf | mine as well, and sysctl -ar '\.rp_filter' confirms it's off on all interfaces | 04:50 |
gnarface | so basically the summary of this vulnerability is just don't have rp_filter off for devices on networks with untrustworthy peers still, right? | 05:01 |
gnarface | is that actually even news? | 05:02 |
gnarface | or is this like "shellshock" ? | 05:02 |
gnarface | where someone is making press about something that has been known | 05:02 |
gnarface | ...for ages | 05:02 |
gnarface | or is there actually something new? | 05:02 |
furrywolf | it seems like a new attack that is prevented by an existing mitigation that got disabled because nothing was attacking it for a while | 05:02 |
gnarface | got it | 05:03 |
gnarface | on that note, syncookies should probably be enabled too | 05:04 |
gnarface | (the next entry, and also commented out it looks like...) | 05:04 |
furrywolf | it's commented out, but it either defaults to 1, or something else turned it on, because it's showing as 1 here. | 05:05 |
gnarface | oh | 05:07 |
gnarface | well that's good | 05:07 |
gnarface | hmm, but rp_filter is not | 05:09 |
gnarface | odd | 05:09 |
furrywolf | what I can't find is why rp_filter was set to 0... everything I found says the recommendation is to have it on, as it prevents several kinds of attacks, and only breaks unusual asymmetric routing schemes, the kind of which if you have one you'd probably know enough to manually disable it. | 05:09 |
gnarface | however the config file i have indicates it SHOULD be also on by default... yea | 05:09 |
gnarface | so now this looks like actual sabotage | 05:09 |
gnarface | someone changed that default in the kernel | 05:09 |
gnarface | and they forgot to cover their tracks in the config | 05:09 |
gnarface | the comments should indicate defaults by convention | 05:09 |
gnarface | that's not a smoking gun, but it's highly suspicious | 05:10 |
furrywolf | if you have a routing setup where packets for the same connection arrive on a different interface than they leave on, like old satellite setups that used a dialup model for uplink and the satellite for downlink, rp_filter will break it. there's not a lot of such connections... | 05:10 |
furrywolf | s/model/modem | 05:11 |
gnarface | right, multipath routing where your inbound packets don't arrive at the same IP as the outbound ones | 05:11 |
gnarface | right? | 05:11 |
gnarface | different than multiple devices sharing an ip | 05:12 |
furrywolf | yes | 05:13 |
furrywolf | or same ip but different interface, or something. | 05:13 |
furrywolf | basically, it objects if a packet arrives on an interface that is not the interface it would use to send a packet to that address | 05:14 |
furrywolf | like being unhappy if packets that claim to be from your local private lan block arrive on the internet connection. which is a good thing. and should not ever have been turned off. | 05:14 |
furrywolf | https://access.redhat.com/solutions/53031 even redhat defaults to it being on, and provides instructions on how to disable it for the few people with such routing. | 05:25 |
furrywolf | for debian, it could be an oversight? it seems like setting up spoofing protection was previously handled by a script, then was moved to sysctl and the procps package, and never actually done? trying to wade through various bug reports. | 05:34 |
furrywolf | someone who has figured out how to actually report bugs properly might want to report one against procps on debian | 05:44 |
furrywolf | ... although I guess now no one cares, since systemd is in charge of networking security. | 05:53 |
furrywolf | rather than maliciousness, I'm suspecting it's just an oversight... when netbase went away, a file should have been added to /etc/sysctl.d to enable spoofing protection. ubuntu adds this file to their version of procps. | 06:00 |
furrywolf | but on debian, this file was either never added, or got removed with people not realizing it was important. | 06:01 |
golinux | Do not attribute to oversight what could be pure stupidity | 06:05 |
furrywolf | I'm going to stop poking at this, as I'm not getting any further... something should be setting rp_filter to 1, but nothing is. this could be an oversight, and debian has been insecure since the netbase package was removed, or this could be a recent thing where all such duties were handed off to systemd. if the latter case, it's probably devuan's responsibility to include this file. ubuntu has a file that does it in their distro. | 06:33 |
furrywolf | on the plus side, the vulnerability report actually mentions testing it on devuan, so devuan is now popular enough that random people are using it to test vulnerabilities. :) | 06:34 |
xrogaan | We got that going for us, which is nice. | 06:37 |
enyc | furrywolf making good point, I wonder it used to be an /etc/sysctl.d/ file | 09:11 |
* enyc meows | 16:36 | |
* MinceR meows | 16:36 | |
* odinfinch nyaas | 16:57 | |
mason | Centurion_Dan, Walex, fling: So, the Syba USB audio adapter came in, and it's completely knocked out the popping issue, being a different code path, etc. It sounds absolutely lovely. Somehow I feel like it sounds better than the built-in audio, which was okay when it wasn't popping at being initially opened. | 17:40 |
mason | Seven dollar part, problem solved. | 17:40 |
mason | xrogaan: In looking for whom I'd been talking to about audio stuff, I noted your frustration with Firefox and PulseAudio. Remember: You don't need PulseAudio for Firefox in De*an. The way Debian packages it, you can just use ALSA and it works fine. I do that on multiple systems here. | 17:41 |
xrogaan | no, no, it's a firefox problem. | 17:50 |
xrogaan | if you have a .1 setup and a mono stream, firefox will output on the .1 channel and not on all channels like properly designed software needs to do. | 17:51 |
mason | xrogaan: Ah, I didn't see any context, just the one line that was saying you were annoyed. | 17:51 |
xrogaan | I am annoyed :P | 17:51 |
mason | I'm sorry. | 17:51 |
xrogaan | How do I tell pulseaudio to output a mono stream on all channels? | 17:51 |
xrogaan | giant pile of annoyances that is pulseaudio, designed by microsoft lovers surely. /s | 17:54 |
mason | xrogaan: Hrm. I suspect it's possible somehow but I'm not entirely sure how. There are certain things PulseAudio can do with redirecting and splitting sound that are arguably useful. Luckily I don't need any of them, so I just don't run it. | 18:09 |
mason | xrogaan: IIRC, there was a graphical tool I used once that let me set an arbitrary set of targets for a stream - to both a capture program and an output - so maybe looking for such a tool would be uesful. | 18:10 |
mason | useful | 18:10 |
xrogaan | yes | 18:10 |
xrogaan | hasn't really changed since the first time I used pulseaudio | 18:11 |
mason | xrogaan: http://www.6by9.net/configuring-pulseaudio-for-multiple-output-devices/ | 18:11 |
mason | Anyway, I've got to bail out, but I'll check in later. | 18:12 |
xrogaan | need to sleep too | 18:13 |
xrogaan | see, this shit isn't made for humans: | 18:14 |
xrogaan | /usr/bin/pacmd set-card-profile alsa_card.pci-0000_02_05.0 output:analog-stereo | 18:14 |
xrogaan | what's up with 0000_02_05.0?! | 18:14 |
ErRandir_ | on x86 running ASCII I have a per-user directory under /run/users/. On arm I do not have that. What creates this directory? | 23:52 |