Turris Security report 2022/12

• Sent invitations: 1367
• Accepted invitations: 986
• Declined invitations: 77
• Expired invitations: 289
• Pending invitations: 15
• Activated routers: 944

Another major update of operating system of router Turris - Turris OS 1.4 - was released today.

List of changes:

• Connection of ucollect with server is now compressed.
• Added "flow" plugin for monitoring of duration and size of suspicious connections.
• Added option of using CZ.NIC's SMTP server for sending notifications - available in Foris configuration interface. This method has advantage in easier configuration.
• Security update of OpenSSL and Samba packages, fixing vulnerabilities of previous versions.
• Optimized sending of firewall logs.
• Support of updates requiring restart during installation.
• Added support of SATA port multipliers.
• Enabled prefetch in Unbound, yielding possible latency reduction.
• Possibility of installation of DNS server Knot 1.5.

• Sent invitations: 1313
• Accepted invitations: 959
• Declined invitations: 72
• Expired invitations: 282
• Pending invitations: 0
• Activated routers: 932

• Sent invitations: 1313
• Accepted invitations: 990
• Declined invitations: 72
• Expired invitations: 251
• Pending invitations: 0
• Activated routers: 921

We sent 16 invitations today to fill-in freed slots.

• Sent invitations: 1278
• Accepted invitations: 980
• Declined invitations: 73
• Expired invitations: 208
• Pending invitations: 20
• Activated routers: 841

• Sent invitations: 1262
• Accepted invitations: 970
• Declined invitations: 70
• Expired invitations: 201
• Pending invitations: 23
• Activated routers: 791

A new system update will be installed on routers Turris in the following hour. Besides an update of the OpenSSL library announced yesterday, there are also several bugfixes, a new version of the libnetconf library, which should improve speed of the user interface Foris and an improved mechanism for detection of usability of DNS resolvers for forwarding.

A new vulnerability called the CCS injection vulnerability (CVE-2014-0224) was discovered in the OpenSSL library. This vulnerability makes it possible to decrypt communication and tamper with the content.

In project Turris, we have already updated OpenSSL on all our servers, which is the most important step to protect our users, and are preparing an update for the routers which should be available tomorrow. Because an update was not yet present in the OpenWrt repositories, we have submitted a patch.

• Sent invitations: 1231
• Accepted invitations: 972
• Declined invitations: 70
• Expired invitations: 157
• Pending invitations: 34
• Activated routers: 743

A new section dedicated to statistics was added to the website of project Turris. It shows data collected on individual routers summed together to form a global overview.

At present, you will find for example comparison between IPv4 and IPv6 traffic, or information about packets rejected by the firewall. For these, we show an overview of port most connected to, and a map of countries from which the packets come.

It is interesting to note that most blocked packets come from the Czech Republic. This is mostly caused by broadcasts and by different neighbor discovery protocols, such as MikroTik uses on port 5678.

30 invitations expired yesterday and we sent 75 routers. Current numbers are here:

• Sent invitations: 1201
• Accepted invitations: 943
• Declined invitations: 70
• Expired invitations: 137
• Pending invitations: 53
• Activated routers: 672

Second major update of operating system of router Turris - Turris OS 1.2 - was released today.

List of changes:

• Support for accessing the administration interface over HTTPS protocol was added
• Czech localization of LuCi was updated
• Watchdog was added to look over the unbound daemon
• Packages Foris and Ucollect were updated
• A few bugs were fixed in update notifications sending - maximum delay for planned restart was limited to 10 days