Turris Security report 2022/12

Similarly to the IPv4 exhaustion in most RIRs, we have run out of invitations in project Turris. From now on, we will only be able to invite new participants when an invitation either expires or is declined.

• Sent invitations: 1129
• Accepted invitations: 901
• Declined invitations: 65
• Expired invitations: 106 (31 today)
• Pending invitations: 58
• Activated routers: 655

Until the above mentioned update, the integrated firewall was setup to perform the basic service of rejecting and logging incoming packet which are not part of an already established connection. Such packets are usually part of an attempt to enter the network or scan it.

Data gathered from such logs make it possible for us to prepare statistics of most frequent "attackers" and use them further in our research. However, it does not allow us to protect users from other kinds of problems in which the connection is either already established or comes from inside the network, for example from an infected device.

In order to improve the firewall in this area, we added two new functions:

1/ we started to log communication with known centers of botnets for which public records exists,

2/ we started to block access to addresses that are hosting malicious content active on Czech websites.

We have worked on both these functions closely with the CSIRT.CZ team, which provides us with data for blocking of malware hosting hosts and for botnet centers.

Blocking of malicious content is based on the fact that Czech websites injected with malware usually do not host it themselves, but rather …

• Sent invitations: 1053
• Accepted invitations: 843
• Declined invitations: 60
• Expired invitations: 58
• Pending invitations: 92
• Activated routers: 542

• Sent invitations: 953
• Accepted invitations: 760
• Declined invitations: 47
• Expired invitations: 34
• Pending invitations: 112
• Activated routers: 446 (+83 on the way to users)

• Sent invitations: 851
• Accepted invitations: 679
• Declined invitations: 38
• Expired invitations: 12
• Pending invitations: 122
• Activated routers: 420

First major update of operating system of router Turris was released. In order to make it easier to follow the updates, we decided to assign version numbers to major releases. Thus the current update is Turris OS 1.1.

In addition to many fixes and updates of core packages, there are also several improvements in the user interface Foris. You can newly find information about new functionality and package updates there, and it is also possible to have the same information sent by e-mail directly from your router.

This time, on frequent requests, we add the number of activated routers.

• Sent invitations: 745
• Accepted invitations: 596
• Declined invitations: 31
• Pending invitations: 118
• Activated routers: 350

• Sent invitations: 641
• Accepted invitations: 513
• Declined invitations: 22
• Pending invitations: 106

An updated version of OpenSSL was depoyed on our servers on Apr 8th, 2014. In the following days, SSL certificates for our servers were revoked and replaced with new ones. Due to overload on our certification authority's servers, the last certificate was updated on Sat Apr 12th, 2014.

Routers were updated to the new OpenSSL version on Fri Apr 11th, 2014 together with an update of server certificates. It is important that during the whole time, automated updates were safe due to digitally signed packages being used, which are signed on a machine independent of the rest of the deployment infrastructure.

At present, the whole system is updated and safe against Heartbleed.

We've performed a preventive replacement of SSL certificates of Project Turris servers because of a serious OpenSSL bug. Certificates for the main site have already been replaced but we were not able to replace the certificate for server providing the packages yet due to an overload of CA's infrastructure. We strongly discourage from installing packages on your router manually (either using opkg or in LuCI interface), automatic updates of router are safe. We will issue another update after solving this issue.

• Sent invitations: 439
• Accepted invitations: 367
• Declined invitations: 16
• Pending invitations: 56

Several users requested information about the numbers of sent invitations. We decided to publish this information periodically and here is the first batch.

• Sent invitations: 288
• Accepted invitations: 238
• Declined invitations: 10
• Pending invitations: 40