PINE64
Security Patches for the Kernel - Printable Version

+- PINE64 (https://forum.pine64.org)
+-- Forum: ROCK64 (https://forum.pine64.org/forumdisplay.php?fid=85)
+--- Forum: Linux on Rock64 (https://forum.pine64.org/forumdisplay.php?fid=88)
+--- Thread: Security Patches for the Kernel (/showthread.php?tid=12652)



Security Patches for the Kernel - kwinz - 12-28-2020

Hi,

I use the stable Ayufan kernels. The kernel automatically updates with `apt upgrade`. I am on 4.4.190-1233-rockchip-ayufan-gd3f1be0ed310 right now.
However the last release was more than a year ago on Nov 23, 2019.
https://github.com/ayufan-rock64/linux-kernel/releases

I am beginning to wonder if I can still leave the Rock64 exposed to the internet via SSH or if that's getting too risky.
Is the Rock64 kernel still getting security patches?


RE: Security Patches for the Kernel - kwinz - 01-06-2021

I take the lack of responses unfortunately as "no, not safe to use any more".

See also "FYI we are demoting the Rock64 board status to Community Supported due issues such as above." from Armbian.
https://forum.pine64.org/showthread.php?tid=6187&pid=86494#pid86494

And this thread about missing updates: https://forum.pine64.org/showthread.php?tid=12226

and this post about official Debian support: https://forum.pine64.org/showthread.php?tid=9744&pid=87100#pid87100


RE: Security Patches for the Kernel - ryo - 01-06-2021

The general thing about SSH is, it's safe if you're not making it too easy.
Have a good password and don't login on public hotspots.
Disable root login, and create a new user which can use "sudo su" instead.

Also, you can disable password based logins, and require valid SSH keys instead, and additionally only allow access from specific IP addresses, which is what we do at the company I'm working for.
This is what all IT companies are doing where I used to work too.
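The settings ryo lists (no root login, no password logins, keys only, access only from specific addresses) all live in sshd_config, and a common mistake is to set them in a way sshd never applies: sshd takes the first value it sees for a keyword, and anything below a "Match" line only applies inside that block. The following audit script is an added example written for this thread, not code from the Rock64 images, Ayufan's kernel tree or OpenSSH itself. It reads a config the way sshd does, reports each recommended setting as ok or WEAK, and runs against two constructed sample configs (the 203.0.113.0/24 range is a documentation address range, not a real office).

```shell
#!/bin/sh
# Audit an sshd_config against the hardening points made in this thread:
# no root login, no password logins (keys only), source addresses restricted.
# Added example, not part of the Rock64 images or of OpenSSH.
#
# sshd uses the FIRST value it sees for a keyword; settings after a "Match"
# line apply only to that Match block. So: read top to bottom, take the first
# value, stop at the first "Match", fall back to sshd's default when absent.

# effective_value FILE KEYWORD DEFAULT -> prints the value sshd would use
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        { sub(/^[[:space:]]+/, "") }              # drop leading blanks
        /^#/ || /^$/ { next }                     # comments and empty lines
        {
            split($0, f, /[[:space:]=]+/)         # "Key value" or "Key=value"
            k = tolower(f[1])
            if (k == "match") exit                # global section ends here
            if (k == key) { print tolower(f[2]); found = 1; exit }
        }
        END { if (!found) print tolower(def) }    # exit above still runs END
    ' "$1"
}

# has_source_restriction FILE -> exit 0 if connections are limited by source:
# an AllowUsers entry of the form user@host, or a "Match Address" block
has_source_restriction() {
    awk '
        { sub(/^[[:space:]]+/, "") }
        /^#/ || /^$/ { next }
        {
            k = tolower($1)
            if (k == "allowusers") for (i = 2; i <= NF; i++) if ($i ~ /@/) ok = 1
            if (k == "match" && tolower($0) ~ /address/) ok = 1
        }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# check_setting FILE KEYWORD DEFAULT WANTED REASON -> one ok:/WEAK: line
check_setting() {
    got=$(effective_value "$1" "$2" "$3")
    if [ "$got" = "$4" ]; then
        printf 'ok:   %s %s\n' "$2" "$got"
    else
        printf 'WEAK: %s is "%s" (want "%s"): %s\n' "$2" "$got" "$4" "$5"
    fi
}

# audit_sshd_config FILE -> prints one line per check
audit_sshd_config() {
    check_setting "$1" PermitRootLogin prohibit-password no "log in as a normal user and use sudo instead"
    check_setting "$1" PasswordAuthentication yes no "keys only; a guessable password is the easy way in"
    check_setting "$1" PubkeyAuthentication yes yes "must stay on once passwords are off"
    # keyboard-interactive (PAM) can still prompt for a password even with
    # PasswordAuthentication no; OpenSSH 8.7+ names this KbdInteractiveAuthentication
    check_setting "$1" ChallengeResponseAuthentication yes no "PAM password prompts bypass PasswordAuthentication no"
    if has_source_restriction "$1"; then
        printf 'ok:   source addresses restricted (AllowUsers user@host or Match Address)\n'
    else
        printf 'WEAK: no AllowUsers user@host or Match Address block: sshd answers any source address\n'
    fi
}

# weak_setting_count FILE -> prints the number of WEAK findings
weak_setting_count() {
    audit_sshd_config "$1" | awk '/^WEAK:/ { n++ } END { print n + 0 }'
}

# Constructed sample configs (not taken from any Rock64 image).
WEAK_CFG=$(mktemp) HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# out-of-the-box style config: root allowed, everything else left at defaults
Port 22
PermitRootLogin yes
#PasswordAuthentication no   commented out, so the default (yes) applies
UsePAM yes
EOF
cat > "$HARD_CFG" <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
# only this user, and only from the office/VPN range (constructed, 203.0.113.0/24)
AllowUsers admin@203.0.113.0/24
Match Address 203.0.113.0/24
    PasswordAuthentication no
EOF

printf '== weak config ==\n';     audit_sshd_config "$WEAK_CFG"
printf '== hardened config ==\n'; audit_sshd_config "$HARD_CFG"
```

To audit a live host, run `audit_sshd_config /etc/ssh/sshd_config` as a user that can read the file; `sshd -T` prints the effective configuration sshd actually loaded and is the authoritative cross-check when includes or Match blocks make the file hard to read by eye. The script only covers what sshd itself enforces; a firewall rule limiting the source addresses that can reach the port is a separate control and is not checked here.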


RE: Security Patches for the Kernel - Rocklobster - 01-07-2021

(01-06-2021, 11:33 PM)ryo Wrote: The general thing about SSH is, it's safe if you're not making it too easy.
Have a good password and don't login on public hotspots.
Disable root login, and create a new user which can use "sudo su" instead.

Also, you can disable password based logins, and require valid SSH keys instead, and additionally only allow access from specific IP addresses, which is what we do at the company I'm working for.
This is what all IT companies are doing where I used to work too.

That's why I opted for Armbian. Regular updates etc. Not for everyone I know but well supported.


RE: Security Patches for the Kernel - ryo - 01-07-2021

(01-07-2021, 10:27 PM)Rocklobster Wrote:
(01-06-2021, 11:33 PM)ryo Wrote: The general thing about SSH is, it's safe if you're not making it too easy.
Have a good password and don't login on public hotspots.
Disable root login, and create a new user which can use "sudo su" instead.

Also, you can disable password based logins, and require valid SSH keys instead, and additionally only allow access from specific IP addresses, which is what we do at the company I'm working for.
This is what all IT companies are doing where I used to work too.

That's why I opted for Armbian. Regular updates etc. Not for everyone I know but well supported.

Not sure what this even has to do with using SSH safely?


RE: Security Patches for the Kernel - kwinz - 01-08-2021

(01-07-2021, 10:33 PM)ryo Wrote: Not sure what this even has to do with using SSH safely?

Nothing in particular. My point is that a port is exposed to the internet and a daemon could potentially be compromised. And I want to be safe from Kernel exploits in the likes of dirty_COW. So I want to have a system that receives good support and regular Kernel updates:

(01-07-2021, 09:12 AM)kuleszdl Wrote: @kwinz If you don't need USB3 support you can also go with official Debian now - either the unstable/testing distribution or the stable distribution (buster) with the unstable kernel. Personally, I would discourage keeping the SSH port exposed to the Internet if you are running an outdated kernel, even if the ssh server itself is regularly updated. The issue here is that there sometimes are also vulnerabilities in the TCP/IP stack of the kernel which could be exploited.



RE: Security Patches for the Kernel - kuleszdl - 01-15-2021

Quite regularly, there are so many vulnerabilities in software discovered that as a general rule of thumb I would say that it is a no-go to run any software that does not receive regular updates fully exposed to the internet. Sure, some software is more vulnerable than others. OpenSSH itself could be considered rather secure in this regard, yet it is noteworthy that it also had quite a few issues in the past:

https://www.cvedetails.com/product/585/Openbsd-Openssh.html?vendor_id=97

But OpenSSH is not the issue as I assume that you still receive updates for OpenSSH. Regarding the Linux kernel, the situation looks worse:

https://www.cvedetails.com/product/47/Linux-Linux-Kernel.html?vendor_id=33

The best way to run "unmaintained" software on the internet is to put it behind something that is maintained, e.g. you could put your system with the unmaintained kernel/sshd behind another system that runs a secure VPN (like wireguard) for which it receives regular updates. Another option could be things like filtering by source IP etc. but - again - these filters must be implemented on a separate (sub)system that *does* receive regular security updates. But I don't think one of these solutions really makes any sense for your particular case.

I recommend switching to a system that is actively maintained. Possible options:

- switching to Armbian
- switching to any other Distro where all relevant components receive regular updates
- using Debian unstable
- using Debian stable with a kernel from unstable (if you want to go this way you can find my recommendations on how to achieve this here: https://www.kulesz.me/post/140-debian-devuan-arm64-install/ )

No matter which solution you choose, keep in mind to look for EOL announcements as these usually require manual steps for migration to a new release that is actively supported. The situation might have been more relaxed a few years back, but as you can see from many reports in the news the threats are rising (I am sure you could find scientific data on that as well but I didn't look for any). In the end, running a well-supported OS with regular automated updates also *feels* a lot better so you probably get to sleep better. :-)


RE: Security Patches for the Kernel - DusXMT - 01-16-2021

This discussion makes me wonder what the status of adding USB3 support to the mainline/upstream kernel is, since it seems like all that's missing is mentioning the USB3 controller in the Rock64's device tree, the stability issues seem to have been resolved in v5.7 with this patch: https://github.com/torvalds/linux/commit/7ba6b09fda5e0cb741ee56f3264665e0edc64822


RE: Security Patches for the Kernel - kuleszdl - 01-16-2021

Last time I tried was afair with Kernel 5.9. Meanwhile, kernel 5.11 is almost out of the door, so it's probably worth trying again.


RE: Security Patches for the Kernel - kwinz - 10-22-2021

Lesson learned: don't buy any hardware that doesn't have full mainline kernel support.
And the vendor (not just the community) needs to have at least 1 full time employee that keeps contributing to Linux for a few years.
I don't want to buy abandonware hardware again. If that costs a bit more then that's fine for me.