Security Patches for the Kernel
#1
Hi,

I use the stable Ayufan kernels. The kernel automatically updates with `apt upgrade`. I am on 4.4.190-1233-rockchip-ayufan-gd3f1be0ed310 right now.
However the last release was more than a year ago on Nov 23, 2019.
https://github.com/ayufan-rock64/linux-kernel/releases

I am beginning to wonder if I can still leave the Rock64 exposted to the internet via SSH or if that's getting too risky.
Is the Rock64 kernel still getting security patches?
  Reply
#2
I take the lack of responses unfortunately as "no, not safe to use any more".

See also "FYI we are demoting the Rock64 board status to Community Supported due issues such as above." from Armbian.
https://forum.pine64.org/showthread.php?...4#pid86494

And this thread about missing updates: https://forum.pine64.org/showthread.php?tid=12226

and this post about official Debian support: https://forum.pine64.org/showthread.php?...0#pid87100
  Reply
#3
The general thing about SSH is, it's safe if you're not making it too easy.
Have a good password and don't login on public hotspots.
Disable root login, and create a new user which can use "sudo su" instead.

Also, you can disable password based logins, and require a valid SSH keys instead, and additionally only allow access from specific IP addresses, which is what we do at the company I'm working for.
This is what all IT companies are doing where I used to work too.
母語は日本語ですが、英語も喋れます(ry
  Reply
#4
(01-06-2021, 11:33 PM)ryo Wrote: The general thing about SSH is, it's safe if you're not making it too easy.
Have a good password and don't login on public hotspots.
Disable root login, and create a new user which can use "sudo su" instead.

Also, you can disable password based logins, and require a valid SSH keys instead, and additionally only allow access from specific IP addresses, which is what we do at the company I'm working for.
This is what all IT companies are doing where I used to work too.

That's why I opted for Armbian. Regular updates etc. Not for everyone I know but well supported.
  Reply
#5
(01-07-2021, 10:27 PM)Rocklobster Wrote:
(01-06-2021, 11:33 PM)ryo Wrote: The general thing about SSH is, it's safe if you're not making it too easy.
Have a good password and don't login on public hotspots.
Disable root login, and create a new user which can use "sudo su" instead.

Also, you can disable password based logins, and require a valid SSH keys instead, and additionally only allow access from specific IP addresses, which is what we do at the company I'm working for.
This is what all IT companies are doing where I used to work too.

That's why I opted for Armbian. Regular updates etc. Not  for everyone I know but well supported.
Not sure what this even has to do with using SSH safely?
母語は日本語ですが、英語も喋れます(ry
  Reply
#6
(01-07-2021, 10:33 PM)ryo Wrote: Not sure what this even has to do with using SSH safely?

Nothing in particular. My point is that a port is exposed to the internet and a deamon could potentially be compromised. And I want to be safe of Kernel exploits in the likes of dirty_COW. So I want to have a system that receives good support and regular Kernel updates:

(01-07-2021, 09:12 AM)kuleszdl Wrote: @kwinz If you don't need USB3 support you can also go with official Debian now - either the unstable/testing distribution or the stable distribution (buster) with the unstable kernel. Personally, I would discourage keeping keeping the SSH port exposed to the Internet if you are running an outdated kernel, even if the ssh server itself is regularly updated. The issue here is that there sometimes are also vulnerabilities in the TCP/IP stack of the kernel which could be exploited.
  Reply
#7
Quite regularly, there are so many vulnerabilities in software discovered that as a general rule of thumb I would say that it is a no-go to run any software that does not receive regular updates fully exposed to the internet. Sure, some software is more vulnerable than others. OpenSSH itself could be considered rather secure in this regard, yet it is noteworthy that it also had quite a few issues in the past:

https://www.cvedetails.com/product/585/O...ndor_id=97

But OpenSSH is not the issue as I assume that you still receive updates for OpenSSH. Regarding the Linux kernel, the situation looks worse:

https://www.cvedetails.com/product/47/Li...ndor_id=33

The best way to run "unmaintained" software in the internet is to put it behind something that is maintained, e.g. you could put your system with the unmaintained kernel/sshd behind another system that runs a secure VPN (like wireguard) for which it receives regular updates. Another option could be things like filtering by source IP etc. but - again - these filters must be implemented on a separate (sub)system that *does* receive regular security updates. But I don't think one of these solutions really makes any sense for your particular case.

I recommend switching to a system that is actively maintained. Possible options:

- switching to Armbian
- switchting to any other Distro where all relevant components receive regular updates
- using Debian unstable
- using Debian stable with a kernel from unstable (if you want to go this way you can find my recommendations how to achieve this here: https://www.kulesz.me/post/140-debian-de...4-install/ )

No matter which solution you choose, keep in mind to look for EOL announcements as these usually require manual steps for migration to a new release that is actively supported. The situation might have been more relaxed a few years back, but as you can see from many reports in the news the threats are rising (I am sure you could find scientific data on that as well but I didn't look for any). In the end, running a well-supported OS with regular automated updates also *feels* a lot better so you probably get to sleep better. :-)
  Reply
#8
This discussion makes me wonder what the status of adding USB3 support to the mainline/upstream kernel is, since it seems like all that's missing is mentioning the USB3 controller in the Rock64's device tree, the stability issues seem to have been resolved in v5.7 with this patch: https://github.com/torvalds/linux/commit...e0edc64822
  Reply
#9
Last time I tried was afair with Kernel 5.9. Meanwhile, kernel 5.11 is almost out of the door, so it's probably worth trying again.
  Reply
#10
Lesson learned: don't buy any hardware that doesn't have full mainline kernel support.
And the vendor (not just the community) needs to have at least 1 full time employee that keeps contributung to Linux for a few years.
I don't want to buy abandonware hardware again. If that costs a bit more then that's fine for me.
  Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  How to boot an older, working kernel bits 0 93 11-01-2024, 04:43 PM
Last Post: bits
  Linux 5.15 Kernel - openSuse mark1250 0 1,526 12-02-2021, 04:36 PM
Last Post: mark1250
  Debian kernel stuck at 4.4.167 Enig123 5 6,558 12-29-2020, 12:57 PM
Last Post: kwinz
  Arch Linux Arm --> Kernel 5.8 breaks installation as365n4 12 14,011 08-31-2020, 01:41 AM
Last Post: as365n4
  mainline kernel sound support Openwrt lucize 2 4,551 05-01-2020, 05:09 PM
Last Post: PakoSt
  5.3 kernel support? csrf 5 8,020 04-18-2020, 11:34 PM
Last Post: CameronNemo
  Help troubleshooting kernel panic gabrielfin 3 5,193 03-02-2020, 04:18 PM
Last Post: gabrielfin
  need a dts file to set some pins as pulldown interrupts in kernel using a DTO dkebler 0 2,238 02-05-2020, 10:58 PM
Last Post: dkebler
  Any advantages to using the mainline kernel dkebler 0 2,342 11-16-2019, 12:17 PM
Last Post: dkebler
  Does anybody run the mainline kernel? CameronNemo 3 5,146 09-09-2019, 07:56 PM
Last Post: CameronNemo

Forum Jump:


Users browsing this thread: 1 Guest(s)