crappyrules
/
mistborn
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Browse Source

tech details, insights, and roadmap

merge-requests/21/head
Steven Foerster 6 years ago
parent
c53f9a6892
commit
2079251659
1 changed files with 29 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 29
      README.md

29
README.md
Unescape View File

@ -268,6 +268,35 @@ Be sure to restart Docker afterward: @@ -268,6 +268,35 @@ Be sure to restart Docker afterward:
sudo systemctl restart docker
```
# Technical and Security Insights
Mistborn was designed and built by a somewhat paranoid senior CNO (computer network operations) engineer with a BS in electrical engineering and an MS in computer science. If you build computer systems and you're not paraoid: you're doing it wrong. I love open source software in general and Linux/BSD systems in particular. My family is a Linux family. We're currently using Linux Mint as a daily driver.
## Attack Surface
- **Wireguard**: Wireguard is the only way in to Mistborn. When new Wireguard profiles are generated they are attached to a random UDP port. Wireguard does not respond to unauthenticated traffic. External probes on the active Wireguard listening ports are not logged and do not appear on the Metrics page.
- **SSH**: If Mistborn is installed over SSH (most common) then an iptables rule is added allowing future SSH connections from the same source IP address. All other external SSH is blocked. Internal SSH (over the Wireguard tunnels) is allowed.
- **Traefik**: Iptables closes web ports (TCP 80 and 443) from external access and additonally all web interfaces are behind the Traefik reverse-proxy. All web requests (e.g. home.mistborn) must be resolved by Mistborn DNS (Pihole/dnsmasq) and originate from a Wireguard tunnel.
## Firewall
- **IPtables**: Iptables rules and chains are manipulated directly. If UFW is present it is disabled. IPtables-persistent is used to save a simple set of secure default rules (most importantly setting the INPUT and FORWARD policies to DROP and allowing ESTABLISHED and RELATED traffic). Additional rules and chains are created by Docker on startup. Mistborn also creates some iptables chains during installation that are saved in the persistent rules. Mistborn iptables chains and rules are designed to work with Docker's with logic that is easy to follow. A power cycle will always result in a working state.
- **PostUp/PostDown**: Wireguard configuration files on Mistborn include PostUp and PostDown directives that set routes and iptables rules for each Wireguard client individually.
- **Wireguard**: There is a one-to-one mapping between each Wireguard client and server instance listening on Mistborn. By design Wireguard clients cannot talk directly to each other but can use shared services and resources on Mistborn (e.g. Syncthing, Nextcloud, Jitisi, etc.)
- **Metrics**: In addition to the iptables INPUT policy set to DROP, an iptables chain exists that logs the packet meta data before dropping it. Mistborn redirects packets that will be dropped to this chain instead. A summary of the data about these dropped packets (unsolicited network traffic) can be found on the Metrics page.
- **Coppercloud**: Coppercloud works by populating ipsets with the ipset module in iptables to DROP (blacklist) or ACCEPT (whitelist) a given set of IP addresses. Upon system startup a celery task will compile the IP addresses, create the ipsets, and iptables rules.
## Additonal Notes
- Interface names are not hardcoded anywhere in Mistborn. Two commands that are used in different circumstances to determine the default network interface and the interface that would route a public IP address are: `ip -o -4 route show to default` and `ip -o -4 route get 1.1.1.1`.
- The "Update" button will pull updated Docker images for mistborn, postgresql, redis, pihole, and dnscrypt. Those services will then be restarted.
# Roadmap
Many features and refinements are in the works at various stages including:
- Option to upload metrics information to Cyber5K to refine each Mistborn instance's firewall
- Option to email default admin Wireguard config file
- Adding more extra services (e.g. Gitlab, Game Servers, etc.)
- Cyber5K marketplace to share Gateway access (to fixed IP addresses or domains, and for a fixed amount of time)
- Mistborn managing wireless interfaces for local access points (stripped down RaspAP)
- Optional periodic backup of local Mistborn config files and credentials to Cyber5K
# Contact
Contact me at [steven@cyber5k.com](mailto:steven@cyber5k.com)

Write Preview
Loading…
Cancel
Save