diff --git a/README.md b/README.md index e405505..a47371b 100644 --- a/README.md +++ b/README.md @@ -21,7 +21,7 @@ Ideal for teams who: Mistborn depends on these core open source technologies: - [Docker](https://www.docker.com/why-docker): containerization - [Wireguard](https://www.wireguard.com): secure VPN access -- [SSH](https://www.openssh.com): secure password-less remote management +- [SSH](https://www.openssh.com): secure remote management These tools are not vital to Mistborn itself but are integrated to enhance security, ease, and features: - [iptables](https://www.netfilter.org): The powerful Linux netfilter firewall tool 
@@ -311,18 +311,18 @@ New installations of 18.04 and 20.04 after 25 April 2020 don't seem to be having Owing to changes in docker NAT rules and container DNS resolution, some Wireguard client configurations generated with Mistborn before 25 April 2020 (be sure to update Mistborn) may experience issues after upgrading to Ubuntu 20.04 LTS. Symptoms: can ping but can't resolve DNS. -Solution: Edit the Wireguard client config and set: +Solution: Edit the Wireguard client config and set the DNS directive as follows: ``` DNS = 10.2.3.1 ``` -Close the config and restart the client Wireguard. +Close the config and restart the client Wireguard process. # Technical and Security Insights These are some notes regarding the technical design and implementations of Mistborn. Feel free to contact me for additional details. ## Attack Surface - **Wireguard**: Wireguard is the only way in to Mistborn. When new Wireguard profiles are generated they are attached to a random UDP port. Wireguard does not respond to unauthenticated traffic. External probes on the active Wireguard listening ports are not logged and do not appear on the Metrics page. -- **SSH**: If Mistborn is installed over SSH (most common) then an iptables rule is added allowing future SSH connections from the same source IP address. All other external SSH is blocked. Internal SSH (over the Wireguard tunnels) is allowed. Password authentication is disabled. The SSH key for the `mistborn` user is only accepted from internal source IP addresses. Fail2ban is also installed. +- **SSH**: If Mistborn is installed over SSH (most common) then an iptables rule is added allowing future SSH connections from the same source IP address. All other external SSH is blocked. Internal SSH (over the Wireguard tunnels) is allowed. Password authentication is allowed. The SSH key for the `mistborn` user is only accepted from internal source IP addresses. Fail2ban is also installed. 
- **Traefik**: Iptables closes web ports (TCP 80 and 443) from external access and additonally all web interfaces are behind the Traefik reverse-proxy. All web requests (e.g. home.mistborn) must be resolved by Mistborn DNS (Pihole/dnsmasq) and originate from a Wireguard tunnel. - **Docker**: When Docker exposes a port it creates a PREROUTING rule in the NAT table to catch eligible network requests. This means that even if your INPUT chain policy is DROP, your docker containers with exposed ports can receive and respond to traffic. Whenever Mistborn brings up a docker container with an exposed port it creates an iptables rule to block external traffic to that service.
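Review bot: In the first hunk (README dependency list), dropping "password-less" from the SSH bullet silently removes a security property the README previously advertised, without saying why. If the project has really moved from key-only to password-capable SSH, the bullet should say so explicitly rather than just becoming vaguer, e.g. `- [SSH](https://www.openssh.com): secure remote management (key or password authentication; see Attack Surface)`, so that readers of the dependency list are not surprised by the change documented further down.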
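Review bot: In the second hunk, the Attack Surface entry flips from "Password authentication is disabled." to "Password authentication is allowed." with no rationale, and that is a weakening of the documented SSH posture that deserves justification in the same change. As written, the sentence now sits next to "All other external SSH is blocked" and "The SSH key for the `mistborn` user is only accepted from internal source IP addresses", so it is unclear whether passwords are accepted from the installer's whitelisted external IP as well, or only over Wireguard; please state the scope (e.g. "Password authentication is allowed only from internal source IP addresses") and confirm it matches the actual `sshd_config` (`PasswordAuthentication`) shipped by the installer. If enabling passwords is intentional for recovery or first-login convenience, say so and note that the Fail2ban mention now carries real weight since password brute force becomes possible wherever passwords are accepted. Unrelated drive-by in the unchanged Traefik context line: "additonally" should be "additionally". The DNS troubleshooting wording changes ("set the DNS directive as follows", "restart the client Wireguard process") are fine.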