Some security and privacy concerns: Ucollect, Service emulation, data collection and adaptive firewall

Hello everyone,

I own a Turris Omnia and have some questions that are very relevant for user security and privacy, but I could not find satisfying answers. I’ve looked everywhere including the CZ forum but found no definitive answers. @Pepe, Turris project people or others who know the answers to these questions, please let me know.

My questions:

  1. Does the adaptive firewall (automatically applied new rules against new threats from Turris) only work when participating in the data sharing program? This is essential to know because some people bought this router with this security feature in mind. I don’t want to have a false sense of security if this function is only enabled in certain situations.

  2. Initially in the campaign you guys mentioned the honeypot system, which was later transferred into the (somewhat limited) HaaS service. Unfortunately the HaaS service is only for SSH login attempts. However, there is also an emulation option to simulate often abused services under the -> Data Sharing tab. What happens to this emulated service data? Is this being sent to Turris for internal research purposes, or can I see the data as well? (This is really handy for identifying attacks, especially for advanced users of your products.)

  3. It seems that future data collection will be handled through a new system called: Turris Sentinel, which is still in development as I’ve read. Will the user have access to this data?

Regards,
Jack

I was meaning to ask the same. It’s not really clear from e.g. https://project.turris.cz/en/security

I also wanted to review the rules created and applied to my router.

And I was wondering if it would be advisable to configure the preinstalled Suricata for its intended IDS/IPS purpose, utilizing e.g. these rules https://rules.emergingthreats.net/open/suricata/rules/

Absolutely @spike411

You made a very good point about using Suricata for its intended purpose. Right now all of these factors are kinda vague. To me this is NOT good since they are preaching the Turris routers as SECURE, OPEN SOFTWARE, OPEN HARDWARE. Then the least they can do is be OPEN to privacy/security related questions and be transparent about how these mechanisms work.

Regards

To my knowledge that is the current state, but it was mentioned somewhere that it would change in a future update and the adaptive firewall rules would be provided independently of the participation.

It was rather a separation of services, and thus HaaS covers SSH as the sole interest of the project.

By joining the project, your router will act as a probe which analyzes traffic between your home network and the Internet and helps to identify malicious data flows. Once such a flow is detected your router notifies the Turris headquarters which can compare the flow with data from the rest of the probes and assign it a threat level.

Log into https://project.turris.cz and you are presented with “Data from your router”.

Hello @anon50890781

I appreciated the response. So far I’m still trying to figure out what happens when sharing data combined with running all the (additional) emulated services option and including the username and password option.

If I understand you correctly, your current understanding is that the only data visible to the end-user is the one on the project.turris.cz site.

This is kinda odd since the data is very generic, nothing in depth or of true value to detecting malicious behaviors. In the data sharing / emulation settings I’ve enabled everything and I’ve also enabled the ‘collect username / passwords’ option. However, it seems that the suspicious patterns or data collected, as well as possible logins and passwords, are only to be seen by Project Turris internally, which is really unfortunate. I would have loved to access this data. I don’t mind giving the data and participating, as long as I’m able to see and assess the data myself as well.

It seems that lots of things within Project Turris get delayed and they have a lack of time/funding. This does not really give me much confidence in their ability to dedicate resources to analyze and implement quick security fixes for possible attacks.

Therefore it would be nice if we as a community could help and also check for patterns/attacks on our own. There are plenty of people capable of analyzing the data.

There is no big deal in analyzing such data and to implement instant counter measures nor does it even require some fancy AI, at least not for the basics.

A good example of such is ConfigServer Security and Firewall (csf) – ConfigServer Services, which lets the user access collected data locally though. Suppose implementing data sharing via a central point is no feat.

I used CSF on most of my other Linux boxes but have recently started to deploy nft instead of ipt, and the former is not supported by CSF, but then neither is FW3 of the TO repo.

CSF for instance can tap into data from CISCO’s TALOS Comprehensive Threat Intelligence (250+ full-time threat researchers | 1100+ decoy systems and other threat traps | Millions of telemetry agents) and it would certainly be interesting to know how Turris Sentinel fares in comparison.