Bug 11271

Summary: Download GeoIP database via HTTPS
Product: IPFire
Reporter: Timmothy Wilson <itsuperhack>
Component: ---
Assignee: Matthias Fischer <matthias.fischer>
Status: CLOSED FIXED
QA Contact:
Severity: - Unknown -
Priority: - Unknown -
CC: matthias.fischer
Version: 2
Hardware: all
OS: All

Description Timmothy Wilson 2016-12-12 16:20:46 UTC
The GeoIP database is updated automatically once a month via a cron-job.

However, it is downloaded via a plaintext (HTTP) connection. Since there is no integrity mechanism in place (i.e. SHA2 checksum), an attacker could easily modify information, perhaps in order to avoid getting blocked by the firewall.

MaxMind also offers free HTTPS downloads; geolite.maxmind.com got an "A" from the Qualys SSL Labs Server Test (https://www.ssllabs.com/ssltest/analyze.html?d=geolite.maxmind.com).

In ipfire-2.x/src/scripts/xt_geoip_update, only the following patch needs to be applied:

diff --git a/xt_geoip_update b/xt_geoip_update
index 5e4ffed..e9a95bb 100644
--- a/xt_geoip_update
+++ b/xt_geoip_update
@@ -25,7 +25,7 @@ TMP_FILE=$(mktemp -p $TMP_PATH)
 SCRIPT_PATH=/usr/local/bin
 DEST_PATH=/usr/share/xt_geoip
 
-DL_URL=http://geolite.maxmind.com/download/geoip/database
+DL_URL=https://geolite.maxmind.com/download/geoip/database
 DL_FILE=GeoIPCountryCSV.zip
 
 CSV_FILE=GeoIPCountryWhois.csv
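
Review bot: switching DL_URL to https only protects the download if the command that fetches DL_URL/DL_FILE validates the server certificate, and that command is not part of this hunk; please confirm it runs with certificate verification enabled and that the script aborts on a failed fetch instead of continuing with whatever is in TMP_FILE. The report itself notes that the archive has no checksum, and this change leaves that open, so consider verifying DL_FILE against a digest (if the provider publishes one) before anything is written to DEST_PATH.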

This should be an easy one. :-)

Best regards,
Timmothy Wilson

Comment 2 Matthias Fischer 2017-02-10 12:34:29 UTC
Fixed in current 'next'.