Bug 12658 - DDNS password sent in cleartext for noip.com
Status: CLOSED FIXED
Product: DDNS Updater
Classification: Unclassified
Component: Core
Version: unspecified
Hardware: x86_64 Linux
Importance: - Unknown - Security
Assignee: Stefan Schantl
QA Contact: Michael Tremer
Reported: 2021-07-08 14:46 UTC by Dean Taylor
Modified: 2024-01-09 22:27 UTC

Attachments
A screenshot of the IPS preventing the password from being sent, because it is in cleartext. (7.80 KB, image/png)
2021-07-08 14:46 UTC, Dean Taylor
Description Dean Taylor 2021-07-08 14:46:28 UTC
Created attachment 926
A screenshot of the IPS preventing the password from being sent, because it is in cleartext.

The Dynamic DNS updater Service for No-IP uses no encryption for password authentication.

The Dynamic DNS provider No-IP does provide support for updater agents via http or https. Their documentation can be seen here. https://www.noip.com/integrate/request

The No-IP updater in IPFire uses HTTP(80) instead of HTTPS(443). I discovered this by turning on an IPS rule. Steps to reproduce on IPFire 2.25 (x86_64) - Core Update 157...

Phase 1 - Set up a rule to catch this policy violation
1. Sign into IPFire.
2. Navigate to Firewall > Intrusion Prevention.
3. Checkmark "Enable Intrusion Prevention System" > Click "Save".
4. Change the "Ruleset" dropdown to "Emergingthreats.net Community Rules" > Click "Save".
5. Find the ruleset named "emerging-policy.rules" and check its checkbox.
6. Click "Show" to the right of this ruleset, verify there is a checkmark next to the rule name "ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted", if it is not checked then check it.
7. Scroll to the bottom of the page and click "Apply".

Phase 2 - Set up a DDNS to test
1. Register a DDNS at noip.com.
2. Sign into IPFire.
3. Navigate to Services > Dynamic DNS.
4. In the "Add a Host" section, change the dropdown for "Service:" to "no-ip.com", in the "Hostname:" field enter the DDNS you registered, in the "Username:" field enter the username you used to register at noip.com, in the "Password:" field enter the password you used to register at noip.com, click "Add".

Phase 3 - Verify results
1. Sign into IPFire.
2. Navigate to Services > Dynamic DNS.
3. Click "Instant Update" to make sure the logs have a recent event, so it is easier to find.
4. Navigate to "Logs > System Logs".
5. In the "Section:" dropdown select "Dynamic DNS", click "Update".
6. Verify that the connection was denied. It should have two lines for a failed connect. "Dynamic DNS update for <THIS SHOULD BE YOUR DDNS> (NoIP) failed:" and "DDNSConnectionTimeoutError: Connection timeout".
7. Navigate to "Logs" > "IPS Logs".
8. Find the event from the time you clicked on Instant Update; there should be a blocked connection from your public IP to an IP owned by Vitalwerks Internet Solutions, LLC (this is the company that owns noip.com), over port 80 and blocked by the rule "ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted". See my screenshot.

Remarks regarding this rule (https://lists.emergingthreats.net/pipermail/emerging-sigs/2012-December/020993.html)
"This event tells us that an idiot/user has sent their password to an outside site, in the clear."

Please update the No-IP dynamic DNS updater Agent to use HTTPS and not HTTP.
Comment 1 Stefan Schantl 2021-07-12 10:02:50 UTC
Hello Dean,

thanks for pointing this out.

I've changed the request URL for noip to use the encrypted HTTPS way.

https://git.ipfire.org/?p=ddns.git;a=commit;h=e00128d37b22d4eae3823ca21bdbcbb8485fdac2

Best regards,

-Stefan
Comment 2 Dean Taylor 2021-07-13 22:53:43 UTC
(In reply to Stefan Schantl from comment #1)
> Hello Dean,
> 
> thanks for pointing this out.
> 
> I've changed the request URL for noip to use the encrypted HTTPS way.
> 
> https://git.ipfire.org/?p=ddns.git;a=commit;h=e00128d37b22d4eae3823ca21bdbcbb8485fdac2
> 
> Best regards,
> 
> -Stefan

Thank you Stefan,
Excuse my ignorance of how bug fixes are released in IPFire, but I would like to know how to receive this fix. Will it be included in the next core update or is there a patch users have to manually download and install?
Comment 3 Stefan Schantl 2021-07-14 03:53:18 UTC
Hello Dean,

all fixes usually will be shipped by one of the next one or two core updates.

Currently core update 158 is in testing and the merge window for core 159 is closed, so I think this fix may be part of core 160.

Best regards,

-Stefan
Comment 4 Adolf Belka 2024-01-09 22:27:06 UTC
The current version of providers.py has the https url version of no-ip.

The fix for this has been implemented in Core Update 160 with the implementation of ddns-014.

Therefore this bug is being closed as fixed.
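
Added example (not part of the original report, and not the ddns project's code): a small Python check in the spirit of the IPS rule named in the description. It shows that a Basic auth header sent over plain HTTP is recoverable by anything on the path, while the same payload position inside a TLS record exposes nothing. The host, path, credentials and function names are constructed for illustration.

```python
import base64
import binascii

# Constructed sample: an updater-style GET with HTTP Basic auth as it appears
# on the wire over plain HTTP. Host, path and credentials are placeholders.
SAMPLE_HTTP = (
    b"GET /update?hostname=myhost.example.net HTTP/1.1\r\n"
    b"Host: ddns.example\r\n"
    b"User-Agent: example-updater/1.0\r\n"
    b"authorization: Basic " + base64.b64encode(b"alice:S3cret-Pa55") + b"\r\n"
    b"\r\n"
)
# Constructed sample: start of a TLS handshake record. Over HTTPS the request
# head above travels inside encrypted records and is not visible to a sensor.
SAMPLE_TLS = b"\x16\x03\x03\x00\x2a" + bytes(42)


def find_cleartext_basic_auth(payload: bytes):
    """Return (user, password) if payload is plaintext HTTP with Basic auth."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    # A plaintext HTTP request line has the shape b"METHOD target HTTP/x.y".
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or name.strip().lower() != b"authorization":
            continue  # header names are case-insensitive
        scheme, _, token = value.strip().partition(b" ")
        if scheme.lower() != b"basic":
            continue
        try:
            # Base64 is an encoding, not encryption: decoding needs no key.
            decoded = base64.b64decode(token.strip(), validate=True)
        except (binascii.Error, ValueError):
            return None  # malformed token, nothing recoverable
        user, colon, password = decoded.partition(b":")
        if colon:
            return user.decode("utf-8", "replace"), password.decode("utf-8", "replace")
    return None


def report(payload: bytes) -> str:
    found = find_cleartext_basic_auth(payload)
    if found is None:
        return "no cleartext Basic credentials visible"
    # Do not log the secret itself; user and password length suffice.
    return f"cleartext Basic auth for user {found[0]!r} ({len(found[1])}-char password exposed)"
```

Calling `report(SAMPLE_HTTP)` yields a finding naming the user, while `report(SAMPLE_TLS)` yields none, which matches the report: the rule fired on port 80 and has nothing to match once the updater uses HTTPS.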