Randomized hostname protocol

suse211213 · September 8, 2024, 7:35pm

Recommendations

Obviously a generic hostname is advisable, but in practice, there are limited other solutions available at present. One is to turn off any protocols that are not strictly necessary and which leak hostnames, particularly when insecure places are visited. This reduces the attack surface, but is impractical for certain protocols; for example, DHCP is necessary for Internet connectivity and many services depend on protocols such as mDNS. Another option is to use different hostnames for different purposes, rather than relying on a global hostname - this option is available on some OSes. Ultimately, a randomized hostname protocol is necessary to protect privacy, similar to methods utilized for MAC addresses.

What is a randomized hostname protocol?
Do kicksecure randomize it?

sudo hostname shows

localhost

Patrick · September 9, 2024, 10:41am

MAC randomization breaks root server and VirtualBox DHCP / IPv6PrivacyExtensions might be problematic

opened 01:11PM - 06 Jan 24 UTC

adrelanos

https://github.com/Kicksecure/security-misc/blob/master/usr/lib/NetworkManager/c…onf.d/80_randomize-mac.conf ``` [device-mac-randomization] wifi.scan-rand-mac-address=yes [connection-mac-randomization] ethernet.cloned-mac-address=random wifi.cloned-mac-address=random ``` 1) Breaks root servers, namely broke kicksecure.com. This is what the server provide sent by e-mail. ``` We have detected that your server is using different MAC addresses from those allowed by your Robot account. Please take all necessary measures to avoid this in the future and to solve the issue. We also request that you send a short response to us. This response should contain information about how this could have happened and what you intend to do about it. In the event that the following steps are not completed successfully, your server can be locked at any time after 2024-01-17 16:51:11 +0100. How to proceed: - Solve the issue - Please note, in case you have fixed the problem, please wait at least 10 minutes before rechecking: ... - After successfully testing that the issue is resolved, send us a statement by using the following link:... Please visit our FAQ here, if you are unsure how to proceed: https://docs.hetzner.com/robot/dedicated-server/faq/error-faq/#mac-errors Important note: When replying to us, please leave the abuse ID [...] unchanged in the subject line. Manual replies will only be handled in the event of a lock. Please note that we do not provide telephone support in our department. If you have any questions, please send them to us by responding to this email. Kind regards Network department ``` 2) Breaks VirtualBox DHCP when using Network Manger (in Kicksecure) after VM reboot (`sudo reboot`). It is functional for the first start after powering off and powering on the VM. [1] Might be related: https://forums.virtualbox.org/viewtopic.php?t=86753 Could be a Network Manager issue: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1116421 https://askubuntu.com/questions/307717/networkmanager-problem-with-cloned-mac-address ---- [1] Before someone says that's a VirtualBox issue, no, I mean, maybe, but that doesn't matter. VirtualBox is a valid environment. If that breaks, other environments will break as well. Broken networking is extremely frustrating. MAC randomization would be suitable for Kicksecure, but only if stable. It's not important enough to break common network configurations in common environments. ---- TODO: This bug has to be reported to Network Manager (NM) as above bug reports apparently never have reached upstream NM.

Which is blocked by:

github.com/Kicksecure/security-misc

Split the `security-misc` into `security-misc-shared`, `security-misc-desktop` and `security-misc-server`

opened 04:40PM - 13 Jan 24 UTC

monsieuremre

Servers and workstations differ heavily, and there is no universal hardening tha…t is also fine grained for both. A server is inherently a network. This package should prioritize workstations, as kicksecure is meant to be one. I do not support the idea of also being a server system. Firstly, [some of hardening](https://github.com/Kicksecure/security-misc/blob/master/usr/lib/sysctl.d/990-security-misc.conf) already eliminates the possibilty of kicksecure usage on specific server types, like a file sync or an email server might already face problems because of network hardening. They may have gone unnoticed, but this doesn't change the fact. The two reasonable options are: * Primarily good option: Forget about servers, do not try to keep support for them universally. This strips us of a very very big area of possible hardening options. If we want to support both, in terms of security, we will be the "jack of all trades, master of none". Nothing would be hardened to its full extend in this case. * Secondary, in my opinion the least favorable option, because of the unnecessary work it would require: Split this package in two. One package ```security-misc-desktop``` and one ```security-misc-server```. At this point you can choose any other name you like. But this has to be addressed in the near future, for the project to develop further.

MAC randomization is an extremely difficult technical challenge.

Neither is a priority for Kicksecure at this point due to:

So unless contributed, this won’t happen for a very long time.

Not at time of writing.

suse211213 · October 30, 2024, 6:32pm

I think this would be edited ?
Latest Qubes sys-net do randomize mac by default .
Hostname aren’t sent by default due to missing /etc/hostname

hostname randomization section

It isn’t necessary to randomize the hostname when one can simply not leak it

I would revert this, allow sent it after its randomized.

Note: wont open new thread in qubes section due to relation to this topic

Patrick · October 31, 2024, 5:32am

Updated wiki a bit just now.

Just because /etc/hostname doesn’t mean that there isn’t any hostname. Type:

hostname

result:

sys-net

If it’s sent or not needs different evidence.

Quiksilver · November 6, 2024, 1:47am

I don’t know any of any OS’s that randomize the hostname?
Are you sure your not getting confused with containerization?

Yes, there is a debate on if sending the hostname or not makes you more unique.
TailsOS doesn’t send the hostname to mitigate “DHCP hostname leaks” but arguably sending a more generic hostname may look more normal.

I think MAC randomization should come with it enabled by default like Graphene already does.
Like @suse211213 mentioned about Qubes enabling it by default it could be implemented like they do.
Shipping it enabled by default and adding a patch to the Calamaris installer to disable the config file at install could also be another route.
However idk what that has to do with hostname randomization but it could be possibly added to Kicksecure depending on implementation.

Besides DHCP what else sends your hostname?
What sandboxing or containerization could mitigate it other then virtual machines?

Patrick · November 6, 2024, 12:03pm

That’s not an answer to “MAC randomization is an extremely difficult technical challenge.”

“like they do” doesn’t translate to a tested source code contributions compatible with Kicksecure.

As per image formats, Goals:

The differences in the code base for Live Systems vs. Installer Systems vs. Installed Systems should be reduced as much as possible.

Installer specific code should be as minimal as possible.

Patrick · November 12, 2024, 6:33am

You would need to study the issue (MAC randomization breaks root server and VirtualBox DHCP / IPv6PrivacyExtensions might be problematic · Issue #184 · Kicksecure/security-misc · GitHub) and come up with solutions.

Quiksilver · November 14, 2024, 9:28pm

SSH doesn’t send the devices MAC Address at most it might send the hostname but good info about using network namespaces that might be useful for something in Kicksecure.

As far as I understand the issue related to

MAC randomization breaks root server and VirtualBox DHCP / IPv6PrivacyExtensions might be problematic

I believe they are referring to Installing Kicksecure as the OS on VPS server.
In this case I think Kicksecure should just NOT randomize Ethernet MAC addresses by commenting it out. Reason being most servers are wired in especially VPS, if you look at any server rack they aren’t going to be using wireless as that would create too much cross talk and you wouldn’t get optimized speeds.

#ethernet.cloned-mac-address=stable

Also like @anon24694737 said

This has to be set if you don’t want Network Manager to leak or revert back to permaddr cause Network Manger will.

Alternatively you could also set it to set a new mac everytime you reconnect in a session instead.

connection.stable-id=${CONNECTION}/${RANDOM}