Skip to content

Latest commit

 

History

History
120 lines (107 loc) · 8.01 KB

mitigations.md

File metadata and controls

120 lines (107 loc) · 8.01 KB

Mitigation Strategies Analysis for fatedier/frp

Mitigation Strategy: Strong Authentication (Token-Based)

  • Mitigation Strategy: Implement mandatory token-based authentication.
    • Description:
      1. Generate a Strong Token: Use a cryptographically secure random number generator or a password manager to create a long (at least 32 characters), complex token.
      2. Configure frps.ini: On the server, add: token = YOUR_GENERATED_TOKEN in the [common] section.
      3. Configure frpc.ini: On each client, add the same: token = YOUR_GENERATED_TOKEN in the [common] section.
      4. Restart: Restart both frps and frpc.
      5. Test: Verify clients can only connect with the correct token.
      6. Secure Storage: Store the token securely (e.g., password manager, secrets management system).
    • Threats Mitigated:
      • Unauthorized Client Access (Critical): Prevents unauthorized frpc connections.
      • Brute-Force Attacks (High): Makes brute-forcing the connection infeasible.
      • Replay Attacks (Medium): Reduces effectiveness (TLS further mitigates).
    • Impact:
      • Unauthorized Access: Risk reduced from Critical to Low.
      • Brute-Force: Risk reduced from High to Negligible.
      • Replay: Risk reduced from Medium to Low (with TLS).
    • Currently Implemented: (Example) Yes, in frps.ini and all frpc.ini files. Token in secrets management.
    • Missing Implementation: (Example) Automated token rotation and secrets management API integration.

Mitigation Strategy: Limit Client Privileges (Precise frpc.ini Configuration)

  • Mitigation Strategy: Restrict frpc configurations to expose only essential services.
    • Description:
      1. Identify Needs: Determine the minimum services/ports each client needs to expose.
      2. frpc.ini Specificity:
        • Use specific local_ip and local_port values. Avoid 0.0.0.0 for local_ip if possible.
        • Define only required remote_port mappings.
        • Avoid wildcards or broad port ranges.
        • Securely configure any frp plugins, enabling only if strictly necessary.
      3. Regular Review: Periodically review frpc.ini files for minimality.
    • Threats Mitigated:
      • Lateral Movement (High): Limits attacker movement if a client is compromised.
      • Information Disclosure (Medium): Reduces risk of exposing sensitive data.
      • Service Exploitation (Medium): Reduces the attack surface.
    • Impact:
      • Lateral Movement: Risk reduced from High to Medium.
      • Information Disclosure: Risk reduced from Medium to Low.
      • Service Exploitation: Risk reduced from Medium to Low.
    • Currently Implemented: (Example) Partially. Specific ports mapped, but some local_ip are 0.0.0.0.
    • Missing Implementation: (Example) Audit frpc.ini files, change local_ip where possible, document exposed service rationale.

Mitigation Strategy: TLS Encryption

  • Mitigation Strategy: Enforce TLS encryption for all frp communication.
    • Description:
      1. Obtain Certificates: Get a certificate from a trusted CA (e.g., Let's Encrypt) or generate a self-signed one (testing only!).
      2. Configure frps.ini:
        • tls_enable = true
        • tls_cert_file = /path/to/certificate.crt
        • tls_key_file = /path/to/private.key
      3. Configure frpc.ini:
        • tls_enable = true
        • (Recommended): tls_trusted_ca_file = /path/to/ca.crt (verifies server certificate).
      4. Restart: Restart frps and frpc.
      5. Verify: Use a network analyzer to confirm encryption.
    • Threats Mitigated:
      • Eavesdropping (Critical): Encrypts communication.
      • Man-in-the-Middle (MitM) Attacks (Critical): Prevents impersonation and interception (especially with CA verification).
      • Data Tampering (High): Provides integrity checks.
    • Impact:
      • Eavesdropping: Risk reduced from Critical to Negligible.
      • MitM: Risk reduced from Critical to Low (with CA) or Medium (self-signed).
      • Tampering: Risk reduced from High to Negligible.
    • Currently Implemented: (Example) Yes, Let's Encrypt certificates. tls_enable = true, tls_trusted_ca_file configured.
    • Missing Implementation: (Example) Automated certificate renewal.

Mitigation Strategy: Maximum Connections (max_pool_count)

  • Mitigation Strategy: Limit concurrent connections using frp's built-in setting.
    • Description:
      1. Estimate Capacity: Determine the maximum concurrent connections your frps server can handle.
      2. Configure frps.ini: Set max_pool_count in the [common] section (e.g., max_pool_count = 100).
      3. Monitor: Monitor server performance and adjust as needed.
    • Threats Mitigated:
      • Denial of Service (DoS) (Medium): Helps prevent connection exhaustion.
      • Resource Exhaustion (Medium): Prevents resource depletion.
    • Impact:
      • DoS: Risk reduced from Medium to Low.
      • Resource Exhaustion: Risk reduced from Medium to Low.
    • Currently Implemented: (Example) Yes, max_pool_count = 50 in frps.ini.
    • Missing Implementation: (Example) Document rationale for the value, establish review/adjustment process.

Mitigation Strategy: Keep frp Updated

  • Mitigation Strategy: Regularly update frps and frpc to the latest stable versions using official frp releases.
    • Description:
      1. Monitor for Updates: Regularly check the official frp GitHub repository.
      2. Test Updates: Before deploying to production, test in a staging environment.
      3. Update Procedure: Download new version, stop service, replace binary, restart, verify.
      4. Rollback Plan: Have a plan to revert to the previous version if needed.
    • Threats Mitigated:
      • Exploitation of Known Vulnerabilities (High): Updates often include security patches.
      • Bugs and Instability (Low): Updates can fix bugs.
    • Impact:
      • Vulnerability Exploitation: Risk reduced from High to Low (depending on update promptness).
      • Bugs/Instability: Risk reduced from Low to Negligible.
    • Currently Implemented: (Example) Partially. Occasional updates, no formal schedule/testing.
    • Missing Implementation: (Example) Formal update schedule, staging environment, documented procedures.

Mitigation Strategy: Logging (frp's built-in logging)

  • Mitigation Strategy: Enable and configure frp's built-in logging capabilities.
    • Description:
      1. Configure Logging (frps.ini and frpc.ini):
        • Set log_level to info (recommended for production) or debug (for troubleshooting).
        • Specify a log_file path.
        • Consider using log_max_days to manage log file size.
    • Threats Mitigated:
      • Intrusion Detection (Medium): Logs can show attempted/successful intrusions.
      • Debugging (Low): Logs are essential for troubleshooting.
    • Impact:
      • Intrusion Detection: Risk reduced from Medium to Low.
      • Debugging: Significantly improved.
    • Currently Implemented: (Example) Partially. Basic logging (log_level = info), no log rotation.
    • Missing Implementation: (Example) Configure log_max_days.