How to protect your computer from attacks

Hello everyone. Before getting into the hardening of your computer, I want to mention that the installer I am developing for Gentoo is now in its pre-alpha phase 😀 This means the prototype is robust enough to be tested by other users, but there is still a long way to go, and the feedback from these stages (pre-alpha, alpha, beta) will help define important features of the process 🙂 For those interested:

https://github.com/ChrisADR/installer

For now there is only an English version, but I hope that by beta it will also have a Spanish translation (I am learning about runtime translation in Python for this, so there is still a lot to discover).

Hardening

When we talk about hardening, we mean a wide variety of actions or procedures that make access to a computer system, or to a network of systems, harder. That is precisely why it is a vast subject full of nuances and details. In this article I am going to list some of the most important or most recommended things to take into account when protecting a system. I will try to go from the most critical to the least critical, without going deep into any of them, since each of these points could be an article of its own.

Physical access

This is undoubtedly the first and most important problem for any machine: if an attacker has easy physical access to it, it can already be counted as lost. This is as true of a large data center as of a laptop inside a company. One of the basic protection measures against it is a BIOS/UEFI password. For those to whom this sounds new: the firmware can be locked with a password, so that someone who wants to change the boot order and start the computer from a live system will not have an easy job. Keep in mind what it does not do: it does not protect the disk itself, which can be pulled out and read in another machine, and on many desktop boards the password disappears when the firmware settings are reset. That is exactly why the next point exists.

This is basic, and it works when it is actually enforced. I have been in several companies where nobody cares, because they believe the security "guard" at the door is more than enough to prevent physical access. But let's move on to a slightly more advanced point.

LUKS

Suppose for a moment that an "attacker" has already gained physical access to the computer. The next step is to encrypt every disk and partition. LUKS (Linux Unified Key Setup) is a disk-encryption specification; on Linux it is implemented by cryptsetup on top of dm-crypt. Among other things, LUKS lets a partition be encrypted under a master key that is itself unlocked by a passphrase, so that when the system starts, if the passphrase is not known, the partition cannot be mounted or read, and anyone who pulls the drive gets nothing but ciphertext. Two caveats a practitioner will want: the partition holding the bootloader and kernel (/boot) is usually left unencrypted, and encryption at rest protects nothing once the volume is unlocked and the machine is running.
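A useful check on an encrypted disk is to look at what the LUKS header says before trusting it: which cipher and hash it uses and, above all, how many key slots are active, because every active slot is a passphrase that can unlock the volume, including ones a previous administrator added and forgot. The parser below is an added example written for this article, not code from cryptsetup or from the installer mentioned above; it decodes the fixed-layout LUKS1 header (the LUKS2 header is a different, JSON-based format and is rejected), and the header bytes it runs on are constructed inline rather than read from a real device. The iteration threshold in the audit is an arbitrary value chosen for the demo.

```python
import struct

# LUKS1 on-disk header layout (LUKS1 spec; every integer is big-endian).
# The header is plaintext: cipher, hash and key-slot metadata are readable
# without any passphrase; only the master key material itself is protected.
LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS_KEY_ENABLED = 0x00AC71F3
LUKS_KEY_DISABLED = 0x0000DEAD
NUM_KEY_SLOTS = 8
PHDR_FMT = ">6sH32s32s32sII20s32sI40s"   # 208 bytes of fixed fields
SLOT_FMT = ">II32sII"                    # 48 bytes per key slot
PHDR_SIZE = struct.calcsize(PHDR_FMT) + NUM_KEY_SLOTS * struct.calcsize(SLOT_FMT)  # 592


def _cstr(raw):
    """NUL-terminated ASCII field -> str."""
    return raw.split(b"\0", 1)[0].decode("ascii", errors="replace")


def parse_luks1_header(buf):
    """Decode the first 592 bytes of a LUKS1 volume into a dict."""
    if len(buf) < PHDR_SIZE:
        raise ValueError("buffer too short for a LUKS1 header")
    (magic, version, cipher, mode, hash_spec, payload_offset, key_bytes,
     _mk_digest, _mk_salt, mk_iter, uuid_raw) = struct.unpack_from(PHDR_FMT, buf, 0)
    if magic != LUKS_MAGIC:
        raise ValueError("not a LUKS header (bad magic)")
    if version != 1:
        raise ValueError(f"LUKS version {version}: this parser only handles LUKS1")
    slots = []
    for i in range(NUM_KEY_SLOTS):
        offset = struct.calcsize(PHDR_FMT) + i * struct.calcsize(SLOT_FMT)
        active, iters, _salt, km_offset, stripes = struct.unpack_from(SLOT_FMT, buf, offset)
        if active == LUKS_KEY_ENABLED:
            slots.append({"slot": i, "iterations": iters,
                          "key_material_offset": km_offset, "stripes": stripes})
        elif active != LUKS_KEY_DISABLED:
            raise ValueError(f"key slot {i} has unknown state 0x{active:08x}")
    return {
        "cipher": f"{_cstr(cipher)}-{_cstr(mode)}",
        "hash": _cstr(hash_spec),
        "key_bits": key_bytes * 8,
        "payload_offset_sectors": payload_offset,
        "mk_digest_iterations": mk_iter,
        "uuid": _cstr(uuid_raw),
        "active_slots": slots,
    }


def audit(header, min_iterations=100_000):
    """Hardening checks on a parsed header. The iteration threshold is an
    assumption for this demo, not a value taken from any standard."""
    findings = []
    n = len(header["active_slots"])
    if n > 1:
        findings.append(f"{n} passphrases can unlock this volume; make sure every slot is known and intended")
    if header["key_bits"] < 256:
        findings.append(f"master key is only {header['key_bits']} bits")
    for s in header["active_slots"]:
        if s["iterations"] < min_iterations:
            findings.append(f"slot {s['slot']} uses only {s['iterations']} PBKDF2 iterations")
    return findings


def build_sample_header():
    """Constructed LUKS1 header for the demo (not read from a real device):
    aes-xts-plain64 with a 512-bit master key, key slots 0 and 1 in use."""
    phdr = struct.pack(PHDR_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                       4096, 64, b"\x11" * 20, b"\x22" * 32, 100_000,
                       b"0f2a4c6e-1111-4222-8333-444444444444")
    slots = b""
    for i in range(NUM_KEY_SLOTS):
        in_use = i < 2
        slots += struct.pack(SLOT_FMT,
                             LUKS_KEY_ENABLED if in_use else LUKS_KEY_DISABLED,
                             250_000 + i if in_use else 0,
                             bytes([i]) * 32, 8 + i * 512, 4000)
    return phdr + slots


if __name__ == "__main__":
    hdr = parse_luks1_header(build_sample_header())
    print(hdr["cipher"], hdr["hash"], f"{hdr['key_bits']}-bit key")
    print("active slots:", [s["slot"] for s in hdr["active_slots"]])
    for f in audit(hdr):
        print("finding:", f)
```

On a real machine you would feed it the first 592 bytes of the device (`open("/dev/sdX2", "rb").read(592)`, as root) and compare the result with `cryptsetup luksDump /dev/sdX2`, which prints the same fields. Remove any slot you cannot account for with `cryptsetup luksKillSlot`.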

Paranoia

Certainly there are people who need a "maximum" level of security, and that leads to guarding even the smallest aspect of the system; this reaches its peak in the kernel. The Linux kernel is the way your software interacts with the hardware: if you prevent your software from "seeing" the hardware, it cannot use it to do harm. To give an example, we all know how "dangerous" USB sticks with viruses are when we talk about Windows, and a USB device can certainly carry code that may or may not be harmful to a Linux system too; it need not even be a storage device, since anything plugged in can claim to be a keyboard or a network adapter and the kernel will happily bind a driver to it. If the kernel is built with only the USB device classes you actually need (no usb-storage, for example), or is told through its USB authorization interface in sysfs to ignore devices that are not explicitly authorized, any other kind of USB device is simply ignored by the machine. That is certainly a bit extreme, but it can work depending on the circumstances.

Services

When we talk about services, the first word that comes to mind is "supervision", and it matters a great deal: one of the first things an attacker does after getting into a system is to keep a connection, either a listener waiting for them or a connection back out to something they control. Periodically reviewing incoming and, above all, outgoing connections is therefore very important on any system.
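The kind of review the paragraph above asks for can be scripted. As an added example that is not part of the original post, the script below takes the output of `ss -tanp` (the sample is constructed, not captured from a real host) and flags three things: listeners on ports nobody expects, expected ports owned by the wrong process, and outbound connections that either use a port outside the allowlist or are opened by a process that has no business talking to the network. The allowlists are assumptions for the demo and would be tailored to the host.

```python
import re

# Constructed sample of `ss -tanp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port    Peer Address:Port   Process
LISTEN 0      128    0.0.0.0:22            0.0.0.0:*           users:(("sshd",pid=812,fd=3))
LISTEN 0      511    *:443                 *:*                 users:(("nginx",pid=1020,fd=6))
LISTEN 0      128    0.0.0.0:4444          0.0.0.0:*           users:(("nc",pid=3377,fd=3))
ESTAB  0      0      192.168.1.10:22       192.168.1.50:51234  users:(("sshd",pid=2210,fd=4))
ESTAB  0      0      192.168.1.10:41022    203.0.113.5:443     users:(("curl",pid=2301,fd=5))
ESTAB  0      0      192.168.1.10:41055    198.51.100.7:443    users:(("bash",pid=3390,fd=3))
ESTAB  0      0      192.168.1.10:41060    198.51.100.7:6667   users:(("python3",pid=3391,fd=3))
"""

# Host-specific allowlists (assumptions for the demo).
EXPECTED_LISTENERS = {22: "sshd", 443: "nginx"}       # port -> process that should own it
ALLOWED_OUTBOUND_PORTS = {53, 80, 123, 443}
EXPECTED_CLIENTS = {"curl", "wget", "git", "emerge"}  # processes allowed to open outbound sockets

PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


def _port(addr):
    """'0.0.0.0:22', '*:443' or '[::]:22' -> 22 (works for IPv6 too)."""
    return int(addr.rsplit(":", 1)[1])


def parse_ss(text):
    """Turn `ss -tanp` lines into dicts; the header line is skipped."""
    conns = []
    for line in text.splitlines()[1:]:
        fields = line.split(None, 5)
        if len(fields) < 5:
            continue
        state, _recvq, _sendq, local, peer = fields[:5]
        m = PROC_RE.search(fields[5]) if len(fields) > 5 else None
        conns.append({
            "state": state,
            "local_port": _port(local),
            "peer": peer,
            "peer_port": None if peer.endswith(":*") else _port(peer),
            "process": m.group(1) if m else "?",
            "pid": int(m.group(2)) if m else None,
        })
    return conns


def review(text):
    """Return (kind, detail) findings for anything outside the allowlists."""
    findings = []
    for c in parse_ss(text):
        if c["state"] == "LISTEN":
            owner = EXPECTED_LISTENERS.get(c["local_port"])
            if owner is None:
                findings.append(("unexpected-listener",
                                 f"port {c['local_port']} opened by {c['process']} (pid {c['pid']})"))
            elif owner != c["process"]:
                findings.append(("listener-hijacked",
                                 f"port {c['local_port']} owned by {c['process']}, expected {owner}"))
        elif c["state"] == "ESTAB":
            if c["local_port"] in EXPECTED_LISTENERS:
                continue  # inbound connection to a service we deliberately expose
            reasons = []
            if c["peer_port"] not in ALLOWED_OUTBOUND_PORTS:
                reasons.append(f"port {c['peer_port']} is not allowed outbound")
            if c["process"] not in EXPECTED_CLIENTS:
                reasons.append(f"process {c['process']} is not an expected network client")
            if reasons:
                findings.append(("suspicious-outbound",
                                 f"{c['process']} (pid {c['pid']}) -> {c['peer']}: " + "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for kind, detail in review(SAMPLE_SS_OUTPUT):
        print(f"[{kind}] {detail}")
```

Note the `bash` process talking to port 443: a port-based firewall lets that through exactly like the `curl` connection next to it, which is why looking at who holds the socket, and not only at the port, is what catches a reverse shell. Run it from cron against live `ss -tanp` output and alert on any finding.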

Iptables

We have all heard of iptables, the tool that lets you define rules at kernel level (netfilter) for traffic entering and leaving the machine. That is certainly useful, but it is also a double-edged sword. Many people believe that having a "firewall" frees them from any kind of entry or exit from the system, and nothing is further from the truth; in many cases it serves as little more than a placebo. Firewalls work on rules, and rules match addresses, ports and connection state, not what is carried inside the connection. Anything that can be pushed through a port and service the rules consider "allowed" (outbound HTTPS, say) passes just like legitimate traffic; it is only a matter of creativity 🙂
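To make the double-edged-sword point concrete, here is an added example (mine, not from the original post) that models how a netfilter chain decides: rules are tried in order, the first match wins, and when nothing matches the chain's default policy applies. The ruleset is a typical minimal default-deny one, the `Packet` objects are constructed sample traffic, and the model deliberately knows nothing about payloads, which is the whole point: the reverse shell calling home on 443 gets the same ACCEPT as the package download. The `as_iptables()` renderer produces the real command-line syntax for each rule so the modelled ruleset can be compared with what is actually loaded.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    chain: str      # "INPUT" or "OUTPUT"
    proto: str      # "tcp" or "udp"
    dport: int
    ctstate: str    # "NEW" or "ESTABLISHED", as conntrack would classify it
    comment: str = ""   # what the traffic really is; the firewall never sees this


@dataclass(frozen=True)
class Rule:
    chain: str
    target: str                   # "ACCEPT" or "DROP"
    proto: Optional[str] = None   # None = any
    dport: Optional[int] = None
    ctstate: Optional[str] = None

    def matches(self, p):
        return (p.chain == self.chain
                and (self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport)
                and (self.ctstate is None or p.ctstate == self.ctstate))

    def as_iptables(self):
        parts = ["iptables", "-A", self.chain]
        if self.proto:
            parts += ["-p", self.proto]
        if self.dport:
            parts += ["--dport", str(self.dport)]
        if self.ctstate:
            parts += ["-m", "conntrack", "--ctstate", self.ctstate]
        return " ".join(parts + ["-j", self.target])


# Default-deny on every chain; only what is listed below gets through.
POLICY = {"INPUT": "DROP", "OUTPUT": "DROP", "FORWARD": "DROP"}

# Real rulesets usually match "ESTABLISHED,RELATED"; the model keeps a single
# state per rule to stay short.
RULES = [
    Rule("INPUT",  "ACCEPT", ctstate="ESTABLISHED"),
    Rule("INPUT",  "ACCEPT", proto="tcp", dport=22,  ctstate="NEW"),   # admin ssh
    Rule("OUTPUT", "ACCEPT", ctstate="ESTABLISHED"),
    Rule("OUTPUT", "ACCEPT", proto="udp", dport=53,  ctstate="NEW"),   # DNS
    Rule("OUTPUT", "ACCEPT", proto="tcp", dport=443, ctstate="NEW"),   # HTTPS
]


def verdict(p, rules=RULES, policy=POLICY):
    """First matching rule decides; otherwise the chain policy does."""
    for r in rules:
        if r.matches(p):
            return r.target
    return policy[p.chain]


def ruleset_script(rules=RULES, policy=POLICY):
    """The modelled ruleset as the iptables commands that would load it."""
    lines = [f"iptables -P {chain} {target}" for chain, target in policy.items()]
    return "\n".join(lines + [r.as_iptables() for r in rules])


# Constructed sample traffic.
SAMPLE_TRAFFIC = [
    Packet("INPUT",  "tcp", 22,   "NEW", "admin ssh login"),
    Packet("INPUT",  "tcp", 4444, "NEW", "someone probing a bind shell left on 4444"),
    Packet("OUTPUT", "tcp", 443,  "NEW", "curl downloading package updates"),
    Packet("OUTPUT", "tcp", 443,  "NEW", "reverse shell calling home over 443"),
    Packet("OUTPUT", "tcp", 6667, "NEW", "IRC-style C2 channel"),
]


if __name__ == "__main__":
    print(ruleset_script())
    print()
    for p in SAMPLE_TRAFFIC:
        print(f"{verdict(p):6} {p.chain:6} {p.proto}/{p.dport:<5} {p.comment}")
```

The bind shell on 4444 is blocked because nothing in INPUT allows it, and the IRC channel is blocked by the OUTPUT policy, so the ruleset is doing real work. But the two connections to port 443 are indistinguishable to it. Closing that gap needs something that looks at the endpoint, the process, or the content (egress proxying, per-user or per-process rules with the `owner` match, or the connection review from the previous section), not a longer list of ports.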

Stability vs rolling-release

This is a contentious point in many places and situations, but let me explain my point of view. As a member of a security team that watches over many of the issues in the stable branch of our distribution, I am aware of many, almost all, of the vulnerabilities that exist on our users' Gentoo machines. Distributions like Debian, Red Hat, SUSE, Ubuntu and many others go through the same thing, and their reaction times vary depending on many circumstances.

Let's take a clear example. Surely everyone has heard of Meltdown, Spectre and the whole series of news that has been flying around the internet these days. The mainline, most "rolling-release" branch of the kernel is already patched; the problem lies in bringing those fixes to older kernels, and backporting is certainly hard work. After that, the fixes still have to be tested by the distribution's developers, and only once testing is complete do they reach ordinary users. What am I getting at? That the rolling-release model requires us to know more about the system and about ways to rescue it if something fails, but that is a good thing, because absolute passivity about the system has several negative effects for both the administrator and the users.

Know your software

This is a very valuable habit for an administrator. Things as simple as subscribing to the announcement lists of the software you use let you learn of security notices in advance, so that you can prepare a reaction plan and, at the same time, see how long each distribution takes to fix the problem. It is always better to be proactive here, because by the author's reckoning more than 70% of attacks on companies are carried out through outdated software.

Reflection

When people talk about hardening, it is often believed that a "hardened" system is immune to everything, and nothing is more false. As the word itself says, hardening means making things harder, NOT impossible... but many people think it involves dark magic and lots of tricks such as honeypots... those are an extra, and if you cannot do the most basic things, like keeping a piece of software or a programming language up to date, there is no point in building phantom networks and machines with countermeasures... I say this because I have seen several companies that still ask for PHP 4 or PHP 5 (both obviously discontinued)... things that today are known to have hundreds if not thousands of security flaws. If the company cannot keep up with technology, doing everything else is useless.

Also, when we are all using free or open-source software, the reaction time for security bugs is usually quite short; the problem comes when we are dealing with proprietary software, but I will leave that for another article that I hope to write soon.

Thank you very much for getting here 🙂 greetings



  1.   rooster said

    Excellent

    1.    ChrisADR said

      Thank you very much 🙂 greetings

  2.   norman said

    What I like most is the simplicity with which you deal with this issue, security in these times. Thank you, I will stay on Ubuntu as long as there is no dire need, since I am not using the partition I have with Windows 8.1 at the moment. Greetings.

    1.    ChrisADR said

      Hello norman, certainly the Debian and Ubuntu security teams are quite efficient 🙂 I have seen how they handle cases at an amazing speed, and they certainly make their users feel safe; at least if I were on Ubuntu I would feel a little more secure 🙂
      Greetings, and true, it is a simple issue... security is less a dark art than a matter of minimum criteria 🙂

  3.   Alberto Cardona said

    Thank you very much for your contribution!
    Very interesting, especially the part of the Rolling release.
    I had not taken that into account, now I have to manage a server with Gentoo to see the differences I have with Devuan.
    A big greeting, and I will share this entry on my social networks so that this information reaches more people!!
    Thank you!

    1.    ChrisADR said

      You're welcome Alberto 🙂 I owed you one for being the first to answer the request in the previous post 🙂 so greetings, and now on with that list of things pending to write 🙂

  4.   jolt2bolt said

    Well, applying hardening with Spectre out there would be like leaving the PC more vulnerable if sandboxing is used, for example. Curiously, your machine will be safer against Spectre the fewer security layers you apply... curious, right?

    1.    ChrisADR said

      This reminds me of an example that could be a whole article... using -fsanitize=address in the compiler could make us think the compiled software would be more "secure", but nothing could be further from the truth. I know a developer who tried it on a whole machine... it turned out to be easier to attack than one without ASAN... the same applies in various areas: using the wrong layers when you don't know what they do is more damaging than using nothing 😛 I guess that's something we should all consider when trying to protect a system... which brings us back to the fact that this is not dark magic but mere common sense 🙂 thanks for your input

  5.   Cra said

    From my point of view, the most serious vulnerability, on a par with physical access and human error, is still the hardware. Leaving Meltdown and Spectre aside, since old times we have seen things like variants of the LoveLetter worm that wrote code into the BIOS of the machine, certain firmware versions on SSDs that allowed remote code execution, and, worst of all in my view, the Intel Management Engine, which is a complete aberration for privacy and security, because it no longer matters whether the machine has AES encryption, obfuscation or any kind of hardening: even if the computer is turned off, the IME is going to screw you.

    And also, paradoxically, a 200 ThinkPad X2008 running LibreBoot is safer than any current computer.

    The worst thing about this situation is that it has no solution, because neither Intel, AMD, Nvidia, Gigabyte nor any moderately known hardware manufacturer is going to release the current hardware design under the GPL or any other free license; why invest millions of dollars for someone else to copy the real idea?

    Beautiful capitalism.

    1.    ChrisADR said

      Very true Kra 🙂 it is evident that you are quite proficient in security matters 😀 because in fact proprietary software and hardware are something to be careful with, but unfortunately there is little that "hardening" can do about that, since, as you say, it is something beyond the reach of almost all mortals, except those who know programming and electronics.

      Greetings and thanks for sharing 🙂

  6.   Anonymous said

    Very interesting, now a tutorial for each section would be good xD

    By the way, how dangerous is it if I set up a Raspberry Pi and open the necessary ports to use ownCloud or a web server from outside the home?
    I'm quite interested, but I don't know if I'll have time to review access logs, check the security settings from time to time, etc. etc...

  7.   July said

    Excellent contribution, thanks for sharing your knowledge.