Linux Hardening for Home Computers and Servers

Captions
Hi, I'm DJ. On this episode of The Cyber Gizmo I'm going to try to answer the questions I've been getting from a few of my subscribers about how to harden Linux systems. I think that's really in the context of Linux, but this subject is much larger than what Linux covers. I'm going to attempt to do as much on this as you guys want to know, so I'm going to let you drive where you want this to go next, because that's what I'm here for. I'm here to help you, and maybe I'll learn something in the process too; we're all in this together. Stay tuned, right after this. [Music]

Linux systems hardening: this is a huge, huge topic. If you were to go, for example, full-bore system hardening and harden off your systems from any possible type of attack (which first of all is probably infeasible), you're probably looking at an effort upwards of four to six months in my experience, and that would encompass site hardening, network hardening, facility hardening, server hardening, data hardening. This is a broad and very complicated subject. But I'm assuming that what you want to do is harden your systems at home, and so that's where I'm going to focus this. This is not a commercial hardening exercise; this is what we can do at home, where maybe we have a few servers, maybe a workstation or two, maybe a laptop that we're taking out on the road with us and using to access our systems remotely. That's what I'm going to concentrate on. If there's something specific that you want to know about, please let me know in a comment below; I'm always happy to hear from you guys, and I always want to help you in any way that I can, as best that I can.

Now, I am not a security engineer. I am an enterprise systems, corporate chief architect; that's what I did. I have some knowledge of system hardening, I have some knowledge of how I hardened my systems here, and I am prepared to help you with that. But if you expect me to know and be certified in cyber security, I'm the wrong guy; there are other people out here on the YouTubes that are probably better suited to help you with that. So I'll put my mark in the sand and say this is as far as I can really go in trying to help you. But what I know is probably more than a lot of what CEH covers; certified ethical hackers, pentesting, yeah, I've done some of that, we have done some CEH stuff, probably beyond what they teach anyway. Let's get started and see what we've got here.

Scope. I have to make some assumptions when I'm starting. If you're more experienced in this area, feel free to skip to the parts that you're interested in, but I'm assuming that this is the first time you have ever hardened a Linux system. I'm also going to assume that you have some basic working knowledge of Linux and are comfortable with it, particularly with the distribution you are using. I'm assuming that you have some needs and wants, that you want to reduce the risk of one or more of these: data exfiltration, unauthorized access, damage from malware, or maybe you're just paranoid like me, apparently.

So you probably have heard of something called Paranoid Linux. Is that a thing? Is that real? Well, sorta. There was some talk for a while about some people actually wanting to build Paranoid Linux, but it actually came from a book by Cory Doctorow called Little Brother. It is about a terrorist attack on San Francisco, and it is a book about how a group of people who were concerned about losing their liberties fought to preserve them during martial law. I'll provide a link to that book if you're interested in reading more about it. The description of Paranoid Linux in the book is that it fully protects the user: encrypted communications and Tor, I suppose, I think in 2013 (I'm not sure of the exact date, but it's somewhere in there; you can check that for yourself), by default, and it had a continual network that was free of chaff and all this other stuff that was in there. So if you're looking for a Paranoid Linux, probably the closest thing you'll find today would be Tails or Kodachi or Whonix; those are probably the closest you would find to a Paranoid Linux today. But Paranoid Linux is not a thing, it doesn't exist, sadly. It was a good idea though.

So first things first, a couple of quotes. It's important that you understand this: "security is a process, it's not a product." That's a quote by Bruce Schneier, and I agree. First of all, you're never done. Second of all, don't walk away thinking that you're done, because the minute you do, your systems will be penetrated. You're never done; you can't sleep at the switch with this one and just do a few things and say that's good enough, because the minute you do... I mean, this is an arms race, and that's what you really need to understand about it. So if you want to get involved in that, welcome aboard, and welcome to the world of the ultra paranoid.

Here are some questions that I've heard people ask. Does Linux really need to be secure? Do you need a lock on your front door? Do you need a lock on your car door? Let me ask you that. If you answer yes to that, then yeah, Linux needs to be secure. There's a story I've always thought kind of funny: I remember working around medical records in a hospital that you could just walk into and pick up anybody's folder and walk out with it, but the minute they put up a computer system they secured it, and they didn't bother to lock the open area where you could just walk in and grab a file off the wall. If you're going to do security, you have to think of everything; you can't just think of it in one particular position. And so the first thing I said was, this is kind of odd, that I could walk in and just grab a medical file, and yet I have to log in and get approval and have a reason to access a medical record online. That makes no sense to me.

The other one is, "security is just marketing hype." Some of it definitely is, but I can assure you that this is a very serious subject; it is not just marketing hype. And whether or not you think Linux needs it, I guess that depends on what you're using your Linux for. So I won't say you've got to have it, I won't say you don't have to have it; it's just a question of do you want to leave your front door unlocked or not. That's the question.

One of my favorite Linux quotes, from a long time ago (I don't remember where I saw this, but I saved it): "Linux was made by foreign terrorists to steal money from true American companies like Microsoft, who invented computing as we know it and are being punished for their success." I don't remember where that came from, I really don't, but it's probably one of the funniest things I remember reading. I know that Linus Torvalds actually responded to that, but I don't remember what his response was; it was pretty funny. I'm sure you can find that somewhere.

So let's get into it, let's talk about the first steps. Even if you're doing this for home, you need to think about what it is you're trying to do. I always say this: if you don't know where you're going, you're just running around pulling knobs and guessing at what things you should be looking at. So the first thing I think about is the answers to some questions that I have for you to answer.

What are you trying to protect? Are you trying to protect your computer, or are you trying to protect the data? And if it's data, what data are you trying to protect? Think about that when you're thinking about how far you want to go with this.

Second, what are you trying to protect against? Are you concerned that you might leak confidential data, or that you might have accidental loss of data because maybe a hard drive failed, or maybe you accidentally did an rm on a directory that you didn't mean to, that had the data in it you wanted to preserve? Or maybe you're concerned about revenue loss caused by service disruptions. That would be more of a business case, but it's possible in a home situation where you are working from home and you're unable to get online to do your job, and therefore unable to work because you have a loss of service. So is that what you're trying to protect? Think about that.

Who are you trying to protect against? A guest, one of your users, a fellow employee, maybe yourself, my kids, or a determined bad actor or group of determined people that want access to the data that you have.

And we always talk about risk. You'll never hear me say "oh, this is exactly what you need to do," because there isn't one right answer, and sometimes the answers that I would think are right probably aren't anymore; things constantly change. So when we talk about risks, if you do answer all three of those, rank them: which of those three are the most important, and what order would those be in? Once you have the answers to those questions, you can start thinking about how to create some security policy. If you're doing this for home, it doesn't have to be formal, but at least you need to know: hmm, maybe I need a firewall at my router that's coming into the network; maybe I don't want my Wi-Fi on my LAN, maybe I want my Wi-Fi out somewhere else; maybe I don't want my IoT devices on the same network that I am doing company work on or working from home with; or maybe I have financial data from my taxes or my banks or my credit cards that I don't want anywhere else, I don't want it to get out. Those are some of the things.

Let's take a couple of examples. Let's say you have an old PC and it holds some photos, and those photos probably have a very high intrinsic value to you, because what would happen if you lost them? You certainly couldn't reproduce them, because they're time-based: probably pictures of your children, probably early pictures of you and your spouse or your significant other, and you couldn't go back in time and get those pictures again. So they probably have a very high intrinsic value to you. Now, if an attacker gained access to that system, that value would be nothing to them, other than maybe they would know what you looked like when you were 20. So the choice is how valuable is that data to you and what's the best way to protect it. Maybe it's just as simple as having a good backup strategy that protects that kind of data from fire or some kind of natural disaster that you don't want to have in your home, but you want to have a copy of it outside, on the cloud somewhere, that you can easily retrieve in the event that you lost your systems at home. That's one example of a security policy that you might think about.

Another one might be if you just have a computer that you're playing around on and you're using it to learn Linux, or maybe you're using it to get a certification in a particular area of Linux that you're interested in, whether that be system administration or cybersecurity or database or whatever it is you're pursuing. If you lost that system or it was compromised in some way, how much of a loss would that be to you? Obviously, if you're taking a course that you've paid for, you probably want to preserve your work in progress, so again it might stem back to just having a good
backup. But as far as an attacker who gained access to your system, what intrinsic value would they get from the information that was on it? Probably not much. The reason why I'm having you think about this is that a lot of times we mix our secure data on the same machine, and that's not always a wise thing to do. Now, you can do that if you segregate directories where you have different levels of information and protection on those directories, although that's not something you would typically hear people recommend, because if a system is compromised, usually the entire system is compromised, including secure data that might be on the system. So whether or not you want to take that risk, again, those are factors for you to decide, not me. In that case, if it was just something you were playing around with, an attacker probably wouldn't gain much intrinsic value from it, and so it's probably not worth protecting at all. Maybe all you do is monitor it for any kind of changes; maybe you see something has been modified in a package or in a configuration file that you don't remember doing, and in that case you just nuke it and pave it and start over, right? So how much security you want to wrap around something like that, again, it's up to you; that's a question you have to answer, not me.

If it's a computer where you store financial information, such as Bitcoin, bank accounts, credit card data, stock information, any kind of finance or tax information, those would be of intrinsic value to an attacker and those would be a catastrophic loss to you. You wouldn't want this data to be unprotected; you would want it to be encrypted. So your first level of defense: encrypt the data that is sensitive. It might be your Social Security information, it could be insurance information that has what we call personally identifiable information, and if it's personally identifiable information you want to encrypt it, and you would definitely not want to store it on publicly accessible machines. That is a suggestion. You would also want to encrypt that data if it was backed up anywhere.

Erasing this information: if you were to go through and purge old tax forms that were beyond the statute of limitations or beyond the time that you need to store them, those would need to be electronically shredded to the point where they weren't recognizable anymore. There are some thoughts in the security world about whether shredding is really a capable method of securing data, and probably not; destroying it by a really high-heat fire is, but that would mean taking your disk drives out to the parking lot, heating them at real high heat and then smashing them with a hammer into small pieces. If they're ceramic disks like on two-and-a-half-inch media, it's real easy to destroy those: you just tap them and the media will shatter into a million little pieces.

So if we have machines like this, we need different security policies; that is really the point. You don't want to mix those policies on the same machines if you can avoid it. That's really not a good idea, because the weak link in that chain will be the way that a determined attacker gains access to the information, even if you said it was sensitive. So better it not be there.

Constraints. There's always a cost: if you're doing backups, you're going to have to buy another drive, or you're going to have to purchase an online service to back up your system. There's always a cost to do that. How far are you willing to go to secure the systems that you have? And if it's systems, fine; if it's data, that's a different question. If you're doing it to learn good security practices, great, but I'm not the right teacher for that; there are other people for that. I'm not standing up and saying "listen to me, I'm an expert in security." No, I'm not, I'm just somebody who's been around a long time. I can tell you this with personal experience: the more security you put on a system, the poorer it will perform. That is a fact, that is the fact you have to live with; how much of that can you live with? If you're encrypting everything, it's going to take you a while to get at it. But the great Grace Hopper always had a way of describing things to bring it back down to earth, and she said: "A ship in port is safe, but that's not what ships are built for. Sail out to sea and do new things." Computers are exactly the same thing: a computer turned off is safe, but that's not what a computer is for. So don't be afraid to use your machine for what you intend to use it for. These are just suggestions; if you want Paranoid Linux, Tails, okay.

Attack surface. You could take a computer system and segment everything into consistent, independent subsystems: we have disk, we have NVMe (which you could consider a different subsystem if you want), you have backup media, you have your network, you have your memory, your applications, your configuration. You can segment all those things up, and each of those systems will have its own set of risks, and you should consider that when you start creating policies around them and how you want to protect that data. And remember this: a smaller attack surface is easier to defend than a big one. For example, if I have a router at the network edge and I allow everything into my network, then every server on it has to be protected; that's a large attack surface. But if I were to put a network firewall at the junction between the ISP and my network, I only have to worry about that one to protect my internal systems; it's a smaller attack surface. That's what we mean by that.

Another one: if you have sensitive network services, those might be things like sshd, it might be your VPN, it could be remote access to see a GUI on your machines, it could be Syncthing, it could be any number of utilities that are sensitive network services. Those should be concentrated on as small a number of machines as possible. The more machines you have, again, the larger the attack surface is going to be. Let's say there was an exploit in sshd, just to give you an example. Let's say that I put a version of sshd that was, say, FreeBSD-based; that would be the one on the outside of the network, and let's say that I encrypted that and I only allowed people to come in that had maybe a smart card, or maybe keys like the YubiKey or something like that, before they're allowed access. That's an extra layer of security that your internal systems wouldn't have. On your internal systems you could set up your firewalls to only allow SSH connections through the pfSense, so you have to go through the pfSense router to be able to get to any of the systems internally, or you could turn off access from the pfSense router completely so it cannot initiate sshd connections at all. In that case you're completely separated as far as your network filter is concerned; you've completely blocked off the ability for someone on the outside to use SSH to come all the way through into your network. Anyway, that's one area where you kind of reduce the attack surface. Now, those are suggestions, those are recommendations. It's easier to secure a checkpoint than it is a group of individual systems; that is the point. So you could think of it also as having a broad-brush limit on the services that are exposed, that you protect with pfSense on the outside, but then each one of your individual systems may have a smaller subset of rules they have to protect against. And it is always advisable to run multiple firewalls, absolutely.

Let's look at a couple of possible security measures. Let's say you have a server where you're storing movies and your music collection and your photos, and maybe you have some financial data on it too. If those services are publicly available, in other words you want to be able to access this while you're on the road, you need to secure the network for it; you need to secure those to make sure that only you are allowed access, right? You don't want those open to anyone else. So you might consider things like a VPN to be able to access them. Only enable those network services that you need. I know that's basic, but you'd be surprised how many times, even here in my lab, after I've been working on a project, I come back and I forget to turn off a network service because it's no longer in use. That happens. And if you have monitoring set up that reminds you, to say "hey, dummy, you left this network service running, turn it off," that helps. We're only human and there's only so much capacity our brains can hold and remember, so things like reminders that come back and say "hey, you've got network ports open on here that shouldn't be," that tell you to turn them off, are good reminders.

Change your default passwords. I don't know how many times I've read in the past couple of years where an attacker has gained access to a commercial system simply because they left the default passwords in place, and on IoT devices that happens all the time. It happens for a number of reasons, and the biggest reason is that the IoT devices don't document the accounts that are open on them, so you don't know until somebody publishes a report that someone is getting access through an account you didn't know existed on that device. So change the default passwords where you can. I don't like systems that install with default passwords; I prefer them to tell me to change the password when I install, and I feel much better when that happens. I'm sure you do too.

Use two-factor logins for external access; if you're truly paranoid, you can use it internally too. You've seen my diagrams of my network, they're out here, I've done presentations on it before.

The other one is to install fail2ban. Fail2ban limits the brute-force attempts that can be made. Let's say you have sshd running. I can guarantee you there are people out there looking for sshd; I see it on my firewalls all the time, these guys just cruising by trying to find sshd open. One day, just for the heck of it, I said I think I'll turn that port on and see what happens, and sure enough, they came back and started hammering away at passwords, going through what looked like a list, just continually hammering and hammering at it. Eventually they may get lucky and get in. Fail2ban will only allow X number of attempts and then it locks the entire machine down for a period of time, so it really spoils the number of attempts they can make in a given time frame, and a lot of times these automated systems will just move on, and then they'll come back and look at you again later. So yeah, fail2ban does help.

HTTPS: if you do have an exposed web server, use HTTPS, because remember that also protects your cookies while they're in transit.

What about a laptop? If you are traveling with a laptop, the risk there is it being stolen, and the data on it would of course be accessible to whoever has it, unless you had full disk encryption turned on. The other one is the risk of data being collected at Wi-Fi hotspots. We all know about man-in-the-middle attacks; a lot of these Wi-Fi hotspots are
insecure and therefore your data is unencrypted so the only way you can prevent that from being a problem is have a VPN that you turn on when you get to those sites that does two things that make sure that even a man-in-the-middle attack can't jump in and and become your hotspot but you would still have to be careful of what you're doing and when you're making your connections it's making sure that you're on the right particular one that's always that's always kind of an issue that you're on the one provided by the facility at McDonald's or the Starbucks or whatever it is that you're using to connect to also remember that a firewall is needed to protect you out there as well if you have services that are running on your laptop you don't want those accessible from the outside ports also yeah VPN access you would need as well and that also might be to your home servers so you might have a VPN that's encrypting your traffic going to your VPN provider and you might also have a VPN that is being used to access your home servers possible security measures that you might consider on network since this again to say all the services that are needed if there are if no firewall and network services up it's available to anyone so that's the problem you have I mean in the in the most key most of the cases Linux is trusting so yeah if you do you got an SSH D system run it with no firewall in front of it it's available to everybody on that's cable to connect to your network and get get to that address and the other problem that you have with a lot of services there's no authorization credentials that's one of my biggest problems with some of the our applications and is that they they they do have some but they're the dot our files and those might as well not even be there so you want to turn those off or not allow them access through the firewall services also could be running as root and if you're they're able to jump to a shell they would have full administrative privileges on 
your box yeah not good firewall filtering gateway types are one type and those are firewalls installed on routers that would be example so that would be like PF sense or open that open sense etc and then you also have the note filter or the IP filter which would be those that would be provided by Linux and would be installed on the individual machine so yeah you can use a combination of both there's no problem with that in fact you can go as far as for each yeah I mean you can get so paranoid with the filters that you can in the and the - and the from column of where you want the IP addresses you can say this machine is only allowed to connect the sshd to that machine and you yeah you can actually get that far now of course IP addresses can be spoofed right it can be but yeah you can't get that far down if you want what about monitoring and logging your CI your system so one of the things that I use is long check and lock check can email you messages containing entries from your system logs that are unusual so if it's and you can control it yeah there's a broad-based control called paranoid and server and workstation they can set and you can also go ahead and set individual rules if you want to make it even more fine-grained but so if you just set it to paranoid it's gonna get real chatty and it's gonna fill up your email box a lot with long messages yeah it's very verbose you probably want to reserve that for servers that have sensitive data on them or maybe your firewall gateways but I certainly went to paranoid on every single one you he'd be flooded so much with that junk you might as well just go read they the log files directly yeah it might be faster monitoring age top top and glances are all good tools to monitor now a we think of okay let's just go and see how much memory the systems are taken and how busy they are and maybe we look at what processes are running here what you're really looking for is the gain kind of a historical memory of what those 
systems are doing most of the time and what you're looking for is unusual CPU network activity maybe disconnect in a higher volume than normal but there's something else going on that you're like wait a minute I not an install anything new on that machine why is it taking more resources today and I mean significantly more resources right that you're looking for not just a 5 or 10% increase in activity but something really going on that you don't know what it is and in that case you might want to go investigate the logs take a look at what has happened what about detecting changes so packages are some of the areas that we're always concerned about because even though there are I mean Debian and RP a-- and Red Hat they all have very good mechanisms arch has very good mechanisms for indicating that these are authentic but what happens after they're installed what prevents something from overlaying files that you had thought you had locked down and you knew what was in them but something else he didn't know about comes along and modify something outside of its scope that's always a possibility so you have Debian systems you can use DPP QJ - verify and it'll go through and I'll look for the packages you have installed and the files that have been installed and it starts to look down through them to determine what's been modified in them and it'll give you a list and there's a coded list and you can go look it up in man page as to what that means some of the times it means that this was a legitimate change this is an approved change you know like an update it has something update has come along and it's updated a config file or this is one that we're not sure where this update came from and then you'll have to go back to you know what did you do to the system or whether or not something else modified it Red Hat systems has a similar method it's called rpm - verify - a you can do the - verify and do individual packages with rpm or you can do - a which does everything and 
Again, there's a set of codes in the man pages that you can look at for that. Yeah, AIDE is also another good way of detecting changes, or Tripwire or something like that. Those are methods that you can use: they go through and create a fingerprint for each of the files on your system. Now, you can control what directories you want it to look at. I'm not going to make any suggestions specifically about which ones you should protect or not, but there is a configuration file that controls the areas of the system that you want AIDE to manage. If you have it manage everything on your system, that can take some time to run, because it calculates a checksum on every single file and then publishes it in a database. The next time it runs, it does a comparison between the old database and the new, so every time you make a change or do an update you have to copy the new database over the old manually. But it will then check whether or not there is a difference between the file it discovers on disk and the last time it calculated a checksum for it.

There's another thing that's kind of interesting: if you're looking for a command and you're not sure what it is, you can use apropos. Apropos will take a keyword, search your man pages, and come back with a list of everything that matches. So let's say you were looking for a copy command and you type in "apropos copy"; copy is the keyword, and it'll come back with cp, and I think there's a bunch of others it comes back with, like some of these utilities that do individual copies or bitwise copies and all that kind of stuff. But it's a discrete way to search the man pages using keywords when you're not quite sure what command to look for but you have an idea of what you want it to do. You can just do that with apropos, and that's on most of the Linux systems that I've ever been around.

So that's the end of part one. Where this goes from here is really up to you. So, for the coming lessons, these are some of my thoughts, and I'd like to hear yours as well.

How to configure a firewall, whether that be pfSense or IP Filter or netfilter. Yeah, I certainly want to teach you how to do that.

Turn on other detection features. There are other things you can do in Linux, and Lynis does help you: it will kind of coach you through and say you need to have this on, and this on, and this on, so we will go through some of that.

Package and package cache management. It's always a good idea to keep that clean, and clean as we say. There are times where the package management system and its cache can become corrupt, or it can contain files that are not really there, or even worse, that are there but aren't properly checked in, and that happens sometimes during failed updates or partial uninstalls. So you may find versions of packages that are different from the ones that are installed in the cache; that is a common problem. So we'll talk about how to clean that mess up.

Handling problems after your upgrade. Yes, upgrades can reverse system hardening decisions that were made; absolutely they can.

How to detect new members coming into your network. That would be MAC addresses that show up that aren't part of your network, and you're going, "wait, I didn't put any new machines on; how did that get in here?"

Audit your system for specific changes that would compromise security. Now, that might be your password file, it might be your shadow file, it might be the group file; those are some obvious places to look, and there might be others.

Where should your default umask be set? What's a recommended setting?

Password expiration the Linux way. Yeah, I probably should talk about that a little bit, and get your systems so that they actually are expiring your passwords, because you don't want to keep the same password for very long, just in case. And never use the same password on more than one system; there's an exception to that if you use LDAP, because that's what LDAP does.

How to back up and test your backup. We'll talk about that; that should be part of any security discussion.

Making your distro run off a USB key. Why would you do that? So you can take it with you anywhere; but how do you take it securely with you anywhere?

What to do if you have to nuke and pave after a compromise. Yeah, we hope that never happens, but if it does happen and you suspect you've been compromised, you don't know what they've done, and if you're not tracking what's changed in your system you'll never find out, and chances are they'll cover their tracks anyway. Yeah, they're pretty savvy; if somebody gets in that is savvy and really knows what the heck's going on, they will cover their tracks, so that could be very hard to detect. And I know that some of these systems have gone undetected for many months before they finally found out that they really had been compromised.

So yeah, it's really up to you where we go from here. Let me get my mouse back. Yeah, that's kind of where I wanted to stop today. This is a big lesson; this is not something I can cover in 30 minutes, it's not something I can cover in an hour, it's probably not something I can cover really in a lifetime. But you know, we can attempt to go down through some of the basics. I can get you started; I can give you some places to go to get some more information that's better than I can give you. I don't mind admitting that I don't know everything; I certainly don't. So I'm learning too, and I'm still learning and probably will continue to do so. I hope to see you all again soon. Hope you enjoyed this video, and if you did, as always, please like and subscribe. Good to see you; I'll get rolling soon. Bye for now.
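The following is an added, worked illustration of the baseline / check / update cycle that AIDE and Tripwire implement, as described in the captions above. It is example code written for this page, not code from the video, from AIDE or from Tripwire: it builds the fingerprint database with coreutils (find, sha256sum, awk) so it runs without AIDE installed. The file names aide.db and aide.db.new, the sample etc/ tree and the "compromise" edits are illustrative constructions, and the AIDE commands named in the comments are the approximate real-tool equivalents of each step.

```sh
#!/bin/sh
# Added example (not the video's or AIDE's own code): a minimal
# baseline / check / update cycle of the kind AIDE or Tripwire run.
# Rough AIDE equivalents: baseline  -> aide --init   (writes aide.db.new)
#                         compare   -> aide --check  (disk vs aide.db)
#                         accept    -> copy aide.db.new over aide.db by hand,
#                                      the manual step mentioned above.
set -u

# baseline DIR DB: write "sha256  path" for every regular file under DIR.
# Caveat: this records content only; AIDE also records mode, owner, inode,
# mtime and so on, so a chmod or chown would slip past this simplified check.
# Keep the database somewhere the machine being checked cannot rewrite
# (read-only media, another host); a baseline an intruder can edit proves nothing.
baseline() {
    dir=$1; db=$2
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done > "$db"
}

# compare OLD NEW: print "changed|added|removed <path>" for every difference,
# sorted. Paths may contain spaces, so the path is everything after "hash  ".
compare() {
    awk '
        { hash = $1; path = substr($0, length($1) + 3) }
        FILENAME == ARGV[1] { old[path] = hash; next }
        { new[path] = hash }
        END {
            for (p in new) {
                if (!(p in old))           print "added " p
                else if (old[p] != new[p]) print "changed " p
            }
            for (p in old) if (!(p in new)) print "removed " p
        }' "$1" "$2" | LC_ALL=C sort
}

# accept NEW OLD: only after every reported difference has been reviewed and
# is yours (an update you ran, an edit you made), promote the new database so
# the next check uses it as the baseline.
accept() {
    mv "$1" "$2"
}

# demo: constructed sample tree (not a real system) exercising all three cases.
# Returns the diff report with the temporary prefix stripped.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/etc"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$work/etc/passwd"
    printf 'PermitRootLogin no\n' > "$work/etc/sshd_config"
    printf 'stale\n' > "$work/etc/old.conf"
    baseline "$work/etc" "$work/aide.db"

    # Simulate what a compromise, or a careless edit, looks like on disk.
    printf 'PermitRootLogin yes\n' > "$work/etc/sshd_config"   # changed
    printf 'evil\n' > "$work/etc/ld.so.preload"                 # added
    rm "$work/etc/old.conf"                                     # removed

    baseline "$work/etc" "$work/aide.db.new"
    compare "$work/aide.db" "$work/aide.db.new" | sed "s#$work/etc/##"
    accept "$work/aide.db.new" "$work/aide.db"
    rm -rf "$work"
}

demo
```

Running the script prints one line per difference (added ld.so.preload, changed sshd_config, removed old.conf). In practice you would run the baseline immediately after installation and hardening, before the machine is exposed, run the comparison from cron, and only promote the new database once you have explained every line in the report.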
Info
Channel: DJ Ware
Views: 14,783
Keywords: DJ Ware, CyberGizmo, Linux, Linux Hardening, Linux Hardening for Home, Home Computer Security, Debian, Redhat
Id: GXLdzmGmSlY
Length: 40min 0sec (2400 seconds)
Published: Mon Jun 22 2020