securing a host - start [apnic training wiki]

Posted 07-Jun-2020

Securing a host

Matsuzaki 'maz' Yoshinobu

<maz@iij.ad.jp>

Hardening a host

• Differs per operating system
  • Windows: users cannot be trusted to make security-related decisions in almost all cases
  • OS X: make things work magically for users; try to handle security issues in the background
  • Linux: varies by distribution:
    • Ubuntu: tries, like OS X, to make things just work.
    • Red Hat: includes very useful tools, but they are turned off by default
  • BSD: users will figure it out
• Changes with time

General considerations

• Define a personal usage profile and policy.
  • What hardware do you use?
  • What software tasks do you do on your computer?
  • Do the first two change when you travel?
  • What habits from the above two do you need to change to be more secure?
• Decide if you really need VPN access to your network while travelling.

General practices

• Install only the services and software you actually need.
• Uninstall or disable all software and services you do not use or need.
• Periodically and actively scan your machine for vulnerabilities.
• Have as few user accounts on your systems as possible.
• Protect your administrative account: have a strong password, do not permit remote password-based logins, and do not log in as an administrator unless you need to do an administrative task.

Securing Mac OS X

• disable unused "sharing" services
  • System Preferences -> Sharing
• update software
  • App Store -> Updates
• check listening services
  • $ netstat -an | grep LISTEN
• enable the firewall
  • System Preferences -> Security & Privacy -> Firewall

Securing Linux: minimize packages

• CentOS
  # yum list installed
  # yum remove <PackageName>
• Ubuntu > 16
  # apt list --installed
  # apt remove <PackageName>

Securing Linux: update packages

• CentOS
  # yum upgrade
• Ubuntu > 16
  # apt update
  # apt upgrade

Securing Linux: checking services

• CentOS
  • ss -nl
• Ubuntu > 16
  • netstat -nl
• add -p to either command (as root) to see which process owns each socket; ss -nl works on Ubuntu as well, and netstat needs the net-tools package on recent releases
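The listing above is only useful if someone compares it against what the host is supposed to run. The following script is an added example (not part of the original slides): it parses the table printed by `ss -nltup` on Linux and reports every socket bound to a non-loopback address that is not on an allowlist. The sample `ss` output and the allowlist (a hypothetical web server that should expose only SSH and HTTP) are constructed for the example; `live_audit()` runs the same check against the real host.

```python
"""Audit listening sockets against an allowlist.

Added example for this page (not from the original slides).  It parses the
output format of `ss -nltup` (Linux) and reports every socket that is bound
to a non-loopback address and is not on the host's allowlist.  The sample
output and the allowlist below are constructed for the example.
"""
import re
import shutil
import subprocess

# Constructed sample output, in the column layout `ss -nltup` prints.
SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=905,fd=7))
tcp   LISTEN 0      511    *:80               *:*               users:(("nginx",pid=1201,fd=6))
tcp   LISTEN 0      70     0.0.0.0:3306       0.0.0.0:*         users:(("mysqld",pid=1404,fd=21))
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*         users:(("dhclient",pid=700,fd=6))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=812,fd=4))
"""

# Hypothetical policy: (protocol, port) pairs this host is allowed to expose.
ALLOW = {("tcp", 22), ("tcp", 80), ("udp", 68)}

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}
WILDCARD = {"0.0.0.0", "*", "[::]", "::"}
PROC_RE = re.compile(r'"([^"]+)",pid=(\d+)')


def parse_ss(text):
    """Turn the ss table into a list of dicts (one per socket)."""
    sockets = []
    for line in text.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 6:
            continue
        proto, state, local = cols[0], cols[1], cols[4]
        addr, port = local.rsplit(":", 1)        # rsplit keeps IPv6 brackets intact
        m = PROC_RE.search(line)
        sockets.append({
            "proto": proto, "state": state, "addr": addr, "port": int(port),
            "proc": m.group(1) if m else "?",
            "pid": int(m.group(2)) if m else None,
        })
    return sockets


def exposure(addr):
    """Classify where a socket is reachable from."""
    if addr in LOOPBACK:
        return "loopback"
    if addr in WILDCARD:
        return "all-interfaces"
    return "one-address"


def audit(sockets, allow):
    """Return sockets that are reachable from the network but not allowlisted."""
    findings = []
    for s in sockets:
        if exposure(s["addr"]) == "loopback":
            continue                              # local-only services are low risk
        if (s["proto"], s["port"]) in allow:
            continue
        findings.append({**s, "exposure": exposure(s["addr"])})
    return sorted(findings, key=lambda s: (s["proto"], s["port"]))


def live_audit(allow=ALLOW):
    """Run the audit against the real host; needs Linux with `ss` installed (root for -p)."""
    if shutil.which("ss") is None:
        raise RuntimeError("ss not found; run this on a Linux host")
    out = subprocess.run(["ss", "-nltup"], capture_output=True, text=True, check=True).stdout
    return audit(parse_ss(out), allow)


if __name__ == "__main__":
    for f in audit(parse_ss(SAMPLE), ALLOW):
        print(f"{f['proto']}/{f['port']} {f['proc']} (pid {f['pid']}) "
              f"bound to {f['addr']}: {f['exposure']}")
```

On the constructed sample the only finding is mysqld on tcp/3306, bound to all interfaces: cupsd is skipped because it listens on loopback only, and sshd, nginx and dhclient are on the allowlist. Anything the script reports is a candidate for `apt remove`/`yum remove`, for binding to 127.0.0.1, or for a firewall rule.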

Securing Linux: firewall

• CentOS
  • iptables
  • firewalld (front end for iptables)
• Ubuntu > 16
  • iptables
  • ufw (front end for iptables)
• start from a default-deny inbound policy and allow only the ports the previous step showed you actually need

Securing Windows: minimize services

• services.msc

Securing Windows: updating

• > start ms-settings:windowsupdate

Securing Windows: checking services

• > netstat -na (add -o to show the owning process ID; -b, from an elevated prompt, shows the program name)

Securing Windows: firewall

• wf.msc
• The Windows firewall offers four types of rules:
  • Program: block or allow a program.
  • Port: block or allow a port, port range, or protocol.
  • Predefined: rules for a built-in Windows feature or service.
  • Custom: any combination of program, service, protocol, port, address and profile.

Windows Network Category

• run PowerShell as administrator
• to confirm:
  > Get-NetConnectionProfile
• to change it to Public:
  > Set-NetConnectionProfile -Name "<NetworkName>" -NetworkCategory Public
• to change it to Private:
  > Set-NetConnectionProfile -Name "<NetworkName>" -NetworkCategory Private
• the Public profile applies the most restrictive firewall rule set (no discovery, no file sharing); use it on any network you do not control

Hardware

• Rule 1: all bets are off with physical access to your devices.
• Consider removing hardware you never use, say Bluetooth.
• Disable, in the BIOS/EFI or in your operating system, the hardware or features you cannot remove physically:
  • Wake-on-LAN
  • Bluetooth discoverability
  • USB ports?
• BIOS passwords are not that useful
• BIOS-level encryption/locking of hard disks may not be portable

Compromised system

• Any file on the system is already suspicious
• You may be able to remove a malware
  • there could be another one that you cannot detect

Wipe

• Don't use files from the compromised system
  • programs
  • documents
  • images
• Clean up the storage that was connected to the system
  • HDD
  • SSD
  • flash memory

How can we rescue information from suspicious data files?

• convert it into another format
  • png -> jpg, jpg -> png
  • doc -> txt
  • excel -> csv
  • pdf -> png/jpg
• infected code cannot survive such a drastic modification
  • do the conversion on a separate, disposable machine: opening the file is what triggers an embedded exploit

Wipe to give away

• data is still there even if it's formatted
  • experts can read the data by using special tools
  • an electron microscope can read more
  • leakage of secret data
• you need to make sure the data is erased
  • # dd if=/dev/urandom of=/dev/<disk> bs=16M
  • on SSDs and flash memory an overwrite does not reach remapped or spare blocks: use the drive's own secure erase (nvme format, hdparm --security-erase) or, better, encrypt the whole disk from the first day and discard the key

Recover

• 'clean install' from scratch
  • format the disk, use a proper OS image
• apply the latest OS patches to be up to date
  • it could be vulnerable before it is patched
  • do the update on a secure network
• install needed applications
  • check for upgrades, of course

Recover (cont.)

• disable unnecessary services
  • the same as the hardening procedure
• check configurations
  • for any weakness
• change all passwords on the system
  • any password might have been stolen

Replacing might be your choice

• securing the compromised system as is
  • for further investigation
  • malware that stays in memory only (image the memory before powering off, or the evidence is gone)
• just replace the compromised system
  • spare hardware

Backups

• Encryption
• Automation
• Generations

Encryption

• Assume theft and loss
• Your backups must have at minimum the same encryption level as the source data

Automation

• We are lazy!
  • easy to forget
• automated backup will help you
  • most systems have scheduled backup

Generations

• you should have a 'good' version of backup there
  • if a system is compromised, the malware might be backed up in the archive as well; you won't want to restore that
• if something goes wrong by chance, you may restore the previous version
• find a 'good' version from your archives
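Keeping "generations" means deciding which old copies to keep and, after a compromise, which copy is clean. The script below is an added example (not from the slides) that implements both decisions: a grandfather-father-son retention rule (newest N daily, newest of each week, newest of each month) and the choice of a restore point that predates the compromise by a safety margin. The snapshot dates are constructed for the example.

```python
"""Backup generations: keep several older copies and pick a clean one.

Added example, not from the original slides.  retention_plan() decides which
snapshots to keep when pruning; restore_point() picks the newest snapshot
that is safely older than a known compromise.  Dates below are constructed.
"""
from datetime import date, timedelta


def retention_plan(snapshot_dates, today, keep_daily=7, keep_weekly=4, keep_monthly=6):
    """Return the set of snapshot dates to keep.

    Daily:   the newest `keep_daily` snapshots.
    Weekly:  the newest snapshot of each ISO week, for `keep_weekly` weeks.
    Monthly: the newest snapshot of each month, for `keep_monthly` months.
    Everything else may be pruned.
    """
    dated = sorted(d for d in snapshot_dates if d <= today)
    keep = set(dated[-keep_daily:])
    weekly, monthly = {}, {}
    for d in dated:                               # ascending, so last write wins
        weekly[d.isocalendar()[:2]] = d           # newest snapshot of the ISO week
        monthly[(d.year, d.month)] = d            # newest snapshot of the month
    keep.update(sorted(weekly.values())[-keep_weekly:])
    keep.update(sorted(monthly.values())[-keep_monthly:])
    return keep


def restore_point(snapshot_dates, compromise_date, margin_days=1):
    """Newest snapshot taken at least `margin_days` before the compromise.

    Snapshots taken after the compromise (or too close to it) may contain the
    malware, so they are skipped; returns None if no clean snapshot exists.
    """
    cutoff = compromise_date - timedelta(days=margin_days)
    clean = [d for d in snapshot_dates if d <= cutoff]
    return max(clean) if clean else None


# Constructed archive: one backup per day for the last 120 days, newest first.
TODAY = date(2020, 6, 7)
SNAPSHOTS = [TODAY - timedelta(days=i) for i in range(120)]

if __name__ == "__main__":
    keep = retention_plan(SNAPSHOTS, TODAY)
    print(f"{len(SNAPSHOTS)} snapshots, keep {len(keep)}, prune {len(SNAPSHOTS) - len(keep)}")
    print("restore point for a compromise found on 2020-06-01:",
          restore_point(SNAPSHOTS, date(2020, 6, 1)))
```

With the constructed archive the plan keeps 13 of 120 snapshots (7 daily, 3 extra weekly, 3 extra monthly back to 29 February) and, for a compromise found on 1 June, picks 31 May as the restore point. The margin matters: the date you noticed the compromise is rarely the date it happened, so widen `margin_days` to cover the dwell time your investigation found.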

Off-site archives

• 2011 Tohoku earthquake and tsunami
  • washed away buildings and data centers
  • 4 local governments lost all data in the family registration system
• They had off-site backups, fortunately
  • it took about one month to recover, though
  • they wanted to make sure nothing was missed

HTTP and Secure Channel

BhutanNOG4

  without TLS:  HTTP over TCP over IP
  with TLS:     HTTP over TLS over TCP over IP

SSL/TLS

• SSL and TLS
  • SSL v3.0 specified in an I-D in 1996 (draft-freier-ssl-version3-02.txt) and now in RFC6101
  • TLS v1.0 specified in RFC2246
    • TLS v1.0 = SSL v3.1 ≈ SSL v3.0
  • TLS v1.1 specified in RFC4346
  • TLS v1.2 specified in RFC5246
  • TLS v1.3 specified in RFC8446 (2018)
• Goals of the protocol
  • Secure communication between applications
  • Data encryption
  • Server authentication
  • Message integrity
  • Client authentication (optional)


SSL is not secure anymore

• SSL 2.0 and SSL 3.0 have known vulnerabilities in the protocol specifications
  • downgrade attack
  • POODLE attack (against SSL 3.0 CBC padding)
  • RFC6176 - Prohibiting Secure Sockets Layer (SSL) Version 2.0
  • RFC7568 - Deprecating Secure Sockets Layer Version 3.0
• Use TLS instead
  • TLS 1.0 and 1.1 have since been deprecated as well (RFC8996); configure TLS 1.2 or later


TLS Properties

• Connection is private
  • Encryption is used after an initial handshake to define a secret key.
  • Symmetric cryptography is used for data encryption
• Peer's identity can be authenticated
  • Asymmetric cryptography is used (RSA or ECDSA)
• Connection is reliable
  • Message transport includes a message integrity check using a keyed MAC.
  • Secure hash functions (such as SHA384, SHA256) are used for MAC computations.


The TLS Handshake Process

TLS Client <--- Internet ---> TLS Server

1. Client initiates the TLS connection and sends its supported cipher suites
2. Server returns its digital certificate and the selected cipher suite to the client
3. Client sends the shared secret encrypted with the server's public key (the RSA key exchange shown in the figure; ECDHE suites and TLS 1.3 derive the secret with ephemeral Diffie-Hellman instead, so a later compromise of the server key does not expose recorded sessions)
4. Message encryption and integrity algorithms are negotiated
5. Session keys are generated
6. Secure session tunnel is established
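The client's side of this exchange, as it should be configured after the previous two slides (no SSL, no TLS 1.0/1.1, server authenticated against the trusted CA store), is shown in the following added example; it is not code from the slides. It uses Python's ssl module: `make_client_context()` builds the hardened context and can be inspected offline, while `probe()` performs a real handshake and reports the negotiated version, cipher suite and certificate. The host name comes from the page's trust-chain figure; everything else is an assumption of the example.

```python
"""A TLS client that refuses SSL 3.0 / TLS 1.0 / TLS 1.1 and verifies the server.

Added example, not from the original slides.  The context follows the page's
advice: use TLS (1.2 or later), authenticate the peer against the trusted CA
store, and never allow a downgrade to SSL.  probe() needs network access.
"""
import socket
import ssl


def make_client_context():
    """Client context: TLS 1.2+ only, certificate and hostname verification on."""
    ctx = ssl.create_default_context()            # loads the OS trust store, CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuses SSL 3.0, TLS 1.0 and TLS 1.1
    ctx.check_hostname = True                     # certificate must match the host name
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_summary(ctx):
    """Plain values describing the context, convenient for checks and logging."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "sslv3_disabled": bool(ctx.options & ssl.OP_NO_SSLv3),
    }


def probe(host, port=443, timeout=5):
    """Do a real handshake (steps 1 to 6 of the figure) and report the result."""
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()                  # only available once verified
            return {
                "version": tls.version(),             # e.g. 'TLSv1.3'
                "cipher": tls.cipher()[0],            # negotiated cipher suite
                "subject": dict(x[0] for x in cert["subject"]),
                "issuer": dict(x[0] for x in cert["issuer"]),
                "not_after": cert["notAfter"],
            }


if __name__ == "__main__":
    print(context_summary(make_client_context()))
    try:
        print(probe("www.apricot.net"))            # host from the page's trust-chain figure
    except (OSError, ssl.SSLError) as exc:
        print("handshake failed:", exc)            # a failed verification is a finding, not a crash
```

A server that only offers SSL 3.0 or TLS 1.0, or presents a certificate that does not chain to a trusted root or does not match the host name, makes `probe()` raise `ssl.SSLError` rather than silently connecting; that is the behaviour you want from every client on the host.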

TLS Client Authentication

- Client authentication (certificate based) is optional and not often used
- Many application protocols incorporate their own client authentication mechanism such as username/password or S/Key
- These authentication mechanisms are more secure when run over TLS

TLS IANA Assigned Port #s

Protocol      Defined Port Number   TLS Port Number
HTTP          80                    443
NNTP          119                   563
POP           110                   995
FTP-Data      20                    989
FTP-Control   21                    990
Telnet        23                    992

Certificate Authority

• issues a digital certificate which is signed by the CA's private key
• you can verify the certificate using the corresponding public key
  • if you trust the public key
• ...and CAs can have a hierarchical trust model

Trust chain

root CA (the trusted CA in your key store)
  --sign--> intermediate CA
    --sign--> end entity cert
    --sign--> end entity cert (e.g. https://www.apricot.net)

CA and certificates

• a CA can issue a certificate for any domain name
  • if you trust the CA, the certificate looks legitimate
• if you have a malicious CA in your trusted keychain, an attacker can monitor/modify your TLS session data
• Yes, we have cases
  • https://support.lenovo.com/nz/en/product_security/superfish
  • https://www.dell.com/support/article/us/en/19/SLN300321

Check your trusted CA

• Windows
  • certlm.msc (local machine store); also certmgr.msc for the current user's store
• Mac OS X
  • Keychain Access.app
• Firefox
  • Setting -> Advanced -> Certificates -> View Certificates (current releases: Settings -> Privacy & Security -> Certificates); Firefox keeps its own store, separate from the OS
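Looking through the GUI list works once; doing it regularly calls for a script. The following is an added example (not from the slides) that audits the root store the same way the two cases above would have been caught: it compares the roots loaded by Python's `ssl` module against a baseline recorded on a clean install, and against a short blocklist of root names from those publicly documented incidents (Superfish's root is named "Superfish, Inc.", Dell's was "eDellRoot"). The sample store and the baseline serial numbers are constructed for the example.

```python
"""Audit the trusted root CA store for roots you did not expect.

Added example, not from the original slides.  ssl.create_default_context()
loads the same system roots that Python's HTTPS clients trust; audit_roots()
flags blocklisted names and anything missing from a recorded baseline.  The
sample store and the baseline below are constructed for the example.
"""
import ssl

# Root names from the two incidents the page links to (Lenovo Superfish, Dell eDellRoot).
BLOCKLIST = {"Superfish, Inc.", "eDellRoot"}


def load_system_roots():
    """Return the trusted roots in ssl's dict form (subject, issuer, serialNumber, ...)."""
    return ssl.create_default_context().get_ca_certs()


def names(cert):
    """Flatten a cert's subject into {attribute: value}."""
    return dict(rdn[0] for rdn in cert["subject"])


def audit_roots(certs, baseline_serials=None, blocklist=BLOCKLIST):
    """Return findings as (reason, name) for roots that look out of place."""
    findings = []
    for c in certs:
        n = names(c)
        name = n.get("commonName") or n.get("organizationName", "?")
        if name in blocklist or n.get("organizationName") in blocklist:
            findings.append(("blocklisted", name))
        elif baseline_serials is not None and c.get("serialNumber") not in baseline_serials:
            findings.append(("not in baseline", name))   # new root since the clean install
    return findings


# Constructed sample store: two ordinary roots plus a Superfish-style root.
SAMPLE = [
    {"subject": ((("organizationName", "Example Trust Ltd"),), (("commonName", "Example Root CA"),)),
     "issuer": ((("commonName", "Example Root CA"),),), "serialNumber": "01"},
    {"subject": ((("commonName", "Another Root"),),),
     "issuer": ((("commonName", "Another Root"),),), "serialNumber": "02"},
    {"subject": ((("countryName", "US"),), (("organizationName", "Superfish, Inc."),),
                 (("commonName", "Superfish, Inc."),)),
     "issuer": ((("commonName", "Superfish, Inc."),),), "serialNumber": "deadbeef"},
]
# Hypothetical baseline recorded on a clean machine: serials of the known-good roots.
BASELINE = {"01", "02"}

if __name__ == "__main__":
    for reason, name in audit_roots(SAMPLE, BASELINE):
        print(f"{reason}: {name}")
    roots = load_system_roots()
    print(f"system store has {len(roots)} loaded roots")
    for reason, name in audit_roots(roots):          # blocklist only; record your own baseline
        print(f"{reason}: {name}")
```

To build a real baseline, run `load_system_roots()` on a freshly installed machine and store the serial numbers; later runs then list every root added since. Note that `get_ca_certs()` returns only roots loaded from a CA file; roots in a hashed CA directory appear once they have been used for a verification, and Firefox's separate store is not covered at all.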
