Monday, July 13, 2015

Encryption - Basics

Linux - Encryption
by Jeff Hatfield pd: July 13, 2015

Encryption: The very “evil” thing the UK and US governments are looking to banish from the Internet is baked into Linux distributions. From whole-disk encryption, single files, email GPG encryption or Secure shell (ssh), Linux has you covered. The very fact Open Source encryption tools exist insures encryption will not ever disappear. Some of our “friends” at the big 3-letter agencies or nation-state entities use encryption to protect their data, so why shouldn’t you?
That said, it is also possible for such 3-letter agencies or government officials to force your hand and provide the decryption key for your data. In many situations where you would want to ensure even this could not happen, other options such as encrypting specific sets of data on your encrypted drive via hidden volumes utilizing multiple assorted keys (including images or other files along with your passphrase) with Truecrypt would provide foolproof protections against such strong-arm tactics.

Disk Encryption

If you use encryption you can be sure your files are stored on the disk in an encrypted form. Protection of is provided since your files only become available to the operating system and applications in readable form while the system is running and unlocked by a trusted user. Anyone looking at the disk contents directly will only find garbled random-looking data instead of actual files.
What instances would you think of where such encryption would be helpful?
  • Your drive or system is located in a place where non-trusted people might gain access. Certain nefarious types or entities might attempt to install malware, keyloggers or Trojan horse programs on your system, but would be thwarted by an encrypted disk at rest.
  • Your system is lost or stolen, as with laptops, netbooks or external storage devices
  • Your shiny new laptop is in the repair shop
  • After its useful lifetime to you, either discarded or donated to a charity

Be mindful of these items:

  • You must consider threats to your system in a powered state including keyloggers and other malware designed specifically to take control while the system and access data before it is encrypted.
  • Advanced crackers and nation states have the wherewithal, funding and incentives to perform such attacks, even on your encrypted system. In addition, anyone could wipe all data from your drive and repurpose or sell your system.
  • The better option for security of your data would be to perform regular backups and if possible, use a trusted computing module (TPM) or hardware encryption device.

Data or System

Data encryption

Most of your data on a Linux system is located within the /home directory, but could be stored on removable media like a data DVD or external hard drive, USB stick or SDCard just as easily. And though it is the simplest and least intrusive method to encrypt your data, it does have some significant disadvantages.
There are many background processes caching metadata or parts of the data itself in non-encrypted areas of the hard drive. These areas include partitions for swap, /tmp, or /var. I’ve found the best solution for a normal home workstation or laptop is to keep maintain only the root partition / with the a swap and /home partitions, both of which can be encrypted as well.
System encryption
This method encrypts all content on a system including the operating system and user data and helps to address some of the inadequacies of data encryption.
Benefits:
  • Prevents unauthorized physical access to (and tampering with) operating system files
  • Prevents unauthorized physical access to private data that may be cached by the system
Disadvantages:
  • Unlocking of the encrypted parts of the disk can no longer happen during or after user login; it must now happen at boot time
In practice, there is not always a clear line between data encryption and system encryption, and many different compromises and customized setups are possible.
In any case, disk encryption should only be viewed as an adjunct to the existing security mechanisms of the operating system - focused on securing offline physical access, while relying on other parts of the system to provide things like network security and user-based access control.


Next topic: Encryption methods
at No comments:

Host Hardening

Host Hardening

by: Jeff Hatfield
pd: July 13, 2015

Linux helps keep you secure through Security In Depth. Below are some additional measures to improve the security posture of your system.

Firewall

Cyber security experts recommend the use of a firewall even if your system is behind another firewall such as a home router. Fortunately, Linux has a built-in firewall called iptables. Many distributions come with this firewall enabled by default to block network inbound traffic. Traffic  which most certainly could offer a relatively easy means of compromise to your system.


With iptables you can secure your system against inbound and outbound traffic, but the learning curve can be lowered by using GUI tools. Such tools are provided in both Fedora and Linux Mint distributions (and others), but both vary in tools and implementation.
Fedora 22 has firewalld (similar to iptables) enabled on first boot of the system, whereas Linux Mint has iptables, but is disabled on first boot. Although having a firewall turned on is wise, most Linux distributions do not have network accessible services listening (or open) by default.
Linux includes many services that can be enabled and this list is just a short sample: samba (windows file sharing), ssh (secure shell), http (web server), ipp or cups (network print server), kodi (media center), and mpd (music player daemon), ...


Fedora Linux's Firewall Configuration tool
The terminal can be used to open the ‘system-config-firewall’ tool and perform configuration changes. The example shows the Trusted Services with a single item checked - SSH. This would allow ssh access into the system.
Additional information can be found at the Fedora FirewallD wiki.
Simple iptables configuration
Iptables configuration files are stored in different locations based upon the distro’s specific requirements, but in general you’ll find the file below /etc/
Fedora’s iptables config. with additional rules to prevent ping attacks & sample zones.
/etc/sysconfig/iptables
*filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :FORWARD_ZONES - [0:0]
 :FORWARD_direct - [0:0]
 :INPUT_ZONES - [0:0]
 :INPUT_direct - [0:0]
 :IN_ZONE_public - [0:0]
 :IN_ZONE_public_allow - [0:0]
 :IN_ZONE_public_deny - [0:0]
 :OUTPUT_direct - [0:0]
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -i lo -j ACCEPT
 -A INPUT -j INPUT_direct
 -A INPUT -j INPUT_ZONES
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -j REJECT --reject-with icmp-host-prohibited
 -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -i lo -j ACCEPT
 -A FORWARD -j FORWARD_direct
 -A FORWARD -j FORWARD_ZONES
 -A FORWARD -p icmp -j ACCEPT
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
 -A OUTPUT -j OUTPUT_direct
 -A IN_ZONE_public -j IN_ZONE_public_deny
 -A IN_ZONE_public -j IN_ZONE_public_allow
 -A IN_ZONE_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
 -A IN_ZONE_public_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT

Controlling ssh access:
External TCP Port
Modify the router’s port forwarding to use a random high port (from 2400-65535) to throw off script kiddies and bots from the normal port ssh port 22. This simple trick reduced my bot attacks from unmanageable attempted access levels (thousands per day on port 22) down to Zero. By keeping the server’s ssh port on 22, I can maintain access simply by using ssh username@server.mydomain.
Disable ssh root login
# vi /etc/ssh/sshd_config
## change the value ‘PermitRootLogin yes’ to
PermitRootLogin no

 Client Authentication
A bullet-proof method of allowing login on a server with ssh access is to utilize public key authentication. Once username/password login has been disabled and PKI enabled, the server is protected from bot-based password attacks.
# vi /etc/ssh/sshd_config
## Add or uncomment the line
PubkeyAuthentication yes
Copy public key
Save the sshd_config file and generate your private/public key on your laptop, desktop or android app.
Copy the public key into the server’s ~/.ssh/authorized_keys file with the tool ssh-copy-id user@server.domain (see man page for additional information).
Restart the sshd daemon (service sshd restart or systemctl restart sshd) and ssh into the server as the username you have on the server.
TCP Wrappers
The system’s /etc/hosts.allow provides further restriction to the system’s ssh service by allowing only a specific host or zone to ssh into the system. This option may not be practical if a user requires external access to a system within your network (i.e. from a smart phone app such as JuiceSSH, ConnectBot or a laptop on a remote network).
# vi /etc/hosts.allow
 ALL: 127.0.0.1 # localhost
ALL: 192.168.1.0/24 # Internal Network
Restrict ssh Access
If a group of users named ‘internal’ require ssh access into the system, access can be tightly controlled by adding the requirement to the sshd configuration file.


# vi /etc/ssh/sshd_config
## add the group ‘ssh-users’
AllowGroups ssh-users
ssh Cipher Suites
Restricting the encryption Ciphers used for the ssh application to only those known to provide adequate further increases security (ref stribika.github.io for more info).
# vi /etc/ssh/sshd_config
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,\ aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr


Next topic of discussion - Encryption.
at No comments:

Consider Linux


Consider Linux
Oh no you say, this is another blog about the wonders of Linux.Think again my friend. You see, Linux has a way of making you sleep easier at night. No, really. Once you you have installed Linux and experienced the power and security you have at your fingertips, you too will sleep well at night.
They say knowledge is power, but heed the initial warning from the sudo command: “Remember, with great power comes great responsibility”. Learn to control that power and your systems and network will be a fortress of solitude.
Ok, so enough of the superhero references. On to the matter at hand.
You go about your daily life running an OS which came with your laptop. More than likely, if you are interested in reading this blog, you may be running one of a variety of the Windows OS. If not, then this blog may be something of a refresher in system security.
How can Linux provide more security than my current OS and what security do I speak of you ask?
For starters, Linux was designed with the Internet in mind and in fact, it was created and released released onto the Internet by Linus Torvalds way back in 1991 to allow developers to review and improve the code. Developers  took the source code and grabbed the opportunity to contribute to the Linux Kernel. As of the date of this article, Linux has over 20 million lines of code and is used in millions upon millions of devices the world over (and above on the ISS).

Linux is supported by developers the world over and is controlled by the Linux Foundation, a nonprofit whose primary purpose is Linux development, support and education.

Some of the topics I'll cover:
  • Host Hardening
  • Browser Security
  • Windows programs
  • Disk destruction
at No comments:
Subscribe to: Comments (Atom)

Wireshark - A GUI Packet Analyzer

Wireshark Wireshark is a FLOSS (Free Libre Open Source Software) package for network troubleshooting and analysis which runs on Lin...

  • Computer Security - Part 2
    Malware - Backdoors ... Backdoors are methods of bypassing normal security or authentication on a system or within software which is of...
  • Encryption Methods - Part 2
    More PAM: In Linux PAM provides for separation of authentication tasks into each of four groups for management: Validation, Identity, P...