Welcome!

Linux Containers Authors: Lori MacVittie, Elizabeth White, Pat Romanski, AppDynamics Blog, APM Blog

Related Topics: Linux Containers, Cloud Security

Linux Containers: Blog Feed Post

Linux: Secure as a Brick

Best practices I’ve learned over the years

People who are familiar with me know that there are two things I’m not forgiving about. The first is backups, the second is security.

If backups interest you, perhaps we can discuss it some other time. This time we’re going to discuss security.

I’m going to outline in the following article some of the best practices I’ve learned along the years and help you “almost brick up, but not just yet” or “harden” your Linux server.

While reading this article, however, I suggest also reading this article as well. As we both try to tackle the same issues. I believe both articles eventually represent the same views in a different guise.

All of the ideas I’m coming up with are already implemented in shk. I suggest downloading shk, reviewing the code and using it.

Security
Do you know what is secure? – a brick.

Yes, but a brick is not functional.

When I’m trying to build a secure system, I’m using the same concepts as if I’d like to secure my house.

Yes, a house is functional.

Where Is Your Front Door?
Is the front door of your house in a conventional place? – if it is it does make it easier not only for you, but also for everybody else to enter.

Imagine the door to your house would be placed 30 meters away from the house and you’d have to remove leaves and branches over a floor door, unlock it, open it, crawl 30 meters to your house, open  and unlock the house’s main door, and only then you’ll be at home.

I bet such an entrance would surprise any potential burglar.

So what’s your door for accessing your machine?

Yes, it’s usually SSH. If it’s telnet, rsh, or any other unencrypted protocol, you live in the 1970s, please update yourself, together with your haircut.

SSH on port 22 would usually get knocked quite a lot, be it bots, or kiddies, trying to see what’s in.

Don’t believe me? – run:

 # lastb 

It’ll list all the incorrect login attempts which would usually be via SSH attempts.

How do we dig the trench away from the house and install the neat floor door? – simply move SSH to a different port. It’ll fend off most of the scanning attempts.

Port knocking can add some extra security here, but I believe that port knocking also requires you to walk around with a crowbar on a daily basis – as port knocking more or less means you keep the floor door jammed – and only the correct crowbar would open it.

Since I’m not Gordon Freeman – I’m not wandering around with a crowbar and do not use port knocking.

Who Has the Key?
With SSH moved to a different port, you should ask yourself if your door is really secure.

Is your root password strong? Honestly?

And other users on the system? Do they have a secure password? Does it matter?

After you’ve reset the root password to something which is really strong, it’s time to enforce SSH to allow only the root user.

This more or less means that even if you gave your neighbor the key to your house – in order to feed the cat – she wouldn’t be able to do it. Yes, your cat might get a bit hungry, but your house will stay in tact and the and cats usually tent to find a solution when it comes to food…

And the Windows?
You’ve just installed a super-secure door, but what about your windows? Have you left any of these unbarred? Redundant?

A redundant window might be a NFS service which runs for no reason at all on your server.

On the other hand, an unbarred window might be a HTTP service which is supposed to be exposed only internally.

It is highly recommended to instantly remove services and packages you don’t use and brick these windows up.

You can use:

 # netstat -pan | grep “\bLISTEN\b” 

This will list the services that are waiting for connections.

Install bars on the unbarred windows, in other words – use a firewall. If your HTTP service is supposed to be used only internally – seal it with a firewall.

Generally speaking, it should be easy for you – the SysAdmin – to easily know which ports of a system should be exposed externally. The rest of the ports you should lock down.

And When Someone Got In?
If someone got into your house, even if it’s dark – he can always use a headlamp and pick up whatever he wants to. If someone hacked into your system and got regular user privileges – usually it’ll be super easy for him to gain root access.

Hence, it doesn’t matter if you login as a regular user and than ‘su -’ or ‘sudo’ to root, it’s all the same. I prefer to just login as root and no other user. It’ll also make you treat things more seriously.

I also don’t bother to remove useful utilities for day-to-day use. I want my systems to be comfortable for me to maintain. I can’t be bothered if comfortability for me means comfortability also for potential attackers. Once they got in they’ll be as comfortable whether there is a sofa in the living room or not.

And I do want the sofa in the living room.

Bring It On!
Lock your house – then let your friends hack in.

Security audits are invaluable and should be carried out quite often. Whether by automatic tools such as Monitis or by colleagues.

Monitis Monitoring Platform

If you never try to hack in – you’ll never know how hard it is for an attacker.

When a system is properly secure – it’s hard also for you to hack in. And if it’s hard for you – an attacker would usually find it at least twice as hard, even if he is experienced.. A random attacker has much less information and knowledge as to how your system is built, comparing to you.

A Crack in a Wall
Cracks in a wall can cause the whole wall to collapse, rendering your defenses useless.

A crack in the wall can come in the shape of an outdated apache server – with a recent exploit on the wild.

Another crack in the wall could be a 3rd party piece of software you can’t audit – but must expose to the outside world. Be extra cautious with these.

Sending your root password in plain text emails is highly discouraged just as well for the same reasons.

Aftermath
Got hacked?

In real life we will not burn a house that was broken into, but if you did get hacked, assess the situation. In 99% of the cases I would suggest to reinstall the machine freshly. The reason for that is that an attacker could install numerous back doors and it might take you ages to find them.

Reinstalling is a big headache if your system is not setup properly, or if you don’t have proper backups.

But do trust me – in the long run, it is highly recommended to avoid future problems.

Unbreakable?
If you have a house, people can break into it. Period.

Do trust me though, that usually, if you’ve decided to place your door in a non-trivial place, the casual attacker/burglar will just decide to bother the next server/house.

Carry out the rest of the defenses that are outlined here and you are more than good to go.

It sounds very simplistic, I know. But if there’s something ironic I’ve seen in life is an uber-extra-comprehensive  firewall setup on an extremely secure system, and a login of admin/123456 that caused everything to collapse.

shk
shk
will help you do the tasks I’ve outlined through this article. Tasks such as:

  • Firewall configuration
  • Altering SSH configuration
  • Setting sysctl parameters
  • Disabling services
  • Removing packages

shk is written purely in Bash and is supposed to work on most Redhat and Debian systems.

The default configuration is a bit forgiving, feel free to play with it as much as you need.

shk is free – I’d be more than happy to receive contributions and suggestions for improvement.

Read the original blog entry...

More Stories By Hovhannes Avoyan

Hovhannes Avoyan is the CEO of PicsArt, Inc.,

@ThingsExpo Stories
If you’re responsible for an application that depends on the data or functionality of various IoT endpoints – either sensors or devices – your brand reputation depends on the security, reliability, and compliance of its many integrated parts. If your application fails to deliver the expected business results, your customers and partners won't care if that failure stems from the code you developed or from a component that you integrated. What can you do to ensure that the endpoints work as expect...
An IoT product’s log files speak volumes about what’s happening with your products in the field, pinpointing current and potential issues, and enabling you to predict failures and save millions of dollars in inventory. But until recently, no one knew how to listen. In his session at @ThingsExpo, Dan Gettens, Chief Research Officer at OnProcess, will discuss recent research by Massachusetts Institute of Technology and OnProcess Technology, where MIT created a new, breakthrough analytics model f...
SYS-CON Events announced today that Bsquare has been named “Silver Sponsor” of SYS-CON's @ThingsExpo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. For more than two decades, Bsquare has helped its customers extract business value from a broad array of physical assets by making them intelligent, connecting them, and using the data they generate to optimize business processes.
Technology vendors and analysts are eager to paint a rosy picture of how wonderful IoT is and why your deployment will be great with the use of their products and services. While it is easy to showcase successful IoT solutions, identifying IoT systems that missed the mark or failed can often provide more in the way of key lessons learned. In his session at @ThingsExpo, Peter Vanderminden, Principal Industry Analyst for IoT & Digital Supply Chain to Flatiron Strategies, will focus on how IoT de...
Fact is, enterprises have significant legacy voice infrastructure that’s costly to replace with pure IP solutions. How can we bring this analog infrastructure into our shiny new cloud applications? There are proven methods to bind both legacy voice applications and traditional PSTN audio into cloud-based applications and services at a carrier scale. Some of the most successful implementations leverage WebRTC, WebSockets, SIP and other open source technologies. In his session at @ThingsExpo, Da...
Digital transformation is too big and important for our future success to not understand the rules that apply to it. The first three rules for winning in this age of hyper-digital transformation are: Advantages in speed, analytics and operational tempos must be captured by implementing an optimized information logistics system (OILS) Real-time operational tempos (IT, people and business processes) must be achieved Businesses that can "analyze data and act and with speed" will dominate those t...
SYS-CON Events announced today that Roundee / LinearHub will exhibit at the WebRTC Summit at @ThingsExpo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. LinearHub provides Roundee Service, a smart platform for enterprise video conferencing with enhanced features such as automatic recording and transcription service. Slack users can integrate Roundee to their team via Slack’s App Directory, and '/roundee' command lets your video conference ...
Information technology is an industry that has always experienced change, and the dramatic change sweeping across the industry today could not be truthfully described as the first time we've seen such widespread change impacting customer investments. However, the rate of the change, and the potential outcomes from today's digital transformation has the distinct potential to separate the industry into two camps: Organizations that see the change coming, embrace it, and successful leverage it; and...
There is growing need for data-driven applications and the need for digital platforms to build these apps. In his session at 19th Cloud Expo, Muddu Sudhakar, VP and GM of Security & IoT at Splunk, will cover different PaaS solutions and Big Data platforms that are available to build applications. In addition, AI and machine learning are creating new requirements that developers need in the building of next-gen apps. The next-generation digital platforms have some of the past platform needs a...
SYS-CON Events announced today that Numerex Corp, a leading provider of managed enterprise solutions enabling the Internet of Things (IoT), will exhibit at the 19th International Cloud Expo | @ThingsExpo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Numerex Corp. (NASDAQ:NMRX) is a leading provider of managed enterprise solutions enabling the Internet of Things (IoT). The Company's solutions produce new revenue streams or create operating...
Almost two-thirds of companies either have or soon will have IoT as the backbone of their business in 2016. However, IoT is far more complex than most firms expected. How can you not get trapped in the pitfalls? In his session at @ThingsExpo, Tony Shan, a renowned visionary and thought leader, will introduce a holistic method of IoTification, which is the process of IoTifying the existing technology and business models to adopt and leverage IoT. He will drill down to the components in this fra...
IoT is fundamentally transforming the auto industry, turning the vehicle into a hub for connected services, including safety, infotainment and usage-based insurance. Auto manufacturers – and businesses across all verticals – have built an entire ecosystem around the Connected Car, creating new customer touch points and revenue streams. In his session at @ThingsExpo, Macario Namie, Head of IoT Strategy at Cisco Jasper, will share real-world examples of how IoT transforms the car from a static p...
I'm a lonely sensor. I spend all day telling the world how I'm feeling, but none of the other sensors seem to care. I want to be connected. I want to build relationships with other sensors to be more useful for my human. I want my human to understand that when my friends next door are too hot for a while, I'll soon be flaming. And when all my friends go outside without me, I may be left behind. Don't just log my data; use the relationship graph. In his session at @ThingsExpo, Ryan Boyd, Engi...
SYS-CON Events announced today that Pulzze Systems will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Pulzze Systems, Inc. provides infrastructure products for the Internet of Things to enable any connected device and system to carry out matched operations without programming. For more information, visit http://www.pulzzesystems.com.
The Internet of Things can drive efficiency for airlines and airports. In their session at @ThingsExpo, Shyam Varan Nath, Principal Architect with GE, and Sudip Majumder, senior director of development at Oracle, will discuss the technical details of the connected airline baggage and related social media solutions. These IoT applications will enhance travelers' journey experience and drive efficiency for the airlines and the airports. The session will include a working demo and a technical d...
SYS-CON Events announced today that Commvault, a global leader in enterprise data protection and information management, has been named “Bronze Sponsor” of SYS-CON's 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Commvault is a leading provider of data protection and information management solutions, helping companies worldwide activate their data to drive more value and business insight and to transform moder...
The Transparent Cloud-computing Consortium (abbreviation: T-Cloud Consortium) will conduct research activities into changes in the computing model as a result of collaboration between "device" and "cloud" and the creation of new value and markets through organic data processing High speed and high quality networks, and dramatic improvements in computer processing capabilities, have greatly changed the nature of applications and made the storing and processing of data on the network commonplace.
The vision of a connected smart home is becoming reality with the application of integrated wireless technologies in devices and appliances. The use of standardized and TCP/IP networked wireless technologies in line-powered and battery operated sensors and controls has led to the adoption of radios in the 2.4GHz band, including Wi-Fi, BT/BLE and 802.15.4 applied ZigBee and Thread. This is driving the need for robust wireless coexistence for multiple radios to ensure throughput performance and th...
Enterprise IT has been in the era of Hybrid Cloud for some time now. But it seems most conversations about Hybrid are focused on integrating AWS, Microsoft Azure, or Google ECM into existing on-premises systems. Where is all the Private Cloud? What do technology providers need to do to make their offerings more compelling? How should enterprise IT executives and buyers define their focus, needs, and roadmap, and communicate that clearly to the providers?
SYS-CON Events announced today that SoftLayer, an IBM Company, has been named “Gold Sponsor” of SYS-CON's 18th Cloud Expo, which will take place on June 7-9, 2016, at the Javits Center in New York, New York. SoftLayer, an IBM Company, provides cloud infrastructure as a service from a growing number of data centers and network points of presence around the world. SoftLayer’s customers range from Web startups to global enterprises.