Welcome!

Linux Containers Authors: Liz McMillan, Mehdi Daoudi, Pat Romanski, Elizabeth White, Yeshim Deniz

Related Topics: Linux Containers, Cloud Security

Linux Containers: Blog Feed Post

Linux: Secure as a Brick

Best practices I’ve learned over the years

People who are familiar with me know that there are two things I’m not forgiving about. The first is backups, the second is security.

If backups interest you, perhaps we can discuss it some other time. This time we’re going to discuss security.

I’m going to outline in the following article some of the best practices I’ve learned along the years and help you “almost brick up, but not just yet” or “harden” your Linux server.

While reading this article, however, I suggest also reading this article as well. As we both try to tackle the same issues. I believe both articles eventually represent the same views in a different guise.

All of the ideas I’m coming up with are already implemented in shk. I suggest downloading shk, reviewing the code and using it.

Security
Do you know what is secure? – a brick.

Yes, but a brick is not functional.

When I’m trying to build a secure system, I’m using the same concepts as if I’d like to secure my house.

Yes, a house is functional.

Where Is Your Front Door?
Is the front door of your house in a conventional place? – if it is it does make it easier not only for you, but also for everybody else to enter.

Imagine the door to your house would be placed 30 meters away from the house and you’d have to remove leaves and branches over a floor door, unlock it, open it, crawl 30 meters to your house, open  and unlock the house’s main door, and only then you’ll be at home.

I bet such an entrance would surprise any potential burglar.

So what’s your door for accessing your machine?

Yes, it’s usually SSH. If it’s telnet, rsh, or any other unencrypted protocol, you live in the 1970s, please update yourself, together with your haircut.

SSH on port 22 would usually get knocked quite a lot, be it bots, or kiddies, trying to see what’s in.

Don’t believe me? – run:

 # lastb 

It’ll list all the incorrect login attempts which would usually be via SSH attempts.

How do we dig the trench away from the house and install the neat floor door? – simply move SSH to a different port. It’ll fend off most of the scanning attempts.

Port knocking can add some extra security here, but I believe that port knocking also requires you to walk around with a crowbar on a daily basis – as port knocking more or less means you keep the floor door jammed – and only the correct crowbar would open it.

Since I’m not Gordon Freeman – I’m not wandering around with a crowbar and do not use port knocking.

Who Has the Key?
With SSH moved to a different port, you should ask yourself if your door is really secure.

Is your root password strong? Honestly?

And other users on the system? Do they have a secure password? Does it matter?

After you’ve reset the root password to something which is really strong, it’s time to enforce SSH to allow only the root user.

This more or less means that even if you gave your neighbor the key to your house – in order to feed the cat – she wouldn’t be able to do it. Yes, your cat might get a bit hungry, but your house will stay in tact and the and cats usually tent to find a solution when it comes to food…

And the Windows?
You’ve just installed a super-secure door, but what about your windows? Have you left any of these unbarred? Redundant?

A redundant window might be a NFS service which runs for no reason at all on your server.

On the other hand, an unbarred window might be a HTTP service which is supposed to be exposed only internally.

It is highly recommended to instantly remove services and packages you don’t use and brick these windows up.

You can use:

 # netstat -pan | grep “\bLISTEN\b” 

This will list the services that are waiting for connections.

Install bars on the unbarred windows, in other words – use a firewall. If your HTTP service is supposed to be used only internally – seal it with a firewall.

Generally speaking, it should be easy for you – the SysAdmin – to easily know which ports of a system should be exposed externally. The rest of the ports you should lock down.

And When Someone Got In?
If someone got into your house, even if it’s dark – he can always use a headlamp and pick up whatever he wants to. If someone hacked into your system and got regular user privileges – usually it’ll be super easy for him to gain root access.

Hence, it doesn’t matter if you login as a regular user and than ‘su -’ or ‘sudo’ to root, it’s all the same. I prefer to just login as root and no other user. It’ll also make you treat things more seriously.

I also don’t bother to remove useful utilities for day-to-day use. I want my systems to be comfortable for me to maintain. I can’t be bothered if comfortability for me means comfortability also for potential attackers. Once they got in they’ll be as comfortable whether there is a sofa in the living room or not.

And I do want the sofa in the living room.

Bring It On!
Lock your house – then let your friends hack in.

Security audits are invaluable and should be carried out quite often. Whether by automatic tools such as Monitis or by colleagues.

Monitis Monitoring Platform

If you never try to hack in – you’ll never know how hard it is for an attacker.

When a system is properly secure – it’s hard also for you to hack in. And if it’s hard for you – an attacker would usually find it at least twice as hard, even if he is experienced.. A random attacker has much less information and knowledge as to how your system is built, comparing to you.

A Crack in a Wall
Cracks in a wall can cause the whole wall to collapse, rendering your defenses useless.

A crack in the wall can come in the shape of an outdated apache server – with a recent exploit on the wild.

Another crack in the wall could be a 3rd party piece of software you can’t audit – but must expose to the outside world. Be extra cautious with these.

Sending your root password in plain text emails is highly discouraged just as well for the same reasons.

Aftermath
Got hacked?

In real life we will not burn a house that was broken into, but if you did get hacked, assess the situation. In 99% of the cases I would suggest to reinstall the machine freshly. The reason for that is that an attacker could install numerous back doors and it might take you ages to find them.

Reinstalling is a big headache if your system is not setup properly, or if you don’t have proper backups.

But do trust me – in the long run, it is highly recommended to avoid future problems.

Unbreakable?
If you have a house, people can break into it. Period.

Do trust me though, that usually, if you’ve decided to place your door in a non-trivial place, the casual attacker/burglar will just decide to bother the next server/house.

Carry out the rest of the defenses that are outlined here and you are more than good to go.

It sounds very simplistic, I know. But if there’s something ironic I’ve seen in life is an uber-extra-comprehensive  firewall setup on an extremely secure system, and a login of admin/123456 that caused everything to collapse.

shk
shk
will help you do the tasks I’ve outlined through this article. Tasks such as:

  • Firewall configuration
  • Altering SSH configuration
  • Setting sysctl parameters
  • Disabling services
  • Removing packages

shk is written purely in Bash and is supposed to work on most Redhat and Debian systems.

The default configuration is a bit forgiving, feel free to play with it as much as you need.

shk is free – I’d be more than happy to receive contributions and suggestions for improvement.

Read the original blog entry...

More Stories By Hovhannes Avoyan

Hovhannes Avoyan is the CEO of PicsArt, Inc.,

@ThingsExpo Stories
"We're a cybersecurity firm that specializes in engineering security solutions both at the software and hardware level. Security cannot be an after-the-fact afterthought, which is what it's become," stated Richard Blech, Chief Executive Officer at Secure Channels, in this SYS-CON.tv interview at @ThingsExpo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
To get the most out of their data, successful companies are not focusing on queries and data lakes, they are actively integrating analytics into their operations with a data-first application development approach. Real-time adjustments to improve revenues, reduce costs, or mitigate risk rely on applications that minimize latency on a variety of data sources. Jack Norris reviews best practices to show how companies develop, deploy, and dynamically update these applications and how this data-first...
Intelligent Automation is now one of the key business imperatives for CIOs and CISOs impacting all areas of business today. In his session at 21st Cloud Expo, Brian Boeggeman, VP Alliances & Partnerships at Ayehu, will talk about how business value is created and delivered through intelligent automation to today’s enterprises. The open ecosystem platform approach toward Intelligent Automation that Ayehu delivers to the market is core to enabling the creation of the self-driving enterprise.
The question before companies today is not whether to become intelligent, it’s a question of how and how fast. The key is to adopt and deploy an intelligent application strategy while simultaneously preparing to scale that intelligence. In her session at 21st Cloud Expo, Sangeeta Chakraborty, Chief Customer Officer at Ayasdi, will provide a tactical framework to become a truly intelligent enterprise, including how to identify the right applications for AI, how to build a Center of Excellence to ...
SYS-CON Events announced today that Massive Networks will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Massive Networks mission is simple. To help your business operate seamlessly with fast, reliable, and secure internet and network solutions. Improve your customer's experience with outstanding connections to your cloud.
Everything run by electricity will eventually be connected to the Internet. Get ahead of the Internet of Things revolution and join Akvelon expert and IoT industry leader, Sergey Grebnov, in his session at @ThingsExpo, for an educational dive into the world of managing your home, workplace and all the devices they contain with the power of machine-based AI and intelligent Bot services for a completely streamlined experience.
Because IoT devices are deployed in mission-critical environments more than ever before, it’s increasingly imperative they be truly smart. IoT sensors simply stockpiling data isn’t useful. IoT must be artificially and naturally intelligent in order to provide more value In his session at @ThingsExpo, John Crupi, Vice President and Engineering System Architect at Greenwave Systems, will discuss how IoT artificial intelligence (AI) can be carried out via edge analytics and machine learning techn...
SYS-CON Events announced today that Datera, that offers a radically new data management architecture, has been named "Exhibitor" of SYS-CON's 21st International Cloud Expo ®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Datera is transforming the traditional datacenter model through modern cloud simplicity. The technology industry is at another major inflection point. The rise of mobile, the Internet of Things, data storage and Big...
Consumers increasingly expect their electronic "things" to be connected to smart phones, tablets and the Internet. When that thing happens to be a medical device, the risks and benefits of connectivity must be carefully weighed. Once the decision is made that connecting the device is beneficial, medical device manufacturers must design their products to maintain patient safety and prevent compromised personal health information in the face of cybersecurity threats. In his session at @ThingsExpo...
In his session at @ThingsExpo, Arvind Radhakrishnen discussed how IoT offers new business models in banking and financial services organizations with the capability to revolutionize products, payments, channels, business processes and asset management built on strong architectural foundation. The following topics were covered: How IoT stands to impact various business parameters including customer experience, cost and risk management within BFS organizations.
SYS-CON Events announced today that CA Technologies has been named "Platinum Sponsor" of SYS-CON's 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. CA Technologies helps customers succeed in a future where every business - from apparel to energy - is being rewritten by software. From planning to development to management to security, CA creates software that fuels transformation for companies in the applic...
From 2013, NTT Communications has been providing cPaaS service, SkyWay. Its customer’s expectations for leveraging WebRTC technology are not only typical real-time communication use cases such as Web conference, remote education, but also IoT use cases such as remote camera monitoring, smart-glass, and robotic. Because of this, NTT Communications has numerous IoT business use-cases that its customers are developing on top of PaaS. WebRTC will lead IoT businesses to be more innovative and address...
An increasing number of companies are creating products that combine data with analytical capabilities. Running interactive queries on Big Data requires complex architectures to store and query data effectively, typically involving data streams, an choosing efficient file format/database and multiple independent systems that are tied together through custom-engineered pipelines. In his session at @BigDataExpo at @ThingsExpo, Tomer Levi, a senior software engineer at Intel’s Advanced Analytics ...
SYS-CON Events announced today that App2Cloud will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct. 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. App2Cloud is an online Platform, specializing in migrating legacy applications to any Cloud Providers (AWS, Azure, Google Cloud).
Recently, IoT seems emerging as a solution vehicle for data analytics on real-world scenarios from setting a room temperature setting to predicting a component failure of an aircraft. Compared with developing an application or deploying a cloud service, is an IoT solution unique? If so, how? How does a typical IoT solution architecture consist? And what are the essential components and how are they relevant to each other? How does the security play out? What are the best practices in formulating...
SYS-CON Events announced today that MobiDev, a client-oriented software development company, will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. MobiDev is a software company that develops and delivers turn-key mobile apps, websites, web services, and complex software systems for startups and enterprises. Since 2009 it has grown from a small group of passionate engineers and business...
Internet of @ThingsExpo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 21st Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The Internet of Things (IoT) is the most profound change in personal and enterprise IT since the creation of the Worldwide Web more than 20 years ago. All major researchers estimate there will be tens of billions devic...
SYS-CON Events announced today that Dasher Technologies will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Dasher Technologies, Inc. ® is a premier IT solution provider that delivers expert technical resources along with trusted account executives to architect and deliver complete IT solutions and services to help our clients execute their goals, plans and objectives. Since 1999, we'v...
SYS-CON Events announced today that Ayehu will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct. 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Ayehu provides IT Process Automation & Orchestration solutions for IT and Security professionals to identify and resolve critical incidents and enable rapid containment, eradication, and recovery from cyber security breaches. Ayehu provides customers greater control over IT infrastructure throu...
SYS-CON Events announced today that Grape Up will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct. 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Grape Up is a software company specializing in cloud native application development and professional services related to Cloud Foundry PaaS. With five expert teams that operate in various sectors of the market across the U.S. and Europe, Grape Up works with a variety of customers from emergi...