There was a recent link posted to Y Combinator's Hacker News titled “My First 10 Minutes on a Server” (link to article; the link post is here). Seeing it reminded me that I have been meaning to start working on securing the web test server (which is currently not web accessible).
There are some things mentioned in it that I thought were useful. Those are the following items:
- Root password
  - This partially extends to user passwords
  - Also involves issues of logging into the root account
- SSH setup
  - Require that people use keys
  - Test that logging in with a key works
- Set up sudo
  - Test that it is working
- Firewall; there are some things to look at here:
  - IPTables vs. IPChains (I may be way behind on things here)
  - Using shortcut services such as ufw
  - Kernel support
- Automatic updates; having some degree of automatic updating is very important in keeping things secure
  - Gentoo uses the Portage package management system, so finding how best to handle this could be difficult
- Blocking “probable attack IP addresses”
  - It is recommended (and I can see nothing wrong with this) to use “fail2ban” to automatically create rules.
- Use of two-factor authentication
  - I recommend this for any service storing critical information (which, surprisingly, is pretty much every one).
- Have something which monitors your logs
All of these things will, I think, need to be dealt with in detail in future posts. In the rest of this post I will go over them briefly to give a bit of an idea of where I am going in the next little while with securing the server.
I am not entirely sure what I think of the mess of suggestions about passwords out there. There are passwords which no one could seriously argue are crackable. These passwords are next to impossible to remember, are very long, and are made of a mixture of letters (upper and lower case), numbers, and special characters.
These are exactly the kinds of passwords you would want to use in a high-security situation, such as the root password on a server with a web-facing interface, especially one which would allow root access with that password.
The problem with such passwords is that it is pretty much impossible for someone to come up with one which really meets these requirements and still be able to remember it. Most people will not be able to remember a password of 15 or more random characters.
That requires a password manager of some sort to remember them.
Using Password Managers
I have not looked very far into the different password managers that people use. I am not all that happy with the solution I currently have: there have been security issues with it, and all of the “big name” password managers are high-profile targets for attack.
Part of the reason crackers put such a big effort into attacking password managers in particular is that if they do manage to crack a single user account on a password management site, they often gain access to dozens if not hundreds of passwords from that one account, and getting at the whole database opens things up a great deal more.
LastPass say that the passwords stored on their site are stored in a manner which requires your username and password to recover them. So, provided you have an uncrackable master password, you should be safe. But what does uncrackable mean?
The idea that some passwords are uncrackable is based on the idea of password strength. The majority of “password strength checkers” are deficient in the sense that the password “password” is as “strong” according to them as “dpraosws”, which you are probably thinking is a little silly.
The reason they treat them the same way is that the majority of them only look at the number of characters of each type. So a password “strength” meter will rate a dictionary word the same as those same letters in random (or near random) order. I do believe they give a useful rough “estimate”, though.
The problem with this simplistic approach is that it treats each character independently. If you are using anything approaching a “dictionary word”, you are using something which would be tried on the “first pass” of cracking. Password cracking almost never just throws random guesses at the problem.
Those lists of “most common passwords” are based entirely on that idea. For the most part, even with access to the entire database, you can’t actually pull the passwords out of it (you shouldn’t be able to); you can only test a given stored “hash” against a candidate password. Many sites actually throw an additional layer on top of that: the password alone isn’t what is hashed, and the extra piece of information is needed as well to even test passwords.
So, what really is uncrackable? Long strings of random-looking characters drawn from a “broad character set”. A password like “!a5#C356C2345asfcedfr@#” is pretty much uncrackable, given that no one can realistically “find” it without enormous difficulty (I wouldn’t suggest using any static string such as that particular one, as there is a good chance that some crawler will add that particular “word” to crackers’ dictionaries).
Password managers are almost all able to create strong passwords. Some might have a simple “strength” setting; others may have several variables which are used to generate the password.
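To make the point about strength meters concrete, here is an added example (not from the post) in Python: a naive charset-size estimate rates “password” and “dpraosws” identically, a dictionary-aware estimate does not, and a generator produces the broad-character-set kind of password a manager would. The wordlist is a constructed six-word stand-in for a cracker's first-pass list.

```python
import math
import secrets
import string

# Constructed stand-in for a cracker's first-pass wordlist (real lists run to millions of entries).
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "admin", "monkey"}

# The character classes a naive strength meter counts.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]


def naive_bits(pw):
    """Charset-size estimate: log2(charset ** len). Rates 'password' and 'dpraosws' identically."""
    charset = sum(len(c) for c in CLASSES if any(ch in c for ch in pw))
    return len(pw) * math.log2(charset) if charset else 0.0


def dictionary_aware_bits(pw):
    """Same estimate, except a wordlist hit (any case, trailing digits allowed) costs only a few guesses."""
    base = pw.lower().rstrip(string.digits)
    if base in COMMON_WORDS:
        stripped = len(pw) - len(base)
        # Found after at most len(COMMON_WORDS) tries, times 10 for each appended digit to try.
        return math.log2(len(COMMON_WORDS)) + stripped * math.log2(10)
    return naive_bits(pw)


def generate_password(length=23):
    """Random password over the full character set, the way a password manager generates one."""
    alphabet = "".join(CLASSES)
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ("password", "dpraosws", "Password1", "!a5#C356C2345asfcedfr@#", generate_password()):
        print(f"{pw!r:28} naive={naive_bits(pw):6.1f} bits  dictionary-aware={dictionary_aware_bits(pw):6.1f} bits")
```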
I intend to look deeper into the question of password managers in the future, and into ways to generate passwords which are secure but sufficiently memorable to use as the master password for your password manager.
Setting Up SSH
SSH (Secure Shell) is a way to log into a machine and get an interactive shell session. There are a number of ways you can set up how you log in. The most common is with a password. There are a number of issues with this, including that you have to remember the password, and that if you can easily remember it, chances are low that it is a very secure password.
Another way to log in is to use a “key pair”. This is generally considered more secure, and once it is set up it only requires that the person connect, unless there is another layer in place as well.
I agree that at least for remote connections, you probably want to set things up to reject password login attempts.
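Rejecting password logins is a matter of what sshd_config actually says, and sshd has two parsing rules that catch people out: for a repeated keyword the first occurrence wins, and anything after a Match line is conditional rather than global. The following is an added example (not from the post or from OpenSSH) of a small audit in Python that applies both rules; the sample configs are constructed and the defaults assume OpenSSH 7.0 or later.

```python
# Two of OpenSSH's parsing rules matter here: for a repeated keyword the FIRST occurrence
# wins, and lines after a "Match" block apply only conditionally, so they are not global
# settings. Defaults below are those of OpenSSH 7.0 and later (assumption).
DEFAULTS = {"passwordauthentication": "yes", "permitrootlogin": "prohibit-password",
            "pubkeyauthentication": "yes"}

def parse_sshd_config(text):
    """Return the effective global value of each keyword in DEFAULTS."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break  # everything from here on is conditional, not global
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)  # first occurrence wins; later ones are ignored
    return {k: settings.get(k, default) for k, default in DEFAULTS.items()}

def audit_sshd_config(text):
    """Findings a key-only login policy would flag; an empty list means the policy holds."""
    s = parse_sshd_config(text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no': password logins are still accepted")
    if s["permitrootlogin"] not in ("no", "prohibit-password", "without-password"):
        findings.append("PermitRootLogin lets root log in with a password")
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is off: key logins will fail")
    return findings

# Constructed sample configs (not taken from any real host).
WEAK = """\
PermitRootLogin yes
PasswordAuthentication yes
# The next line does NOT take effect: sshd keeps the first value it saw.
PasswordAuthentication no
"""
HARDENED = """\
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
"""
```

Run `sshd -t` after editing the real file, and keep an existing session open until a fresh key login has been confirmed to work.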
For now I am going to leave that discussion at that.
sudo is a way to execute a “single command” as another user. It has become more or less a replacement for su, which allowed you to “become” another user. The reason for using sudo over su is that you will only be executing the commands which actually require higher (or different) privileges as that other user.
If you have created a directory with a bunch of temporary files in it and are trying to delete it, and you type a command which (unintentionally) tries to delete every file on the system, at worst the command will delete all the files you have rights to delete. That could well be far more files than you intended, but usually it would not break anything major on your system.
With sudo set up, you run a command by prefixing it with “sudo”. It will then require a password before doing anything more.
The whole setup for sudo is probably a whole blog post in itself, so I will leave things here for now.
As I mentioned above, there are at least a few different ways to handle firewalling on Linux (I am running Gentoo as my Linux distribution).
There are three different systems available (as far as I can see): IPTables, IPChains, and IPFWADM. My understanding is that IPTables is the newest of them and IPFWADM the oldest. They are all part of the IP masquerading system. IPTables was introduced around 1998, so it is relatively mature. As of 2002 there was some talk of it not being mature enough for some use cases; I do not know whether there is any reason to believe this is still the case.
With this in mind, I think I will be looking at setting up IPTables for this server.
There are different ways to help automate this, which I haven’t looked into. The ones the article mentioned were ufw and, it looks like, fail2ban. I will look into both.
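What fail2ban does at its core is count failed logins per source address over a time window and insert a firewall rule for any address over the limit. Here is an added example of that logic in Python (not from the post and not fail2ban's own code), run over constructed sshd log lines using documentation address ranges; the year is an assumption because syslog omits it, and the rule string is a simplified form of what fail2ban's iptables action inserts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd failure lines in syslog form (the year is omitted, exactly as in a real auth.log).
FAIL_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Failed password for .* from (\S+) port \d+")

def parse_failures(lines, year=2016):
    """Yield (timestamp, source ip) for every failed-password line; `year` is assumed."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)

def candidates_to_ban(lines, maxretry=5, findtime=600):
    """IPs with at least `maxretry` failures inside some `findtime`-second window (fail2ban's rule)."""
    by_ip = defaultdict(list)
    for ts, ip in parse_failures(lines):
        by_ip[ip].append(ts)
    window, banned = timedelta(seconds=findtime), set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= maxretry:
                banned.add(ip)
                break
    return sorted(banned)

def iptables_rule(ip):
    """Simplified form of the DROP rule fail2ban's iptables action inserts for a banned address."""
    return f"iptables -I INPUT -s {ip} -j DROP"

# Constructed sample log (documentation address ranges; no real hosts).
SAMPLE_LOG = """\
Jan 12 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 4241 ssh2
Jan 12 10:00:03 host sshd[1202]: Failed password for root from 203.0.113.5 port 4242 ssh2
Jan 12 10:00:05 host sshd[1203]: Failed password for root from 203.0.113.5 port 4243 ssh2
Jan 12 10:00:07 host sshd[1204]: Failed password for invalid user test from 203.0.113.5 port 4244 ssh2
Jan 12 10:00:09 host sshd[1205]: Failed password for root from 203.0.113.5 port 4245 ssh2
Jan 12 10:01:00 host sshd[1206]: Accepted publickey for alice from 198.51.100.7 port 5100 ssh2
Jan 12 10:05:00 host sshd[1207]: Failed password for alice from 198.51.100.7 port 5101 ssh2
Jan 12 11:30:00 host sshd[1208]: Failed password for alice from 198.51.100.7 port 5102 ssh2
""".splitlines()
```

With the defaults, only 203.0.113.5 (five failures in eight seconds) is banned; alice's two typos 85 minutes apart stay under the limit, which is the point of `findtime`.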
Setting up Automatic Updates
I am not really sure how this will be done. The place where I saw this information was talking about Ubuntu/Debian, and this will be dramatically different, as Gentoo uses a different package manager. I have set up a couple of jobs to handle this: one which should give a list of packages which can be updated, and another which updates the “portage tree”.
This isn’t automatic updating, but it is getting closer.
Two Factor Authentication
I don’t know how this will actually work; it is something I will have to look into. Two-factor authentication adds an additional level: a device is required to get a code, which must be entered before you are authenticated. This may be something which will happen fairly quickly.
Logwatch is a way to monitor logs. There is probably more to do with this than simply installing it. That will be the last of this post for now. Changes will be made to link to the other pages on this.