Recently we asked the Habr community whether it would be worthwhile to translate the book “Kali Linux Revealed”. After some thought, having taken note of the voting results and the comments on that material, we decided to translate some parts of the book. Let's start with Chapter 7, “Kali Protection and Monitoring”. This material in particular is a translation of sections 7.1-7.3, which are devoted to the system security policy and to the protection of servers, laptops and network services.

Chapter 7. Kali Protection and Monitoring
As you begin to use Kali Linux in increasingly demanding and large-scale projects, you will probably need to take your own system more seriously. We begin this chapter by talking about security policies.
Here we will highlight the various points that are worth paying attention to when determining the security policy, we will show some of the threats to which both computers and professional pentesters themselves are exposed. In addition, we will discuss security measures applicable to laptops and desktop systems, paying particular attention to firewalls and packet filtering. Finally, we will focus on monitoring tools and strategies, show how to set up monitoring to identify potential threats.
7.1. Security Policy Definition
It makes no sense to talk about security in general terms, since “security” covers a wide range of concepts, tools and procedures, none of which apply in every situation. Choosing what is actually needed requires a clear understanding of the goals of whoever is doing the protecting. Protecting a system begins with answering a few questions. Rushing headlong to deploy the first available security tool runs the risk of focusing on things that are not really important.
It is usually best to start with a specific goal. For this it is useful to answer the following questions:
- What are you trying to protect? The security policy will differ depending on whether you want to protect computers or data. In the latter case you also need to know exactly what the data is.
- What are you protecting against? Leakage of confidential data? Accidental data loss? Loss of revenue caused by the failure of a service?
- From whom are you defending? Security measures vary greatly between, for example, protecting against a mistake by a regular user of the system and protecting against a determined external group of attackers.
The term “risk” is usually used to refer to the combination of these three factors: what to protect, what needs to be prevented, and who might cause it. Modeling the risk requires answers to the three questions above. A security policy can then be built on the basis of that risk model and implemented through concrete actions.
▍Security is a process
Bruce Schneier, a world-renowned security expert (and not only in computer security), tackles one of the most persistent security myths with the statement: “Security is a process, not a result.” What you defend changes over time, and so do the threats and the tools available to potential attackers. Even if a security policy was ideally designed and implemented at the outset, you should never be content with what has been achieved. The components of the risk evolve, and the response must evolve accordingly.
When forming a security policy, it is worth taking additional constraints into account, since they can narrow the range of available tools. How far are you prepared to go to protect the system? This question has a decisive influence on what should be done. Too often the answer is expressed only in terms of cost, but other aspects must be considered as well, among them the added inconvenience for users or a drop in performance.
Once the risk modeling is complete, you can start thinking about the development of the security policy itself.
Here are a couple of examples that illustrate the extremes in deciding what level of security to implement. At one end, providing a basic level of security is very simple.
Suppose the system to be protected is an old computer whose only role is to add up a couple of numbers at the end of the working day. Deciding not to do anything special to protect such a computer would be quite reasonable. The objective value of the system is small, and the value of the data is zero, since no data is stored on this computer.
A potential attacker who penetrates this system gains nothing more than a calculator. The cost of protecting such a system is likely to exceed the loss from its compromise.
At the other end of the spectrum is the task of ensuring the confidentiality of sensitive data using the most advanced means of protection, where everything else is secondary. In this case a suitable measure would be the complete destruction of the data (securely erasing the files, breaking the hard disk into pieces, dissolving the pieces in acid, and so on). If there is an additional requirement that the data be preserved for future use (although not necessarily easily accessible), and if cost is no object, then you would start by writing the data to iridium-platinum plates stored in bomb shelters built deep inside mountains in several places around the globe, each of which (of course) must be completely secret and guarded by an army.
Although these examples may seem very extreme, they may nevertheless be an adequate response to certain risks, as long as they are the result of reflection that takes into account the goals and limitations of information security. Any security policy based on a reasoned decision is acceptable.
Let's return to more typical cases. An information system can be broken down into homogeneous and largely independent subsystems, each with its own requirements and constraints. As a result, risk analysis and the design of a security policy should be performed separately for each of these subsystems. One valuable principle to remember when working on a security policy is that a small attack surface is easier to defend than a large one. The network should be organized accordingly: especially important services should be concentrated on a small number of computers reachable through the minimum number of routes or checkpoints. The logic is clear: it is easier to protect these checkpoints than to protect the valuable computers from the whole outside world. This is where the usefulness of network filtering (including that performed by firewalls) becomes obvious. Filtering can be implemented with dedicated hardware, but a simpler and more flexible solution is a software firewall, such as the one integrated into the Linux kernel.
7.2. About security measures
As mentioned in the previous section, there is no one right answer to the question of how to protect Kali Linux. It all depends on how you use it and what exactly you are trying to protect.
▍7.2.1. Server security
If you are using Kali Linux on a public server, you will most likely need to protect network services by changing the default passwords that may be set in configuration files (for more details see section 7.3, “Protection of network services”), and perhaps by restricting access to them using a firewall (for more information, see section 7.4, “Firewall or Packet Filtering”).
If you give other users accounts, either on the server itself or on one of its services, you need to check that they are set to crack-resistant passwords able to withstand a brute-force attack. At the same time, it may be advisable to install fail2ban, which makes brute-forcing passwords over the network harder (by filtering out IP addresses that have exceeded the limit on failed login attempts). To install fail2ban, run the following commands:
    apt update
    apt install fail2ban
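What fail2ban does for SSH is, at its core, a count of failed logins per source address in the authentication log, with a ban once a threshold is reached. The following added example (not from the book or from the fail2ban project) performs that detection step by hand over a constructed set of auth-log lines, so you can see which addresses a jail with maxretry=5 would act on; the hostname, addresses and timestamps are invented.

```shell
#!/bin/sh
# Added example, not from the book: count "Failed password" entries per source
# address in sshd log lines and report the addresses that reach a threshold.
# fail2ban automates exactly this before it inserts a firewall rule.

# Constructed sample in the format sshd writes to /var/log/auth.log
# (hostname, PIDs, addresses and times are invented for the example).
SAMPLE_AUTH_LOG='Jun 10 10:01:02 kali sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jun 10 10:01:05 kali sshd[1201]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jun 10 10:01:09 kali sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Jun 10 10:01:12 kali sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 51031 ssh2
Jun 10 10:01:15 kali sshd[1205]: Failed password for root from 203.0.113.7 port 51040 ssh2
Jun 10 10:02:00 kali sshd[1210]: Failed password for kali from 198.51.100.4 port 40001 ssh2
Jun 10 10:02:30 kali sshd[1212]: Accepted publickey for kali from 198.51.100.4 port 40002 ssh2'

# failed_logins_by_ip LOGTEXT
# Prints "count ip" lines, most frequent first. Only sshd "Failed password"
# lines are counted; successful logins and other daemons are ignored.
failed_logins_by_ip() {
    printf '%s\n' "$1" |
        grep 'sshd\[[0-9]*\]: Failed password for ' |
        sed -n 's/.* from \([0-9a-fA-F.:]*\) port .*/\1/p' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# ips_over_threshold LOGTEXT MAXRETRY
# Prints each source address whose failure count reaches MAXRETRY, one per line.
# This is the set a fail2ban jail with the same maxretry would ban.
ips_over_threshold() {
    failed_logins_by_ip "$1" | awk -v max="$2" '$1 >= max { print $2 }'
}

# Demo: with maxretry=5 (fail2ban's default) only 203.0.113.7 is reported;
# the single failure from 198.51.100.4 stays below the threshold.
ips_over_threshold "$SAMPLE_AUTH_LOG" 5
```

On a live system the same functions can be fed the real log, for example `ips_over_threshold "$(cat /var/log/auth.log)" 5`; fail2ban adds the time window (findtime) and the ban itself, which this check deliberately leaves out.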
If you host web services, you should arrange for them to be accessed over HTTPS in order to prevent an attacker from sniffing your traffic (which may contain authentication cookies).
▍7.2.2. Laptop protection
A pentester's laptop is not exposed to the same risks as a public server. For example, it is less likely to fall prey to the random scans that amateur attackers perform, and even if it does, you probably will not have any network services enabled.
The real risk often arises when you travel from one client to another. For example, your laptop may be stolen along the way, or it may be confiscated at customs. That is why you should most likely use full disk encryption (more on this in section 4.2.2, “Installing on a fully encrypted file system”), and possibly set up a self-destruct function (see “Installing a self-destruct password to increase security”). The data you collect during an engagement is confidential and needs the best protection.
In addition, you may need to set firewall rules (for more details, see section 7.4, “Firewall or packet filtering”), but not for the same purpose as on a server. You will probably want to block all outgoing traffic except what your VPN generates. This amounts to a network safety net: if your VPN connection stops working, you will know about it immediately (instead of silently falling back to local network access). As a result, you do not disclose your client's IP addresses while browsing websites or doing anything else on the Internet. In addition, if you are performing a local external check, it is best to keep everything you do under control in order to reduce the “noise” you create on the network, which can attract the attention of users and their protection systems.
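The “block everything except the VPN” rule set described above can be expressed in a handful of iptables commands. The following added example (not from the book, whose own firewall material is in section 7.4) generates those commands for a given tunnel interface, VPN server address and port, printing them for review before anything is applied; the interface name tun0, the server 203.0.113.10 and port 1194 are constructed values.

```shell
#!/bin/sh
# Added example, not from the book: generate the iptables rules for a VPN
# "kill switch" on a laptop, i.e. drop all outgoing traffic except what is
# needed to bring the tunnel up and what then travels through it.

# vpn_killswitch_rules VPN_IF VPN_SERVER_IP VPN_PORT [udp|tcp]
# Prints one iptables command per line. The server must be given as an IP
# address: once the policy is DROP, DNS lookups outside the tunnel are blocked.
vpn_killswitch_rules() {
    vpn_if=$1
    vpn_server=$2
    vpn_port=$3
    vpn_proto=${4:-udp}
    cat <<EOF
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp --dport 67 -j ACCEPT
iptables -A OUTPUT -p $vpn_proto -d $vpn_server --dport $vpn_port -j ACCEPT
iptables -A OUTPUT -o $vpn_if -j ACCEPT
EOF
}
# Rule by rule: default-deny everything outbound; loopback stays open; replies
# on already-tracked connections pass; DHCP lease renewals (UDP 67) keep the
# LAN address alive; the tunnel's own packets to the VPN server pass; and
# anything routed into the tunnel interface passes.

# apply_rules: run the generated commands. Requires root, and the rules are not
# persistent across reboots (save them with netfilter-persistent if needed).
apply_rules() {
    vpn_killswitch_rules "$@" | sh -e
}

# Dry run with constructed values: review the rules before applying them.
vpn_killswitch_rules tun0 203.0.113.10 1194 udp
```

If the tunnel drops, the last rule matches nothing and the DROP policy takes over, which is the "you will know about it immediately" behaviour the text describes; any LAN-only exceptions a specific engagement needs (a printer, a jump host) have to be added deliberately rather than falling through by accident.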
7.3. Network services protection
It is recommended to disable unused network services. In Kali, most network services are disabled by default.
As long as services are disabled, they pose no security risk. However, when enabling them, you should be vigilant for the following reasons:
- By default the firewall is not enabled, so if a service listens on all network interfaces, it effectively becomes publicly available.
- Some services have no authentication credentials and let you set them on first use. Others have default accounts whose logins and passwords are widely known. Check that passwords for access to services have been set, or changed to ones that only you know.
- Many services run as the superuser with full administrative privileges, so unauthorized access to them, or a security hole in them, usually has serious consequences.
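The first point above, a service listening on all interfaces with no firewall in front of it, is easy to check for with `ss -tulpn`. The following added example (not from the book) parses that output and reports only the sockets bound to every address (0.0.0.0, *, or [::]); the sample output is constructed for the example, and the listening processes in it (sshd, postgres, beef) are illustrative, not a statement about what Kali runs by default.

```shell
#!/bin/sh
# Added example, not from the book: list listening sockets that are bound to
# all interfaces and so are reachable from the network when no firewall is active.

# Constructed sample of `ss -tulpn` output (not captured from a real host).
SAMPLE_SS_OUTPUT='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0          127.0.0.53%lo:53       0.0.0.0:*     users:(("systemd-resolve",pid=412,fd=13))
tcp   LISTEN 0      128              0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=901,fd=3))
tcp   LISTEN 0      511            127.0.0.1:3000       0.0.0.0:*     users:(("beef",pid=1500,fd=9))
tcp   LISTEN 0      4096                   *:5432             *:*     users:(("postgres",pid=1203,fd=5))
tcp   LISTEN 0      128                 [::]:22            [::]:*     users:(("sshd",pid=901,fd=4))'

# exposed_listeners SS_OUTPUT
# Prints "proto local_address process" for each socket whose local address is a
# wildcard. Sockets bound to 127.0.0.1 / ::1 are local-only and are not listed.
exposed_listeners() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                                  # header line
        {
            addr = $5
            sub(/:[^:]*$/, "", addr)                      # drop the port, keep the address
            if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::") {
                proc = $7
                sub(/^users:\(\("/, "", proc)             # users:(("sshd",pid=901,fd=3)) -> sshd
                sub(/".*$/, "", proc)
                print $1, $5, (proc == "" ? "?" : proc)
            }
        }'
}

# live_exposed_listeners: the same check against the running system.
# Run as root, otherwise ss cannot show the process behind other users sockets.
live_exposed_listeners() {
    exposed_listeners "$(ss -tulpn)"
}

# Demo on the constructed sample: sshd (IPv4 and IPv6) and postgres are exposed,
# the resolver and the BeEF console are bound to loopback and stay local.
exposed_listeners "$SAMPLE_SS_OUTPUT"
```

For each line reported, the defender's choices are the ones the chapter goes on to discuss: stop the service if it is not needed, bind it to 127.0.0.1 if only local clients use it, or restrict it with a firewall rule (section 7.4).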
▍About Default Accounts
We will not list here all the programs that are configured to use default credentials after installation. To find out the details for a given package, look at its README.Debian file, and also check docs.kali.org and tools.kali.org to find out whether a service needs special steps to secure it.
If you use the system in Live mode, the password for the “root” account is “toor”. As a result, you should not enable SSH until the root password has been changed, or until SSH is configured to refuse password authentication.
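Whether SSH "is configured to refuse password authentication" comes down to two sshd_config directives, PermitRootLogin and PasswordAuthentication. The following added example (not from the book or the OpenSSH project) reads a configuration file the way sshd does, taking the first occurrence of each keyword and stopping at the first Match block, and reports whether a known root password such as the Live-mode “toor” would still be usable over SSH; the sample configuration it audits is constructed.

```shell
#!/bin/sh
# Added example, not from the book: audit an sshd_config for the two settings that
# decide whether a default root password is usable over the network.

# sshd_option FILE KEYWORD
# Prints the effective value of KEYWORD, lowercased, or nothing if it is absent.
# sshd uses the first occurrence of a keyword; Match blocks are conditional and
# are not evaluated here, so parsing stops at the first one.
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }              # comments and blank lines
        tolower($1) == "match" { exit }                   # conditional section: stop
        tolower($1) == key { print tolower($2); exit }    # first occurrence wins
    ' "$1"
}

# audit_sshd_config FILE
# Prints one OK/WARN line per setting and returns 1 if anything needs attention.
# An absent directive means the OpenSSH compiled-in default applies:
# PermitRootLogin defaults to prohibit-password, PasswordAuthentication to yes.
audit_sshd_config() {
    rc=0
    root_login=$(sshd_option "$1" PermitRootLogin)
    case "${root_login:-prohibit-password}" in
        no|prohibit-password|without-password)
            echo "OK   PermitRootLogin=${root_login:-prohibit-password (default)}" ;;
        *)  echo "WARN PermitRootLogin=$root_login lets root log in with a password"; rc=1 ;;
    esac
    pw_auth=$(sshd_option "$1" PasswordAuthentication)
    case "${pw_auth:-yes}" in
        no) echo "OK   PasswordAuthentication=no" ;;
        *)  echo "WARN PasswordAuthentication=${pw_auth:-yes (default)} makes a known default password usable"; rc=1 ;;
    esac
    return $rc
}

# Demo on a constructed configuration (not a Kali default): both directives open.
demo=$(mktemp)
printf '%s\n' '# constructed example configuration' \
    'PermitRootLogin yes' 'PasswordAuthentication yes' > "$demo"
audit_sshd_config "$demo" || echo "Change the root password or harden sshd_config before enabling SSH"
rm -f "$demo"
```

On a live host, `sshd -T` (run as root) prints the effective configuration with defaults filled in, so `sshd -T | grep -Ei 'permitrootlogin|passwordauthentication'` gives the same answer without having to reason about absent directives.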
In addition, please note that the BeEF program (from the preinstalled beef-xss package) has default credentials, user “beef” with password “beef”, stored in its standard configuration file.
Results
In this article you have read about some of the considerations involved in forming a system security policy and learned about approaches to protecting servers, laptops and network services. Next time we will share the translation of section 7.4, which is dedicated to firewalls and packet filtering in Kali Linux.
Dear readers! How do you approach the formation of a security policy? How do you protect computers for various purposes?