Reports of data leaks appear in the news more and more often, and large companies are spending enormous sums on security. As the consulting firm IDC notes, by 2020 worldwide spending on IT security will exceed $100 billion.
However, building a secure IT infrastructure does not have to cost a lot of money. For example, Linux has built-in protection mechanisms which, when properly configured, repel the most common types of attacks on the OS and the network.
In this article we look at a few basic tips that reduce the likelihood of the IT infrastructure being hacked and information being compromised. The examples in the post are for Linux-based systems, but some of the practices described apply to other operating systems as well.
1. Install current security updates
This point is quite obvious, and the importance of regularly updating applications has been written about many times, but unfortunately it has not lost its relevance. Just look at the OpenSSL vulnerability Heartbleed (CVE-2014-0160). It allows attackers to extract the server's private key and use it to decrypt the transmitted traffic. When information about the bug was published in 2014, the number of vulnerable sites was 500 thousand. At the same time, Google developers Bodo Möller and Adam Langley prepared a patch that eliminated the vulnerability. However, not everyone installed the update, and, according to Shodan, almost 200 thousand websites are still vulnerable to Heartbleed.
To keep your systems up to date, we recommend setting up automatic security updates for the OS. Most vendors offer a tool that installs patches automatically. For example, Debian has the Unattended Upgrades utility, and Red Hat-based systems have AutoUpdates. Yum-cron is available on CentOS, and dnf-automatic on Fedora.
You can also update using the package manager. For example, on Debian:
apt-get update && apt-get upgrade
Automatic patch installation has its drawbacks: there are situations where an update crashes the system. Therefore, before installing updates in the production environment, it is worth testing the software in a sandbox first.
Update developers try to make sure that software products do not make potentially dangerous changes to the system, but they cannot test every possible combination of applications and services. For example, the recently released patch KB4041676 for Windows 10 sent some users' computers into an infinite reboot loop and produced a "blue screen of death".
At the same time, some systems remain vulnerable to exploits after an upgrade until all the related processes have been restarted. For example, in 2014 OpenSSL disclosed several vulnerabilities that allowed attackers to conduct DDoS attacks. In Debian they were closed in version 1.0.1e-2+deb7u10, but for the fix to take effect, every application using OpenSSL had to be restarted. The community has developed the checkrestart and needs-restarting utilities to find programs that need to be restarted.
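A minimal stand-in for checkrestart and needs-restarting, added here as an example (it is not the article's code nor either of those tools). It relies on the kernel marking a mapping of a file that was replaced on disk as "(deleted)" in /proc/PID/maps; the maps excerpt in demo_stale_libs is constructed.

```shell
#!/bin/sh
# Added example, not from the article: a minimal stand-in for checkrestart / needs-restarting.
# After a package upgrade the old shared library is unlinked, but processes that loaded it
# keep the old code mapped; the kernel marks such mappings "(deleted)" in /proc/<pid>/maps.
# This script lists those processes so they can be restarted (run as root to see all of them).

# Reads one /proc/<pid>/maps file on stdin; prints each replaced shared object once.
deleted_libs_from_maps() {
    # maps line: address perms offset dev inode pathname [(deleted)]
    awk '$NF == "(deleted)" && $(NF-1) ~ /\.so/ { print $(NF-1) }' | sort -u
}

# Scans every process; prints "pid command library" for each stale mapping.
scan_running_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        [ -r "$maps" ] || continue
        libs=$(cat "$maps" 2>/dev/null | deleted_libs_from_maps)
        [ -n "$libs" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
        printf '%s\n' "$libs" | while read -r lib; do
            printf '%s %s %s\n' "$pid" "$comm" "$lib"
        done
    done
}

# Constructed sample of a maps file from a process that still uses an upgraded libssl.
demo_stale_libs() {
    printf '%s\n' \
        '7f1a0000-7f1b0000 r-xp 00000000 08:01 12345 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)' \
        '7f1c0000-7f1d0000 r-xp 00000000 08:01 12346 /usr/lib/x86_64-linux-gnu/libc.so.6' \
        '7f1e0000-7f1f0000 rw-p 00000000 00:00 0 [heap]' \
        '7f200000-7f210000 rw-s 00000000 08:01 12347 /tmp/cache.bin (deleted)' \
        | deleted_libs_from_maps
}

if [ "${1:-}" = "--scan" ]; then scan_running_processes; fi
```

Run it with --scan after each upgrade; every process it lists is still executing the pre-update library code until restarted.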
2. Activate security extensions
Modern systems run dozens of daemons and programs owned by different users. The traditional Unix model, DAC (Discretionary Access Control), works with three parameters when assigning access rights: user, group and others, which complicates the management of applications.
To give administrators more options for configuring security policies, security extensions were developed based on the Mandatory Access Control (MAC) model. They complement the classic model and make it possible to set security policies for every process: for example, to "order" the web server to listen only on a specified port, or to allow it to read files only from a specified directory.
Among such security applications are SELinux, AppArmor and GrSecurity (there are others), each with its own advantages and disadvantages. Next we briefly look at the capabilities of SELinux, since it is the most secure (it was created for use in government systems) and, as the system administrator and creator of nixCraft Vivek Gite notes, has the most powerful access control mechanisms.
It has three modes of operation. Enforcing is the default mode: it blocks actions that violate the established security policies. The second mode, Permissive, logs all violations but does not block them. The third state, Disabled, means SELinux is turned off.
You can find out which mode is set by writing the following command:
$ /usr/sbin/getenforce
To check that SELinux and its tools are installed (on Fedora), type:
rpm -qa | grep selinux
rpm -q policycoreutils
rpm -qa | grep setroubleshoot
SELinux provides several access control models:
- Type Enforcement (TE): the main access control mechanism. Flexible, but time-consuming to configure. All objects and subjects are labelled with identifiers (types), which are then used to assign rules and policies.
- Role-Based Access Control (RBAC): subjects are assigned roles, each associated with one or more domain types. A chart of them can be found here.
- Multi-Level Security (MLS): every object in the system receives a certain level of access, which limits its capabilities. At its own level a service can read and write information; at the levels above, only write; at the levels below, only read. A diagram of the security levels is available at the link.
An example of a situation in which SELinux protects the infrastructure is a configuration error. DNS servers often perform a so-called zone transfer when replicating data between themselves. Attackers can use this procedure to feed false information to the servers. When working with BIND on Fedora, even if an administrator forgets to limit the range of servers allowed to exchange information, the SELinux policy will prevent changes to the zone files during replication.
SELinux also lets you deny processes access to files used by other processes. For example, an attacker who compromises a Samba server will not be able to use it to change the files of other systems, say the MySQL database.
Other use cases in which SELinux provides protection are described at the link. A detailed guide to setting up SELinux on Debian can be found here, and the guide for Fedora is here.
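Permissive mode is only useful if someone reads what it logs. The following script, added here as an example and not taken from the article, summarizes the AVC denials in audit.log at the granularity audit2allow works at, so the policy gaps can be reviewed before switching to Enforcing. The audit lines in demo_avc are constructed.

```shell
#!/bin/sh
# Added example, not from the article: summarize the AVC denials SELinux writes to
# /var/log/audit/audit.log (Permissive mode only logs them; Enforcing also blocks them).
# Grouping by source type, target type, object class and permission gives the view
# audit2allow works from, so the log can be reviewed before switching to Enforcing.
# Usage: summarize_avc < /var/log/audit/audit.log   (the sample below is constructed)

summarize_avc() {
    awk '
    # field(key): value of "key=..." in the current line, reduced to the SELinux type
    # (third component of user:role:type:level); plain values such as tclass=file stay as is
    function field(key,    s, c, n) {
        s = $0; sub(".*" key, "", s); sub(/ .*/, "", s)
        n = split(s, c, ":"); return n >= 3 ? c[3] : s
    }
    /^type=AVC / && / denied / {
        perms = $0                                  # "{ read write }" -> "read write"
        sub(/.*denied  *\{ */, "", perms); sub(/ *\}.*/, "", perms)
        n = split(perms, p, " ")
        key = field("scontext=") " " field("tcontext=") " " field("tclass=")
        for (i = 1; i <= n; i++) count[key " " p[i]]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

demo_avc() {  # constructed audit.log excerpt: httpd reading a home directory and dialling out
    printf '%s\n' \
    'type=AVC msg=audit(1510000000.101:201): avc:  denied  { read } for  pid=1230 comm="httpd" name="index.html" dev="sda1" ino=4101 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1' \
    'type=SYSCALL msg=audit(1510000000.101:201): arch=c000003e syscall=2 success=yes exit=12 comm="httpd"' \
    'type=AVC msg=audit(1510000000.102:202): avc:  denied  { read } for  pid=1231 comm="httpd" name="app.js" dev="sda1" ino=4102 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1' \
    'type=AVC msg=audit(1510000000.103:203): avc:  denied  { name_connect } for  pid=1231 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1' \
    | summarize_avc
}
```

For the sample, the first summary line points at mislabelled content (fix the labels with semanage fcontext and restorecon, or the httpd_enable_homedirs boolean) and the second at an unregistered port (semanage port), rather than at a need for a custom policy module.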
3. Configure access rights and set password policies
This point is also quite obvious, but it does not cease to be relevant. According to a study conducted by Intermedia in 2015 among two thousand office workers, 93% of respondents admitted that they had neglected information security requirements at least once. At the same time, 67% of IT industry workers said that they share usernames and passwords for various accounts with colleagues.
Weak and shared passwords increase the likelihood of "infecting" the company's infrastructure, and improperly configured access rights open loopholes into the organization's systems. Therefore, we do not recommend connecting to the server as the administrator (root). It is better to create a new user, restrict their rights, work through this account, and do administration through sudo.
As Stack Exchange users note, this approach complicates the life of attackers. Hackers use bots that send a connection request over SSH (ssh root@$IP) and then guess the password from standard combinations ("root" and "password123" are among the most popular) or by brute force. If they manage to gain access as root, they get "unlimited power" over the system. But if root cannot connect via SSH, the bots first have to guess the username, which makes the attack harder.
To create a new user on Debian and Ubuntu, enter the following command in the console:
adduser administrator
The name administrator can be changed to anything. Next, the password is set. Password Depot recommends inventing passwords 8–10 characters long with letters of different case, digits and special characters. Jeff Atwood, the author of the Coding Horror blog and co-founder of the Stack Overflow and Stack Exchange platforms, notes that a password of 10 or more characters reduces the likelihood of it appearing in the most popular list by 80%.
Yes, the need to compose long and complex passwords is well known, but in practice not everyone follows this rule. The SplashData team analyzed more than 5 million passwords from corporate employees' accounts that were leaked in 2016. The researchers concluded that most passwords were completely unsafe. The most popular password was "123456", used by 4% of the accounts in the entire "test" set. Approximately the same percentage used the password "password".
You should also take care of the credentials of the server's other users. Weak passwords can be identified with the John the Ripper utility. To make sure there are no "passwordless" users in the system, this command will help:
awk -F: '($2 == "") {print}' /etc/shadow
To make passwords mandatory and set a password "aging time", use chage (password complexity requirements are configured in the pam_cracklib.so module):
chage -M 60 -m 7 -W 7 UserName
Disable the reuse of old passwords in pam_unix.so and set a limit on the number of login attempts.
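The one-line shadow check above extended into a small account audit, added here as an example (not the article's own script): it reports empty password fields and usable accounts whose password never ages or ages slower than the 60-day maximum set by the chage command above. The shadow file it writes is constructed.

```shell
#!/bin/sh
# Added example, not from the article: an account audit that extends the one-line
# /etc/shadow check above. Run it as root against /etc/shadow; the sample below is constructed.
# /etc/shadow fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
# A hash that is empty, "*" or starts with "!" is not usable for logging in.

empty_passwords() {   # empty_passwords FILE -> accounts anyone can log into without a password
    awk -F: '$2 == "" { print $1 }' "$1"
}

no_password_aging() { # no_password_aging FILE MAXDAYS -> usable accounts with max age unset,
    awk -F: -v maxdays="$2" \
        '$2 != "" && $2 !~ /^[!*]/ && ($5 == "" || $5 + 0 >= 99999 || $5 + 0 > maxdays) { print $1 }' \
        "$1"                                    # 99999 (the "never" value) or above MAXDAYS
}

audit_shadow() {      # audit_shadow FILE MAXDAYS -> report with the remediation for each finding
    for u in $(empty_passwords "$1"); do
        echo "$u: empty password field; lock it (passwd -l $u) or set a password"
    done
    for u in $(no_password_aging "$1" "$2"); do
        echo "$u: password never expires or max age > $2 days; run: chage -M $2 -m 7 -W 7 $u"
    done
}

write_sample_shadow() {   # constructed sample written to a temp file; prints its path
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:$6$saltsalt$constructedhash:17500:7:60:7:::
alice::17500:0:99999:7:::
bob:$6$saltsalt$constructedhash:17500:0:99999:7:::
carol:!$6$saltsalt$constructedhash:17500:0:90:7:::
svc-backup:*:17500::::::
dave:$6$saltsalt$constructedhash:17500:7:180:7:::
EOF
    echo "$f"
}
```

In the sample, carol and svc-backup are locked and root already ages at 60 days, so only alice, bob and dave are reported.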
If you have several applications, each of which can access different critical information, you should run them under separate accounts and deny one application access to another's data. As noted by Mailgun, a company that develops an API for embedding mail services in applications, the goal of this approach is to reduce the number of "options" for a hacker if they do manage to penetrate the system. When the list of actions an application can take is limited to the necessary minimum, the attacker will not be able, for example, to escalate their privileges and cause serious damage.
"Daemonize" the service so that it starts under the desired user right away. There are two ways to do this. The first is to use the OS scripts (init or systemd) to start and stop the application and a monitoring tool (monit) to restart it if it crashes. The second approach is to use a process control system (supervisord, s6, daemontools) that manages the application on its own.
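A systemd unit following the first approach, added here as an example (not from the article or from Mailgun); the service name, account and paths are assumptions:

```ini
# /etc/systemd/system/mailapi.service   (assumed unit name, account and paths)
[Unit]
Description=Mail API, runs under its own unprivileged account
After=network.target

[Service]
# dedicated account instead of root, created beforehand with: adduser --system --group mailapi
User=mailapi
Group=mailapi
ExecStart=/opt/mailapi/bin/server --config /etc/mailapi/config.toml
# restart on crash, the job monit does in the init-script variant
Restart=on-failure
RestartSec=5
# keep the rest of the system out of reach even if the process is compromised
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
# the only directory the service may write to
ReadWritePaths=/var/lib/mailapi

[Install]
WantedBy=multi-user.target
```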
4. Configure rules and exceptions for firewalls
A vulnerability (CVE-2017-15908) was recently discovered in the systemd manager that allows DDoS attacks. When a vulnerable system sent a DNS query to a DNS server controlled by hackers, the server returned a specially crafted response that sent systemd into an infinite loop, driving CPU load to 100%.
One way to protect against this type of attack is to configure the firewall; specifically, in this case, the firewall is instructed to block potentially malicious packets containing the resource records described in section 4 of RFC 4034.
In general, by opening only a small number of services to access from outside, you reduce the number of "contact points" and, as a result, the likelihood of penetration into the system.
When setting up firewall rules, the Mailgun team recommends following these principles:
- Before setting up new rules, delete the existing ones.
- Set the default policy for incoming traffic to DROP (any traffic that does not match the established rules is not let through). After that, you can gradually begin to "open up" access from the external network.
- Do not restrict Internet Control Message Protocol (ICMP) traffic completely. Routers and hosts use it to transmit critical information about service availability, packet sizes, etc. As noted on Stack Exchange, ICMP can be restricted, but the form of these restrictions depends on the company's infrastructure.
- If you are not using IPv6, restrict that traffic.
To implement all these recommendations, Mailgun wrote its own configuration script; you will find it at the link.
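A script written along the same four principles for iptables and ip6tables, added here as an example; it is not Mailgun's script. By default it only prints the rules, so the result can be reviewed before applying it; the list of exposed ports is a constructed default.

```shell
#!/bin/sh
# Added example, not Mailgun's script: a firewall built on the four principles above.
# By default it only prints the iptables/ip6tables commands; run "./firewall.sh apply" as root
# to execute them. Keep the port you administer the host through in ALLOWED_TCP, or the
# default DROP policy will lock you out.
ALLOWED_TCP="${ALLOWED_TCP:-22 443}"   # constructed default: SSH and HTTPS only
USE_IPV6="${USE_IPV6:-no}"

firewall_rules() {
    # 1. delete the existing rules and chains, so the policy below is the whole policy
    echo "iptables -F"
    echo "iptables -X"
    # 2. default DROP for incoming and forwarded traffic; outgoing traffic stays open
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    # loopback and replies to connections this host opened itself
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # then "open up" one exposed service at a time
    for port in $ALLOWED_TCP; do
        echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # 3. do not drop ICMP wholesale: keep the error types hosts rely on (path MTU discovery,
    #    unreachable destinations) and rate-limit echo requests instead of blocking them
    for type in destination-unreachable time-exceeded parameter-problem; do
        echo "iptables -A INPUT -p icmp --icmp-type $type -j ACCEPT"
    done
    echo "iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT"
    # 4. if IPv6 is not in use, close it instead of leaving a second, unfiltered door
    if [ "$USE_IPV6" = "no" ]; then
        for chain in INPUT FORWARD OUTPUT; do echo "ip6tables -P $chain DROP"; done
        echo "ip6tables -A INPUT -i lo -j ACCEPT"
        echo "ip6tables -A OUTPUT -o lo -j ACCEPT"
    fi
}

case "${1:-print}" in
    apply) firewall_rules | sh -e ;;   # stops at the first command that fails
    *)     firewall_rules ;;
esac
```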
5. Establish a secure connection via SSH
First, generate a strong SSH key. This can be done using ssh-keygen:
ssh-keygen -t rsa -b 4096 -C foo@example.com
After that you need to enter a passphrase that will protect the key if it is compromised. For organizing the SSH connection you can use OpenSSH, which has a decent default configuration. Detailed information about the OpenSSH parameters can be found in the Mozilla guide or on the CentOS wiki page.
For our part, we recommend using a pair of cryptographic keys for SSH access. The key significantly complicates brute-force attacks: as noted above, the longer the password, the more secure it is, and an SSH key can be, for example, 2048 bits long.
To do this, create new keys and upload the public key to the server. From the local computer, type:
ssh-copy-id admin@1.1.1.1
Replace admin with the name of the key owner and 1.1.1.1 with the IP address of your server. To test the connection, reconnect.
You can also disable SSH password login completely, so that everyone uses keys. To do so, set the PasswordAuthentication parameter in the /etc/ssh/sshd_config file to no. On Ubuntu (or Debian) it looks like this:
nano /etc/ssh/sshd_config
...
PasswordAuthentication no
Note that additional connection security can be provided with 2FA (two-factor authentication).
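A check of sshd_config for the settings discussed in sections 3 and 5 (no root login over SSH, no password logins), added here as an example and not part of the article. It honours a rule that is easy to trip over: sshd uses the first occurrence of a keyword, so a hardened line added at the end of the file does nothing if a permissive one comes earlier. Both sample configs are constructed.

```shell
#!/bin/sh
# Added example, not from the article: check an sshd_config for the settings discussed in
# sections 3 and 5 (no root login over SSH, no password logins, keys only). sshd uses the
# FIRST occurrence of a keyword, so a hardened line appended at the end of the file does
# nothing if a permissive one comes earlier; the check honours that rule and stops at the
# first "Match" block, where per-user overrides begin. The sample configs are constructed.

sshd_value() {  # sshd_value FILE KEYWORD -> first effective value, empty if not set
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }' "$1"
}

# keyword, required value, value sshd assumes when the keyword is absent (OpenSSH 7 and later)
RULES='PasswordAuthentication no yes
PermitRootLogin no prohibit-password
ChallengeResponseAuthentication no yes
PubkeyAuthentication yes yes'

check_sshd_config() {  # check_sshd_config FILE -> one line per finding; status 1 if any
    findings=$(echo "$RULES" | while read -r keyword want default; do
        got=$(sshd_value "$1" "$keyword"); note=""
        [ -n "$got" ] || { got=$default; note=" (keyword absent, sshd default)"; }
        [ "$got" = "$want" ] || echo "$keyword is $got$note; set '$keyword $want'"
    done)
    [ -z "$findings" ] && return 0
    echo "$findings"; return 1
}

weak_sample() {  # constructed: a default install plus one careless edit
    printf '%s\n' 'Port 22' 'PermitRootLogin yes' \
        '# PasswordAuthentication no' \
        'PasswordAuthentication yes' \
        'PasswordAuthentication no'   # ignored: the first occurrence above wins
}

hardened_sample() {  # constructed: the settings the check expects
    printf '%s\n' 'Port 22' 'PermitRootLogin no' 'PasswordAuthentication no' \
        'ChallengeResponseAuthentication no' 'PubkeyAuthentication yes'
}
```

Validate the edited file with sshd -t before restarting the service, and keep an existing session open until a new key-based login has succeeded.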
6. Use cryptography
Protecting infrastructure from intruders involves using cryptography. Do not store personal data and credentials unencrypted, even if your passwords are in a private repository on GitHub. This protects your infrastructure in the event of a GitHub compromise, which has already happened the year before last: an attacker, using a list of passwords and email addresses compiled from breaches of other services, compromised several user accounts and gained access to corporate information.
When choosing a tool or library for encryption, the Mailgun team, as well as Stack Exchange users, advise following these rules:
- Use modern symmetric ciphers: the most popular options are AES and Salsa20 (NaCl).
- Use a MAC (message authentication code) to check the integrity and authenticate the source of the data. Good options are HMAC-SHA-512 or Poly1305.
- Use quality random number generators for keys and nonces, for example /dev/urandom.
- If the tool works with passphrases, make sure it uses a KDF.
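The four rules applied together in a small encrypt-then-MAC file tool built on the OpenSSL command line, added here as an example (it is not the article's or Mailgun's code). It assumes OpenSSL 1.1.1 or later for enc -pbkdf2; the file and passphrase in demo_roundtrip are constructed.

```shell
#!/bin/sh
# Added example (not from the article or Mailgun): encrypt-then-MAC a file with the OpenSSL CLI,
# applying the four rules above: AES-256 as the symmetric cipher, HMAC-SHA-512 for integrity
# (checked before anything is decrypted), salt and IV from /dev/urandom via 'openssl rand',
# and PBKDF2 as the KDF for the passphrase. Assumes OpenSSL 1.1.1+ ('enc -pbkdf2').
# 'pass:' is used for brevity; prefer 'file:' so the passphrase is not in the process list.
ITER=200000

hmac512() {  # hmac512 HEXKEY  (data on stdin) -> hex tag
    openssl dgst -sha512 -mac HMAC -macopt "hexkey:$1" | awk '{ print $NF }'
}

derive_keys() {  # derive_keys PASSPHRASE SALTHEX -> "enckey mackey" in hex
    # -P prints the PBKDF2-derived key without encrypting anything
    master=$(openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -md sha512 \
        -pass "pass:$1" -S "$2" -P | sed -n 's/^key=//p')
    # expand the master key into two independent keys (HKDF-style labels), so the same key
    # is never used for both encryption and authentication
    echo "$(printf enc | hmac512 "$master" | cut -c1-64) $(printf mac | hmac512 "$master")"
}

seal() {  # seal PASSPHRASE IN OUT : OUT = "salt iv tag" line, then the raw ciphertext
    salt=$(openssl rand -hex 8); iv=$(openssl rand -hex 16)
    keys=$(derive_keys "$1" "$salt"); enc=${keys%% *}; mac=${keys#* }
    openssl enc -aes-256-ctr -K "$enc" -iv "$iv" -in "$2" -out "$3.ct" || return 1
    tag=$({ printf '%s%s' "$salt" "$iv"; cat "$3.ct"; } | hmac512 "$mac")
    { echo "$salt $iv $tag"; cat "$3.ct"; } > "$3"; rm -f "$3.ct"
}

unseal() {  # unseal PASSPHRASE IN OUT : returns 1 and writes nothing if the tag is wrong
    read -r salt iv tag < "$2" || return 1
    keys=$(derive_keys "$1" "$salt"); enc=${keys%% *}; mac=${keys#* }
    expect=$({ printf '%s%s' "$salt" "$iv"; tail -n +2 "$2"; } | hmac512 "$mac")
    # shell string comparison is not constant-time; acceptable for files checked offline
    [ "$tag" = "$expect" ] || return 1
    tail -n +2 "$2" | openssl enc -d -aes-256-ctr -K "$enc" -iv "$iv" -out "$3"
}

demo_roundtrip() {  # 0 when a sealed file opens to the same bytes and a tampered copy is rejected
    d=$(mktemp -d); printf 'api_key=constructed-secret\n' > "$d/secret.txt"
    seal 'correct horse battery staple' "$d/secret.txt" "$d/secret.enc" || return 1
    if unseal 'correct horse battery staple' "$d/secret.enc" "$d/out.txt" &&
       cmp -s "$d/secret.txt" "$d/out.txt"; then good=0; else good=1; fi
    printf 'x' >> "$d/secret.enc"      # tamper with the ciphertext
    if unseal 'correct horse battery staple' "$d/secret.enc" "$d/out2.txt"; then bad=0; else bad=1; fi
    rm -rf "$d"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}
```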
In the corresponding Stack Exchange thread, users list many tools for building encryption systems (for example, entlib or Bouncy Castle). If you really need to, you can create your own utility, but Reddit and Quora users say that this approach only increases the risk of being hacked. As noted on Stack Exchange, homemade ciphers rarely withstand the tools designed to break polyalphabetic ciphers and substitution ciphers.
In addition, we cite several sources worth reading before starting to work with cryptographic systems. The first is the Crypto101 course, taught by Laurens Van Houtven, director of Principal, which is responsible for preparing start-up security teams. The second, the matasano crypto challenges, contains 48 exercises demonstrating attacks on real ciphers. The authors argue that this is a more effective way to learn cryptographic principles than reading books on the topic.
7. Regularly create and check backups
The issue of backups is a little outside the general theme of the topics listed above, but it is just as important for the security of the infrastructure. Again, this topic has been "chewed over" in many materials, but we consider it necessary to repeat it, since even large companies make mistakes here.
A recent example: a sysadmin from the Netherlands deleted the part of the GitLab database holding users' requests to change project documentation and code. The company then noted that none of the five backup systems in place helped restore the information.
Therefore, it is worth creating backups and checking that they can be restored as often as possible, naturally taking business requirements into account. For example, engineers at Neon Rain, a web application developer, back up files once a week and databases every night. Cloud Academy also backs up its databases daily. As for checking backups, at the Chalvington Group, for example, the ability to restore is evaluated every morning.
In general, creating a backup copy once a day is normal practice. The main thing is to restrict access to the backup servers, and for the accounts that do need access, use authorization mechanisms different from those used by the main infrastructure.
If you do not want to build your own backup infrastructure, it makes sense to hand this task to an outside vendor who will take care of storing the copies. For example, at 1cloud we perform a backup once a day, and the client chooses the required retention period for copies (7, 14, 21 or 28 days).
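The "create and check" cycle in script form, added here as an example (not the article's or 1cloud's tooling): the backup is a tar archive plus a checksum manifest, and the check is a real test restore into a scratch directory compared against that manifest. The data in demo_backup_check is constructed.

```shell
#!/bin/sh
# Added example, not from the article: create a backup and then prove it can be restored.
# make_backup writes a tar archive plus a SHA-256 manifest of the files it contains;
# verify_backup performs a real test restore into a scratch directory and checks every file
# against that manifest, which is the "check readiness" step described above. The data in
# demo_backup_check is constructed; in practice run verify_backup from cron on the backup host.

abs_path() {  # abs_path PATH -> absolute form (the manifest is read after a cd)
    case $1 in /*) echo "$1" ;; *) echo "$PWD/$1" ;; esac
}

make_backup() {  # make_backup SRC_DIR ARCHIVE
    archive=$(abs_path "$2")
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k2 ) > "$archive.sha256" || return 1
    tar -C "$1" -cf "$archive" . || return 1
    chmod 600 "$archive" "$archive.sha256"   # a backup holds the same secrets as production
}

verify_backup() {  # verify_backup ARCHIVE -> 0 only if a test restore matches the manifest
    archive=$(abs_path "$1"); scratch=$(mktemp -d) || return 1
    status=1
    if tar -C "$scratch" -xf "$archive" 2>/dev/null &&
       ( cd "$scratch" && sha256sum -c "$archive.sha256" >/dev/null 2>&1 ); then
        status=0
    fi
    rm -rf "$scratch"
    return $status
}

demo_backup_check() {  # 0 when an intact backup verifies and a damaged copy is rejected
    work=$(mktemp -d); mkdir "$work/data"
    printf 'INSERT INTO users VALUES (1);\n' > "$work/data/dump.sql"   # constructed
    printf 'listen=127.0.0.1:8080\n' > "$work/data/app.conf"            # constructed
    make_backup "$work/data" "$work/backup.tar" || return 1
    if verify_backup "$work/backup.tar"; then good=0; else good=1; fi
    # simulate media corruption: zero the blocks holding the file headers and data
    dd if=/dev/zero of="$work/backup.tar" bs=512 seek=1 count=4 conv=notrunc 2>/dev/null
    if verify_backup "$work/backup.tar"; then bad=0; else bad=1; fi
    rm -rf "$work"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}
```

A backup that has never been restored is only a hypothesis; the demo shows that a damaged archive is caught by the restore test even though it still exists on disk.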
The tools and settings above will help you secure your system. Yes, it is physically impossible to protect IT infrastructure 100% from all types of attacks, but it is possible to make life difficult for hackers and limit the number of potential exploits. By being attentive, careful and cautious, you gain the time you need to make key decisions and take protective countermeasures.