Hardening a host
• Differs per operating system
  • Windows: users cannot be trusted to make security-related decisions in almost all cases
  • OS X: make things work magically for users; try to handle security issues in the background
  • Linux: varies by distribution
    • Ubuntu: tries, like OS X, to make things just work
    • Red Hat: includes very useful tools, but turned off by default
  • BSD: users will figure it out
• Changes with time
General considerations
• Define a personal usage profile and policy
  • What hardware do you use?
  • What software tasks do you do on your computer?
  • Do the first two change when you travel?
  • Which habits from the above do you need to change to be more secure?
• Decide if you really need VPN access to your network while travelling
General practices
• Install only the services and software you actually need
• Uninstall or disable all software and services you do not use or need
• Periodically and actively scan your machine for vulnerabilities
• Have as few user accounts on your systems as possible
  • Protect your administrative account: use a strong password, do not permit remote password-based logins, and do not log in as an administrator unless you need to do an administrative task
Securing Mac OS X
• Disable unused "sharing" services
  • System Preferences -> Sharing
• Update software
  • App Store -> Updates
• Check listening services
  • $ netstat -an | grep LISTEN
• Enable the firewall
  • System Preferences -> Security & Privacy -> Firewall
Securing Linux: minimise packages
• CentOS
  • # yum list installed
  • # yum remove <PackageName>
• Ubuntu 16.04 and later
  • # apt list --installed
  • # apt remove <PackageName>
Securing Linux: update packages
• CentOS
  • # yum upgrade
• Ubuntu 16.04 and later
  • # apt update
  • # apt upgrade
Securing Linux: checking services
• CentOS
  • ss -nl
• Ubuntu 16.04 and later
  • netstat -nl
• ss works on both distributions; ss -tulnp limits the output to TCP/UDP listeners and shows the owning process. netstat belongs to the deprecated net-tools package and may not be installed.
• For each listener, ask: is it bound to a loopback address or to all interfaces, and is it on the list of services this host is supposed to expose?
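The check above is easy to do by eye on one host and easy to get wrong on fifty. The following is an added example, not code from the APNIC slides: it parses the column layout that `ss -tulnp` prints on Linux (the sample output is constructed, not a capture), compares every listener against a hypothetical allow-list of ports this host is meant to expose, and separates loopback-only listeners (not reachable from the network) from listeners bound to all interfaces that nobody approved.

```python
"""Audit Linux listening sockets against an allow-list.

Added example (not from the APNIC slides). Parses `ss -tulnp` output and
flags services reachable from the network that are not on an explicit
allow-list. Loopback-only listeners are reported but not flagged.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample in the column layout `ss -tulnp` prints; not a real capture.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=512,fd=12))
udp   UNCONN 0      0      0.0.0.0:111         0.0.0.0:*         users:(("rpcbind",pid=600,fd=5))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=801,fd=3))
tcp   LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=702,fd=7))
tcp   LISTEN 0      511    *:80                *:*               users:(("nginx",pid=900,fd=6))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=801,fd=4))
tcp   LISTEN 0      100    0.0.0.0:5900        0.0.0.0:*         users:(("vino-server",pid=1203,fd=9))
"""

# Hypothetical policy for this host: (protocol, port) pairs allowed to face the network.
ALLOWED_EXPOSED = {("tcp", 22), ("tcp", 80)}

_PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def split_addr_port(field: str) -> Tuple[str, int]:
    """Split ss's 'Local Address:Port'; handles [::]:22, *:80 and 127.0.0.53%lo:53."""
    host, _, port = field.rpartition(":")
    host = host.strip("[]").split("%")[0]        # drop IPv6 brackets and scope id
    return host, int(port)


def is_loopback(host: str) -> bool:
    """True for 127.0.0.0/8 and ::1; '*' (all interfaces) is never loopback."""
    if host in ("*", ""):
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def parse_ss(output: str) -> List[Dict]:
    """One record per socket line: protocol, bind address, port, owning process."""
    records = []
    for line in output.splitlines()[1:]:         # first line is the header
        parts = line.split()
        if len(parts) < 5:
            continue
        host, port = split_addr_port(parts[4])
        m = _PROC_RE.search(line)
        records.append({"proto": parts[0], "host": host, "port": port,
                        "process": m.group(1) if m else "?",
                        "pid": int(m.group(2)) if m else None})
    return records


def audit(output: str, allowed=ALLOWED_EXPOSED) -> Dict[str, List[str]]:
    """Classify listeners: loopback (fine), allowed (exposed on purpose), unexpected."""
    result = {"loopback": [], "allowed": [], "unexpected": []}
    seen = set()
    for r in parse_ss(output):
        key = (r["proto"], r["port"], is_loopback(r["host"]))
        if key in seen:                           # same service on IPv4 and IPv6 counts once
            continue
        seen.add(key)
        desc = f'{r["proto"]}/{r["port"]} ({r["process"]}) on {r["host"]}'
        if is_loopback(r["host"]):
            result["loopback"].append(desc)
        elif (r["proto"], r["port"]) in allowed:
            result["allowed"].append(desc)
        else:
            result["unexpected"].append(desc)
    return result


if __name__ == "__main__":
    for category, items in audit(SAMPLE_SS_OUTPUT).items():
        print(category)
        for item in items:
            print("   ", item)
```

On a live host, feed it `subprocess.run(["ss", "-tulnp"], capture_output=True, text=True).stdout` instead of the sample; anything that lands in `unexpected` (here rpcbind on udp/111 and a VNC server on tcp/5900) is a candidate for the remove/disable step on the previous slide or for a firewall rule on the next one.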
Securing Linux: firewall
• CentOS
  • iptables
  • firewalld (frontend for iptables)
• Ubuntu 16.04 and later
  • iptables
  • ufw (frontend for iptables)
• Default-deny inbound; open only the ports you found and approved in the previous step
Securing Windows: minimise services
• services.msc
Securing Windows: updating
• > start ms-settings:windowsupdate
Securing Windows: checking services
• > netstat -na
  • add -o to show the owning process ID, or -b (from an elevated prompt) to show the executable name
Securing Windows: firewall
• wf.msc
Securing Windows: firewall
• The Windows firewall offers four types of rules:
  • Program: block or allow a program
  • Port: block or allow a port, port range, or protocol
  • Predefined: block or allow the rule set for a Windows feature
  • Custom: any combination of program, port, protocol, address and profile
Windows Network Category
• Execute PowerShell as administrator
• To confirm:
  • > Get-NetConnectionProfile
• To change it to Public:
  • > Set-NetConnectionProfile -Name "<NetworkName>" -NetworkCategory Public
• To change it to Private:
  • > Set-NetConnectionProfile -Name "<NetworkName>" -NetworkCategory Private
• The cmdlet takes -Name (or -InterfaceIndex), as listed by Get-NetConnectionProfile. Public selects the most restrictive firewall profile (no network discovery or file sharing); use it on any network you do not control
Hardware
• Rule 1: all bets are off with physical access to your devices
• Consider removing hardware you never use, say Bluetooth
• Disable in BIOS/EFI, or in your operating system, the hardware or features you cannot remove physically
  • Wake-on-LAN
  • Bluetooth discoverability
  • USB ports?
• BIOS passwords are not that useful (they are cleared by resetting the CMOS or a jumper)
• BIOS-level encryption/locking of hard disks may not be portable: the disk is tied to that machine's firmware. Full-disk encryption in the OS (FileVault, BitLocker, LUKS) is portable and protects the data if the disk is pulled
Compromised system
• Any file on the system is already suspicious
• You may be able to remove one piece of malware
  • there could be another one that you cannot detect
Wipe
• Don't reuse files from the compromised system
  • programs
  • documents
  • images
• Clean up all storage that was connected to the system
  • HDD
  • SSD
  • flash memory
How can we rescue information from suspicious data files?
• Convert it into another format
  • png -> jpg, jpg -> png
  • doc -> txt
  • excel -> csv
  • pdf -> png/jpg
• Infected code does not survive such a drastic modification: re-encoding keeps only the content (pixels, text, cell values) and drops macros, scripts and embedded objects
• Do the conversion on an isolated or disposable machine: opening the file in a converter is exactly the step that triggers an exploit against a vulnerable parser
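The "doc -> txt" conversion, as an added example that is not code from the APNIC slides. A .docx is a ZIP of XML parts; the code below first reports the active content the container carries (the macro module word/vbaProject.bin, anything under word/embeddings/) and then rebuilds the document as plain text from the character data of the `<w:t>` elements in word/document.xml alone, so nothing else in the file can reach the output. The sample document is constructed in memory with placeholder bytes standing in for a macro and an OLE object; the size limit is an assumed value, not a standard.

```python
"""Rescue text from a suspicious .docx by converting it to plain text.

Added example (not from the APNIC slides). Only the text nodes of
word/document.xml survive the conversion; macros and embedded objects are
reported and discarded. Run it on an isolated machine: parsing the
suspicious file is itself the risky step.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
MAX_PART_BYTES = 50 * 1024 * 1024      # assumed limit; refuses decompression bombs


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal macro-carrying .docx, not a real document."""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body>'
        '<w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>'
        '<w:p><w:r><w:t xml:space="preserve">Revenue: </w:t></w:r>'
        '<w:r><w:t>1,200</w:t></w:r></w:p>'
        '</w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/vbaProject.bin", b"\x00placeholder macro bytes\x00")
        z.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


def triage(data: bytes) -> List[str]:
    """Report the active content that the text conversion will drop."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            name = info.filename
            if name.endswith("vbaProject.bin"):
                findings.append(f"macro module: {name}")
            elif "/embeddings/" in name:
                findings.append(f"embedded object: {name}")
            elif name.lower().endswith((".exe", ".dll", ".js", ".vbs")):
                findings.append(f"executable content: {name}")
    return findings


def docx_to_text(data: bytes) -> str:
    """Convert to plain text: one output line per <w:p>, text from <w:t> only."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        info = z.getinfo("word/document.xml")
        if info.file_size > MAX_PART_BYTES:      # uncompressed size from the ZIP header
            raise ValueError("document.xml too large; possible decompression bomb")
        xml_bytes = z.read("word/document.xml")
    root = ET.fromstring(xml_bytes)
    lines = []
    for para in root.iter(f"{{{W_NS}}}p"):
        lines.append("".join(t.text or "" for t in para.iter(f"{{{W_NS}}}t")))
    return "\n".join(lines)


if __name__ == "__main__":
    sample = build_sample_docx()
    for finding in triage(sample):
        print("DROPPED:", finding)
    print(docx_to_text(sample))
```

The same idea applies to the other conversions on the slide: xlsx -> csv keeps cell values and loses formulas and macros, pdf -> png keeps pixels and loses JavaScript and embedded files. What the conversion cannot do is make the conversion host safe, which is why it belongs on a throwaway machine.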
Wipe to give away
• Data is still there even if the disk is formatted
  • a (quick) format rewrites filesystem metadata, not the data blocks; ordinary recovery tools read them back
  • claims that an electron microscope can recover data after an overwrite have not been demonstrated for modern drives; one full overwrite is enough for a magnetic disk (NIST SP 800-88)
  • leakage of secret data
• You need to make sure the data is erased
  • # dd if=/dev/urandom of=/dev/<disk> bs=16M
  • for SSDs and flash, overwriting does not reliably reach every cell (wear levelling, over-provisioning): use the device's own sanitize command (ATA Secure Erase via hdparm --security-erase, or nvme format --ses=1), or encrypt the disk from day one and destroy the key
Recover
• 'Clean install' from scratch
  • format the disk, use a proper OS image (verify its checksum or signature first)
• Apply the latest OS patches to be up to date
  • it is vulnerable before it is patched
  • do the update on a secure network
• Install needed applications
  • check for upgrades, of course
Recover (cont.)
• Disable unnecessary services
  • the same as the hardening procedure
• Check configurations
  • for any weakness
• Change all passwords on the system, and any keys or tokens that were stored on it
  • any password might have been stolen
Replacing might be your choice
• Keep the compromised system as is
  • for further investigation
  • malware that lives in memory only is lost when the machine is powered off; image the memory first if you need it
• Just replace the compromised system
  • spare hardware
Backups
• Encryption
• Automation
• Generations
Encryption
• Assume theft and loss
• Your backups must have at minimum the same encryption level as the source data
Automation
• We are lazy!
  • easy to forget
• Automated backups will help you
  • most systems have scheduled backup
Generations
• You should have a 'good' version of the backup
  • if a system is compromised, the malware might also be in the backup archive; you won't want to restore that
• If something goes wrong by chance, you may restore the previous version
• Find a 'good' version from your archives
Off-site archives
• 2011 Tohoku earthquake and tsunami
  • flooded buildings and data centers
  • 4 local governments lost all data in the family registration system
• They had off-site backups
  • it took about 1 month to recover, though
  • they wanted to make sure nothing was missed
HTTP and Secure Channel
BhutanNOG4 29

Plain HTTP          HTTP over TLS (HTTPS)
  HTTP                HTTP
  TCP                 TLS
  IP                  TCP
                      IP
SSL/TLS
• SSL and TLS
  • SSL v3.0 specified in an I-D in 1996 (draft-freier-ssl-version3-02.txt) and now in RFC6101
  • TLS v1.0 specified in RFC2246; TLS v1.0 = SSL v3.1 ≈ SSL v3.0
  • TLS v1.1 specified in RFC4346
  • TLS v1.2 specified in RFC5246
  • TLS v1.3 specified in RFC8446 (2018)
• Goals of the protocol
  • Secure communication between applications
  • Data encryption
  • Server authentication
  • Message integrity
  • Client authentication (optional)
SSL is not secure anymore
• SSL 2.0 and SSL 3.0 have known vulnerabilities in the protocol specifications
  • downgrade attacks
  • POODLE attack (padding oracle against SSL 3.0 CBC cipher suites)
  • RFC6176 - Prohibiting Secure Sockets Layer (SSL) Version 2.0
  • RFC7568 - Deprecating Secure Sockets Layer Version 3.0
• Use TLS instead. TLS 1.0 and 1.1 have since been deprecated as well (RFC8996), so configure TLS 1.2 or later
TLS Properties
• Connection is private
  • Encryption is used after an initial handshake to define a secret key
  • Symmetric cryptography is used for data encryption
• Peer's identity can be authenticated
  • Asymmetric cryptography is used (RSA or ECDSA)
• Connection is reliable
  • Message transport includes a message integrity check using a keyed MAC
  • Secure hash functions (such as SHA384, SHA256) are used for MAC computations; with AEAD cipher suites (AES-GCM, ChaCha20-Poly1305) the cipher mode itself provides integrity
The TLS Handshake Process
(TLS client and TLS server, across the Internet)
1. Client initiates the TLS connection and sends its supported cipher suites (ClientHello)
2. Server returns its digital certificate and the selected cipher suite
3. Client sends a shared secret encrypted with the server's public key
4. Message encryption and integrity algorithms are negotiated
5. Session keys are generated
6. Secure session tunnel is established
• Step 3 describes RSA key transport as used up to TLS 1.2. With (EC)DHE key exchange, mandatory in TLS 1.3, each side sends an ephemeral public value and the shared secret is derived rather than transmitted, so a later theft of the server's private key does not expose recorded sessions (forward secrecy)
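Step 1 on the wire, as an added example that is not part of the APNIC slides: the client's offer is a ClientHello carrying its protocol versions and cipher suites, and a server (or a network sensor) decides from it what to accept. The code builds one such message (constructed bytes, not a capture; `os.urandom` fills the random field), parses it the way a receiver would, and flags what the slides above say to refuse: SSL/TLS versions below 1.2 and RC4/3DES suites. The cipher-suite code points are the IANA-registered values; the "policy" in `assess` is an assumed server configuration.

```python
"""Parse a TLS ClientHello and judge what it offers.

Added example, not from the APNIC slides. Builds a ClientHello inside a
TLS record, parses it back, and raises findings for legacy versions and
weak suites that a hardened server should refuse.
"""
import os
import struct
from typing import Dict, List

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1",
            0x0303: "TLS1.2", 0x0304: "TLS1.3"}
# Cipher suite code points from the IANA TLS registry (only the ones used here).
SUITES = {0x1301: "TLS_AES_128_GCM_SHA256",
          0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
          0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
          0x0005: "TLS_RSA_WITH_RC4_128_SHA"}
WEAK_SUITES = {0x000A, 0x0005}             # 3DES (Sweet32) and RC4 (RFC 7465)
EXT_SERVER_NAME, EXT_SUPPORTED_VERSIONS = 0x0000, 0x002B


def build_client_hello(sni: str, suites: List[int], versions: List[int]) -> bytes:
    """Constructed ClientHello wrapped in a TLS record (RFC 5246 / RFC 8446 layout)."""
    sni_ext = struct.pack("!HBH", len(sni) + 3, 0, len(sni)) + sni.encode()  # list len, host_name type, name len
    ver_ext = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    exts = (struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext)) + sni_ext
            + struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ver_ext)) + ver_ext)
    body = (struct.pack("!H", 0x0303) + os.urandom(32) + b"\x00"   # legacy version, random, empty session id
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00"                                            # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def parse_client_hello(record: bytes) -> Dict:
    """Walk record -> handshake -> ClientHello; raise ValueError on malformed input."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    legacy_version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                   # skip legacy version and random
    pos += 1 + body[pos]                           # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # compression methods
    info = {"legacy_version": legacy_version, "cipher_suites": suites,
            "sni": None, "supported_versions": []}
    if pos + 2 <= len(body):                       # extensions are optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SERVER_NAME:           # list length(2), name type(1), name length(2), name
                name_len = struct.unpack("!H", data[3:5])[0]
                info["sni"] = data[5:5 + name_len].decode("ascii", "replace")
            elif etype == EXT_SUPPORTED_VERSIONS:  # length byte, then 2-byte versions
                info["supported_versions"] = [struct.unpack("!H", data[i:i + 2])[0]
                                              for i in range(1, 1 + data[0], 2)]
    return info


def assess(info: Dict) -> List[str]:
    """Findings an assumed server policy of 'TLS 1.2+, no RC4/3DES' would raise."""
    findings = []
    offered = info["supported_versions"] or [info["legacy_version"]]
    for v in offered:
        if v < 0x0303:
            findings.append(f"offers legacy version {VERSIONS.get(v, hex(v))}")
    for s in info["cipher_suites"]:
        if s in WEAK_SUITES:
            findings.append(f"offers weak suite {SUITES.get(s, hex(s))}")
    return findings


if __name__ == "__main__":
    hello = build_client_hello("example.org", [0x1301, 0xC02F, 0x0005, 0x000A],
                               [0x0304, 0x0303, 0x0301])
    parsed = parse_client_hello(hello)
    print(parsed["sni"], [VERSIONS[v] for v in parsed["supported_versions"]])
    for finding in assess(parsed):
        print("FINDING:", finding)
```

Two details worth noticing: the record-layer version (0x0301) and the legacy client version (0x0303) are not what decides the negotiated version once the supported_versions extension is present, which is why `assess` reads the extension first; and a ClientHello that offers only TLS 1.3 suites and versions produces no findings, which is the state a modern client should be in.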
TLS Client Authentication
• Client authentication (certificate based) is optional and not often used
• Many application protocols incorporate their own client authentication mechanism, such as username/password or S/Key
• These authentication mechanisms are more secure when run over TLS
TLS IANA Assigned Port #s

| Protocol    | Defined Port Number | TLS Port Number |
|-------------|---------------------|-----------------|
| HTTP        | 80                  | 443             |
| NNTP        | 119                 | 563             |
| POP         | 110                 | 995             |
| FTP-Data    | 20                  | 989             |
| FTP-Control | 21                  | 990             |
| Telnet      | 23                  | 992             |
Certificate Authority
• Issues a digital certificate which is signed by the CA's private key
• You can verify the certificate using the corresponding public key
  • if you trust the public key
• ... and CAs can have a hierarchical trust model
Trust chain

root CA (self-signed; in your trust store)
  -- sign --> intermediate CA
                -- sign --> end entity cert
                -- sign --> end entity cert
https://www.apricot.net
trusted CA
CA and certificates
• A CA can issue a certificate for any domain name
  • if you trust the CA, the certificate looks legitimate
• If you have a malicious CA in your trusted keychain, an attacker who holds its private key can monitor/modify your TLS session data
• Yes, we have cases: vendor-preinstalled root CAs whose private key shipped with the software, so anyone could issue certificates those machines trusted
  • https://support.lenovo.com/nz/en/product_security/superfish
  • https://www.dell.com/support/article/us/en/19/SLN300321
Check your trusted CA
• Windows
  • certlm.msc (local machine store); certmgr.msc for the current user's store
• Mac OS X
  • Keychain Access.app
• Firefox
  • Settings -> Advanced -> Certificates -> View Certificates (Settings -> Privacy & Security -> Certificates in current versions)
• Firefox keeps its own trust store separate from the operating system's; check both
BhutanNOG4 41
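The same check from a script, as an added example that is not code from the APNIC slides: Python's `ssl` module exposes the roots that OpenSSL's default store on the host will accept, so the list can be searched for a name you do not recognise (Superfish and eDellRoot, from the previous slide, would show up by subject name) and scanned for roots that are expired or not self-signed. The `SAMPLE_ROOTS` records are constructed in the dict shape `get_ca_certs()` returns and are not real CAs; they exist so the audit logic can be exercised offline.

```python
"""Audit the CA roots your TLS stack trusts.

Added example, not from the APNIC slides. Lists the trust anchors a
default ssl context would use, flags expired and non-self-signed
entries, and searches subject names for a given string.
"""
import ssl
import time
from typing import Dict, List, Optional

# Constructed records in the dict shape ssl's get_ca_certs() returns; not real CAs.
SAMPLE_ROOTS = [
    {"subject": ((("commonName", "Example Root CA"),),),
     "issuer": ((("commonName", "Example Root CA"),),),
     "notBefore": "Jun 10 00:00:00 2010 GMT", "notAfter": "Jun 10 00:00:00 2040 GMT",
     "serialNumber": "01", "version": 3},
    {"subject": ((("commonName", "Old Vendor Root"),),),
     "issuer": ((("commonName", "Old Vendor Root"),),),
     "notBefore": "Jun 10 00:00:00 2000 GMT", "notAfter": "Jun 10 00:00:00 2015 GMT",
     "serialNumber": "02", "version": 3},
    {"subject": ((("commonName", "Injected Proxy CA"),),),
     "issuer": ((("commonName", "Some Other CA"),),),
     "notBefore": "Jun 10 00:00:00 2020 GMT", "notAfter": "Jun 10 00:00:00 2030 GMT",
     "serialNumber": "03", "version": 3},
]

_SHORT = {"commonName": "CN", "organizationName": "O", "countryName": "C"}


def dn(rdns) -> str:
    """Flatten ssl's ((('commonName', 'X'),), ...) tuples into 'CN=X,O=Y'."""
    return ",".join(f"{_SHORT.get(k, k)}={v}" for rdn in rdns for k, v in rdn)


def load_trusted_roots() -> List[Dict]:
    """Roots a default client context would use to verify servers (from the OS store)."""
    return ssl.create_default_context().get_ca_certs()


def audit_trust_store(roots: Optional[List[Dict]] = None,
                      now: Optional[float] = None) -> Dict[str, List[str]]:
    """Group subjects into 'all', 'expired' and 'not_self_signed' (a root should sign itself)."""
    roots = load_trusted_roots() if roots is None else roots
    now = time.time() if now is None else now
    report = {"all": [], "expired": [], "not_self_signed": []}
    for cert in roots:
        subject = dn(cert["subject"])
        report["all"].append(subject)
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            report["expired"].append(subject)
        if cert["subject"] != cert["issuer"]:
            report["not_self_signed"].append(subject)
    return report


def find_roots(needle: str, roots: Optional[List[Dict]] = None) -> List[str]:
    """Case-insensitive search of subject names, e.g. find_roots('Superfish')."""
    roots = load_trusted_roots() if roots is None else roots
    return [dn(c["subject"]) for c in roots if needle.lower() in dn(c["subject"]).lower()]


if __name__ == "__main__":
    report = audit_trust_store()
    print(f"{len(report['all'])} trusted roots; {len(report['expired'])} expired; "
          f"{len(report['not_self_signed'])} not self-signed")
    for hit in find_roots("Superfish") + find_roots("eDellRoot"):
        print("SUSPECT:", hit)
```

On Linux builds where OpenSSL is pointed at a hashed CA directory rather than a bundle file, `get_ca_certs()` can come back empty until a connection has actually been verified; loading a PEM bundle explicitly with `ctx.load_verify_locations(cafile=...)` fills it immediately. Note also that this inspects the store OpenSSL sees, which is not the same store Firefox uses.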