Making Servers And Websites Stand Hacker Attacks

Introduction

I recently got a coment from someone asking how to defend against hacker attacks. So here is the post with some of my thoughts on that matter.

General Information

First of all, its important to note that on some articles the autor makes a difference if he says Hacker or Cracker. The difference would be that a hacker is hacking stuff like servers, phones, websites and so on to show the weekness and help both the owner and society to be more conceus of the problems assosiated with modern tecnology and how to protect against those. Whilest the clracker is also hacking system he is more focust on the criminal aspect like stealing account passwords or even moey from your bank account. For simplicity I will not make such a distinguishment in this article.

 

In order to know how we can protect against hacker attacks we must first understand two things.

  • Why would anyone want to hack a system
  • How can a system be hacked

The why question is a rather simple one. The answer to that is very similar if not equal as to that in the real, physical world. Its one or a combination of those: for funn, for profit (stealing money),  and probably many more.

The how question involves a little knowledge of the system. The holywood style where no hacks seems to be impolible is of course bullshit. The are prettty good mecanisms in todays tecnology that prevent hacking attacks. A notable exceptions are industrie automation and CCTV those are verry verry easy to hack for someone with even moderate skill (If you  want to know more on that just visit the DEFCON youtube chanel).

 

Making systems hacker proof

Well, forget about hacker proof you  can oly make it harder but not imposible.

Your Website

  • Use an encrypted connection to your website. If you dont everyone can just sniff your network traffic and just read the password. Those connections are usualy indicated by the browser with a lock symbol next to the website adress. In order to encrypt your website you will have to get a TLS certificate which can cost quite some money. A free alternative is Lets Encrypt I suggest you check that out.
  • Use strong passwords. Well that one is obviouse, the more charactes in a password the more time it would take to find a password by trying all posible variations. Also if your password can be found in a dictionarry it will be found. You should also avoid very common passwords like “love” or “12345” and so on. Also it is recomended that you use one password for one service or website. You could even go to the extreme and change a password every X month.  However that is not practical. My personal opinoion is that its ok to have multible passwords for one kind of service for example one for all social media one for all online banking and so on provided those passwords are changed regularly and combined with One Time Passwords.
  • Use One Time Passwords when ever posible. You remember the last time you did some online banking and Im not speaking of PayPal I mean the old feshioned one. You moast likely got a unique number send to your phone by SMS. Well, you can install a OTP Pluin in your CMS two. The advantage here is, that even if someone gets ahold of your password he still needs to know a unique number which is genereated by an app on your phone so only you can know. Google Authenticator is one such app.
  • Also you should update your website frequently to get the moast recent security fixes. Now here some CMS have a auto update feature. The advantage here clearly is that you dont have to do anything to get the newest version…..except if the auto update fails. So my suggestion would be to not use this feature instead update manualy.
  • Defenetly automatic backups are a great idea as freqent as posible. Manualy does not work because you cant do a backup by hand every day.

 

 

Your Linux Server

Wen it comes to your linux server theres an overwhelming mass on options you have. I do however suggest not to overdo those because the more security layers you add the harder overall managament will get. Usability usualy suffers from security so wheight that out very carefully you dont want to get hacked yet you want a system thas usable.

Here are some thoughts you could start with:

  • Bruteforce protection (Also read: Fail2Ban)
  • Disable network services you dont need
  • Regular automated backup
  • Get the file permissions right
  • Do only install software form trusted sources. Every linux distribution has its own repository its like the AppStore for servers. It usualy has everything you need.
  • When installing new software search for spesific security considerations.

If youre more advanced and wnat to have even better security you could also do those things:

  • Install a sandbox like AppArmor
  • Run regular integrity tests (Make and compare checksums of files to see what a hacker might have changed)
  • If you run regular server integrity tests with cron and get the results via email. Those emails would be send in plain text for everyone to read – this includes the hacker who wnats to hack your server. So my suggestion here would be to use either GPG or S/MIME to encrypt those confidential emails. (Also read: Encrypt cron emails with S/Mime or Encrypt cron emails with GPG)

 

Remember: Linux server security is way to large of a subject to fit in on one website. I encourage you to continue researching the entire internet on this topic.

 

Your Windows Server

Dont use a windows server if security is an issue. A Linux server might seem very complicated to maintain at the beginning and I promise you – that wont change with time. But its defenitly the secure version of both.

Go fore windows if you dont know linux and dont want to spend time on that. Windows is way easier to maintain and the licence cost isnt so bad if compared with the time you spend on linux servers.

Fail2Ban Report

Introduction

See where the Attacks against your server come from.

 

Report Layout

The Report will look something like this:

 

Report Script

Encrypting cron emails with GPG

Introduction

You might have your server setup in such a way that it runs a few tasks with cron so you don’t have to worry about them. Except.. you should. That is if the scheduled tasks send mission critical information over the internet. Now assume you have some kind of security audit software running like say lynis. You sure don’t want that report in the wrong hands since an attacker could really use that information to break into your server way easier than otherwise.

 

Assumptions

  • You are familiar with GPG
  • You have root access to your linux web server
  • Your server runs on a recent Ubuntu
  • Cron is already configured to send emails

 

Encrypting

There are basically two ways of encrypting emails one is GPG and the other S/MIME. We will be using GPG. Further this article assumes you are familiar with GPG.

 

  1. Upload your public key (ending in .asc) to your server /home is a good place.
  2. That the key can actually be read by the command we will be using, it has to be slightly modified. To be precise the ASCII amor has to be removed we need the key in binary form. This is archived by the following command.
  3. Add this line at the top of your /etc/crontab just after MAILTO=you@example.de. You need to replace the email address and the public key path.
  4. For this command to work we need the program  ifne installed. Usually if a command has no output to /dev/stdout or /dev/stderr gpg would encrypt an empty string and you would receive an encrypted email that has no content once decrypted. This would be annoying ifne  prevents this. To install it run.
  5. Now in /etc/crontab you can simply pipe the output to gpg and enjoy encrypted emails.

     

 

 

If you want to have a more in depth understanding of what is going on here I suggest you read this article as well. This is also where some of the inspiration for the exact parameters to gpg came from.

Server Authentication With Client Certificate X.509

Introduction

Basics of setting up certificate based authentication on Apache.

 

Assumptions

Your Server is already configured to use SSL/TLS. This is required because the browser refuses to use its certificate for authentication on an insecure connection.

 

Creating all the files we need

WARNING: Further investigation has to be made whether this is the optimal way.

WARNING: The key sizes and expiration dates must be adjusted to suite your need.

 

Create the CA

Create a signing request and signing it with the CA private key

Convert the alice.crt to alice.p12 so a browser knows what to do with it. (Note: On safari the .p12 file has to have a password for the import to work)

Convert the .p12 to .pam so tools like curl can use it

 

Configuring Apache

copy your CA.pem in a file readable by apache. In my case it is /home/CA.pem but this might differ for your server.

in your virtual hosts configuration file add  SSLCACertificateFile  and  SSLVerifyClient  like shown below.

 

 

Finally… we can use it

To use the certificate with curl

 

To install in Safari on a Mac just double click the .p12 file and follow the instructions

To install on iOS the file can be send by email (messengers don’t work) and installed by tapping on it and following the instructions. If the file is considered a production file it should NOT be send over the internet instead plug in a usb cord and transfer via iTunes.

 

Change OS on the Fly

How to change the OS of your Raspberry Pi while it is running.

WARNING: This guide is incomplete

 

  1. Download Raspbian from https://www.raspberrypi.org/downloads/raspbian/
  2. Burn the image to a spare SD card
  3. Boot the Pi with it and SSH into it
  4. Download Ubuntu Core from http://cdimage.ubuntu.com/ubuntu-core/16/stable/current/ubuntu-core-16-pi3.img.xz
  5. Running  fdisk -l  and  fdisk -l ubuntu-core-16-pi3.img  shows that the raspbian boot partition  has only 63MiB while Ubuntu Core needs 128MiB here.

 

There are basically two ways of installing a noter OS while the RPi is running.

One is overriding the boot and root partitions and the other is to override the content of them. Overriding the content will result in a lot of artefacts let on the system but might be easier to implement and those artefacts can be removed in subsequent updates.

Overriding the partitions itself maybe even recreating is damn complicated while easy for the boot partition the root partition is of the EXT4 type that means it can’t be unmounted while its used. Now its not exactly fun nor possible to SSH into a machine stop the SSHD and other services which are using the partition basically locking yourself out and THEN shrinking the partition. So one way around this would be to use the boot process itself to shrink the partition while its not yet mounted this might work with the cmdline.txt on the /boot partition   however I’m not sure which tools are a viable running a simple which fdisk  gives /sbin/fdisk so thats on the root partition so not a viable during the boot process. A way around would probably be to use a custom initrd.img that supplies the needed tools and partitioning with that.

 

Basically the point where I don’t yet have a satisfying solution. If you do know a better way let me know.

 

 

Boot process

http://elinux.org/RPi_Software#Overview

 

LED meanings during boot process

Red LED on: Power OK

Red LED blink or off: Problem with Power

Green LED off: bootloader.bin not found. Make sure there is a FAT32 partition with that file on the sd card. It is interesting to not that the RPi does not use a MBR (Master Boot Record) instead the firmere (in the SoC or GPU?) looks for the first FAT32 partition and looks for the bootloader.bin file there. This means that no nasty placing to a specific disk sector has to be made the file can just be copied over which is nice.

Green LED blink 5 times periodically : bootloader.bin found. Problems with the next stage (missing or invalid?) start.elf.

Green LED blink 7 times periodically: kernel.img not found.

Green LED blink 2 times only once on startup: (fixup.dat or cmdline.txt or config.txt not found? / everything ok turning off led for later sd card access indicator?)

 

Helpful links

RPi boot error led blink codes: http://www.techradar.com/how-to/computing/how-to-fix-raspberry-pi-boot-problems-1310697/2

https://www.tummy.com/blogs/2007/07/30/reducing-the-size-of-your-root-partition/