Linux server hardening and security verification
Tips and tools for sane configuration, penetration testing, and fuzz testing your systems.
Complete system security is an unreachable goal in today's technological landscape. As Dennis Hughes of the FBI has been quoted as saying, “The only secure computer is one that's unplugged, locked in a safe, and buried twenty feet under the ground in a secret location... and I'm not even too sure about that one.” In a world where securing systems by unplugging, locking, and burying them is not an option, there are steps that you can take to reduce the attack surface of your systems. The Attack Surface Analysis Cheat Sheet by the Open Web Application Security Project (OWASP) provides additional information about the attack surface.
Processes such as sane system configuration can diminish the attack surface, while penetration testing and fuzz testing can help engineers harden a system by breaking it with skilled exploitation and unexpected input to find vulnerabilities that can be fixed. Such techniques improve system security by detecting and removing vulnerabilities before malicious entities have a chance to exploit them.
Sane configurations are key to hardening any system because any vulnerability is exploitable to some degree. For instance, supporting legacy SSH ciphers such as arcfour, or legacy protocols such as TLSv1.0 on web servers, gives an attacker a way to gain access to and compromise a system. To prevent these and other vulnerabilities, follow the principle of least privilege when it comes to user authorizations; give a user or process the bare minimum access and clearance that is needed to complete required tasks. Prevent intrusions from the network by closing unused ports, which reduces the entry points accessible to network attackers. Additionally, ensure that firewall protocols are enabled, which further restricts possible network attacks. Use a facility such as seccomp to filter the system calls available to a process, thereby reducing the exposed kernel surface.
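The legacy-cipher and legacy-protocol checks described above can be automated. The following is an added example, not part of the original article: it assumes OpenSSH `sshd_config` syntax and an nginx-style `ssl_protocols` directive, and the function names and sample configurations are constructed for illustration.

```python
import re

# Legacy settings the article names: the arcfour SSH ciphers and TLSv1.0.
LEGACY_SSH_CIPHER = re.compile(r"arcfour(128|256)?", re.IGNORECASE)
LEGACY_TLS_TOKEN = "TLSv1"  # nginx writes TLS 1.0 as "TLSv1"

# Constructed sample inputs (not taken from any real host).
SAMPLE_SSHD = """\
# sshd_config
Port 22
Ciphers aes256-ctr,arcfour256,arcfour
Ciphers aes256-gcm@openssh.com
"""
SAMPLE_NGINX = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.2 TLSv1.3;  # legacy token first
}
"""

def directives(text, terminator=""):
    """Yield (line_no, keyword, args) for every non-comment, non-blank line."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip().rstrip(terminator).strip()
        if line:
            parts = line.split(None, 1)
            yield no, parts[0], parts[1] if len(parts) > 1 else ""

def audit_sshd(text):
    """Flag legacy ciphers in the Ciphers line that sshd would actually use."""
    for no, key, args in directives(text):
        if key.lower() != "ciphers":          # sshd keywords are case-insensitive
            continue
        if args.startswith("-"):              # "-list" removes from the defaults
            return []
        names = [n.strip() for n in args.lstrip("+^").split(",")]
        # Only the first Ciphers line counts: sshd keeps the first value it reads.
        return [f"sshd line {no}: legacy cipher {n}"
                for n in names if LEGACY_SSH_CIPHER.fullmatch(n)]
    return []  # no explicit list: the installed version's defaults apply

def audit_nginx_tls(text):
    """Flag every ssl_protocols directive that still enables TLS 1.0."""
    return [f"nginx line {no}: legacy protocol {tok}"
            for no, key, args in directives(text, terminator=";")
            if key == "ssl_protocols"
            for tok in args.split() if tok == LEGACY_TLS_TOKEN]
```

When no `Ciphers` line is present the check reports nothing, because the effective list then depends on the defaults of the installed OpenSSH version.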
Unused packages are potential attack vectors that offer no additional functionality. Verify that installed applications and packages are required and remove the ones that are not. A simple example: if the system is accessed through the console only, remove all unused GUI support. The Configuration Assessment Tool available from the Center for Internet Security (CIS-CAT) is a useful application that allows users to run hardening benchmarks at varying depths to indicate where a system falls short of meeting the desired standard. CIS-CAT is highly recommended to help you discover the subtler configuration hardening vulnerabilities of your system.
In addition to system hardening, software distributors provide important software and security updates to users. Code fixes and improvements make an impact on system security. Systems that are out of date are easier targets for attackers. According to the United States Computer Emergency Readiness Team, up to 85% of targeted attacks could be avoided if the victim had a properly updated system (https://www.us-cert.gov/ncas/alerts/TA15-119A). Attack success rates can be drastically reduced if systems are properly updated. Common attacks are widely known to the public, including malicious entities. Conscientious vendors make efforts to release patches in a timely manner. However, if system administrators fail to apply updates, the patches are useless for protecting the systems and the services they offer. Efforts must be made to ensure that all systems receive timely updates.
Penetration testing is a method of finding system vulnerabilities by using automated tools or customized attacks. The goal of penetration testing is to subvert system security and gain access to data through unintended modes of operation without the expected permissions or credentials. These attacks use known exploits and vulnerabilities present in the targeted system. Penetration testing requires a different mindset than traditional verification methods such as verification testing. Unlike in more conventional testing, penetration testers attempt to access system components and data by using the tools and approach of a malicious attacker. Though the philosophy of penetration testing might appear backwards, it provides a more transparent and complete system security profile than conventional testing alone.
The penetration testing toolchain includes examples such as Metasploit, a fully featured penetration testing framework that contains databases of known exploits as well as tools to scan networks and exposed systems. Other examples, such as Nmap and Wireshark, test the network with port scans or packet inspection, respectively. Both of these tools give insight into how the system acts and responds on the network. Port scans show which applications and system utilities are actively available through the network as well as showing which ports are unused and should be considered for blocking. Anything accessible from the network is a possible target, so locking down access is a priority. The following tools offer automated vulnerability detection on a variety of targets and are incredibly useful:
In addition to scans and tools, deep knowledge of the system that is being attacked is always beneficial. Creating a specific exploit and manually executing the payload is much more complex than the automation that defines many forms of penetration testing. Once an exploit is found, automated tests and payload delivery systems can be created, but finding such attacks is a painstaking process.
Deciding on potential targets for an attack can be difficult. When attempting to exploit a complex system, decide on which attack vectors are more fruitful than others. If there is a process running that has a web interface or networked components, it might be a better target than a less exposed application. An additional indicator is the presence of specialized software. Rather than attempting to use a vector that has an established community and support history, targeting software that fills a specific purpose or one that is built to run within a niche environment is likely a better option.
Fuzz testing, which is defined by OWASP as “finding implementation bugs using malformed/semi-malformed data injection in an automated fashion” (https://www.owasp.org/index.php/Fuzzing), is another method to verify the stability of the system and supported applications. An example fuzz target would be a program that accepts only integers as inputs. What happens when floats, strings, or any other unexpected data are input? Ideally, the application can handle malformed inputs. If the application crashes or other unexpected behavior occurs, then the stability and security of the system are at risk. One highly recommended application fuzz testing tool is american fuzzy lop (AFL), which found multiple bugs in popular applications such as QEMU, Clang, OpenSSH, Bash, and Mozilla Firefox. AFL runs on any executable application and works from user-supplied “good” input, which allows the user to customize the starting environment that AFL will fuzz. Another tool, OWASP ZAP, is both a web vulnerability scanner and a web application fuzzer. The application spiders through available links, sending fuzzed input as well as known malicious attacks. IBM Security AppScan has similar functionality on web applications, but the software also offers versions that test application source code with fuzzed input.
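The integers-only scenario above can be reproduced with a small mutation fuzzer. This is an added example, not part of the original article and not AFL itself: the parsers, the `Rejected` exception, and the seed are hypothetical, and the mutations are deterministic so that every run gives the same result.

```python
class Rejected(Exception):
    """The documented way for the target to refuse bad input."""

def parse_naive(data: bytes) -> int:
    # Assumes ASCII digits; anything else escapes as an unhandled exception.
    return int(data.decode("ascii"))

def parse_hardened(data: bytes) -> int:
    # Validate first: 1 to 10 ASCII digits only, otherwise refuse cleanly.
    if not (0 < len(data) <= 10) or not data.isdigit():
        raise Rejected(repr(data))
    return int(data.decode("ascii"))

# Tokens that turn an integer into a float, a string, or non-ASCII bytes.
TOKENS = [b".", b"e", b"-", b" ", b"\x00", b"\xff", b"A" * 64]

def mutations(seed: bytes):
    """Deterministic mutations of one known-good input."""
    for bit in range(len(seed) * 8):          # flip every bit
        out = bytearray(seed)
        out[bit // 8] ^= 1 << (bit % 8)
        yield bytes(out)
    for pos in range(len(seed) + 1):          # insert each token at each offset
        for tok in TOKENS:
            yield seed[:pos] + tok + seed[pos:]
    for pos in range(len(seed)):              # delete each byte
        yield seed[:pos] + seed[pos + 1:]
    yield b""                                 # empty input

def fuzz(target, seeds):
    """Return {exception name: first input that raised it}.

    A Rejected exception is the target handling bad input as designed,
    so it is not recorded as a crash.
    """
    crashes = {}
    for seed in seeds:
        for case in mutations(seed):
            try:
                target(case)
            except Rejected:
                continue
            except Exception as exc:
                crashes.setdefault(type(exc).__name__, case)
    return crashes

SEEDS = [b"42"]  # constructed "good" input, as a seed corpus would provide
```

Running `fuzz(parse_naive, SEEDS)` reports two distinct unhandled exception types with the first input that triggered each, while `fuzz(parse_hardened, SEEDS)` returns an empty result.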
Running any fuzzing application places a heavy load on system resources. In addition to the system resource requirements, fuzzing takes time to deliver results. However, even with an enormous amount of time, the pseudo-random inputs that are used do not guarantee that all potential issues are discovered.
Server hardening and verification require continuous effort. With new exploits and vulnerabilities being discovered daily, the security of your systems is constantly in jeopardy. System auditing, penetration testing, and fuzz testing each offer a unique perspective on the system state. These methods should be used in addition to testing standards such as unit and function tests to help heighten your confidence in the system.