• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer
  • Home
  • Create a VM ($25 Credit)
  • Buy a Domain
  • 1 Month free Back Blaze Backup
  • Other Deals
    • Domain Email
    • Nixstats Server Monitoring
    • ewww.io Auto WordPress Image Resizing and Acceleration
  • About
  • Links

IoT, Code, Security, Server Stuff etc

Views are my own and not my employer's.

Personal Development Blog...

Coding for fun since 1996, Learn by doing and sharing.

Buy a domain name, then create your own server (get $25 free credit)

View all of my posts.

  • Cloud
    • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
    • How to buy a new domain and SSL cert from NameCheap, a Server from Digital Ocean and configure it.
    • Setting up a Vultr VM and configuring it
    • All Cloud Articles
  • Dev
    • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
    • How to setup pooled MySQL connections in Node JS that don’t disconnect
    • NodeJS code to handle App logins via API (using MySQL connection pools (1000 connections) and query parameters)
    • Infographic: So you have an idea for an app
    • All Development Articles
  • MySQL
    • Using the free Adminer GUI for MySQL on your website
    • All MySQL Articles
  • Perf
    • PHP 7 code to send object oriented sanitised input data via bound parameters to a MYSQL database
    • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
    • Measuring VM performance (CPU, Disk, Latency, Concurrent Users etc) on Ubuntu and comparing Vultr, Digital Ocean and UpCloud – Part 1 of 4
    • Speeding up WordPress with the ewww.io ExactDN CDN and Image Compression Plugin
    • Setting up a website to use Cloudflare on a VM hosted on Vultr and Namecheap
    • All Performance Articles
  • Sec
    • Using the Qualys FreeScan Scanner to test your website for online vulnerabilities
    • Using OWASP ZAP GUI to scan your Applications for security issues
    • Setting up the Debian Kali Linux distro to perform penetration testing of your systems
    • Enabling TLS 1.3 SSL on a NGINX Website (Ubuntu 16.04 server) that is using Cloudflare
    • PHP implementation to check a password exposure level with Troy Hunt’s pwnedpasswords API
    • Setting strong SSL cryptographic protocols and ciphers on Ubuntu and NGINX
    • Securing Google G Suite email by setting up SPF, DKIM and DMARC with Cloudflare
    • All Security Articles
  • Server
    • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
    • All Server Articles
  • Ubuntu
    • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
    • Useful Linux Terminal Commands
    • All Ubuntu Articles
  • VM
    • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
    • All VM Articles
  • WordPress
    • Speeding up WordPress with the ewww.io ExactDN CDN and Image Compression Plugin
    • Installing and managing WordPress with WP-CLI from the command line on Ubuntu
    • How to backup WordPress on a host that has CPanel
    • Moving WordPress to a new self managed server away from CPanel
    • Moving a CPanel domain with email to a self managed VPS and Gmail
    • All WordPress Articles
  • All

security

Setup two factor authenticator protection at login on Ubuntu or Debian

October 14, 2018 by Simon

This is a quick post that shows how I set up two-factor authenticator protection at login on Ubuntu or Debian

Aside

If you have not read my previous posts I have now moved my blog to the awesome UpCloud host (signup using this link to get $25 free UpCloud VM credit). I compared Digital Ocean, Vultr and UpCloud Disk IO here and UpCloud came out on top by a long way (read the blog post here). Here is my blog post on moving from Vultr to UpCloud.

Buy a domain name here

Domain names for just 88 cents!

Now on with the post.

Backup

I ensured I had a backup of my server. This is easy to do on UpCloud. If something goes wrong I will rollback.

Sever Backup Confirmed

Why Setup 2FA on SSH connections

1) Firewalls or whitelists may not protect you from detection.

2) SSH authorisation bypass bugs may appear.

I’ve just relased libssh 0.8.4 and 0.7.6 to address CVE-2018-10933. This is an auth bypass in the server. Please update as soon as possible! https://t.co/Qhra2TXqzm

— Andreas Schneider (@cryptomilk) October 16, 2018

2FA authorisation is another lube of defence.

Yubico Yubi Key

Read my block post here to learn how to use the Yubico YubiKey NEO hardware-based two-factor authentication device to improve authentication and logins to OSX and software

Timezone

It is important that you set the same timezone as the server you are trying to secure two 2FA. I can run this command on Linux to set the timezone.

On Debian, I set the time using this guide.

dpkg-reconfigure tzdata

Check the time command

> timedatectl
> Local time: Tue 2019-06-25 16:45:20 UTC
> Universal time: Tue 2019-06-25 16:45:20 UTC
> RTC time: Wed 2019-06-26 02:37:44
> Time zone: Etc/UTC (UTC, +0000)
> Network time on: yes
> NTP synchronized: yes
> RTC in local TZ: no

sudo hwclock --show

I set the timezone

> sudo timedatectl set-timezone Australia/Sydney

I confirmed the timezone

> timedatectl
> Local time: Wed 2019-06-26 02:47:42 AEST
> Universal time: Tue 2019-06-25 16:47:42 UTC
> RTC time: Wed 2019-06-26 02:40:06
> Time zone: Australia/Sydney (AEST, +1000)
> Network time on: yes
> NTP synchronized: yes
> RTC in local TZ: no

I installed a npt time server

I followed this guide to install an NTP time server (failed at: ntpdate linuxconfig.ntp) and this guide to manually sync

I installed the Google Authenticator app

sudo apt install libpam-google-authenticator
sudo apt-get install libpam-google-authenticator

Configure Google Authenticator

Run google-authenticator and answer the following questions

Q1) Do you want authentication tokens to be time-based (y/n): Y

You will be presented with a token you can add to the Yubico Authenticator or other authenticator apps,

2FA Code

TIP: Write down any recovery codes displayed

Scan the code with your 2FA Authenticator app (e.g Google Authenticator, Yubico Authenticator or freeOTP from https://freeotp.github.io)

Scan 2FA Code

The 2FA code is now available for use in my YubiCo Authenticator app

Authenticator App Ready

Q2) Do you want me to update your “/root/.google_authenticator” file? (y/n): Y

Q3) Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n): Y

Q4) By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between the authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y: Y

Q5) If the computer that you are logging into isn’t hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n): Y

Review Google Authenticator Config

sudo nano ~/.google_authenticator

You can change this if need be.

sudo nano ~/.google_authenticator

Edit SSH Configuration (Authentication)

sudo nano /etc/pam.d/sshd

Add the line below the line “@include common-auth”

auth required pam_google_authenticator.so

Comment out the following line (this is the most important step, this forces 2FA)

#@include common-auth

Edit SSH Configuration (Challenge Response Authentication)

Edit the ssh config file.

sudo nano /etc/ssh/sshd_config

Search For

ChallengeResponseAuthentication

Set this to

yes

Ensure the following line exists

UsePAM yes

Add the following line

AuthenticationMethods publickey,password publickey,keyboard-interactive

Edit Common Auth

sudo nano /etc/pam.d/common-auth

Add the following line before the line that says “auth [success=1 default=ignore] pam_unix.so nullok_secure”

auth required pam_google_authenticator.so

Restart the SSH service and test the codes in a new terminal before rebooting.

TIP: Do not exit the working connected session and you may need it to fix issues.

Restart the SSH service a tets it

/etc/init.d/ssh restart
[ ok ] Restarting ssh (via systemctl): ssh.service.

If you have failed to set it up authenticator codes will fail to work.

Failed attempts

Further authentication required
Using keyboard-interactive authentication.
Verification code:
Using keyboard-interactive authentication.
Verification code:
Using keyboard-interactive authentication.
Verification code:

When it is configured OK (at login SSH connection) I was prompted for further information

Further Information required
Using keyboard-interactive authentication
Verification Code: ######
[email protected]#

I am now prompted at login to insert a 2FA token (after inserting my YubiKey)

Working 2FA in Unix

Turn on 2FA on other sites

Check out https://www.turnon2fa.com and tutorials here.

I hope this guide helps someone.

Please consider using my referral code and get $25 UpCloud VM credit if you need to create a server online.

https://www.upcloud.com/register/?promo=D84793

Ask a question or recommend an article

[contact-form-7 id=”30″ title=”Ask a Question”]

Revision History

V1.4 June 2019: Works on Debian 9.9

V1.3 turnon2fa.com

V1.2 ssh auth bypass

v1.1 Authenticator apps

v1.0 Initial Post

Filed Under: 2FA, 2nd Factor, Auth, Authorization, Code, Debian, Security, Ubuntu, UpCloud, Yubico, YubiKey Tagged With: app, at, authenticator, debian, factor, login, on, or, Protection, security, Setup, two, ubuntu, Yubico, YubiKey

Set up Feature-Policy, Referrer-Policy and Content Security Policy headers in Nginx

July 17, 2018 by Simon

This is a quick post that shows how I set up the “Feature-Policy”, “Referrer-Policy” and “Content Security Policy” headers in Nginx to tighter security and privacy.

Aside

If you have not read my previous posts I have now moved my blog to the awesome UpCloud host (signup using this link to get $25 free UpCloud VM credit). I compared Digital Ocean, Vultr and UpCloud Disk IO here and UpCloud came out on top by a long way (read the blog post here). Here is my blog post on moving from Vultr to UpCloud.

Buy a domain name here

Domain names for just 88 cents!

Now on with the post.

Add a Feature Policy Header

Upon visiting https://securityheaders.com/ I found references to a Feature-Policy header (WC3 internet standard) that allows you to define what browse features you webpage can use along with other headers.

Google mentions the Feature-Policy header here.

Browser features that we can enable or block with feature-policy headers.

  • geolocation
  • midi
  • notifications
  • push
  • sync-xhr
  • microphone
  • camera
  • magnetometer
  • gyroscope
  • speaker
  • vibrate
  • fullscreen
  • payment

Feature Policy Values

  • * = The feature is allowed in documents in top-level browsing contexts by default, and when allowed, is allowed by default to documents in nested browsing contexts.
  • self = The feature is allowed in documents in top-level browsing contexts by default, and when allowed, is allowed by default to same-origin domain documents in nested browsing contexts, but is disallowed by default in cross-origin documents in nested browsing contexts.
  • none = The feature is disallowed in documents in top-level browsing contexts by default and is also disallowed by default to documents in nested browsing contexts.

My Final Feature Policy Header

I added this header to Nginx

sudo nano /etc/nginx/sites-available/default

This essentially disables all browser features when visitors access my site

add_header Feature-Policy "geolocation none;midi none;notifications none;push none;sync-xhr none;microphone none;camera none;magnetometer none;gyroscope none;speaker self;vibrate none;fullscreen self;payment none;";

I reloaded Nginx config and restart Nginx

nginx -t
nginx -s reload
/etc/init.d/nginx restart

Feature-Policy Results

I verified my feature-policy header with https://securityheaders.com/

Feature Policy score from https://securityheaders.com/?q=fearby.com&followRedirects=on

Nice, Feature -Policy is now enabled.

Now I need to enable the following headers

  • Content-Security-Policy (read more here)
  • Referer-Policy (read more here)

Add a Referrer-Policy Header

I added this header configuration in Nginx to prevent referrers being leaked over insecure protocols.

add_header Referrer-Policy "no-referrer-when-downgrade";

Referrer-Policy Results

Again, I verified my referrer policy header with https://securityheaders.com/

Referrer Policy resu;ts from https://securityheaders.com/?q=fearby.com&followRedirects=on

Done, now I just need to setup Content Security Policy.

Add a Content Security Policy header

I read my old guide on Beyond SSL with Content Security Policy, Public Key Pinning etc before setting up a Content Security policy again (I had disabled it a while ago). Setting a fully working CSP is very complex and if you don’t want to review CSP errors and modify the CSP over time this may not be for you.

Read more about Content Security Policy here: https://content-security-policy.com/

I added my old CSP to Nginx

> add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'self'; script-src 'self' 'unsafe-inline' https://fearby.com:* https://fearby-com.exactdn.com:* https://*.google-analytics.com https://*.google.com https://www.googletagmanager.com:* https://www.google-analytics.com:*; style-src 'self' 'unsafe-inline' https://fearby.com:* https://fearby-com.exactdn.com:* https://fonts.googleapis.com:* https://www.googletagmanager.com:* https://www.google-analytics.com:*; img-src 'self' https://fearby.com:* https://fearby-com.exactdn.com:* https://*.google-analytics.com https://*.google.com https://www.googletagmanager.com:* https://secure.gravatar.com:* https://www.google-analytics.com:*; font-src 'self' data: https://fearby.com:* https://fearby-com.exactdn.com:* https://fonts.googleapis.com:* https://fonts.gstatic.com:* https://cdn.joinhoney.com:* https://www.googletagmanager.com:* https://www.google-analytics.com:*; connect-src 'self' https://fearby.com:* https://fearby-com.exactdn.com:* https://*.google-analytics.com https://*.google.com https://www.googletagmanager.com:* https://www.google-analytics.com:*; media-src 'self' https://fearby.com:* https://fearby-com.exactdn.com:* https://*.google-analytics.com https://*.google.com https://www.googletagmanager.com:* https://secure.gravatar.com:* https://www.google-analytics.com:*; child-src 'self' https://player.vimeo.com https://fearby-com.exactdn.com:* https://www.youtube.com https://www.googletagmanager.com:* https://www.google-analytics.com:*; form-action 'self' https://fearby.com:* https://fearby-com.exactdn.com:* https://fearby-com.exactdn.com:* https://www.googletagmanager.com:* https://www.google-analytics.com:*; " always;

I then imported the CSP into https://report-uri.com/home/generate and enabled more recent CSP values.

add_header Content-Security-Policy "default-src 'self' ; script-src * 'self' data: 'unsafe-inline' 'unsafe-eval' https://fearby.com:* https://fearby-com.exactdn.com:* https://*.google-analytics.com https://*.google.com https://www.googletagmanager.com:* https://www.google-analytics.com:* https://pagead2.googlesyndication.com:* https://www.youtube.com:* https://adservice.google.com.au:* https://s.ytimg.com:* about; style-src 'self' data: 'unsafe-inline' https://fearby.com:* https://fearby-com.exactdn.com:* https://fonts.googleapis.com:* https://www.googletagmanager.com:* https://www.google-analytics.com:*; img-src 'self' data: https://fearby.com:* https://fearby-com.exactdn.com:* https://*.google-analytics.com https://*.google.com https://www.googletagmanager.com:* https://secure.gravatar.com:* https://www.google-analytics.com:* https://a.impactradius-go.com:* https://www.paypalobjects.com:* https://namecheap.pxf.io:* https://www.paypalobjects.com:* https://stats.g.doubleclick.net:* https://*.doubleclick.net:* https://stats.g.doubleclick.net:* https://www.ojrq.net:* https://ak1s.abmr.net:* https://*.abmr.net:*; font-src 'self' data: https://fearby.com:* https://fearby-com.exactdn.com:* https://fonts.googleapis.com:* https://fonts.gstatic.com:* https://cdn.joinhoney.com:* https://www.googletagmanager.com:* https://www.google-analytics.com:* https://googleads.g.doubleclick.net:*; connect-src 'self' https://fearby.com:* https://fearby-com.exactdn.com:* https://*.google-analytics.com https://*.google.com https://www.googletagmanager.com:* https://www.google-analytics.com:*; media-src 'self' https://fearby.com:* https://fearby-com.exactdn.com:* https://*.google-analytics.com https://*.google.com https://www.googletagmanager.com:* https://secure.gravatar.com:* https://www.google-analytics.com:*; object-src 'self' ; child-src 'self' https://player.vimeo.com https://fearby-com.exactdn.com:* https://www.youtube.com https://www.googletagmanager.com:* https://www.google-analytics.com:*; frame-src 'self' https://www.youtube.com:* https://googleads.g.doubleclick.net:* https://*doubleclick.net; worker-src 'self' ; frame-ancestors 'self' ; form-action 'self' https://fearby.com:* https://fearby-com.exactdn.com:* https://fearby-com.exactdn.com:* https://www.googletagmanager.com:* https://www.google-analytics.com:* https://www.google-analytics.com:*; upgrade-insecure-requests; block-all-mixed-content; disown-opener; reflected-xss block; base-uri https://fearby.com:*; manifest-src 'self' 'self' 'self'; referrer no-referrer-when-downgrade; report-uri https://fearby.report-uri.com/r/d/csp/enforce;" always;

I restarted Nginx

nginx -t
nginx -s reload
/etc/init.d/nginx restart

I loaded the Google Developer Console to see any CSP errors when loading my site.

CPS Errors

I enabled reporting of CSP errors to https://fearby.report-uri.com/r/d/csp/enforce

Fyi: Content Security Policy OWASP Cheat Sheet.

You can validate CSP with https://cspvalidator.org

Now I won’t have to check my Chrome Developer Console and visitors to my site will report errors. I can see my site’s visitors CSP errors at https://report-uri.com/

report-cri.com Report

Content Security Policy Results

I reviewed the reported errors and made some more CSP changes. I will continue to lock down my CSP and make more changes before making this CSP policy live.

I verified my header with https://securityheaders.com/

Security Headers report from https://securityheaders.com/?q=https%3A%2F%2Ffearby.com&followRedirects=on

Testing Policies

TIP: Use the header name of “Content-Security-Policy-Report-Only” instead of “Content-Security-Policy” to report errors before making CSP changes live.

I did not want to go live too soon, I had issues with some WordPress plugins not working in the WordPress admins screens.

Reviewing Errors

Do check your reported errors and update your CSP often, I had a post with a load of Twitter-related errors.

Do check report-uri errors.

I hope this guide helps someone.

Please consider using my referral code and get $25 UpCloud VM credit if you need to create a server online.

https://www.upcloud.com/register/?promo=D84793

Ask a question or recommend an article

[contact-form-7 id=”30″ title=”Ask a Question”]

Revision History

V1.3 https://cspvalidator.org

v1.2 OWASP Cheat Sheet.

v1.1 added info on WordPress errors.

v1.0 Initial Post

Filed Under: Audit, Cloud, Content Security Policy, Development, Feature-Policy, HTTPS, NGINX, Referrer-Policy, Security, Ubuntu Tagged With: Content Security Policy, CSP, Feature-Policy, nginx, Referrer-Policy, security

Using OWASP ZAP GUI to scan your Applications for security issues

March 17, 2018 by Simon

OWASP is a non-profit that lists the Top Ten Most Critical Web Application Security Risks, they also have a GUI Java tool called OWASP Zap that you can use to check your apps for security issue.

I have a number of guides on moving hosting away form CPanel , Setting up VM’s on AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line. It is important that you always update your site and software and test your sites and software for vulnerabilities. Zap is free and completely open source.

Disclaimer, I am not an expert (this Zap post and my past Kali Linux guide will be updated as I learn more).

OWASP Top 10

OWASP has a top 10 list of things to review.

OWASP Top 10

Download the OWASP 10 10 Application security risks PDF here form here.

Using the free OWASP Zap Tool

Snip from https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

“The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It’s also a great tool for experienced pentesters to use for manual security testing.”

Zap Overview

Here is a quick demo of Zap in action.

Do check out the official Zap videos on youtube: https://www.youtube.com/user/OWASPGLOBAL/videos if you want to learn more.

Installing Zap

Download Zap from here.

Download Zap

Download Options

Download

Download contents

Run Install

Copy to the app to the OSX Application folder

Installing

App Installed

App Insatalled

Open OSX’s Privacy and Security screen and click Open Anyway

Open Anwway

OWASP Zap is now Installed

Insallled

Ready for a Scan

Blind Scan

But before we do let’s check out the Options

Options

OWASP Zap allows you to label reports to ad from anyone you want.

Report Label Options

Now let’s update the program and plugins, Click Manage Add-ons

Manage Adons

Click Update All to Update addons

Updates

I clicked Update All

Plugins

Installed some plugins

Marketplace

Zap is Ready

Zap

Add a site and right click on the site and you can perform an active scan or port scan.

Right click Zap

First Scan (https failed)

https failed

I enabled unsafe SSL/TLS Renegotiation.

Allow Unsafe HTTPS

This did not work and this guide said I needed to install the “Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files” from here.

Cryptography Files OSX

The extract files to /Library/Java/JavaVirtualMachines/%your_jdk%/Contents/Home/jre/lib/security

Extract

I restarted OWASP Zap and tried to scan my site buy it appears Cloudflare (that I recently set up) was blocking my scans and reported error 403. I decided to scan another site of mine that was not on Cloudflare but had the same Lets Encrypt style SSL cert.

fyi: I own and set up the site I queried below.

Zap Results

OWASP Zap scan performed over 800 requests and tried traversal exploits and many other checks. Do repair any major failures you find.

Zan Scan

Generating a Report

To generate a report click Report then the appropriate generation menu of choice.

Generate Report

FYI: The High Priority Alert is a false positive with an HTML item being mistaken for a CC number.

I hope this guide helps someone. Happy software/server hardening and good luck.

More Reading

Check out my Kali Linux guide.

Ask a question or recommend an article

[contact-form-7 id=”30″ title=”Ask a Question”]

Revision History

V1.3 fixed hasting typo.

v1.2 False Positive

v1.1 updated main features

v1.0 Initial post

Filed Under: Cloud, Cloudflare, Code, DNS, Exploit, Firewall, LetsEncrypt, MySQL, owasp, Secure, Security, ssl, Ubuntu Tagged With: Applications, for, gui, issues, OWASP, scan, security, to, Using, your, ZAP

Ubuntu 16.04: Spectre, Meltdown Security Vulnerabilities (and how to patch).

January 10, 2018 by Simon

Below is a post about the Spectre and Meltdown Security vulnerabilities and mostly how it relates to Ubuntu.

Spectre and Meltdown Background

Google Project Zero found a server-side hardware bug (undocumented feature) that allows reading of privileged memory by leveraging a CPU (and possibly any GPU and SOC) feature to execute code ahead of time in “if” code branches before the result of the “if” case is known. This execute code ahead of demand feature was added to speed up processors to assists the FETCH, DECODE, EXECUTE and WRITE-BACK stages in the execution pipeline preparation.

Processors hate reading from main memory (it is too slow) so if data can be PREFETCHED or CACHED before being executed in the CPU allowing the CPU can do more work. This bug/flaw is not really a bug/flaw IMHO but an insecure efficiency feature.

Read more on the Spectre and Meltdown bug here at Wired.

CPU History

Aside: Check out the Red Hill Hardware guide and the evolution (documentation) of early CPU’s.

  • Intel 4004
  • Intel 286
  • Intel 386
  • Intel 486
  • Pentium and 686
  • AMD Athlon
  • Further Reading

You can read more about the Pentium 4’s cache, rapid execution engine and instruction set additions to learn more about the evolution of CPU efficiency here.

Making processors faster (adding more MHZ) may be futile if the cache is too small or slow, and simply adding more cache can increase costs. Branch prediction was a way to increase performance (by using idle clock cycles or saving clock cycles) without adding extra cache or silicone (extra cost). I suspect in the future branch prediction and read ahead features may be locked down or processor manufacturers may swing back to adding more MHZ/Cores/Cache.

Anandtech https://www.anandtech.com have a great article on branch prediction (I can’t find the article now but will add it when I find it later) but this guide gives the gist.

CPU 101

A CPU is much like a checkout area at a grocery store, and a multi-core CPU is like a grocery store with multiple checkouts.

  • Things (processing and reading to/from memory) happen sequentially (per core).
  • Only one item can be scanned (processed) at a time (per core).
  • Customers trolleys and items are like program threads and items to scan (to be calculated in the CPU).
  • Customers trolleys (programs with things to calculate) line up and wait for the CPU (attendant) to scan (execute) items. PRE-FETCH and other CPU tasks help organize data related to instructions.
  • One checkout line (core) cannot read or affect items at another checkout (thread safety).

When a price check is called on an item (causing huge delays while the price is being checked by a runner (reading from main memory)) the checkout attendant (CPU core) processes the next items at the checkout (items in the processor execution pipeline). Branch predicting will read ahead in idle times to prevent idle delays or cache-misses to prevent slowdown. Processors usually make sure things are in the processors L3, L2 or L1 memory before they are executed but some commands with pre-requisite data cannot be pre-cached.

CPU instruction information

Here is a list of x86 instructions

Troy Hunt in Weekly Update 68 https://www.troyhunt.com/weekly-update-68/ mentioned a twitter thread by Graham Sutherland (@gsuberland) https://twitter.com/gsuberland/status/948907452786933762 that summaries speculative execution more succinctly. Meltdown and Spectre bugs are due to the speculative execution in the processor.

Official Information on Spectre and Meltdown

Spectre (Security Vulnerability Wikipedia Article)

Meltdown (Security Vulnerability Wikipedia Article)

Proof of concepts exploits in the wide

Proof of concept and exploits are no doubt in the wild (as reported by Michael Schwarz – @misc0110)

Ubuntu Impact

I have a number of Ubuntu servers and I have updated them to fix Spectre and Meltdown issues.

UpCloud is my favourite cloud provider.

  • Setting up a Vultr VM (Ubuntu) and configuring it
  • How to buy a new domain and SSL cert from NameCheap, (Ubuntu) Server from Digital Ocean and configure it
  • Creating and configuring a CentOS server on Digital Ocean
  • Creating an AWS EC2 Ubuntu 14.04 server with NGINX, Node and MySQL and phpMyAdmin

Ubuntu said here that is has been notified by Intel of this issue since November 09 2017.

Ubuntu Timeline (16.04 related snip from here)

  • 2017 Nov 09: the Ubuntu Security team is notified by Intel under NDA.
  • 2017 Nov 20: the CRD is established as 2018-01-09.
  • 2017 Dec: the Ubuntu Security team receives notifications from additional silicon vendors about the impact to their products.
  • 2018 Jan 03: issue becomes public a few days before the CRD.
  • 2018 Jan 04: Canonical publicly communicates the planned update schedule.
  • 2018 Jan 04: Mozilla releases timing attack mitigations.
  • 2018 Jan 05: Ubuntu Firefox updates are made available in USN 3516-1.
  • 2018 Jan 07: Candidate kernels are beginning to be made available for testing at ppa:canonical-kernel-team/pti. This initial round will address CVE-2017-5754 (aka Meltdown or Variant 3) for x86_64. We will address CVE-2017-5715 and CVE-2017-5753 (aka Spectre or Variant 1 & 2) in a subsequent round. We will also address additional architectures in subsequent rounds. Kernels currently available are as follows. We will continue to update this table as more become available:
  • Package: linux, Version: 4.4.0-108.131, Series: Xenial 16.04
  • -2018 Jan 09: NVIDIA driver updates published, see USN-3521-1.
  • Cloud image updates.
  • Core image updates.

At this time it looks like this has been fixed on Ubuntu 16.04 LTS (Xenial Xerus) with released (57.0.4+build1-0ubuntu0.16.04.1). Consider updating your Ubuntu servers.

You can follow the Ubuntu CVE listing here to be ahead of future security issues.
https://people.canonical.com/~ubuntu-security/cve/main.html

Spectre and Meltdown related Ubuntu CVE’s

Spectre – CVE-2017-5715

Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

Link: https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5715.html

Spectre – CVE-2017-5753

Description: Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

Ubuntu-Description: Jann Horn discovered that microprocessors utilizing speculative execution and branch prediction may allow unauthorized memory reads via side-channel attacks. This flaw is known as Spectre. A local attacker could use this to expose sensitive information, including kernel memory.

Link: https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5753.html

Meltdown – CVE-2017-5754

Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

Ubuntu-Description: Jann Horn discovered that microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized memory reads via side-channel attacks. This flaw is known as Meltdown. A local attacker could use this to expose sensitive information, including kernel memory.

Link: https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5754.html

Links

Ubuntu Security News https://usn.ubuntu.com/usn/

Subscribe to the Ubuntu Security Announcement Distribution List https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

Ubuntu CVE Tracker (Main) http://people.canonical.com/~ubuntu-security/cve/main.html

Links from CVE articles

https://spectreattack.com/
https://meltdownattack.com/
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
http://www.amd.com/en/corporate/speculative-execution
https://developer.arm.com/support/security-update
https://www.qemu.org/2018/01/04/spectre/
https://usn.ubuntu.com/usn/usn-3516-1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
http://nvidia.custhelp.com/app/answers/detail/a_id/4611
https://usn.ubuntu.com/usn/usn-3521-1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754
https://github.com/IAIK/KAISER
https://gruss.cc/files/kaiser.pdf
https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html

FYI: Ubuntu 17.04 will not be getting the Spectre and Meltdown fixes, this is a good reason why not to use a non-LTS (long time support) release of Ubuntu (abandoned after 9 months):
https://lists.ubuntu.com/archives/ubuntu-announce/2018-January/000227.html

How to update Ubuntu

As always backup your server and configuration first (consider taking a snapshot). I run the following command to update my system and reboot.

Warning: Some packages may overwrite in-production configuration files (or break production servers) so take your time updating, use test servers (green and blue or dev, test and prod) and only upgrade production when you are ready.

sudo apt update && sudo apt upgrade && shutdown -r now

fyi: AWS related Speculative Execution post: https://aws.amazon.com/security/security-bulletins/AWS-2018-013/

Impact on Future Program Build Times

Twitter user Peter Czanik (@PCzanik https://twitter.com/PCzanik) reports that compile times that fix speculative execution have increased his build times from 4 minutes to 21 minutes.

Windows Impacts

Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems

https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/

OSX Impacts
Report: Intel CPUs suffer from major security flaw, fix could bring notable performance hit to macOS

Web Browser and JavaScript Impacts

General

Here’s what every Chrome user should do in the wake of #Spectre

http://mashable.com/2018/01/04/google-chrome-spectre-precaution-meltdown/

Microsoft reveals how Spectre updates can slow your PC down

https://www.theverge.com/2018/1/9/16868290/microsoft-meltdown-spectre-firmware-updates-pc-slowdown

Microsoft halts AMD Meltdown and Spectre patches after reports of unbootable PCs

Review: https://twitter.com/search?q=spectre%20meltdown

Viewing the Change log of updatable packages

View the changelog of updatable packages for a certain Cve.

sudo apt-get update

sudo apt-get changelog ntp | grep CVE-2017-5715

The output will show matches of updatable packages that match.

Ubuntu Cloud Tips

Read my guide on Useful Linux Terminal Commands https://fearby.com/article/useful-linux-terminal-commands/

Read my guide on how to setting up a Vultr VM (Ubuntu) and configuring it https://fearby.com/article/setting-vultr-vm-configuring/

Good luck.

Scott Manley’s breakdown of Spectre and Meltdown

More Reading

Anandtech – Understanding Meltdown & Spectre: What To Know About New Exploits That Affect Virtually All CPUs.

More Fearby.com Reading

  • Run and Ubuntu Security scan with Lynis
  • WordFence security plugin for WordPress
  • Speeding up WordPress with the ewww.io ExactDN CDN and Image Compression Plugin
  • Setting up additional server storage on cloud servers (block storage on Vultr)

Donate and make this blog better

Ask a question or recommend an article

[contact-form-7 id=”30″ title=”Ask a Question”]

Revision History

v1.4 Scott Manleys link

v1.3 Added Anandtech article.

v1.2 Wired link.

v1.1 view the changelog of updatable packages.

v1.0 Initial Copy.

Hope this helps someone.

Filed Under: SpectreMeltdown Tagged With: 16.04, Branch, cpu, CVE, Execulative Execution, How, Meltdown, patch, security, Spectre, to, ubuntu, Vulnerabilities

Security checklist for securing a self-managed Ubuntu server in the cloud

November 2, 2017 by Simon

Below is a (perpetually updated) security checklist for securing a self-managed Ubuntu server. Recently WordPress released patch v4.8.3  that fixed some SQL injection issues.  Is your OS, Database, Web Server, OS and software up to date?

Although I have recently blogged about securing Ubuntu in the cloud, and running a server Audit with Lynus,  this new post is really about obtaining a mindset change and allocating time (each week) to ensure your self-managed servers and software is kept up to date. You can easily list down the actions you need to follow but keeping a system up to date is hard work. Sites like www.shodan.io will reveal what servers or services are vulnerable, let software updates lapse long enough and an open exploit may open a hole to your system.  It only takes minutes to set up a $2.5  a month Ubuntu server with Vultr, $5 a month Digital Ocean Server or AWS server but you need to maintain it.

I highly recommend that you watch the following video that highlights the need for even minor vulnerabilities to be patched asap. If you leave one minor vulnerability open you will give hackers a foothold into your system.

Follow @jawache on twitter.

Troy Hunt has a great post about the simplicity of hacking. Hacking is child’s play.

General Security Checklist

  • Do Setup a Firewall and only allow needed ports to accept data (use tools like Portscan and Shodan.io to find open ports).
  • Use least access permissions (on NGINX, PHP and MySQL processes).
  • Use strong unique passwords for every service (1Password and sites like Gibson Research Corp have password generators, use www.howsecureismypassword.net to check tour passwords strength)
  • Enable logging.

Find log files on your system:

cd /
find -iname "*.log"

Output (handy logs to review):

./var/log/mongodb/mongod.log
./var/log/fail2ban.log
./var/log/mysql/error.log
./var/log/ufw.log
./var/log/lynis.log
./var/log/dpkg.log
./var/log/nginx/error.log
./var/log/nginx/nginxcriterror.log
./var/log/nginx/access.log
./var/log/audit/audit.log
./var/log/php7.0-fpm.log
./var/log/mail.log
./backup/backup.log
./scripts/boot.log
etc
  • Enable brute force detection and banning (fail2ban etc) Read more here.
  • Secure folders with service accounts.
  • Do secure software (e.g WordPress Wordfence)
  • Do use SSL Certificates (and use modern cyphers and test with https://www.ssllabs.com/ssltest/)
  • Monitor SSL vulnerabilities.
  • Do a Lynis security report.
  • Install a Virus scanner (read here).
  • Secure MySQL/Databases.

First, find the version of MySQL

mysql --version
mysql  Ver 14.14 Distrib 5.7.19, for Linux (x86_64)

Read the official MySQL manual here and security guidelines here.

Read this Digital Ocean guide on securing MySQL.

  • Other: _______

Application (coding) checklist

Retain and protect information.

  • Disable errors (PHP: turn off or here)
  • Enable logging (web server, PHP and or node)
  • Sanitize data (never trust uses data) in code (see how to do this in PHP 7)
  • Do no develop on production boxes (use parameterised queries and follow OWASP application security procedures.
  • Read the OWASP Secure Coding Practices – Quick Reference Guide

Infrastructure

Plan for the worst, hope for the best.

  • Use the latest Long Term Support (LTS) version or Ubuntu
  • Update packages

View app packages (Ubuntu 16.04) with updates

sudo /usr/lib/update-notifier/apt-check -p

View app packages (Ubuntu 16.04) with updates

apt list --upgradable

To update packages type (remember to backup data and config files first)

sudo apt-get update && sudo apt-get upgrade

Among other things, you will see the following information

The following packages will be upgraded:
  binutils certbot cracklib-runtime curl distro-info-data grub-common grub-pc grub-pc-bin grub2-common initramfs-tools initramfs-tools-bin initramfs-tools-core libapache2-mod-php7.0
  libcrack2 libcurl3 libcurl3-gnutls libgnutls-openssl27 libgnutls30 libicu55 libpam-systemd libsystemd0 libudev1 linux-firmware linux-libc-dev lshw mdadm mysql-client-5.7
  mysql-client-core-5.7 mysql-common mysql-server mysql-server-5.7 mysql-server-core-5.7 nodejs php7.0 php7.0-cli php7.0-common php7.0-curl php7.0-dev php7.0-fpm php7.0-gd php7.0-imap
  php7.0-intl php7.0-json php7.0-ldap php7.0-mbstring php7.0-mysql php7.0-opcache php7.0-pgsql php7.0-phpdbg php7.0-pspell php7.0-readline php7.0-recode php7.0-snmp php7.0-tidy
  php7.0-xml php7.0-zip python-acme python-certbot python-certbot-nginx python-cffi-backend python-chardet python-idna python-six python3-chardet python3-distupgrade python3-six
  python3-update-manager systemd systemd-sysv ubuntu-release-upgrader-core udev update-manager-core wget

Show available updates

/usr/lib/update-notifier/apt-check --human-readable
0 packages can be updated.
0 updates are security updates.
  • Only work on code checked into GitHub or BitBucket (You will thank me when data or servers disappear).
  • Backup configuration files or backup to remote servers (my rsync guide here)
  • Use snapshots of VM’s.
  • Use Green/Blue server deployments (toggle one server a Prod and the other and Dev/Test and have one ready for a hot spare). Digital Ocean has a good guide here.
  • Consider forcing Content Security Polic and Public Key Pinning or at least using LetsEncrypt SSL certificates.
  • Take Snapshots of VM’s (automate)
  • Backup MySQL databases:
sudo mysqldump --all-databases > /backup/dump-$( date '+%Y-%m-%d_%H-%M-%S' ).sql -u root -p

Other Useful Linus Terminal Commands.

Mindset/Culture

Dedicate time to securing your site.

  1. Spend one day a week (or automate) the updating of the OS/Software (no excuses).
  2. Follow people on twitter and subscribe to newsletters of those that are security conscious

Don’t forget to read securing Ubuntu in the cloud blog post here.

And check out the extensive Hardening a Linux Server guide at thecloud.org.uk: https://thecloud.org.uk/wiki/index.php?title=Hardening_a_Linux_Server

More to come..

Donate and make this blog better


Ask a question or recommend an article
[contact-form-7 id=”30″ title=”Ask a Question”]

v1.2 added link to Hardening Linux Server link

v1.1 added @jawache link

Short (Article):

Filed Under: OS, Secure, Security, VM Tagged With: a, checklist, cloud, for, in, securing, security, self managed, server, the, ubuntu

Flaw in WPA2 protocol (KRACK) is a reminder of the limited life of all technology.

October 17, 2017 by Simon

The recent KRACK flaw in the WPA2 protocol is a reminder of the limited life of all technology. All technology has a finite lifespan (intended or not) and you should not bet on a piece of technology being around long.

Wireless Broken (Again)

WEP wireless security was launched in 1997 and lasted until 2004, WPA and WPA2 replaced WEP but the recent flaw in WPA2 (originated from WEP) will forge an update to WPA2 or launch a WPA3. WPA2 was just a certified WPA.

WPA wireless encryption uses TKIP and AES encryption subsets, TKIP is similar to WEP and should not be used. AES subset is a more rigorous encryption subset available in WPA2 (and is used by the US Government. AES’s main weakness is a brute force attack to find the wireless password so ALL of your passwords must be unique and strong. Do not use common or shared passwords and make sure passwords are as strong as allowed.  I personally use the 1Password Password Manager to generate strong passwords and if you are feeling nerdy you can use the GRC Password Generator. https://howsecureismypassword.net/ is a good site that allows you to see how secure a password is (how long a brute force attack would take to obtain your password by brute force).

What can you do to fix wifi

  1. If you are using TKIP in WPA use AES instead.
  2. Check your WiFi routers manufacturer and ask for a new firmware that will fix the KRACK attack.

@TPLINK @TPLINKHelp When will new firmware be available for the TD-W8961N fo fix krackattacks.com ?

It is up to you to know the rick for each technology you use and when you stop using it.

Support Windows

Most operating systems and web browsers have support windows but security protocols, encryption and cyphers do not? why?

Not just Wifi is Broken

As a developer always assume things are insecure and always prepare for the worst, you should ensure brute force attacks are blocked by setting up a firewall on your serves, run a security audit and install software level plugins to ban IP’s when brute force attacks happen.  Don’t forget to set up an SSL certificate (read my Lets Encrypt guide here) and if you want extra security read here on SSL certificate Public Key Pinning.

You can deploy a server in the cloud for as low as $2.5 a month (guide here) on Vultr or set up a server on Digital Ocean (first 2 months are free) read my setup guide here.

Depreciation of libraries and code

Software developers are all too familiar with the depreciation of libraries and code, recently I had to switch from mysql_connect routines that was deprecated in PHP 5.5, luckily a mysqli_connect was available so not a real problem.

Having to switch technology to a faster and or more secure version is a win-win IMHO.

Backup

Whats your backup plan? Don’t forget you can easily backup with RSync. There is no excuse for backing up your data.

Git

You should also use source code repositories like GitHub or BitBucket to manage code versions and restore environments when things go bad.

Social Media

Security-related twitter followers, I personally follow to keep up to date with security news.
 
GFDI Foundation:
https://twitter.com/GDI_FDN
 
0xDUDE
https://twitter.com/0xDUDE
 
Security Now Podcaster:
https://twitter.com/SGgrc
 
Australian Security Researcher Troy Hunt:
https://twitter.com/troyhunt

Hashtags are also a great way to stay up to date on exploits (#KRACK, #vuln, #CVE etc).

Handy links

Read more on hackers Tactics, Techniques & Common Knowledge.

Read the OWASP guide to pick up software security best practices.

Stay safe: Research, Secure and Backup.

More Soon.

Donate and make this blog better




Ask a question or recommend an article

[contact-form-7 id=”30″ title=”Ask a Question”]

Revision History

v1.1 Added support windows..

etc

Filed Under: Security Tagged With: CRACK, CVE, security, WAp, wireless, WPA, WPA2

Wordfence Security Plugin for WordPress

October 10, 2017 by Simon

WordFence is a great security plugin for WordPress that allows you to secure your WordPress installation and prevent brute force attacks, rate-limit visitors (or Bots), block banned IP’s that are accessing your site and more.

Fyi

20th Dec 2017: Wordfence report Backdoor in Captcha Plugin Affects 300K WordPress Sites

Backup

Before I started I performed a quick mysql backup from the command line to ensure my WordPress is backed up. Read my guide on installing WordPress from the command line (here) and securin Ubuntu (here).

/usr/bin/mysqldump --all-databases > /mysql-database-dump-prewordfence.sql -u 'user' -p'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'

Don’t forget to backup your WordPress files.

sudo cp -R /www-root/* /backup/www-backup/

Download and extract WordFence

I downloaded and installed the Wordfence plugin via command line. I visited https://wordpress.org/plugins/wordfence/ and got the plugin URL for the latest version (e.g https://downloads.wordpress.org/plugin/wordfence.6.3.19.zip).

I downloaded the plugin zip file from the command line to my WordPress plugins folder. Read my guide (here) on managing WordPress from the command line.

cd /www-root/wp-content/plugins/
sudo wget https://downloads.wordpress.org/plugin/wordfence.6.3.19.zip
sudo unzip /www-root/wp-content/plugins/wordfence.6.3.19.zip
rm -R /www-root/wp-content/plugins/*.zip

Now the Wordfence plugin can be activated in WordPress.

Activate Wordfence

Enter your email to receive Wordfence alerts.

WordFence EmmiL Alerts

Your Wordfence Dashboard will show local and global issues and statistics.

WordFence Dashboard

I set these default Wordfence options.

ON

More Wordfence Options

More Options

Set Permissions (for Firewall)

You may need to create a log folder (e.g /www/wp-content/wflogs/)  and set permissions to allow Wordfence to work.

cd /www-root/wp-content/
mkdir wflogs
sudo chmod -R 777 /www-root/wp-content/wflogs/

Now I can enable the Wordfence firewall via the WordFence plugin at /wp-admin/admin.php?page=WordfenceWAF

Wordfence Firewall

Don’t forget to configure the Wordfence firewall.

WordFence Firewall

Firewall Install Options

I do not have FTP setup so I’ll do a manual install based on these instructions.

WordPress Install Options

I manually added this to my ~/nxinx/sites-available/default config.

I added this to my nginx config.

location ~ ^/\.user\.ini {
    deny all;
}

This did not work as specified in the official Wordfence docs (https://docs.wordfence.com/en/Web_Application_Firewall_FAQ#NGINX) so I added the following.

location ~ (\.ini) {
    return 403;
}

Accessing a test /test.user.ini file in a web browser returns a 403  (always test access)

403 Forbidden

nginx

I added this to my active php.ini configuration file.

auto_prepend_file = '/www-root/wordfence-waf.php'

I restart PHP.

sudo systemctl restart php7.0-fpm

I added my IP to the Wordfence whitelist textbox to ensure I am not blocked: /wp-admin/admin.php?page=WordfenceSecOpt 

Tip: Grab your IPV4 address from https://ipv4.icanhazip.com/

Recent Wordfence Scan Summary (1st Scan)

Wordfence Dashboard allows you to see local and global stats.

Recent Scan

Wordfence (In Progress) Scan summary.

Scan Summary

My Issues

Wordfence alerted me that I needed to update WordPress and some plugins  (see my guide on installing and managing your WordPress via the Command Line here).

I updated my WordPress core files (via the command line).

sudo wp core update
> Success: WordPress is up to date.

I updated my  WordPress plugins (via the command line).

sudo wp plugin update --all

Output:

>Enabling Maintenance mode...
>Downloading update from https://downloads.wordpress.org/plugin/>add-to-any.1.7.19.zip...
>Unpacking the update...
>Installing the latest version...
>Removing the old version of the plugin...
>Plugin updated successfully.
>Downloading update from https://downloads.wordpress.org/plugin/>display-posts-shortcode.2.9.0.zip...
>Unpacking the update...
>Installing the latest version...
>Removing the old version of the plugin...
>Plugin updated successfully.
>Downloading update from https://downloads.wordpress.org/plugin/>wordpress-seo.5.5.1.zip...
>Unpacking the update...
>Installing the latest version...
>Removing the old version of the plugin...
>Plugin updated successfully.
>Disabling Maintenance mode...
>+-------------------------+-------------+-------------+---------+
>| name                    | old_version | new_version | status  |
>+-------------------------+-------------+-------------+---------+
>| add-to-any              | 1.7.17      | 1.7.19      | Updated |
>| display-posts-shortcode | 2.8.0       | 2.9.0       | Updated |
>| wordpress-seo           | 5.4.2       | 5.5.1       | Updated |
>+-------------------------+-------------+-------------+---------+
>Success: Updated 3 of 3 plugins.

I manually updated my WordPress theme (from my.studiopress.com website) and uploaded via SSH

 scp ~/Downloads/genesis.2.5.3.zip [email protected]:/www-root/wp-content/themes/genesis.2.5.3.zip

I could then SSH into my server and extract the theme.

cd /www-root/wp-content/themes/
unzip genesis.2.5.3.zip
rm -R genesis.2.5.3.zip

Wordfence Dashboard

Wordfence allows you to see worldwide Blocked IP’s by the Wordfence network.

IPs

You can also see local successful or failed login attempts. The Ukraine IP 91.200.12.49 tried to log in to my WordPress installation but was banned globally as it was seen unsuccessfully logging into 900 other global servers, good work Wordfence.

Failed Logins

Attacks blocked locally.

Stats

View global WordPress attacks by countries

Global Attack Stats

Wordfence Features I like

  • Finding abandoned plugins
  • See Globally banned IP’s
  • See local failed login attempts
  • Brute force protection.
  • Stats on local blocked events.
  • Identification of old files.
  • Simple reports.

Wordfence Features I don’t like

  • Your mouse must be active in the window for scans to complete/seen.
  • Setup firewall almost requires FTP.

Wordfence: 7.02 updated (listed here)

Revised Dashboard looks nice

Wordfence 702

More to come, I will update this guide over time.

Donate and make this blog better




Ask a question or recommend an article
[contact-form-7 id=”30″ title=”Ask a Question”]Revision Historyv1.2 added info on Wordfence 7.0.2

v1.1 added info on Captcha plugin backdoor detected by Wordfence

v1.0 Initial Post

etc

Filed Under: Cloud, DB, Firewall, Malware, MySQL, Security, VM, Vultr, Wordpress Tagged With: plugin, security, Wordfence, wordpress

Run an Ubuntu VM system audit with Lynis

September 11, 2017 by Simon

Following on from my Securing Ubuntu in the cloud blog post I have installed Lynis open source security audit tool to check out to the security of my server in the cloud.

Lynis is an open source security auditing tool. Used by system administrators, security professionals, and auditors, to evaluate the security defences of their Linux and Unix-based systems. It runs on the host itself, so it performs more extensive security scans than vulnerability scanners. https://cisofy.com/lynis and https://github.com/CISOfy/lynis.

It is easy to setup a server in the cloud (create a server on Vultr or Digital Ocean here). Guides on setting up servers exist ( setup up a Vultr VM and configure it and digital ocean server) but how about securing it? You can install a LetsEncrypt SSL certificate in minutes or setup Content Security Policy and Public Key Pinning but don’t forget to get an external in-depth review of the security of your server(s).

Lynis Security Auditing Tool

Preparing install location (for Lynis)

cd /
mkdir utils
cd utils/

Install Lynis

sudo git clone https://www.github.com/CISOfy/lynis
Cloning into 'lynis'...
remote: Counting objects: 8357, done.
remote: Compressing objects: 100% (45/45), done.
remote: Total 8357 (delta 28), reused 42 (delta 17), pack-reused 8295
Receiving objects: 100% (8357/8357), 3.94 MiB | 967.00 KiB/s, done.
Resolving deltas: 100% (6121/6121), done.
Checking connectivity... done.

Running a Lynus system scan

./lynis audit system -Q

Lynis Results 1/3 Output (removed sensitive output)

[ Lynis 2.5.5 ]

################################################################################
  Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
  welcome to redistribute it under the terms of the GNU General Public License.
  See the LICENSE file for details about using this software.

  2007-2017, CISOfy - https://cisofy.com/lynis/
  Enterprise support available (compliance, plugins, interface and tools)
################################################################################


[+] Initializing program
------------------------------------
- Detecting OS...  [ DONE ]
- Checking profiles... [ DONE ]

  ---------------------------------------------------
  Program version:           2.5.5
  Operating system:          Linux
  Operating system name:     Ubuntu Linux
  Operating system version:  16.04
  Kernel version:            4.4.0
  Hardware platform:         x86_64
  Hostname:                  yourservername
  ---------------------------------------------------
  Profiles:                  /linis/lynis/default.prf
  Log file:                  /var/log/lynis.log
  Report file:               /var/log/lynis-report.dat
  Report version:            1.0
  Plugin directory:          ./plugins
  ---------------------------------------------------
  Auditor:                   [Not Specified]
  Test category:             all
  Test group:                all
  ---------------------------------------------------
- Program update status...  [ NO UPDATE ]

[+] System Tools
------------------------------------
- Scanning available tools...
- Checking system binaries...

[+] Plugins (phase 1)
------------------------------------
: plugins have more extensive tests and may take several minutes to complete - Plugin pam
    [..]
- Plugin systemd
    [................]

[+] Boot and services
------------------------------------
- Service Manager [ systemd ]
- Checking UEFI boot [ DISABLED ]
- Checking presence GRUB [ OK ]
- Checking presence GRUB2 [ FOUND ]
- Checking for password protection [ OK ]
- Check running services (systemctl) [ DONE ]
: found 24 running services
- Check enabled services at boot (systemctl) [ DONE ]
: found 30 enabled services
- Check startup files (permissions) [ OK ]

[+] Kernel
------------------------------------
- Checking default run level [ RUNLEVEL 5 ]
- Checking CPU support (NX/PAE)
 support: PAE and/or NoeXecute supported [ FOUND ]
- Checking kernel version and release [ DONE ]
- Checking kernel type [ DONE ]
- Checking loaded kernel modules [ DONE ]
active modules
- Checking Linux kernel configuration file [ FOUND ]
- Checking default I/O kernel scheduler [ FOUND ]
- Checking for available kernel update [ OK ]
- Checking core dumps configuration [ DISABLED ]
- Checking setuid core dumps configuration [ PROTECTED ]
- Check if reboot is needed [ NO ]

[+] Memory and Processes
------------------------------------
- Checking /proc/meminfo [ FOUND ]
- Searching for dead/zombie processes [ OK ]
- Searching for IO waiting processes [ OK ]

[+] Users, Groups and Authentication
------------------------------------
- Administrator accounts [ OK ]
- Unique UIDs [ OK ]
- Consistency of group files (grpck) [ OK ]
- Unique group IDs [ OK ]
- Unique group names [ OK ]
- Password file consistency [ OK ]
- Query system users (non daemons) [ DONE ]
- NIS+ authentication support [ NOT ENABLED ]
- NIS authentication support [ NOT ENABLED ]
- sudoers file [ FOUND ]
- Check sudoers file permissions [ OK ]
- PAM password strength tools [ OK ]
- PAM configuration files (pam.conf) [ FOUND ]
- PAM configuration files (pam.d) [ FOUND ]
- PAM modules [ FOUND ]
- LDAP module in PAM [ NOT FOUND ]
- Accounts without expire date [ OK ]
- Accounts without password [ OK ]
- Checking user password aging (minimum) [ DISABLED ]
- User password aging (maximum) [ DISABLED ]
- Checking expired passwords [ OK ]
- Checking Linux single user mode authentication [ OK ]
- Determining default umask
- umask (/etc/profile) [ NOT FOUND ]
- umask (/etc/login.defs) [ SUGGESTION ]
- umask (/etc/init.d/rc) [ SUGGESTION ]
- LDAP authentication support [ NOT ENABLED ]
- Logging failed login attempts [ ENABLED ]

[+] Shells
------------------------------------
- Checking shells from /etc/shells
: found 6 shells (valid shells: 6).
- Session timeout settings/tools [ NONE ]
- Checking default umask values
- Checking default umask in /etc/bash.bashrc [ NONE ]
- Checking default umask in /etc/profile [ NONE ]

[+] File systems
------------------------------------
- Checking mount points
- Checking /home mount point [ SUGGESTION ]
- Checking /tmp mount point [ SUGGESTION ]
- Checking /var mount point [ SUGGESTION ]
- Query swap partitions (fstab) [ NONE ]
- Testing swap partitions [ OK ]
- Testing /proc mount (hidepid) [ SUGGESTION ]
- Checking for old files in /tmp [ OK ]
- Checking /tmp sticky bit [ OK ]
- ACL support root file system [ ENABLED ]
- Mount options of / [ NON DEFAULT ]
- Checking Locate database [ FOUND ]
- Disable kernel support of some filesystems
- Discovered kernel modules: cramfs freevxfs hfs hfsplus jffs2 udf 

[+] Storage
------------------------------------
- Checking usb-storage driver (modprobe config) [ NOT DISABLED ]
- Checking USB devices authorization [ ENABLED ]
- Checking firewire ohci driver (modprobe config) [ DISABLED ]

[+] NFS
------------------------------------
- Check running NFS daemon [ NOT FOUND ]

[+] Name services
------------------------------------
- Searching DNS domain name [ UNKNOWN ]
- Checking /etc/hosts
- Checking /etc/hosts (duplicates) [ OK ]
- Checking /etc/hosts (hostname) [ OK ]
- Checking /etc/hosts (localhost) [ SUGGESTION ]
- Checking /etc/hosts (localhost to IP) [ OK ]

[+] Ports and packages
------------------------------------
- Searching package managers
- Searching dpkg package manager [ FOUND ]
- Querying package manager
- Query unpurged packages [ NONE ]
- Checking security repository in sources.list file [ OK ]
- Checking APT package database [ OK ]
- Checking vulnerable packages [ OK ]
- Checking upgradeable packages [ SKIPPED ]
- Checking package audit tool [ INSTALLED ]

[+] Networking
------------------------------------
- Checking IPv6 configuration [ ENABLED ]
 method [ AUTO ]
 only [ NO ]
- Checking configured nameservers
- Testing nameservers
: 108.xx.xx.xx [ OK ]
: 2001:xxx:xxx:xxx::6 [ OK ]
- Minimal of 2 responsive nameservers [ OK ]
- Checking default gateway [ DONE ]
- Getting listening ports (TCP/UDP) [ DONE ]
* Found 18 ports
- Checking promiscuous interfaces [ OK ]
- Checking waiting connections [ OK ]
- Checking status DHCP client [ NOT ACTIVE ]
- Checking for ARP monitoring software [ NOT FOUND ]

[+] Printers and Spools
------------------------------------
- Checking cups daemon [ NOT FOUND ]
- Checking lp daemon [ NOT RUNNING ]

[+] Software: e-mail and messaging
------------------------------------
- Sendmail status [ RUNNING ]

[+] Software: firewalls
------------------------------------
- Checking iptables kernel module [ FOUND ]
- Checking iptables policies of chains [ FOUND ]
- Checking for empty ruleset [ OK ]
- Checking for unused rules [ FOUND ]
- Checking host based firewall [ ACTIVE ]

[+] Software: webserver
------------------------------------
- Checking Apache (binary /usr/sbin/apache2) [ FOUND ]
: No virtual hosts found
* Loadable modules [ FOUND (106) ]
- Found 106 loadable modules 
- anti-DoS/brute force [ OK ]
- web application firewall [ OK ]
- Checking nginx [ FOUND ]
- Searching nginx configuration file [ FOUND ]
- Found nginx includes [ 2 FOUND ]
- Parsing configuration options
- /etc/nginx/nginx.conf
- /etc/nginx/sites-enabled/default
- SSL configured [ YES ]
- Ciphers configured [ YES ]
- Prefer server ciphers [ YES ]
- Protocols configured [ YES ]
- Insecure protocols found [ NO ]
- Checking log file configuration
- Missing log files (access_log) [ NO ]
- Disabled access logging [ NO ]
- Missing log files (error_log) [ NO ]
- Debugging mode on error_log [ NO ]

[+] SSH Support
------------------------------------
- Checking running SSH daemon [ FOUND ]
- Searching SSH configuration [ FOUND ]
- SSH option: AllowTcpForwarding [ SUGGESTION ]
- SSH option: ClientAliveCountMax [ SUGGESTION ]
- SSH option: ClientAliveInterval [ OK ]
- SSH option: Compression [ SUGGESTION ]
- SSH option: FingerprintHash [ OK ]
- SSH option: GatewayPorts [ OK ]
- SSH option: IgnoreRhosts [ OK ]
- SSH option: LoginGraceTime [ OK ]
- SSH option: LogLevel [ SUGGESTION ]
- SSH option: MaxAuthTries [ SUGGESTION ]
- SSH option: MaxSessions [ SUGGESTION ]
- SSH option: PermitRootLogin [ SUGGESTION ]
- SSH option: PermitUserEnvironment [ OK ]
- SSH option: PermitTunnel [ OK ]
- SSH option: Port [ SUGGESTION ]
- SSH option: PrintLastLog [ OK ]
- SSH option: Protocol [ OK ]
- SSH option: StrictModes [ OK ]
- SSH option: TCPKeepAlive [ SUGGESTION ]
- SSH option: UseDNS [ OK ]
- SSH option: VerifyReverseMapping [ NOT FOUND ]
- SSH option: X11Forwarding [ SUGGESTION ]
- SSH option: AllowAgentForwarding [ SUGGESTION ]
- SSH option: AllowUsers [ NOT FOUND ]
- SSH option: AllowGroups [ NOT FOUND ]

[+] SNMP Support
------------------------------------
- Checking running SNMP daemon [ NOT FOUND ]

[+] Databases
------------------------------------
- MySQL process status [FOUND ]

[+] LDAP Services
------------------------------------
- Checking OpenLDAP instance [ NOT FOUND ]

[+] PHP
------------------------------------
- Checking PHP [ FOUND ]
- Checking PHP disabled functions [ FOUND ]
- Checking expose_php option [ OFF ]
- Checking enable_dl option [ OFF ]
- Checking allow_url_fopen option [ ON ]
- Checking allow_url_include option [ OFF ]
- Checking PHP suhosin extension status [ OK ]
- Suhosin simulation mode status [ OK ]

[+] Squid Support
------------------------------------
- Checking running Squid daemon [ NOT FOUND ]

[+] Logging and files
------------------------------------
- Checking for a running log daemon [ OK ]
- Checking Syslog-NG status [ NOT FOUND ]
- Checking systemd journal status [ FOUND ]
- Checking Metalog status [ NOT FOUND ]
- Checking RSyslog status [ FOUND ]
- Checking RFC 3195 daemon status [ NOT FOUND ]
- Checking minilogd instances [ NOT FOUND ]
- Checking logrotate presence [ OK ]
- Checking log directories (static list) [ DONE ]
- Checking open log files [ DONE ]
- Checking deleted files in use [ FILES FOUND ]

[+] Insecure services
------------------------------------
- Checking inetd status [ NOT ACTIVE ]

[+] Banners and identification
------------------------------------
- /etc/issue [ FOUND ]
- /etc/issue contents [ OK ]
- /etc/issue.net [ FOUND ]
- /etc/issue.net contents [ OK ]

[+] Scheduled tasks
------------------------------------
- Checking crontab/cronjob [ DONE ]
- Checking atd status [ RUNNING ]
- Checking at users [ DONE ]
- Checking at jobs [ NONE ]

[+] Accounting
------------------------------------
- Checking accounting information [ NOT FOUND ]
- Checking sysstat accounting data [ NOT FOUND ]
- Checking auditd [ NOT FOUND ]

[+] Time and Synchronization
------------------------------------
- NTP daemon found: ntpd [ FOUND ]
- NTP daemon found: systemd (timesyncd) [ FOUND ]
- Checking for a running NTP daemon or client [ OK ]
- Checking valid association ID's [ FOUND ]
- Checking high stratum ntp peers [ OK ]
- Checking unreliable ntp peers [ FOUND ]
- Checking selected time source [ OK ]
- Checking time source candidates [ OK ]
- Checking falsetickers [ OK ]
- Checking NTP version [ FOUND ]

[+] Cryptography
------------------------------------
- Checking for expired SSL certificates [0/1] [ NONE ]

[+] Virtualization
------------------------------------

[+] Containers
------------------------------------

[+] Security frameworks
------------------------------------
- Checking presence AppArmor [ FOUND ]
- Checking AppArmor status [ ENABLED ]
- Checking presence SELinux [ NOT FOUND ]
- Checking presence grsecurity [ NOT FOUND ]
- Checking for implemented MAC framework [ OK ]

[+] Software: file integrity
------------------------------------
- Checking file integrity tools
- Checking presence integrity tool [ NOT FOUND ]

[+] Software: System tooling
------------------------------------
- Checking automation tooling
- Automation tooling [ NOT FOUND ]
- Checking presence of Fail2ban [ FOUND ]
- Checking Fail2ban jails [ ENABLED ]
- Checking for IDS/IPS tooling [ FOUND ]

[+] Software: Malware
------------------------------------

[+] File Permissions
------------------------------------
- Starting file permissions check
/root/.ssh [ OK ]

[+] Home directories
------------------------------------
- Checking shell history files [ OK ]

[+] Kernel Hardening
------------------------------------
- Comparing sysctl key pairs with scan profile
- fs.protected_hardlinks (exp: 1) [ OK ]
- fs.protected_symlinks (exp: 1) [ OK ]
- fs.suid_dumpable (exp: 0) [ DIFFERENT ]
- kernel.core_uses_pid (exp: 1) [ DIFFERENT ]
- kernel.ctrl-alt-del (exp: 0) [ OK ]
- kernel.dmesg_restrict (exp: 1) [ DIFFERENT ]
- kernel.kptr_restrict (exp: 2) [ DIFFERENT ]
- kernel.randomize_va_space (exp: 2) [ OK ]
- kernel.sysrq (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.all.accept_redirects (exp: 0) [ OK ]
- net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ]
- net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ]
- net.ipv4.conf.all.forwarding (exp: 0) [ OK ]
- net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ]
- net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ]
- net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ]
- net.ipv4.conf.all.rp_filter (exp: 1) [ OK ]
- net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.default.accept_redirects (exp: 0) [ OK ]
- net.ipv4.conf.default.accept_source_route (exp: 0) [ OK ]
- net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT ]
- net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ]
- net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ]
- net.ipv4.tcp_syncookies (exp: 1) [ DIFFERENT ]
- net.ipv4.tcp_timestamps (exp: 0) [ DIFFERENT ]
- net.ipv6.conf.all.accept_redirects (exp: 0) [ OK ]
- net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ]
- net.ipv6.conf.default.accept_redirects (exp: 0) [ OK ]
- net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ]

[+] Hardening
------------------------------------
- Installed compiler(s) [ FOUND ]
- Installed malware scanner [ NOT FOUND ]

[+] Custom Tests
------------------------------------
- Running custom tests...  [ NONE ]

[+] Plugins (phase 2)
------------------------------------
- Plugins (phase 2) [ DONE ]

================================================================================

...

Lynis Results 2/3 – Warnings

  Warnings (1):
  ----------------------------
  ! Found one or more vulnerable packages. [REMOVED-FIXED] 
      https://cisofy.com/controls/REMOVED-FIXED/
...

I resolved the only warning by typing

apt-get update
apt-get upgrade
shutdown -r now

After updating the Lynis system scan I re-ran the text and got

 -[ Lynis 2.5.5 Results ]-

  Great, no warnings

Lynis Results 3/3 – Suggestions

  Suggestions (44):
  ----------------------------
  * Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122] 
      https://cisofy.com/controls/BOOT-5122/

  * Configure minimum password age in /etc/login.defs [AUTH-9286] 
      https://cisofy.com/controls/AUTH-9286/

  * Configure maximum password age in /etc/login.defs [AUTH-9286] 
      https://cisofy.com/controls/AUTH-9286/

  * Default umask in /etc/login.defs could be more strict like 027 [AUTH-9328] 
      https://cisofy.com/controls/AUTH-9328/

  * Default umask in /etc/init.d/rc could be more strict like 027 [AUTH-9328] 
      https://cisofy.com/controls/AUTH-9328/

  * To decrease the impact of a full /home file system, place /home on a separated partition [FILE-6310] 
      https://cisofy.com/controls/FILE-6310/

  * To decrease the impact of a full /tmp file system, place /tmp on a separated partition [FILE-6310] 
      https://cisofy.com/controls/FILE-6310/

  * To decrease the impact of a full /var file system, place /var on a separated partition [FILE-6310] 
      https://cisofy.com/controls/FILE-6310/

  * Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840] 
      https://cisofy.com/controls/STRG-1840/

  * Check DNS configuration for the dns domain name [NAME-4028] 
      https://cisofy.com/controls/NAME-4028/

  * Split resolving between localhost and the hostname of the system [NAME-4406] 
      https://cisofy.com/controls/NAME-4406/

  * Install debsums utility for the verification of packages with known good database. [PKGS-7370] 
      https://cisofy.com/controls/PKGS-7370/

  * Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades [PKGS-7392] 
      https://cisofy.com/controls/PKGS-7392/

  * Install package apt-show-versions for patch management purposes [PKGS-7394] 
      https://cisofy.com/controls/PKGS-7394/

  * Consider running ARP monitoring software (arpwatch,arpon) [NETW-3032] 
      https://cisofy.com/controls/NETW-3032/

  * Check iptables rules to see which rules are currently not used [FIRE-4513] 
      https://cisofy.com/controls/FIRE-4513/

  * Install Apache mod_evasive to guard webserver against DoS/brute force attempts [HTTP-6640] 
      https://cisofy.com/controls/HTTP-6640/

  * Install Apache modsecurity to guard webserver against web application attacks [HTTP-6643] 
      https://cisofy.com/controls/HTTP-6643/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : AllowTcpForwarding (YES --> NO)
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : ClientAliveCountMax (3 --> 2)
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : Compression (DELAYED --> NO)
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : LogLevel (INFO --> VERBOSE)
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : MaxAuthTries (2 --> 1)
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : MaxSessions (10 --> 2)
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : PermitRootLogin (YES --> NO)
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : Port (22 --> )
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : TCPKeepAlive (YES --> NO)
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : X11Forwarding (YES --> NO)
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : AllowAgentForwarding (YES --> NO)
      https://cisofy.com/controls/SSH-7408/

  * Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP [PHP-2376] 
      https://cisofy.com/controls/PHP-2376

  * Check what deleted files are still in use and why. [LOGG-2190] 
      https://cisofy.com/controls/LOGG-2190/

  * Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126] 
      https://cisofy.com/controls/BANN-7126/

  * Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130] 
      https://cisofy.com/controls/BANN-7130/

  * Enable process accounting [ACCT-9622] 
      https://cisofy.com/controls/ACCT-9622/

  * Enable sysstat to collect accounting (no results) [ACCT-9626] 
      https://cisofy.com/controls/ACCT-9626/

  * Enable auditd to collect audit information [ACCT-9628] 
      https://cisofy.com/controls/ACCT-9628/

  * Check ntpq peers output for unreliable ntp peers and correct/replace them [TIME-3120] 
      https://cisofy.com/controls/TIME-3120/

  * Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350] 
      https://cisofy.com/controls/FINT-4350/

  * Determine if automation tools are present for system management [TOOL-5002] 
      https://cisofy.com/controls/TOOL-5002/

  * One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000] 
      https://cisofy.com/controls/KRNL-6000/

  * Harden compilers like restricting access to root user only [HRDN-7222] 
      https://cisofy.com/controls/HRDN-7222/

  * Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230] 
    - Solution : Install a tool like rkhunter, chkrootkit, OSSEC
      https://cisofy.com/controls/HRDN-7230/

  Follow-up
  ----------------------------
  - Show details of a test (lynis show details TEST-ID)
  - Check the logfile for all details (less /var/log/lynis.log)
  - Read security controls texts (https://cisofy.com)
  - Use --upload to upload data to central system (Lynis Enterprise users)

================================================================================

  Lynis security scan details

  Hardening index : 64 [############        ]
  Tests performed : 255
  Plugins enabled : 2

  Components
  - Firewall               [V]
  - Malware scanner        [X]

  Lynis Modules
  - Compliance Status      [?]
  - Security Audit         [V]
  - Vulnerability Scan     [V]

  Files
  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat

================================================================================

  Lynis 2.5.5

  Auditing, system hardening, and compliance for UNIX-based systems
  (Linux, macOS, BSD, and others)

  2007-2017, CISOfy - https://cisofy.com/lynis/
  Enterprise support available (compliance, plugins, interface and tools)

================================================================================

  [TIP] Enhance Lynis audits by adding your settings to custom.prf (see /linis/lynis/default.prf for all settings)

Installing a Malware Scanner

Install ClamAV

sudo apt-get install clamav

Download virus and malware definitions (this takes about 30 min)

sudo freshclam

Output:

sudo freshclam
> ClamAV Update process started at Wed Nov 15th 20:44:55 2017
> Downloading main.cvd [10%]

I had an issue on some boxes with clamav reporting I could not run freshclam

sudo freshclam
ERROR: /var/log/clamav/freshclam.log is locked by another process
ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).

This was fixed by typing

rm -rf /var/log/clamav/freshclam.log
sudo freshclam

Troubleshooting clamav

Clam AV does not like low ram boxes and may produce this error

Downloading main.cvd [100%]
ERROR: Database load killed by signal 9
ERROR: Failed to load new database

It looks like the solution is to increase your total ram.

fyi: Scan with ClamAV

sudo clamscan --max-filesize=3999M --max-scansize=3999M --exclude-dir=/www/* -i -r /

Re-running Lynis gave me the following malware status

- Malware scanner        [V]

Lynis Security rating

Hardening index : 69 [##############      ]

Installed

sudo apt-get install apt-show-versions
sudo apt-get install arpwatch
sudo apt-get install arpon

After re-running the test I got this Lynis security rating score (an improvement of 1)

Hardening index : 70 [#############       ]

Installed and configured debsums and auditd

sudo apt-get install debsums
sudo apt-get install audit

Now I get the following Lynis security rating score.

Hardening index : 71 [##############      ]

Conclusion

Lynis is great at performing an audit and recommending areas of work to allow you to harden your system (brute force protection, firewall, etc)

Security Don’ts

  • Never think you are done securing a system.

Security Do’s

  • Update Software (and remove software you do not use.)
  • Check Lynis Suggestions and try and resolve.
  • Security is an ongoing process, Do install a firewall, do ban bad IP’s, Do whitelist good IP’s, Do review Logs,
  • Do limit port access, make backups and keep on securing.

I will keep on securing and try and get remove all issues.

Read my past post on Securing Ubuntu in the cloud.

Scheduling an auto system updates is not enough in Ubuntu (as it is not recommended as the administrator should make decisions, not a scheduled job).

apt-get update
apt-get upgrade

fyi: CISOFY/Lynis do have paid subscriptions to have external scans of your servers: https://cisofy.com/pricing. (why upgrade?)

Lynis Plans

I will look into this feature soon.

Updating Lynis

I checked the official documentation and ran an update check

./lynis --check-update
This option is deprecated
Use: lynis update info

./lynis update info

 == Lynis ==

  Version            : 2.5.5
  Status             : Outdated
  Installed version  : 255
  Latest version     : 257
  Release date       : 2017-09-07
  Update location    : https://cisofy.com/lynis/


2007-2017, CISOfy - https://cisofy.com/lynis/

Not sure how to update?

./lynis update
Error: Need a target for update

Examples:
lynis update check
lynis update info

./lynis update check
status=outdated

I opened an issue about updating v2.5.5 here. I asked Twiter for help.

Twitter

Official Response: https://packages.cisofy.com/community/#debian-ubuntu

Git Response

Waiting..

I ended up deleting Lynis 2.5.5

ls -al
rm -R *
rm -rf *
rm -rf .git
rm -rf .gitignore
rm -rf .travis.yml
cd ..
rm -R lynis/
ls -al

Updated

./lynis update check
status=up-to-date

And reinstalled to v2.5.8

sudo git clone https://www.github.com/CISOfy/lynis

Output:

sudo git clone https://www.github.com/CISOfy/lynis
Cloning into 'lynis'...
remote: Counting objects: 8538, done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 8538 (delta 0), reused 0 (delta 0), pack-reused 8534
Receiving objects: 100% (8538/8538), 3.96 MiB | 2.01 MiB/s, done.
Resolving deltas: 100% (6265/6265), done.
Checking connectivity... done.

More actions post upgrade to 2.5.8

  • Added a legal notice to “/etc/issues”, “/etc/issues.net” file’s.

Installing Lynis via apt-get instead of git clone

The official steps can be located here: https://packages.cisofy.com/community/#debian-ubuntu

apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C80E383C3DE9F082E01391A0366C67DE91CA5D5F
apt install apt-transport-https
echo 'Acquire::Languages "none";' > /etc/apt/apt.conf.d/99disable-translations
echo "deb https://packages.cisofy.com/community/lynis/deb/xenial main" > /etc/apt/sources.list.d/cisofy-lynis.list
apt update
apt install lynis
lynis show version

Unfortunately, I had an error with “apt update”

Error:

E: Malformed entry 1 in list file /etc/apt/sources.list.d/cisofy-lynis.list (Component)
E: The list of sources could not be read.

Complete install output

apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C80E383C3DE9F082E01391A0366C67DE91CA5D5F
Executing: /tmp/tmp.Dz9g9nKV6i/gpg.1.sh --keyserver
keyserver.ubuntu.com
--recv-keys
C80E383C3DE9F082E01391A0366C67DE91CA5D5F
gpg: requesting key 91CA5D5F from hkp server keyserver.ubuntu.com
gpg: key 91CA5D5F: public key "CISOfy Software (signed software packages) <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

# apt install apt-transport-https
Reading package lists... Done
Building dependency tree
Reading state information... Done
apt-transport-https is already the newest version (1.2.24).
The following packages were automatically installed and are no longer required:
  gamin libfile-copy-recursive-perl libgamin0 libglade2-0 libpango1.0-0 libpangox-1.0-0 openbsd-inetd pure-ftpd-common update-inetd
Use 'apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 8 not upgraded.

# echo 'Acquire::Languages "none";' > /etc/apt/apt.conf.d/99disable-translations

# echo "deb https://packages.cisofy.com/community/lynis/deb/ xenial main" > /etc/apt/sources.list.d/cisofy-lynis.list

# apt update
E: Malformed entry 1 in list file /etc/apt/sources.list.d/cisofy-lynis.list (Component)
E: The list of sources could not be read.

I reopened Github issue 491. A quick reply revealed that I did not put a space before “xenial” (oops)

fyi: I removed the dead keystore from apt by typing…

apt-key list
apt-key del 91CA5D5F
rm -rf /etc/apt/sources.list.d/cisofy-lynis.list

I can now install and update other packages with apt and not have the following error

E: Malformed entry 1 in list file /etc/apt/sources.list.d/cisofy-lynis.list (Component)
E: The list of sources could not be read.
E: Malformed entry 1 in list file /etc/apt/sources.list.d/cisofy-lynis.list (Component)
E: The list of sources could not be read.

I will remove the git clone and re-run the apt version later and put in more steps to get to a High 90’s Lynis score.

More

Read the official documentation https://cisofy.com/documentation/lynis/

Next: This guide will investigate the enterprise version of https://cisofy.com/pricing/ soon.

Hope this helps. If I have missed something please let me know on Twitter at @FearbySoftware

Donate and make this blog better



Ask a question or recommend an article
[contact-form-7 id=”30″ title=”Ask a Question”]

v1.46 Git hub response.

Filed Under: Advice, Cloud, Computer, Firewall, OS, Security, Server, Software, ssl, Ubuntu, VM, Vultr Tagged With: Audit, Lynis, secure, security, ubuntu

Raspberry Pi 2/B Security Webcam

June 4, 2017 by Simon

The Raspberry Pi is an inexpensive ARM based computer that is ideal for use as a home security camera.

What will you need?

  • Web server CPanel or dedicated web server to upload images to. (I use a $2.5 a month Vultr server).
  • Raspberry Pi (Raspberry Pi 2/b setup guide here).
  • Raspberry Pi 8MP camera.

Remote Web server

Install and configure FTP on the remote web server. This is where the Raspberry Pi’s will upload new images. It is important that you setup a folder for images (e.g/webcam/1/ and configure a new dedicated FTP account to log into that location by default.

Raspberry Pi

Wifi dongle (TP-link TL-WN821N), 2500ma power supply, Raspberry Pi 8MP Camera.

Other

You should have booted into your Pi and configured it, connected it to your wireless network and obtained it’s Mac network address (use terminal: ifconfig), enabled remote ssh access, changed the default password, set a static IP address on your local LAN/router and configured the date. If you did not want to stratx and use the GUI to setup the Pi you van use raspi-config command.

Previously I had a working security camera using a bash and a python script but this time decided to use Perl (thanks to Marc Fearby already writing a Perl script. and my old python script failing).

Install Packages and Pre-Requisites.

Type the following to install Perl and ImageMagick

sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install -y perl
sudo apt-get install -y imagemagick

ImageMagick is used to add images and text on to an image.

Also installed wput (to download an image) and ftp and other tools. You can skip this step if you don’t need Python, local ftp or wput.

sudo apt-get install -y wput
sudo apt-get install -y vsftpd
sudo apt-get install -y rpi-chromium-mods
sudo apt-get install -y python-sense-emu
sudo apt-get install -y python3-sense-emu
sudo apt-get install -y python-senseemu-doc
sudo apt-get install -y python-sense-emu-doc
sudo apt-get install -y realvnc-vnc-
sudo apt-get install -y python3-picamera
sudo apt-get install -y python3-pip

I made a scripts and images folder on the raspberry pi

mkdir /scripts
mkdir /scripts/1/
mkdir /scripts/2/
mkdir /scripts/3/
mkdir /scripts/4/

I did set permissions on the local folders

sudo chown -R 777 /scripts/
sudo chown -R pi /scripts/

I made image folders on the remote web server

mkdir ./webcam
mkdir ./webcam/1/
mkdir ./webcam/2/
mkdir ./webcam/3/
mkdir ./webcam/4/

I placed an empty index.php in each folder.

A reboot is a good idea here

sudo reboot

Raspberry Pi Script.

Make the sync image Perl script.

sudo nano /scripts/syncimage.pl

Here is my final Perl script. Hopefully, it is self-explanatory and debug information is clear. Printf if debug information and system is where Perl runs a command in the background.

use strict;
use Net::FTP;
use warnings;
use Time::Piece;
use Time::Seconds;
use Time::Piece;
use 5.010;

printf "Security Camera: Your Camera Name Here\n";

printf "Getting Timestamp\n";
my $mytimestamp = localtime(time) -> strftime ( "%d-%m-%Y-%H-%M-%S" );
printf "timestamp: $mytimestamp \n";

printf "\nTaking new image.\n";
printf "Saving image to /scripts/1/$mytimestamp.jpg\n";
system("raspistill -vf -hf -o /scripts/1/$mytimestamp.jpg");
printf "Captured: /scripts/1/$mytimestamp.jpg\n";
my $filename = "/scripts/1/$mytimestamp.jpg";
my @stat = stat $filename;
printf " Size: $stat[7]\n\n";
printf " Modified: $stat[9]\n\n";

printf "Adding Text to image.\n";
system("/usr/bin/convert /scripts/1/$mytimestamp.jpg -pointsize 36 -fill white -annotate +1+40 'Your Camera Name Here: $mytimestamp' /s$
printf "Done\n";

printf "Adding image to image\n";
system("/usr/bin/convert /scripts/1/$mytimestamp.jpg /scripts/avatar.jpg -geometry +1+1 -composite /scripts/2/$mytimesta$
printf "Done\n\n";

printf "\nUploading /scripts/1/$mytimestamp.jpg to ftp site ftp.yopurservernamehere.com\n";
my $ftp = Net::FTP->new("ftp.yopurservernamehere.com", Debug => 1, Passive => 1)
        or die "Can't open ftp.yopurservernamehere.com: [email protected] \n";

printf "\nLogging in to ftp..\n";
$ftp->login("yourloginusernamehere", "yourloginpasswordhere")
         or die "Cannot login to ftp.yopurservernamehere.com\n", $ftp->message;

printf "\nChanging ftp directory to /1/.\n";
$ftp->cwd("/1/")
         or die "Cannot change directory to /1/ on ftp.fearby.com", $ftp->message;
printf "\nSwitching ftp mode to binary.\n";
$ftp->binary();

printf "\nUploading $mytimestamp.jpg to ftp site.\n";
$ftp->put("/scripts/1/$mytimestamp.jpg","/1/$mytimestamp.jpg");

printf "\nDisconnecting from ftp.\n";
$ftp->close();
printf "\nDone.\n";

printf "\nRemoving old captured image: /scripts/1/*.jpg\n";
system("rm /scripts/1/*.jpg");

printf "\nDone..\n";

Multiple Pi’s

You can duplicate this setup on other pic and just change the /1/ path to /2/ or a higher number.

Security

You should have A+ rated SSL as a minimum (guide here). you should not be using the default Pi password.

index.php Viewer on the web server 

displaying the latest uploaded image in a web server folder as an HTML image tag. This PHP code chunk can be inseRted into your own PHP files and it will show the latest uploaded image file.

<?php	
$show = 1;
$files = glob( '/home/yourwebserverpath/public_html/webcam/1/*.{jpg}', GLOB_BRACE );
usort( $files, create_function('$b, $a', 'return filemtime( $a ) - filemtime( $b );') );
for ( $i = 0; $i < $show; ++$i ) {

	$image = $files[$i];
    
    $image2 = str_replace('/home/yourwebserverpath/public_html/', '/', $image); 
    echo "$image2<br />";

    echo "<img style=\"outline : none;max-width:100%;max-height:100%;\" src=\"" . $image2 . "\"></a><br><br>"; //display images

}
?>

More code will be added to this article on displaying all server site images as [5m][10m][15m][420M] (minutes ago) etc

Automating the syncing of images

Open the terminal and type

sudo contab -e

Enter this into the last line of the crontab and save (this will call the script every 5 mins automatically). Change the 5 to a 1 to have the Perl file called every 1 minute. 

*/5 * * * * /usr/bin/perl /scripts/syncimage.pl > /dev/null 2>&1

Manual syncing images

sudo perl /scripts/syncimage.pl

output:

Security Camera: Your Camera Name Here
Getting Timestamp
timestamp: 29-05-2017-06-19-25

Taking new image.
Saving image to /scripts/2/29-05-2017-06-19-25.jpg
Captuered: /scripts/2/29-05-2017-06-19-25.jpg
 Size: 3719361

 Modified: epochtimeremoved

Adding Text to image.
Done
Adding image to image
Done

Uploading /scripts/2/29-05-2017-06-19-25.jpg to ftp site ftp.yourwebservernamehere.com
Net::FTP>>> Net::FTP(2.79)
Net::FTP>>>   Exporter(5.71)
Net::FTP>>>   Net::Cmd(2.30)
Net::FTP>>>   IO::Socket::INET(1.35)
Net::FTP>>>     IO::Socket(1.38)
Net::FTP>>>       IO::Handle(1.35)
Net::FTP=GLOB(0xafaef0)<<< 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Net::FTP=GLOB(0xafaef0)<<< 220-You are user number 1 of 150 allowed.
Net::FTP=GLOB(0xafaef0)<<< 220-Local time is now 06:19. Server port: 21.
Net::FTP=GLOB(0xafaef0)<<< 220-This is a private system - No anonymous login
Net::FTP=GLOB(0xafaef0)<<< 220 You will be disconnected after 15 minutes of inactivity.

Logging in to ftp..
Net::FTP=GLOB(0xafaef0)>>> USER yourftpusernamehere
Net::FTP=GLOB(0xafaef0)<<< 331 User yourftpusernamehere OK. Password required
Net::FTP=GLOB(0xafaef0)>>> PASS ....
Net::FTP=GLOB(0xafaef0)<<< 230-OK. Current restricted directory is /
Net::FTP=GLOB(0xafaef0)<<< 230 750756 Kbytes used (36%) - authorized: 2048000 Kb

Changing ftp directory to /1/.
Net::FTP=GLOB(0xafaef0)>>> CWD /1/
Net::FTP=GLOB(0xafaef0)<<< 250 OK. Current directory is /2

Switching ftp mode to binary.
Net::FTP=GLOB(0xafaef0)>>> TYPE I
Net::FTP=GLOB(0xafaef0)<<< 200 TYPE is now 8-bit binary

Uploading 29-05-2017-06-19-25.jpg to ftp site.
Net::FTP=GLOB(0xafaef0)>>> PASV
Net::FTP=GLOB(0xafaef0)<<< 227 Entering Passive Mode 
Net::FTP=GLOB(0xafaef0)>>> STOR /2/29-05-2017-06-19-25.jpg
Net::FTP=GLOB(0xafaef0)<<< 150 Accepted data connection
Net::FTP=GLOB(0xafaef0)<<< 226-754131 Kbytes used (36%) - authorized: 2048000 Kb
Net::FTP=GLOB(0xafaef0)<<< 226-File successfully transferred
Net::FTP=GLOB(0xafaef0)<<< 226 32.397 seconds (measured here), 104.18 Kbytes per second

Disconnecting from ftp.

Done.

Removing old captured image: /scripts/1/*.jpg

Misc

  • Make sure the Ppi has a 2500+ ma power pack minimum
  • Ensure the Pi lens of protected from the sun.
  • Test

Images

IMG_9206

IMG_9213

IMG_9211

Device Choices

Using a full Raspberry Pi has the benefits of using full-size USD Devices while debugging but it may draw more power (still 5v but more amps/watts).

A Raspberry Pi Zero W is a good choice if you have micro USB devices (I did not and the bits I ordered were not compatible with older Rasbian installations, read my setup guide here). A Raspberry Pi Zeo W is a  single core device and used a tiny bit of power.

I would like to setup a  camera on a NodeMSU ESP8266 (read my setup guide here ) device or an ESP32 sometime soon for using even less power.

Misc

downloading an image with wget.

sudo /usr/bin/wget http://youwebserver.com/avatar.jpg

Todo:

  • Only capture in set hours (exit Perl script)
  • Show last images (server)
  • Auto remove images older than xx hours (server).
  • Local web interface.
  • SMS alerts
  • Raspberry Pi zero

Donate and make this blog better




Ask a question or recommend an article
[contact-form-7 id=”30″ title=”Ask a Question”]

v1.7 fixed typo, checking guide (Jan 2018)

v1.6 add info on device choices.

Filed Under: IoT, Security Tagged With: camera, raspberry pi, security

Beyond SSL with Content Security Policy, Public Key Pinning etc

December 6, 2016 by Simon

A big shoutout goes to Troy Hunt and Leo Laporte and Steve Gibson from https://www.grc.com/securitynow for sharing their security knowledge.

Pre-Requisite: SSL Certificate

I have mentioned before how to obtain an A+ rating on your SSL certificate with the help of https://ssllabs.com/ssltest before in my Digital Ocean and AWS and Vultr Ubuntu server (NGINX, NodeJS etc) setup guides. Also an SSL certificate can be free and installed in 1 minute.

I will assume you have an SSL Labs A+ server rating on your site and you want to secure your site some more. You will need to secure your site some more by enabling content headers for Content Security Policy and Public Key Pinning.

Why

Read this article from Troy Hunt that explains why CSP is important: The JavaScript Supply Chain Paradox: SRI, CSP and Trust in Third Party Libraries

HTTP Public Key Pinning

Full credit goes to this site for explaining how to setup HTTP Public Key Pin and (add a NGINX header to reference two new keys that we link to the main certificate). Basically, we need to generate two new certificates on our server (linked to our master certificate from our CA) and deliver the hashes to the client as a header.

 cd /etc/nginx/
 mkdir ssl.bak
 sudo cp -R ./ssl/* ./ssl.bak/
 cd ssl

openssl x509 -pubkey < chained.crt | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
> Base64Output01Removed###########################=

openssl genrsa -out chained.first.pin.key 4096
> Generating RSA private key, 4096 bit long modulus
> …

openssl req -new -key yourserver.first.pin.key -sha256 -out yourserver.first.pin.csr
> Country Name (2 letter code) [AU]:
> State or Province Name (full name) [Some-State]:
> Locality Name (eg, city) []:
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:
> Organizational Unit Name (eg, section) []:
> Common Name (e.g. server FQDN or YOUR name) []:
> Email Address []:
> Please enter the following ‘extra’ attributes
> to be sent with your certificate request
> A challenge password []:
> An optional company name []:

openssl req -pubkey < yourserver.first.pin.csr | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
> Base64Output02###########################=

openssl genrsa -out chained.second.pin.key 4096
> Generating RSA private key, 4096 bit long modulus
> …

openssl req -new -key yourserver.second.pin.key -sha256 -out yourserver.second.pin.csr
> Country Name (2 letter code) [AU]:
> State or Province Name (full name) [Some-State]:
> Locality Name (eg, city) []:
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:
> Organizational Unit Name (eg, section) []:
> Common Name (e.g. server FQDN or YOUR name) []:
> Email Address []:
> Please enter the following ‘extra’ attributes
> to be sent with your certificate request
> A challenge password []:
> An optional company name []:

openssl req -pubkey < yourserver.second.pin.csr | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
> Base64Output03###########################=

# Add the following to the NGINX default configuration

server {
…
add_header Public-Key-Pins ‘pin-sha256=”Base64Output01###########################=”; pin-sha256=”Base64Output02###########################=”; pin-sha256=”Base64Output03###########################=”; max-age=2592000; includeSubDomains’;
…
}

nginx -t
nginx -s reload
/etc/init.d/nginx restart

This should solve the pinning ratings. I can check with https://securityheaders.io

Content Security Policy

Content Security Policy helps prevent cross-site scripting (XSS), clickjacking and other code injection attacks on your site by allowing your site to pre-define where resources can load from. Content Security Policy is supported in modern web browsers only. Here is a good explanation of CSP and a hackers cheat sheet for how to XSS Inject a site.

You can use this site to review your websites (or your bank’s website security): https://securityheaders.io/

I decided to check a big bank’s CSP/XSS configuration.

websecurity-001

St George Bank appears to be missing a number of potential security configurations (above). I ran the checker over a site I was building and I got a missing Content Security Polity warning also.

If your site just delivers text (no images or media) and does not use Google Analytics or content from remote CDN’s then defining a Content Security Policy is easy in NGINX.

add_header Content-Security-Policy "default-src " always;
add_header X-Content-Security-Policy "default-src " always;
add_header X-WebKit-CSP "default-src https: " always;

But chances are you will need to generate a detailed CSP to allow Google Analytics, Font’s and scripts to load/run.

There are loads of sites that will help you generate you a CSP ( here, here etc) but it is best to add the configuration above to your NGINX config then load your website google chrome and look for any CSP errors and then add them into the CSP generator, export to NGINX, save and recheck in google chrome until all issues are solved.

A recent version of Google Chrome will give you a good indication of what resources it blocked (that were not covered in your Content Security Policy).

websecurity-006

I suggest you go to https://report-uri.io/home/generate and for each failing resource resolve that issue by defining the allowed resources in your policy.

After about 20 reloads of my CSP at https://report-uri.io/home/generate on my site and CSP validation with https://cspvalidator.org/ I have a working minimum Content Security Policy allowing resources on my site (real names redacted, note my CDN server that I use for misc resources).

websecurity-007

My Final Content Security Policy.

script-src 'self' 'unsafe-inline' https://myservername.com:* https://myservername-cdn:* https://*.google-analytics.com https://*.google.com; style-src 'self' 'unsafe-inline' https://myservername.com:* https://fonts.googleapis.com:*; img-src 'self' https://myservername.com:* https://*.google-analytics.com https://*.google.com; font-src 'self' data: https://myservername.com:* https://myservername-cdn:* https://fonts.googleapis.com:* https://fonts.gstatic.com:*; connect-src 'self' https://myservername.com:* https://myservername-cdn:* https://*.google-analytics.com https://*.google.com; media-src 'self' https://myservername.com:* https://myservername-cdn:* https://*.google-analytics.com https://*.google.com; child-src 'self' https://player.vimeo.com https://www.youtube.com; form-action 'self' https://myservername.com:* https://myservername-cdn:*;

Spaced out to see what is set.

script-src 'self' 'unsafe-inline' https://myservername.com:* https://myservername-cdn:* https://*.google-analytics.com https://*.google.com; 
	style-src 'self' 'unsafe-inline' https://myservername.com:* https://fonts.googleapis.com:*; 
	img-src 'self' https://myservername.com:* https://*.google-analytics.com https://*.google.com; 
	font-src 'self' data: https://myservername.com:* https://myservername-cdn:* https://fonts.googleapis.com:* https://fonts.gstatic.com:*; 
	connect-src 'self' https://myservername.com:* https://myservername-cdn:* https://*.google-analytics.com https://*.google.com; 
	media-src 'self' https://myservername.com:* https://myservername-cdn:* https://*.google-analytics.com https://*.google.com; 
	child-src 'self' https://player.vimeo.com https://www.youtube.com; 
	form-action 'self' https://myservername.com:* https://myservername-cdn:*;

Here is what I added to my NGINX configuration (but with my real servers names)

add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' https://myservername.com:* https://myservername-cdn:* https://*.google-analytics.com https://*.google.com; style-src 'self' 'unsafe-inline' https://myservername.com:* https://fonts.googleapis.com:*; img-src 'self' https://myservername.com:* https://*.google-analytics.com https://*.google.com; font-src 'self' data: https://myservername.com:* https://myservername-cdn:* https://fonts.googleapis.com:* https://fonts.gstatic.com:*; connect-src 'self' https://myservername.com:* https://myservername-cdn:* https://*.google-analytics.com https://*.google.com; media-src 'self' https://myservername.com:* https://myservername-cdn:* https://*.google-analytics.com https://*.google.com; child-src 'self' https://player.vimeo.com https://www.youtube.com; form-action 'self' https://myservername.com:* https://myservername-cdn:*; " always;
add_header X-Content-Security-Policy "script-src 'self' 'unsafe-inline' https://myservername.com:* https://myservername-cdn:* https://*.google-analytics.com https://*.google.com; style-src 'self' 'unsafe-inline' https://myservername.com:* https://fonts.googleapis.com:*; img-src 'self' https://myservername.com:* https://*.google-analytics.com https://*.google.com; font-src 'self' data: https://myservername.com:* https://myservername-cdn:* https://fonts.googleapis.com:* https://fonts.gstatic.com:*; connect-src 'self' https://myservername.com:* https://myservername-cdn:* https://*.google-analytics.com https://*.google.com; media-src 'self' https://myservername.com:* https://myservername-cdn:* https://*.google-analytics.com https://*.google.com; child-src 'self' https://player.vimeo.com https://www.youtube.com; form-action 'self' https://myservername.com:* https://myservername-cdn:*; " always;
add_header X-WebKit-CSP "script-src 'self' 'unsafe-inline' https://myservername.com:* https://myservername-cdn:* https://*.google-analytics.com https://*.google.com; style-src 'self' 'unsafe-inline' https://myservername.com:* https://fonts.googleapis.com:*; img-src 'self' https://myservername.com:* https://*.google-analytics.com https://*.google.com; font-src 'self' data: https://myservername.com:* https://myservername-cdn:* https://fonts.googleapis.com:* https://fonts.gstatic.com:*; connect-src 'self' https://myservername.com:* https://myservername-cdn:* https://*.google-analytics.com https://*.google.com; media-src 'self' https://myservername.com:* https://myservername-cdn:* https://*.google-analytics.com https://*.google.com; child-src 'self' https://player.vimeo.com https://www.youtube.com; form-action 'self' https://myservername.com:* https://myservername-cdn:*; " always;

Misc SSL Certificate Issues

https://www.ssllabs.com/ssltest is the go-to site for checking your sites SSL certificate for issues.

websecurity-005

Basic Server testing with asafaweb.com

https://asafaweb.com/ is a great site that tests your server to common security issues. Click on the orange or red buttons for an explanation and resolution.

websecurity-004

Testing with SecurityHeaders.io

If everything is configured you will get all green.

websecurity-003

CVE Exploits Database

After your server is secure you cannot sit back and pat yourself on the back, vulnerabilities can appear overnight and it is up to you to patch and update your server, services and software.

  • NGINX from time to time has vulnerabilities that need urgent patching.
  • OpenSSL needs checking for vulnerabilities from time to time. A bug was found in June this year that required urgent patching (blog post here).
  • Spectre and Meltdown bug

Your Code

Once you have a secure web server, SSL, XSS pinning and other security configuration setup you will need to ensure any code you develop is secure too.

Read the Open Web Application Security Project’s Top 10 Developer Security considerations.

About OWASP.

Security

As a precaution, do check your website often in https://www.shodan.io and see if it has open software or is known to hackers.
Keep Yourself Informed

Follow as many security researchers as you can on Twitter and keep up to date. (e.g 0xDUDE)

Check out the extensive Hardening a Linux Server guide at thecloud.org.uk: https://thecloud.org.uk/wiki/index.php?title=Hardening_a_Linux_Server

Good luck.

Donate and make this blog better




Ask a question or recommend an article
[contact-form-7 id=”30″ title=”Ask a Question”]

V1.9 Added Let’s Encrypt info

V1.8 added Troy Hunt article on CSP

v1.7 added link to Hardening a Linux Server link

V1.6 security

Filed Under: Development, Security Tagged With: CSP, security, ssl, XSS

  • Go to page 1
  • Go to page 2
  • Go to Next Page »

Primary Sidebar

Poll

What would you like to see more posts about?
Results

Support this Blog

Create your own server today (support me by using these links

Create your own server on UpCloud here ($25 free credit).

Create your own server on Vultr here.

Create your own server on Digital Ocean here ($10 free credit).

Remember you can install the Runcloud server management dashboard here if you need DevOps help.

Advertisement:

Tags

2FA (9) Advice (17) Analytics (9) App (9) Apple (10) AWS (9) Backup (21) Business (8) CDN (8) Cloud (49) Cloudflare (8) Code (8) Development (26) Digital Ocean (13) DNS (11) Domain (27) Firewall (12) Git (7) Hosting (18) HTTPS (6) IoT (9) LetsEncrypt (7) Linux (20) Marketing (11) MySQL (24) NGINX (11) NodeJS (11) OS (10) PHP (13) Scalability (12) Scalable (14) Security (44) SEO (7) Server (26) Software (7) SSH (7) ssl (17) Tech Advice (9) Ubuntu (39) Uncategorized (23) UpCloud (12) VM (44) Vultr (24) Website (14) Wordpress (25)

Disclaimer

Terms And Conditions Of Use All content provided on this "www.fearby.com" blog is for informational purposes only. Views are his own and not his employers. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. Never make changes to a live site without backing it up first.

Advertisement:

Footer

Popular

  • Backing up your computer automatically with BackBlaze software (no data limit)
  • How to back up an iPhone (including photos and videos) multiple ways
  • Add two factor auth login protection to WordPress with YubiCo hardware YubiKeys and or 2FA Authenticator App
  • Setup two factor authenticator protection at login on Ubuntu or Debian
  • Using the Yubico YubiKey NEO hardware-based two-factor authentication device to improve authentication and logins to OSX and software
  • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
  • Monitor server performance with NixStats and receive alerts by SMS, Push, Email, Telegram etc
  • Speeding up WordPress with the ewww.io ExactDN CDN and Image Compression Plugin
  • Add Google AdWords to your WordPress blog

Security

  • Check the compatibility of your WordPress theme and plugin code with PHP Compatibility Checker
  • Add two factor auth login protection to WordPress with YubiCo hardware YubiKeys and or 2FA Authenticator App
  • Setup two factor authenticator protection at login on Ubuntu or Debian
  • Using the Yubico YubiKey NEO hardware-based two-factor authentication device to improve authentication and logins to OSX and software
  • Setting up DNSSEC on a Namecheap domain hosted on UpCloud using CloudFlare
  • Set up Feature-Policy, Referrer-Policy and Content Security Policy headers in Nginx
  • Securing Google G Suite email by setting up SPF, DKIM and DMARC with Cloudflare
  • Enabling TLS 1.3 SSL on a NGINX Website (Ubuntu 16.04 server) that is using Cloudflare
  • Using the Qualys FreeScan Scanner to test your website for online vulnerabilities
  • Beyond SSL with Content Security Policy, Public Key Pinning etc
  • Upgraded to Wordfence Premium to get real-time login defence, malware scanner and two-factor authentication for WordPress logins
  • Run an Ubuntu VM system audit with Lynis
  • Securing Ubuntu in the cloud
  • No matter what server-provider you are using I strongly recommend you have a hot spare ready on a different provider

Code

  • How to code PHP on your localhost and deploy to the cloud via SFTP with PHPStorm by Jet Brains
  • Useful Java FX Code I use in a project using IntelliJ IDEA and jdk1.8.0_161.jdk
  • No matter what server-provider you are using I strongly recommend you have a hot spare ready on a different provider
  • How to setup PHP FPM on demand child workers in PHP 7.x to increase website traffic
  • Installing Android Studio 3 and creating your first Kotlin Android App
  • PHP 7 code to send object oriented sanitised input data via bound parameters to a MYSQL database
  • How to use Sublime Text editor locally to edit code files on a remote server via SSH
  • Creating your first Java FX app and using the Gluon Scene Builder in the IntelliJ IDEA IDE
  • Deploying nodejs apps in the background and monitoring them with PM2 from keymetrics.io

Tech

  • Backing up your computer automatically with BackBlaze software (no data limit)
  • How to back up an iPhone (including photos and videos) multiple ways
  • US v Huawei: The battle for 5G
  • Check the compatibility of your WordPress theme and plugin code with PHP Compatibility Checker
  • Is OSX Mojave on a 2014 MacBook Pro slower or faster than High Sierra
  • Telstra promised Fibre to the house (FTTP) when I had FTTN and this is what happened..
  • The case of the overheating Mac Book Pro and Occam’s Razor
  • Useful Linux Terminal Commands
  • Useful OSX Terminal Commands
  • Useful Linux Terminal Commands
  • What is the difference between 2D, 3D, 360 Video, AR, AR2D, AR3D, MR, VR and HR?
  • Application scalability on a budget (my journey)
  • Monitor server performance with NixStats and receive alerts by SMS, Push, Email, Telegram etc
  • Why I will never buy a new Apple Laptop until they fix the hardware cooling issues.

Wordpress

  • Replacing Google Analytics with Piwik/Matomo for a locally hosted privacy focused open source analytics solution
  • Setting web push notifications in WordPress with OneSignal
  • Telstra promised Fibre to the house (FTTP) when I had FTTN and this is what happened..
  • Check the compatibility of your WordPress theme and plugin code with PHP Compatibility Checker
  • Add two factor auth login protection to WordPress with YubiCo hardware YubiKeys and or 2FA Authenticator App
  • Monitor server performance with NixStats and receive alerts by SMS, Push, Email, Telegram etc
  • Upgraded to Wordfence Premium to get real-time login defence, malware scanner and two-factor authentication for WordPress logins
  • Wordfence Security Plugin for WordPress
  • Speeding up WordPress with the ewww.io ExactDN CDN and Image Compression Plugin
  • Installing and managing WordPress with WP-CLI from the command line on Ubuntu
  • Moving WordPress to a new self managed server away from CPanel
  • Moving WordPress to a new self managed server away from CPanel

General

  • Backing up your computer automatically with BackBlaze software (no data limit)
  • How to back up an iPhone (including photos and videos) multiple ways
  • US v Huawei: The battle for 5G
  • Using the WinSCP Client on Windows to transfer files to and from a Linux server over SFTP
  • Connecting to a server via SSH with Putty
  • Setting web push notifications in WordPress with OneSignal
  • Infographic: So you have an idea for an app
  • Restoring lost files on a Windows FAT, FAT32, NTFS or Linux EXT, Linux XFS volume with iRecover from diydatarecovery.nl
  • Building faster web apps with google tools and exceed user expectations
  • Why I will never buy a new Apple Laptop until they fix the hardware cooling issues.
  • Telstra promised Fibre to the house (FTTP) when I had FTTN and this is what happened..

Copyright © 2023 · News Pro on Genesis Framework · WordPress · Log in

Some ads on this site use cookies. You can opt-out if of local analytics tracking by scrolling to the bottom of the front page or any article and clicking "You are not opted out. Click here to opt out.". Accept Reject Read More
GDPR, Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT