CS Security Guide: Difference between revisions

From Computer Science Wiki
Jump to navigation Jump to search
Miket (talk | contribs)
Miket (talk | contribs)
 
(33 intermediate revisions by 3 users not shown)
Line 2: Line 2:
This document was created with the purpose of assisting new administrators in maintaining secure research systems within the department. It represents the views of the technical staff at the time of publication, and should be viewed as a starting point for security and not a comprehensive document. 
This document was created with the purpose of assisting new administrators in maintaining secure research systems within the department. It represents the views of the technical staff at the time of publication, and should be viewed as a starting point for security and not a comprehensive document. 
==Scope==
==Scope==
The scope of this document is limited to only the most basic of security recommendations. These are intended to be quick wins that will stop the largest portion of passive threats to our networks. These are the things that the Security Office is scanning for. 
The scope of this document is limited to only the most basic of security recommendations. These are intended to be quick wins that will stop the largest portion of passive threats to our networks. This includes the things that the Security Office is scanning for. As such you will not find suggestions or instructions on how to secure a specific service (Such as Apache, MySQL or anything similar). If you want more information on those topics there are pages of documentation that can assist you. 
As such you will not find suggestions or instructions on how to secure a specific service (Such as Apache, MySQL or anything similar). If you want more information on those topics there are pages of documentation that can assist you. 
 
==Responsibility==
==Responsibility==
It is the responsibility of any user granted Root (or Administrator) Access, to ensure that the System in question is as secure as possible from outside threats.  ([https://policies.vt.edu/assets/7010.pdf Policy 7010])
It is the responsibility of any user granted Root (or Administrator) Access, to ensure that the System in question is as secure as possible from outside threats.  ([https://policies.vt.edu/assets/7010.pdf Policy 7010])
Line 14: Line 14:
#Accounts with Sudo access are just as dangerous if compromised.
#Accounts with Sudo access are just as dangerous if compromised.
=Passwords=
=Passwords=
==Complexity==
 
Secure passwords feature a number of special characters, numbers, and a mix of upper and lowercase letters (8+ Characters), or are of significant length (16+ Characters).
==Guidelines==
Even following these complexity rules can result in a password that is insecure. For instance take a “four seasons” password (Example: Winter2020! ) This password is 11 characters long, features mixed-case, numbers and a special character, and yet exists in common password lists. 
# Complexity - Secure passwords feature a number of special characters, numbers, and a mix of upper and lowercase letters (8+ Characters), or are of significant length (16+ Characters). Even following these complexity rules can result in a password that is insecure. For instance take a “four seasons” password (Example: Winter2020! ) This password is 11 characters long, features mixed-case, numbers and a special character, and yet exists in common password lists. 
==Sharing==
# Sharing - Do not share passwords for your personal account or an admin account. It is also recommended not creating a shared account. 
Do not share passwords for your personal account or an admin account. It is also recommended not creating a shared account. 
# Reuse - Do not reuse passwords, especially for accounts with Admin Privileges. This means do not use the same password for more than one account. And it also means do not change back to the password at a later time.
==Reuse==
# Checking for Compromise - A variety of password managers will review your list of passwords periodically against a list of compromised passwords to ensure that your password doesn't appear in a dictionary that attackers are using. You can also check at a variety of websites the standard being [https://haveibeenpwned.com/Passwords HaveIBeenPwned]
Do not reuse passwords, especially for accounts with Admin Privileges. This means do not use the same password for more than one account. And it also means do not change back to the password at a later time.
# Common/Default Passwords - Most password lists include common and default passwords (ie: password, toor, admin, etc) If a device has a documented default password it is most likely included on the lists.
 
=Firewalls=
=Firewalls=
==General==
It is recommended that you use a firewall to secure any open ports on your Server/Virtual Machine. The baseline recommendation for this is to restrict access to only the campus networks. Since there are a number of options available and different options for each operating system instructions on how to set up a firewall goes beyond the scope of this document. Please refer to the Howto::Firewall page listed below for more information.  
Limit your ssh port access using a counter in combination with a time limit.  Unless a service needs to be public access, leave it blocked at the firewall.  Limit access to a specific IP address range for services that need remote access but should not be globally public.
 
==Centos==
 
IPTables or Firewalld should be used to prevent/limit outside access to ports and services.
[[Howto::Firewall]]
==Ubuntu==
 
UFW can be used to do the same limitations as above for ubuntu.
=Databases, NFS Shares, and Printers=
=Databases, NFS Shares, and Printers=
These services almost never need public internet access and should be among the first ports you restrict access to with your firewalls or Access Control Lists (Printers). 
These services almost never need public internet access and should be among the first ports you restrict access to with your firewalls or Access Control Lists (Printers). 
=SSH=
=SSH=
Based on recent attack history, SSH brute forcing tends to be one of most common infiltration methods we have been seeing. Often times in relation to insecure password generation (see above).
==Keys==
==Keys==
The IT Security Office currently recommends the use of SSH keys requiring a password as the preferred method of securing root access and providing multifactor authentication for remote access.
* [https://wiki.cs.vt.edu/index.php/Howto::SSH_Key CS SSH Key Guide]
* [https://4help.vt.edu/sp?id=kb_article&sys_id=7afe908fdb67e4106ee1d2cb4b961982#client 4help - SSH Key Guide]
==Fail2Ban==
==Fail2Ban==
There are guides on using fail2ban to dynamically block an IP that is making repeated failed login attempts through SSH. This would limit the effectiveness of password spray attacks and brute forcing.
=Unneeded Public Services=
=Unneeded Public Services=
Common sense goes a long way here, if you installed a service which people can connect to from outside of campus and are no longer using it, disable the service. The smaller attack surface you present to the outside world the less options you give an attacker. 
Common sense goes a long way here, if you installed a service which people can connect to from outside of campus and are no longer using it, disable the service. The smaller attack surface you present to the outside world the less options you give an attacker. 
Line 40: Line 49:
This topic is similar to patching but more serious. As OS developers strive to improve their OS it becomes essential to drop support for older versions to focus on the newer versions. When this happens an OS stops receiving important updates and security patches. Any new vulnerabilities found in the system going forward are not serviced and the system becomes less secure as time goes on. 
This topic is similar to patching but more serious. As OS developers strive to improve their OS it becomes essential to drop support for older versions to focus on the newer versions. When this happens an OS stops receiving important updates and security patches. Any new vulnerabilities found in the system going forward are not serviced and the system becomes less secure as time goes on. 
Please use a current operating system.  If your operating system is no longer supported or the provider is no longer providing security patches for your OS, you need to upgrade or reinstall.
Please use a current operating system.  If your operating system is no longer supported or the provider is no longer providing security patches for your OS, you need to upgrade or reinstall.
We have a page established for Operating system End of Life Dates which can be found here [[OS-EOL | Operating System End of Life]].
=Exposed Files=
=Exposed Files=
Lately ITSO has been scanning systems with open ports for specific files. Each time one is found they alert us and open a security ticket. These files either give an attacker information about the environment or in more serious cases can occasionally contain passwords.  Below is a list of these files and their services.
Lately ITSO has been scanning systems with open ports for specific files. Each time one is found they alert us and open a security ticket. These files either give an attacker information about the environment or in more serious cases can occasionally contain passwords.  Below is a list of these files and their services.
{|
{| class="wikitable"
|+!Exposed File
|+ Caption: Exposed Files Table
|-
!Exposed File
!Service 
!Service 
!Suggested Remediation
!Suggested Remediation
|+.env Python Remove or Restrict Access
|-
Django
|.env
|+.git github Restrict Access to the folder containing this file in Apache
|Python & Django
|+.htaccess Apache Restrict Access to this file in your configuration
|Remove or Restrict Access
nginx
|-
|.git
|github
|Restrict Access to the folder containing this file in Apache
|-
|.htaccess
|Apache & nginx
|Restrict Access to this file in your configuration
|}
|}


=Backups=
=Backups=
One of the most common attacks in the Education sector right now is Ransomware. The best defense against having to pay to decrypt your data is having an up to date offsite backup. That said it is important to think about your backup strategy long before the need to restore arises.
Currently our recommendation is Nightly backups for 7 days and weekly snapshots for a month, then monthly snapshots.
=Linux Hardening Scripts=
Here are a couple of example scripts to help get you started.<BR>
- ([https://version.cs.vt.edu/techstaff/ansible Ansible])<BR>
- ([https://version.cs.vt.edu/rhunter/cs-linux-hardening-script Bash])
=Training=
Below are some links for training.
==Linux Training==
===LinkedIn Learning===
[https://www.linkedin.com/learning/linux-security-and-hardening-essential-training/welcome?u=57888345 Linux Security & Hardening Essentials]
==MacOS==
===Apple Support===
[https://support.apple.com/guide/mac-help/set-up-your-mac-to-be-secure-flvlt003/mac Set Up your Mac to Be Secure]
==Windows 10==
===LinkedIn Learning===
[https://www.linkedin.com/learning/windows-10-security/securing-network-traffic-by-using-ipsec?u=57888345 Securing Network Traffic by Using IPSec]

Latest revision as of 10:24, 8 November 2024

Introduction

This document was created with the purpose of assisting new administrators in maintaining secure research systems within the department. It represents the views of the technical staff at the time of publication, and should be viewed as a starting point for security and not a comprehensive document. 

Scope

The scope of this document is limited to only the most basic of security recommendations. These are intended to be quick wins that will stop the largest portion of passive threats to our networks. This includes the things that the Security Office is scanning for. As such you will not find suggestions or instructions on how to secure a specific service (Such as Apache, MySQL or anything similar). If you want more information on those topics there are pages of documentation that can assist you. 

Responsibility

It is the responsibility of any user granted Root (or Administrator) Access, to ensure that the System in question is as secure as possible from outside threats.  (Policy 7010)

Admin Access

Admin access can be defined as anyone who has an administration account, sudo access, or access to the root account. 

  1. Admin access should be restricted to as few people as necessary.
  2. Where possible only use an Admin account for the duration of the changes necessary then return to a lower privileged account.
  3. Admin accounts should lock after a specified period of inactivity (shorter durations is better).
  4. Accounts with Sudo access are just as dangerous if compromised.

Passwords

Guidelines

  1. Complexity - Secure passwords feature a number of special characters, numbers, and a mix of upper and lowercase letters (8+ Characters), or are of significant length (16+ Characters). Even following these complexity rules can result in a password that is insecure. For instance take a “four seasons” password (Example: Winter2020! ) This password is 11 characters long, features mixed-case, numbers and a special character, and yet exists in common password lists. 
  2. Sharing - Do not share passwords for your personal account or an admin account. It is also recommended not creating a shared account. 
  3. Reuse - Do not reuse passwords, especially for accounts with Admin Privileges. This means do not use the same password for more than one account. And it also means do not change back to the password at a later time.
  4. Checking for Compromise - A variety of password managers will review your list of passwords periodically against a list of compromised passwords to ensure that your password doesn't appear in a dictionary that attackers are using. You can also check at a variety of websites the standard being HaveIBeenPwned
  5. Common/Default Passwords - Most password lists include common and default passwords (ie: password, toor, admin, etc) If a device has a documented default password it is most likely included on the lists.

Firewalls

It is recommended that you use a firewall to secure any open ports on your Server/Virtual Machine. The baseline recommendation for this is to restrict access to only the campus networks. Since there are a number of options available and different options for each operating system instructions on how to set up a firewall goes beyond the scope of this document. Please refer to the Howto::Firewall page listed below for more information.


Howto::Firewall

Databases, NFS Shares, and Printers

These services almost never need public internet access and should be among the first ports you restrict access to with your firewalls or Access Control Lists (Printers). 

SSH

Based on recent attack history, SSH brute forcing tends to be one of most common infiltration methods we have been seeing. Often times in relation to insecure password generation (see above).

Keys

The IT Security Office currently recommends the use of SSH keys requiring a password as the preferred method of securing root access and providing multifactor authentication for remote access.

Fail2Ban

There are guides on using fail2ban to dynamically block an IP that is making repeated failed login attempts through SSH. This would limit the effectiveness of password spray attacks and brute forcing.

Unneeded Public Services

Common sense goes a long way here, if you installed a service which people can connect to from outside of campus and are no longer using it, disable the service. The smaller attack surface you present to the outside world the less options you give an attacker. 

Patching

Patching is important for securing applications and operating systems. This is extremely important for systems that have public facing services. If there is a security patch for one of your services, there is a pretty good chance that it has been found to be vulnerable and could potentially be used to exploit your system.

Operating System End of Life

This topic is similar to patching but more serious. As OS developers strive to improve their OS it becomes essential to drop support for older versions to focus on the newer versions. When this happens an OS stops receiving important updates and security patches. Any new vulnerabilities found in the system going forward are not serviced and the system becomes less secure as time goes on.  Please use a current operating system.  If your operating system is no longer supported or the provider is no longer providing security patches for your OS, you need to upgrade or reinstall.

We have a page established for Operating system End of Life Dates which can be found here Operating System End of Life.

Exposed Files

Lately ITSO has been scanning systems with open ports for specific files. Each time one is found they alert us and open a security ticket. These files either give an attacker information about the environment or in more serious cases can occasionally contain passwords.  Below is a list of these files and their services.

Caption: Exposed Files Table
Exposed File Service  Suggested Remediation
.env Python & Django Remove or Restrict Access
.git github Restrict Access to the folder containing this file in Apache
.htaccess Apache & nginx Restrict Access to this file in your configuration

Backups

One of the most common attacks in the Education sector right now is Ransomware. The best defense against having to pay to decrypt your data is having an up to date offsite backup. That said it is important to think about your backup strategy long before the need to restore arises.

Currently our recommendation is Nightly backups for 7 days and weekly snapshots for a month, then monthly snapshots.

Linux Hardening Scripts

Here are a couple of example scripts to help get you started.
- (Ansible)
- (Bash)

Training

Below are some links for training.

Linux Training

LinkedIn Learning

Linux Security & Hardening Essentials

MacOS

Apple Support

Set Up your Mac to Be Secure

Windows 10

LinkedIn Learning

Securing Network Traffic by Using IPSec