Security Onion 2018

Something I’ve had reason to play a lot with over the last few months is Security Onion, a free and open source product that frankly compares damn well to a number of *very* expensive proprietary products.

It requires no small amount of Linux and tech knowledge to start digging into, but you get an ELK stack, full packet capture, and a number of GUI options for visibility into network and file system alerts. It's really neat.

I struggled to get my ELK stack working properly but the eventual culprit was memory: I’d recommend a minimum of 4-8 gigs of RAM.

I'm now looking into ways to build cheap NSM sensors out of something akin to Raspberry Pis, but I don't know how feasible that is yet.

Google Advanced Protection

Google has introduced the Advanced Protection Program. As far as I can tell, these are the big takeaways:

To provide the strongest defense against phishing, Advanced Protection goes beyond traditional 2-Step Verification. You will need to sign into your account with a password and a physical Security Key. Other authentication factors, like codes sent via SMS or the Google Authenticator app, will no longer work.

A physical key being a YubiKey in this case, it looks like.

When you sign up for new apps or services, you are sometimes asked for access to your data, like your emails or documents. By giving permission, you might introduce vulnerabilities that could be used to access your personal data. For example, an app you trust could be exploited or impersonated.

To protect you from this threat, Advanced Protection will automatically limit third-party apps from accessing your most sensitive data – your emails and your Drive files.

I suspect this is going to be implemented more broadly over time to non-Advanced Protection accounts, but we’ll see.

A common way that hackers try to gain access to your account is by impersonating you and pretending they have been locked out of your account.

To provide you with the strongest safeguards against this type of fraudulent account access, Advanced Protection adds extra steps to verify your identity. If you ever lose access to your account and both of your Security Keys, these added verification requirements will take a few days to restore access to your account.

Another thing that will probably see parts of it trickle down to mainstream account protection, but yeah.

Looks like it’s intended to target high-risk Google users as customers, but it’s free, so I’m imagining a number of tech folks will hop on board too. Looking into signing up for it myself this morning.

I'd like to write up something about the ongoing WPA2 flaw, but I'm waiting for a bit more to develop.

Hardening SSH With Configuration Changes

Hardening SSH can be a challenge, but it’s critical to get done.


OpenSSH is the administrative tool of choice for any good Unix/Linux sysadmin, and every bad guy in the world knows it. There is constant scanning looking for low-hanging fruit like misconfigured SSH services.


Configuring Fail2Ban To Protect Services

There are a number of automated banning tools that check for bad behavior, but I like fail2ban as it's flexible and extensible. Configuring fail2ban requires adjustment and testing, but it can be comprehensive. Certainly sshguard and denyhosts are solid options, and if you're only looking for something to monitor SSH, those are a great way to go.


Note: This is a guide to one security tool. You are responsible for securing any service you expose to the internet. I would not put a fresh box up with SSH open to the internet with only fail2ban installed, for example. (You might also want to harden the service directly.)
