
Security

General security-related subjects.

See PythonSecurity

Is SSH Evil ?

No question that SSH is useful, maybe essential for some functions. But is it necessary for the PyWacket approach to platform integration ?

Certainly, the hurdles to using SSH in a multi-platform environment are significant, especially on MS Windows. There are restrictive design policies and technical solutions to bypass or at least mitigate the problems of ownership/permissions etc. But is the real problem deeper than any technical solution ?

Does some sort of "Principle of Responsibility" say that processes running on a given machine/OS should be initiated by that machine and no other ? If one of the essential features of PyWacket is a portable monitor/process controller, does it make more sense that each machine ( which knows what it is and what it is capable of doing ) should initiate and control its own processes ? Sounds natural to me ...

So no SSH as it would violate the proper delegation ( or maybe migration ) of responsibility to its natural possessor - the machine running the process.

This implies some sort of peer-to-peer command processor, maybe a process launcher - something like the message "LAUNCH ftp_launcher.py DIR: C:\user\mydir". I was tempted to include "USING PORT: 8822", but notice that specifying a port that way violates a strict "Principle of Responsibility": the port belongs to the machine that will listen on it, so that machine should choose it and report it back.

The message queue mechanism would provide the transport backplane, both for the launch and for feedback, for example rendezvous info ( like the port number ), errors ( an error queue ), missing-info prompts ( an error handler ? ), logging, process admin, server admin channels ( start/stop ), etc. etc.
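Here is what such a launcher could look like, as an added example rather than PyWacket code: a handler that only starts scripts from a host-side allow-list, refuses working directories outside the host's own root, rejects any requester-supplied port, and reports the port it chose as rendezvous info. The exact message grammar, the PYWACKET_PORT environment variable and the allow-list contents are assumptions made for the example; queue.Queue stands in for whatever message-queue transport carries requests and feedback between peers.

```python
"""Peer-to-peer process launcher sketch: the host that runs the process owns
the decision to start it, where it runs, and which port it uses."""
import os
import queue
import re
import socket
import subprocess
import sys
from pathlib import Path

# Constructed policy for this host (hypothetical values): the scripts it is
# willing to start and the directory tree under which they may run.
ALLOWED_SCRIPTS = {"ftp_launcher.py", "monitor.py"}
ROOT = Path.cwd()


def parse_launch(msg):
    """Return (script, workdir) for 'LAUNCH <script> DIR: <path>'.

    Anything else is rejected, including a requester-supplied 'USING PORT:':
    the host running the process picks its own port, so the message format
    deliberately has no field for one.
    """
    if re.search(r"\bPORT\s*:", msg, re.IGNORECASE):
        raise ValueError("requester may not choose the port")
    head, sep, workdir = msg.partition(" DIR: ")
    if not sep or not workdir.strip():
        raise ValueError("missing DIR:")
    parts = head.split()
    if len(parts) != 2 or parts[0] != "LAUNCH":
        raise ValueError("expected 'LAUNCH <script> DIR: <path>'")
    return parts[1], workdir.strip()


def check_policy(script, workdir, root=ROOT, allowed=ALLOWED_SCRIPTS):
    """Allow only known script names (no path components) under this host's root."""
    if script not in allowed or "/" in script or "\\" in script:
        raise PermissionError(f"script not allowed: {script}")
    root = Path(root).resolve()
    # An absolute workdir replaces root when joined; either way it must
    # still resolve to somewhere inside root (this also catches '..').
    target = (root / workdir).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        raise PermissionError(f"workdir outside {root}: {workdir}") from None
    return target


def pick_port():
    """Let the OS hand out a free ephemeral port; this is the rendezvous info."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def default_launcher(script, workdir, port):
    """Start the script with the chosen port in its environment; return the pid."""
    env = dict(os.environ, PYWACKET_PORT=str(port))  # hypothetical variable name
    return subprocess.Popen([sys.executable, script], cwd=workdir, env=env).pid


def handle(msg, launcher=default_launcher, root=ROOT, allowed=ALLOWED_SCRIPTS):
    """Process one launch request and return the reply for the feedback queue."""
    try:
        script, workdir = parse_launch(msg)
        target = check_policy(script, workdir, root, allowed)
        port = pick_port()
        pid = launcher(script, str(target), port)
    except (ValueError, PermissionError) as exc:
        return f"ERROR {exc}"
    return f"READY {script} PID: {pid} PORT: {port}"


def serve(requests, replies, **policy):
    """Drain a request queue into a reply queue; None shuts the loop down.

    queue.Queue stands in for the message-queue backplane that carries
    LAUNCH requests and feedback between peers.
    """
    while (msg := requests.get()) is not None:
        replies.put(handle(msg, **policy))


if __name__ == "__main__":
    req, rep = queue.Queue(), queue.Queue()
    fake = lambda script, workdir, port: 4242  # demo only: start nothing
    for m in ("LAUNCH ftp_launcher.py DIR: work",
              "LAUNCH ftp_launcher.py DIR: work USING PORT: 8822",
              "LAUNCH ../evil.py DIR: work",
              "LAUNCH monitor.py DIR: ../../etc",
              None):
        req.put(m)
    serve(req, rep, launcher=fake)
    while not rep.empty():
        print(rep.get())
```

The three refusals matter more than the happy path: a launcher that takes script names and directories from the network is a remote code execution service by definition, so the allow-list and the root check are what keep "LAUNCH" from meaning "run anything, anywhere". Transport authentication ( who may put messages on the queue at all ) is a separate problem the message-queue layer has to solve.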

The notion of no SSH except where a function truly requires it is worth some thought ... it might make implementation easier: a more abstract process construct with fewer exceptions built into the design.

See: MicrosoftWindows#SSHforWindows

Incorruptible Logging

Usually one thinks of a super-duper secure server watching over its flock.

But is it possible to do this in a peer-to-peer environment ? Does BlockChain technology hold the answer ? The answer may be 'yes'.

See: PeerNetworks#BitcoinandBlockchain
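The piece of a blockchain that makes a log incorruptible is the hash chain, and it works without any mining or consensus. Added example, not from this page or PyWacket: every entry commits to the hash of the entry before it, so an auditor can detect any edit, insertion or deletion in the history. The one thing the chain alone cannot detect is truncation at the tail, which is exactly where a peer holding the latest head hash comes in. The entry layout and the sample messages are constructed for the example.

```python
"""Tamper-evident, hash-chained log: each entry commits to the one before it,
so a peer holding only the latest head hash can audit the whole history."""
import hashlib
import json

GENESIS = "0" * 64  # the 'previous hash' of the very first entry


def entry_hash(prev, seq, msg):
    """Hash of one entry; canonical JSON so every peer computes the same bytes."""
    blob = json.dumps({"prev": prev, "seq": seq, "msg": msg},
                      sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def append(chain, msg):
    """Append msg to chain (a list of dicts) and return the new head hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain)
    h = entry_hash(prev, seq, msg)
    chain.append({"seq": seq, "prev": prev, "msg": msg, "hash": h})
    return h


def verify(chain, head=None):
    """Return (ok, seq_of_first_bad_entry).

    With head=None only internal consistency is checked: any edit, insertion
    or deletion before the end breaks the chain. Chopping entries off the end
    is NOT caught that way; for that the caller passes the head hash it got
    from somewhere the logger cannot rewrite (a peer, a published anchor).
    """
    prev = GENESIS
    for i, e in enumerate(chain):
        if (e["seq"] != i or e["prev"] != prev
                or entry_hash(prev, i, e["msg"]) != e["hash"]):
            return False, i
        prev = e["hash"]
    if head is not None and prev != head:
        return False, len(chain)
    return True, None


# Constructed sample entries (not real log data).
SAMPLE = ["boot pywacket node-a", "LAUNCH ftp_launcher.py", "READY port 41233"]


def demo():
    """Build a chain, then show which tampering each verification mode detects."""
    chain = []
    head = GENESIS
    for m in SAMPLE:
        head = append(chain, m)            # head is what a peer would record
    ok_clean = verify(chain, head)
    edited = [dict(e) for e in chain]
    edited[1]["msg"] = "LAUNCH something_else.py"   # rewrite history
    ok_edit = verify(edited)
    trimmed = chain[:-1]                            # drop the newest entry
    ok_trim_local = verify(trimmed)                 # looks fine on its own...
    ok_trim_peer = verify(trimmed, head)            # ...but not against the peer's head
    return ok_clean, ok_edit, ok_trim_local, ok_trim_peer


if __name__ == "__main__":
    names = ("clean", "edited", "trimmed/local", "trimmed/peer")
    for name, result in zip(names, demo()):
        print(f"{name:14} {result}")
```

In a peer-to-peer setup each node appends to its own chain and periodically sends its head hash to the other peers; a node that later rewrites or trims its log can no longer produce a chain ending in the head the peers already hold. That gossip of head hashes is the "super-duper secure server" replaced by the flock itself.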

When Is Insecure Good Enough ?

Are there super-duper uncool security practices that are very useful and provide good enough security for local/home networks ?

For instance, running Python under lighttpd, or even worse, exposing bin directories with relaxed permissions ...

Good Enough Security

Four basic service types ?

Are these service types paired with a user type ( root, me, pywacket, some service, etc. ) ?

Private Network

Assumes a basic firewall at the router and nothing else; locked down, everything on localhost.

"Semi-Private"

On the private network but vulnerable: maybe port forwarded to a public server, or using suspect or vulnerable public services.

"Semi-Public"

On a public server but masked or tunnelled ( port forwarded ); a protected server, but still connected and vulnerable to attacks.

Public Network

Come and hack me, my port 22 is your port 22 ( more or less )

Server Issues

Various and sundry ...

Virtual Server

  1. Is it more secure ?
  2. Is it more time consuming ?

About Linode on semantastic.com

https://www.linode.com/docs/security/linux-security-basics - use fail2ban or denyhosts

See Notes/IPTables

HTTP Attacks

http://www.cgisecurity.com/

http://www.cgisecurity.com/fingerprinting-port80-attacks-a-look-into-web-server-and-web-application-attack-signatures-part-two.html

Shared Hosting Risks

http://resources.infosecinstitute.com/risks-on-a-shared-hosting-server/

http://blog.pclewis.com/2010/01/the-dangers-of-shared-hosting/

Site Lockdown

Good to have the ability to use Linux user permissions to make the DB file read-only. Sleep better knowing ...

A New Generation of Bad Hackers ?

http://www.net-security.org/article.php?id=2154

Enterprises must prepare for attacks on supply chain and POS in 2015

Is PHP Usable On Public Servers ?

https://www.phpsecure.info/pNews

See PHP

Why Is Email So Insecure ?

https://en.wikipedia.org/wiki/Email_injection

https://en.wikipedia.org/wiki/Category:Injection_exploits

Injection exploits are computer exploits that use some input or data entry feature to introduce some kind of data or code that subverts the intended operation of the system. Usually these exploits exploit vulnerabilities resulting from insufficient data validation on input and so forth.

Why is it that the "and so forth" worries me so much ?

http://www.damonkohler.com/2008/12/email-injection.html - old article
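The classic case behind the email injection link is header injection through a web form that builds the mail by string concatenation. Added example, not taken from the linked articles: the naive builder beside an EmailMessage-based one, plus a parser that shows the injected Bcc: line landing as a real header. The sample subject value is constructed.

```python
"""Email header injection: the naive builder lets a newline in user input add
headers (here a Bcc:); the EmailMessage builder refuses such values."""
import email
from email.message import EmailMessage
from email.policy import default

# Constructed attacker-controlled 'subject' field as submitted from a web form.
EVIL_SUBJECT = "Hello\r\nBcc: everyone@example.net"


def build_naive(to, subject, body):
    """Vulnerable: concatenates headers straight from user input."""
    return f"To: {to}\r\nSubject: {subject}\r\n\r\n{body}"


def build_safe(to, subject, body):
    """Hardened: EmailMessage's default policy raises ValueError on any header
    value containing CR or LF, so an injected line never becomes a header."""
    msg = EmailMessage()
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    return msg.as_string()


def has_header_injection(value):
    """Explicit input check for code paths that cannot use EmailMessage."""
    return "\r" in value or "\n" in value


def injected_recipients(raw):
    """Parse a raw message the way an MTA would and report any Bcc it carries."""
    msg = email.message_from_string(raw, policy=default)
    return [str(v) for v in (msg.get_all("Bcc") or [])]


if __name__ == "__main__":
    raw = build_naive("user@example.org", EVIL_SUBJECT, "hi")
    print("naive builder leaked Bcc to:", injected_recipients(raw))
    try:
        build_safe("user@example.org", EVIL_SUBJECT, "hi")
    except ValueError as exc:
        print("safe builder refused:", exc)
```

The "and so forth" is the whole problem: every header the application fills from user data ( To, Cc, Reply-To, Subject ) is a place where a CRLF turns data into protocol, and the same pattern recurs wherever a line-oriented text protocol is assembled by hand.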

Resources

https://www.suse.com/communities/conversations/ssh-secure-shell-tricks/

SSH (Secure Shell) Tricks ...

The tricks that will be covered in this article are “port forwarding”, “reverse port forwarding”, “executing remote commands without the need of logging in” and “restricting user to SFTP access only”.

https://www.ethicalhacker.net/features/book-reviews/anatomy-of-a-hack

This chapter is excerpted from the book titled “Protect Your Windows Network: From Perimeter to Data” By Jesper Johansson, Steve Riley,

http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines

https://www.owasp.org/index.php/Cheat_Sheets

http://www.adminbuntu.com/security

http://www.andrewault.net/2010/05/17/securing-an-ubuntu-server/

http://denyhosts.sourceforge.net/ - add auth.log offenders to deny.hosts

Denyhosts periodically scans /var/log/auth.log for repeated failures to access the system via SSH. It then adds these offenders to /etc/hosts.deny.
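What DenyHosts does ( and what the "use fail2ban or denyhosts" advice under Linode above amounts to ), as an added example rather than DenyHosts' own code: scan sshd failure lines, count failures per source address inside a time window, skip an allow-list so you cannot lock yourself out, and render /etc/hosts.deny entries. The log lines are constructed; the regex covers the common "Failed password for ..." format, and the year ( absent from syslog timestamps ) is a parameter.

```python
"""DenyHosts-style detection over auth.log: count SSH auth failures per source
address in a sliding window and emit hosts.deny lines for the offenders."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the common sshd failure lines in /var/log/auth.log.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample, not a real log.
SAMPLE_LOG = """\
Oct 16 11:10:01 host sshd[1001]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Oct 16 11:10:03 host sshd[1002]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
Oct 16 11:10:05 host sshd[1003]: Failed password for root from 198.51.100.7 port 51250 ssh2
Oct 16 11:10:06 host sshd[1004]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Oct 16 11:10:09 host sshd[1005]: Failed password for invalid user test from 198.51.100.7 port 51260 ssh2
Oct 16 11:10:11 host sshd[1006]: Failed password for invalid user test from 198.51.100.7 port 51270 ssh2
Oct 16 11:12:00 host sshd[1007]: Failed password for alice from 192.0.2.10 port 40010 ssh2
Oct 16 11:40:00 host sshd[1008]: Failed password for alice from 192.0.2.10 port 40020 ssh2
"""


def parse_failures(lines, year=2016):
    """Yield (timestamp, ip, user) for each failed-password line; ignore the rest."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def find_offenders(lines, threshold=5, window_seconds=600, allow=frozenset(), year=2016):
    """Return {ip: count} for addresses with >= threshold failures inside any
    window_seconds-long span. Allow-listed addresses (your own admin box) are
    skipped so a fat-fingered password cannot lock you out."""
    recent = defaultdict(deque)
    offenders = {}
    for ts, ip, _user in parse_failures(lines, year):
        if ip in allow:
            continue
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()                     # expire failures older than the window
        if len(q) >= threshold:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders


def hosts_deny_lines(offenders, service="sshd"):
    """Render /etc/hosts.deny entries (TCP wrappers syntax) for the offenders."""
    return [f"{service}: {ip}" for ip in sorted(offenders)]


if __name__ == "__main__":
    bad = find_offenders(SAMPLE_LOG.splitlines(), allow={"192.0.2.10"})
    print("\n".join(hosts_deny_lines(bad)))
```

One caveat before relying on hosts.deny at all: upstream OpenSSH dropped TCP wrappers ( libwrap ) support in 6.7, so check that the sshd actually installed still honours /etc/hosts.deny; if it does not, feed the same offender list to the packet filter instead ( see Notes/IPTables ), which is what fail2ban's default action does.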

http://en.wikipedia.org/wiki/Russian_Business_Network

The Russian Business Network (commonly abbreviated as RBN) is a multi-faceted cybercrime organization, specializing in and in some cases monopolizing personal identity theft for resale. It is the originator of MPack and an alleged operator of the now defunct Storm botnet.

http://en.wikipedia.org/wiki/Category:Cybercrime

https://blog.malwarebytes.org/intelligence/2013/02/tools-of-the-trade-exploit-kits/

List of Tools

From: https://coderwall.com/p/kopgca/setting-a-ssh-server-in-fedora-20

You can mitigate brute force attacks with the following:

  • DenyHosts is a Python based security tool for SSH servers.
  • Fail2ban is a similar program that prevents brute force attacks against SSH.
  • security/sshguard-pf protects hosts from brute force attacks against ssh and other services using pf.
  • security/sshguard-ipfw protects hosts from brute force attacks against ssh and other services using ipfw.
  • security/sshguard-ipfilter protects hosts from brute force attacks against ssh and other services using ipfilter.
  • security/sshblock blocks abusive SSH login attempts.
  • security/sshit checks for SSH/FTP bruteforce and blocks given IPs.
  • BlockHosts is an automatic blocking of abusive IP hosts.
  • Blacklist gets rid of those bruteforce attempts.
  • Brute Force Detection is a modular shell script for parsing application logs and checking for authentication failures.
  • IPQ BDB filter may be considered as a fail2ban lite.

Also See

Search wiki for 'security'

Search wiki for 'email'

Last modified on 10/16/2016 11:19:17 AM