Tag: Open Source

Posted on
by

Using cipherscan to test the TLS certificate configuration of my web server.

Cipherscan tests the ordering of the SSL/TLS cyphers on a given target, for all major versions of SSL and TLS. It also extracts some certificates information, TLS options, OCSP stapling and more. Cipherscan is a wrapper above the OpenSSL s_client command line.

Cipherscan is meant to run on all flavors of UNIX. It ships with its own built of OpenSSL for Linux/64 and Darwin/64. On other platforms, it will use the OpenSSL version provided by the operating system (which may have limited ciphers support), or your own version provided in the -o command line flag.

Posted on
by
Photo by Markus Spiske on Unsplash

Photo by Markus Spiske on Unsplash

It’s been a while since I had dedicated Linux server in my home. In the early days of my career, I maintained a small “data centre” in my basement. It included BSD based network storage via FreeNAS, a LAMP installation, a Linux-based firewall and directory server, and a Windows domain controller. I spent a lot of time trying testing my ideas and messing around with open source software. Over time I replaced these machines with commercial off the shelf products or moved services to the cloud. Eventually everything was replaced. The move seems to coincide with my then employer’s outsourcing of network and system administration and application development. I think in the back of my mind I was thinking that it was pointless to learn to do something that couldn’t use. It’s like learning to play a sport but never getting on the field. I got better at using my “soft” skills even as my hard skills atrophied.

I recently started consulting independently (again) and I realised that my knowledge wasn’t as current as I wanted it to be. While it’s great to have business skills that clients find important to help bridge the communications gaps between the non-technical and technical staff I wanted to stay sharp. I also realised that I missed my early days in information security when I was responsible for vulnerability management. I wanted back in and I especially want to develop and hone a penetration testing skillset. I felt it was time to re-build my lab.

I have two Raspberry Pi (RPi) devices on my home network and two Macs. The Macs are running OS X Yosemite and the RPi are running Raspian. I consider the iMac and MacBook Air as capable workstations but I think they are inadequate for a server. The RPi is too underpowered and to limited by memory and storage constraints. I installed and configured ownCloud on one of the RPi machines but performance was terrible. I spent two days getting ownCloud up and running on the RPi but removed the software and reconfigured the machine after only one day of use. I decided that a used server might be a better solution.

Server Hardware

My intentions were to install a set of open source security tools including network and system vulnerability scanning, security and event monitoring, intrusion detection, file integrity monitoring, and some sort of configuration management system. I wanted something that is powerful enough to handle the software stack with enough storage to allow me to install, configure and test other software. After scouring eBay for a week I purchased a Dell PowerEdge 1950 server for $160.Information on the Dell PowerEdge:

  • Two Intel Xeon 3.0GHz Dual Core CPU
  • 4GB of RAM
  • Two 146GB SAS 15K RPM Hard Drives
  • Dual Power Supplies
  • Dual Gigabit network cards
  • VGA/Serial/USB Ports
  • CD-ROM Drive

When the server arrived — it is larger and heavier than I expected — I went to the basement to set up. But … I had no power cords, no keyboard and no display. Over the years I was spoiled by Apple products. With the exception of the Mac mini and Mac Pro, all Macs ship with a display and a keyboard. This was a frustrating set back but a few weeks later I now have a power cord, keyboard, and a display. The power cord and keyboard were donated by an office colleague from the excess he had sitting in a drawer. The display, a Dell P1913S, was purchased used from eBay. It has a small tear but the price, $50, was good for my budget. It supports VGA, HDMI and DisplayPort.Waiting and acquiring the peripherals took some time but I had everything in place last night when I installed Ubuntu. When I booted the device I noticed a BIOS error. After poking around in the BIOS I realized that one of the two 146GB drives had failed. I tried rebuilding the drive but that failed so I pulled the drive from the chassis.

Building the Install Media

My intention was to install Ubuntu from a flash drive. The general procedure to install Ubuntu from a USB flash drive is:

  • Acquire the correct Ubuntu installation files (‘the ISO’)
  • Put Ubuntu onto your USB flash drive
  • Configure your computer to boot from USB flash drive and boot from it
  • Install Ubuntu to your internal drive (hard disk drive or solid state drive).

I thought I could just download a supported ISO for the Dell PowerEdge 1950 from Canonical’s website and use the OS X Disk Utility (DU) app to create a bootable USB. This didn’t work. I am not sure why. Some Google search foo revealed that I first needed to convert the ISO to an IMG file and then do some other things to create a bootable USB flash install on OS X.

:~$ sudo hdiutil convert -format UDRW -o ubuntu-10.04.4-server-amd64.img ubuntu-10.04.4-server-amd64.iso

After converting the ISO I followed the instructions to burn the IMG to disk. It seemed like the flash drive imaging was taking forever. I lost my patience after about 20 minutes. I wanted to get started right away. So while the USB flash drive was being imaged I tried burning the ISO to DVD with DU. That failed too. After a few minutes scratching, my head I burned the IMG I just created to DVD with DU. This method finished before the USB flash drive was ready. Time for the OS install.

Screenshot 2015-03-30 20.22.22

Install the OS

I booted the Dell from the install DVD, answered a bunch of questions, and created the root and a standard user account. Once the server booted into Ubuntu I made sure that the SSH daemon was running and sat on the couch with my MacBook Air to complete the initial security configuration. This is one thing I love about UNIX/Linux. Almost anything can be accomplished from the terminal — remote of local. I used apt to install missing OS patches but after doing that, I realized I should do an OS release update instead.

:~$ sudo do-release-upgrade

The release upgrade seemed to take forever but once it was complete I configured the server firewall using UWF. I remember in the past when I had to create Linux iptables firewall rules by hand. UFW make changing the firewall rules trivial. I edited /etc/default/ufw to make sure IPV6 support was enabled (IPV6=yes) and started creating firewall rules. At a, minimum I need a way to secure remote access to the server and allow web services. From a security perspective I wanted to follow my practice of “that which is not explicitly allowed is denied”. I enabled access to SSH on port 22 and secure web services on port 443 via a firewall on Ubuntu with UFW.

:~$ sudo ufw allow ssh
:~$ sudo ufw allow www
:~$ sudo ufw allow 443
:~$ sudo ufw enable
:~$ sudo ufw logging on

Next Steps

My next steps are to install other security software on the Ubuntu server. I took an early stab at installing Tripwire and OpenVAS but I’ll need more time to understand how to configure these correctly.

Posted on
by
Raspberry Pi's

  • Aperture—ƒ/2.8
  • Camera—Canon EOS 60D
  • Taken—10 June, 2013
  • Exposure bias—-1/3EV
  • Flash fired—no
  • Focal length—50mm
  • ISO—320
  • Shutter speed—1/800s

I recently realised that although I have worked in the information security space for almost 13 years, the last few years I have done less “hands on” work. When my last full-time employer made the switch to a full outsourced IT stack there was less of a need for the security analyst to work with technology. The team made the transition to a governance, risk and compliance (GRC) model with my role morphing into more of an internal security consultant. I was no longer responsible for doing the day-to-day task of vulnerability assessment, network intrusion detection and log management.

This didn’t mean I had no skills. It just means that my current skill set was more suited to building or advising on information security architectures, critical controls, policies, procedures, and standards. I have good to great presentation skills. I had practised my writing over the years and written a few internal white papers. I could stand in front of a room of senior managers and directors and discuss business strategy and collaborate across multiple business units to achieve shared goals. I can talk and walk in the language of technology and business.

When my role was eliminated in 2013, I went back to working as an independent security consultant, I realised how much my hands-on skill set had atrophied. I found myself stumbling to remember how to use NMAP and wasn’t up to date on the latest open source security tools. I wasn’t even aware that OpenVAS was really Nessus. I panicked, thinking “I’m over the hill now!”.

These hands-on technical skills are not what my current client finds valuable. Most of what I’ve accomplished in my projects over the last two years of consulting has been to help build an information security architecture to achieve certain business compliance objectives. It’s what my client’s wants/needs and they are very appreciative of my efforts and the results.

However, I want to expand on what I can offer future clients. There is an uptick in demand for experienced information security professionals and I want to position my skill-set and service offering to take full advantage. The question I asked myself was “how can I brush the dust from my technical skills and polish them”.

There are two strategies I am pursuing simultaneously.

  • Training
  • Building a lab

I want to develop my penetration testing and vulnerability assessment skills. Perhaps due to a large number of highly public security breaches in 2013 and 2014, many organisations are realising that they need to do more find and fix the flaws in their systems. The attackers have become very good at exploring weakness — some of which have been around for decades — in some of the core services of operating systems and networks. I think penetration and vulnerability testing is one area where demand will continue to grow. However, pursuing training is the toughest one to deal with.

Many of the training classes I want to take are expensive. A single SANS course is about $5000. The cost of the course plus the loss of income during the week I am attending the courses makes the overall cost difficult to swallow. But … if I want to be successful I have to find a way.

The other option is for me to do all the training online. This would allow me the flexibility of working during the day and studying at night. Online courses tend to be cheaper as well. Some of the courses provide a lab for students to test out the techniques taught in the course. I haven’t made any decisions on training as yet but I have put some thought into building a lab where I can play around with some of the open-source security tools.

At first, I thought that perhaps I would build out the lab using OS X. I could use my iMac for assessment and monitoring and my MacBook Air for the pen-testing machine. I could certainly find OS X ports of most of (if not all) the tools. But I use these two machines for other purposes. The iMac is for photo editing and writing and the MacBook Air is my minimal viable mobile office and presentation device. I really want to have devices dedicated to security related tasks.

To build a test lab I bought a used Dell Blade Server on eBay. It has enough CPU, memory and storage for this purpose. I plan on installing a Linux distort. I’m not sure if it would be better to install Ubuntu Server and then install or build the security tools or just install a Linux distro like Kali Linux that’s geared toward pen testers. I’m not sure as yet.

I plan on installing and configuring the following assessment tools.

  • OpenVAS for network and system vulnerability assessment
  • ZMap for network scanning
  • Nmap for network discovery and server profiling
  • Nikto for application security assessment
  • WhatWeb for application profiling

In addition to the tools mentioned I want to try network and system monitoring tools such as Snort, OpenSCAP, Open Source Tripwire and Splunk. It will be nice to re-familiarize myself with tools such as Snort and Splunk.

My home network has 19 IP-enabled devices. I have iOS devices, a few Macs, two Raspberry Pi, and some embedded Linux devices. I think these will give me enough traffic to test these tools out.

So far progress has been slow. I have my blade server sitting in the basement but I have yet to install the OS and connect it to the network. Many years ago (circa 2008?) I got rid of all the superfluous PC style machines in my basement and bought an iMac and MacBook. I’ve bought only Macs since then. Part of the reason for the delay is that I have no power cables, display, or keyboards to attach to the server. I may have to do another search on eBay for a small used display and keyboard. I only need it to install the OS and setup SSH. After that, I can connect to it remotely.

In the meantime I installed Kali Linux on one of my Raspberry Pi machines. I still can’t use it since Kali Linux defaults to having no running services. I can’t login to turn on the service without a display. I am also hoping to repurpose and old Mac mini G4 to run Linux. Again, the lack of a display hinders those efforts.

So … I’m off to eBay. I need a minimum of a 14” monitor and a keyboard to get started.