Setting Up an Open Source Security Lab with Ubuntu

Photo by Markus Spiske on Unsplash

It's been a while since I had a dedicated Linux server in my home. In the early days of my career, I maintained a small "data centre" in my basement. It included BSD-based network storage via FreeNAS, a LAMP installation, a Linux-based firewall and directory server, and a Windows domain controller. I spent a lot of time testing my ideas and messing around with open source software. Over time I replaced these machines with commercial off-the-shelf products or moved services to the cloud. Eventually everything was replaced. The move seems to coincide with my then employer's outsourcing of network and system administration and application development. I think in the back of my mind I was thinking that it was pointless to learn to do something that I couldn't use. It's like learning to play a sport but never getting on the field. I got better at using my "soft" skills even as my hard skills atrophied.

I recently started consulting independently (again) and I realised that my knowledge wasn't as current as I wanted it to be. While it's great to have business skills that clients find important for bridging the communication gap between non-technical and technical staff, I wanted to stay sharp. I also realised that I missed my early days in information security when I was responsible for vulnerability management. I wanted back in, and I especially want to develop and hone a penetration testing skillset. I felt it was time to rebuild my lab.

I have two Raspberry Pi (RPi) devices on my home network and two Macs. The Macs are running OS X Yosemite and the RPis are running Raspbian. I consider the iMac and MacBook Air capable workstations but I think they are inadequate as a server. The RPi is too underpowered and too limited by memory and storage constraints. I installed and configured ownCloud on one of the RPi machines but performance was terrible. I spent two days getting ownCloud up and running on the RPi but removed the software and reconfigured the machine after only one day of use. I decided that a used server might be a better solution.

Server Hardware

My intention was to install a set of open source security tools including network and system vulnerability scanning, security event monitoring, intrusion detection, file integrity monitoring, and some sort of configuration management system. I wanted something powerful enough to handle the software stack, with enough storage to allow me to install, configure and test other software. After scouring eBay for a week I purchased a Dell PowerEdge 1950 server for $160. Information on the Dell PowerEdge:

  • Two Intel Xeon 3.0GHz Dual Core CPUs
  • 4GB of RAM
  • Two 146GB SAS 15K RPM Hard Drives
  • Dual Power Supplies
  • Dual Gigabit network cards
  • VGA/Serial/USB Ports
  • CD-ROM Drive

When the server arrived -- it is larger and heavier than I expected -- I went to the basement to set it up. But ... I had no power cords, no keyboard and no display. Over the years I was spoiled by Apple products. With the exception of the Mac mini and Mac Pro, all Macs ship with a display and a keyboard. This was a frustrating setback, but a few weeks later I now have a power cord, keyboard, and a display. The power cord and keyboard were donated by an office colleague from the excess he had sitting in a drawer. The display, a Dell P1913S, was purchased used from eBay. It has a small tear but the price, $50, was good for my budget. It supports VGA, HDMI and DisplayPort. Waiting for and acquiring the peripherals took some time, but I had everything in place last night when I installed Ubuntu. When I booted the device I noticed a BIOS error. After poking around in the BIOS I realized that one of the two 146GB drives had failed. I tried rebuilding the drive but that failed, so I pulled the drive from the chassis.

Building the Install Media

My intention was to install Ubuntu from a flash drive. The general procedure to install Ubuntu from a USB flash drive is:

  • Acquire the correct Ubuntu installation files ('the ISO')
  • Put Ubuntu onto your USB flash drive
  • Configure your computer to boot from USB flash drive and boot from it
  • Install Ubuntu to your internal drive (hard disk drive or solid state drive).

I thought I could just download a supported ISO for the Dell PowerEdge 1950 from Canonical's website and use the OS X Disk Utility (DU) app to create a bootable USB. This didn't work. I am not sure why. Some Google search-fu revealed that I first needed to convert the ISO to an IMG file and then do some other things to create a bootable USB flash install on OS X.

:~$ sudo hdiutil convert -format UDRW -o ubuntu-10.04.4-server-amd64.img ubuntu-10.04.4-server-amd64.iso
:~$ mv ubuntu-10.04.4-server-amd64.img.dmg ubuntu-10.04.4-server-amd64.img   # hdiutil appends .dmg to the output name it is given

After converting the ISO I followed the instructions to write the IMG to the flash drive. It seemed like the flash drive imaging was taking forever. I lost my patience after about 20 minutes. I wanted to get started right away. So while the USB flash drive was being imaged I tried burning the ISO to DVD with DU. That failed too. After a few minutes scratching my head, I burned the IMG I had just created to DVD with DU. This method finished before the USB flash drive was ready. Time for the OS install.
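The same procedure as a script, with the step the list above leaves out: checking the ISO against Ubuntu's signed SHA256SUMS before anything is written to the flash drive. This is an added example, not code from the original post. It assumes the files ubuntu-10.04.4-server-amd64.iso, SHA256SUMS and SHA256SUMS.gpg are in the current directory and that the flash drive is /dev/diskN (look N up with diskutil list); the checksum functions run anywhere, while the hdiutil/diskutil/dd steps are OS X only.

```shell
#!/bin/sh
# Added example, not from the original post: verify the downloaded ISO against
# Ubuntu's SHA256SUMS before it goes anywhere near a server, then build the USB
# stick on OS X the way the post describes (hdiutil convert, then dd).
# Assumptions: ubuntu-10.04.4-server-amd64.iso, SHA256SUMS and SHA256SUMS.gpg
# are in the current directory; /dev/diskN is the flash drive ("diskutil list").

sha256_of() {
    # Portable SHA-256 hex digest: coreutils sha256sum on Linux, Perl shasum on OS X.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

verify_sums_signature() {
    # The checksum file only proves integrity if it is itself trusted: Ubuntu
    # signs it, and gpg --verify can only succeed once the Ubuntu CD image
    # signing key has been imported into your keyring.
    gpg --verify "${1:-SHA256SUMS.gpg}" "${2:-SHA256SUMS}"
}

verify_iso() {
    # $1 = ISO path, $2 = SHA256SUMS file. Lines look like "<hex> *<filename>".
    # Returns 0 on match, 1 on mismatch, 2 when the file is not listed at all.
    iso="$1"; sums="$2"
    name=$(basename "$iso")
    expected=$(awk -v n="$name" '{ f = $2; sub(/^[*]/, "", f); if (f == n) print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 2
    fi
    actual=$(sha256_of "$iso")
    if [ "$actual" != "$expected" ]; then
        printf 'checksum mismatch for %s\n expected %s\n actual   %s\n' "$name" "$expected" "$actual" >&2
        return 1
    fi
    echo "OK: $name matches $sums"
}

write_usb_osx() {
    # $1 = verified ISO, $2 = N of /dev/diskN. Destructive: dd overwrites the whole stick.
    iso="$1"; n="$2"
    img="${iso%.iso}.img"
    hdiutil convert -format UDRW -o "$img" "$iso"
    mv "$img.dmg" "$img"                        # hdiutil appends .dmg to the name it is given
    diskutil unmountDisk "/dev/disk$n"
    sudo dd if="$img" of="/dev/rdisk$n" bs=1m   # rdisk (raw device) is much faster than disk
    diskutil eject "/dev/disk$n"
}

# Usage:  sh mkusb.sh verify ubuntu-10.04.4-server-amd64.iso SHA256SUMS
#         sh mkusb.sh write  ubuntu-10.04.4-server-amd64.iso 2
case "${1:-}" in
    verify) verify_sums_signature && verify_iso "$2" "$3" ;;
    write)  verify_iso "$2" SHA256SUMS && write_usb_osx "$2" "$3" ;;
esac
```

Run the verify step on the workstation first; only when it prints OK is the 20 minutes of dd time worth spending. A mismatch means a corrupt or substituted download, which is exactly the thing you do not want as the base image of a security lab.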

Install the OS

I booted the Dell from the install DVD, answered a bunch of questions, and created the root and a standard user account. Once the server booted into Ubuntu I made sure that the SSH daemon was running and sat on the couch with my MacBook Air to complete the initial security configuration. This is one thing I love about UNIX/Linux. Almost anything can be accomplished from the terminal -- remote or local. I used apt to install missing OS patches but after doing that, I realized I should do an OS release update instead.

:~$ sudo do-release-upgrade   # on 10.04 LTS this moves to the next LTS release, 12.04

The release upgrade seemed to take forever but once it was complete I configured the server firewall using UFW. I remember in the past when I had to create Linux iptables firewall rules by hand. UFW makes changing the firewall rules trivial. I edited /etc/default/ufw to make sure IPv6 support was enabled (IPV6=yes) and started creating firewall rules. At a minimum I need a way to secure remote access to the server and allow web services. From a security perspective I wanted to follow my practice of "that which is not explicitly allowed is denied". I enabled access to SSH on port 22 and secure web services on port 443 via a firewall on Ubuntu with UFW.

:~$ sudo ufw allow ssh      # TCP 22 (from /etc/services)
:~$ sudo ufw allow www      # TCP 80; this also opens plain HTTP, not only 443
:~$ sudo ufw allow 443      # no protocol given, so both TCP and UDP 443; "443/tcp" is tighter
:~$ sudo ufw enable         # default policy is deny incoming / allow outgoing
:~$ sudo ufw logging on     # "on" is the same as "low"
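The same firewall as a repeatable script, with the tightening a practitioner would want on a box that will also run scanners and an IDS: SSH restricted to the LAN and rate-limited, HTTPS only, and an audit of the live rule set. This is an added example rather than the commands from the post. It assumes the home LAN is 192.168.1.0/24 (LAN_NET) and that SSH is never needed from outside it; setting UFW=echo turns the apply step into a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example, not from the original post: the default-deny firewall as a
# repeatable script, plus an audit of "ufw status verbose" output.
# Assumptions: the home LAN is 192.168.1.0/24 (override with LAN_NET) and SSH
# is only ever needed from that LAN. UFW=echo makes apply_firewall a dry run.

UFW="${UFW:-ufw}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

apply_firewall() {
    # Default-deny for inbound traffic. UFW's "deny what is not explicitly
    # allowed" covers incoming (and routed) packets only; outbound is allowed
    # by default, so an implant on the box can still phone home.
    "$UFW" default deny incoming
    "$UFW" default allow outgoing
    # SSH: LAN only and rate-limited (UFW denies a source that opens more than
    # 6 connections in 30 seconds), which blunts password guessing.
    "$UFW" limit proto tcp from "$LAN_NET" to any port 22
    # HTTPS only. The original rules also allowed "www" (TCP 80) and a bare
    # "443", which opens UDP 443 as well.
    "$UFW" allow 443/tcp
    # "logging on" is the same as "low"; "medium" also logs every new
    # connection, useful when the box doubles as the place you test IDS rules.
    "$UFW" logging medium
    # --force skips the "may disrupt existing ssh connections" prompt; safe
    # here because the SSH rule exists before the firewall is switched on.
    "$UFW" --force enable
}

audit_ufw_status() {
    # Reads "ufw status verbose" output on stdin; $1 is the space-separated list
    # of ports that may have inbound rules. Returns 1 if any other port is open.
    allowed=" $1 "
    rc=0
    while IFS= read -r line; do
        case "$line" in
            *"ALLOW IN"*|*"LIMIT IN"*) ;;
            *) continue ;;
        esac
        port="${line%%[[:space:]]*}"   # first column: "22/tcp", "443/tcp (v6)" -> "443/tcp"
        port="${port%%/*}"             # strip the protocol
        case "$allowed" in
            *" $port "*) ;;
            *) echo "unexpected inbound rule: $line" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample of "ufw status verbose" output, for trying the audit offline.
SAMPLE_STATUS='Status: active
Logging: on (medium)
Default: deny (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT IN    192.168.1.0/24
443/tcp                    ALLOW IN    Anywhere
443/tcp (v6)               ALLOW IN    Anywhere (v6)'

# Usage:  sudo sh firewall.sh apply
#         sudo ufw status verbose | sh firewall.sh audit "22 443"
#         UFW=echo sh firewall.sh apply        # print the commands only
case "${1:-}" in
    apply) apply_firewall ;;
    audit) audit_ufw_status "${2:-22 443}" ;;
esac
```

The audit is the part worth keeping around: run it after every tool install, because packages such as OpenVAS or a web console for Snort happily add listeners, and the rule set drifts away from "22 and 443 only" without anyone noticing.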

Next Steps

My next steps are to install other security software on the Ubuntu server. I took an early stab at installing Tripwire and OpenVAS but I'll need more time to understand how to configure these correctly.

Starting a Security Tools Lab at Home

I recently realised that although I have worked in the information security space for almost 13 years, in the last few years I have done less "hands-on" work. When my last full-time employer made the switch to a fully outsourced IT stack there was less need for the security analyst to work with technology. The team made the transition to a governance, risk and compliance (GRC) model, with my role morphing into more of an internal security consultant. I was no longer responsible for the day-to-day tasks of vulnerability assessment, network intrusion detection and log management.

This didn't mean I had no skills. It just meant that my current skill set was more suited to building or advising on information security architectures, critical controls, policies, procedures, and standards. I have good to great presentation skills. I have practised my writing over the years and written a few internal white papers. I can stand in front of a room of senior managers and directors and discuss business strategy, and collaborate across multiple business units to achieve shared goals. I can walk and talk in the language of technology and business.

When my role was eliminated in 2013 and I went back to working as an independent security consultant, I realised how much my hands-on skill set had atrophied. I found myself stumbling to remember how to use Nmap and wasn't up to date on the latest open source security tools. I wasn't even aware that OpenVAS was really Nessus. I panicked, thinking "I'm over the hill now!".

These hands-on technical skills are not what my current client finds valuable. Most of what I've accomplished in my projects over the last two years of consulting has been to help build an information security architecture to achieve certain business compliance objectives. It's what my clients want/need and they are very appreciative of my efforts and the results.

However, I want to expand on what I can offer future clients. There is an uptick in demand for experienced information security professionals and I want to position my skill set and service offering to take full advantage. The question I asked myself was "how can I brush the dust from my technical skills and polish them?".

There are two strategies I am pursuing simultaneously.

  • Training
  • Building a lab

I want to develop my penetration testing and vulnerability assessment skills. Perhaps due to the large number of highly public security breaches in 2013 and 2014, many organisations are realising that they need to do more to find and fix the flaws in their systems. The attackers have become very good at exploiting weaknesses -- some of which have been around for decades -- in some of the core services of operating systems and networks. I think penetration and vulnerability testing is one area where demand will continue to grow. However, pursuing training is the tougher of the two to deal with.

Many of the training classes I want to take are expensive. A single SANS course is about $5000. The cost of the course plus the loss of income during the week I am attending the courses makes the overall cost difficult to swallow. But … if I want to be successful I have to find a way.

The other option is for me to do all the training online. This would allow me the flexibility of working during the day and studying at night. Online courses tend to be cheaper as well. Some of the courses provide a lab for students to test out the techniques taught in the course. I haven’t made any decisions on training as yet but I have put some thought into building a lab where I can play around with some of the open-source security tools.

At first, I thought that perhaps I would build out the lab using OS X. I could use my iMac for assessment and monitoring and my MacBook Air for the pen-testing machine. I could certainly find OS X ports of most of (if not all) the tools. But I use these two machines for other purposes. The iMac is for photo editing and writing and the MacBook Air is my minimal viable mobile office and presentation device. I really want to have devices dedicated to security related tasks.

To build a test lab I bought a used Dell Blade Server on eBay. It has enough CPU, memory and storage for this purpose. I plan on installing a Linux distro. I'm not sure whether it would be better to install Ubuntu Server and then install or build the security tools, or just install a distro like Kali Linux that's geared toward pen testers. I'm not sure as yet.

I plan on installing and configuring the following assessment tools.

  • OpenVAS for network and system vulnerability assessment
  • ZMap for network scanning
  • Nmap for network discovery and server profiling
  • Nikto for application security assessment
  • WhatWeb for application profiling

In addition to the tools mentioned I want to try network and system monitoring tools such as Snort, OpenSCAP, Open Source Tripwire and Splunk. It will be nice to re-familiarize myself with tools such as Snort and Splunk.

My home network has 19 IP-enabled devices. I have iOS devices, a few Macs, two Raspberry Pi, and some embedded Linux devices. I think these will give me enough traffic to test these tools out.

So far progress has been slow. I have my blade server sitting in the basement but I have yet to install the OS and connect it to the network. Many years ago (circa 2008?) I got rid of all the superfluous PC style machines in my basement and bought an iMac and MacBook. I’ve bought only Macs since then. Part of the reason for the delay is that I have no power cables, display, or keyboards to attach to the server. I may have to do another search on eBay for a small used display and keyboard. I only need it to install the OS and setup SSH. After that, I can connect to it remotely.

In the meantime I installed Kali Linux on one of my Raspberry Pi machines. I still can't use it since Kali Linux defaults to having no running services. I can't log in to turn on the service without a display. I am also hoping to repurpose an old Mac mini G4 to run Linux. Again, the lack of a display hinders those efforts.

So … I’m off to eBay. I need a minimum of a 14” monitor and a keyboard to get started.

I'm (mostly) free of the Google "Collective"

Google launched Google+, their social network for nerds[1], in 2011. It had almost no impact on real people, and growth was slow. Being the impatient type -- wanting Facebook-type numbers without the effort -- Google decided to force everyone using any Google service to use Google+. They have been inflating their numbers via tricks on Gmail signups, requiring Google accounts for Google Play and YouTube comments, and turning Google search into a social ranking system. They've managed to convince the cheapskates of the world -- the people addicted to FREE -- to hand over information that Google then mines and sells to advertisers. You are the product, not the customer. Your web behaviour is being tracked and analysed in EVERY Google service, even when you tell Google not to, and on Android devices. Google probably knows you better than you know you.

But unlike Google's legions of fandroids and glassholes, I know better. For the head-up-Google's-ass types who might be reading this, if you have no worries about privacy and nothing to hide, I suggest attaching a GoPro -- sorry, I forgot you have Google Glass -- to your body and live streaming your life to your personal YouTube channel. Your sex life, your showers, your masturbation habits, your intimate conversations ... broadcast them all. You have nothing to hide, and you don't need privacy.

I am on a quest to reduce my reliance on Google services. I am willing to delete my Gmail account, one that I've had since the beta launched in 2004, and move to another service. I'm eager to move my Google Calendar, the one letting Google know who I'm with, when and where. I'll find a way to share photos without using Picasa Web and without having Google run face recognition on them so that they can better track us. I'll find a less creepy way to share documents and videos than Google Docs and YouTube. Google won't be able to track my phone calls and texts and listen to my voicemail anymore.

Browser

I will no longer use Google Chrome. I don't trust it. For day-to-day use, I have switched to using the WhiteHat Aviator or Safari with the Disconnect privacy extension.

WhiteHat Aviator comes ready-to-go with hardened security and privacy settings, giving hackers less to work with. And our browser downloads to you – without any hidden user-tracking functionality. Our default search engine is DuckDuckGo – not Google, which logs your activity. For good measure, Aviator integrates Disconnect – a crucial extension that blocks advertisements and much of the privacy-destroying tracking users across the Internet.

Email

I plan to move my Gmail and Google Apps hosted email accounts to a paid IMAP service provider. The shortlist includes FastMail and Runbox. Both services offer trial accounts, and I moved one domain during the trial period. Both offer migration tools for importing all existing mail, including folders, to the new account.

Gmail has some great spam filters. I'm not sure either FastMail or Runbox can match it. I'm already looking for alternatives. I don't mind paying a nominal fee for spam filtering.

Documents

I've never been a heavy user of Google Drive or Google Docs. I prefer Dropbox or Box. Apple updated iCloud this summer, and it now offers similar functionality to Google Docs. In fact, on the Mac, it's better. I can start a presentation in Keynote on OS X, save to iCloud and continue working on my Pages on my iPad, or make edits in Pages in a browser in iCloud.com. Dropbox or Box documents can be opened/saved via any iWork apps on iOS or OS X. The combination of Dropbox/Box and iCloud easily replaces Google Drive. Office365 is a great paid replacement for Google Drive if you prefer Microsoft products.

Telephony

I found a few alternatives to Google Voice. I created an account with Line2, and I am researching [Phonebooth] and SendHub. Neither Line2 nor Phonebooth seems to match the features of Google Voice -- call forwarding and voicemail being the major ones. SendHub seems feature complete but won't be cheap. But that's a small price to pay compared to starving Google of the value of my personal phone call information.

[Phonebooth]: https://phonebooth.com

Calendar

Moving my calendar should be relatively easy. While Google Calendar integrates more easily with Google+ events, there are no benefits to Google Calendar over iCloud.com, Live Calendar, or Zoho Calendar.

Video

I've started to upload my videos to Vimeo. The free account limits my bandwidth to only a few videos uploaded per month and limits the quality of the video. That's good enough for now. I may, at some point, decide that the quality gap is too high and upgrade to a paid account. In the meantime, I've deleted my YouTube account. I've had that account for almost a decade, but I didn't have any qualms about deleting all my videos and the user account.

Photos

I've had a Flickr account since before Google bought PicasaWeb (now Google+ Photos) and integrated it into their data collection empire. I've started to rely on that service more in the short term. Yahoo and Google are in the same data collection business. I also have a paid account on 500px but prefer to reserve that account for only my best work. I want a platform to share photos with my friends and family. Perhaps a paid user account with SmugMug might be best.


  1. Seriously, it's a photo/tech nerd sausage fest. Nothing you say will convince me otherwise. Frack off!