Posts

Locking down a terminal server

1. Create an OU for your terminal servers and put all of your terminal servers in this OU.
2. Create a new GPO (Group Policy Object) for the lockdown of the terminal servers.
3. Under the computer settings of the GPO, enable “loopback processing” with the “Replace” option.
4. Once you have created the Group Policy, link it to the OU that you created in step one.
5. This step is important: you must go into the security properties of the GPO that you created, add the name of the server with a “$” at the end and give it the “apply” permission.
6. Add the group that you want to apply this lockdown policy to. You can add Authenticated Users or Domain Users.
7. Make sure the Administrator account or Administrators group has the deny checkbox for “apply” in the security tab. Entire article can be found here.

My Linux Asterisk server getting hacked!

After seeing numerous log entries from attempts to hack my Linux box, I decided it is time to learn how to implement iptables for security.
A copy of the log file can be found here: log-file.
The way I can tell I’m being attacked is by opening my /var/log/messages file, which you can see in its entirety in the linked log file. I see what appears to be a brute-force SSH attack. I can see the attacker’s IP is 211.151.64.106. If I do an ARIN lookup on this IP I see the network is in Asia and the ISP owns 210.0.0.0 – 211.255.255.255. Lucky for me I don’t need anyone in Asia to access my box, so I’m going to block this entire network.

First thing I need to do is verify iptables is installed by typing:
iptables

The output I get is below; this is good, it means iptables is already installed:
Try `iptables -h' or 'iptables --help' for more information.
Next thing I need to do is list my current iptables rules:
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

You can see from these rules I have absolutely none configured.
Next I’m going to add my rules to block the IP that is attacking my machine:
iptables -A INPUT -s 210.1.1.1/8 -j DROP
iptables -A INPUT -s 211.1.1.1/8 -j DROP
iptables -A INPUT -s 212.1.1.1/8 -j DROP

These are actually entire subnets that I’m blocking, because they’re registered in Asia and my server doesn’t need to communicate with this ISP anyway.
The next thing I’m going to do is save my active iptables rules to my startup configuration so that these rules load when my computer reboots:
/etc/init.d/iptables save active
The next thing I’m going to do is reboot my server and verify these rules still exist:
shutdown -r now
Once the PC is back online, I verify my rules:
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP       all  --  210.0.0.0/8          anywhere
DROP       all  --  211.0.0.0/8          anywhere
DROP       all  --  212.0.0.0/8          anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

You can see now that I have 3 active rules which will block all incoming communication from these three address blocks.
Now don’t get me wrong, I’m no Unix expert, and I’m sure there is a way to combine all of these into one, but I don’t feel like trying to figure out what it is right now. So this should get the job done.
If you want to delete any of these rules, you can delete them by their position (1, 2 or 3) in the INPUT chain. Keep in mind that the remaining rules are renumbered after each deletion, so to remove all three, delete from the highest position down:
iptables -D INPUT 3
iptables -D INPUT 2
iptables -D INPUT 1

These three commands will effectively delete all of the entries I’ve made.
After going through my log file and blocking out all these IPs I noticed a trend. They are all registered to foreign countries. Luckily for me my voice server doesn’t need to communicate with these countries. So I’ve decided to block all traffic from the Asian continent. You can do the same by copying and pasting the code here:
iptable-entry-syntax1 
A note on this: if you decide you want to start over from scratch, you can reset the default policies to ACCEPT, flush all rules and delete all of your custom chains by typing:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -X

My next step here is monitoring my /var/log/messages in real time for a while to make sure I’m not still getting attacked. I can do this by typing the following:
tail -f /var/log/messages
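As an added example (not from the original post), here is a small POSIX shell script that does the log review described above automatically: it counts sshd “Failed password” entries per source address in some constructed /var/log/messages lines and prints the same iptables DROP rule the post uses for every address at or above a failure threshold, so the rules can be reviewed before being run as root. The hostname, process IDs and addresses in the sample are made up.

```shell
#!/bin/sh
# Constructed sample of sshd entries in /var/log/messages format (not real data).
SAMPLE_LOG='Mar 14 03:21:07 asterisk sshd[4311]: Failed password for invalid user admin from 211.151.64.106 port 51234 ssh2
Mar 14 03:21:09 asterisk sshd[4311]: Failed password for root from 211.151.64.106 port 51236 ssh2
Mar 14 03:21:12 asterisk sshd[4315]: Failed password for invalid user test from 211.151.64.106 port 51240 ssh2
Mar 14 03:22:01 asterisk sshd[4320]: Failed password for root from 192.0.2.10 port 40012 ssh2
Mar 14 03:22:30 asterisk sshd[4322]: Accepted password for pbxadmin from 192.0.2.50 port 40100 ssh2'

# failed_ssh_sources LOGTEXT MIN
# Prints every source IP with at least MIN failed SSH logins in LOGTEXT,
# one per line, busiest first. Only sshd "Failed password" lines count;
# the address is the word following "from".
failed_ssh_sources() {
    printf '%s\n' "$1" |
    awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' |
    sort -rn | awk '{ print $2 }'
}

# drop_rule ADDRESS
# Prints the iptables command from the post for one address or CIDR block.
# It only prints the command; nothing is changed until you run it yourself.
drop_rule() {
    printf 'iptables -A INPUT -s %s -j DROP\n' "$1"
}

# Usage: propose a DROP rule for every source with three or more failures.
failed_ssh_sources "$SAMPLE_LOG" 3 | while read -r ip; do drop_rule "$ip"; done
```

To run it against the real file, replace "$SAMPLE_LOG" with "$(cat /var/log/messages)" and pipe the printed rules to sh only after reading them.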

Data Encryption

Computers give us a remarkable amount of convenience. With one machine, we can send mail and pictures to friends, go shopping, pay bills, make appointments and confirm any number of different pieces of information in our lives. But all of this convenience can be horribly misused in the case of computer hacks and information exploits. With identity theft as a big worry these days, some home users are turning to data encryption as a way to protect important documents. Data encryption is a way to keep files and folders safe from unauthorized access, and there are several free options out there for the home user. There are several tips that the average PC user can use to decide which program to choose when deciding on a data encryption option.
Ease of use – is the program or hardware simple to use? Most people don’t have a great deal of time to learn to use new software, or to spend hours installing and configuring new hardware.
Functionality – not all data encryption programs are created equally. Some will encrypt files and folders on your computer, while others will encrypt an entire data drive. Still others encrypt email and chat conversations for increased privacy and security. Look carefully to decide which of these options best fits your requirements.
Portability – if you have a lot of data on USB flash drives or portable hard drives, portable data encryption is an ideal solution to ensure that your data that travels remains secure.
Price – pricing for data encryption varies widely. Some options are free, while others may cost as much as a few hundred dollars to implement. Compare functionality and ease of use carefully before deciding to shell out big bucks for that shiny new encryption choice.
With the myriad of data encryption options currently available, even the private home user can take steps to protect vital information. Given all that we use our computers for, and all of the data we transmit day in and day out, data encryption for home users just makes sense.

Is your Wireless Network Secure

Networking professionals are encouraging people to think twice about wireless network security. You might be thinking, “I use WEP 128-bit encryption with MAC address filtering, I’m safe.” Or maybe you’ve never even heard of WEP; if this is the case you might want to unplug your wireless access point immediately. But then again, look at the bright side: at least you don’t have the false sense of security that your network is secure. Perhaps you are the smart guy who knows how insecure wireless networks are. You too are at just an equal risk!

Your computer consultant might be partially right when they say WEP will protect your network. It will protect your network from casual snooping, but that is about it. Last year the FBI was able to crack a WEP-protected network in less than 3 minutes with tools widely available on the internet. Since then it’s been downhill for WEP.

At this point you might be thinking, “Oh well, someone gets on my network and uses the internet.” This is completely false. If someone has gone through the process of getting on your network, chances are the only thing they want is not internet access. Any computer security professional will tell you that physical access to the network is 95% of the security battle. Once this has been accomplished you can consider all of your data compromised. Customer invoices, customer data, credit card numbers and passwords to financial institutions will all be in the hands of a hacker. Any one of many methods can be used to gain access to your personal data, whether it’s through keyloggers, Trojans, or just by sniffing your plaintext network traffic.

Maybe, just maybe, I have not convinced you of the insecurities of wireless networks. Let me tell you about another attack that hackers can use to gain access to your network. Let’s say your access points are completely locked down, to your knowledge. A user from your network flips on their laptop while sitting in an airport terminal waiting for a plane. They see an available insecure wireless network, so they click on it and connect. None of us have ever done this before, right, itching to check their email one last time before heading out of town? Unbeknownst to them, they have just connected to a fake honeypot wireless network set up by a rogue hacker, and before they can even realize it their machine is already being scanned. Picture for a moment that this user could be anywhere, even sitting at a desk in your network. As long as the rogue access point’s signal is stronger than your AP’s radio signal, your security is done.

Maybe you fall into the category of never setting up wireless networks because you read about their insecurities. How then can you be at risk? Just consider for a moment that a user in your organization fires up his wireless card and sees a wireless network named XYZCorp after your company. So they connect to it, and immediately a script is hammering their machine for security vulnerabilities. Once again they connected to a rogue access point set up by a hacker. Now you might be thinking, “C’mon, you must have to be a computer genius to find and run these tools.” Think again: thanks to the kind people over at remote-exploit.org, all these tools can be downloaded in one big happy ISO file. Burn it to a CD as an image and bang, you’re done, ready to take a drive to the nearest business and start sniffing credit card numbers. Everything wrapped into a nice package just waiting for the next script kiddie to start running the programs. You may be thinking, OK, this is a major problem, so what should I do? Give up my organization’s ability to use wireless networks? This isn’t exactly what we are saying.

A newer wireless security technology called WPA took over in 2004. It is more secure than WEP, and so far tools to hack your network are not as readily available. But consider the following: WEP was ratified in the late 1990s, and less than six years later it was exploited. This is typical of almost every computer technology; it is only a matter of time before technologies are exploited. Just always remember that security is a multi-tiered, company-wide responsibility. From providing physical security to web site security, all matters should be considered serious and not taken lightly. So before you grab a wireless access point and slap it in your network, I urge you to think twice.

You may think you are in a sinking boat because you are a small organization not able to implement the latest technologies and afford the newest access points. Or maybe you cannot afford to pay an IT staff 100k-200k a year to maintain your medium size network. Executives at N2 Network Solutions say you should consider IT outsourcing or IT consulting. You can get industry-certified engineers on a project-by-project basis. Contractual relationships are also available to dump the responsibility of your network into their hands for a fraction of the price. To keep your small to medium size network performing like a Fortune 500 machine, invest the capital and secure your assets.