Showing posts with label it security. Show all posts
Showing posts with label it security. Show all posts

Monday, 18 May 2026

Linux Home Server Security Checklist: Hardening a Cheap Homelab Without Going Crazy

Cheap home servers are great.

You take an old Dell, Lenovo, ThinkCentre, NUC, laptop, Raspberry Pi or whatever was cheap enough not to hurt the wallet, throw Linux on it, add Docker, maybe some file sharing, maybe a media server, maybe a few scripts, and suddenly it becomes “production”.

Production in quotes, of course.

Because at home, production usually means:

  • if it dies, someone complains;
  • if the disk fills, something stops working;
  • if SSH gets exposed by mistake, the internet starts knocking;
  • if updates are forgotten for six months, the box becomes a tiny museum of old packages.

So this is my practical Linux home server security checklist. Not enterprise paranoia. Not “install 47 tools and build a SOC in the kitchen”. Just sensible hardening for a cheap homelab machine that is always on and probably doing more than it should.

The goal is simple: make the server boring.

Boring is good. Boring means patched, firewalled, backed up, logged, and not silently accepting nonsense from the network.

Read more »
Posted by at No comments:
Labels: , , , , , , ,

Friday, 9 October 2020

How to secure your Linux

How to secure your linux? (easily)

Now days computer security is on the top trending topics for several reasons, the pandemic confiment also boosted the search for this topic. So you have a linux, is it secure? Most likely yes, is it vulnerable, even if daily updated (also see how to speed up apt-update ) due to default values of some configurations.

An easy way to enhance Linux security or hardening Linux? Using lynis (also works on OSX)
What's hardening?  Basically is just tunning and configuring some features that by default might allow someone to exploit or use that as a vulnerability. (not just one feature per se, but some combined might create something exploitable)

How to install lynis on Linux?

There are two instalation methods, easy and easiest. The main difference is  the version you download from the Lynis site is always the latest one where the apt-get version might take sometime to get to the lastest. 
An example is allowing access to compilers, an intruder can pass a bunch of string and in the end compile them and there you go, someone uploaded some string and created an executable on your machine. Another example is not enforcing secure password, 1234, Joe, and Password aren't exactly secure passwords, but if the system won't allow anything rather than ex: JustATinny123Pass**Again is virtual impossible to guess or crack.
 
In ubuntu/mint lynis installation (easiest):
  • sudo apt install lynis
In ubuntu/mint lynis installation (easy):
  1. Go to Lynis webpage and download the rar
  2. Unrar-It
  3. Done  

How to run Lynis on your Linux machine?

Previous Note: You should always run it as root user 
  • If the installation was done via apt-get the just type "lynis audit system" else, just go to the directory where you extracted Lynis and run "./lynis audit system".
This might take a while depending on our system ( 40sec plus). 

What do you get? Whell for start you get a score! 0-100points... if you use a default ubuntu 20 LTS from scratch you'll get around 65points depending on installed packages.

Lynis score



There's a list of issues to be solved, their solution (if possible in your system), solve one by one and in the end run it again. In the end you improve your score and harden your system.
Examples which I focus a LOT, since some of my machines are only accessible by network: sshd connections hardening.

Lynis recommendations


Posted by at No comments:
Labels: , , , ,

Thursday, 30 May 2019

Honeypot deployment on Linux - OpenCanary

What’s a honeypot what what it’s purpose ?

It’s basically a computer or Virtual Machine emulating some services (ex: ssh, ftp, telnet, netbios, https, samba server etc) and accepting, logging and sending warnings of all incoming connections. You can use it as intrusion detection or early warning system but it also might go a little further and allow one to get inside the intruders ”head” since you get to log every interaction.

How and where should it be placed?

Let’s start with “where”. I usually place them in specific areas to get an idea how/or if the network is tested from outside or inside. So I have about three major areas; behind firewalls, in “sensible zones” where only pre-defined machines should have access and in the “public zone” such as administrative/general network.

Placing a honeypot behind firewalls/”sensible zones” will ensure that the firewall is doing it’s and if you get a hit that means you have a miss-configurations or a serious intrusion. Honeypots placed in the “public zone” will give you a glimpse if you have some outsider skimming your network, an inside threat or just a very network-enthusiastic co-worker… to put it mildly.

How to place it? This answer can be split in two parts, hardware and timeline.
  • Since the minimum hardware requirements are very low Virtual Machines are the best option. 1 vCPU and 512 RAM will be enough for each instance.
  • Timeline; If you have the resources (basically mature security team with proper tools) then all of them at the same time. If not, deploying the honeypots from the most to the least secure zones in the network is recommended. In the most secure zone you should have no events at all where as in the least you might get a couple, his approach will give some time to understand eventual breaches and mature responses. (opposite to having lots of hits all across the network and spreading resources in order to understand what’s happening)

Which software and how to install it?

A very simple honeypot is opencanary. It’s freeware, it emulates windows/linux server, as well as mysqlServer, ftp, ssh, I can generate events to syslog files, log file and via email. Usually I ran it on an Ubuntu Server with 1vCpu and 512ram.

  • Install Ubuntu server version and make all the security updates
  • Install necessary libs and the honeypot
$ sudo apt-get install python-dev python-pip python-virtualenv
$ virtualenv env/
$ . env/bin/activate
$ pip install opencanary
$ sudo apt-get install -y build-essential libssl-dev libffi-dev python-dev
$ pip install rdpy
  • Finally run it for the first time (default configuration)
. env/bin/activate
$ opencanaryd --copyconfig
$ opencanaryd --start

Edit the file /.opencanary.confand set the this line "http.enabled":true and restart the service with the command: opencanaryd --restart This will enable the http server. Now point your browser to http://your-ip-addr and check your brand new Synology RackStation!

Try your luck by logging In with some commonly used user/passwords. Now check some opencanary logs in the file /var/tmp/opencanary.log


Your webserver fake page


OpenCanary Log file


Pretty interesting humm? Timestamp, user/pass tries, ip addresses…

Edit the configuration!


Now let’s create some services so the honeypot gets really sweet. Edit the configuration file /.opencanary.conf


{
"device.node_id": "HoneyPot-ServerName-Good-idea-to-change-it",
"git.enabled": false,
"git.port" : 9418,
"ftp.enabled": true,
"ftp.port": 21,
"ftp.banner": "FTP server ready",
"http.banner": "Apache/2.2.22 (Ubuntu)",
"http.enabled": true,
"http.port": 80,
"http.skin": "nasLogin",
"http.skin.list": [
{
"desc": "Plain HTML Login",
"name": "basicLogin"
},
{
"desc": "Synology NAS Login",
"name": "nasLogin"
}
],
"httpproxy.enabled" : false,
"httpproxy.port": 8080,
"httpproxy.skin": "squid",
"httproxy.skin.list": [
{
"desc": "Squid",
"name": "squid"
},
{
"desc": "Microsoft ISA Server Web Proxy",
"name": "ms-isa"
}
],
"logger": {
"class": "PyLogger",
"kwargs": {
"formatters": {
"plain": {
"format": "%(message)s"
}
},
"handlers": {
"console": {
"class": "logging.StreamHandler",
"stream": "ext://sys.stdout"
},
"file": {
"class": "logging.FileHandler",
"filename": "/var/tmp/opencanary.log"
}
}
}
},
"portscan.enabled": false,
"portscan.logfile":"/var/log/kern.log",
"portscan.synrate": 5,
"portscan.nmaposrate": 5,
"portscan.lorate": 3,
"smb.auditfile": "/var/log/samba-audit.log",
"smb.enabled": false,
"mysql.enabled": false,
"mysql.port": 3306,
"mysql.banner": "5.5.43-0ubuntu0.14.04.1",
"ssh.enabled": true,
"ssh.port": 22,
"ssh.version": "SSH-2.0-OpenSSH_5.1p1 Debian-4",
"redis.enabled": false,
"redis.port": 6379,
"rdp.enabled": false,
"rdp.port": 3389,
"sip.enabled": false,
"sip.port": 5060,
"snmp.enabled": false,
"snmp.port": 161,
"ntp.enabled": false,
"ntp.port": "123",
"tftp.enabled": false,
"tftp.port": 69,
"tcpbanner.maxnum":10,
"tcpbanner.enabled": false,
"tcpbanner_1.enabled": false,
"tcpbanner_1.port": 8001,
"tcpbanner_1.datareceivedbanner": "",
"tcpbanner_1.initbanner": "",
"tcpbanner_1.alertstring.enabled": false,
"tcpbanner_1.alertstring": "",
"tcpbanner_1.keep_alive.enabled": false,
"tcpbanner_1.keep_alive_secret": "",
"tcpbanner_1.keep_alive_probes": 11,
"tcpbanner_1.keep_alive_interval":300,
"tcpbanner_1.keep_alive_idle": 300,
"telnet.enabled": true,
"telnet.port": "23",
"telnet.banner": "",
"telnet.honeycreds": [
{
"username": "admin",
"password": "$pbkdf2-sha512$19000$bG1NaY3xvjdGyBlj7N37Xw$dGrmBqqWa1okTCpN3QEmeo9j5DuV2u1EuVFD8Di0GxNiM64To5O/Y66f7UASvnQr8.LCzqTm6awC8Kj/aGKvwA"
},
{
"username": "admin",
"password": "admin1"
}
],
"mssql.enabled": false,
"mssql.version": "2012",
"mssql.port":1433,
"vnc.enabled": false,
"vnc.port":5000
}

Read more »
Posted by at 2 comments:
Labels: , , , ,
Subscribe to: Posts (Atom)