This is work in progress.
Category Archives: Information Security
A+ TLS config for ubuntu + nginx
These are my config notes for getting a brand new Xenial + nginx server online.
Install Tor:
sudo apt install tor apt-transport-tor
sudo gpg --keyserver keys.gnupg.net --recv 886DDD89 sudo gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
Edit the sources list by removing all the lines and adding these:
sudo vim /etc/apt/sources.list
deb tor+https://deb.torproject.org/torproject.org xenial main deb tor+https://mirrors.wikimedia.org/ubuntu/ xenial main restricted universe multiverse deb tor+https://mirrors.wikimedia.org/ubuntu/ xenial-updates main restricted universe multiverse deb tor+https://mirrors.wikimedia.org/ubuntu/ xenial-security main restricted universe multiverse
Update the repos:
sudo add-apt-repository ppa:nginx/development sudo add-apt-repository ppa:ondrej/nginx sudo add-apt-repository ppa:ondrej/php sudo add-apt-repository ppa:certbot/certbot
Add “tor+” to all of the above sources files in /etc/apt/sources.list.d/*
Update and restart:
sudo apt update && sudo apt upgrade -V && sudo apt autoremove -y && sudo shutdown -r now
Install nginx + certbot:
sudo apt install python-certbot-nginx -V
Add server_name to (replacing “_”):
sudo vim /etc/nginx/sites-available/default
server_name domain.net;
Get Let’s Encrypt cert for nginx:
sudo certbot --nginx -d domain.net --redirect --rsa-key-size 4096
Further harden the TLS config:
sudo vim /etc/letsencrypt/options-ssl-nginx.conf
ssl_ecdh_curve secp384r1; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; ssl_session_tickets off; ssl_stapling on; ssl_stapling_verify on; ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!3DES:!aNULL:!DES:!DSS:!eNULL:!EXP:!IDEA:!LOW:!MD5:!PSK:!RC4:!SEED";
Delete the “SSL” config:
sudo vim /etc/nginx/nginx.conf
Edit the nginx config:
sudo vim /etc/nginx/sites-available/default
replace “domain.net”
server { listen 80 default_server; listen [::]:80 default_server; server_name domain.net www.domain.net; return 301 https://$host$request_uri; server_tokens off; add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header Referrer-Policy "no-referrer"; } server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name domain.net www.domain.net; root /var/www; index index.php index.html index.htm; ssl_certificate /etc/letsencrypt/live/domain.net/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/domain.net/privkey.pem; include /etc/letsencrypt/options-ssl-nginx.conf; ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; server_tokens off; add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload'; add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header Referrer-Policy "no-referrer"; resolver 8.8.8.8 8.8.4.4 valid=300s; # For WordPress location / { try_files $uri $uri/ /index.php?$args; } location ~ .php$ { include snippets/fastcgi-php.conf; fastcgi_pass unix:/var/run/php/php7.2-fpm.sock; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; } }
Validate the nginx config:
sudo nginx -t
Restart nginx:
sudo service nginx restart
Add inbound and outbound firewall rules:
sudo ufw limit 22/tcp && sudo ufw allow 443/tcp && sudo ufw allow out 22/tcp && sudo ufw allow out 25/tcp && sudo ufw allow out 53/udp && sudo ufw allow out 443/tcp && sudo ufw allow out 9050/tcp && sudo ufw deny out to any && sudo ufw enable && sudo ufw status verbose
Emerald Onion has launched
The Tor network and the dot-Onion infrastructure was built for security and privacy in mind. This is unlike legacy clear-net infrastructure, which over the years needs routine and dramatic security changes just to solve evolving security chalenges. Even worse, modern security for legacy clear-net infrastructure does very little for privacy.
Vulnerable populations were the first to recognize the importance of a technology like “the onion router”. The United States Navy was among the first. The United States Navy, realizing very quickly that an anonymity network that only the Navy would use, means that any of its users is from the United States Navy. To this day, the United States Navy researches and develops Tor.
Once Tor became a public, free, and open source project, journalists and other vulnerable populations with life-and-death threat models started using Tor. These survivors and human-rights defenders were a red flag. By the time Tor became a public project, other departments from the United States Government, such as the United States National Security Agency, had already started conducting global mass surveillance.
The United States Navy knew and continues to know that Tor is a necessity in a world dominated by global mass surveillance and by governments that strive for power and control.
Emerald Onion envisions a world where access and privacy are the defaults. This is necessary to ensure human rights including access to information and freedom of speech. If we do not have human rights online, we will not have them offline, either. We launched, officially, on July 2nd. We are looking at 10 year+ development and sustainability. Please reach out to me if you can think of ways to support our work.
Ubuntu SSH crypto hardening
Fix the security and privacy of your Ubuntu 16.04, 16.10, and 17.04 web server access. Fuck global mass surveillance.
Special thanks to @stribika for writing a very similar guide two years ago.
From “man sshd_config”
allowable ciphers
Run “ssh -Q cipher” for validating usable “Ciphers” on clients and servers
Specifies the ciphers allowed. Multiple ciphers must be comma-separated. If the specified value begins with a ‘+’ character, then the specified ciphers will be appended to the default set instead of replacing them.
allowable message authentication code algorithms
Run “ssh -Q mac” for validating usable “MACs” on clients and servers
Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used for data integrity protection. Multiple algorithms must be comma-separated. If the specified value begins with a ‘+’ character, then the specified algorithms will be appended to the default set instead of replacing them. The algorithms that contain "-etm" calculate the MAC after encryption (encrypt-then-mac). These are considered safer and their use recommended.
allowable key exchange algorithms
Run “ssh -Q kex” for validating usable “KexAlgorithms” on clients and servers
Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. Alternately if the specified value begins with a ‘+’ character, then the specified methods will be appended to the default set instead of replacing them.
allowable server key algorithms
Run “ssh -Q key” for validating usable “HostKeyAlgorithms” on servers
Specifies the host key algorithms that the server offers.
allowable key authentication types
Run “ssh -Q key” for validating usable “HostbasedAcceptedKeyTypes” on servers
Specifies the key types that will be accepted for hostbased authentication as a comma-separated pattern list. Alternately if the specified value begins with a ‘+’ character, then the specified key types will be appended to the default set instead of replacing them.
allowable public key authentication types
Run “ssh -Q key” for validating usable “PubkeyAcceptedKeyTypes” on servers
Specifies the key types that will be accepted for public key authentication as a comma-separated pattern list. Alternately if the specified value begins with a ‘+’ character, then the specified key types will be appended to the default set instead of replacing them.
Fix your server keys
cd /etc/ssh sudo rm ssh_host_*key* sudo ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N "" < /dev/null
Amending sshd
sudo vim /etc/ssh/sshd_config
Only use the ed25519 key (delete the others):
HostKey /etc/ssh/ssh_host_ed25519_key
Add these lines (tailor them down based on what you know your client and server have available (see above for “ssh -Q x” options)):
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519 HostbasedAcceptedKeyTypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519 PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
Restart sshd:
sudo service ssh restart
ssh over Tor
Fix metadata leaks by using Tor as your second end-to-end encrypted tunnel if you don’t mind a mildly delayed CLI due to added latency.
Install Tor by first fixing apt sources and adding Tor’s repo:
sudo vim /etc/apt/sources.list
Delete all lines and use these (replace “zesty” if needed):
deb https://mirrors.wikimedia.org/ubuntu/ zesty main restricted universe multiverse deb https://mirrors.wikimedia.org/ubuntu/ zesty-updates main restricted universe multiverse deb https://mirrors.wikimedia.org/ubuntu/ zesty-backports main restricted universe multiverse deb https://mirrors.wikimedia.org/ubuntu/ zesty-security main restricted universe multiverse deb https://deb.torproject.org/torproject.org zesty main
Install Tor’s signing key:
sudo gpg --keyserver keys.gnupg.net --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 sudo gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
Update and install Tor:
sudo apt-get update && sudo apt-get install tor deb.torproject.org-keyring -y
Configure Tor for an onion:
sudo vim /etc/tor/torrc
Delete all lines and add these:
HiddenServiceDir /var/lib/tor/hidden_service/ HiddenServicePort 22 127.0.0.1:22
Restart Tor:
sudo service tor restart
Find your new dot-onion address:
sudo cat /var/lib/tor/hidden_service/hostname
Configure sshd to only listen via Tor (and not exposed on the clear net):
sudo vim /etc/ssh/sshd_config
Add (or change) this line:
ListenAddress 127.0.0.1:22
Restart sshd:
sudo service ssh restart
Firewall everything
Presuming you are only hosting a web server over ports 80 and 443:
sudo ufw allow 80/tcp && sudo ufw allow 443/tcp && sudo ufw allow out 53/udp && sudo ufw allow out 80/tcp && sudo ufw allow out 123/udp && sudo ufw allow out 443/tcp && sudo ufw allow out 9050/tcp && sudo ufw deny out to any && sudo ufw enable && sudo ufw status verbose
80 for http
443 for https
53 out for DNS
123 out for NTP
9050 out for Tor
Deny everything else.
client side for Tor
sudo vim /etc/ssh/ssh_config
Add these lines under “Host *” (tailor the Ciphers, MACs, and Kex down based on what you know your client and server have available (see above for “ssh -Q x” options)):
UseRoaming no proxyCommand ncat -v --proxy localhost:9050 --proxy-type socks5 %h %p Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
Generate client keys:
ssh-keygen -t ed25519 -o -a 100
Restart ssh:
sudo service ssh restart
Send the client public key to the server:
ssh-copy-id yawnbox@2vytis5xf5djnaoo.onion
Connect to the server with debug to verify hardened crypto:
ssh -v yawnbox@2vytis5xf5djnaoo.onion
You will find this info buried:
debug1: kex: algorithm: curve25519-sha256@libssh.org debug1: kex: host key algorithm: ssh-ed25519 debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none debug2: key: /home/yawnbox/.ssh/id_rsa ((nil)) debug2: key: /home/yawnbox/.ssh/id_dsa ((nil)) debug2: key: /home/yawnbox/.ssh/id_ecdsa ((nil)) debug2: key: /home/yawnbox/.ssh/id_ed25519 (0x55zg8nba8f20)
Cheers
bonus server config script
#!/bin/bash sudo apt-get update sudo apt-get upgrade -y sudo apt-get dist-upgrade -y sudo apt-get install tor openssh-server -y sudo apt-get autoremove -y sudo apt-get autoclean cd /etc/ssh sudo rm ssh_host_*key* sudo ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N "" > /etc/ssh/sshd_config sudo echo "HostKey /etc/ssh/ssh_host_ed25519_key" >> /etc/ssh/sshd_config sudo echo "SyslogFacility AUTH" >> /etc/ssh/sshd_config sudo echo "LogLevel INFO" >> /etc/ssh/sshd_config sudo echo "LoginGraceTime 30" >> /etc/ssh/sshd_config sudo echo "PermitRootLogin no" >> /etc/ssh/sshd_config sudo echo "StrictModes yes" >> /etc/ssh/sshd_config sudo echo "MaxAuthTries 5" >> /etc/ssh/sshd_config sudo echo "MaxSessions 5" >> /etc/ssh/sshd_config sudo echo "PasswordAuthentication no" >> /etc/ssh/sshd_config sudo echo "PermitEmptyPasswords no" >> /etc/ssh/sshd_config sudo echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config sudo echo "UsePAM yes" >> /etc/ssh/sshd_config sudo echo "X11Forwarding no" >> /etc/ssh/sshd_config sudo echo "PrintMotd no" >> /etc/ssh/sshd_config sudo echo "AcceptEnv LANG LC_*" >> /etc/ssh/sshd_config sudo echo "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr" >> /etc/ssh/sshd_config sudo echo "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256" >> /home/cs/test_sshd sudo echo "KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521" >> /etc/ssh/sshd_config sudo echo "HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519" >> /etc/ssh/sshd_config sudo echo "HostbasedAcceptedKeyTypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519" >> /etc/ssh/sshd_config sudo echo "PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519" >> /etc/ssh/sshd_config sudo service ssh restart sudo mv /etc/apt/sources.list /etc/apt/sources1.bak sudo touch /etc/apt/sources.list sudo echo "deb https://mirrors.wikimedia.org/ubuntu/ xenial main restricted universe multiverse" >> /etc/apt/sources.list sudo echo "deb https://mirrors.wikimedia.org/ubuntu/ xenial-updates main restricted universe multiverse" >> /etc/apt/sources.list sudo echo "deb https://mirrors.wikimedia.org/ubuntu/ xenial-backports main restricted universe multiverse" >> /etc/apt/sources.list sudo echo "deb https://mirrors.wikimedia.org/ubuntu/ xenial-security main restricted universe multiverse" >> /etc/apt/sources.list sudo echo "deb https://deb.torproject.org/torproject.org xenial main" >> /etc/apt/sources.list sudo torify gpg --keyserver keys.gnupg.net --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 sudo torify gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add - sudo apt-get update sudo apt-get install tor deb.torproject.org-keyring apt-transport-tor -y sudo mv /etc/apt/sources.list /etc/apt/sources2.bak sudo touch /etc/apt/sources.list sudo echo "deb tor+https://mirrors.wikimedia.org/ubuntu/ xenial main restricted universe multiverse" >> /etc/apt/sources.list sudo echo "deb tor+https://mirrors.wikimedia.org/ubuntu/ xenial-updates main restricted universe multiverse" >> /etc/apt/sources.list sudo echo "deb tor+https://mirrors.wikimedia.org/ubuntu/ xenial-backports main restricted universe multiverse" >> /etc/apt/sources.list sudo echo "deb tor+https://mirrors.wikimedia.org/ubuntu/ xenial-security main restricted universe multiverse" >> /etc/apt/sources.list sudo echo "deb tor+https://deb.torproject.org/torproject.org xenial main" >> /etc/apt/sources.list sudo echo "capability dac_read_search," >> /etc/apparmor.d/abstractions/tor sudo /etc/init.d/apparmor reload sudo mv /etc/tor/torrc /etc/tor/torrc.bak sudo touch /etc/tor/torrc sudo echo "HiddenServiceDir /var/lib/tor/hidden_service/" >> /etc/tor/torrc sudo echo "HiddenServicePort 22 127.0.0.1:22" >> /etc/tor/torrc sudo service tor restart sudo touch ~/onion.txt sudo cat /var/lib/tor/hidden_service/hostname >> ~/onion.txt sudo echo "ListenAddress 127.0.0.1:22" >> /etc/ssh/sshd_config sudo service ssh restart sudo ufw allow 22/tcp sudo ufw allow 80/tcp sudo ufw allow 443/tcp sudo ufw allow out 22/tcp sudo ufw allow out 53/udp sudo ufw allow out 80/tcp sudo ufw allow out 123/udp sudo ufw allow out 443/tcp sudo ufw allow out 9050/tcp sudo ufw deny out to any sudo ufw enable sudo ufw status verbose sudo cat ~/onion.txt
Secure Messenger Scorecard (May 2017)
This is a draft.
I’m starting my own Secure Messenger Scorecard based on the prior work of the Electronic Frontier Foundation.
I’ve created an editable Google Doc for further input and development.
Please scrutinize and contribute by Signaling me, emailing me or tweeting at me.
Moved from Apache to Caddy and RSA to EC TLS for WordPress
^ Qualys SSL Labs test for yawnbox.com
^ Security Headers (dot-IO) test for yawnbox.com
With very special thanks to this guide, Running WordPress with Caddy. I was also able to remove several unnecessary PHP applications that Apache needed.
Here’s my Caddyfile:
www.yawnbox.com { redir https://yawnbox.com{uri} } yawnbox.com { root /var/www/ log stdout errors stderr header / { Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'" Referrer-Policy "strict-origin, strict-origin-when-cross-origin" Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" X-XSS-Protection "1; mode=block" X-Content-Type-Options "nosniff" X-Frame-Options "DENY" } fastcgi / /var/run/php/php7.1-fpm.sock { ext .php split .php index index.php } rewrite / { to {path} {path}/ /index.php?{query} } tls / { protocols tls1.2 curves p384 key_type p384 } }
iPhone opsec guide
Note: Be aware that these operational security guidelines are generally not applicable if you’re attempting to evade your own government’s surveillance. Not only do all new iPhone registrations (software and hardware identifiers) go through NSA-surveilled datacenters, the only way to avoid passive or active cellular tracking is to not use a cell phone. Further, everything listed here depends on your threat model.
Physical security
- Assure that your iPhone is generation 6 or greater (A7, A8, A9) to benefit from Secure Enclave.
- Only use a randomly-generated (stored offline and/or memorized) 12+ digit alphanumeric passphrase.
- Enroll in TouchID to minimize shoulder-surfing passphrase disclosure, but be aware of where you leave your fingerprints.
- Register your iPhone on someone else’s account so not to attach SSN to IMEI/IMSI/SIM.
- Register a new, random phone number.
- Do not pay for your iPhone with your credit or debit card.
- Never pay service charges with your credit or debit card.
- Never share the iPhone’s real phone number with anybody.
- Use only VoIP phone numbers for app registration (Signal).
- Never connect your iPhone to PCs in order to minimize infection and to minimize security certificate sharing.
- Only charge your iPhone directly from power or using a power-only USB cable.
- Always keep Wi-Fi disabled. Wi-Fi networks track hardware MAC addresses that get reported to centralized databases (Cisco Meraki, etc) for tracking and/or advertising purposes, and you do not want to disclose your physical location any more finitely to third party services via IP address.
- Always keep Bluetooth disabled.
- Always turn your iPhone off at night.
- Always turn your iPhone off when you are going to be away from the device.
- Always turn your iPhone off when passing through security screenings.
- Store your iPhone in a locked safe when leaving unattended.
- Do not bring your iPhone to events that have moderate-to-high risk of being confiscated, or at least keep your iPhone off at these events.
- Do not let others use your iPhone.
- Remove the microphone from your iPhone.
- Remove all cameras from your iPhone or keep the cameras covered with tape or stickers.
- When needing to carry the device but minimize surveillance, power off your iPhone and store it in a Faraday cage.
- Be aware that the NSA CO-TRAVELER program keeps track of your iPhones location and which devices your iPhone is ever in close proximity to.
Software security
- Never use your iPhone for Web browsing.
- Sign out of iCloud.
- Do not enable Siri.
- Use parental controls to disable Safari.
- Only install trusted apps (Signal) to minimize exposure to remote infection.
- Never sign into any cloud-based email-, calendar-, or contact-syncing accounts.
- Manually input contacts and keep contacts stored locally.
EMET profile for Tor Browser
Windows 10 (1511)
EMET: 5.5.5871.31890
Tor Browser: 6.0.1
When configured, EMET will force enable these security settings for Tor Browser:
- DEP
- SEHOP
- NullPage
- HeapSpray
- EAF
- EAF+
- MandatoryASLR
- BottomASLR
- LoadLib
- MemProt
- Caller
- StackPivot
- ASR
Steps
- Install Tor Browser (torproject.org/download)
- Install EMET (microsoft.com/emet)
- Open EMET
- Enable “Maximum security settings”
- Import this config file, or…
(Perform the following if you want to manually set this up and not simply import my prepared config file.)
- Import > CertTrust
- Import > Popular Software
- Import > Recommended Software
- Quick Profile Name: Maximum security settings
- Apps > Add Application (find and select your *Tor BrowserBrowserfirefox.exe)
- Enable ASR for Mozilla Firefox then add these ASR modules
flash*.ocx;njpi*.dll;jp2iexp.dll;vgx.dll;msxml4*.dll;wshom.ocx;scrrun.dll;vbscript.dll
- Enable ASR for Tor Project Firefox then add the same ASR modules:
flash*.ocx;njpi*.dll;jp2iexp.dll;vgx.dll;msxml4*.dll;wshom.ocx;scrrun.dll;vbscript.dll
- Enable ASR for Mozilla Firefox plugin container then add the same ASR modules:
flash*.ocx;njpi*.dll;jp2iexp.dll;vgx.dll;msxml4*.dll;wshom.ocx;scrrun.dll;vbscript.dll
- Disable “SimExecFlow” for Tor Project Firefox.
Example EMET view
Draft proposal for Debian
Draft:
Please criticize and contribute to the following:
Objectives:
1. The Debian community must immediately deploy Onion Service repositories for Debian downloads and Debian updates.
2. The Debian community must immediately deploy TLS-only repositories for Debian downloads and Debian updates as a backup to Onion Services.
3. The Debian community must assure anonymity-by-default with the employment of apt-transport-tor by changing existing update mechanics.
4. The Debian community must deploy a critical security update to patch existing update mechanics to use Onion Services.
Summary:
Current and future network adversaries can view and retain which repositories Debian servers connect to (metadata), when (metadata), the updates schedule (information), which updates are being applied (information), and into which operating system (information). This is incredibly valuable information for any adversary wanting to perform minimal attacks against Debian servers. Further, with cheapening data retention, mass-hacking and nation-state dominance is supported by the Debian community’s short-sighted update mechanics.
Edward Snowden has given the world factual evidence describing the capabilities and objectives of global powers and the Debian community has willfully neglected these problems.
Arguments:
Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, David Kaye — Presented to the Human Rights Council in May 2015:
(2)(A)(9) “Notably, encryption protects the content of communications but not identifying factors such as the Internet Protocol (IP) address, known as metadata. Third parties may gather significant information concerning an individual’s identity through metadata analysis if the user does not employ anonymity tools. Anonymity is the condition of avoiding identification. A common human desire to protect one’s identity from the crowd, anonymity may liberate a user to explore and impart ideas and opinions more than she would using her actual identity. […] Users seeking to ensure full anonymity or mask their identity (such as hiding the original IP address) against State or criminal intrusion may use tools such as virtual private networks (VPNs), proxy services, anonymizing networks and software, and peer-to-peer networks.1 One well-known anonymity tool, the Tor network, deploys more than 6,000 decentralized computer servers around the world to receive and relay data multiple times so as to hide identifying information about the end points, creating strong anonymity for its users.”
Debian powers more than one-third of the Internet. The default behavior of Debian is to obtain updates via clear-text HTTP which discloses the following to any network adversary:
1. Server location via IP address
2. Update server via IP address and DNS resolution
3. Server update schedule
4. Server version
5. Application version
This information, via network analysis, would allow any passive or active adversary to plan effective attacks against any Debian server.
Not all adversaries are the same because not all servers have the same risk. Like people, data mining and data retention capabilities pose grave risks for infrastructure. HTTPS may resolve some of the above information leakage depending on an adversary’s capabilities, but Tor resolves them to a greater degree. Anonymity provides the strongest security and is the only acceptably secure option given the facts.
XKEYSCORE, a FVEY technology, is one example of a modern threat to Internet infrastructure. Via Wikipedia:
On January 26, 2014, the German broadcaster Norddeutscher Rundfunk asked Edward Snowden in its TV interview: “What could you do if you would [sic] use XKeyscore?” and he answered:
“You could read anyone’s email in the world, anybody you’ve got an email address for. Any website: You can watch traffic to and from it. Any computer that an individual sits at: You can watch it. Any laptop that you’re tracking: you can follow it as it moves from place to place throughout the world. It’s a one-stop-shop for access to the NSA’s information.
You can tag individuals… Let’s say you work at a major German corporation and I want access to that network, I can track your username on a website on a form somewhere, I can track your real name, I can track associations with your friends and I can build what’s called a fingerprint, which is network activity unique to you, which means anywhere you go in the world, anywhere you try to sort of hide your online presence, your identity.”
The question posed to Edward Snowden was rightly focused on people. However, an XKEYSCORE-like system can trivially threaten any node on the Internet. If XKEYSCORE-like systems can be programmed to track nations, servers, or application installations, the Debian community must act.
Scenarios:
1. Debian server > https://update-server.onion
In scenario 1, operating system and application updates are obtained exclusively within the Tor network with an added layer of Certificate Authority validation ability. HTTP-based Certificate Authority, Domain Name System, and Border Gateway Protocol vulnerabilities do not exist.
2. Debian server > http://update-server.onion
In scenario 2, operating system and application updates are obtained exclusively within the Tor network. HTTP-based Certificate Authority, Domain Name System, and Border Gateway Protocol vulnerabilities do not exist.
3. Debian server > tor+https://update-server.org
In scenario 3, operating system and application updates are obtained via Tor but must leave the Tor network to reach its HTTPS destination. All HTTP-based Certificate Authority, Domain Name System, Border Gateway Protocol, and Man-in-the-Middle vulnerabilities exist once the traffic traverses Tor exit relays onto the normal Internet. Debian servers retain anonymity but security risk is increased.
4. Debian server > tor+http://update-server.org
In scenario 4, operating system and application updates are obtained via Tor but must leave the Tor network to reach its HTTP destination. All HTTP-based Domain Name System, Border Gateway Protocol, and Man-in-the-Middle vulnerabilities exist once the traffic traverses Tor exit relays onto the normal Internet. Debian server retain anonymity but security risk is increased.
5. Debian server > https://update-server.org
In scenario 5, operating system and application updates are obtained via normal Internet with minimal transport security. Server location information, update server information, and server update schedule information easily obtainable, and sophisticated attackers can obtain server version information and package version information. All HTTP-based Certificate Authority, Domain Name System, Border Gateway Protocol, and Man-in-the-Middle vulnerabilities exist.
6. Debian server > http://update-server.org
In scenario 6, the current Debian default, operating system and application updates are obtained via normal Internet with zero transport security. Server location information, update server information, server update schedule information, server version information, and package version information are trivially obtainable. All HTTP-based Domain Name System, Border Gateway Protocol, and Man-in-the-Middle vulnerabilities exist.
Ubuntu OS updates with security and privacy
Never Forget DSA-3733
Validating signatures > MitM > RCE
The Debian developer community refused to implement transport crypto for updates because “signing packages is secure enough”. Utter bullshit.
This is a quick guide on how to dramatically improve the privacy and security of your Ubuntu web server. It requires the installation of “apt-transport-tor”, an application that will allow APT transfers to occur over Tor. There is also an application called “apt-transport-https” that is already installed in Ubuntu that we’ll use.
After reviewing the existing Ubuntu updates mirrors in the USA, I found that Wikimedia has a great TLS configuration. Please contribute to the Google Doc list!
First add Tor Project’s Debian/Ubuntu repository to your system for up-to-date Tor software: https://www.torproject.org/docs/debian.html.en
Then perform the following:
sudo apt-get update sudo apt-get install apt-transport-tor sudo vim /etc/apt/sources.list
Edit “sources.list” to just use only “deb”. “deb-src” is only needed if you build from source which most people do not. You can safely delete the deb-src lines from the file. Replace all of the default Ubuntu repos with Wikimedia’s and be sure to add “tor+” before the “https”. Doing so adds end-to-end encryption via HTTPS, and it becomes Torified meaning network adversaries will have a more difficult time analyzing what software and what versions of said software are installed on your web server.
deb tor+https://mirrors.wikimedia.org/ubuntu/ xenial main restricted universe multiverse deb tor+https://mirrors.wikimedia.org/ubuntu/ xenial-updates main restricted universe multiverse deb tor+https://mirrors.wikimedia.org/ubuntu/ xenial-backports main restricted universe multiverse deb tor+https://mirrors.wikimedia.org/ubuntu/ xenial-security main restricted universe multiverse deb tor+https://deb.torproject.org/torproject.org xenial main
All your future apt-get update, upgrade, and dist-upgrade commands will now be performed over Tor and using high-grade HTTPS.
Firewall changes
If you use UFW to manage your iptables firewall rules, and if you’re properly restricting outbound connections, below is what your config might change to. First reset your UFW rules:
sudo ufw reset
Then:
sudo ufw limit 22/tcp sudo ufw allow 443/tcp sudo ufw allow out 22/tcp sudo ufw allow out 25/tcp sudo ufw allow out 53/udp sudo ufw allow out 443/tcp sudo ufw allow out 9050/tcp sudo ufw deny out to any sudo ufw enable sudo ufw status verbose
Or with one command:
sudo ufw limit 22/tcp && sudo ufw allow 443/tcp && sudo ufw allow out 22/tcp && sudo ufw allow out 25/tcp && sudo ufw allow out 53/udp && sudo ufw allow out 443/tcp && sudo ufw allow out 9050/tcp && sudo ufw deny out to any && sudo ufw enable && sudo ufw status verbose
This UFW (iptables) rule set makes it so brute forcing SSH won’t work and allows all incoming HTTPS traffic. These rules also make it so no traffic can leave the web server unless it is SSH (22), SMTP (25), DNS (53), HTTPS (443), or Tor Socks (9050) traffic. Most web servers do not go as far as block all outbound traffic by default, but it is important in case the web server does become compromised. I would usually allow outbound HTTP (80) traffic because the default Ubuntu update repositories require HTTP. However, we will be Torifying Apt so that’s why we allow outbound 9050/tcp. If you don’t want to Torify Apt, you’ll need to allow outbound 80/tcp instead of 9050/tcp.