8. Securing and Monitoring Kali Linux

Defining a Security Policy:

Key Considerations:

  • Security is not one-size-fits-all; it requires precise goals and understanding of risks.

  • Key questions to answer:

    • What needs protection? (e.g., computers, data)

    • What threats are you guarding against? (e.g., data leakage, service disruption)

    • Who are you protecting against? (e.g., regular users, external attackers)

  • The concept of "risk" encompasses what to protect, what to prevent, and potential threat sources.

  • Bruce Schneier emphasizes that "Security is a process, not a product," highlighting the need for continual adaptation to evolving risks.

Factors Influencing Policy:

  • Constraints like cost, inconvenience to users, and performance degradation impact policy decisions.

  • Extreme scenarios illustrate tailored responses to defined risks.

  • Security policies must align with goals and constraints to be effective and respectable.

System Segmentation and Defense:

  • Information systems can be segmented into independent subsystems, each requiring its own risk assessment and security policy.

  • Smaller attack surfaces are easier to defend; concentrate sensitive services and minimize access routes.

  • Network filtering, including firewalls, helps control access and defend against threats.


Possible Security Measures

On a Server

  • Securing Network Services:

    • Change default passwords and restrict access with a firewall.

  • User Account Security:

    • Set strong passwords to resist brute-force attacks.

    • Use fail2ban to filter IP addresses after failed login attempts.

On a Laptop

  • Risk Factors:

    • Less susceptible to random scans but vulnerable during travel.

  • Data Protection Measures:

    • Employ full disk encryption and possibly enable the "nuke" feature for confidential data protection.

  • Firewall Rules:

    • Implement firewall rules to control outbound traffic, particularly allowing only VPN access to prevent inadvertent exposure of customer IP addresses.

    • Maintain control of activity during local engagements to minimize network noise and avoid alerting customers and their defense systems.


Securing Network Services

In general, it is a good idea to disable services that you do not use. Kali makes it easy to do this since network services are disabled by default.

As long as services remain disabled, they do not pose any security threat. However, you must be careful when you enable them because:

  • There is no firewall by default, so if they listen on all network interfaces, they are effectively publicly available.

  • Some services have no authentication credentials and let you set them on first use; others have default (and thus widely known) credentials preset. Make sure to (re)set any password to something that only you know.

  • Many services run as root with full administrator privileges, so the consequences of unauthorized access or a security breach are usually severe.


Monitoring Logs with logcheck:

  • logcheck monitors log files every hour by default and sends unusual log messages in emails to the administrator for further analysis.

  • The list of monitored files is stored in /etc/logcheck/logcheck.logfiles.

  • logcheck can report in paranoid, server, and workstation levels of detail.

  • Paranoid mode is verbose and suitable for specific servers like firewalls. Server mode is recommended for most servers, while workstation mode is designed for workstations and is very terse.

  • logcheck usually needs customization to exclude the extra messages generated by the services installed on the system.

  • Applied rules for logcheck are categorized into cracking attempts, security alerts, and system events.

  • Files in directories such as /etc/logcheck/cracking.d/, /etc/logcheck/cracking.ignore.d/, /etc/logcheck/violations.d/, /etc/logcheck/violations.ignore.d/, and /etc/logcheck/ignore.d.{paranoid,server,workstation}/ are utilized to manage rules and exclusions.
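To show how these rule categories and levels interact, here is an added Python sketch (not code from the page or from the logcheck project) that applies constructed rule sets, named after the /etc/logcheck/ directories above, to constructed syslog lines; the sample rules and log lines are assumptions, and the category names follow the page.

```python
import re

# Constructed rule sets standing in for the files under /etc/logcheck/;
# each rule is an extended regular expression, as in the real rule files.
CRACKING = [r"POSSIBLE BREAK-IN ATTEMPT"]                         # cracking.d/
CRACKING_IGNORE = []                                              # cracking.ignore.d/
VIOLATIONS = [r"Failed password|authentication failure|denied"]   # violations.d/
VIOLATIONS_IGNORE = [r"squid\[[0-9]+\]: .*TCP_DENIED"]            # violations.ignore.d/
# ignore.d.{paranoid,server,workstation}/: each level adds exclusions on top of
# the stricter ones, so paranoid reports the most and workstation the least.
LEVELS = ["paranoid", "server", "workstation"]
IGNORE = {"paranoid": [r"CRON\[[0-9]+\]: \(root\) CMD \("],
          "server": [r"systemd\[1\]: (Started|Finished) "],
          "workstation": [r"kernel: usb [0-9.-]+: new .* USB device"]}

def matches(line, rules, flags=0):
    return any(re.search(rule, line, flags) for rule in rules)

def ignore_rules(level):
    """Exclusions in force at a level: its own plus those of every stricter level."""
    return [r for lvl in LEVELS[: LEVELS.index(level) + 1] for r in IGNORE[lvl]]

def classify(line, level="server"):
    """Section a line is reported under, or None if the level filters it out."""
    if matches(line, CRACKING, re.I) and not matches(line, CRACKING_IGNORE):
        return "cracking attempts"
    if matches(line, VIOLATIONS, re.I) and not matches(line, VIOLATIONS_IGNORE):
        return "security alerts"
    if matches(line, ignore_rules(level)):
        return None
    return "system events"

def report(log_text, level="server"):
    """Group surviving lines by section, the way logcheck's hourly mail does."""
    sections = {}
    for line in log_text.splitlines():
        section = classify(line, level)
        if section:
            sections.setdefault(section, []).append(line)
    return sections

# Constructed sample syslog lines (203.0.113.0/24 is a documentation range).
SAMPLE_LOG = """\
Jan  1 10:00:01 kali CRON[1234]: (root) CMD (/usr/local/bin/backup.sh)
Jan  1 10:00:05 kali sshd[2345]: Failed password for root from 203.0.113.9 port 51234 ssh2
Jan  1 10:00:09 kali sshd[2346]: reverse mapping checking getaddrinfo for host.example failed - POSSIBLE BREAK-IN ATTEMPT!
Jan  1 10:01:00 kali systemd[1]: Started Daily apt download activities.
Jan  1 10:01:30 kali squid[3456]: 203.0.113.20 TCP_DENIED/403 GET http://example.com/
Jan  1 10:02:00 kali kernel: usb 1-1: new high-speed USB device number 3 using xhci_hcd
"""
```

Calling report(SAMPLE_LOG, "paranoid") also surfaces the systemd line that the server level drops, which is the verbosity difference the levels are for.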

Curly Brackets {} in a Command:

  • In bash commands, curly brackets {} serve various functions, including shorthand for repeating parts of a command.

  • Bash expands the command before executing it.

  • For example, touch /home/kali/file{1,2,3}.txt creates three files (file1.txt, file2.txt, file3.txt) in the home directory of the user "kali".

Monitoring Activity in Real Time

  • Tool: top

    • Interactive tool displaying currently running processes.

    • Default sorting based on processor use.

    • Sorting options: memory, total processor time, process identifier.

    • Key functions: P for processor use, M for memory, T for total processor time, N for process identifier.

    • k key for killing a process by entering its identifier.

    • r key for changing process priority.

    • Useful for identifying resource-heavy processes.

    • Particularly valuable for ensuring processes match expected services.

    • Unusual processes, especially under "www-data" user, warrant investigation.

    • Highly customizable with details in the manual page.

  • Similar Tools:

    • xfce4-taskmanager: Graphical tool similar to top.

    • gnome-system-monitor: For GNOME users, akin to top.

    • ksysguard: For KDE users, provides similar functionality to top.


Detecting Changes:

Auditing Packages with dpkg --verify:

  • dpkg --verify (or dpkg -V) displays system files that have been modified, relying on checksums stored in its own database (/var/lib/dpkg/info/package.md5sums).

  • However, attackers may modify these files to contain new checksums or compromise packages on the Debian mirror. To protect against this, use APT's digital signature verification system.

What Is a File Fingerprint?

  • A fingerprint is a hash value (digest) calculated with algorithms like MD5, SHA1, or SHA256, designed so that even a tiny change in the file contents produces a different fingerprint.

  • These algorithms are one-way: knowing a fingerprint does not let you recover the corresponding contents.

Monitoring Files: AIDE:

  • AIDE (Advanced Intrusion Detection Environment) checks file integrity against a previously-recorded image of the valid system stored in a database (/var/lib/aide/aide.db).

  • Install AIDE via apt update followed by apt install aide. Initialize the database with aideinit; a check then runs daily via /etc/cron.daily/aide to detect changes.

  • Changes are recorded in log files (/var/log/aide/*.log) and sent to the administrator by email.

Protecting the Database:

  • Validity of AIDE results depends on the validity of its database. Store reference data on read-only storage media to prevent subversion by attackers.

  • Tweak AIDE behavior using options in /etc/default/aide. Configuration is in /etc/aide/aide.conf and /etc/aide/aide.conf.d/, with syntax explained in aide.conf(5).
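The fingerprint and AIDE sections above describe one mechanism: record a digest of every file, then diff the live system against that record, and make sure the record itself cannot be quietly altered. This added Python sketch (not AIDE's code or the page's) does exactly that on a constructed temporary tree; the HMAC seal over the database is an assumption standing in for the page's advice to keep the reference data on read-only media, and the key is a constructed demo value.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

def fingerprint(path):
    """SHA-256 of the file, read in chunks; any content change alters it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map each regular file under root to its fingerprint and permission bits."""
    root = Path(root)
    return {str(p.relative_to(root)): {"sha256": fingerprint(p),
                                       "mode": oct(p.stat().st_mode & 0o7777)}
            for p in sorted(root.rglob("*")) if p.is_file()}

def seal(baseline, key):
    """Serialise the baseline with an HMAC tag so a doctored database is detected."""
    body = json.dumps(baseline, sort_keys=True).encode()
    return body, hmac.new(key, body, "sha256").hexdigest()

def check(root, body, tag, key):
    """Refuse a database whose tag does not verify, then diff the live tree."""
    if not hmac.compare_digest(hmac.new(key, body, "sha256").hexdigest(), tag):
        raise ValueError("baseline database has been tampered with")
    old, new = json.loads(body), build_baseline(root)
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": sorted(f for f in set(old) & set(new) if old[f] != new[f])}

def demo():
    """Constructed scenario: baseline a small tree, alter it, then re-check."""
    key = b"constructed-demo-key"  # in practice keep the key off the monitored host
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "bin").mkdir()
        Path(tmp, "bin/ls").write_bytes(b"original binary")
        Path(tmp, "etc.conf").write_text("setting=1\n")
        body, tag = seal(build_baseline(tmp), key)
        Path(tmp, "bin/ls").write_bytes(b"modified binary")   # content changed
        Path(tmp, "bin/nc").write_bytes(b"unexpected file")   # file added
        Path(tmp, "etc.conf").unlink()                        # file removed
        result = check(tmp, body, tag, key)
        try:                                  # a doctored database must be refused
            check(tmp, body.replace(b"sha256", b"SHA256"), tag, key)
            result["db_tamper_detected"] = False
        except ValueError:
            result["db_tamper_detected"] = True
    return result
```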

Other Tools:

  • Tripwire and Samhain offer similar features to AIDE with additional capabilities.

  • checksecurity performs basic system checks (e.g., empty passwords, setuid files).

  • chkrootkit and rkhunter detect rootkits potentially installed on the system, though not 100% reliable.


Summary

In this chapter, we took a look at the concept of security policies, highlighting various points to consider when defining such a policy and outlining some of the threats to your system and to you personally, as a security professional. We discussed desktop and laptop security measures as well as firewalls and packet filtering. Finally, we reviewed monitoring tools and strategies and showed how to best implement them to detect potential threats to your system.

Summary Tips:

  • Take time to define a comprehensive security policy.

  • Real risk often arises when you travel from one customer to the next. For example, your laptop could be stolen while traveling or seized by customs. Prepare for these unfortunate possibilities by using full disk encryption and consider the nuke feature to protect your clients' data.

  • Disable services that you do not use. Kali makes it easy to do this since all external network services are disabled by default.

  • If you are running Kali on a publicly accessible server, change any default passwords for services that might be configured and restrict their access with a firewall prior to launching them.

  • Use fail2ban to detect and block password-guessing attacks and remote brute force password attacks.

  • If you run web services, host them over HTTPS to prevent network intermediaries from sniffing your traffic (which might include authentication cookies).

  • The Linux kernel embeds the netfilter firewall. There is no turn-key solution for configuring any firewall, since network and user requirements differ. However, you can control netfilter from user space with the iptables and ip6tables commands.

  • Implement firewall rules to forbid all outbound traffic except the traffic generated by your VPN access. This is meant as a safety net, so that when the VPN is down you immediately notice it (instead of falling back to the local network access).

  • top is an interactive tool that displays a list of currently running processes.

  • The logcheck program monitors log files every hour by default and sends unusual log messages in emails to the administrator for further analysis.

  • dpkg --verify (or dpkg -V) displays the system files that have been modified (potentially by an attacker), but relies on checksums, which may be subverted by a clever attacker.

  • The Advanced Intrusion Detection Environment (AIDE) tool checks file integrity and detects any changes against a previously-recorded image of the valid system.

  • Tripwire is very similar to AIDE but uses a mechanism to sign the configuration file, so that an attacker cannot make it point at a different version of the reference database.

  • Consider the use of rkhunter, checksecurity, and chkrootkit to help detect rootkits on your system.

In the next chapter, we are going to dig into Debian fundamentals and package management. You will quickly understand the power behind Kali's Debian roots and learn how the developers have harnessed that power. Be warned, the next chapter is fairly dense, but it is critical that you understand Debian basics and package management if you are going to be a Kali power user.
