Easy security hardening tips and tricks thread


jubjub

On 11/5/2022 at 12:12 PM, clarkee said:

I'm a supporter of this - SSH on tcp/22 produces very noisy logs; moving it to something high and random almost cuts that noise to 0.

Still use SSH keys, still deny remote login as root, have a sensible sudo policy, consider IP whitelisting, or perhaps don't even expose your SSH to the internet to start with :P

Important: Use port knocking.


The ssh service on my servers always gets these 3 Options:

1. non standard port

2. no password Login

3. no root login

Sudo requires the user password, so there is somewhat of a 2FA in order to obtain root: certificate for logging in, password for becoming root. Bonus points if you additionally secure the SSH key with a password or hardware storage. (Which I am too lazy to do.)

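The two posts above describe the same sshd settings (non-standard port, key-only login, no root login) in words. The following is an added example, not code from either poster: a small POSIX shell audit that reads an sshd_config and reports whether those three settings are in effect, run here against two constructed config files (a distro-default one with everything commented out, and a hardened one). The port number 52022 and the file contents are made up for the example.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the three settings the posts list.
# Caveat: this reads the main file only; it does not resolve Include or Match
# blocks. On a real host, `sshd -T` prints the effective configuration instead.
set -eu

# Effective value of one directive. sshd honours the FIRST occurrence of a
# keyword, so take the first uncommented match; $3 is OpenSSH's documented
# default, used when the keyword is absent.
sshd_effective() {
  # $1 = config file, $2 = keyword (case-insensitive), $3 = default
  val=$(grep -iE "^[[:space:]]*$2[[:space:]]" "$1" | head -n1 | awk '{print tolower($2)}')
  [ -n "$val" ] && printf '%s\n' "$val" || printf '%s\n' "$3"
}

# One "ok"/"fail" line per check; exit status 1 if anything fails, so the
# function can be used from cron or a CI job.
audit_sshd() {
  f=$1; rc=0
  port=$(sshd_effective "$f" Port 22)
  pw=$(sshd_effective "$f" PasswordAuthentication yes)
  root=$(sshd_effective "$f" PermitRootLogin prohibit-password)
  if [ "$port" = "22" ]; then echo "fail Port=$port (standard port, noisy logs)"; rc=1; else echo "ok   Port=$port"; fi
  if [ "$pw" != "no" ]; then echo "fail PasswordAuthentication=$pw"; rc=1; else echo "ok   PasswordAuthentication=no"; fi
  if [ "$root" != "no" ]; then echo "fail PermitRootLogin=$root"; rc=1; else echo "ok   PermitRootLogin=no"; fi
  return $rc
}

# Constructed sample configs (not real server files).
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat >"$WEAK_CFG" <<'EOF'
# constructed: typical shipped defaults, every directive still commented out
#Port 22
#PasswordAuthentication yes
#PermitRootLogin prohibit-password
EOF
cat >"$HARD_CFG" <<'EOF'
# constructed: the three settings from the thread, plus explicit key auth
Port 52022
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
EOF

echo "--- weak (defaults) ---";  audit_sshd "$WEAK_CFG" || echo "RESULT: needs hardening"
echo "--- hardened ---";         audit_sshd "$HARD_CFG" && echo "RESULT: passes"
```

Note that the defaults matter: a commented-out `#PermitRootLogin prohibit-password` still means root can log in with a key, which is why the audit treats "absent" as the OpenSSH default rather than as "disabled".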

Regularly scan your address space from an external source. Even if you control the firewall yourself, this is an important sanity check. If you've not got access to an external server, shodan.io is a good place to start and is free (to a point).

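The post above recommends scanning your own address space from the outside as a sanity check on the firewall. The useful part of that check is the comparison: what is reachable versus what you intended to expose. As an added example (not from the poster), here is a POSIX shell function that reads nmap grepable output (`-oG`) and prints every open port that is not on an allowlist. The scan output and the allowlist are constructed inline using the 203.0.113.0/24 documentation range; a real run would produce the file with something like `nmap -Pn -p- -oG scan.gnmap 203.0.113.0/28` from a host outside your network.

```shell
#!/bin/sh
# Added example: diff an external nmap scan against the ports you meant to expose.
set -eu

# Allowlist of intended exposure, one "ip port/proto" per line (constructed).
ALLOWLIST='203.0.113.10 22/tcp
203.0.113.10 443/tcp
203.0.113.11 443/tcp'

# unexpected_ports FILE
# Parses nmap -oG lines ("Host: <ip> ()<TAB>Ports: <port>/<state>/<proto>/...<TAB>...")
# and prints "ip port/proto" for each OPEN port missing from ALLOWLIST.
# Lines without a Ports field (scan header, "Status: Up" lines) are skipped.
unexpected_ports() {
  awk -F'\t' '
    $1 ~ /^Host: / {
      split($1, h, " "); ip = h[2]
      for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) {
        n = split(substr($i, 8), p, ", ")
        for (j = 1; j <= n; j++) {
          split(p[j], f, "/")            # port/state/proto/owner/service/rpc/version
          if (f[2] == "open") print ip, f[1] "/" f[3]
        }
      }
    }' "$1" | while read -r ip svc; do
      printf '%s\n' "$ALLOWLIST" | grep -qxF "$ip $svc" || echo "$ip $svc"
    done
}

# Constructed scan result standing in for a real scan.gnmap file.
SCAN=$(mktemp)
trap 'rm -f "$SCAN"' EXIT
{
  printf '# Nmap 7.94 scan initiated (constructed sample)\n'
  printf 'Host: 203.0.113.10 ()\tStatus: Up\n'
  printf 'Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: filtered (997)\n'
  printf 'Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: filtered (998)\n'
} >"$SCAN"

echo "Open ports not on the allowlist:"
unexpected_ports "$SCAN"
```

Only `203.0.113.10 8080/tcp` is reported: the filtered 3389 is not reachable and the other open ports were intended. Run from cron and alert on non-empty output, and keep the allowlist in version control so a change in exposure is a reviewed change, not a surprise.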

If you have even a passing interest in being secure at home, and are able to, invest in a semi-decent router rather than relying on the one provided by your ISP. Set up a guest network for your IoT (and guests), and look into running Pi-hole - it's both extremely useful and extremely interesting!


Some of these things about SSH just seem kinda snake-oily.

People can still see open nonstandard ports and figure out what is actually on it.

A strong password is just as good as using an SSH key. Using them in combination is a somewhat good idea.

And when it comes to no root login, you can just login as a lower user and then switch to root through various means.


This might seem so obvious but:

- Keep track of all your assets that are connected to the network, make sure they are still supported and ensure they receive security updates in a timely manner.

- Don't give internet access to things that don't need internet access.

(I know, in corporate environment, it's easier said than done 😶)


On 11/5/2022 at 10:07 PM, Elched said:

In a corporate environment, if you cannot avoid using generic accounts on some systems, use a password manager that provides folder sharing capability to make passwords securely available among teams.

This will help mitigate (somewhat) password reuse, easy-to-guess generic passwords, and passwords stored in clear text 🙂

+1 - also, this approach allows OTP-based 2FA for shared accounts (at least in Keeper, 1Password...)


On 11/11/2022 at 5:11 PM, Avery said:

Some of these things about SSH just seem kinda snake-oily.

People can still see open nonstandard ports and figure out what is actually on it.

I would not say snake oil; it protects against simple mass scanning and exploitation if a 0day gets dropped. Obviously it is only an additive measure, and the basic security measures you mentioned should be implemented before thinking about these kinds of things.

I think that security through obscurity should have a place, but only if all recommended security measures are implemented.


  • 1 month later...

Most people here have focused on the hardening of individual devices, often servers. The thing is that actually implementing any technical measures is the hard part, for a variety of reasons.

Imagine you are a software company. You set up a Nexus to save bandwidth by not having to download everything from Maven AND, more importantly, to store your internal artifacts. Since you have staffing problems, you work with multiple contractors. You can't put them in your LDAP/Active Directory structure for political reasons and for fear that they would get too much access. Now suddenly you have to do account management for a couple dozen, maybe a hundred people. And your department still only consists of 3 people. You are slow to work, and someone discovers that they can use the Jenkins user to access the Nexus. Over time that knowledge spreads until most people are using that user -- and there is no more visibility into who created what.

Imagine you are an old company, maybe 70 years old. In the 90s you took your first steps towards digitalization. You were happy to discover that you had technically interested and capable people right there. They implemented a calculator thingy, holding the production function for your rubber recipes. But it is the 90s, so they did it in MS Access. The OG of low code. Great success, so they also added a payroll module. But clearly not every floor worker should access payroll info -- so you use the security features offered in MS Access 2003. Turns out they suck, so Microsoft removes them. Since you are a normal person and don't follow the Microsoft blog thoroughly, you are caught by surprise. So what do you do now:

Step 1) Hire someone to rewrite your software. Clearly the right way, but it will take some time, leading you to option:

Step 2) Stay on old MS Access versions. Works like a charm, so you put the rewrite on hold. Suddenly MS announces that Office 2003 is not supported on Win 10, leading you to

Step 3) Giving every worker a Win 7 VM + Office 2003 on their Win 10 desktop. Sometimes people slip up and surf the web on their Win 7 VM... You can imagine the rest.

First of all, I hope that those stories illustrate that every state of security, as it is now, came to be for a reason. Office politics, inertia, short-term solutions working too well, security being a cost center, staffing shortages, contracting out and not building in-house knowledge...

There may be easy-sounding technical measures. But the organizational problems existing in every organization prevent implementing even the most obvious of best practices.


  • 4 weeks later...
On 11/5/2022 at 11:53 AM, MalwareTech said:

Use non-standard ports for services. A lot of people consider it security through obscurity, but you cut down on background noise from internet scanners and may also be saved from mass exploitation in the event of a vulnerability.

Great insight! 
