Getting vaguely back on topic, if I may be excused, the latest installment of news is as follows.
You need to know that most Irish hospitals started small - built around one or a few doctors or a charitable institution. Care provided was to the recipe
Quote:
Originally Posted by Voltaire
The art of medicine consists in amusing the patient while nature cures the disease.
Then as medicine became more technical (and reliant on expensive machines) mergers occurred. There were religious divisions, but they were accommodated. Clergy power did wane in the 1990s, so we have Government run (formerly Catholic) hospitals, and the (formerly Protestant/other) Federation of Voluntary Hospitals (FVH).
Now the FVH has a different IT system and will be back soon. These are mainly hospitals in Dublin City, where the majority of Protestant/other folks dwell including my own local hospital. The other rural, and city hospitals are hit real bad and will not have all records back for weeks. There may be temporary arrangements sooner. There's just so many devices and terminals any or all of which can be booby trapped that it's not true. Presumably each type of hospital will be locked out of the other's systems. A ransom was asked for in the millions of €€ but it will not be paid. People have been warned that details of data stolen may appear online. It shows how complete the security breach was.
Not being said out loud is what's no doubt being said privately and on this forum, that this is a security failure of drastic proportions.
What is being said out loud is that it is a callous and cruel act attempting to profit from the suffering of the weak, sick and disabled. Many of these have time sensitive treatments, dialysis being the major one, but many ailments consequential to things like Down's syndrome or Spina Bifida are others. Delays on scans and inability to process them are worrisome.
We had the same thing in the NHS a couple of years ago, before the pandemic. Doctors and hospitals reverted to written notes and they seem to have managed somehow until everything came back online.
I used fail2ban in production environments, and certain development environments. I used it at home. I discovered that after a few days I was blocking most of China, half of Russia, certain areas of India and the EU, one county in the UK, about 20% of South America, and one lonely little hacker in Australia, and a couple of subnets in the USA. None of those in networks where the company had any clients!
At work it helped that we also had an excellent gateway device. Instead of some simple firewall, we had an Astaro Security Gateway with caching, malware scanning/filtering at the packet level, and Intrusion Detection. We also used MANY remote site to host VPN definitions, so clients had access ONLY to the server and account they needed services on. The ASG made a better VPN endpoint than most dedicated enterprise VPN concentrators! This started BEFORE Astaro sold their business and technology over to SOPHOS. Astaro was roughly 30 years beyond the most current Cisco technology.
Alas, we were purchased by a corporation who only understood one word about networking, and that was Cisco. They dumped all of the ASG hardware and became a hundred times more vulnerable.
The combination of an excellent gateway device (Even one cheaper than Astaro or Sophos, but more capable than Cisco) and decent security on the servers (RootKitHunter or something that provides the same benefit, and Fail2ban or other attack detection and blocking) is FAR harder for an attack to penetrate at the server level. Failing there, they are likely to direct phishing attacks and try to get a USER to give them a vector.
PS: the classic thing is one workstation gets infected, but has access to shared drives. The malware encrypts target files both locally and on the network drives, and places a signature in some of the folders so you know where to send the money. Other workstations that access those drives MAY also acquire the infections, so that it spreads around the network and to all shared storage very quickly.
Quote:
after a few days I was blocking most of China, half of Russia
I get your point, and you're not wrong, but this is hyperbole. Most of Russia, or China, is normal people like you and me.
The amount of hacking attempts from these countries (and let's not forget the so-called People's Republic of Korea) might be orders of magnitude larger than from any other country, but it will never amount to anything near what you're suggesting.
Quote:
I get your point, and you're not wrong, but this is hyperbole. Most of Russia, or China, is normal people like you and me.
The amount of hacking attempts from these countries (and let's not forget the so-called People's Republic of Korea) might be orders of magnitude larger than from any other country, but it will never amount to anything near what you're suggesting.
I cannot verify that ANY of the activity was actual attempts to hack, but they were certainly probing for vulnerability. Dictionary attacks at SSH (on remote access servers) and SSO (at web interfaces mostly) suggest they wanted to know if they COULD break in. Not that they WOULD have, but had I allowed them the discovery I would not have been justifying my pay.
Afterthought: I did not decide to block those regions, that was the automated fail2ban results due to probes.
I thought tracing and geo-ip blocks were being bypassed by, as Ser Olmy said back in post #2, attacking insecure systems from friendly places - Solar Winds being an example. The big 2016 election hack attack came from a compromised server in Africa, I seem to remember.
It seems the Internet is fast becoming a place where everyone can connect but nobody is safe.
It seems the feds (amongst others no doubt) are starting to crack down on the bad guys. Several hacker sites have gone down, and apparently a payments server has been seized - along with a crypto wallet that has ransom payments being transferred elsewhere. Tracking has started ... we may or may not hear about what actually transpires given the lack of transparency this whole sub-culture embraces.
Of course if people properly secured their systems, all would be (almost) moot.
In other news updates, we were notified that the attack was perpetrated by the Wizard Spider Group of professional criminals, all apparently based in St. Petersburg, and none of whom ever leave Russia. They seem to specialise in attacks on health services, perhaps feeling there is most to be gained there.
Apparently they principally use 3 types of malware, about which I know nothing, but the web seems to have plenty.
Trickbot (for banks, apparently)
RYUK
Conti (for medical places, it seems)
They used Conti on hse.ie and nobody has ever successfully unlocked it, from what we're being told. But it is being constantly reiterated that no ransom is being paid. I gather they will have some basic records up earlier but full restoration time is weeks/months away. The hospitals want us (patients) to bring any paper records we have to medical appointments.
I found out yesterday. I rang my local health board, and all their computer systems were down. Health boards are local places where they care for locally provided services in an area, usually employing non-medical staff. Standard staffing includes: Physiotherapist; Occupational Therapist; Public Health Nurse; ancillary staff. Staff & facilities will be tweaked to needs. Each one will have 4 or 5 PCs, all linked in to the HSE network, perhaps with restricted access, but still linked in. They can book hospital appointments, directly receive email (someone@hse.ie). If each of those PCs has to be checked for booby traps, getting techies around to them will be a challenge. Then there's the BYOD guys. Even organising a 100% check of devices will be a nightmare. Conti in particular only operates on Windows-based systems. It also uses its own bespoke encryption method.
Which is once again why I've repeatedly said, "use OpenVPN with tls-auth and digital certificates!" Never expose sshd directly to the outside world.
If you follow my advice, your impenetrable VPN also becomes hidden. You can't even begin to attack something if you can't detect that it is there. And you can never "guess" a 4,096-bit one-of-a-kind certificate nor be able to properly sign it.
Your authorized users use their individually-issued unique credentials to swiftly and easily pass through the secret passage, there to face the next challenge "beyond the portcullis." sshd lives there, and it should be "strictly certificate-based," also.
Last edited by sundialsvcs; 05-19-2021 at 10:23 AM.
Now imagine how that would work if an account that's used for remote login or a web based service is the subject of a brute force password attack. How would you log on when your account is constantly being locked?
The 4th strike freezes his screen? Or sends him to the nowhere?
Naturally the strike counts should be separate for each IP or MAC.
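The automated banning described earlier in the thread (fail2ban reacting to SSH probes) and the lockout question just raised (count strikes per source address, not per account) can be shown on a few log lines. The following is an added example written for this thread, not fail2ban's own code: it parses constructed sshd "Failed password" lines, bans a source IP once it reaches a retry limit inside a sliding time window, and contrasts that with an account-keyed count, which an attacker who merely knows a username could use to lock out its legitimate owner. The log lines, thresholds and function names are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines in syslog format; sample input for this example,
# not a real capture. 198.51.100.7 hammers root, alice mistypes once and then
# logs in with her key, bob fails once half an hour later.
SAMPLE_LOG = """\
May 18 10:00:01 gw sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
May 18 10:00:03 gw sshd[2102]: Failed password for root from 198.51.100.7 port 40123 ssh2
May 18 10:00:04 gw sshd[2103]: Failed password for alice from 203.0.113.9 port 51000 ssh2
May 18 10:00:05 gw sshd[2104]: Failed password for root from 198.51.100.7 port 40124 ssh2
May 18 10:00:09 gw sshd[2105]: Failed password for root from 198.51.100.7 port 40125 ssh2
May 18 10:00:12 gw sshd[2106]: Failed password for root from 198.51.100.7 port 40126 ssh2
May 18 10:00:20 gw sshd[2107]: Accepted publickey for alice from 203.0.113.9 port 51001 ssh2: ED25519 SHA256:constructed-fingerprint
May 18 10:30:00 gw sshd[2108]: Failed password for bob from 192.0.2.44 port 6000 ssh2
"""

# Matches the "Failed password" line sshd writes for a rejected password.
# Written from scratch here; fail2ban's own sshd filter has its own regexes.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text):
    """Yield (timestamp, user, ip) for every failed password attempt."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # syslog lines carry no year; strptime fills in 1900, which is fine
            # for comparing timestamps within one log.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("user"), m.group("ip")

def find_bans(log_text, maxretry=5, findtime=timedelta(minutes=10)):
    """Ban a source IP once it reaches maxretry failures inside findtime.
    Returns {ip: timestamp of the strike that triggered the ban}."""
    window = defaultdict(deque)
    bans = {}
    for ts, _user, ip in parse_failures(log_text):
        if ip in bans:
            continue  # already banned; later lines from it change nothing
        q = window[ip]
        q.append(ts)
        while q and ts - q[0] > findtime:
            q.popleft()  # sliding window: forget strikes older than findtime
        if len(q) >= maxretry:
            bans[ip] = ts
    return bans

def account_failures(log_text):
    """Failures keyed by account name instead of by source address."""
    counts = defaultdict(int)
    for _ts, user, _ip in parse_failures(log_text):
        counts[user] += 1
    return dict(counts)

def locked_accounts(log_text, threshold):
    """Accounts an account-keyed lockout policy would freeze; anyone who knows
    a username can trigger this against its legitimate owner."""
    return {u for u, n in account_failures(log_text).items() if n >= threshold}

if __name__ == "__main__":
    print("banned sources:", find_bans(SAMPLE_LOG))
    print("accounts a per-account lockout would freeze:", locked_accounts(SAMPLE_LOG, 3))
```

On the sample, only 198.51.100.7 is banned (its fifth strike at 10:00:12), while alice's single typo never counts against her; keying the same strikes by account would instead freeze root after the attacker's third guess, which is exactly the self-inflicted denial of service the question above worries about.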
Quote:
Originally Posted by sundialsvcs
Which is once again why I've repeatedly said, "use OpenVPN with tls-auth and digital certificates!" Never expose sshd directly to the outside world.
If you follow my advice, your impenetrable VPN also becomes hidden.
There's nothing to say they had sshd even. It looks like it was easier than that. In this country, I hardly imagine there's one Linux box on a Government system. With the EU, all major jobs have to go to tender, where cheapness and previous experience wins.
OpenVPN is a VPN; tls an authentication method(?); How would I/they implement digital certificates? And how is the VPN hidden when they login from a public-facing website?
Quote:
OpenVPN is a VPN; tls an authentication method(?); How would I/they implement digital certificates? And how is the VPN hidden when they login from a public-facing website?
tls-auth (see link ...) is an OpenVPN-specific feature which the other common VPN technologies – so far as I am aware – have not yet copied. (I have no idea why not ...) This uses a second digital certificate, shared by all authorized users, which injects a server-verifiable payload into the initial connection request. Unless the server determines that the supplicant possesses a copy of the proper certificate, it drops the packet and does not reply. It does not even bother to begin the authentication process.
This is significant, because OpenVPN [typically ...] uses the UDP protocol, rather than TCP/IP. In other words, "there are no 'sockets,'" so "there are no 'ports' to 'scan.'"
Instead, there are only one-way "datagrams." When using UDP, which is "a lower-level protocol on the 'networking stack,'" you can send a datagram to an IP address, but you never get to know if it was received. The only way that you can discover that there's anyone out there to talk to is if they send a datagram back to you. If you never receive an answer, you have no way to know whether your packet was lost in the ether, or the recipient – as in this case – declined to reply.
In this way, the OpenVPN server conceals its existence. It is now a secret door. So, the Angel of Death passes over your house because He can't find it.
Furthermore, it no longer needs to waste computer time nor resources on "unauthorized access attempts." Anyone who possesses the tls-auth credential is quite likely to be an authorized user worth introducing yourself to. It takes a trivial amount of computation to decide to ignore the rest of the incoming datagrams.
- - -
Meanwhile ...
"Digital certificates" are a unique, one-of-a-kind credential that can be issued to each individual user ... and, individually revoked. They are identified as "valid" by the TLS technique of "self-signing." (OpenVPN uses the TLS cipher stack – just as this "https" web-site does.)
If you want to present a "password challenge" to the authorized user – say, to protect against unauthorized use of a laptop left behind in an airport bathroom – you do so by encrypting the user's certificate with a password.
Any certificate can be selectively revoked – rendering it utterly useless – without affecting anyone else.
- - -
"sshd" actually does support the idea of certificates, albeit in a much more primitive way, but there is a very-fatal weakness unless you pro-actively take steps to prevent it: "it will accept the least(!) form of authentication that it is programmed to accept." If you configure it to accept certificates and the supplicant doesn't have one, "sshd" will ask them for – and accept – a simple password. Unless you tell it not to.
But in any case, "the presence of the daemon is visible to all comers." You may as well paste a bullseye-shaped target on your server, and label it: "KICK ME!" Which is precisely what millions of servers have done by putting these servers on the front line.
Last edited by sundialsvcs; 05-19-2021 at 02:40 PM.
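The "secret door" behaviour described in the post above (a shared secret that the server checks on every incoming datagram, dropping anything that fails the check without replying, so a scanner never learns the service exists) can be demonstrated with a small simulation. This is an added example written for this thread, not OpenVPN's code or wire format: tls-auth really does HMAC each control-channel packet with a pre-shared static key and carries a packet id for replay protection, but the 32-byte key, HMAC-SHA256, the datagram layout and the class names below are this example's own choices.

```python
import hmac
import hashlib
import os
import struct

# Constructed 32-byte shared secret standing in for the tls-auth static key
# (the real key file is 2048 bits); an assumption of this example.
STATIC_KEY = bytes.fromhex(
    "3b6f1d9c4e2a7f80c5d1e6b2a9f3c7d4e8b1a5c9d2f6e3a7b4c8d1e5f9a2b6c3"
)
MAC_LEN = hashlib.sha256().digest_size   # 32 bytes
HEADER = struct.Struct("!I")             # 4-byte packet id, network byte order

def seal(key, packet_id, payload):
    """Client side: datagram = packet id || HMAC(key, id || payload) || payload."""
    pid = HEADER.pack(packet_id)
    mac = hmac.new(key, pid + payload, hashlib.sha256).digest()
    return pid + mac + payload

class VpnClient:
    def __init__(self, key):
        self.key = key
        self.next_id = 1            # monotonically increasing, so replays are detectable
    def datagram(self, payload):
        d = seal(self.key, self.next_id, payload)
        self.next_id += 1
        return d

class VpnServer:
    """Accepts a datagram only if its HMAC verifies and its packet id is fresh.
    receive() returns the reply bytes, or None when the packet is dropped silently."""
    def __init__(self, key):
        self.key = key
        self.last_id = 0
        self.dropped = 0
        self.handshakes = 0
    def receive(self, datagram):
        if len(datagram) < HEADER.size + MAC_LEN:
            return self._drop()
        pid_bytes = datagram[:HEADER.size]
        mac = datagram[HEADER.size:HEADER.size + MAC_LEN]
        payload = datagram[HEADER.size + MAC_LEN:]
        expected = hmac.new(self.key, pid_bytes + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return self._drop()     # wrong or missing key: no reply at all
        (pid,) = HEADER.unpack(pid_bytes)
        if pid <= self.last_id:
            return self._drop()     # replayed datagram: also no reply
        self.last_id = pid
        if payload == b"CLIENT_HELLO":
            self.handshakes += 1
            return b"SERVER_HELLO"  # only now would the TLS handshake begin
        return b"ACK"
    def _drop(self):
        self.dropped += 1
        return None

def probe(server, count):
    """A scanner's view: send random datagrams and count how many draw a reply."""
    return sum(1 for _ in range(count) if server.receive(os.urandom(64)) is not None)

if __name__ == "__main__":
    srv, cli = VpnServer(STATIC_KEY), VpnClient(STATIC_KEY)
    print("authorized client:", srv.receive(cli.datagram(b"CLIENT_HELLO")))
    print("replies to 1000 random probes:", probe(srv, 1000))
```

The point to notice is the cost asymmetry the post mentions: rejecting a probe is one HMAC computation and a comparison, nothing is allocated per source and no state is kept for strangers, whereas a holder of the key gets a reply on the first packet.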
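The sshd caveat in the post above (it will still ask for, and accept, a password unless told not to) is easy to verify on a configuration file, because sshd's rules are simple: a directive not present takes its documented default, and when a keyword appears more than once the first value wins. The following is an added example written for this thread, not part of OpenSSH: it resolves the effective global authentication settings of an sshd_config text and flags a password fallback. The two configuration texts are constructed; per-Match overrides are deliberately not modelled (a simplification of the example), and the defaults used are sshd's documented ones.

```python
# sshd's documented defaults for the directives that decide which
# authentication methods a connecting client may attempt.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}
# ChallengeResponseAuthentication is the older name of KbdInteractiveAuthentication.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed sshd_config: the administrator turned on key authentication and
# believes passwords are off, but the first PasswordAuthentication line wins.
SAMPLE_SSHD_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication yes
PermitRootLogin yes
# the next line is ignored by sshd: the keyword already has a value
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
"""

# Constructed hardened counterpart: keys only, no password fallback of any kind.
HARDENED_SSHD_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
"""

def effective_settings(config_text):
    """Resolve the global value of each directive the way sshd does: keywords are
    case-insensitive, the FIRST occurrence wins, and a Match line ends the global
    section (per-Match overrides are not modelled here; an assumption)."""
    eff = dict(DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        key = ALIASES.get(key, key)
        if key in eff and key not in seen:
            eff[key] = value
            seen.add(key)
    return eff

def audit(config_text):
    """Return human-readable findings; an empty list means no password fallback."""
    eff = effective_settings(config_text)
    findings = []
    if eff["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication is yes: a client without a key is simply asked for a password")
    if eff["kbdinteractiveauthentication"] == "yes":
        findings.append("KbdInteractiveAuthentication is yes: password prompts can still arrive via PAM")
    if eff["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin is yes: root is exposed to the same guessing")
    if eff["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is not yes: key-based login is disabled")
    return findings

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, "->", audit(text) or ["ok"])
```

On a live host the authoritative answer comes from `sshd -T`, which prints the settings the daemon will actually use; the value of a small resolver like this one is that it can be run over configuration files in a repository before they reach a machine.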
Ah … so that is what best practice looks like. Thanks for the clear explanation.
Mind you, even if they don't get all the old data back, they won't care. The Government recently got taken to the cleaners over incorrect diagnoses of Cervical Smear tests for cancer. Scores or hundreds of Cancer cases were missed, and the Dept of Health was dragged through our (very generous) courts system. Now with this hack, the old data can no longer come back to bite them.