building a secure
play

Building a secure Kennedy bastion, or, 50 @anna_ken_ ways to kill - PowerPoint PPT Presentation

Apr 08, 2023 •31 likes •231 views

Anna Building a secure Kennedy bastion, or, 50 @anna_ken_ ways to kill your server Telenor Digital What is a bastion (jumpbox) ? Outside world bastion server server server What do we mean by secure? How do we make a custom AMI?

  1. Anna Building a secure Kennedy bastion, or, 50 @anna_ken_ ways to kill your server Telenor Digital

  2. What is a bastion (jumpbox) ? Outside world bastion server server server

  3. What do we mean by secure?

  4. How do we make a custom AMI?

  5. Technical context

  6. Ubuntu default packages $ apt list --installed Listing... Done ~2000 packages a11y-profile-manager-indicator/xenial,now 0.1.10-0ubuntu3 amd64 [installed] accountsservice/xenial-updates,now 0.6.40-2ubuntu11.3 amd64 [installed] acl/xenial,now 2.2.52-3 amd64 [installed] acpi-support/xenial,now 0.142 amd64 [installed] acpid/xenial,now 1:2.0.26-1ubuntu2 amd64 [installed] activity-log-manager/xenial-updates,now 0.9.7-0ubuntu23.16.04.1 amd64 [installed] adduser/xenial,xenial,now 3.113+nmu3ubuntu4 all [installed] adium-theme-ubuntu/xenial-updates,xenial-updates,now 0.3.4-0ubuntu1.1 all [installed] adwaita-icon-theme/xenial-updates,xenial-updates,now 3.18.0-2ubuntu3.1 all [installed] aisleriot/xenial,now 1:3.18.2-1ubuntu1 amd64 [installed] $ dpkg-query -W alien/xenial,xenial,now 8.95 all [installed,automatic] a11y-profile-manager-indicator 0.1.10-0ubuntu3 alsa-base/xenial,xenial,now 1.0.25+dfsg-0ubuntu5 all [installed] accountsservice 0.6.40-2ubuntu11.3 alsa-utils/xenial,now 1.1.0-0ubuntu5 amd64 [installed] acl 2.2.52-3 anacron/xenial,now 2.3-23 amd64 [installed] acpi-support 0.142 acpid 1:2.0.26-1ubuntu2 activity-log-manager 0.9.7-0ubuntu23.16.04.1 adduser 3.113+nmu3ubuntu4 adium-theme-ubuntu 0.3.4-0ubuntu1.1 adwaita-icon-theme 3.18.0-2ubuntu3.1 aisleriot 1:3.18.2-1ubuntu1 alien 8.95 alsa-base 1.0.25+dfsg-0ubuntu5 alsa-utils 1.1.0-0ubuntu5 anacron 2.3-23

  7. Ubuntu default packages includes: ? ● ed ● ftp ● curl ● nano ● perl ● python ● rsync ● sed ● telnet ● adduser ● screen ● wget ● apt ● tmux ● vim-common ● dpkg

  8. Just remove all optional / extra packages $ dpkg-query -Wf '${Package;-40}${Priority}\n' apt important adduser required at standard a11y-profile-manager-indicator optional dpkg-query -Wf '${Package;-40}${Priority}\n' | adium-theme-ubuntu extra awk '$2 ~ /optional|extra/ { print $1 }' | xargs -I % sudo apt-get -y purge %

  9. Turns out optional doesn’t mean optional ‘Optional’ and ‘extra’ include: cloud-init ● grub ● linux-base ● openssh-server ● resolvconf ● ubuntu-server ● (meta-package)

  10. Remove all packages that we don’t want ● ed ● curl ● ftp ● net-tools ● gawk ● perl ● nano ● python 2.7 ● rsync ● python 3 ● screen ● tar ● tmux ● vim ● wget

  11. Remove all packages that we don’t want, apart from the ones we can’t Can remove: Can’t remove: ● ed ● curl needed for consul restarts ● ftp ● net-tools needed for sshuttle ● gawk ● perl needed for ssh ● nano ● python 2.7 needed for Ansible ● rsync ● python 3 needed for AWS instance checks ● screen ● tar needed for Ansible ● tmux ● vim ● wget

  12. Restricting user capabilities Use rbash instead of bash Change all user shells to /bin/nologin Remove sudo from all users Restrict allowed commands in authorized_keys

  13. Restricting user capabilities sshuttle sshuttle Use rbash instead of bash Change all user shells to /bin/nologin sshuttle Remove sudo from all users Restrict allowed commands in authorized_keys

  14. Troubleshooting without sudo

  15. Finally, a bootable, usable AMI

  16. Install fail2ban

  17. Use 2FA

  18. Port knocking

  19. Safe and secure

  20. Anna Kennedy Thanks for @anna_ken_ listening! Telenor Digital

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CSE 291 Building Secure Systems using Programming Languages and Analysis Fall 2016 Tue/Thurs

CSE 291 Building Secure Systems using Programming Languages and Analysis Fall 2016 Tue/Thurs

CSE 291 Building Secure Systems using Programming Languages and Analysis Fall 2016 Tue/Thurs 5:00-6:20PM Deian Stefan UC San Diego Who am I? New assistant professor PhD at Stanford (Mazieres & Mitchell) I like to build secure

896 views • 50 slides
Secure Communication Secure Communication Lecture 14 Wrap-Up We saw... Symmetric-Key

Secure Communication Secure Communication Lecture 14 Wrap-Up We saw... Symmetric-Key

Secure Communication Secure Communication Lecture 14 Wrap-Up We saw... Symmetric-Key Components SKE, MAC Public-Key Components PKE, Digital Signatures Building blocks: Block-ciphers (AES), Hash-functions (SHA-3), Trapdoor PRG/OWP for PKE

1.07k views • 72 slides
CEF eI D Building Block European Com m ission DI GI T Frdric POELS STORK Secure idenTity

CEF eI D Building Block European Com m ission DI GI T Frdric POELS STORK Secure idenTity

CEF eI D Building Block European Com m ission DI GI T Frdric POELS STORK Secure idenTity acrOss boRders linKed I SA Interoperability Solutions for European Public Administrations eI DAS STORK 2 .0 Electronic Identification, Secure

793 views • 31 slides
How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

DIMACS Workshop On Secure Routing March 10, 2010 How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing Protocols? $ $ Sharon Goldberg Microsoft Research & Boston University y Michael Schapira

701 views • 54 slides
Building Secure Cultures Leigh Honeywell @hypatiadotca about me Canadian ex-Symantec,

Building Secure Cultures Leigh Honeywell @hypatiadotca about me Canadian ex-Symantec,

Building Secure Cultures Leigh Honeywell @hypatiadotca about me Canadian ex-Symantec, Microsoft Rebooted your Windows machines a few times in 2012 Now at Heroku, a Salesforce.com company move fast and break things. until this happens

445 views • 23 slides
Designing and Building Secure Software With material from Dave Levin, Mike Hicks, Adam Shostack

Designing and Building Secure Software With material from Dave Levin, Mike Hicks, Adam Shostack

Designing and Building Secure Software With material from Dave Levin, Mike Hicks, Adam Shostack Making secure software Flawed approach : Design and build software, ignore security at first Add security once the functional requirements

858 views • 39 slides
Building Secure Channels Kenny Paterson Information Security Group

Building Secure Channels Kenny Paterson Information Security Group

Building Secure Channels Kenny Paterson Information Security Group Overview Why do we need secure channels? What properties should they have?

480 views • 31 slides
Building Secure Applications Greg Ponto & Tom Shippee Presentation agenda Overview -

Building Secure Applications Greg Ponto & Tom Shippee Presentation agenda Overview -

Esri International User Conference San Diego, California Technical Workshops | July 26, 2012 Building Secure Applications Greg Ponto & Tom Shippee Presentation agenda Overview - Exploring 10.1 architecture Beginners: - Using 10.1

461 views • 28 slides
Development*Process*for*Secure* So2ware Development Processes ( Lecture outline ) Emphasis on

Development*Process*for*Secure* So2ware Development Processes ( Lecture outline ) Emphasis on

Development*Process*for*Secure* So2ware Development Processes ( Lecture outline ) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development Lifecycle

598 views • 34 slides
Linux Security for Developers Insights for building a (more) secure world Michael Boelen

Linux Security for Developers Insights for building a (more) secure world Michael Boelen

Linux Security for Developers Insights for building a (more) secure world Michael Boelen michael.boelen@cisofy.com 14 January 2016 We Love Construction 2 Image source unknown And Magic! Turning data into: - Useful output - Stable

1.14k views • 85 slides
GNUnet A network protocol stack for building secure, distributed, and privacy-preserving

GNUnet A network protocol stack for building secure, distributed, and privacy-preserving

GNUnet A network protocol stack for building secure, distributed, and privacy-preserving application FOSDEM20 Martin Schanzenbach 2/2/2020 The Internet is under attack The Internet HTTP, Facebook, Google, Libra ... DNS / X.509 TCP /

631 views • 34 slides
Building Secure Decentralized Applications the DECENT Way Haofan Zheng Xiaowei Chu University

Building Secure Decentralized Applications the DECENT Way Haofan Zheng Xiaowei Chu University

Building Secure Decentralized Applications the DECENT Way Haofan Zheng Xiaowei Chu University of California, Santa Cruz Owen Arden Remote Attestation A process for the enclave to gain the trust of a remote service, so that the remote

212 views • 18 slides
Building a Wide Reach Corpus for Secure Parser Development LangSec 2020 May 21, 2020 The Team

Building a Wide Reach Corpus for Secure Parser Development LangSec 2020 May 21, 2020 The Team

Click to add text Building a Wide Reach Corpus for Secure Parser Development LangSec 2020 May 21, 2020 The Team Chris Mattmann Tim Allison Tom Barber Wayne Burke Valentino Constantinou Edwin Goh Deputy CTO Files and Search Doer/Maker

467 views • 42 slides
Spotlight on Free Sofuware Building Blocks for a Secure Health Data Infrastructure Marcel

Spotlight on Free Sofuware Building Blocks for a Secure Health Data Infrastructure Marcel

FOSDEM 2020, Brussels Spotlight on Free Sofuware Building Blocks for a Secure Health Data Infrastructure Marcel Parciak, Markus Suhr, Tibor Kesztys, Dagmar Krefuing University Medical Center Gttjngen Department of Medical Informatjcs

624 views • 43 slides
Dont trust user input Kirk Jackson, RedShield security.ac.nz, 25 Aug 2019 Building a secure

Dont trust user input Kirk Jackson, RedShield security.ac.nz, 25 Aug 2019 Building a secure

Dont trust user input Kirk Jackson, RedShield security.ac.nz, 25 Aug 2019 Building a secure web app Vulnerability Scan Configuration Review Penetration Testing Production Proxy IDS DLP File integrity monitoring Attacks AV Web

459 views • 30 slides
Building world-class security response and secure development processes David Jorm, Senior

Building world-class security response and secure development processes David Jorm, Senior

Building world-class security response and secure development processes David Jorm, Senior Manager of Product Security, IIX #ODSummit Outline Introductjon SDN atuack surface Recent OpenDaylight vulnerabilitjes Defensive

615 views • 38 slides
BASTION: A Security Enforcement Network Stack for Container Networks Jaehyun Nam 1 , Seungsoo Lee

BASTION: A Security Enforcement Network Stack for Container Networks Jaehyun Nam 1 , Seungsoo Lee

BASTION: A Security Enforcement Network Stack for Container Networks Jaehyun Nam 1 , Seungsoo Lee 1 , Hyunmin Seo 1 , Phillip Porras 2 , Vinod Yegneswaran 2 , and Seungwon Shin 1 KAIST 1 and SRI International 2 The state of Container Security

800 views • 24 slides
Fundamentals of Fluid Dynamics: Ideal Flow Theory & Basic Aerodynamics Introductory Course on

Fundamentals of Fluid Dynamics: Ideal Flow Theory & Basic Aerodynamics Introductory Course on

Introduction Ideal flow theory Vorticity of flow Basic aerodynamics Fundamentals of Fluid Dynamics: Ideal Flow Theory & Basic Aerodynamics Introductory Course on Multiphysics Modelling T OMASZ G. Z IELI NSKI (after: D.J. A CHESON s

918 views • 87 slides
Video in the Interface Video: the BEST * modality As passive or active as needed Simple

Video in the Interface Video: the BEST * modality As passive or active as needed Simple

Video in the Interface Video: the BEST * modality As passive or active as needed Simple directional localization Line-of-sight supports see/be seen paradigm (within visible spectrum) Rich sensor * According to a vision

599 views • 37 slides
Data Selection Workshop: Welcome, Overview, Goals Josh Klein, Penn Welcome to Penn First

Data Selection Workshop: Welcome, Overview, Goals Josh Klein, Penn Welcome to Penn First

Data Selection Workshop: Welcome, Overview, Goals Josh Klein, Penn Welcome to Penn First University in the US, Ben Franklin, ENIAC, blah blah blah Overview Data Selection is hierarchical Trigger Primitives generated at front-end

1.49k views • 52 slides
Terraform Colonise the cloud! Stefan Magnus Landr, BEKK Consulting AS ApacheCon North America

Terraform Colonise the cloud! Stefan Magnus Landr, BEKK Consulting AS ApacheCon North America

Terraform Colonise the cloud! Stefan Magnus Landr, BEKK Consulting AS ApacheCon North America 2017 - 17. May 2017 1 Terraform Commandline tool (go) (OS X, Windows, Linux, ) Developed by Hashicorp (Vagrant, Packer, Consul, Nomad)

1.07k views • 17 slides
Execution Secure Processors Eurocrypt May 1 st , 2017 Rafael Pass, Elaine Shi, Florian Tramr

Execution Secure Processors Eurocrypt May 1 st , 2017 Rafael Pass, Elaine Shi, Florian Tramr

Formal Abstractions for Attested Execution Secure Processors Eurocrypt May 1 st , 2017 Rafael Pass, Elaine Shi, Florian Tramr Trusted hardware: Different communities, different world views 2 Trusted hardware: Different communities,

929 views • 72 slides
CS 378: Autonomous Intelligent Robotics (FRI) Dr. Todd Hester Are there any questions? Talks

CS 378: Autonomous Intelligent Robotics (FRI) Dr. Todd Hester Are there any questions? Talks

CS 378: Autonomous Intelligent Robotics (FRI) Dr. Todd Hester Are there any questions? Talks Keith Sullivan Hierarchical Multiagent Learning from Demonstration Junaed Sattar A Multimodal Approach Towards Robust Human- machine

480 views • 24 slides
Introduction to Trusted Computing Pieter Maene , Johannes G otzfried, Ruan de Clercq, Tilo M

Introduction to Trusted Computing Pieter Maene , Johannes G otzfried, Ruan de Clercq, Tilo M

Introduction to Trusted Computing Pieter Maene , Johannes G otzfried, Ruan de Clercq, Tilo M uller, Felix Freiling, and Ingrid Verbauwhede 1 KU Leuven/COSIC, Belgium 2 FAU Erlangen-N urnberg, Germany January 31, 2017 Trusted Computing 2

723 views • 35 slides

More recommend