Feed your firewalls

So as a few of you know I’m this crusty old Sys Admin dude. I have a number of machines that I look after, and they are nearly all Linux machines. They are on pretty much twenty four seven, this site is an example of such an endeavor.

But the internet has a problem – it’s the continual attack on any machine (Mac, Windows Linux, Unix or something else) and any service that said machine might be running.

It’s not uncommon for someone to attempt to attack this machine every day. Probably the worst I’ve seen is about 30 thousand attempts in one day. Typically it’s about 1-3 K, and I have been whittling this number down … there is a way to manage this.

1 Record what the offending ip addresses are (the auth log is your friend in this instance)
2 Add these offending addresses to the firewall “or better” so that they will never have any access, even if it is just to rattle the locks on the doors of your computers.

Typically the command to block an ip address is something like this; it’s not a complex thing.

sudo iptables -A INPUT -s 10.1.1.1/32 -j DROP

People are concerned that one may block out legitimate traffic (and admittedly this is important, especially if you accidentally add your own ip address!… do you have physical access to the machine? A plan B?). But don’t let me scare you, what I’m talking about is not complex (just take care!).
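As an added example (not the original post’s code), here is the two-step process above as a small POSIX shell script: it pulls the offending addresses out of sshd “Failed password” lines in an auth log, skips an allowlist so your own address never ends up in a rule, and prints the iptables DROP commands for review instead of running them. The log lines, the threshold and all addresses are constructed.

```sh
# Added example, not the original post's code: build a block list from sshd
# "Failed password" lines in an auth log, skipping an allowlist so your own
# address never lands in a DROP rule. Paths, thresholds and IPs are assumptions.

# Constructed sample auth.log lines (stand-in for /var/log/auth.log)
SAMPLE_LOG=$(cat <<'EOF'
Mar  3 10:01:12 host sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:15 host sshd[1201]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:01:19 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 10:02:01 host sshd[1210]: Failed password for alice from 198.51.100.22 port 40000 ssh2
Mar  3 10:02:30 host sshd[1215]: Failed password for invalid user test from 192.0.2.9 port 2222 ssh2
Mar  3 10:02:31 host sshd[1215]: Failed password for invalid user test from 192.0.2.9 port 2223 ssh2
Mar  3 10:02:32 host sshd[1215]: Failed password for invalid user test from 192.0.2.9 port 2224 ssh2
Mar  3 10:03:00 host sshd[1220]: Accepted publickey for alice from 198.51.100.22 port 40010 ssh2
EOF
)

# Addresses that must never be blocked (your own network; assumed values).
ALLOWLIST="198.51.100.22 10.1.1.1"

# offenders LOGTEXT THRESHOLD: print each source IP with at least THRESHOLD failures.
offenders() {
    printf '%s\n' "$1" \
      | sed -n 's/.*Failed password for .* from \([0-9.]*\) port.*/\1/p' \
      | sort | uniq -c \
      | awk -v t="$2" '$1 >= t { print $2 }'
}

# is_allowed IP: true when IP is on the allowlist.
is_allowed() {
    for a in $ALLOWLIST; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

# block_rules LOGTEXT THRESHOLD: emit one iptables DROP command per offending IP
# that is not allowlisted. Printed, not executed: review first, then pipe to sudo sh.
block_rules() {
    for ip in $(offenders "$1" "$2"); do
        if is_allowed "$ip"; then
            echo "# skipping allowlisted $ip" >&2
        else
            echo "iptables -A INPUT -s $ip/32 -j DROP"
        fi
    done
}

block_rules "$SAMPLE_LOG" 3
```

On a real machine replace the constructed text with `$(cat /var/log/auth.log)` and put your own addresses in ALLOWLIST before letting the output anywhere near a shell.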

When you think about it there are 4,294,967,296 usable version 4 ip addresses. My current block list on this small machine is about 880 of these… that is about 0.0000204891% of all available ip v4 addresses. It’s not much and my machine is rather low tech.

But the problem is routers. My own network is based on a router that is controlled by my isp. I don’t really have total control over this machine, but it would be good if I could manage that process a bit. But the isp says no – you can have 3 settings!

The upshot is, if I’m serious about security and running my own server from home … I have to manage the abuse at the machine level or add an additional router!?

It would be better to manage it at the router level because then every machine behind that router / firewall would be protected. But we haven’t really made this jump. I also understand that segmenting the internet is not a good thing, but I’m happy with my 0.0000204891% reduction. I don’t feel bad about this.

One ring – not a good idea!

There was a fairly famous post once about how Sys Admins are lazy by nature and that automating things is a good habit to have – thus supporting the lazy label. But have we got too lazy, and is that laziness creating environments that are vulnerable?

The reason for this post is that over the last few years I’ve been reading about systems that are designed to “Run the whole network”, “Manage all users and applications”. The problem is, when these systems go wrong you have a huge clean up job – let’s look at a couple of examples.

SolarWinds Hack
This was what is known as a “supply chain breach”: it is effectively where the software is hacked at the source level (in other words at the SolarWinds development space) and that compromised software is distributed in good faith by the company. This created a situation where one piece of software, which gave some users “God” access to the network and all the machines and all the users, was compromised (More than 30,000 public and private organisations)! You can read about it in detail on this page.

One of the problems is this attitude of “Single sign on”, one place to do everything. It’s a lovely concept isn’t it? It means that one machine can control all the services and all the users and all the groups and all the network and… well you get the picture. It means that you can have fewer staff, fewer skill sets to train and, you know, just be lazy.

But let’s look at the NotPetya attack. If you want to have a few nightmares, read up about what happened to the international company that had 150 domain controllers compromised, and the insane amount of money it took to clear this up. It’s one of the few times where slow internet probably saved a multinational company billions.

As someone who is interested in IT security and sysadmin, I keep coming back to the responsibility of an inquisitive person who knows the network, the machines and what they are all up to.

AI, automation, constant monitoring, automated alerts etc. are all important and on one level mind blowing. But we still need human intelligence and awareness. How much space is on that server? What is the network throughput on a day to day basis? Has there been a change? If so – go investigate it! NOW


Related links


Notpetya
https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/

SolarWinds

https://www.techtarget.com/whatis/feature/SolarWinds-hack-explained-Everything-you-need-to-know


Did Sundar Pichai lie to Congress, or just use weasel words?

So I’ve been thinking about this for a while now. Operation Aurora was an attack on Google and a number of other companies and it is believed that it was a Chinese state sponsored attack. This was publicly disclosed by Google on January 12, 2010.

If we look at a basic time line: Sundar Pichai started at Google in 2004.

Listen to Sundar Pichai’s comment when asked by Congress (around or on, July 30 2020).

“Do you believe that the Chinese government steals technology from US companies?”

His response…
“I have no first hand knowledge of information stolen from Google”.

That blog post with the disclosure was written on January 12, 2010. As a tech person I remember hearing about it – it was all over the place; surely he read this as well?

If we look at the original disclosure from Google we find the words
“we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google” (bold text by me).

On a personal level I’m sort of amazed that he got away with this answer (you know, CEO of Google and all that) but maybe the politicians should have been more specific, better informed, or maybe Mr Pichai … {feel free to fill in this blank}?

So there you have it – what do you think?
Did Sundar Pichai lie to Congress, or just use weasel words?

Related links
Wikipedia article
Sundar Pichai https://en.wikipedia.org/wiki/Sundar_Pichai

Original Google Disclosure
https://googleblog.blogspot.com/2010/01/new-approach-to-china.html

Operation Aurora
https://en.wikipedia.org/wiki/Operation_Aurora

Tech giants face grilling by Congress | ABC News
https://googleblog.blogspot.com/2010/01/new-approach-to-china.html