How far reaching vulnerabilities can go
by Sven Vermeulen, post on Tue 09 April 2013
If you follow the news a bit, you know that PostgreSQL has had a significant security vulnerability. The PostgreSQL team announced it up front and communicated how they would deal with the vulnerability (which basically comes down to saying that it is severe, that the public repositories will be temporarily …
Using stunnel for mutual authentication
by Sven Vermeulen, post on Sat 08 December 2012
Sometimes services do not support SSL/TLS, or if they do, they do not support using mutual authentication (i.e. requesting that the client also provides a certificate which is trusted by the service). If that is a requirement in your architecture, you can use stunnel to provide this additional …
Perimeter security testing
by Sven Vermeulen, post on Tue 28 August 2012
I've been asked a few times how I would do perimeter security testing. Personally, I'm not an offensive security guy, more a defensive one, meaning I'm more about security-related defensive methods rather than PEN testing of any kind. But still, even in a defensive position, having a "view" on how …
Hardening the Linux kernel updates
by Sven Vermeulen, post on Sat 21 July 2012
Thanks to a comment by Andy, the guide now has information about additional settings: stackprotector, read-only data, restrict access to /dev/mem, disable /proc/kcore and restrict kernel syslog (dmesg). One suggestion he made didn't make it to the guide (about CONFIG_DEBUG_STACKOVERFLOW) since I can't find any resources about the …
Hardening the Linux kernel
by Sven Vermeulen, post on Fri 20 July 2012
I have moved out the kernel configuration settings (and sysctl stuff) from the Hardening Gentoo Linux benchmark into its own Hardening the Linux kernel guide. It covers some common hardening-related kernel configuration entries (although I'm sure I'm missing a lot of them still) as well as grSecurity and PaX settings …
Hardening OpenSSH
by Sven Vermeulen, post on Wed 18 July 2012
A while ago I wrote about a Gentoo Security Benchmark which would talk about hardening a Gentoo Linux installation. Within that document, I was documenting how to harden specific services as well. However, I recently changed my mind and wanted to move the hardening stuff for the services in separate …
Why both chroot and SELinux?
by Sven Vermeulen, post on Sun 15 April 2012
In my previous post, a very valid question was raised by Alexander E. Patrakov: why still use chroot if you have SELinux?
Both chroot (especially with the additional restrictions that grSecurity enables on chroots that make it more difficult to break out of a chroot) and SELinux try to isolate …
Mitigating risks, part 5 - application firewalls
by Sven Vermeulen, post on Wed 05 October 2011
The last isolation-related aspect on risk mitigation is called application firewalls. Like more "regular" firewalls, its purpose is to be put in front of a service, controlling which data/connections get through and which don't. But unlike these regular firewalls, application firewalls work on higher-level protocols (like HTTP, FTP) that …
Mitigating risks, part 4 - Mandatory Access Control
by Sven Vermeulen, post on Fri 23 September 2011
I've talked about service isolation earlier and the risks that it helps to mitigate. However, many applications still run as highly privileged accounts, or can be abused to execute more functions than intended. Service isolation doesn't help there, and system hardening can only go that far. The additional countermeasures that …
Mitigating risks, part 3 - hardening
by Sven Vermeulen, post on Tue 13 September 2011
While I'm writing this post, my neighbor is shouting. He's shouting so hard that I was almost writing with CAPS on to make sure you could read me. But don't worry, he's not fighting - it is how he expresses his (positive) feelings about his religion.
Security is, for some, also …