JSHIELDER AUTOMATED HARDENING SCRIPT FOR LINUX SERVERS

JSHielder is an Open Source tool developed to help SysAdmins and developers secure the Linux servers on which they will be deploying web applications or services. According to information security experts, this tool automates the process of installing all the packages needed to host a web application and hardening the Linux server with little interaction from the user. The newly added script follows CIS Benchmark guidance to establish a secure configuration posture for Linux systems.


This tool is a Bash script that hardens Linux server security automatically; the steps it follows are:

  • Configures a hostname
  • Reconfigures the timezone
  • Updates the entire system
  • Creates a new admin user so you can manage your server safely without making remote connections as root
  • Helps the user generate secure RSA keys, so that remote access to your server is done exclusively from your local PC and no conventional password is used
  • Configures, optimizes and secures the SSH server (some settings follow the CIS Benchmark for Ubuntu 16.04)
  • Configures IPTABLES rules to protect the server from common attacks
  • Protects the server against brute force attacks by installing and configuring fail2ban
  • Stops port scans by blocking intrusive IPs via IPTABLES using portsentry
  • Installs, configures and optimizes MySQL
  • Installs the Apache web server
  • Installs, configures and secures PHP
  • Secures Apache via its configuration file and by installing the modules ModSecurity, ModEvasive, Qos and SpamHaus
  • Installs RootKit Hunter
  • Secures the root home and GRUB configuration files
  • Installs Unhide to help detect malicious hidden processes
  • Installs Tiger, a security auditing and intrusion prevention system
  • Restricts access to Apache config files
  • Disables compilers
  • Creates a daily cron job for system updates
  • Kernel hardening via a sysctl configuration file (tweaked)

Other Hardening Steps

  • Added PHP Suhosin installation to protect PHP code and core against known and unknown flaws (removed on Ubuntu 16.04)
  • Use of Function for code execution customization
  • Distro Selection Menu
  • Function Selection Menu
  • Deployment Selection Menu (LAMP, LEMP, Reverse Proxy)
  • Added LEMP Deployment with ModSecurity
  • Added /tmp folder Hardening
  • Added PSAD IDS installation
  • Added Process Accounting
  • Added Unattended Upgrades
  • Added MOTD and Banners for Unauthorized access
  • Disable USB Support for Improved Security (Optional)
  • Restrictive Default UMASK
  • Added Additional Hardening Steps
  • Auditd install
  • Sysstat install
  • ArpWatch install
  • Hardening steps following CIS Benchmark
  • Secures Cron
  • Disables Unused Filesystems and Uncommon Network protocols
  • Configure Auditd rules following CIS benchmark (Ubuntu 16.04)
  • Automates the process of setting a GRUB Bootloader Password
  • Secures Boot Settings
  • Sets Secure File Permissions for Critical System Files

New function

A separate hardening script following CIS Benchmark guidance, https://www.cisecurity.org/benchmark/ubuntu_linux/ (Ubuntu 16.04).

To run the tool, as the root user:

./jshielder.sh

If you have problems, please open a new issue for JShielder on GitHub.

Distro Availability

Ubuntu Server 14.04 LTS

Ubuntu Server 16.04 LTS

After the final release of Ubuntu 18.04 LTS, JShielder will no longer be maintained for Ubuntu 14.04, information security researchers said. It will focus on the last 2 major LTS releases.

Posted in Uncategorized | Leave a comment

VULNERABILITY IN OUTLOOK LET HACKERS TO STEAL PASSWORD HASHES

Most people rely on an Outlook email address for work-related as well as personal tasks. Unfortunately, Outlook may not be as secure as we users would like to think. According to a report published by information security training experts at the Carnegie Mellon Software Engineering Institute, Outlook has a security bug that can leak password hashes when users preview Rich Text Format emails that contain remotely hosted OLE objects.


This security vulnerability exists because the Redmond giant doesn’t use strict content verification and restrictions when loading items from a remote SMB server. On the other hand, the same vulnerability cannot be exploited when accessing web-hosted content as Microsoft applies much stricter restrictions when dealing with this type of content.

Outlook doesn’t load web-hosted images in emails in order to protect users’ IP addresses. However, when users access RTF email messages that contain OLE objects loaded from a remote SMB server, Outlook does load the respective images.

This leads to a series of leaks that include the IP address, domain name, and more, as the report explains:

Outlook blocks remote web content due to the privacy risk of web bugs. But with a rich text email, the OLE object is loaded with no user interaction… Here we can see that an SMB connection is being automatically negotiated. The only action that triggers this negotiation is Outlook previewing an email that is sent to it… I can see that the following things are being leaked: IP address, domain name, user name, host name, SMB session key. A remote OLE object in a rich text email message functions like a web bug on steroids.


Microsoft has partially fixed the problem, rolling out a hotfix on Patch Tuesday for this security issue. According to information security training experts, this solution is not 100% safe, as it fails to block all remote SMB attacks.

Once this fix is installed, previewed email messages will no longer automatically connect to remote SMB servers. This fix helps to prevent the attacks outlined above. It is important to realize that even with this patch, a user is still a single click away from falling victim to the types of attacks described above. For example, if an email message has a UNC-style link that begins with “\\”, clicking the link initiates an SMB connection to the specified server.


NJRAT UPGRADED TO PUSH LIME RANSOMWARE AND A BITCOIN WALLET STEALER

The njRAT, also known as Bladabindi, has been upgraded to push Lime Ransomware and a Bitcoin wallet stealer. According to a Zscaler blog post, this trojan was first spotted in 2013 and has remained one of the most prevalent malware families, using multiple .NET obfuscation tools that make detection difficult for antivirus solutions and hinder analysis by information security training researchers.

The malware is built on the Microsoft .NET framework, and its layered .NET obfuscation is what frustrates both antivirus detection and manual analysis by security researchers.


The malware also uses dynamic DNS for its command-and-control (C2) servers and communicates using a custom TCP protocol over a configurable port, the blog said.

Deepen Desai, Zscaler’s senior director for information security training research and operations, said the source of the malware is unclear, but that researchers know the payload is being served from a server in Australia that hosts a compromised site.

Seventy percent of the users affected were in South America, while the remaining 30 percent were in North America. The new RAT variant added ransomware and Bitcoin wallet stealing features which appear to contradict each other in practice.

“This is an interesting development, especially the ransomware feature, given that RATs by nature operate in stealth,” Desai said. “Ransomware on the other hand will reveal the infection.”

The information security training professional added that the author is taking a shortcut by stealing existing wallets, but said he wouldn’t be surprised if the author also adds support for mining Bitcoin on the compromised system in future variants.

The njRAT variant has the capability of performing ARME and Slowloris DDoS attacks.

The information security training experts described Slowloris as an attack tool designed to let a single machine take down a web server using minimal bandwidth: it sends many partial HTTP requests and keeps as many connections to the target server open, and held open, for as long as possible.
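Detection logic for the traffic shape just described, as an added example that is not part of the Zscaler post or the njRAT code: a source that keeps many connections open for a long time without ever completing its request headers. The connection snapshot is constructed; on a real server it would come from the web server's status page or scoreboard.

```python
"""Flag clients holding many half-open HTTP requests, the traffic shape Slowloris
produces (it trickles partial headers to keep sockets open, never finishing the
request). Added example, not code from Zscaler or njRAT; the snapshot is constructed."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Conn:
    client_ip: str
    age_s: float            # seconds since the TCP connection was accepted
    headers_complete: bool  # True once the blank line ending the headers has arrived

def find_slowloris_clients(conns, min_age_s=30.0, min_incomplete=20):
    """Return {client_ip: count} for clients with at least min_incomplete connections
    that have been open for min_age_s or longer without completing request headers.
    A slow but honest client holds a handful of such sockets; Slowloris holds hundreds,
    so the count per source, not any single slow request, is the signal."""
    stale = defaultdict(int)
    for c in conns:
        if not c.headers_complete and c.age_s >= min_age_s:
            stale[c.client_ip] += 1
    return {ip: n for ip, n in stale.items() if n >= min_incomplete}

# Constructed snapshot (in practice taken from the web server's status/scoreboard):
# 198.51.100.7 holds 25 stale half-open requests, 203.0.113.9 has three slow but
# plausible ones, and 192.0.2.4 is a healthy client with one request still in flight.
SNAPSHOT = (
    [Conn("198.51.100.7", 40.0 + i, False) for i in range(25)]
    + [Conn("203.0.113.9", 45.0, False) for _ in range(3)]
    + [Conn("192.0.2.4", 2.0, True) for _ in range(10)]
    + [Conn("192.0.2.4", 1.0, False)]
)

if __name__ == "__main__":
    for ip, n in find_slowloris_clients(SNAPSHOT).items():
        print(f"{ip}: {n} half-open requests older than 30s")
```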

“The malware also has a WORM functionality to spread through USB that enumerates the files and folders on the hard drive,” analysts said in the post. “Once it detects the USB drive inserted into the system, it copies itself to the USB drive and creates a shortcut using the folder icon.”

The information security training professionals recommend that the best way to prevent infection is for users to follow standard security best practices when handling e-mails from external sources, as the malware is known to spread via malicious email links.


SEARS AND DELTA AIR LINES CUSTOMER DATA HAVE BEEN EXPOSED

Personal data and payment information of Sears and Delta Air Lines customers may have been exposed in a data breach last year.

Sears and Delta said they were informed last month that some of their customers’ credit card information might have been compromised during online chat support provided by a software company called [24]7.ai. Information security training analysts from both companies said the affected transactions were made from September to October of 2017.


Sears Holding Corp (SHLD) said that data from “less than 100,000” customers might have been exposed, but that customers using Sears-branded credit cards were not affected. Delta Air Lines (DAL) did not say how many customers were affected.

“At this point, even though only a small subset of our customers would have been exposed, we cannot say definitively whether any of our customers’ information was actually accessed or subsequently compromised,” information security training professional at Delta said in a statement.

The companies said that law enforcement authorities have been notified.

“We are confident that the platform is secure, and we are working diligently with our clients to determine if any of their customer information was accessed,” said [24]7.ai, in a statement.

Delta said that customers will not be held responsible for any fraudulent activity carried out with their compromised information. The airline launched a web site providing information on the cyber incident.

Information security training expert Brian Krebs tweeted about the breach on Wednesday: “In general I’d say these online chat features are a major cyber security liability for most corporations, esp. for threat from social engineering.”


ANDROID MALWARE IN QR READER APPS ON PLAY STORE

The information security researchers at SophosLabs have discovered a new Android malware in seemingly harmless QR reader apps on Google Play Store. The malware has been developed to flood Android devices with large screen ads to generate revenue for attackers.


Labeled Andr/HiddnAd-AJ by the information security training researchers, the malware was found in six QR code reader apps and one smart compass app. All the infected apps made it onto the Play Store by evading Google’s Play Protect, the service Google developed to further strengthen the security of systems running Android.

As per analysis, the malware works in such a way that once it infects the device, it waits up to six hours to start spamming the device with irritating large screen advertisements and notifications containing clickable links, all to generate as much revenue as possible.

“The adware part of each app was embedded in what looks at first sight like a standard Android programming library that was itself embedded in the app. By adding an innocent-looking “graphics” subcomponent to a collection of programming routines that you’d expect to find in a regular Android program, the adware engine inside the app is effectively hiding in plain sight,” wrote the information security training professional Paul Ducklin of SophosLabs.


The malware-infected apps were reported to Google, which quickly removed them before further damage was done. However, some of the apps had already been downloaded over 500,000 times.

If you have downloaded any of these apps, remove them right now. Moreover, the only safe place for Android users to look for clean apps is still the Play Store; even so, avoid downloading unnecessary apps. Information security training experts also recommend sticking to Google Play if possible.


MONGODB HACKED IN 13 SECONDS

For the last couple of years, hackers have been exploiting unprotected MongoDB based servers to steal data and hold the exposed databases for ransom. Hackers leaked 36 million records of internal data collected from several vulnerable servers.

The information security training researchers from German firm Kromtech conducted an experiment in which they purposely left a MongoDB database exposed to the public and kept an eye on the incoming connections, to determine and measure the depth of attacks against MongoDB.


The seriousness of the matter can be understood from the fact that in 2015 John Matherly of Shodan, the world’s first search engine for IoT devices, revealed that there were over 30,000 unprotected MongoDB databases exposed to public access.

The honeypot (a security mechanism set to detect and counteract attempts at unauthorized use of information systems) database contained 30GB of fake data. It took only three hours for hackers to identify the database before wiping out its data in just 13 seconds and leaving a ransom note demanding 0.2 Bitcoin according to Kromtech’s post.


In 2017, hackers held several MongoDB databases for ransom and demanded 0.2 Bitcoin in return. It is unclear if the hackers who took over the honeypot database are part of the same group. However, according to Kromtech’s Chief Communication Officer Bob Diachenko, the attack on their database has been traced back to China.

The information security training researchers are certain that only an automated script can complete such a task within 13 seconds.

Information security analysts from Kromtech noted “The attacker connects to our database first, then drops the databases to delete them, drops the Journals to erase their tracks, creates a database called Warning with Readme collection and the Solution Record, then drops the Journals again to cover their tracks. This was all completed in just thirteen seconds, leading to the conclusion that this was the work of an automated script”.
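A detector for the sequence quoted above, as an added example that is not Kromtech's code: it reads mongod-style log lines, ties each connection id to its source IP, and flags a connection that drops several databases and then writes to a "Warning" database within a short window. The log lines are constructed to imitate the mongod 3.x log format; the "Warning" and "Readme" names come from the quote.

```python
"""Flag the wipe-and-ransom sequence the Kromtech honeypot recorded: one connection
drops every database, then creates a 'Warning' database with a 'Readme' collection.
Added example, not Kromtech's code; the log lines are constructed in mongod 3.x style."""
import re
from collections import defaultdict
from datetime import datetime

TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"   # mongod: 2018-04-04T10:15:01.000+0000
CONN_RE = re.compile(r"^(?P<ts>\S+) I NETWORK\s+\[\w+\] connection accepted "
                     r"from (?P<ip>[\d.]+):\d+ #(?P<conn>\d+)")
CMD_RE = re.compile(r"^(?P<ts>\S+) I COMMAND\s+\[conn(?P<conn>\d+)\] command "
                    r"(?P<ns>\S+) command: (?P<cmd>\w+)")

def find_ransom_wipes(lines, min_drops=2, window_s=60):
    """Return [(source_ip, dropped_dbs, seconds)] for each connection that dropped
    at least min_drops databases and then wrote to a 'Warning' database within
    window_s seconds of its first drop (a tighter window catches scripted wipes)."""
    conn_ip, events = {}, defaultdict(list)   # conn id -> ip, conn id -> [(t, cmd, db)]
    for line in lines:
        m = CONN_RE.match(line)
        if m:
            conn_ip[m["conn"]] = m["ip"]
            continue
        m = CMD_RE.match(line)
        if m:   # the namespace prefix ("customers.$cmd") names the target database
            db = m["ns"].split(".", 1)[0]
            events[m["conn"]].append((datetime.strptime(m["ts"], TS_FMT), m["cmd"], db))
    hits = []
    for conn, evs in events.items():
        drops = [(t, db) for t, cmd, db in evs if cmd == "dropDatabase"]
        notes = [t for t, cmd, db in evs if cmd in ("create", "insert") and db == "Warning"]
        if len(drops) >= min_drops and notes:
            elapsed = (max(notes) - min(t for t, _ in drops)).total_seconds()
            if 0 <= elapsed <= window_s:
                hits.append((conn_ip.get(conn, "unknown"), sorted(db for _, db in drops), elapsed))
    return hits

# Constructed sample: conn12 wipes two databases and leaves the note in 8 seconds;
# conn13 drops one database without a note and must not be flagged.
SAMPLE_LOG = """\
2018-04-04T10:15:01.000+0000 I NETWORK  [listener] connection accepted from 203.0.113.45:51234 #12 (1 connection now open)
2018-04-04T10:15:02.000+0000 I COMMAND  [conn12] command customers.$cmd command: dropDatabase { dropDatabase: 1 } 0ms
2018-04-04T10:15:05.000+0000 I COMMAND  [conn12] command orders.$cmd command: dropDatabase { dropDatabase: 1 } 0ms
2018-04-04T10:15:10.000+0000 I COMMAND  [conn12] command Warning.Readme command: insert { insert: "Readme", documents: [ { Solution: "..." } ] } 0ms
2018-04-04T10:16:00.000+0000 I NETWORK  [listener] connection accepted from 10.0.0.8:40000 #13 (2 connections now open)
2018-04-04T10:16:01.000+0000 I COMMAND  [conn13] command staging.$cmd command: dropDatabase { dropDatabase: 1 } 0ms
""".splitlines()

if __name__ == "__main__":
    print(find_ransom_wipes(SAMPLE_LOG))
```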


The information security training experts are advising users to secure their databases, since exposed MongoDB servers are still at risk. Another important aspect of the ransom attacks against MongoDB is that the hackers simply delete the database, so even if the victim pays them, the data will never be returned.


PUERTO RICO POWER UTILITY HACKED

Puerto Rico’s power utility, PREPA, said on Monday that it had been hacked over the weekend, but that customer information was not compromised.

The computer infrastructure of PREPA, as the Puerto Rico Electric Power Authority is known, suffered a cyber attack on Sunday night, Executive Director Justo Gonzalez Torres said in a statement.


PREPA’s customer service system was not affected and customer information was not at risk, the information security training researchers said, though the attack led to longer wait times at its service center.

“In these moments we are protecting the systems and working to resolve the situation,” Gonzalez said, adding that investigations into the source of the hack were ongoing.

It is the latest in a series of headaches for PREPA, which last year filed a form of U.S. bankruptcy to shed some $9 billion in debt. Four months later, in September, its grid was virtually destroyed when Hurricane Maria hit Puerto Rico, knocking out power to all 3.4 million residents of the U.S. commonwealth.

A spokesman for Puerto Rico Governor Ricardo Rossello has announced plans to privatize PREPA, which is burdened by outdated infrastructure and years of bloated administrative spending.

The news comes on the heels of U.S. President Donald Trump’s blaming the Russian government last week for a campaign of cyber attacks targeting the U.S. power grid.

As of Monday evening, there was no indication that Russia was to blame for PREPA’s hack. When asked about potential sources of the attack, a spokesman for PREPA said the matter was “being investigated and referred to the relevant authorities,” declining to say who those information security training researchers and authorities were.
