by peter


The NCSC forbids running Kali, Parrot or any other pentesting-focused distribution within a Cyber Essentials certified organisation.

As per an email from IASME: “Pentesting machines running dedicated software for example Kali Linux or Parrot OS are not compliant for Cyber Essentials and should be moved to a separate Sub-Set.”

That being said:

1. Perform System Updates

Updating your system frequently is the single biggest security precaution you can take for any operating system. Software updates range from critical vulnerability patches to minor bug fixes, and many software vulnerabilities are patched by the time they become public. Updating also gives you the latest software versions available for your distribution.

Kali Linux:

apt update && apt upgrade

When updating some packages, you may be prompted to use updated configuration files. If prompted, it is typically safer to keep the locally installed version.

2. Set the Timezone

Most new Linux systems are set to UTC time by default. However, you may prefer to use the time zone which you live in so log file timestamps are relative to your local time.

Open the tzdata tool.

dpkg-reconfigure tzdata

Select the continent of your choice using the arrow keys and press Enter.

Check the Time

Use the date command to view the current date and time according to your server.

root@localhost:~# date
Thu Mar 1 10:10:23 GMT 2016

3. Configure a Custom Hostname

A hostname is used to identify your system using an easy-to-remember name. It can be descriptive and structured (detailing what the system is used for) or a generic word or phrase. Here are some examples of hostnames:

Descriptive and/or Structured: web, staging, blog, or something more structured like [purpose]-[number]-[environment] (ex: web-01-prod).

Generic/Series: Such as the name of a fruit (apple, watermelon), a planet (mercury, venus), or animal (leopard, sloth).

This hostname can be used as part of a FQDN (fully qualified domain name) for the system (ex: web-01-prod.example.com).

After you’ve made the change below, you may need to log out and log back in again to see the terminal prompt change from localhost to your new hostname. The command hostname should also show it correctly. See our guide on using the hosts file if you want to configure a fully qualified domain name.

Replace example-hostname with one of your choice.

hostnamectl set-hostname example-hostname

Update Your System’s hosts File

The hosts file creates static associations between IP addresses and hostnames or domains which the system prioritizes before DNS for name resolution.

Open the hosts file in a text editor, such as Nano.

nano /etc/hosts

Add a line for your system's IP address. You can associate this address with your Fully Qualified Domain Name (FQDN) if you have one, and with the local hostname you set in the steps above. In the example below, 10.10.0.1 is the public IP address, example-hostname is the local hostname, and example-hostname.example.com is the FQDN.

File: /etc/hosts

127.0.0.1 localhost.localdomain localhost
10.10.0.1 example-hostname.example.com example-hostname

Add a line for your server's IPv6 address. Applications requiring IPv6 will not work without this entry:

File: /etc/hosts

127.0.0.1 localhost.localdomain localhost
10.10.0.1 example-hostname.example.com example-hostname
2600:3c01::a123:b456:c789:d012 example-hostname.example.com example-hostname

4. Add a Limited User Account

Up to this point, you have accessed your system as the root user, which has unlimited privileges and can execute any command–even one that could accidentally disrupt your server. We recommend creating a limited user account and using that at all times. Administrative tasks will be done using sudo to temporarily elevate your limited user’s privileges so you can administer your server.

Not all Linux distributions include sudo on the system by default. If you get the output sudo: command not found, install sudo before continuing.

Create the user, replacing example_user with your desired username. You’ll then be asked to assign the user a password:

adduser example_user

Add the user to the sudo group so you’ll have administrative privileges:

adduser example_user sudo

Log in as the New User

After creating your limited user, disconnect from your system:

exit

Log back in as your new user. Replace example_user with your username, and the example IP address with your system's IP address:

ssh example_user@192.0.2.1

Now you can administer your system from your new user account instead of root. Nearly all superuser commands can be executed with sudo (example: sudo iptables -L -nv) and those commands will be logged to /var/log/auth.log.

5. Harden SSH Access

By default, password authentication is used to connect to your system via SSH. A cryptographic key-pair is more secure because a private key takes the place of a password, and a key is far harder to brute-force than a typical password. In this section we’ll create a key-pair and configure your system to not accept passwords for SSH logins.

As of Autumn 2018, OpenSSH has been added to Windows 10, simplifying the process for securing SSH. Windows 10 in this guide assumes OpenSSH has been installed as part of this update, while Earlier Windows Versions would apply to earlier versions.

This is done on your local computer, not your system, and will create a 4096-bit RSA key-pair. During creation, you will be given the option to encrypt the private key with a passphrase. This means that it cannot be used without entering the passphrase, unless you save it to your local desktop’s keychain manager. We suggest you use the key-pair with a passphrase, but you can leave this field blank if you don’t want to use one.

If you’ve already created an RSA key-pair, this command will overwrite it, potentially locking you out of other systems. If you’ve already created a key-pair, skip this step. To check for existing keys, run ls ~/.ssh/id_rsa*.

ssh-keygen -b 4096

Press Enter to use the default names id_rsa and id_rsa.pub before entering your passphrase. On Linux and OS X, these files will be saved in the /home/your_username/.ssh directory. O

From your local computer:

ssh-copy-id example_user@192.0.2.1

SSH Daemon Options

Open the SSH configuration file on your system using a Linux text editor, such as nano or vim:

sudo nano /etc/ssh/sshd_config

Disallow root logins over SSH.

This requires all SSH connections be by non-root users. Once a limited user account is connected, administrative privileges are accessible either by using sudo or changing to a root shell using su -.

# Authentication:
...
PermitRootLogin no

Disable SSH password authentication. This requires all users connecting via SSH to use key authentication. Depending on the Linux distribution, the line PasswordAuthentication may need to be added, or uncommented by removing the leading #.

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

You may want to leave password authentication enabled if you connect to your system from many different computers. This will allow you to authenticate with a password instead of generating and uploading a key-pair for every device.

Listen on only one internet protocol. The SSH daemon listens for incoming connections over both IPv4 and IPv6 by default. Unless you need to SSH into your system using both protocols, disable whichever you do not need. This does not disable the protocol system-wide, it is only for the SSH daemon. Depending on the Linux distribution, the line AddressFamily may need to be added, or uncommented by removing the leading #.

Use the option:

AddressFamily inet to listen only on IPv4.
AddressFamily inet6 to listen only on IPv6.

# Port 22
AddressFamily inet

Restart the SSH service to load the new configuration.

If you’re using a Linux distribution which uses systemd (CentOS 7, Debian 8, Fedora, Ubuntu 15.10+):

sudo systemctl restart sshd

If your init system is SystemV or Upstart (CentOS 6, Debian 7, Ubuntu 14.04):

sudo service sshd restart
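To confirm that the three changes above actually took effect, here is an added shell script (not from the original guide) that reads an sshd_config the way sshd does, first uncommented match wins, and reports any directive that is unset or differs from the hardened value. The two sample config files it writes are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the three settings changed above
# (PermitRootLogin, PasswordAuthentication, AddressFamily). Both config files
# below are constructed samples written to a temp directory, so this runs offline.

# Print the effective value of one directive. sshd uses the FIRST non-comment
# occurrence of a keyword (case-insensitive), and anything after a "Match" line
# only applies conditionally, so scanning stops there. Prints nothing if unset.
sshd_effective() {  # $1 = config file, $2 = directive name
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }   # skip comments and blank lines
        tolower($1) == "match"     { exit }    # global section ends here
        tolower($1) == key         { print $2; exit }
    ' "$1"
}

# Report when a directive is unset or differs from the hardened value.
expect_directive() {  # $1 = config file, $2 = directive, $3 = expected value
    v="$(sshd_effective "$1" "$2")"
    if [ -z "$v" ]; then
        printf '%s: not set, sshd built-in default applies\n' "$2"
    elif [ "$v" != "$3" ]; then
        printf '%s: is "%s", expected "%s"\n' "$2" "$v" "$3"
    fi
}

# One finding per line; no output means the file passes all three checks.
audit_sshd_config() {  # $1 = config file
    expect_directive "$1" PermitRootLogin no
    expect_directive "$1" PasswordAuthentication no
    # AddressFamily: either single protocol is acceptable; "any" (the default) is not.
    af="$(sshd_effective "$1" AddressFamily)"
    case "$af" in
        inet|inet6) ;;
        "") printf 'AddressFamily: not set, sshd default "any" applies\n' ;;
        *)  printf 'AddressFamily: is "%s", expected inet or inet6\n' "$af" ;;
    esac
}

audit_finding_count() {  # $1 = config file; prints the number of findings
    audit_sshd_config "$1" | wc -l | tr -d ' '
}

TMP="$(mktemp -d)"

# Constructed sample: the stock file, where every directive is still commented out.
cat > "$TMP/default_sshd_config" <<'EOF'
#Port 22
#AddressFamily any

# Authentication:
#PermitRootLogin prohibit-password
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
EOF

# Constructed sample: the same file after the edits described in this section.
cat > "$TMP/hardened_sshd_config" <<'EOF'
# Port 22
AddressFamily inet

# Authentication:
PermitRootLogin no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
EOF

for f in default_sshd_config hardened_sshd_config; do
    printf '== %s: %s finding(s)\n' "$f" "$(audit_finding_count "$TMP/$f")"
    audit_sshd_config "$TMP/$f"
done
```

Run it against the live file with `audit_sshd_config /etc/ssh/sshd_config`. Newer OpenSSH releases also pull in drop-in files through an Include directive (commonly /etc/ssh/sshd_config.d/*.conf), which this scanner does not follow; `sudo sshd -T` prints the fully resolved configuration and is the authoritative check after a restart.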

6. Use Fail2Ban for SSH Login Protection

Fail2Ban is an application that bans IP addresses from logging into your server after too many failed login attempts. Since legitimate logins usually take no more than three tries to succeed (and with SSH keys, no more than one), a server being spammed with unsuccessful logins indicates attempted malicious access.

Fail2Ban can monitor a variety of protocols including SSH, HTTP, and SMTP. By default, Fail2Ban monitors SSH only, and is a helpful security deterrent for any server since the SSH daemon is usually configured to run constantly and listen for connections from any remote IP address.

For complete instructions on installing and configuring Fail2Ban, see our guide: A Tutorial for Using Fail2ban to Secure Your Server.
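As an added illustration, not part of the original guide or of Fail2Ban itself, the following shell script re-creates the core of what Fail2Ban's sshd jail does: tally "Failed password" entries per source address in the auth log and single out those that crossed a retry threshold. The log lines are constructed, and the MAXRETRY value is the script's own parameter rather than a Fail2Ban default.

```shell
#!/bin/sh
# Added example: the decision Fail2Ban's sshd jail makes, re-created with awk so
# you can watch it work on a handful of log lines. The auth.log entries below are
# constructed, and MAXRETRY is this script's own parameter, not a Fail2Ban default.

MAXRETRY=3

# Print "count ip", most failures first, for every address with at least one
# "Failed password" entry. Fail2Ban's sshd filter also matches other failure
# patterns (e.g. "Invalid user") and only counts hits within a time window;
# both are left out here to keep the logic readable.
failed_logins_by_ip() {  # $1 = auth log file
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
         }
         END { for (ip in fails) print fails[ip], ip }' "$1" | sort -rn
}

# Print only the addresses that reached the threshold: these are the ones a
# running Fail2Ban would ban by adding a firewall rule.
offenders() {  # $1 = auth log file, $2 = threshold
    failed_logins_by_ip "$1" | awk -v max="$2" '$1 >= max { print $2 }'
}

TMP="$(mktemp -d)"

# Constructed sample log: one address hammering root/service accounts, one
# legitimate user who mistyped a password once, one address with a single probe.
cat > "$TMP/auth.log" <<'EOF'
Mar  1 10:10:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  1 10:10:03 host sshd[1201]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar  1 10:10:05 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Mar  1 10:10:07 host sshd[1205]: Failed password for invalid user oracle from 203.0.113.7 port 51025 ssh2
Mar  1 10:10:09 host sshd[1207]: Accepted publickey for example_user from 192.0.2.10 port 40122 ssh2
Mar  1 10:10:12 host sshd[1209]: Failed password for example_user from 192.0.2.10 port 40130 ssh2
Mar  1 10:10:15 host sshd[1211]: Accepted password for example_user from 192.0.2.10 port 40131 ssh2
Mar  1 10:10:20 host sshd[1213]: Failed password for invalid user test from 198.51.100.4 port 60010 ssh2
Mar  1 10:10:22 host sshd[1215]: Invalid user guest from 198.51.100.4 port 60011
EOF

echo "Failed logins per source address:"
failed_logins_by_ip "$TMP/auth.log"
echo "Addresses at or above $MAXRETRY failures (would be banned):"
offenders "$TMP/auth.log" "$MAXRETRY"
```

On a real host the input is /var/log/auth.log (Debian-family) or the output of `journalctl -u ssh`; the legitimate user's single typo stays well under the threshold, which is exactly why a low maxretry is safe once key authentication is in place.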

7. Configure the Firewall

Using a firewall to block unwanted inbound traffic to your system provides a highly effective security layer. By being very specific about the traffic you allow in, you can prevent intrusions and network mapping. A best practice is to allow only the traffic you need, and deny everything else. See our documentation on some of the most common firewall applications:

Iptables is the controller for netfilter, the Linux kernel’s packet filtering framework. Iptables is included in most Linux distributions by default.

UFW provides an iptables frontend.