Harden SSH for AlmaLinux 9 (RHEL, Fedora)

These steps are taken from the following link. They have other guides for hardening Ubuntu, Debian etc.

https://www.sshaudit.com/hardening_guides.html#rocky9

You will need to become the root user, use either su – or sudo -i

First we need to regenerate the RSA and ED25519 keys

rm /etc/ssh/ssh_host_*
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_rsa_key -N ""

Next, remove the small Diffie-Hellman moduli. The moduli file contains prime numbers and generators. Removing the smaller numbers should help increase security as it makes attempting to factor the private keys harder.

awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
mv /etc/ssh/moduli.safe /etc/ssh/moduli

We can now specify which key exchange, ciphers, and algorithms to use.

Add the following to “/etc/crypto-policies/back-ends/opensshserver.config”

# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com
# hardening guide.
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com

HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256

RequiredRSASize 3072

CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256

GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-

HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256

PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256

Finally, restart the ssh server

systemctl restart sshd

Other helpful links

https://www.ssh.com/academy

https://www.redhat.com/en/blog/primes-parameters-and-moduli

https://security.stackexchange.com/questions/79043/is-it-considered-worth-it-to-replace-opensshs-moduli-file

How to Fix OpenVAS “ERROR: The default PostgreSQL version (14) is not 16 that is required libgvmd”

Currently OpenVAS needs PostgreSQL 16 on port 5432. If you have multiple versions of PostgreSQL, the lowest version will typically run on port 5432, and then they’ll increment from there. For example, if you have PostgreSQL 14, 15, and 16, 14 will run on port 5432, 15 on 5433, and 16 on 5434.

The quick fix is to edit the PostgreSQL config files, change the port numbers, restart PostgreSQL, and rerun gvm-setup.

vi /etc/postgresql/16/main/postgresql.conf

Change port number from 5434 to 5432

You will need to remove/disable/change the port for PostgreSQL 14

sudo apt remove postgresql-14
sudo systemctl restart postgresql@16-main.service

We can verify that PostgreSQL is running with netstat.

netstat -tulpn

We can see that the ports 5432 (PostgreSQL 16) and 5433 (PostgreSQL 15) are both running.

Rerun gvm-setup

sudo gvm-setup

Install and Setup OpenVAS on Kali Linux 2023/2024

Notes on installing OpenVAS on Kali Linux in 2023/2024

sudo apt install openvas

Run the setup script. This used to be called openvas-setup, now it is gvm-setup. Note that the script can take a long time to run.

gvm-setup

At the end of the script, it will give you a password. Use this password to log into the web interface. You can reset the password if needed.

If you run into issues with PostgreSQL, check out this post

Log into the web interface at

https://127.0.0.1:9392

Troubleshooting

On Kali Linux, you need to run commands as the _gvm user. You can do this by prepending the commands with

sudo runuser -u _gvm -- COMMAND

There are two — dashes, between the _gvm user and the COMMAND. Replace COMMAND with the GVM/OpenVAS command you want to execute.

Example, to list the current users do

sudo runuser -u _gvm -- gvmd --get-users

To create a new user run

sudo runuser -u _gvm -- gvmd --user=newadmin --new-password=longsecurepassword

Failed to find config ‘daba56c8-73ec-11df-a475-002264764cea’

If you receive a `Failed to find config ‘daba56c8-73ec-11df-a475-002264764cea'”` error,

try running the following command

sudo runuser -u _gvm -- greenbone-nvt-sync

This can take awhile, but it should sync all the files needed. Check the following link for more information.

https://forum.greenbone.net/t/cant-create-a-scan-config-failed-to-find-config/5509

The following link is also helpful for installing OpenVAS

https://stafwag.github.io/blog/blog/2021/02/28/howto-install-opevas-on-kali/

Common Power Issue Terminology

Here is a list of terms associated with power issues.

NameDefinition
FaultMomentary loss of power
BlackoutProlonged power outage
SagMomentary low voltage
BrownoutProlonged Low voltage
SpikeMomentary spike in voltage
SurgeExtended spike in voltage
InrushInitial voltage “surge” when a device is plugged in

Here is a visual image.

Table of Types of Law for Cyber Security

There are three types of law. Criminal, civil, and administrative.

Type of LawExamplesStandard of ProofBurden of ProofPenalty
Criminal LawMurder, assault, robbery, arsonBeyond a reasonable doubtInnocent until proven guiltyFines, Jail, Prison, Death penalty
Civil LawProperty Disputes, Personal injuryPreponderance of evidenceClaimant must give proof (most cases)Compensation for injuries/damage
Administrative LawDefine standards of performance and conduct for major industries, organizations and government agencies
Table of Law

https://www.diffen.com/difference/Civil_Law_vs_Criminal_Law

List of Laws and Acts

The following is a list of “good to know” legislative acts.

AcronymNameNotes
CFAAComputer Fraud and Abuse ActFirst major cyber crime legislation
Federal Sentencing Guidelines (1991)Responsibility on senior management
ECPAElectronic Communications Privacy Act of 1986Made it a crime to invade the electronic privacy of an individual
CALEAComm Assistance for Law Enforcement Act of 1994Amended ECPA. Made wiretaps possible for law enforcement with a court order.
Economic Espionage Act of 1996Made theft no longer tied to something physical
FISMAFederal Information Security Management ActCyber security requirements for government agencies
DMCADigital Millennium Copyright ActCopyright protection is 70 years +
1st major revision added CD/DVD protections
USA PATRIOTUSA PATRIOT Act of 2001Gave law enforcement and intelligence agencies broader wiretapping authorizations
Identity Theft and Assumption Deterrence Act (1998)Made identity theft a crime. Up to 15 years in prison and $250,000 fine.
HIPPAHealth Insurance Portability and Accountability Act (1996)Regulations for security measures for hospitals, physicians, and insurance companies
HITECHealth Information Technology for Economic and Clinical Health Act of 2009Amended HIPPA. Updated privacy/security requirements for Business Associates (BAs), requires a written contract known as a business associate agreement (BAA). BAs are directly subject to HIPPA and enforcement actions like a covered entity.
HITECH also introduced new data breach notifications.
GLBAGramm-Leach-Bliley ActLimits services that banks, lenders, and insurance agencies can provide and information they can share with each other
COPPAChild Online Privacy Protection ActSeeks to protects children (<13 years old) online
FERPAFamily Educational Rights and Privacy ActGives students certain privacy rights. Deals with adults >18, and Children in school <18
ITARInternational Traffic in Arms RegulationRegulates the export of military and defense related technologies
EARExport Administration RegulationsFor commercial use, but may have military applications.
Table of Laws and Acts

Trademark, Patents, Copyright etc.

NameProtection Length
Trademarks10 Years
Patents20 Years
Copyright 70 Years after the death of the author
Trade SecretsUntil they are leaked.
Table of Trademarks, Patents, Copyright, and Trade Secrets

List of Symmetric Encryption Algorithms. Block and Key Size.

List of common symmetric encryption algorithms with their block and key size.

NameBlock SizeKey SizeNotes
AES Advanced Encryption Standard128128, 192, 256Is Rijndael
RijndaelVariable128, 192, 256Is AES
Blowfish 6432-448Often used in SSH
DES Data Encryption Standard6456
Triple DES64112-168DES 3 times
IDEA64128Used in PGP
RC4 Rivest Cipher 4Stream Cipher40-2048Insecure/Not used, used in WEP, WPA, and SSL
RC5 Rivest Cipher 532, 64, 1280-2040
RC6 Rivest Cipher 6128128, 192, 256
Skipjack6480Developed by the NSA and supported key escrow
CAST-1286440-128
CAST-256128128, 160, 192, 224, 256
Twofish1281-256
ChaCha20Stream Cipher256
List of Common Symmetric Encryption Algorithms With Block and Key Size

Import/Export GPG Private Key

Note that if you need to copy both your Private and Public key, you’ll need to export both separately.

https://stackoverflow.com/questions/5587513/how-to-export-private-secret-asc-key-to-decrypt-gpg-files

List Keys

You can list all the GPG keys with the following command.

gpg --list-keys

Export Key

Change “keyID” to your key idea from the above command. The key ID is the long string of hexadecimal characters.

gpg --export-secret-keys "keyID" > private_key.asc

This will export the keys to private_key.asc. Rename as appropriate.

To export the Public Key

gpg --export "keyID" > public_key.asc

Import Key

To use the key, you’ll need to import and trust the key.

gpg --allow-secret-key-import --import private_key.asc
gpg --edit-key "keyID"

Then type

trust

Select level 5.

Import the Public Key

gpg --import public_key.asc

Decrypt Files

To decrypt a single file do

 gpg --batch --passphrase='password' ./file.gpg

If your GPG does not have a password, remove the whole `–passphrase=’password’` option

To decrypt multiple files you can run

for file in * ; do gpg --batch --passphrase='password' "$file" ; done

Using Auditd to monitor changes to Linux

Install and enable auditd with

sudo dnf install auditd
sudo systemctl enable auditd
sudo systemctl start auditd

Add a file or directory to monitor with

auditctl -w /etc/passwd -k password

-w is watch path
-k is a filter key we can use later to search through logs

Now we can search with ausearch

ausearch -k password

Using Preconfigured Rules

There are already some preconfigured rules in /usr/share/audit/sample-rules/

We can copy those to /etc/auditd/rules.d/ and use them.

cd /usr/share/audit/sample-rules/
cp 10-base-config.rules 30-stig.rules 31-privileged.rules 99-finalize.rules /etc/audit/rules.d/
augenrules --load

Note on the 31-privileged.rules file. You’ll need to run the commands in the file which will create a new file. Then we can copy that to “/etc/auditd/rules.d/”

find /bin -type f -perm -04000 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $1 }' > priv.rules
#find /sbin -type f -perm -04000 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $1 }' >> priv.rules
#find /usr/bin -type f -perm -04000 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $1 }' >> priv.rules
#find /usr/sbin -type f -perm -04000 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $1 }' >> priv.rules
#filecap /bin 2>/dev/null | sed '1d' | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $2 }' >> priv.rules
#filecap /sbin 2>/dev/null | sed '1d' | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $2 }' >> priv.rules
#filecap /usr/bin 2>/dev/null | sed '1d' | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $2 }' >> priv.rules
#filecap /usr/sbin 2>/dev/null | sed '1d' | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $2 }' >> priv.rules

And Copy priv.rules to /etc/audit/rules.d/31-privileged.rules. Overwrite the file there if needed.

cp ./priv.rules /etc/audit/rules.d/31-privileged.rules

Load the rules.

augenrules --load

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/auditing-the-system_security-hardening

How to Create WireGuard Point-to-point Between Mikrotik Routers

We’ll create a tunnel between two Mikrotik RouterOS routers. Once we have the tunnel connected, we can then route traffic between them.

Note: You can add Preshared keys, but we don’t cover that in this post, just to keep things simple. Check out the following post if you want to add Preshared keys.

How to Create a Preshared Key for Wireguard

Here is how we will want our routers set up. The WireGuard PtP IP is the IP addresses used on both ends of the tunnel. The WAN IP is the IP of each Router. Local IP on Host B is setup to distribute DHCP.

Host A

WAN IP: 172.16.0.1
WireGuard PtP IP: 10.1.1.1/30

Host B

WAN IP: 10.0.0.2
WireGuard PtP IP: 10.1.1.2/30
Local IP: 192.168.0.1/24

We need Host A to be able to access Private IP’s (192.168.0.0/24) behind Host B.

We’ll pretend that the 172.16.0.1 address is a public IP, and Host B, is behind some sort of NAT network.

To create the Point-to-point, or PtP, we will create a WireGuard VPN tunnel, and then add routes from Host A to Host B.

For each Mikrotik we need to create a WireGuard interface, and then a peer. One of the peers needs a keep alive if we are behind a NAT.

Wireguard Setup Overview

Here is an overview screenshot of what our WireGuard settings will look like. Host A is on top, and Host B on the bottom. On the left are the WireGuard interfaces, and the right contains the Peers.

We copy the Public Key from the remote WireGuard interface, to the Public Key on the local Peer. I.e. The Host_B Peer contains Host_A’s Interface Public Key and vice verse

Host A

If you want to, you can use the WinBox GUI to setup and configure the router.

Create the WireGuard interface

 /interface/wireguard/add name=wireguard-Host_A disabled=no

Add IP address 10.1.1.1/30 to the newly created WireGuard Interface in /IP/Address

/ip/address/add address=10.1.1.1/30 interface=wireguard-Host_A disabled=no

Create WireGuard Peer, WireGuard -> Peers

  • Select the WireGuard interface,
  • In the Allowed Addresses, put 10.1.1.0/30 and 192.168.0.0/24*.
  • Finally, put in the Public Key from Host B.
    Note that we can’t do this until we create the WireGuard Interface on Host B, so you’ll need to come back for this step.
interface/wireguard/peers/add interface=wireguard-Host_A public-key=HOST_B_WG_PUBLIC_KEY allowed-address=10.1.1.0/30,192.168.0.0/24

Add route for 192.168.0.0/24 to point to 10.1.1.2

/ip/route/add dst-address=192.168.0.0/24 gateway=10.1.1.2

*The Allowed Address sets which addresses work on the other side of the tunnel. If we don’t specify 192.168.0.0/24, then we won’t be able to route to those addresses. If we don’t add 10.1.1.0/30, then our tunnel won’t work at all. Since we only need to route to the 192.168.0.0/24 network from the Host A side, we don’t need this IP range on Host B.

Host B

Create the WireGuard interface, WireGuard -> Add

 /interface/wireguard/add name=wireguard-Host_B disabled=no

Add IP address 10.1.1.2/30 to the newly created WireGuard Interface in /IP/Address

/ip/address/add address=10.1.1.2/30 interface=wireguard-Host_B disabled=no

Create a WireGuard Peer, WireGuard -> Peers

  • Select the WireGuard interface,
  • In the Allowed Addresses, put 10.1.1.0/30
  • Finally, put in the Public Key from Host A.
/interface/wireguard/peers/add interface=wireguard-Host_A public-key=HOST_A_WG_PUBLIC_KEY endpoint-address=172.16.0.1 endpoint-port=13231 allowed-address=10.1.1.0/30 persistent-keepalive=00:00:30

Conclusion

That should be it. Verify that there is a connection. From Host A, ping 192.168.0.1 or any other remote device.

Troubleshooting

Unfortunately, there appear to be some wonky bugs with WireGuard on RouterOS. It does appear to be getting better, but here are a couple things to check if the tunnel is not connecting.

  1. Verify that the Firewall is not blocking WireGuard. You can allow the WireGuard port in the Firewall.
  2. Try disabling and re-enabling the Interfaces and/or Peers
  3. Verify that all the routes for the PtP are in /ip/routes. If not, try manually adding the route (10.1.1.0/30) on the WireGuard interface on both routers.
  4. Add a keep alive if a router is behind a firewall/NAT.
  5. Reboot and or Upgrade the RouterOS version and firmware.

Hardening Mikrotik RouterOS

https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router

Things to harden

  • Delete default admin user
  • Disable unused services and whitelist IP’s
  • Secure SSH
  • DNS

Delete default admin user

Before deleting the default admin user, create your own user account.

/user/add name=MyUsername group=full password=mylongsecurepassword

Note: running /user/add will prompt you for the rest of the options.

Delete the default admin user with

/user remove admin

We want to delete the default admin user for two reasons. 1. There is no default password for this user. 2. It is a default username which means it will be targeted for brute force attacks.

Consider using the /users/groups for more granular control.

Disable unused services

In the following, we disabled all services except SSH and Winbox. We also limit access to those services only from private “RFC 1918” IP addresses. Customize as needed.

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl tls-version=only-1.2
set ssh address="set winbox address="192.168.0.0/16,172.16.0.0/12,10.0.0.0/8"
set api disabled=yes
set winbox address="set winbox address="192.168.0.0/16,172.16.0.0/12,10.0.0.0/8"
set api-ssl disabled=yes tls-version=only-1.2

for www-ssl and api-ssl, tls-version is not a required argument, but you may consider using it if you need the API or Webfig.

Secure SSH

/ip/ssh/set strong-crypto=yes allow-none-crypto=no always-allow-password-login=no host-key-size=4096

And regenerate the SSH host key. It will prompt for a [y/N], hit y to regenerate.

/ip/ssh/regenerate-host-key 

DNS

Unless your device is being used as a DNS resolver, it is best to disable the “Allow Remote Request”

ip dns/set allow-remote-requests=no

If you do need it enabled, then be sure to add some firewall rules to keep your router from being used in amplification attacks.

add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=udp

You can configure interface lists in /interface/list or Interface -> Interface List in the gui

Or you can change to in-interface and specify the WAN interface directly. You could also set it to !LAN if you have a LAN interface list set up.