Simple Cloud Hardening

Kyle Rankin, Tue, 04/10/2018 - 10:30. Tags: AWS, Cloud, Security

Apply a few basic hardening principles to secure your cloud environment.

I've written about simple server-hardening techniques in the past. Those articles were inspired in part by the Linux Hardening in Hostile Networks book I was writing at the time, and the idea was to distill the many different hardening steps you might want to perform on a server into a few simple steps that everyone should do. In this article, I take the same approach only with a specific focus on hardening cloud infrastructure. I'm most familiar with AWS, so my hardening steps are geared toward that platform and use AWS terminology (such as Security Groups and VPC), but as I'm not a fan of vendor lock-in, I try to include steps that are general enough that you should be able to adapt them to other providers.

New Accounts Are (Relatively) Free; Use Them

One of the big advantages of cloud infrastructure is the ability to compartmentalize it. With a bunch of servers in the same rack, that is difficult, but on cloud infrastructure you can use the same technology that isolates one customer from another to isolate one of your infrastructure types from the others. Although this doesn't come completely for free (it adds some extra overhead when you set things up), it's worth it for the strong isolation it provides between environments.

One of the first security measures you should put in place is separating each of your environments into its own high-level account. AWS allows you to generate a number of different accounts and connect them to a central billing account. This means you can isolate your development, staging and production environments (plus any others you may create) completely into their own individual accounts that have their own networks, their own credentials and their own roles totally isolated from the others. With each environment separated into its own account, you limit the damage attackers can do if they compromise one infrastructure to just that account. You also make it easier to see how much each environment costs by itself.

In a traditional infrastructure where dev and production are together, it is much easier to create accidental dependencies between those two environments and have a mistake in one affect the other. Splitting environments into separate accounts protects them from each other, and that independence helps you identify any legitimate links that environments need to have with each other. Once you have identified those links, it's much easier to set up firewall rules or other restrictions between those accounts, just like you would if you wanted your infrastructure to talk to a third party.

Lock Down Security Groups

One advantage of cloud infrastructure is that you have much tighter control over firewall rules. AWS Security Groups let you define both ingress and egress firewall rules, both with the internet at large and between Security Groups. Since you can assign multiple Security Groups to a host, you have a lot of flexibility in how you define network access between hosts.

My first recommendation is to deny all ingress and egress traffic by default and add specific rules to a Security Group as you need them. This is a fundamental best practice for network security, and it applies to Security Groups as much as to traditional firewalls. This is particularly important if you use the Default security group, as it allows unrestricted internet egress traffic by default, so that should be one of the first things to disable. Although disabling egress traffic to the internet by default can make things a bit trickier to start with, it's still a lot easier than trying to add that kind of restriction after the fact.

You can make things very complicated with Security Groups; however, my recommendation is to try to keep them simple. Give each server role (for instance web, application, database and so on) its own Security Group that applies to each server in that role. This makes it easy to know how your firewall rules are being applied and to which servers they apply. If one server in a particular role needs different network permissions from the others, it's a good sign that it probably should have its own role.

The role-based Security Group model works pretty well but can be inconvenient when you want a firewall rule to apply to all your hosts. For instance, if you use centralized configuration management, you probably want every host to be allowed to talk to it. For rules like this, I take advantage of the Default Security Group and make sure that every host is a member of it. I then use it (in a very limited way) as a central place to define any firewall rules I want to apply to all hosts. One rule I define in particular is to allow egress traffic to any host in the Default Security Group—that way I don't have to write duplicate ingress rules in one group and egress rules in another whenever I want hosts in one Security Group to talk to another.
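One way to check an account against the baseline above, as an added example that is not part of the original article: it walks the JSON shape that `aws ec2 describe-security-groups` returns and flags any rule open to the whole internet, plus any egress rule in the Default group that is not limited to the Default group's own members. The sample groups and their IDs are constructed.

```python
"""Audit Security Group rules against a deny-by-default baseline.

Added example, not code from the article. Input is the structure returned by
`aws ec2 describe-security-groups` (SecurityGroups -> IpPermissions /
IpPermissionsEgress). The SAMPLE_GROUPS below are constructed for the demo.
"""
from typing import Dict, List

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"

# Constructed sample: a stock Default group and a "web" role group.
SAMPLE_GROUPS: List[Dict] = [
    {
        "GroupId": "sg-0default0",
        "GroupName": "default",
        "IpPermissions": [],
        # The stock Default group ships with unrestricted egress; the article
        # says this should be one of the first things disabled.
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_V4}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0web00000",
        "GroupName": "web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": [],
             "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [],
             "UserIdGroupPairs": []},
        ],
        # Egress only to the (constructed) application role group.
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0app00000"}]},
        ],
    },
]


def _is_world_open(rule: Dict) -> bool:
    """True when the rule's source or destination is the whole internet."""
    v4 = any(r.get("CidrIp") == ANY_V4 for r in rule.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in rule.get("Ipv6Ranges", []))
    return v4 or v6


def _describe(rule: Dict) -> str:
    """Short human-readable label for a rule, e.g. 'tcp/443-443'."""
    proto = rule.get("IpProtocol", "-1")
    if proto == "-1":
        return "all traffic"
    return f"{proto}/{rule.get('FromPort')}-{rule.get('ToPort')}"


def audit_security_groups(groups: List[Dict]) -> List[str]:
    """Return one finding per baseline violation, in input order."""
    findings: List[str] = []
    for sg in groups:
        gid, name = sg["GroupId"], sg["GroupName"]
        for rule in sg.get("IpPermissions", []):
            if _is_world_open(rule):
                findings.append(f"{gid} ({name}): ingress {_describe(rule)} open to the internet")
        for rule in sg.get("IpPermissionsEgress", []):
            if _is_world_open(rule):
                findings.append(f"{gid} ({name}): egress {_describe(rule)} open to the internet")
            if name == "default":
                # Baseline: Default group egress goes only to its own members.
                pairs = rule.get("UserIdGroupPairs", [])
                only_self = pairs and all(p.get("GroupId") == gid for p in pairs)
                if not only_self:
                    findings.append(f"{gid} ({name}): egress {_describe(rule)} "
                                    "is not limited to the default group")
    return findings


if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE_GROUPS):
        print(finding)
```

The open port 443 on the web role is reported too: the auditor lists every internet-facing rule so each one is a deliberate, reviewed exception rather than an accident.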

Use Private Subnets

On cloud infrastructure, you are able to define hosts that have an internet-routable IP and hosts that only have internal IPs. In AWS Virtual Private Cloud (VPC), you define these hosts by setting up a second set of private subnets and spawning hosts within those subnets instead of the default public subnets.

Treat the default public subnet like a DMZ and put hosts there only if they truly need access to the internet. Put all other hosts into the private subnet. With this practice in place, even if hosts in the private subnet were compromised, they couldn't talk directly to the internet even if an attacker wanted them to, which makes it much more difficult to download rootkits or other persistence tools without setting up elaborate tunnels.

These days it seems like just about every service wants unrestricted access to web ports on some other host on the internet, but an advantage of the private subnet approach is that instead of working out egress firewall rules to specific external IPs, you can set up a web proxy service in your DMZ that has broader internet access and then restrict the hosts in the private subnet by hostname instead of IP. This has the added benefit of giving you a nice audit trail on the proxy host of all the external hosts your infrastructure is accessing.

Use Account Access Control Lists Minimally

AWS provides a rich set of access control list tools by way of IAM. This lets you set up very precise rules about which AWS resources an account or role can access, using a very complicated syntax. While IAM provides you with some pre-defined rules to get you started, it still suffers from the problem all rich access control lists have—the complexity makes it easy to make mistakes that grant people more access than they should have.

My recommendation is to use IAM only as much as is necessary to lock down basic AWS account access (like sysadmin accounts or orchestration tools for instance), and even then, to keep the IAM rules as simple as you can. If you need to restrict access to resources further, use access control at another level to achieve it. Although it may seem like giving somewhat broad IAM permissions to an AWS account isn't as secure as drilling down and embracing the principle of least privilege, in practice, the more complicated your rules, the more likely you will make a mistake.


Cloud environments provide a lot of complex options for security; however, it's more important to set a good baseline of simple security practices that everyone on the team can understand. This article provides a few basic, common-sense practices that should make your cloud environments safer while not making them too complex.

Kyle Rankin

Feral Interactive Releases GameMode, YouTube Music Videos Hacked, Oregon Passes Net Neutrality Law and More

Tags: News, gaming, ZFS, Security, Hardware, open source

News briefs for April 10, 2018.

Feral Interactive today released GameMode, an open-source tool that helps Linux users get the best performance out of their games. According to the press release, "GameMode instructs your CPU to automatically run in Performance Mode when playing games." Rise of the Tomb Raider, which is being released later this month, will be the first release to integrate this tool. GameMode is available now via GitHub.

If you are using ZFS On Linux 0.7.7, which was released in March, upgrade immediately to version 0.7.8 to keep your data safe. Version 0.7.8 is an emergency release to deal with a possible data loss issue, Phoronix reports. See the ZOL bug report for more info.

YouTube was hacked this morning, and many popular music videos were defaced, including the video for the hit song Despacito, as well as videos by Shakira, Selena Gomez, Drake and Taylor Swift. According to the BBC story, "A Twitter account that apparently belongs to one of the hackers posted: 'It's just for fun, I just use [the] script 'youtube-change-title-video' and I write 'hacked'."

Linux computer maker System76 is moving its manufacturing factory from China to Denver, Colorado. In an interview about the move and bringing manufacturing in-house, System76 marketing director Louisa Bisio said "Creating a computer that is open source from the physical design to the OS is the next step in our mission to empower our customers and the community. We believe that by leading with open source design, the rest of the industry will have to follow."

Oregon becomes the second state to pass Net Neutrality law. Governor Kate Brown signed the bill yesterday, "withholding state business from internet providers who throttle traffic, making the state the second to finalize a proposal aimed at thwarting moves by federal regulators to relax net neutrality requirements".

Jill Franklin

Bluestar Gives Arch Linux a Celestial Glow


LinuxInsider: Bluestar Linux is a GNU/Linux distribution that features up-to-date packages, an impressive range of desktop and multimedia software in the default installation, and a live desktop DVD. The live session capability is one of Bluestar's more enticing qualities.

Blockchain, Part I: Introduction and Cryptocurrency

Petros Koutoupis, Mon, 04/09/2018 - 10:45. Tags: Bitcoin, Blockchain, Cryptocurrency

It seems nearly impossible these days to open a news feed discussing anything technology- or finance-related and not see a headline or two covering bitcoin and its underlying framework, blockchain. But why? What makes both bitcoin and blockchain so exciting? What do they provide? Why is everyone talking about this? And, what does the future hold?

In this two-part series, I introduce this now-trending technology, describe how it works and provide instructions for deploying your very own private blockchain network.

Bitcoin and Cryptocurrency

The concept of cryptocurrency isn't anything new, although with the prevalence of the headlines alluded to above, one might think otherwise. Invented and released in 2009 by an unknown party under the name Satoshi Nakamoto, bitcoin is one such kind of cryptocurrency in that it provides a decentralized method for engaging in digital transactions. It is also a global technology, which is a fancy way of saying that it's a worldwide payment system. With the technology being decentralized, not one single entity is considered to have ownership or the ability to impose regulations on the technology.

But, what does that truly mean? Transactions are secure. This makes them more difficult to track and, therefore, difficult to tax. This is because these transactions are strictly peer-to-peer, without an intermediary in between. Sounds too good to be true, right? Well, it is that good.

Although transactions are limited to the two parties involved, they do, however, need to be validated across a network of independently functioning nodes, called a blockchain. Using cryptography and a distributed public ledger, transactions are verified.

Now, aside from making secure and more-difficult-to-trace transactions, what is the real appeal to these cryptocurrency platforms? In the case of bitcoin, a "bitcoin" is generated as a reward through the process of "mining". And if you fast-forward to the present, bitcoin has earned monetary value in that it can be used to purchase both goods and services, worldwide. Remember, this is a digital currency, which means no physical "coins" exist. You must keep and maintain your own cryptocurrency wallet and spend the money accrued with retailers and service providers that accept bitcoin (or any other type of cryptocurrency) as a method of payment.

All hype aside, predicting the price of cryptocurrency is a fool's errand, and there's not a single variable driving its worth. One thing to note, however, is that cryptocurrency is not in any way a monetary investment in a real currency. Instead, buying into cryptocurrency is an investment into a possible future where it can be exchanged for goods and services—and that future may be arriving sooner than expected.

Now, this doesn't mean cryptocurrency has no cash value. In fact, it does. As of the day I am writing this (January 27, 2018), a single bitcoin is $11,368.56 USD. This value is extremely volatile, and who knows what direction it will take tomorrow. One thing influencing the value of a bitcoin is the rate of adoption. More people using the technology results in more transactions being verified by the people-owned nodes forming the underlying blockchain. In turn, the owners of the verification systems earn their rewards, thereby increasing the value of the technology. It's simple: verify more transactions, and earn more money. Sure, there is a bit more to it, but that's the general idea.

The owners of the verification systems are referred to as "miners". Miners provide a service of record keeping. Such a service requires a good amount of processing power to handle the cryptographic computations. The purpose of the miner is to keep the underlying blockchain consistent, complete and unaltered. A miner repeatedly verifies and collects broadcasted transactions into groups of transactions referred to as blocks. Using an SHA-256 algorithm (Secure Hash Algorithm 256-bit hash), each new block contains a cryptographic hash of the block prior to it, establishing a link for forming the chain of blocks, hence the name, blockchain.

Figure 1. An Example of How Blocks of Data Are "Chained" to One Another

A Global "Crisis"

With the rise of cryptocurrency and the rise of miners competing to earn their fair share of the digital currency, we are now facing a dilemma—a global shortage of high-end PC graphics adapters. Even previously used adapters are resold at a much higher price than newly boxed versions. But why is that? Using such high-end cards with enough onboard memory and dedicated processing capabilities easily can yield several dollars in cryptocurrency per day. Remember, mining requires the processing of memory-hungry algorithms. And as cryptocurrency prices continue to increase, and at a rapid rate, the worth of the digital currency awarded to miners also increases. This shortage of graphics adapters has become an increasing bottleneck for existing miners looking to expand their operations or for new miners to get in on the action. Hopefully, graphics card vendors will address this shortage sooner rather than later.

Comparing Blockchain Technologies

Multiple platforms exist for crypto-trading. You may come across articles discussing bitcoin and comparing that currency to others like ethereum or litecoin. Initially, those articles can lead to confusion between the two different types of digital coins: 1) cryptocurrencies and 2) tokens. The key things to remember are the following:

  • A bitcoin or litecoin or any other form of cryptocurrency actively competes against existing money and gold in the hopes of replacing them as an accepted form of global currency. As mentioned previously, the technology promises a non-regulated and globally accessible currency—one that contains the same stable value regardless of location. This concept definitely could appeal to those living in unstable countries with unstable currencies.

  • And ethereum? Well, it deals in tokens. It works on the idea of contracts. Ethereum is a platform that allows its users to write conditional digital "smart contracts", showing proof of a transaction that never can be deleted.

In the modern world, a traditionally written contract will outline the terms of a relationship, usually enforceable by law. A smart contract will enforce a relationship using cryptographic code—that is, by executing the conditions defined by its creators using a program. What makes ethereum more interesting is that unlike bitcoin (or litecoin for that matter), the platform does not limit itself to the currency use case.

Much like bitcoin, when a transaction takes place utilizing one or more of these contracts, transaction fees are charged to source the computation power required. The more computational power needed, the higher the fee.

What Is Blockchain?

To understand this cryptocurrency phenomenon and its explosive growth in popularity, you need to understand the technology supporting it: the blockchain. As mentioned previously, a blockchain consists of a continuously growing list of records captured in the form of blocks. Using cryptography, each new block is linked and secured to an existing chain of blocks.

Each block will contain a hash pointer to the previous block within the chain, a timestamp and transactional data. By design, the blockchain is resistant to any sort of modification of data. This is because a blockchain provides an open and distributed ledger to record transactions between two interested parties efficiently, reliably and permanently.

Once data has been recorded, the data in a given block cannot be altered without altering all subsequent blocks.
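The hash-pointer linking described above, as an added example that is not code from the article: each block carries a timestamp, its transaction data and the SHA-256 hash of the previous block, and the validator reports the first block whose pointer no longer matches. The transactions and timestamps are constructed sample values, and mining is left out.

```python
"""Minimal SHA-256 hash-chained ledger (added example, not from the article).

Demonstrates why altering one block forces every later block to change:
each block stores the hash of its predecessor, so a change anywhere before
the tip breaks the next block's hash pointer. Sample data is constructed.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List


@dataclass
class Block:
    index: int
    timestamp: int            # seconds since the epoch; fixed so the demo is deterministic
    transactions: List[str]   # constructed sample transaction strings
    previous_hash: str        # hash pointer to the prior block ("0" * 64 for genesis)

    def hash(self) -> str:
        """SHA-256 over a canonical JSON encoding of the block's fields."""
        payload = json.dumps(asdict(self), sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode()).hexdigest()


def build_chain(batches: List[List[str]], start_time: int = 1_516_993_200) -> List[Block]:
    """Create a genesis block, then append one block per batch of transactions.

    start_time is an arbitrary constructed epoch value; each block is stamped
    ten minutes after the previous one.
    """
    chain = [Block(0, start_time, [], "0" * 64)]
    for i, txs in enumerate(batches, start=1):
        chain.append(Block(i, start_time + 600 * i, list(txs), chain[-1].hash()))
    return chain


def validate_chain(chain: List[Block]) -> int:
    """Return -1 if every link is intact, else the index of the first block
    whose hash pointer, index or timestamp does not follow from its predecessor."""
    for i in range(1, len(chain)):
        prev, cur = chain[i - 1], chain[i]
        if cur.previous_hash != prev.hash():
            return i
        if cur.index != prev.index + 1 or cur.timestamp <= prev.timestamp:
            return i
    return -1


def tamper_and_check(chain: List[Block], block_index: int, new_tx: str) -> int:
    """Append a transaction to one block in a copy of the chain and report
    where validation first fails (-1 means the change went undetected)."""
    copy = [Block(**asdict(b)) for b in chain]          # deep copy via asdict
    copy[block_index].transactions.append(new_tx)
    return validate_chain(copy)


if __name__ == "__main__":
    ledger = build_chain([["alice->bob:1"], ["bob->carol:2"], ["carol->dave:3"]])
    print("intact chain valid:", validate_chain(ledger) == -1)
    print("tampering block 1 detected at block:", tamper_and_check(ledger, 1, "evil"))
    # Altering the tip breaks no later pointer, which is exactly why nodes
    # compare their copies with the rest of the network rather than trust one.
    print("tampering the tip detected at block:", tamper_and_check(ledger, 3, "evil"))
```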

I guess you can think of this as a distributed "database" where its contents are duplicated hundreds, if not thousands, of times across a network of computers. This method of replication emphasizes the decentralized aspect of the technology. Without a centralized version or a single "master" copy, this database is public and, therefore, can be verified easily without risk or fear of hacking or corruption. Simultaneously hosted by millions of computing nodes, the contents of this database are accessible to anyone on the internet. As an added benefit, the distributed and decentralized model reassures its users that no single point of failure exists. Imagine that one or more of these computing nodes are either inaccessible or experiencing some sort of internal failures or are even producing corrupted data. The blockchain is resilient in that it will continue to make available the requested data contents and in their proper (that is, uncorrupted) format. This is because of a technique commonly referred to as the Byzantine Fault Tolerance method.

Byzantine Fault Tolerance

Systems fail, and they can fail for multiple reasons (such as hardware, software, power, networking connectivity and others). This is a fact. Also, not all failures are easily detectable (even through traditional fault-tolerance mechanisms) nor will they always appear the same to the rest of the systems in the networked cluster. Again, imagine a large network consisting of hundreds, if not thousands, of nodes. To handle such unpredictable conditions, one must employ a voting system to ensure that the cluster will tolerate the failure or misbehavior.

A Byzantine fault is any fault that presents different symptoms to different observers (that is, to different distributed computing systems). A Byzantine failure is the loss of a system service due to a Byzantine fault in an environment where a consensus must be reached in order to perform that one service or operation.

The purpose of Byzantine Fault Tolerance (BFT) is to defend the distributed platform against such Byzantine failures. Failing components of the system will not prevent the remaining components from reaching an agreement among themselves, where such an agreement is required to perform an operation. Correctly functioning components of a BFT system will continue to provide uninterrupted service, assuming that not too many faults exist.

The name of this mechanism is derived from the Byzantine Generals' Problem (BGP). The BGP highlights an agreement problem in which all participating members must reach a common decision even though some of them disagree. Imagine a scenario where several divisions of the Byzantine army are camped outside a fortified city. Each division has its own general, and the only way the generals are able to communicate with each other is through messengers. The generals need to decide on a common plan of action. The problem is that some of the generals may well be traitors. With one traitor in their midst, can the non-traitors decide on a common plan?

In a BFT environment, the answer to this question is yes. In a group of three, one traitor makes it impossible not to reach a majority consensus. For instance, if one general says "attack" while the other two say "retreat", it is easy to determine who the traitor of the group is. It is also possible to reach some sort of agreement across the non-traitors. Now, apply this concept to a distributed network of computing nodes. For example, when f nodes go Byzantine, 2f + 1 nodes are enough to reject the misbehavior. All you need is one properly functioning node more than the potentially faulty nodes.

Figure 2. The Byzantine Generals' Problem illustrated

Now, why am I talking about this? The BFT is at the core of a blockchain's resiliency. If a consensus cannot be made to handle a transaction, the blockchain itself is no good.

The Network

A network consisting of computing nodes is what makes up the blockchain. A node gets an identical copy of the blockchain as soon as it joins the network. Each node is considered to be an administrator of the blockchain and has no more control than any other node within the cluster—again, the result of being decentralized.

Figure 3. An Example of a Decentralized Blockchain Network

This method of computing is what lends the blockchain its robustness. Aside from updating the blockchain, each node can and will act independently from the other regardless of how it was accessed. And when it needs to append a new block to the chain, it will broadcast the update to the rest of the nodes (updating the public ledger).

Whatever the user-driven event, it is considered to be a function of the network as a whole. It is the global network that manages the application, and it operates on a user-to-user or peer-to-peer basis. Each node, when accessed independently, is tasked with confirming the requested transaction (such as by mining). As alluded to previously, it is this core concept that makes the blockchain that much more secure. The blockchain technology eliminates the risks (and vulnerabilities) introduced when data is held (or managed) centrally and not replicated across the network. Another way to think of it is this: instead of having a single entity validate the transaction, you now have multiple entities validating the transaction after reaching a consensus. They act as witnesses, and no single entity has more authority than the others. This leaves no room for ambiguity, and if one or more nodes misrepresents the original data, the BFT model will address that.

Almost everyone reading this is familiar with the constant security problems running rampant on the internet. We personally attempt to protect both our identity and our assets online by relying on the traditional "user name" and "password" systems. Blockchain takes this a step further and differs in that its security stems from its use of encryption technologies. The authentication "problem" is solved with the generation of "keys". A user will create a public key (a long and randomly generated numeric string) and a private key (which acts like a password). The public key serves as the user's address within the blockchain, and any transaction involving that address will be recorded as belonging to that address. The private key gives its owner access to his or her digital assets. The combination of public and private keys provides a digital signature. The only concern here is taking the appropriate measures to protect private keys.

Putting the Pieces Together

By now, you should have more of a complete picture of how all of these components tie together.

Figure 4. The General Handling of a Transaction across a Blockchain Network

For example, let's say there's a bitcoin transaction (or it could be something else entirely), and imagine someone in the network is requesting the transaction. This requested transaction is then broadcast across a peer-to-peer network of computing nodes. Using cryptographic algorithms, the network of nodes validates the user's status and the transaction. Once verified, the transaction is combined with other transactions, creating a new block of data for the public ledger. The new block of data is then appended to the existing blockchain in a way that makes it permanent and unalterable. Then the transaction is complete. Using timestamping schemes, all transactions are serialized.

What Makes Blockchain Important?

Much like TCP/IP, the blockchain is a foundation technology. As TCP/IP enabled the internet by the 1990s, you can expect wonderful new beginnings with the blockchain. It is still a bit too early to see how it will evolve. This revolutionary technology has enabled organizations to explore what it can and will mean for their businesses. Many of these same organizations already have begun the exploration, although it primarily has been focused around financial services. The possibilities are enormous, and it seems that any industry dealing with any sort of transaction-based model will be disrupted by the technology.


This article covers the rise and interest in cryptocurrencies and begins to dive into the underlying blockchain technology that enables it. In the next part of this series, using open-source tools, I start to describe how to build your very own private blockchain network. This private deployment will allow you to dig deeper into the details highlighted here. The technology may be centered around cryptocurrency today, but I also look at various industries the blockchain can help to redefine and the potential for a promising future leveraging the technology.

Petros Koutoupis

Rise of the Tomb Raider Coming to Linux This Month, phpMyAdmin New Release, Canonical's Kernel Update for RPi 2 and More

Tags: News, gaming, Raspberry Pi, multimedia, kernel

News briefs for April 9, 2018.

Feral Interactive confirms: "Lara Croft is returning to Linux in Rise of the Tomb Raider later this month, shortly after macOS. Specs will be announced closer to launch. In the meantime, gear up for adventure with our Linux livestream tomorrow at 6PM BST / 10AM PDT on Twitch."

phpMyAdmin version 4.8.0 was released over the weekend. This release brings the usual bug and security fixes, and other major changes include "security enhancements, such as removing the PHP eval() function and authentication logging, a mobile interface to improve the interface when used with tablets or mobile phones, and two-factor authentication options."

Canonical released a "major Linux kernel update for Raspberry Pi 2" that addresses various security vulnerabilities. Among other things, 21 security vulnerabilities were fixed for linux-raspi2, "including a race condition that could lead to a use-after-free vulnerability in Linux kernel's ALSA PCM subsystem, and a use-after-free vulnerability in the network namespaces implementation." Update now if you haven't already. (Source: Softpedia News.)

FreeCAD 0.17 was released last week, marking the first release in two years, so it's certainly a major update. Along with several workbench improvements, "more than 6,800 revisions were added to FreeCAD's source code". See the changelog for all the details, and download it here.

A new major version of the HandBrake open-source video transcoder was released this weekend, v. 1.1.0. Updates include an improved user interface, new and improved official presets, improved Apple TV 4K support and more. See all the details on the GitHub page.

Phoronix reports on big changes in store for the Linux 4.17 kernel (expected to be stable mid-June), including "a huge DRM subsystem update", "initial NVIDIA Tegra 'Xavier' SoC support", "fixes for the Macintosh PowerBook 100 series" and much more.

Jill Franklin