applied_sec_lab's People

Contributors

eikendev, keyctl, liblor, miro-h, requestforcoffee

Forkers

unnaturallog5

applied_sec_lab's Issues

Enforce password policy

I'd propose we implement a simple password policy

  • checking that no weak passwords are used (checking against the rockyou password list [1])
  • enforcing a minimal password length

@RequestForCoffee should we share this code between the webserver and the core ca or should I return a special error code if the password doesn't meet the policy?

[1] https://wiki.skullsecurity.org/Passwords
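The two checks proposed above, as an added example that is not the project's code: one policy module that both the web server and the core CA could import, returning a distinct error code per violation so either side can also just relay the code. The minimum length of 12 and the sample wordlist entries are assumptions; the real rockyou list is one password per line, which is the format `load_wordlist` expects.

```python
"""Password policy shared by web server and core CA (added example)."""
from enum import Enum
from typing import Iterable, Set


class PolicyError(Enum):
    # Distinct codes so the CA can return one to the web server
    # instead of both sides duplicating the check.
    OK = 0
    TOO_SHORT = 1
    IN_WORDLIST = 2


MIN_LENGTH = 12  # assumed value; the issue does not fix one


def load_wordlist(lines: Iterable[str]) -> Set[str]:
    """Build a lookup set from a one-password-per-line list such as rockyou.
    Entries are lower-cased so trivial case variants are rejected as well."""
    words = set()
    for line in lines:
        word = line.rstrip("\r\n")  # keep inner spaces, drop the newline
        if word:
            words.add(word.lower())
    return words


def check_password(password: str, wordlist: Set[str],
                   min_length: int = MIN_LENGTH) -> PolicyError:
    """Return the first policy violation found, or PolicyError.OK."""
    if len(password) < min_length:
        return PolicyError.TOO_SHORT
    if password.lower() in wordlist:
        return PolicyError.IN_WORDLIST
    return PolicyError.OK


# Constructed sample standing in for rockyou.txt (the real file has ~14M lines).
SAMPLE_WORDLIST = load_wordlist([
    "123456\n", "password\n", "iloveyou\n", "qwertyuiopasdf\n", "\n",
])

if __name__ == "__main__":
    for pw in ["password", "QWERTYUIOPASDF", "correct horse battery staple"]:
        print(pw, "->", check_password(pw, SAMPLE_WORDLIST).name)
```

Holding the full rockyou list in a Python set costs on the order of a gigabyte of RAM, which is worth weighing against the RAM concerns raised elsewhere on this page; a sorted file with binary search or a Bloom filter are the usual lighter alternatives.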

Ansible tasks for running service/system

  • replace certificates
  • update hosts (and reboot if the kernel is updated without downtime)
    ...

Since parts are used in the initial setup anyway we could use tags to limit tasks:
ansible-playbook site.yml -i production --tags update

Regularly update hosts

We should install security patches regularly, so admins do not have to check manually. This is common practice on Debian servers.

See the wiki for more information.

Display revoked certificates of user only

On the website, the list "Revoked Certificates" under "My Certificates" shows all revoked certificates instead of only displaying the revoked certificates of the current user.

nginx does not serve content over HTTPS.

We should configure all public nginx servers to serve encrypted content only. For doing so, we should introduce a trusted certificate which has to be installed on the client machine. Also, we should make sure that the TLS configuration of nginx is hardened.

See the documentation of the Ansible nginx role for further information on how to configure the deployment.
See Mozilla's SSL Configuration Generator for hints on how to configure TLS securely.

Add firewalls

On recent Debian distributions, nftables is recommended instead of iptables.

Necessary ports in our system:

  • *
    • 22 TCP (internal)
  • aslans*
    • 22 TCP (external)
  • aslcert*
    • 443 TCP (internal)
  • asldb*
    • 3306 TCP (internal)
    • 4567 TCP, UDP (internal)
    • 4568 TCP (internal)
    • 4444 TCP (internal)
  • aslld*
    • 80 TCP (external)
    • 443 TCP (external)
  • asllog*
    • 10514 TCP (internal)
  • aslweb*
    • 80 TCP (internal)
    • 443 TCP (internal)
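The port table above turned into a per-host nftables input ruleset, as an added example (not the project's Ansible code): default-drop input chain, only the table's ports opened, and "internal" ports additionally restricted to the internal network. The 10.0.0.0/24 range is an assumption taken from the 10.0.0.x addresses in the Ansible log on this page; the accept rules for loopback and established connections are standard additions the table does not list.

```python
"""Generate a per-host nftables input chain from the issue's port table (added example)."""
from fnmatch import fnmatch

INTERNAL_NET = "10.0.0.0/24"  # assumed from the 10.0.0.x hosts in the ansible log

# (host pattern, port, protocols, scope) exactly as listed in the issue
PORT_TABLE = [
    ("*",        22,    ("tcp",),       "internal"),
    ("aslans*",  22,    ("tcp",),       "external"),
    ("aslcert*", 443,   ("tcp",),       "internal"),
    ("asldb*",   3306,  ("tcp",),       "internal"),
    ("asldb*",   4567,  ("tcp", "udp"), "internal"),
    ("asldb*",   4568,  ("tcp",),       "internal"),
    ("asldb*",   4444,  ("tcp",),       "internal"),
    ("aslld*",   80,    ("tcp",),       "external"),
    ("aslld*",   443,   ("tcp",),       "external"),
    ("asllog*",  10514, ("tcp",),       "internal"),
    ("aslweb*",  80,    ("tcp",),       "internal"),
    ("aslweb*",  443,   ("tcp",),       "internal"),
]


def ruleset_for(hostname: str) -> str:
    """Return an nft script for one host: policy drop on input, only the
    table's ports accepted, internal ones only from INTERNAL_NET."""
    lines = [
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for pattern, port, protos, scope in PORT_TABLE:
        if not fnmatch(hostname, pattern):
            continue  # entry does not apply to this host
        src = f"ip saddr {INTERNAL_NET} " if scope == "internal" else ""
        for proto in protos:
            lines.append(f"    {src}{proto} dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(ruleset_for("asldb01"))
```

Write the output to a file per host and load it with `nft -f`; because the chain is default-drop, check the generated rules for the host's own SSH entry before applying them remotely.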

Content of security alert email when new cert is issued

What should the email say? Should it have a link to a form where the employee can report malicious behaviour? Keep in mind that his/her old certificate has been revoked, and the employee can not send a signed & encrypted email to the administrators.

Handle unavailable DB

What happens when the db server becomes unavailable or returns an error for a query?
e.g. if a new certificate is issued and the transaction fails for some reason, does the application crash?
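One way to make the failure modes asked about above explicit, as an added example that is not the project's code: issuance runs in one transaction, any database error rolls it back and is turned into a clean application error instead of a crash. SQLite stands in for the real database server, and the table layout and placeholder certificate strings are constructed for the example.

```python
"""Certificate issuance that survives a failing or unavailable DB (added example)."""
import sqlite3
from typing import List, Optional


class IssuanceError(Exception):
    """Reported to the caller instead of letting a DB failure crash the service."""


def issue_certificate(conn: sqlite3.Connection, user: str,
                      cert_pem: Optional[str]) -> Optional[int]:
    """Revoke the user's active certificate and store the new one atomically.
    If either statement fails, the transaction is rolled back, so the user
    is never left revoked without a replacement."""
    try:
        with conn:  # commits on success, rolls back on any exception
            conn.execute("UPDATE certs SET revoked = 1 WHERE user = ? AND revoked = 0",
                         (user,))
            cur = conn.execute("INSERT INTO certs (user, pem, revoked) VALUES (?, ?, 0)",
                               (user, cert_pem))
            return cur.lastrowid
    except sqlite3.Error as exc:  # covers failed queries and closed connections
        raise IssuanceError(f"certificate not issued for {user}: {exc}") from exc


def active_certs(conn: sqlite3.Connection, user: str) -> List[str]:
    return [row[0] for row in
            conn.execute("SELECT pem FROM certs WHERE user = ? AND revoked = 0", (user,))]


def demo() -> dict:
    """Exercise both failure modes from the issue against an in-memory DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE certs (id INTEGER PRIMARY KEY, user TEXT, "
                 "pem TEXT NOT NULL, revoked INTEGER)")
    issue_certificate(conn, "alice", "PEM-old")  # constructed placeholder
    try:  # 1. a query fails mid-transaction (NULL violates NOT NULL)
        issue_certificate(conn, "alice", None)
        failed_query = "no error"
    except IssuanceError as exc:
        failed_query = str(exc)
    still_active = active_certs(conn, "alice")  # old cert must still be active
    conn.close()
    try:  # 2. the DB is gone entirely
        issue_certificate(conn, "alice", "PEM-new")
        unavailable = "no error"
    except IssuanceError as exc:
        unavailable = str(exc)
    return {"active": still_active, "failed_query": failed_query, "unavailable": unavailable}
```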

Hand in system description and risk analysis, box images and source code

The deadline for the hand-in is 21.11.2019. The document must be submitted via e-mail to [email protected].

This issue shall list all important tasks for the final hand-in. For any other concerns, please add a comment below so this list can be updated accordingly.

  • Check if the document exceeds 30 pages
  • Check the log for missing references.
  • Check for duplicated words.
  • Hide the section about intentional backdoors (set showbackdoors to false).
  • Remove the hint about the page limitation.
  • Check the spelling (e.g. using Grammarly).

Incorporate two backdoors into the system.

According to the assignment, two backdoors have to be included in the system for other teams to find them.

You must build two backdoors into your system. Both backdoors should allow remote access to the system(s) and compromise its purpose. The reviewers of your system will later have to search for these backdoors. Design and implement a first backdoor so that it will be nontrivial but likely for the reviewers to find it. Give your best effort when it comes to the second backdoor! Try to hide it so well that the reviewers will not find it. Do not forget to hide your traces in the end (e.g., shell history).

Load Balancing

Current proposal for load balancing:

The client would connect to the load balancer and then be assigned to one of the web servers.

Pro:

  • Simplicity
  • Single failure tolerance (except load balancer)

Con:

  • If one machine per chain fails, we are unavailable
  • The load balancer is a single point of failure (for the improvement, see below)

A more complicated but more robust scheme would use two load balancers and DNS load balancing between the load balancers. This is an optional extension for now.

Open questions:

  • How does the load balancer learn that one chain is down?
    • A simple solution would be that the web server stops accepting traffic when the cert server fails (itself or because the DB is unavailable) and the balancer thus switches when one server is unreachable.
  • How are users with an active session migrated to the other chain?

Add 2FA for login via password.

To improve security, e.g. against brute-force attacks, we could require 2FA when a user wants to log in via password authentication.

The assignment provides us with email addresses, which we could use in our network to implement a scheme like the one used by GitHub.

One thing to consider is how to handle a case where a user lost their certificates. That way, the user is not able to read encrypted emails, but they cannot login to our service as they have neither password nor certificate.

High RAM usage

During development, the high RAM usage of our setup always kept me concerned as it monotonically increased. The further we advance in our setup, the more RAM we will need.

We should see if we're able to lower our requirements

  • to make it possible to run more machines during development and
  • to make sure other teams can run our setup.

Add backup solution

We need to backup essential data of our system.

Two ready solutions seem "practical".

Also, there exists Burp, which even supports pushing backups.
However, we might not need pushes for backups, if we manage to backup generated private keys separately.

Create admin user

Add another user to the client machine that can access the config server and from there (as a jump host) all other machines.

Do we accept the risk that if the config server is down, the admin has to physically go to the internal network to be able to fix something?

Can't rerun ansible because of "Transfer certificates to corresponding hosts"

When I rerun ansible I get the following error and ansible stops:

TASK [Transfer certificates to corresponding hosts] ******************************************************************************************************************************************************************************************
fatal: [aslweb01]: FAILED! => {"changed": false, "cmd": "/usr/bin/rsync --delay-updates -F --compress --archive --rsh=/usr/bin/ssh -S none -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null --rsync-path=sudo rsync --out-format=<<CHANGED>>%i %n%L /home/ansible/tls_certs/iMovies_aslweb01_tls.crt aslweb01:/etc/pki/tls/certs/", "msg": "Warning: Permanently added 'aslweb01,10.0.0.31' (ECDSA) to the list of known hosts.\r\nrsync: link_stat \"/home/ansible/tls_certs/iMovies_aslweb01_tls.crt\" failed: No such file or directory (2)\nrsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1207) [sender=3.1.3]\n", "rc": 23}
fatal: [aslcert01]: FAILED! => {"changed": false, "cmd": "/usr/bin/rsync --delay-updates -F --compress --archive --rsh=/usr/bin/ssh -S none -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null --rsync-path=sudo rsync --out-format=<<CHANGED>>%i %n%L /home/ansible/tls_certs/iMovies_aslcert01_tls.crt aslcert01:/etc/pki/tls/certs/", "msg": "Warning: Permanently added 'aslcert01,10.0.0.21' (ECDSA) to the list of known hosts.\r\nrsync: link_stat \"/home/ansible/tls_certs/iMovies_aslcert01_tls.crt\" failed: No such file or directory (2)\nrsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1207) [sender=3.1.3]\n", "rc": 23}
fatal: [asldb01]: FAILED! => {"changed": false, "cmd": "/usr/bin/rsync --delay-updates -F --compress --archive --rsh=/usr/bin/ssh -S none -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null --rsync-path=sudo rsync --out-format=<<CHANGED>>%i %n%L /home/ansible/tls_certs/iMovies_asldb01_tls.crt asldb01:/etc/pki/tls/certs/", "msg": "Warning: Permanently added 'asldb01,10.0.0.23' (ECDSA) to the list of known hosts.\r\nrsync: link_stat \"/home/ansible/tls_certs/iMovies_asldb01_tls.crt\" failed: No such file or directory (2)\nrsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1207) [sender=3.1.3]\n", "rc": 23}
fatal: [asldb02]: FAILED! => {"changed": false, "cmd": "/usr/bin/rsync --delay-updates -F --compress --archive --rsh=/usr/bin/ssh -S none -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null --rsync-path=sudo rsync --out-format=<<CHANGED>>%i %n%L /home/ansible/tls_certs/iMovies_asldb02_tls.crt asldb02:/etc/pki/tls/certs/", "msg": "Warning: Permanently added 'asldb02,10.0.0.24' (ECDSA) to the list of known hosts.\r\nrsync: link_stat \"/home/ansible/tls_certs/iMovies_asldb02_tls.crt\" failed: No such file or directory (2)\nrsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1207) [sender=3.1.3]\n", "rc": 23}
        to retry, use: --limit @/home/ansible/site.retry
