In this chapter, we took a look at the concept of security policies, highlighting various points to consider when defining such a policy and outlining some of the threats to your system and to you personally, as a security professional. We discussed desktop and laptop security measures as well as firewalls and packet filtering. Finally, we reviewed monitoring tools and strategies and showed how to best implement them to detect potential threats to your system.
- Take time to define a comprehensive security policy.
- Real risk often arises when you travel from one customer to the next. For example, your laptop could be stolen while traveling or seized by customs. Prepare for these unfortunate possibilities by using full disk encryption (see Section 4.2.2, “Installation on a Fully Encrypted File System”) and consider the nuke feature (see Adding a Nuke Password for Extra Safety) to protect your clients' data.
- Disable services that you do not use. Kali makes it easy to do this since all external network services are disabled by default.
- If you are running Kali on a publicly accessible server, change any default passwords for services that might be configured (see Section 7.3, “Securing Network Services”) and restrict their access with a firewall (see Section 7.4, “Firewall or Packet Filtering”) prior to launching them.
- Use fail2ban to detect and block password-guessing attacks and remote brute force password attacks.
- If you run web services, host them over HTTPS to prevent network intermediaries from sniffing your traffic (which might include authentication cookies).
- The Linux kernel embeds the netfilter firewall. There is no turn-key solution for configuring any firewall, since network and user requirements differ. However, you can control netfilter from user space with the iptables and ip6tables commands.
- Implement firewall rules (see Section 7.4, “Firewall or Packet Filtering”) to forbid all outbound traffic except the traffic generated by your VPN access. This is meant as a safety net, so that when the VPN is down you immediately notice it (instead of falling back to the local network access).
- top is an interactive tool that displays a list of currently running processes.
- The logcheck program monitors log files every hour by default and sends unusual log messages in emails to the administrator for further analysis.
- dpkg --verify (or dpkg -V) displays the system files that have been modified (potentially by an attacker), but relies on checksums, which may be subverted by a clever attacker.
- The Advanced Intrusion Detection Environment (AIDE) tool checks file integrity and detects any changes against a previously-recorded image of the valid system.
- Tripwire is very similar to AIDE but uses a mechanism to sign the configuration file, so that an attacker cannot make it point at a different version of the reference database.
- Consider the use of rkhunter, checksecurity, and chkrootkit to help detect rootkits on your system.
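The VPN-only outbound policy summarized above, as an added example that is not code from this book or from the Kali project: the script drives netfilter through iptables and ip6tables, drops everything leaving the machine by default, and whitelists only loopback, the tunnel itself, DHCP lease renewal, and the VPN handshake. The interface names tun0 and eth0, the documentation-range server address 203.0.113.10 and OpenVPN's UDP/1194 are assumptions that you override through environment variables.

```shell
#!/bin/sh
# Fail-closed outbound firewall for a VPN-only laptop (added example, not from the book).
# The defaults below are assumptions: tun0 for the tunnel, eth0 for the LAN,
# 203.0.113.10 (a constructed documentation-range address) for the VPN server, UDP/1194.
VPN_IF="${VPN_IF:-tun0}"
LAN_IF="${LAN_IF:-eth0}"
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"
VPN_PROTO="${VPN_PROTO:-udp}"
VPN_PORT="${VPN_PORT:-1194}"
# DRY_RUN=1 (the default) prints each rule instead of applying it; run with DRY_RUN=0 as root to apply.
DRY_RUN="${DRY_RUN:-1}"

# rule: print the command in dry-run mode, otherwise execute it.
rule() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# vpn_killswitch: default-deny OUTPUT for IPv4 and IPv6, then allow only
# loopback, the tunnel, DHCP renewal on the LAN, and the VPN handshake.
vpn_killswitch() {
    # Start from an empty OUTPUT chain so re-running the script is idempotent.
    rule iptables -F OUTPUT
    rule ip6tables -F OUTPUT

    # Default policy: anything not explicitly allowed below is dropped.
    rule iptables -P OUTPUT DROP
    rule ip6tables -P OUTPUT DROP

    # Local processes talking to each other (stub resolvers, D-Bus, X, ...).
    rule iptables -A OUTPUT -o lo -j ACCEPT
    rule ip6tables -A OUTPUT -o lo -j ACCEPT

    # Everything that goes through the tunnel is fine; it is the only path to the Internet.
    rule iptables -A OUTPUT -o "$VPN_IF" -j ACCEPT
    rule ip6tables -A OUTPUT -o "$VPN_IF" -j ACCEPT

    # Let the DHCP client keep its lease on the physical interface (client port 68 -> server port 67).
    rule iptables -A OUTPUT -o "$LAN_IF" -p udp --sport 68 --dport 67 -j ACCEPT

    # The VPN handshake must leave via the LAN interface, to the server address only.
    # Put a literal IP in the VPN client configuration: hostname lookups are blocked by design.
    rule iptables -A OUTPUT -o "$LAN_IF" -p "$VPN_PROTO" -d "$VPN_SERVER" --dport "$VPN_PORT" -j ACCEPT

    # Rate-limited logging of whatever falls through, so a dropped VPN shows up in the logs
    # (and in logcheck's hourly report) instead of silently hanging applications.
    rule iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "killswitch-drop: "
    rule ip6tables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "killswitch-drop: "
}

vpn_killswitch
```

Run it once without arguments to review the generated rules, then `sudo DRY_RUN=0 sh killswitch.sh` to apply them; as with any rule set from Section 7.4, persist them with your usual mechanism (for example, iptables-save) so they are in place before the VPN client starts. Because no ESTABLISHED/RELATED rule is present, a connection someone opens to the laptop over the LAN gets no replies either, which is the intended behaviour for a travelling machine.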
In the next chapter, we are going to dig into Debian fundamentals (Chapter 8, Debian Package Management) and package management. You will quickly understand the power behind Kali's Debian roots and learn how the developers have harnessed that power. Be warned, the next chapter is fairly dense, but it is critical that you understand Debian basics and package management if you are going to be a Kali power user.