Cybersecurity Recommendations

Hello everyone,

As we plunge into holiday season - and this particular year is my first using Linux opposed to MacOS or Windows - I’m noticing a massive lift in cyber attack activity. I’m using Fedora Silverblue 34 on a Lenovo Thinkpad so I’m pretty sure this machine is good, but when I go onto my Macbook or Windows desktop computer, some things are happening which are just a bit odd. I’m aiming to figure out what I can do on my ThinkPad + Fedora SB34 machine to scan and secure/harden my network at home and elsewhere. Here’s what’s happening:

1.) Internet cutting in and out often (once every few hours);
2.) Internet cutting out more than I notice on my computer while streaming on Roku TV, Smart TV;
3.) Bluetooth mouse not working properly on Windows with fresh batteries installed;
4.) Asian subtitles showed up on YouTube video on Macbook;
5.) One (1) email alert from Google saying that it blocked someone from trying to login to my account.

I bought this machine to prevent these types of attacks and it’s been effective as far as my TP is concerned. With that said, there are clearly other devices here and as I visit family, I’m realizing that there are just too many devices to monitor.

As I write out this post, a notification just popped up warning me that this post is being edited in another window, and I’m writing this on my Linux ThinkPad machine - so a bit odd in terms of timing and now I’m quite upset.

I have access to SSH into a few quantum computers through projects that I work on - and they’re my credentials (not business projects) and I want to respond to these attacks as aggressively as possible. I’m thinking Kali Linux + Python and I’m hopeful that if anyone knows anything about specifics that I should be aware of to scan networks that I’m on and respond to incidents - then I’m hopeful you can point me in that direction. These attacks ruined two (2) businesses of mine last year and I want to be very clear - I’d like my machine’s response to be as aggressive as possible in the computing world.

First thing is the router, does it have safety apps?

2 Likes

From this part I think, if you have never given your password to anyone, it might be possible that one of your devices has a keylogger installed.

Change your password and use 2FA hardware-based keys; Nitrokey and YubiKey are good options.

Maybe your device has Bluetooth issues.

2 Likes

Have you installed all firmware updates for your devices (router, mouse, every machine)?
Next you can use an online virus scanner for Windows (e.g. Kaspersky.com) to ensure that no malware was installed. Reset your router to its defaults, set new strong passwords and configure it again carefully. Ask your provider if there are some issues with the infrastructure. Reset your BIOS/EFI and set it up again. Under Windows set up a guest account and let no other person use your machines. Whenever it’s possible use Secure Boot and use only signed installation media. The most important thing is to think before you do something wrong. :grinning:

1 Like

Hi Liam,
I guess the answer is simple: Nothing.

Your Thinkpad is a network client, just as your RokuTV, your Mac, your Quantum computer and so on are.

If you want to harden your network security, you need to harden your router, its firewall, create VLANs and so on.

None of the 5 issues you are mentioning are Fedora-related, nor fixable as long as your router doesn’t run Fedora.

3 Likes

Hi Jaap, mmm kinda-sorta but let’s go with no generally speaking because since I’m in town visiting family, they’ll go with whatever Spectrum or AT&T provides. That said, I don’t believe the router itself is attached to any safety applications - any recs?

How about that! A keylogger. This is something to definitely look into. The one computer actually still does have Internet Explorer installed - so should probably remove that as well. My speculation is that there’s actually someone specifically doing this and whereas I have someone in mind, they also have the ability to just boot into Kali themselves from a thumb drive, ha. I am aiming to at least isolate the geographic location.
Regarding the Bluetooth - if someone knows which IP address to look for they can scan with Wireshark and decrypt info and all of that jazz - and if they do that, they can shut down the internet and even turn off Bluetooth devices so that when they boot back up - they gain partial access. This is why I was concerned about the Bluetooth bit.

I have updated all of the software but I will need to go ahead and check out Kaspersky. Avast was installed and also their VPN - which is OpenVPN - with the forked Chrome browser or Microsoft Edge browser. I saw OpenVPN in the file tree plus other Microsoft products as well, so I uninstalled that - installed Brave Browser on the Windows machine and got OpenVPN running directly opposed to through Avast.

Oh okay, I wasn’t sure if there was a client I could install on Fedora that would help with network monitoring, incident response planning or any other protocols for layer one (1). PyRDP, AndroidQF, LDAP, HandleKatz, aDLL etc. I’m not the best with Linux or Python quite yet, so was soliciting general feedback to see if it were possible to have this machine kinda oversee the whole network in any way like with Wireshark or whatever. Not my quantum computer, ha. One can use a few Raspberry Pis and Kubernetes to create a cluster that would at least throw off a script (I assumed) or SSH into Rigetti or something, and the intention there was perhaps under a false pretense but I thought it had potential to throw off a script.

In that case it is recommended to use a password lock in BIOS and opt out of other boot options except the hard drive, and for physical security I would recommend using full disk encryption (LUKS).

Watch out: Bluetooth itself is not a secure protocol, I hope you know about that. If you have that level of threat model you should not use Bluetooth.

And whatever you have mentioned here is not in any way Fedora related; be more specific.

1 Like

I disagree a bit with that. If someone had the possibility to install a keylogger (or something comparable), he/she/it could have installed and changed everything (privilege escalation has then also to be considered unless you can explicitly identify the way the attacker entered your system, and then evaluate all possibilities he had at this point). If there is a keylogger, you have to assume that there is also a persistent backdoor for the attacker to get back in, and there are many ways to do that (it is not so straightforward to check at which points an attacker has established access vectors, and when and where what is logged.)… If a system has a keylogger from someone else installed, the system has to be considered broken, and changing passwords will make no difference…

So, if you cannot identify another reason how someone could get your password, you have to explicitly identify the system on which the possibility to get this password exists (and consider it as broken: re-install os, including the config’s of your home dir). If you cannot identify which system offered this possibility… you have to consider all to be broken (or accept that there is still a realistic chance that someone is listening in, no matter what you now reconfigure within this system).

If you use 2fa, the attacker will have no possibility to get the certificates… but he can use what is plugged in (as long as it is plugged in).

I know I’m painting an extreme example, but if a password goes missing and it can be traced back to a system with a high probability, it should be taken seriously (someone went to the trouble of getting it).

BUT BE AWARE: If you deleted your browsers cookies or such, and then log into google yourself, it will assume that this is a new device, and send you that email. So, are you sure that it was not you who logged in at the given time?

… a small addition here: Linux, Windows and Mac have one thing in common: the users are the major firewall and the major vulnerability. Think about what you execute (and with which permissions) on your system, think of what update sources you use, think of what you install and, depending on the websites on which you surf, think of which restrictions you impose in your browser - and of course keep everything updated (and never work as admin/root unless it is explicitly necessary).

Bruce Schneier: Security is a process, not a product : )

4 Likes

That’s true but since the system running Fedora could have a security breach perhaps a firewall would help. Does Fedora GNOME have a firewall built in like Cinnamon?

We use Safing (Portmaster).

https://safing.io/portmaster/

1 Like

Besides nftables/firewalld (including the ports actively listened on by specific processes when not blocked by firewalld), SELinux (and of course the traditional rwxrwxrwx : ) is the major issue an attacker has to manage in order to get access / increase his privileges. Other security systems have limited/restricted capabilities and at the worst, they create unforeseen interactions and vulnerabilities themselves as they will never be as holistically tested as the kernel (and its environment). When it comes to security tools, it should be focused on the well-tested measures of the kernel.

However, as soon as an attacker has achieved his access (and possibly even root access), he can tailor the security measures on his permission level the way he wants, including, e.g., scripts that regularly re-establish his preferred settings. When the attacked system has dynamic IP addresses, an attacker is likely to impose a measure that regularly offers another machine on the Internet, which he determines in advance, access to the system. By that, the Fedora itself sends a HTTP(S) request to the Internet, which makes even external firewalls allow the answer (to the preceding request) to pass to the victim machine: so, this also bypasses the need for the port to be open against requests from outside in the external firewall (of course this also includes the internal firewalls of the system, e.g., firewalld) as this firewall, at this moment, assumes that an answer will come because this was requested by the trustworthy Fedora (which we consider hacked) from within.

To block this capability of the attacker and his measures (which we assume to be already active), you would have to block HTTP(S) (and of course all other protocols/ports) at all, which would even make the daily updates of Fedora impossible. A broken system : )

Firewalls are in general there to prevent attacks. They have to be assumed to make no difference once the attack has happened.

However, I admit that this type of attack via the inconspicuous printer, which has not been updated for years but connected to the network, is much more elegant. :slight_smile:

2 Likes
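The post above describes a compromised machine that regularly calls out to a pre-chosen host so that the stateful firewall lets the replies back in. The script below is an added example, not code from the thread or from Fedora: it scans a connection log for exactly that signature, destinations contacted at a near-constant interval. The log format ("epoch src dst dport", one outbound connection per line) and the sample entries are constructed assumptions; the thresholds are tuning knobs, not fixed rules.

```shell
#!/bin/sh
# Added example, not from the thread: flag destinations that one internal host
# contacts at a fixed interval, the "regular request to a pre-chosen machine"
# pattern described above. Log format is an assumption: one outbound
# connection per line as "<epoch> <src> <dst> <dport>".

# Constructed sample: 203.0.113.9 is hit every 600 s exactly (beacon-like);
# 198.51.100.7 is ordinary browsing at irregular intervals.
SAMPLE_LOG='1700000000 192.168.1.20 203.0.113.9 443
1700000120 192.168.1.20 198.51.100.7 443
1700000600 192.168.1.20 203.0.113.9 443
1700000733 192.168.1.20 198.51.100.7 443
1700001200 192.168.1.20 203.0.113.9 443
1700001205 192.168.1.20 198.51.100.7 443
1700001800 192.168.1.20 203.0.113.9 443
1700002400 192.168.1.20 203.0.113.9 443'

# find_beacons LOG [MIN_HITS] [MAX_JITTER]
# Prints "dst hits mean_gap jitter" for each destination seen at least
# MIN_HITS times whose gap spread (largest gap minus smallest) is at most
# MAX_JITTER seconds. Thresholds are tuning assumptions, not fixed rules.
find_beacons() {
    min_hits=${2:-4}; max_jitter=${3:-30}
    printf '%s\n' "$1" | sort -n | awk -v mh="$min_hits" -v mj="$max_jitter" '
    function report(d,    n, i, g, lo, hi, sum) {
        n = cnt[d]
        if (n < mh || n < 2) return          # too few contacts to judge
        lo = hi = gap[d, 1]; sum = 0
        for (i = 1; i < n; i++) {
            g = gap[d, i]; sum += g
            if (g < lo) lo = g
            if (g > hi) hi = g
        }
        if (hi - lo <= mj)
            printf "%s %d %.0f %d\n", d, n, sum / (n - 1), hi - lo
    }
    {
        d = $3; cnt[d]++
        if (cnt[d] > 1) gap[d, cnt[d] - 1] = $1 - last[d]   # seconds since previous hit
        last[d] = $1
    }
    END { for (d in cnt) report(d) }'
}

# Standalone run over the constructed sample.
find_beacons "$SAMPLE_LOG"
```

Feed it a real export (router or firewall connection log converted to the same four columns) and review every flagged destination by hand; software updaters also poll on a schedule, so a hit is a lead, not proof.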

I would clear out cookies and possibly even start a new browser profile, deleting the old one.
Firefox: ~/.mozilla; Google Chrome: ~/.config/google-chrome. Save your bookmarks if needed.

To me this is alarming… I would use the site :

https://haveibeenpwned.com/

Troy Hunt has aggregated a large Database of emails and passwords that show up on websites that have been hacked. I would strongly recommend you change your password and enable 2FA immediately.

It’s also a good idea to check any alternative emails and friends’ and family’s emails you can. Have them change passwords if necessary.

1 Like

I see. So there are quite a lot of built-in firewalls running in the background, that’s awesome. Can we configure the traffic coming into the computer easily with those other programs you mentioned, i.e. firewalld and rwxrwxrwx?

I know SELinux has 3 modes,

  1. Enforcing
  2. Permissive mode
  3. Disabled mode

Although the configuration seems to be preset. Perhaps CentOS or Fedora Server has more to offer in the security customisation for the user in this case.

1 Like

https://docs.fedoraproject.org/en-US/quick-docs/firewalld/

There’s also SELinux Troubleshooter you can download (it used to come with Fedora way back when…) or the Firewall GUI from the Software Center, see if it fits your needs.

2 Likes

Great thanks a lot. So what would be the terminal install for that one from the software centre, there’s a few similar ones I see.

1 Like

https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-selinux/

https://docs.fedoraproject.org/en-US/quick-docs/troubleshooting_selinux/

2 Likes

Hi @bennyisaiah ,

I confess, my statements were somewhat misleading. Therefore I do not want to leave my above statements as they are (sorry for that :slight_smile:). rwxrwxrwx was meant in a funny way. So, I meant the traditional access control of Linux (no specific tool/module), which regulates which user and which group own a file, and who can do what with it (including others). If you open a folder with ls -l, you see these permissions with notations like dr-xr-xr-x or -rwxrwxrwx.

Nevertheless, this is a very rigid way of access control (what actor is allowed to do what with which file) and does not incorporate preventive capabilities. Sometimes, processes need many access rights in this respect to fulfill their purpose (e.g., most VM solutions will not work without invasive/strong access permissions), and if these processes behave in unintended ways (e.g., a hack due to vulnerabilities), a potential attacker can gain a lot of power on the system without causing another reaction of the traditional access control.

This is the point where the mandatory access control (in our case, SELinux) is put in place. It adds another independent access control that is based upon policies (in political science, we call it norms, rules and practices, which is possibly easier to understand : ) instead of rigidly-allocated owner+rights of files: simplified, SELinux evaluates which type of actor should be able to exercise what type of access/action in what type of situation. Type is determined by the profiles, which is more situative rather than rigid. This is a very powerful measure especially in preventive terms, which makes a difference to traditional access control:

Example: If you have a VM solution that needs invasive access permissions to work, everyone who can hack this solution (e.g. through its web interface; code/command injection or such) automatically has invasive permissions: the firewall that manages the system’s network traffic (this is firewalld), that goes in and out, will of course only allow traffic from outside that was requested from inside. But since we have a web server (the VM host’s management web interface) in place, that firewall has to have the HTTPS port open to enable people from outside to log into the web interface. So, if someone injects code due to a vulnerability in that web interface, firewalld cannot make a difference in this specific scenario/case. As this VM solution does not work without access rights that are very invasive, the traditional access control won’t make a difference either. However, if the attacker injects code/commands in order to use the VM host process to break into the remaining system (which usually implies behavior that is not intended for a VM host process), SELinux will analyze the process’s behavior and, as it will not correspond to the policies, SELinux will prevent the process from exercising that behavior: it enables preventive security that can limit the damage that can be done by vulnerable processes.

Thus, these are three different but complementary security measures, not just three more firewalls. I hope that makes more sense than my elaboration above.

Since you seem to focus on securing your network traffic, firewalld seems to be the tool that is most interesting for you: @hamrheadcorvette provided the link. Btw, another security measure that can make sense if you have a web server is a web application firewall, which would not be part of the kernel but of the web server (e.g., there is one for nginx; the WAF can also itself be a web server that is put in between the main web server and the network). Of course this does not mean that SELinux does not make a difference for you (as elaborated above).

I suggest using the links provided by @hamrheadcorvette and @grumpey to get some understanding of the concepts, even if you use a GUI.

3 Likes

So I had to dwell on your post to understand it completely. Thanks for explaining this, I had no idea firewalls could be so complex. At least we don’t have to build iptables.

Okay so in summary from what I have researched.

1- A desktop computer does not typically have open ports to the outside world. So a firewall isn’t typically needed for a desktop for typical office work.

2- A server requires not only a firewall but a specially configured firewall to have certain ports open (i.e. SSH) and certain ports closed (i.e. RDP, VNC etc.)

3- SELinux by default is enabled on all CentOS, Fedora and Red Hat systems

I checked that here yesterday

[solomon@fedora ~]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
[solomon@fedora ~]$ 
4- Linux does not need a virus scanner as it doesn’t have a registry on a different type of kernel to Windows.

Nevertheless I would still like to check none of my ports are open and also configure my firewall to the recommended settings.

So I activated the firewall

sudo systemctl unmask firewalld

[solomon@fedora ~]$ sudo systemctl start firewalld
[solomon@fedora ~]$ sudo su
[root@fedora solomon]# firewall-cmd --state
running

[solomon@fedora ~]$ sudo firewall-cmd --list-ports
1025-65535/tcp 1025-65535/udp

So should that port be open?

1 Like
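The last post asks whether the 1025-65535/tcp and /udp ranges that firewall-cmd lists should be open. The script below is an added example, not code from the thread or from Fedora: it turns the manual checks in this thread (firewall-cmd --list-ports, sestatus, and what is actually listening) into a repeatable audit. The parsing functions take plain text so they can be tried offline on the exact output quoted above; audit_live calls the real tools. The 100-port threshold is an assumption, chosen only to make a whole-range opening stand out.

```shell
#!/bin/sh
# Added example, not from the thread: a small audit of the two things the
# thread ends on, the firewalld port list and the SELinux mode. The parsing
# functions work on plain text so they can be exercised offline; audit_live
# runs the real firewall-cmd / sestatus / ss commands when they are installed.

# range_width SPEC: number of ports in a firewalld spec such as "1025-65535/tcp".
range_width() {
    spec=${1%/*}                       # drop the "/tcp" or "/udp" suffix
    case "$spec" in
        *-*) lo=${spec%-*}; hi=${spec#*-}; echo $((hi - lo + 1)) ;;
        *)   echo 1 ;;
    esac
}

# flag_wide_ports LIST MAX: print each spec in the space-separated LIST that
# opens more than MAX ports. A desktop rarely needs more than a handful.
flag_wide_ports() {
    for spec in $1; do
        [ "$(range_width "$spec")" -gt "$2" ] && echo "$spec"
    done
    return 0
}

# selinux_enforcing TEXT: succeed when sestatus output reports enforcing mode.
selinux_enforcing() {
    printf '%s\n' "$1" | grep -q '^Current mode:[[:space:]]*enforcing'
}

# audit_live: run the checks against this machine (needs firewalld; run as root).
audit_live() {
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not installed"; return 1; }
    ports=$(firewall-cmd --list-ports) || return 1
    echo "firewalld open ports: ${ports:-none}"
    flag_wide_ports "$ports" 100 | sed 's/^/WIDE RANGE (review this): /'
    if command -v sestatus >/dev/null 2>&1; then
        if selinux_enforcing "$(sestatus)"; then echo "SELinux: enforcing"
        else echo "SELinux: NOT enforcing"; fi
    fi
    # Processes actually listening; a port is only reachable if something binds it.
    echo "listening sockets:"; ss -tulnp 2>/dev/null || echo "ss not available"
}
```

Source the file and run audit_live with sudo; a flagged range such as 1025-65535/tcp is worth comparing against the "listening sockets" list, since an opened range that nothing listens on still widens what a future process can expose without any further firewall change.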