1. Implement a firewall
The de facto firewall for Ubuntu is ufw (uncomplicated firewall). I personally love this tool as it is easy to configure and maintain. You recall that CIS Benchmark I have referred to numerous times in this article and others? Yeah. Follow that. There are a couple of other firewall packages that are referenced in the guides. Pick one and use the recommended settings.
By default, I would recommend blocking all inbound traffic from the internet, allowing all outbound traffic from the server, and on the local network allowing only port 22/TCP (for ssh access) plus any other ports the server actually needs to serve. My personal go-to is to block everything by default and then add rules only for services I explicitly need. In some cases, this will require research into the product or service you are installing on the server. As an example, see the port requirements mentioned in my article for building a highly available cluster for MySQL. There are ports for the SQL service, remote control, and cluster management services. Proper research in advance will save you hours of frustration trying to figure out why something is not working the way it should.
If you have an existing system that is already providing services on your network and you want to tighten it down, use a tool such as netstat to see which services are listening on which ports, and let that determine the rules you apply to your firewall. Some listeners are bound only to the loopback address and never see traffic from the network; you only need to worry about the ones listening on addresses reachable from other hosts.
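One way to turn that netstat survey into the default-deny ufw policy described above, as an added example that is not part of the original article: it parses a constructed netstat -tlnp listing, ignores loopback-only listeners, and emits ufw commands that admit the remaining ports only from an assumed LAN range (192.168.1.0/24 is a placeholder, not a value from the article).

```python
"""Derive a default-deny ufw rule set from `netstat -tlnp` output.

Added example, not from the original article. Loopback-only listeners
(127.0.0.1, ::1) are skipped; every other TCP listener gets an allow
rule scoped to the LAN CIDR, which is an assumed value.
"""
import ipaddress

# Constructed sample of `netstat -tlnp` output; PIDs and programs are made up.
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1023/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1400/nginx
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      655/cupsd
"""

LAN_CIDR = "192.168.1.0/24"  # assumed local network; placeholder, adjust for your site


def split_host_port(local_addr):
    """Split netstat's Local Address column into (host, port).
    netstat prints the port after the last colon, so '::1:631' -> ('::1', 631)."""
    host, _, port = local_addr.rpartition(":")
    return host, int(port)


def is_loopback(host):
    """True for listeners reachable only from the machine itself."""
    if host in ("", "*"):
        return False              # wildcard bind: every interface
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def listening_services(netstat_output):
    """Return {port: program} for TCP LISTEN sockets not bound to loopback."""
    services = {}
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 7 or not fields[0].startswith("tcp"):
            continue              # header line or non-TCP entry
        if fields[5] != "LISTEN":
            continue
        host, port = split_host_port(fields[3])
        if is_loopback(host):
            continue              # local-only traffic needs no firewall rule
        program = fields[6].split("/", 1)[-1]
        services.setdefault(port, program)   # IPv4 and IPv6 entries share a port
    return services


def plan_ufw_rules(netstat_output, lan_cidr=LAN_CIDR):
    """Default deny inbound, allow outbound, then one LAN-only rule per exposed port."""
    ipaddress.ip_network(lan_cidr)           # fail early on a malformed CIDR
    rules = ["ufw default deny incoming", "ufw default allow outgoing"]
    for port, program in sorted(listening_services(netstat_output).items()):
        rules.append(f"ufw allow from {lan_cidr} to any port {port} proto tcp comment '{program}'")
    rules.append("ufw enable")
    return rules


if __name__ == "__main__":
    print("\n".join(plan_ufw_rules(NETSTAT_OUTPUT)))
```

Review the generated lines before running them as root; a service you did not expect to be listening is a finding in itself, not just a rule to add.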
2. Monitor for threats
Aside from the tools recommended in the security guides above, you can utilize free tools such as Greenbone or Wazuh to monitor your systems for any potential vulnerabilities or configuration issues that you might want to address within your network. Neither of these tools takes a ton of resources, but the feedback they provide will go a long way toward helping you identify any potential holes in your security. I run both of them.
3. Periodically check for CVEs which impact your systems
A great tool that Ubuntu provides is OVAL reports. These reports use OpenSCAP to check your systems against a list of known vulnerabilities (CVEs). It will not fix them for you, but it will produce an easy-to-read HTML report you can view in any browser to determine where to focus your patching efforts. Most of these vulnerabilities can be fixed by regularly running an apt upgrade against your servers. Some of them can only be fixed with an ESM subscription from Ubuntu, as those repositories are limited to licensed Pro subscribers.
I generally recommend a reboot after patching, primarily due to the number of kernel patches that are released. There is no set schedule as there is with Microsoft. This is arguably a good thing, as patches come out more frequently to take care of issues immediately instead of waiting a month or two for the vulnerability to be patched. Others may complain that the lack of any schedule makes checking for patches a daily task to keep their systems current. Follow your best practices or operating procedures to make sure you can hit maintenance windows and avoid impacts to other teams.
It is generally a good practice to re-run the OVAL report after any patching is performed to ensure that the vulnerability is fixed. In some situations, the vulnerability will not be fixed, but the report will provide links to details about the vulnerability which may give you more information on how to mitigate the risk.
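As an added example (not from the article or from Canonical's tooling), a small script that compares two oscap OVAL result files, before and after patching, and lists which definitions still evaluate true. The XML is a constructed miniature of the `oscap oval eval --results` layout; the CVE ids and definition ids are placeholders.

```python
"""Added example (not from the article): diff two `oscap oval eval --results`
files so that, after patching, you see which definitions still evaluate true.
The XML is a constructed miniature of oscap's layout; CVE ids are placeholders."""
import xml.etree.ElementTree as ET

RESULTS_NS = "http://oval.mitre.org/XMLSchema/oval-results-5"
DEFS_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
# Constructed definition titles keyed by placeholder OVAL definition ids.
TITLES = {"oval:example:def:1": "CVE-0000-0001 on Ubuntu (placeholder) - high.",
          "oval:example:def:2": "CVE-0000-0002 on Ubuntu (placeholder) - medium.",
          "oval:example:def:3": "CVE-0000-0003 on Ubuntu (placeholder) - low."}

def sample_results(results):
    """Build a constructed results document; `results` maps def id -> result string."""
    defs = "".join(f'<definition id="{i}" version="1" class="vulnerability">'
                   f"<metadata><title>{t}</title></metadata></definition>"
                   for i, t in TITLES.items())
    res = "".join(f'<definition definition_id="{i}" result="{r}" version="1"/>'
                  for i, r in results.items())
    return (f'<oval_results xmlns="{RESULTS_NS}"><oval_definitions xmlns="{DEFS_NS}">'
            f"<definitions>{defs}</definitions></oval_definitions>"
            f"<results><system><definitions>{res}</definitions></system></results>"
            "</oval_results>")

BEFORE_PATCH = sample_results({"oval:example:def:1": "true",
                               "oval:example:def:2": "true",
                               "oval:example:def:3": "false"})
AFTER_PATCH = sample_results({"oval:example:def:1": "false",
                              "oval:example:def:2": "true",   # e.g. fix only in ESM repos
                              "oval:example:def:3": "false"})

def _local(tag):
    """Drop the namespace so the parser tolerates OVAL schema version differences."""
    return tag.rsplit("}", 1)[-1]

def parse_oval_results(xml_text):
    """Return {definition id: (title, result)} from an oscap OVAL results document."""
    titles, outcome = {}, {}
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "definition":
            continue
        if "definition_id" in el.attrib:            # entry from the <results> block
            outcome[el.attrib["definition_id"]] = el.attrib["result"]
        elif "id" in el.attrib:                     # entry from <oval_definitions>
            titles[el.attrib["id"]] = next(
                (c.text for c in el.iter() if _local(c.tag) == "title"), "")
    return {i: (titles.get(i, ""), r) for i, r in outcome.items()}

def open_findings(parsed):
    """Titles whose definition evaluated 'true': the host is still affected."""
    return sorted(t for t, r in parsed.values() if r == "true")

def compare_runs(before_xml, after_xml):
    """Return (fixed, still_open) title lists between two report runs."""
    before = set(open_findings(parse_oval_results(before_xml)))
    after = set(open_findings(parse_oval_results(after_xml)))
    return sorted(before - after), sorted(after)

if __name__ == "__main__":
    fixed, still_open = compare_runs(BEFORE_PATCH, AFTER_PATCH)
    print("fixed:", fixed, "\nstill open:", still_open)
```

Anything left in the still-open list after an apt upgrade and reboot is what the report's links are for: either it needs ESM packages or it needs a mitigation rather than a patch.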
Above all, keep in communication with stakeholders for the systems you are patching. Yes, people tend to blame you if a problem occurs after patching. That is just the nature of any job in IT from the support desk staff to the level three engineers. You learn to not let it bother you over time. Communication goes a long way in tempering a lot of those complaints. Just remember to answer all potential questions in your communication — who, what, where, when, and why. Users don’t really care about or need to know the how, but the how should be clearly defined in any change request tickets you may be required to file.
4. Monitoring
Monitoring is one of those tools that you don’t think you need until you realize that you do. It allows you to be more proactive instead of reactive, which goes a long way toward showing your value to an employer. Would you rather be known for fixing hundreds of impacts to servers you manage, or for preventing those problems from occurring in the first place?
There are multiple tools that provide monitoring for your infrastructure. My current favorite is Zabbix, which also supports high availability. It is an open source project that is free to use. It just requires a bit of setting up. Once it is configured, it requires very little maintenance.
My preferred way of setting up Zabbix is for high availability, which allows monitoring to keep running even during maintenance windows on the Zabbix systems themselves. Refer to my article on setting up an HA MySQL cluster as a base for getting started. The external resources within that document will also guide you through setting up the application and front-end layers so the system remains always on.
The default Zabbix dashboard will provide you with a list of servers that are consuming the most resources. It will also give you a list of the currently active alerts to help guide you to the problem areas that you might want to address first. If you integrate monitoring with email, you can receive notifications before a user even realizes there might be a problem. Checking the resource utilization can quickly guide you to where modifications in your hosting platform should be made to add more drive space, RAM, or CPU.
5. Use a Pi-Hole for ad filtering
Ok. First, do not do this at work without lots of discussion with leadership or teams that focus on controlling network traffic. There are ways to do this as a Docker container on your local machine so that it only affects you and not a larger group of users. Be aware that if you start filtering traffic from network devices other than yours you might be interfering with someone’s ability to do their job. This information is mainly for the home tinkerer that wants to better control their bandwidth usage.
This software really takes minimal resources and was designed to be run from a low-powered Raspberry Pi. I have found that it works just as well from a Docker or LXD container. In fact, I have it running as my primary DNS point for all devices in my home network to prevent all sorts of metrics monitoring and tracking from third parties. Over time, 25% of the requests leaving my network are going to ad or tracking sites.
My outbound traffic through Pi-Hole is not limited to just my web browser. ALL traffic on my network that has to perform DNS look-ups goes through my Pi-Hole. I have found suspicious tracking on AppleTV, Roku, and Chrome devices as well as Amazon’s Echo brand of devices. Even my internet-connected thermostat does a phone home to the manufacturer hundreds of times per day for some unknown reason.
While I prefer to purchase devices that don’t rely on subscriptions or third-party cloud services, that is becoming harder to avoid as manufacturers move to fee-based subscription services for the basic functionality for which I purchased the device. I have a whole soapbox about paying $100 for a security camera and then losing all functionality when the company goes defunct because they were fronting the third-party video storage at Amazon Web Services. And why does Amazon’s EERO wifi router require a subscription to use basic functionality? Do not get me started. Pay attention to requirements before you buy devices.
Firebog has a good curated list of lists to add to your Pi-Hole over at https://firebog.net/. I can use all of the items in green without any issue. If you use the lists in blue, you might start running into problems with applications or services not working, such as Paramount+, which uses some of the services on these lists to serve you the required ads.
Keep in mind that some services might require you to whitelist some entries for them to function properly. Most subscriptions for streaming services have moved to an ad-supported tier and increased prices for ad-free services. In so doing, the app may not play properly if you are on an ad-supported tier and using a Pi-Hole or any other form of ad blocking with them. I wait until I experience any such problem and then check my blocking logs on the Pi-Hole to see what the culprit might be. The Pi-Hole has a button next to each log item to allow you to quickly add the destination to the whitelist to see if that corrects the issue.
6. Use a VPN
Another one for home users only: consider using a VPN to keep your business your business. I have used NordVPN for years for multiple reasons.
a. I can set my country of origin so that I can test access to resources from remote locations,
b. They do not maintain log files, so it is theoretically impossible for others to track my web usage,
c. Comcast or CenturyLink (the two major players in my area) cannot track my behavior for ad-serving purposes,
d. All traffic, including DNS queries, is encrypted when leaving my network, keeping prying eyes out of my business.
VPN services are also useful if you live in a country where your entire digital life is monitored. Russia’s ban of Twitter after the Arab Spring is an ideal example. If your government runs the risk of serving itself over serving the people, why give them any more power or make their goals easier to achieve? To misappropriate the frequent quote from Benjamin Franklin, “Those who would give up essential liberty to produce a little temporary safety, deserve neither liberty nor safety.” Granted, he was using it in terms of taxation and border security, but that is another discussion for a political blog to handle. The sentiment, albeit misplaced, is apropos to privacy and security in the private sector and technology spaces as well.
7. Isolate IoT devices on their own network
Does your coffee maker need to see all of the traffic on your network or interact with your desktop? No. Nor does Siri, Alexa, Google, your thermostat, or any other internet-connected device on your network. They may need to communicate with each other, but they don’t need to communicate with your laptop.
Any IoT device should have its own interface with which you interact. They do not need to be on the same network as your web browser in order to function fully. In most cases, these devices have not kept up with the latest technology and only support wifi on the 2.4GHz band, which is severely speed-limited. Some devices cannot even use your newer wifi 6, 6E or 7 networks. I have even found devices that do not support encryption newer than WEP. Others don’t support any encryption at all. Manufacturers have little to no incentive to keep these devices up to date with newer technologies. And we really don’t want to have to replace something that is otherwise functioning just to fix vulnerabilities in protocols they use that are decades old, as in the case of WEP.
Some devices might have to access resources on your network such as an AppleTV device that is streaming movies from your Plex server or iTunes libraries. Those can still be on a separate subnet with a firewall routing only required traffic into your home network where the resources reside.
Another advantage of isolating IoT devices to their own network is performance. If only your laptops, desktops, and servers are communicating on one network, they are not constantly interrupted by traffic that is going on in the other network. Granted, there is not that much of a performance gain, but there is a security gain that compounds the benefits.
Most wifi routers still have the ability to set up a secondary or guest network that runs over 2.4GHz and meets the low security requirements of older devices. I configure the guest network on my home system for IoT devices and isolate that traffic over there. I do not leave it as an open wifi, but keep it secured with a password. If someone should ever crack that password, they will only get into my IoT devices. Just make sure that your baby monitors or any other audio video monitoring devices are as secure as possible and consider changing the guest network password at least once per year. Better yet, change it when you change the smoke detector batteries.
8. T-Pot 24.04
This suggestion is a bit more obscure and recommended for experienced network administrators. It could be inviting disaster if not done properly. Only do this at your own risk. This machine should not be powered on at all times if it is directly accessible through the internet. Be prepared to quickly power off the VM when not in use or if attacks grow so large that they consume your bandwidth. Even with a 1GB internet connection, they will consume 100% of bandwidth and take down other services on other servers. Never underestimate an attacker.
A honeypot is for all intents and purposes a trap. Have you seen Winnie the Pooh get his head stuck in a tree or pot of honey when trying to grab every last drop? It is like that. In computer terms, a honeypot is a fake server that appears to be legitimate to the outside world. It is a temporary server that provides a vulnerable service as a temptation to hackers. Once a hacker locates the service, they can proceed to attempt a variety of exploits against the service. Meanwhile, the honeypot is logging everything and sending that information to a logging system outside of the honeypot so that you can review what happened later and learn how the system was exploited.
Deutsche Telekom - the owners of T-Mobile - have provided an open source collection of honeypots for a number of years. The system provides popular applications such as SSH servers, web servers, and databases, among others. It also provides a web interface for the local administrator to see the number of attacks and the country of origin of each using Kibana and Grafana. It used to be much easier to set up because it shipped as an installation ISO complete with an operating system deployment. You were able to deploy it as a VM, point your DMZ to it, and start monitoring traffic. But the current version is not too difficult to get running.
In its current iteration, it is no longer an ISO from which you can install. Instead, it is an installation script that builds out various containers to provide fake systems and services as an invitation for hackers to attempt to exploit. Most hackers will see these and play around on them for about a minute before they realize they are a trap. But they will give you an idea of where holes might exist in your firewall, and provide a starting point for where to focus on tightening security.
To begin, you will need to build a minimal-installation Linux VM. Any major distribution should suffice, but I choose Debian for my minimal installations. The only optional software that should be installed is OpenSSH and curl, to be able to grab the installation script. The system will need at least 128GB of storage and 8-16GB of RAM. CPU does not seem to be as important, but I select one socket with four cores. Follow one of my other guides on this blog to build out a system before continuing.
Don’t worry about it not having any services other than OpenSSH installed. The installer will build out containers within the system to provide the necessary services to allow attackers to locate the honeypots.
Once the base system is installed and patched, you can execute the following command to install the entire T-Pot collection.
env bash -c "$(curl -sL https://github.com/telekom-security/tpotce/raw/master/install.sh)"
Follow the instructions printed on the screen, check for possible conflicts with any other services, and reboot the system before use. You can get full details on how to best use the software and configure your firewall at https://github.security.telekom.com/2024/04/honeypot-tpot-24.04-released.html. Make sure that you do not expose ports over 64,000, as these higher ports are used for your management of the system. All lower ports are potential targets for attacks.
9. Centralized User Management
One of the benefits of working in a corporate network is the implementation of a centralized database of user accounts and credentials. Most often, this is done with Active Directory (AD) which is Microsoft’s implementation of PAM and LDAP into a single database which can be administered from centralized tools. AD is a required skillset for any system administrator. You could use evaluation versions of Windows to set things up, but long-term access is not guaranteed unless you purchase a license. But Microsoft licenses can get costly - even if it is only for home use.
There are several ways to get centralized user management on Linux systems that will not cost you a lot of money, but they may take you a lot of time. It is time well spent as it will help you develop the skills to understand the underpinnings of identity management. Some of the tools you can research and try are below. Some are free, and some are commercial. I tend to stick with free. They are more difficult to set up, but still worth the effort.
OpenLDAP
389 Directory Server
Samba
Zentyal
ClearOS
NethServer
Univention
Once you have your system of choice in place, you can configure your servers as members of the infrastructure and create accounts that can be shared across servers and workstations. This means that you will no longer have to remember the username and password for each system on the network. You can have a single username and password that works across all of them. With even further configuration, you may even be able to use the same account to manage non-PC devices such as routers, firewalls, switches, and others.
While centralized user management does not really add to security, it does make user management much less of a headache.
10. Sign up for mailing lists
While not a direct security countermeasure with any immediate impact on your systems, there are a variety of security mailing lists you can subscribe to that will provide relatively current news of new threat vectors, vulnerability discoveries, available patches, and a plethora of security-related news. Here are some of my favorites.
Bruce Schneier - https://www.schneier.com/
While there is a lot of opinion and paranoia in his blog, Bruce Schneier is one of the leading technologists in the security sector. His blog and newsletter have been available for over twenty years and include information about new threats as well as countermeasures.
SANS Institute - https://www.sans.org/newsletters/
One of the most recognized and respected places to learn about security and to obtain security-focused certifications is SANS. There are currently three main newsletters you can sign up for. They will send periodic emails without inundating your inbox with tons of spam.
NewsBites - This newsletter is released about every two weeks and gives a timely update on recent headlines related to cybersecurity. It covers major breaches and exploits you should pay particular attention to.
@Risk - This weekly email gives a more detailed look at newly discovered vulnerabilities along with more in-depth coverage of how some exploits work from time to time.
Ouch! - This is a monthly newsletter that gives you the highlights of computer security tuned more for the lay-person. It will provide tips for detecting phishing attempts or other ways that we common folk are constantly being hit with attempts to steal our personal information. It will also suggest ways to avoid situations where security can be easily compromised.
CVE Announce - https://www.cve.org/Media/News/NewsletterSignup
This might be one of the noisier mailing lists and works well if you have filters in place to redirect emails from them to a subfolder that you can review from time to time. Every time a new vulnerability is found or analyzed, this mailing list sends out a notification of the new attack vector and the status of any fix, along with links to further guidance on fixing or mitigating the risks.
Summary
There are a ton of things that can be done to provide security to your home network, but with ever increasing numbers of newly found exploits and vulnerabilities, nothing is 100% secure unless it is air-gapped completely from the internet (i.e. no network card or wifi, and all USB ports disabled). With the reliance on network connected information, that is not a very common situation. Though you can never be 100% certain all the time that your network is secure, you can take multiple steps to help keep up with the latest security information and make sure your system is as secure as possible.
Remember that anything running on an internet connected device poses some security risk. Our job is to mitigate these risks as well as possible without impeding our ability to get things accomplished. The only way to fully avoid risk is to power off any device that is not being used.