The world of enterprise solutions relies heavily on effective data management. Standard systems, which work great for small businesses, simply break down once you have thousands of moving components operating worldwide, if not hundreds of thousands. Maintaining unstructured data, particularly if your business operates on a global scale, isn't just a waste of resources; it's also a risk to your company.

Understanding how to properly organize and secure your information in a data warehouse on a Linux system can help you prevent cyberattacks from inside and outside your company while keeping your data safe. So, where do you get started? Let's begin by examining what a data warehouse is and what may put yours at risk. I'll then share practical measures for improving data warehouse security.

What is a Data Warehouse?

Data warehouses are one of the prime options for large enterprises to sort, secure, and silo their data so that it can quickly be processed, analyzed, and used for more in-depth insights and recommendations. This is because a data warehouse goes beyond simply structuring your most recent data; it provides a framework that allows you to store historical versions of documents alongside their modern counterparts.

They work by regularly transferring data from operational system databases like ERPs or CRMs, apps, social media, the Internet of Things, and more. This produces a history of the data you need for your business, allowing you to tackle current issues and better map trends as they change over the years.

Why Does Your Large-Scale System Need a Data Warehouse?

There are several reasons why building a data warehouse to structure and store your data should be the number one step when it comes to securing your data on Linux, especially when it comes to cloud-based warehouses:

- Historical documents are automatically sorted.
- Data is automatically duplicated and backed up on multiple servers.
- Centralized data is easier to keep track of and secure.
- Access controls are a breeze to implement.

What's Putting Your Data Warehouse at Risk?

Linux systems are known for their security and scalability. Thanks to the open-source nature of the system itself, which is constantly being updated and provides extensive user access control for businesses, you are right on track for securing your large datasets (and their historical versions). Before we get into the steps you can take to prevent data breaches on a Linux system, let's recap just what types of threats you're defending against:

- Data breaches: Unauthorized access to confidential data often leads to the exposure or theft of sensitive data, such as financial or personal information. Financial loss, reputational damage, and legal consequences are all possible outcomes.
- Ransomware: Ransomware is malicious software that encrypts a victim's files and demands payment for the key to decrypt them. Data loss, disruption of operations, and financial extortion are all possible consequences.
- SQL injection: SQL injection is a code injection technique that exploits vulnerabilities within a web application's database layer through malicious SQL queries. Its impacts include unauthorized data access and manipulation and potential database corruption.
- Insider threats: Insider threats are security risks that originate within an organization. They usually involve employees or contractors misusing their access to systems and data. Data breaches, intellectual property theft, and operational sabotage can be severe consequences of insider threats.
- DDoS attacks: Distributed denial-of-service attacks overwhelm a system, network, or service with internet traffic and make it unusable for legitimate users. Service downtime, user distrust, and financial losses are all possible consequences.

Implement These Key Methods to Boost Data Warehouse Security

You will next need to take proactive steps towards securing your data warehouse. This will further minimize the risk of cyberattacks or insider attacks harming your business.

Implement Robust Access Controls

The first step will always be to implement robust access controls. Think of these controls as keys to a building: users should only be able to open the rooms they need and no one else's. This prevents large-scale data breaches and potential insider attacks from interfering with your operations. To do this, you will need to define:

- Users and roles: Everyone who has access to your data warehouse must have a unique user identification, and each user must have a defined role (level of access).
- Permissions: You need to define and set more than just the level of access. You also need to set each user's permissions, which refer to what they can do with the data they can access. Examples of permissions include read-only, access, or edit.

Create Access Controls

You can create these access controls using Role-Based Access Control (RBAC), which works well for businesses employing hundreds or thousands of people. In this approach, each role is clearly defined beforehand, and the level of access is locked. You can also use services like OpenLDAP, which allows you to manage user accounts centrally, group those accounts, and create access control policies for your data warehouse. This approach simplifies your administration efforts and provides consistent access levels across your entire network.

Encrypt Data in Transit and at Rest

Data is at risk in transit (during a download or upload) and at rest (in your data warehouse). The best way to secure data in both situations is to encrypt it. This way, if someone intercepts the data at any stage, they will need the decryption key to make sense of the information. The open-source tools you will want to look at to accomplish this encryption include:

- LUKS: Linux Unified Key Setup (LUKS) provides full disk encryption if you store data on-site.
- SSL/TLS protocols: These protocols encrypt data as it is transferred over a network, which is essential when managing a cloud-based warehouse.
- PostgreSQL: If you are looking for a built-in encryption solution, PostgreSQL can encrypt your entire database or specific columns containing sensitive data.

Implement Top-Notch Network Security

Several security solutions must be standard to protect your Linux system and data warehouse.

Firewalls

Firewalls are the security guards that protect your entire network. They filter incoming traffic to block suspicious users and connections before they even have a chance to peek at your data. Thankfully, Linux has top-notch firewall options available, but you are likely to use one of the below:

- iptables: This is the built-in firewall option for Linux. While powerful, you will need a technical expert to fully configure your rules based on your needs.
- ufw (Uncomplicated Firewall): This is a user-friendly frontend for iptables, so if you need a simplified way to implement Linux's iptables firewall system, use this option.

Establishing rules beforehand is good practice when setting up your firewall. This can mean only allowing traffic from certain IP addresses or endpoints while blocking everything else. You can also filter services, allowing access through your firewall only to essential services such as database ports.

VPNs

Virtual Private Networks (VPNs) are essential for Linux administrators to secure remote access to data stores. VPNs create encrypted tunnels that ensure data is transmitted securely between users and data warehouses. Selecting a VPN that uses robust encryption algorithms like AES-256 and supports multi-factor authentication (MFA) is essential. These measures enhance security significantly by preventing eavesdropping and making unauthorized access unlikely even if login credentials have been compromised.

Administrators should also focus on network segmentation and monitoring. They should log VPN connections to detect any unusual activity. It is important to keep VPN software up to date with the latest security updates to minimize vulnerabilities. By implementing a robust VPN, Linux administrators can secure sensitive data, comply with regulatory requirements, and ensure business continuity via secure remote access. A well-managed VPN is essential to maintaining data warehouse security and integrity.

Intrusion Detection Systems (IDS)

Intrusion Detection Systems (IDSs) are essential to data warehouse security: they constantly monitor network traffic and system activities in real time for signs of malicious behavior, such as port scans, malware communications, or hacking attempts, and alert administrators immediately so they can respond swiftly. IDSs are available both network-based (NIDS), for monitoring network traffic, and host-based (HIDS), for individual devices. Administrators should regularly update signatures to recognize emerging threats and fine-tune rules to limit false positives so that alerts remain meaningful and actionable. IDSs also help meet regulatory compliance requirements by providing logs and reports on security incidents. They are indispensable tools for proactive threat detection, incident response, risk analysis and mitigation, and improved security and integrity of data warehouse operations.

Conduct Regular Penetration Tests and Security Audits

Penetration testing (pentesting) is an essential security practice that simulates cyberattacks to identify and exploit vulnerabilities within data warehouse environments, with the objective of uncovering security gaps before malicious actors exploit them. Effective pentesting requires in-depth knowledge of internal and external attack vectors, such as network security issues, application vulnerabilities, and configuration weaknesses. It involves both automated tools and manual techniques that mimic potential attack scenarios to assess your security posture.

Pentesting is essential to increasing data warehouse security because it gives administrators actionable insights into vulnerabilities and their potential impact. By addressing these vulnerabilities, they can implement targeted security measures to strengthen the warehouse further. In addition, regular pentesting helps administrators ensure compliance with regulatory standards and industry best practices, taking a proactive approach to risk management while increasing security awareness among IT teams and helping protect the integrity and confidentiality of data held in long-term storage within warehouses.

Use These Security Frameworks and Standards

There are several well-known Linux-friendly security frameworks and standards in which to invest. By building such a structured approach, you cover all your bases, ensure your business is protected by industry best practices, and reduce the risk of a cyberattack. Just a few of the frameworks and standards you should apply to your Linux system to protect your data include:

- ISO/IEC 27001: This international standard outlines best practices for security management. To properly secure your data, follow this framework's guidance.
- NIST Cybersecurity Framework (CSF): This framework provides a high-level structure for identifying, protecting against, detecting, and recovering from cyberattacks.
- CIS Benchmarks: This set of configuration recommendations for Linux helps ensure your data warehouse is securely configured.

Consider These Open-Source Security Tools

One of the prime reasons to invest in a Linux system is the sheer number of open-source tools that allow you to customize every element of your setup. When it comes to securing your data specifically, however, you'll want to look at these options:

- Security Information and Event Management (SIEM): A SIEM centralizes log data across all security measures, from firewalls to servers. It is used to identify security events and suspicious activity in real time.
- Endpoint Detection and Response (EDR): Endpoints, or devices, are a significant source of security exposure. EDR secures those endpoints and monitors suspicious activity to minimize threats.
- Network Security Monitoring (NSM): This tool analyzes network traffic to identify suspicious activity and potential threats.

Our Final Thoughts on Improving Data Warehouse Security

Unstructured data is a big red target on your back. Compiling all that information into a data warehouse allows you to use your data more intelligently while also making it easier to protect yourself with the array of Linux security and open-source solutions available. Implement the best practices discussed in this article and rest easy knowing your critical data is secure from tampering, theft, and compromise.

Brittany Day
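Returning to the firewall section of this article, the following shell script is an added example (not code from the article): it audits a host's listening TCP sockets against an allowlist of essential services and prints the ufw rules that expose only the database port to the application subnet. The listener sample, the allowlist, the subnets and the function names (unexpected_listeners, db_firewall_rules) are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the article: audit listening TCP sockets against an allowlist
# of essential services and generate ufw rules that expose only those services.
# The listener list below is constructed to mimic the local-address column of
# `ss -Hltn`; on a live host use:
#   ss -Hltn | awk '{print $4}' | unexpected_listeners "$ALLOWED_SERVICES"
# Hypothetical names: ALLOWED_SERVICES, SAMPLE_LISTENERS, unexpected_listeners, db_firewall_rules.

# Approved "port:service" pairs for a warehouse host (constructed allowlist).
ALLOWED_SERVICES="22:ssh 5432:postgresql"

# Constructed sample of local addresses a host might be listening on.
SAMPLE_LISTENERS="0.0.0.0:22
0.0.0.0:5432
127.0.0.1:9100
0.0.0.0:6379
0.0.0.0:8080
[::]:22"

# Read host:port addresses from stdin and print each non-loopback port that is not in
# the allowlist, one per line, sorted and de-duplicated.
unexpected_listeners() {
  allow="$1"
  while read -r addr; do
    [ -n "$addr" ] || continue
    port=${addr##*:}                 # text after the last ':' is the port
    host=${addr%:*}
    case "$host" in
      127.*|'[::1]') continue ;;     # bound to loopback only: not reachable remotely
    esac
    found=0
    for entry in $allow; do
      if [ "${entry%%:*}" = "$port" ]; then found=1; fi
    done
    if [ "$found" -eq 0 ]; then echo "$port"; fi
  done | LC_ALL=C sort -un
}

# Print ufw commands: deny all inbound by default, allow SSH only from the admin subnet
# and the database port only from the application subnet. Nothing is applied here;
# review the output, then run it with sudo on the warehouse host.
db_firewall_rules() {
  db_port="$1"; app_subnet="$2"; admin_subnet="$3"
  printf 'ufw default deny incoming\n'
  printf 'ufw default allow outgoing\n'
  printf 'ufw allow from %s to any port 22 proto tcp\n' "$admin_subnet"
  printf 'ufw allow from %s to any port %s proto tcp\n' "$app_subnet" "$db_port"
  printf 'ufw enable\n'
}

# Stand-alone run: ports exposed without approval, then the rules to apply.
echo "Listening ports not in the allowlist:"
echo "$SAMPLE_LISTENERS" | unexpected_listeners "$ALLOWED_SERVICES"
echo
echo "Proposed ufw rules:"
db_firewall_rules 5432 10.10.20.0/24 10.10.1.0/24
```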
As cyber threats rapidly advance, Linux administrators and InfoSec professionals are essential defenders against increasingly sophisticated threats. As protectors of critical infrastructure and sensitive data, these experts must implement a wide array of security practices designed specifically for their unique challenges. Drawing upon knowledge shared at LinuxSecurity.com, this article discusses advanced Linux security practices designed to ward off today's most dangerous cyber risks.

Why Is Staying Informed the Bedrock of Linux Security?

Knowledge is power in cybersecurity; knowledge is protection. Linux professionals prioritize keeping abreast of threats, vulnerabilities, and security trends. For this reason, LinuxSecurity.com is an indispensable source of up-to-date information, offering insights to identify and address potential breaches preemptively. Senior administrators should go beyond passive news consumption; they should actively engage in security forums, subscribe to threat intelligence feeds, and connect with the broader cybersecurity community. Platforms such as CVE and NIST provide extensive databases of vulnerabilities and exposures paired with automated alert systems, providing real-time threat intelligence essential for early detection and response.

Patch Management: Beyond the Basics

Advanced Linux administrators understand that effective patch management requires a different approach than simply applying updates automatically; they consider their systems' individual needs and configurations when choosing a strategy. An effective patch management protocol begins with prioritization. Administrators can assess vulnerabilities using the Common Vulnerability Scoring System (CVSS) and then prioritize patches based on potential impact and severity. While automation tools may assist, human oversight is always required to ensure patches do not disrupt critical operations or introduce new vulnerabilities.
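To make the CVSS-based prioritization concrete, here is an added shell example (not from the article) that ranks a constructed list of pending advisories by CVSS base score, tags each with its CVSS v3 qualitative rating, and lists what must be patched in the current window. The advisory lines, the placeholder CVE ids and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the article: rank pending security advisories by CVSS base
# score so the most severe fixes are scheduled first. The advisory list is constructed
# for this example and the CVE ids are placeholders; in practice the input would come
# from your distribution's security feed or a scanner export.
# Hypothetical names: SAMPLE_ADVISORIES, cvss_severity, prioritize_patches, packages_at_or_above.

# Constructed input, one advisory per line: package  cve-id  cvss-base-score
SAMPLE_ADVISORIES="openssl CVE-0000-0001 9.8
bash CVE-0000-0002 4.3
postgresql CVE-0000-0003 7.5
sudo CVE-0000-0004 7.5
vim CVE-0000-0005 2.1
kernel CVE-0000-0006 9.1"

# Map a CVSS v3.x base score to its qualitative rating, using the ranges from the CVSS
# v3 specification: 9.0-10.0 Critical, 7.0-8.9 High, 4.0-6.9 Medium, 0.1-3.9 Low.
cvss_severity() {
  awk -v s="$1" 'BEGIN {
    if (s >= 9.0)      r = "CRITICAL";
    else if (s >= 7.0) r = "HIGH";
    else if (s >= 4.0) r = "MEDIUM";
    else if (s > 0.0)  r = "LOW";
    else               r = "NONE";
    print r }'
}

# Read advisories from stdin and print them highest score first (ties broken by package
# name so the order is reproducible), each line prefixed with its rating.
prioritize_patches() {
  LC_ALL=C sort -k3,3nr -k1,1 | while read -r pkg cve score; do
    [ -n "$pkg" ] || continue
    printf '%-8s %-4s %s %s\n' "$(cvss_severity "$score")" "$score" "$cve" "$pkg"
  done
}

# Print, sorted, the packages whose score meets a threshold: the current patch window.
packages_at_or_above() {
  awk -v t="$1" '$3 >= t { print $1 }' | LC_ALL=C sort
}

# Stand-alone run. The ordering is a triage aid: an administrator still reviews each
# patch for operational impact before rolling it out.
echo "$SAMPLE_ADVISORIES" | prioritize_patches
echo
echo "Patch in this window (CVSS >= 7.0):"
echo "$SAMPLE_ADVISORIES" | packages_at_or_above 7.0
```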
How Is SELinux a Mighty Fortification for Linux Systems?

Security-Enhanced Linux (SELinux) is a highly effective weapon in the Linux security arsenal, but its complexity often deters wider adoption. Yet SELinux offers unparalleled granularity of access control for experienced professionals who need precise control over who has access to what on their systems. Crafting custom SELinux policies requires in-depth knowledge of one's network architecture and threat model, but audit2allow can assist by analyzing log files to generate policy modules that reflect actual system usage while restricting any unauthorized actions.

Why Is Authentication the First Line of Defense?

Robust authentication mechanisms are integral to protecting Linux systems from unauthorized access, yet many organizations depend on password policies as their only protection. Advanced administrators should look beyond simple password policies by adopting SSH key-based authentication and multi-factor authentication (MFA), and by investigating Pluggable Authentication Modules (PAM) for enhanced control over access to systems. MFA adds another level of protection by requiring a second form of verification beyond a password or key, such as a hardware token or a mobile app-generated code, in high-security environments. That additional layer of defense can be the difference between an impenetrable system and a compromised one.

Why Is Continuous Education and Training Essential?

Human factors in cybersecurity can often be the source of instability. Offering regular, up-to-date training to users and administrators on password hygiene and phishing awareness, as well as more advanced topics such as secure coding practices, social engineering tactics, and how to respond in case of a suspected breach, can drastically decrease the risk of security breaches. Senior Linux administrators can lead by example and champion a culture of security vigilance while constantly honing their skills to stay ahead of emerging threats.

What Is the Importance of Service Hardening and Attack Surface Reduction?

Service hardening refers to configuring system services and applications to reduce vulnerabilities while restricting unnecessary functionality. For Linux administrators, this usually means running regular audits of running services, disabling or terminating unnecessary ones, and using tools like systemd-analyze security to analyze potential service exposure in depth. Reducing the attack surface requires implementing network segmentation, strict firewall policies, and least-privilege models for system access. Each measure makes it harder for attackers to gain entry and move laterally across networks.

How Does Data Encryption Protect Data at Rest and in Transit?

Securing sensitive data at rest and in transit is an essential security practice in an age when data breaches can have devastating repercussions. Tools like GnuPG offer end-to-end file encryption, while Linux Unified Key Setup (LUKS) offers robust disk encryption. Transport Layer Security (TLS) encrypts data in transit between servers and clients, thus protecting against eavesdropping and man-in-the-middle attacks. Linux administrators should use only robust, modern cryptographic protocols and review them regularly to ensure compliance.

Why Is Automating Security and Compliance Beneficial?

Manual security audits and compliance checks can be time-consuming and potentially inaccurate in complex environments. Automation tools like OpenSCAP offer a solution by continuously evaluating systems against established baselines and producing reports with remediation scripts to address any issues found. Integrating security testing tools into the CI/CD pipeline enables continuous security analysis, helping ensure new code deployments do not introduce vulnerabilities into production environments.

Why Should Admins and Organizations Adopt a DevSecOps Culture?

The DevSecOps movement advocates integrating security practices throughout the software development lifecycle. For Linux administrators, this means working closely with development teams to ensure security considerations remain paramount from inception through deployment. Infrastructure as Code (IaC) tools like Ansible, Terraform, and Kubernetes are essential. They enable security policies and configurations to be codified in version control alongside application code, giving consistency, repeatability, and auditability of security configurations across environments.

Our Final Thoughts on the Importance of Implementing Advanced Linux Security Practices

Mastering advanced Linux security requires an integrated approach that combines technical know-how, strategic planning, and constant monitoring. By adopting advanced practices like those found at LinuxSecurity.com and taking advantage of resources like these, Linux administrators and InfoSec professionals can drastically enhance their organization's cybersecurity posture.

Dave Wreski
If you've thought about becoming a professional Linux administrator but you're not sure where to start, this article is for you. In it, we'll explore some of the most important skills expected of someone working in the role. Many of them you'll already be familiar with, but some may surprise you. Much of our focus will be on cybersecurity and how to make sure you're ready to deal with security issues from day one. We'll also cover what sort of administrator skills you'll need and look at what to include in your resume to give you the best chance of success.

What Is a Linux Administrator?

The typical Linux administrator's contract won't necessarily specify every aspect of the job description. That's because the role involves being a jack-of-all-trades, and every day is different. Broadly speaking, you'll be responsible for overseeing every element of both hardware and software management, not only for physical but also for virtual systems. On a day-to-day basis, that can mean sundry tasks like backups, building new systems, maintenance, and configuring and installing new applications. On occasion, it will mean disaster recovery, which is not always the most fun day. One area that is absolutely crucial is network security. Any Linux sysadmin worth the name will have a broad technical knowledge of the subject.

What Linux Administrators Should Know about Security

If you're thinking about embarking on cybersecurity training for Linux systems, here are the fundamentals you should make sure are covered:

Creating a good firewall policy

Familiarity with Netfilter front ends like ufw and firewalld is a good start. To have a full grounding in network-wide firewall implementation, though, you should be looking to acquire a solid understanding of both the iptables ruleset and nftables (which uses the nft command line tool). Even though nftables has superseded iptables to a certain extent, you'll still come across many iptables-protected networks in the real world, so it's vital that you be able to work with them.

Securing your Linux server

Besides implementing an effective firewall, there are many other ways of securing your server, and you should be aware of all of them. Some of these are standard practice across the cybersecurity field, e.g. good password hygiene, configuring 2FA, and antivirus protection. But some are more Linux-specific. For instance, it's important to disable root login on a business server, because those elevated administrative permissions can give cybercriminals a way in.

Being able to use SELinux

Security-Enhanced Linux (SELinux) implements a Mandatory Access Control permission system in the Linux kernel. It was designed to protect against unauthorized use and is an integral part of every experienced Linux sysadmin's toolkit. The SELinux status can be disabled, permissive, or enforcing (which you can think of as off, watching but not acting, and watching and actively protecting, respectively). Make sure you can use the getenforce command and the sestatus utility to find the system's current status.

Intrusion detection and prevention

There are many Intrusion Prevention Systems (IPS) available whose primary function is to monitor network traffic and stop attacks. These have largely replaced the earlier Intrusion Detection Systems (IDS), which detected intrusions and sent an alert to the sysadmin but didn't actually do anything else. Not very helpful. You'll need a thorough knowledge of how to set up tools like OSSEC, Tripwire and fail2ban so that protection is set at the appropriate level.

Configuring data encryption

There are two approaches to data encryption with Linux: full-disk encryption, which encrypts the block device before it is mounted on the system, and file-based encryption, which encrypts only a file or folder using native filesystem features. For networks, you'll usually be using full-disk encryption, so you should be aware of your options for implementing block device encryption. You can use LUKS (Linux Unified Key Setup) encryption in all modern installers.

Using Pluggable Authentication Modules (PAM)

It's worth learning about PAM configuration files early on, so you land on your feet when dealing with advanced authentication and security considerations. Rather than having to write new authentication checks for each authentication method used by an app, PAM allows a separate, specialized authentication procedure to be used, whether the user is being authenticated via a security certificate, a biometric protocol like fingerprint identification, and so on.

Configuring Linux system auditing

A vital weapon in the sysadmin's security armory is the audit daemon (auditd). It generates log entries recording what's happening on the network, which helps you track potential security violations. It's important to know how to define audit rules, search the logs, and create reports from the data provided. This helps you get to know your system much better and assists in improving your security protocols.

Knowing your vulnerability scanning tools

Every system has its security flaws, and a crucial part of your role will be finding them before an attacker does. Luckily, there are many vulnerability scanning tools to choose from. At the very least, you should be familiar with OpenVAS, Archery and Lynis. Other excellent tools include Prowler (vuln), Safety, and salt-scanner.

Being familiar with container security

Because containers are so easy to implement, portable, and simple to configure, you're likely to use them often. They do share the host system's kernel, though, which can become a potential attack vector, so it's prudent to consider security on your Linux containers. Some angles of approach include employing user namespaces, SELinux MAC, restricting syscalls, and setting resource limits.
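For the auditd section above, here is an added shell example (not from the article) that emits audit rules tagging writes to a sensitive data directory and root command executions with searchable keys, then summarizes constructed audit log lines per key and login uid and flags actors outside an approved list. The /srv/warehouse path, the sample records and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the article: emit auditd rules that tag writes to a sensitive
# data directory and root-level command execution with searchable keys, then summarize
# matching audit records and flag unexpected actors. The log lines are constructed to
# mimic auditd's record format and are not real events; /srv/warehouse is a placeholder.
# Hypothetical names: audit_rules_for, summarize_audit_keys, unexpected_actors, SAMPLE_AUDIT_LOG.

# Print rules in /etc/audit/rules.d syntax: watch the directory for writes and attribute
# changes, watch sudoers, and log every execve run as root by a logged-in user (auid set).
# The -k keys let `ausearch -k <key>` and `aureport -k` pull these records back out.
audit_rules_for() {
  dir="$1"; key="$2"
  printf '%s\n' "-w $dir -p wa -k $key"
  printf '%s\n' "-w /etc/sudoers -p wa -k ${key}-priv"
  printf '%s\n' "-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=unset -k ${key}-rootcmd"
}

# Constructed sample records (fields trimmed to those the summary uses).
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1700000000.123:501): arch=c000003e syscall=257 success=yes auid=1001 uid=1001 comm="vim" exe="/usr/bin/vim" key="warehouse"
type=SYSCALL msg=audit(1700000001.456:502): arch=c000003e syscall=59 success=yes auid=1002 uid=0 comm="cp" exe="/usr/bin/cp" key="warehouse-rootcmd"
type=PATH msg=audit(1700000001.456:502): item=0 name="/srv/warehouse/export.csv" mode=0100640
type=SYSCALL msg=audit(1700000002.789:503): arch=c000003e syscall=87 success=yes auid=1001 uid=1001 comm="rm" exe="/usr/bin/rm" key="warehouse"
type=SYSCALL msg=audit(1700000003.012:504): arch=c000003e syscall=257 success=no auid=1003 uid=1003 comm="cat" exe="/usr/bin/cat" key="warehouse"'

# Read audit records from stdin; print "key auid count" for every key/login-uid pair.
# auid is the login uid, which survives sudo and su, so it names the real person.
summarize_audit_keys() {
  awk '{
    auid = ""; key = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^auid=/) auid = substr($i, 6)
      else if ($i ~ /^key=/) { key = substr($i, 5); gsub(/"/, "", key) }
    }
    if (key != "" && auid != "") count[key " " auid]++
  }
  END { for (k in count) print k, count[k] }' | LC_ALL=C sort
}

# Print "auid count" for login uids that touched records under KEY but are not in the
# space-separated ALLOWED list: the starting point for an insider-activity review.
unexpected_actors() {
  key="$1"; allowed="$2"
  summarize_audit_keys | while read -r k auid n; do
    [ "$k" = "$key" ] || continue
    case " $allowed " in
      *" $auid "*) ;;
      *) echo "$auid $n" ;;
    esac
  done
}

# Stand-alone run.
echo "Rules for /srv/warehouse:"
audit_rules_for /srv/warehouse warehouse
echo
echo "Events per key and login uid:"
echo "$SAMPLE_AUDIT_LOG" | summarize_audit_keys
echo
echo "Actors touching the warehouse who are not on the approved list (1001):"
echo "$SAMPLE_AUDIT_LOG" | unexpected_actors warehouse "1001"
```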
Conducting penetration testing

The open-source nature of Linux means that the kinds of tools available for penetration testing are also often the same ones used by hackers themselves. So there's really no excuse not to be prepared for a realistic attack scenario. Make sure you know all about the most common pentesting tools so you can use them fluently. These include Kali Linux, BackBox, Parrot Security OS, and BlackArch.

Knowing your open-source SIEM tools

SIEM (Security Information and Event Management) describes a security and auditing system that comprises a number of different analysis and monitoring elements. There are all-rounder solutions available (e.g. LogRhythm, QRadar, ArcSight), but they are expensive, so knowing what's available in terms of open-source equivalents is a good idea. You'll find you need to use several, as they all tend to have different strengths and weaknesses.

Upping your overall Linux cybersecurity skills

To sum up, there are a few areas you should be focusing on when brushing up your cybersecurity skills. Broadly speaking, you can divide these into the following:

- System and network administration.
- Knowledge of regular expressions.
- Strong facility with SELinux and AppArmor.
- In-depth knowledge of open-source security tools.
- Bash scripting.

Important Linux Administrator Skills that Should Be Included on Your Resume

Feeling confident? Ready to fire up that online electronic signature software and sign your new contract? Hold on there just one minute; you haven't got the job yet. Let's take a look at the kinds of skills you'll be expected to demonstrate to secure and shine at an interview. The most vital are:

- A clear understanding of OWASP: a good familiarity with the Open Web Application Security Project (OWASP) is fundamental to operating in this sector.
- Cloud computing skills: Cloud Ops are key in today's workplace. Make sure you understand cloud architecture and migration, as well as how hybrid cloud environments work.
- Cybersecurity skills: these should include mitigation using Linux hacking software, as well as monitoring and prevention of possible DDoS attacks. Knowledge of APT (Advanced Package Tool) will also be useful.
- System monitoring and administration: VMware, MySQL, Python, and RHEL skills.

Security Training and Certifications to Add to Your Linux Resume

Knowing your stuff is one thing; being able to prove it is quite another. Consider certification. The most commonly requested certifications at the moment are:

- CISSP - Certified Information Systems Security Professional
- CISA - Cybersecurity and Infrastructure Security Agency
- CEH - Certified Ethical Hacker

Why Making a Good Resume Can Help You Stand Out from the Rest as a Linux Administrator

It's a competitive industry, and everyone needs an edge. Take the time to focus on sharpening up your resume so it really packs a punch. Remember the golden rule: tailor your resume to the role in question. Generic resumes tend to lack the kind of sparkle recruiters are looking for. It's also vital to maximize your prospects by focusing on your strengths. If you're relatively young, you may lack experience in the industry, so play up your qualifications and any hands-on projects you've succeeded with. On the other hand, more experienced candidates may need to focus on proving that they're up to date with the latest developments in the sector.

Ready, Set, Go!

Being a Linux administrator is hugely rewarding. Sure, it's a role full of challenges, and some days are harder than others. But you'll never be bored, and if you have a true passion for Linux, there's a job out there for you. So get yourself ready, make sure you're all set, and yes, soon enough you'll be breaking out that contract generator software and hitting the ground running on your first day. Good luck!

Brittany Day
Data encryption has never been more important. New data protection and privacy regulations, such as GDPR, mean that companies storing unencrypted customer information are vulnerable to paying heavy fines. The public is now more aware of the importance of encryption, with massive data breaches impacting companies like Facebook receiving major media coverage. . With these issues in mind, it’s only natural that many of us want to start encrypting our sensitive data – both at work and at home. But how exactly should you go about it? This blog aims to answer that question by showing Linux users how to install and set up encryption on their systems. How to Protect Your Hard Drive from Physical Threats The good news for Linux users is that most popular Linux distributions offer an option to activate encryption during setup. The encryption built into these Linux distros is called partition encryption, and below we’ll take a closer look at some benefits of this type of encryption. Partition encryption, along with disk encryption, is one of two major types of data encryption. The main difference between the two is: Disk encryption protects the entire drive. Partition encryption targets a section of a physical drive which has been defined as a separate partition. If a single partition occupies an entire hard drive, then partition encryption is equal to disk encryption. Yet a hard drive might also have multiple partitions – where partition encryption can naturally encrypt the whole hard drive. The added sophistication of partition encryption makes it the safer and more secure way to protect data on your PC. One reason for this is that less of your data is exposed when the system is running. Another factor is that partition encryption offers more rigorous security, with each partition capable of having its own unique encryption keys and passwords. 
How to Enable Partition Encryption

Now that you know a bit more about partition encryption, let’s go into more detail on how to set it up on your computer. Below we have provided step-by-step instructions on how to enable partition encryption on two of the most popular Linux distributions: Fedora and Ubuntu.

Fedora 32

Step 1: At the ‘Installation Destination’ step of the setup wizard, select the drive where you want to install Fedora. Check the ‘Encrypt my data’ box in the lower left corner.
Step 2: Set a strong encryption password.
Step 3: Wait for installation to complete. You’ll need to enter the password you’ve chosen every time you start up your computer.

Ubuntu 20

Step 1: At the ‘Installation type’ step of the setup wizard, make sure ‘Erase disk and install Ubuntu’ is selected, then click on ‘Advanced features...’.
Step 2: Select ‘Use LVM with the new Ubuntu installation’ in the pop-up dialog. Check the ‘Encrypt the new Ubuntu installation for security’ box. Click ‘OK’.
Step 3: You’ll see that ‘LVM and encryption selected’ has now appeared next to ‘Advanced features…’. Click ‘Install Now’ to proceed.
Step 4: Set a strong encryption password. Enter your password (‘security key’ in Ubuntu) twice and proceed with installation.
Step 5: Wait for installation to complete. You’ll need to enter the password you’ve chosen every time you start up your computer.

Good Start, but Not Enough for Complete Endpoint Data Protection

If you want to protect your sensitive information in the event that your computer is lost or stolen, then partition encryption (free with most Linux distributions) is a great solution. However, partition encryption cannot keep data safe while your computer is turned on and the partition is unlocked, when data is stored in the cloud, or when data is being sent to others. Linux users who are concerned about this may want to look into securing their data with file encryption or container encryption in addition to partition encryption.
Stay Secure by Encrypting Your Files

To protect data on your active computer, sensitive files and folders need to be encrypted with an added layer. You can keep your data safe by using either file encryption or container encryption. With file encryption, you turn single files into locked, encrypted versions of themselves; access is then granted after entering the correct password for each individual file. Container encryption, on the other hand, involves creating a secure virtual drive that can hold many encrypted files at once.

When it comes to security and efficiency, container encryption is the superior choice. Using container encryption means you don’t need to keep track of many different passwords in something like a ‘password book’ - which can itself be a security risk. Instead, you only need to remember one password to access each container.

How to Create an Encrypted Container to Secure Files

To benefit from this added layer of protection, take a look at the step-by-step instructions below on how to get started with container encryption. We have used BestCrypt Container Encryption as an example.

Step 1: Create an Encrypted Container

To get started, download BestCrypt Container Encryption. The software is also available as a free trial. Open ‘Applications’, select ‘All’, and launch BestCrypt Container Encryption. Click ‘Create new container’ in the window that opens. Create a container by choosing a password, then click ‘Create’. Customize the name, size, and container description (optional).

Step 2: Create and Copy Files to the Container

Once the container is created, the virtual folder will open automatically. Place files in the container by dragging and dropping them into the folder. You can also create encrypted files within the container in the same way you would create them normally.

Step 3: Work with Your Secure Files

You’ll see your encrypted containers as files with the JBC extension.
You can work with your encrypted files while the container is mounted (open). To access the container, you’ll need to enter the password you created previously. Eject (close) the container as soon as you are done working with your files; this step is essential to ensure the protection of your sensitive data. Copy, move, upload, and back up encrypted containers to the cloud just as you would any other file. Safely send your containers over the Internet and open them on any Linux, Mac, Windows, or Android device.

Congratulations! You have now set up a robust encryption solution on your Linux system. However, it’s worth keeping in mind that using encryption on its own still leaves the possibility that your sensitive data could be recovered by a third party from the unencrypted originals. You can make sure this doesn’t happen by erasing the traces of information left behind after you copy files to an encrypted container. Happy encrypting!

About the Author

Michael Waksman has been serving as CEO of Jetico since 2011, more than doubling the size of the company during his tenure. He brings over 15 years of communications, technology and leadership experience. At Jetico, Waksman has led the creation of the corporate identity, raising global brand awareness, building a more commercially-driven team and initiating enterprise customer relations. Jetico has maintained a wide user base throughout the U.S. Defense community, in the compliance market and for personal privacy. Waksman is vice-chairman of the Cyber Group for the Association of Finnish Defense and Aerospace Industries. Recognized as a security and privacy advocate, he is a frequent speaker at international events, occasionally on behalf of the Finnish cyber security industry. In 2012, Waksman was honored with The Security Network's Chairman's Award for fostering collaboration between the United States and Finland. A native New Yorker, he has been living in southern Finland for over 10 years.
Brittany Day
On Wednesday, May 12th, in the wake of the recent Colonial Pipeline ransomware attack that shut down one of the largest US pipelines for nearly a week, President Biden signed an executive order placing strict new standards on the cybersecurity of all software sold to the federal government. This order is part of a broad, multi-layered initiative to improve national security by incentivizing private companies to practice better cybersecurity or risk being locked out of federal contracts.

For the first time, the United States will require all software purchased by the federal government to meet, within six months, a series of new cybersecurity standards. Although companies would have to “self-certify”, violators would be removed from federal procurement lists, which could kill their chances of selling their products on the commercial market. The new order also requires all federal agencies to encrypt data, both at rest and in transit.

This order addresses a disconcerting trend: cyberattacks - the vast majority of which are email-borne - are rapidly becoming more sophisticated, prevalent and far-reaching than ever before. Many of these attacks target critical infrastructure - a point most recently highlighted by the Colonial Pipeline ransomware outbreak. Over the past year, approximately 2,400 ransomware attacks have hit corporate, local and federal offices.

Biden’s new executive cybersecurity order recognizes the critical importance of Open Source in securing the software supply chain, stating that the government must ensure "to the extent practicable, to the integrity and provenance of open-source software used within any portion of a product." It is not surprising that the order specifically addresses open-source security. After all, according to open-source company Tidelift, 92% of applications contain open-source components.
Luckily, the open-source community itself is already combating this issue with the Software Package Data Exchange (SPDX), which aims to enable software transparency through a Software Bill of Materials (SBOM) - a formal record containing the details and supply chain relationships of the components used in building software - that already meets the executive order's requirements. In addition, The Linux Foundation’s Open Source Security Foundation (OpenSSF) has been working to secure open-source software and its components through its mission of “collaboration to secure the open-source ecosystem”. The Linux Foundation also recently announced a new open-source software signing service, the sigstore project, which seeks to improve software supply chain security by enabling the easy adoption of cryptographic software signing backed by transparency log technologies. Besides sigstore, the Linux Foundation oversees multiple projects designed to maintain trusted source code supply chains, including in-toto, The Update Framework (TUF) and OpenChain (ISO 5230). The open-source community is also addressing the order’s call for the encryption of data at rest and in transit with the renowned open-source project Let's Encrypt, the world's largest certificate authority for TLS certificates.

The bottom line is that Open Source shows significant promise in meeting today’s and tomorrow’s most significant cybersecurity challenges. It has become clearly apparent that cybersecurity needs to be a top priority - not just for the federal government, but for everyone. David A. Wheeler, the Linux Foundation's Director of Open Source Supply Chain Security, emphasizes the importance of community involvement in securing the open-source supply chain: "We couldn't do this without the many contributions of time, money, and other resources from numerous companies and individuals; we gratefully thank them all.
We are always delighted to work with anyone to improve the development and deployment of open-source software."

I’m pleased to see this type of legislation put into place. Cybersecurity and data privacy are serious, universal concerns that must be addressed individually by businesses, as well as at the national level. This order offers vendors a great enough incentive that it is hard to imagine they would choose not to comply. While there is no silver bullet, it is encouraging to see that the open-source community is well on its way to meeting this order’s critical demands.

Brittany Day
A new and particularly troublesome ransomware variant has been identified in the wild. Dubbed NextCry, this nasty strain of ransomware encrypts data on NextCloud Linux servers and has managed to evade detection by public scanning platforms and antivirus engines. To make matters worse, there is currently no free decryption tool available for victims.

Ransomware hunter and creator of ID Ransomware Michael Gillespie notes that NextCry, which is a Python script compiled into a Linux ELF binary using pyInstaller, oddly uses Base64 to encode file names as well as the content of files that have already been encrypted. Gillespie has also confirmed that NextCry encrypts data using the AES algorithm with a 256-bit key. The ransom note that NextCry victims receive is titled “READ_FOR_DECRYPT”, and demands 0.025 BTC for a victim’s files to be unlocked.

One NextCloud user, xact64, shared his experience with the malware on a Bleeping Computer forum in an effort to find a way to decrypt personal files that had been locked almost instantly in a NextCry attack: “I realized immediately that my server got hacked and those files got encrypted. The first thing I did was pull the server to limit the damage that was being done (only 50% of my files got encrypted).” He added, “I have my own Linux server (an old thin client I gave a second life) with NGINX reverse-proxy”.

This statement provides insight into how attackers may have been able to access his system. On October 24, NextCloud disclosed a remote code execution vulnerability (CVE-2019-11043) which has been exploited to compromise servers with the default Nextcloud NGINX configuration. NextCloud recommends that administrators upgrade their PHP packages and NGINX configuration file to the latest version to protect against NextCry attacks.
How to Protect Your Linux System from Ransomware

In addition to upgrading to the latest version of PHP and NGINX, here is a list of best practices that administrators and users should implement to protect their Linux systems from NextCry and other emerging ransomware variants:

Update your system frequently. Set up automatic updates whenever possible. Track security advisories and apply software patches as soon as they are released.
Create backups on a regular basis. This won’t prevent a ransomware attack, but it can reduce the devastation caused by one. Be aware that backups are not foolproof: ransomware may sit idle for weeks until it is triggered, potentially destroying backups taken in the meantime.
Ransomware often arrives via email, and ransomware emails can be very difficult to identify. Having a well-designed, multi-layered email security gateway in place that detects malicious emails (such as those containing ransomware) and prevents them from reaching the inbox can significantly decrease your risk of suffering a ransomware attack.

Have you or somebody you know experienced a NextCry attack? Please reach out to us and share your story.

Brittany Day
Introduction

Businesses, schools, and home users need more secure network services now more than ever. As online business increases, more people continue to access critical company information over insecure networks. Companies are using the Internet as a primary means to communicate with travelling employees at home and abroad, to send documents to field offices around the world, and to send unencrypted email; this traffic can contain a wealth of information that a malicious person could intercept and sell or give to a rival company. Good security policies for both users and network administrators can help to minimize the problems associated with a malicious person intercepting or stealing critical information within their organization. This paper will discuss using Secure Shell (SSH) and MindTerm to secure organizational communication across the Internet.

Home users and business travelers are accessing company resources and sending sensitive data over insecure networks. This opens up a whole new area of security issues for system administrators (Securing the home office sensible and securely), especially since the number of corporate users working from home with high-speed access is expected to "more than double from 24 million in 2000 to 55 million by 2005" (Broadband Access to Increase in Workplace). The number of airports and hotels offering Internet access, especially high-speed access, is increasing and is expected to keep growing (Broadband Moving On Up). This can also leave a door wide open for a malicious person to hijack or view a traveller's Internet traffic and gain access to their company's systems. The malicious person may not be interested in the work the employee is doing, but may simply want access to a high-speed server to launch attacks, store files, or for other uses.
Business people are at particularly high risk because they don't know who is monitoring their Internet connection in the hotel, the airport, or anywhere else in their travels. Users of the new high-speed connections are usually not taught proper security practices, and some companies don't have the staff to help home users and business travelers set up secure communication. Individual users and, surprisingly, some companies have a mentality of "I don't have anything people want". This is very disturbing considering the amount of sensitive information that travels across the Internet from employees' homes or from travelers. What's more disturbing is the availability of free software to perform these kinds of attacks and the software's ease of use. Dsniff (https://www.monkey.org/~dugsong/dsniff/) is a freely available program with utilities that allow anyone with a networked computer to hijack a local network, monitor what others are doing, and grab passwords and other sensitive data. In his book Secrets and Lies: Digital Security in a Networked World, Bruce Schneier states that technique propagation is one of the main threats to network security: "The Internet is...a perfect medium for propagating successful attack tools. Only the first attacker has to be skilled; everyone else can use his software" (Schneier).

The purpose of this paper is not to explain how to secure computers but how to set up virtual tunnels to perform secure communication, whether sending documents or sending email. Business travelers should read Jim Purcell, Frank Reid, and Aaron Weissenfluh's articles on travel security (https://www.sans.org/white-papers). Home users with high-speed access should read Ted Tang's article (https://www.sans.org/white-papers) for information on how to secure computers with high-speed access. I'd also recommend the many resources available on www.sans.org for tutorials on how to secure your computers and servers.
The way to ensure that sensitive data is transmitted securely and quickly is to use encrypted methods of data delivery. This can be by way of encrypted email, secure web-based email services, or encrypted tunnels between two computers. Also, the software used needs to be easy to set up and reliable, so that inexperienced users can quickly establish secure communication channels. Tatu Ylönen's Secure Shell (www.ssh.com) and MindBright Technology's MindTerm are a quick, easy-to-use, and reliable solution for securing communication over the Internet.

SSH and MindTerm

SSH (Secure Shell) is a secure replacement for remote login and file transfer programs like telnet, rsh, and ftp, which transmit data in clear, human-readable text. SSH uses public-key authentication to establish an encrypted and secure connection from the user's machine to the remote machine. Once the secure connection is established, the username, password, and all other data are sent over it. You can read more about how ssh works, the algorithms it uses, and the protocols it implements to maintain a high level of security and trust at the ssh website: www.ssh.com. The OpenBSD team has created a free alternative called OpenSSH, available at https://www.openssh.org/. It maintains the high security standards of the OpenBSD team and the IETF specifications for Secure Shell (see the Secure Shell IETF drafts), except that it uses free public domain algorithms.

SSH is becoming a standard for remote login administration. It has become so popular that there are many ports of ssh to various platforms, and there are free clients available to log in to an ssh server from many platforms as well. See linuxmafia for a list of clients; it also has an excellent two-part article on ssh with links to ports for different platforms.
There are also programs that use an ssh utility called Secure Copy (scp) in the background to provide the same functionality as a full ftp client, like WinSCP and the Java SSH/SCP Client, which has a modified scp interface for MindTerm. Please read the licenses carefully to determine whether you are legally allowed to download ssh in your country. SSH is free for academic institutions. Please read the licenses available at the ssh.com website.

MindTerm is an ssh client written entirely in Java by MindBright Technology. One of the key practices in developing security software is proper implementation of the underlying algorithms and protocols. MindBright Technology has implemented the ssh protocol very well in this small application file. It is a self-contained archive that only needs to be unzipped into a directory of your choice, and it is ready to be used. It can be used as a standalone program, as a web page applet, or both. It is available for download from MindBright's website.

MindTerm is an excellent and inexpensive client for securing communication between a local and a remote location. The MindTerm program at the download address above is free for non-commercial and academic use; commercial use is available on a case-by-case basis. However, the modified version by the ISNetworks (https://isnetworks.net/) team "is based on the MindTerm 1.21 codebase, which MindBright released under the GPL [General Public License]. Since our version is released under the GPL you can use it commercially for free" (Eckels). ISNetworks' implementation has all the features of MindBright's MindTerm, plus a nicer scp interface for more user-friendly file transfers.

MindTerm does have one drawback: it doesn't support UDP tunneling. To secure UDP traffic, a program called Zebedee will work nicely. Zebedee's server and client programs are available for Windows and Linux, and it is freely distributed under the GPL as well.
You can connect to either Windows or Linux machines using Zebedee.

MindTerm will not check whether your system is secure. It is up to administrators and users to take care of securing the computer systems. MindTerm is easy to deploy and very effective at maintaining the high level of security implemented in the ssh protocol. This paper will show how easy it is to set up and establish secure communication channels for almost any user, and by almost any user. Documents, email, and other data can be easily and securely sent to users a few feet away or around the world.

How SSH and MindTerm work together

SSH and MindTerm work together using a technique called port forwarding. Port forwarding is forwarding traffic from a given port on one host to another host and port. In other words, the MindTerm application opens a port on the client's (local) machine, and any connection to that local port is forwarded over the encrypted ssh session to the remote host and its listening port. Whether the connection is accepted depends on the type of request you are sending to the remote host. For example, you wouldn't forward POP requests to a remote host listening on port 21, because port 21 is reserved for ftp requests. Port forwarding is also used to allow connections to a server that is behind a firewall and/or has a private IP address. Essentially this creates a Virtual Private Network (VPN). A VPN is "a private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures" (https://www.techtarget.com/whatis/). Port forwarding can only be done with TCP services.

Software installation

In order to follow along with this tutorial you will have to install a few packages. This tutorial assumes you have ssh already installed on your server or workstation.
If not, you can read the documentation that comes with the ssh or OpenSSH package for installation instructions for your platform. For the examples that follow, OpenSSH was installed on a Red Hat 7.0 server and workstation. OpenSSH was installed on Red Hat 6.0 through 7.0 and worked the same on each. The client machine used in the following tutorial is a Windows 2000 machine. Windows 95/98, NT 4.0, NT 5.0, and Red Hat 6.0-7.0 workstations were all tested as client machines and worked the same. On a side note, the exact same MindTerm jar archive was used on all client systems tested.

Required software:
SSH or OpenSSH
MindTerm
FTP client - any ftp client should work for this tutorial. WS-FTP and LeechFTP are the two most popular for Windows.
Netscape Communicator - or any other mail client should work
Optional: NTOP
Optional: vlock

Install NTOP to see how other TCP services can be encrypted as well. I downloaded the latest rpm from RPM resource ntop. Vlock is optional because users may do work from the console after they are authenticated. However, if a user will only be using the tunnels, the command vlock -c can be typed at the console, or it can be added to the user's startup script so that when the user logs in, it automatically locks their console.

Server configuration

First, make sure that your server is secure. Though traffic is encrypted as it travels over the Internet, it can be sniffed if someone has root access on the local machine and uses a program like ngrep to sniff traffic on a local machine. For example, in conjunction with the dsniff program mentioned above, the following command could sniff all traffic on the local loopback interface: ngrep -d lo. Securing the server is, however, beyond the scope of this paper.

We'll use the POP (port 110), IMAP (port 143), SMTP (port 25), VNC (Virtual Network Computing) (5901 and up), and NTOP (default port 3000) services for this example. All traffic will be forwarded to each service's respective port on the remote host running the ssh server.
All services on the remote host listen on all interfaces, unless a service binds to a specific interface by default or has been configured to do so. In order to show how effective this technique of tunneling over ssh is, we will allow particular services to accept connections only from the local interface. You don't have to change your current security configuration, however. We will use tcp_wrappers, which is installed by default with Red Hat 7.0 (and previous versions), to control connections to the network services.

In the /etc/hosts.deny file add the following line:

ALL: ALL

And in your /etc/hosts.allow file add the following lines:

sshd: ALL
in.ftpd: 127.0.0.1
ipop3d: 127.0.0.1
imapd: 127.0.0.1

This allows sshd (the ssh server) to accept connections from any IP address. The other services only accept connections from the local interface. You can verify this right now by configuring a mail client to connect to your remote pop or imap server and/or an ftp client to connect to your ftp server: it won't let you connect. You'll also need to set up any user accounts that need access to these services. (Note: The setup above is only useful if the services are for internal use only and remote users need to reach those internal services to send and receive email or transfer files. The services can also be left available for public use and still be encrypted with ssh and MindTerm.)

Client configuration

The only client configuration needed is to make sure that a Java Runtime Environment (JRE) is installed for your platform. Windows and MacOS 8 and later have a JRE already installed. It is recommended to install Sun's JRE on Windows. IBM (https://www.ibm.com/us-en) and Sun (Oracle Java Technologies) have lists of JRE ports to various platforms. (You don't need the entire Java package with the debuggers and compilers; you just need the Java Virtual Machine to run Java applications.)
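To check what the tcp_wrappers rules in the server configuration section actually permit, here is an added example (not from the paper) that models the hosts.allow / hosts.deny decision order on the exact rules above. It covers only the forms the paper uses (daemon names, the ALL wildcard, exact client IPs); 203.0.113.7 is a documentation address standing in for a traveller's laptop.

```python
"""Added example, not from the paper: a small model of how tcp_wrappers
evaluates /etc/hosts.allow and /etc/hosts.deny, applied to the rules the
paper installs.  Real tcp_wrappers also understands host names, netmasks,
EXCEPT lists and shell commands; this model handles only daemon names, the
ALL wildcard and exact client IP addresses, which is all the rules use."""

# The two files exactly as the paper has the administrator write them.
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = """\
sshd: ALL
in.ftpd: 127.0.0.1
ipop3d: 127.0.0.1
imapd: 127.0.0.1
"""


def parse_rules(text):
    """Turn 'daemon_list : client_list' lines into ([daemons], [clients]) pairs."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def _matches(patterns, value):
    """ALL matches anything; otherwise an exact match is required."""
    return any(p == "ALL" or p == value for p in patterns)


def _any_rule_matches(rules, daemon, client_ip):
    return any(_matches(d, daemon) and _matches(c, client_ip) for d, c in rules)


def allowed(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcp_wrappers decision order: a match in hosts.allow grants access, else a
    match in hosts.deny refuses it, else (no match in either file) access is granted."""
    if _any_rule_matches(parse_rules(allow_text), daemon, client_ip):
        return True
    if _any_rule_matches(parse_rules(deny_text), daemon, client_ip):
        return False
    return True


def policy_summary(remote_ip="203.0.113.7"):
    """Which daemons a client on the Internet can reach directly, versus a
    client arriving through the ssh tunnel (which appears as 127.0.0.1)."""
    daemons = ["sshd", "in.ftpd", "ipop3d", "imapd"]
    return {d: {"remote": allowed(d, remote_ip), "via_tunnel": allowed(d, "127.0.0.1")}
            for d in daemons}


if __name__ == "__main__":
    for daemon, verdict in policy_summary().items():
        print(f"{daemon:8s} direct from Internet: {verdict['remote']!s:5s} "
              f"via ssh tunnel: {verdict['via_tunnel']}")
    # Without the ALL: ALL line in hosts.deny the allow file achieves nothing,
    # because tcp_wrappers grants access when neither file matches.
    print("ipop3d from Internet with an empty hosts.deny:",
          allowed("ipop3d", "203.0.113.7", deny_text=""))
```

The last print is the caveat to remember: the restriction comes from the deny-all line, and an allow file on its own opens nothing and closes nothing.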
Also, for the tutorial that follows, unzip the MindTerm archive (MindBright's or ISNetworks' implementation) into "c:\mindterm" on Windows.

Creating the Tunnels

MindTerm can be started in a few ways. If you have the JRE installed, you can double-click on the mindtermfull.jar application file. Another way is to open up a DOS shell and type one of the following commands:

jview -cp c:\mindterm\mindtermfull.jar mindbright.application.MindTerm
javaw -cp c:\mindterm\mindtermfull.jar mindbright.application.MindTerm
java -cp c:\mindterm\mindtermfull.jar mindbright.application.MindTerm

(jview is used if you are on Windows and did not download the JRE. javaw comes with the Windows JRE download and is used because no DOS shell window is needed to run MindTerm, so there is one less window open.)

UPDATE: MindTerm 2.0 release candidate 1 is out. The argument to start it has changed slightly. Instead of the command above:

java -cp c:\mindterm\mindtermfull.jar mindbright.application.MindTerm

this will start MindTerm from the command line:

java -cp c:\mindterm\mindtermfull.jar com.mindbright.application.MindTerm

Only "com." was added to the class name.

Also, under the section "MindTerm over the Web", add this directly under the first code example: UPDATE: MindTerm 2.0 release candidate 1 is out. The argument to start the web applet has changed slightly. Instead of the applet parameter above, and in the code example below, change the line:

<applet archive="mindtermfull.jar" code=mindbright.application.MindTerm width=700 height=400>

to:

<applet archive="mindtermfull.jar" code=com.mindbright.application.MindTerm width=700 height=400>

Only "com." needs to be added to the applet's "code=" parameter. So the code below will be changed to:

Starting MindTerm will prompt you for the server name, and then prompt you to "Save as Alias".
You can type a short server name so that when you start the applet again you can simply type the "Alias" you created. You will then be prompted for your login name. After you type it, hit enter and a dialog box will appear informing you that the host doesn't exist and prompting you to create it. Click "Yes". Another dialog will ask whether you want to add that host to your "known_hosts" file. Click "Yes". Then you are prompted for your password. Type your password and hit enter. If you supplied the proper username and password, you should be at a command line on the server you specified.

Creating the Tunnels

We'll create a tunnel to the POP and SMTP server first. After you have successfully logged in (and optionally enabled vlock), click on "Tunnels" on the menu and then click "Basic". A dialog box will appear. Add the following settings to each box, respectively:

Local port: 2010
Remote host: Your remote host (this should be the server running the sshd server).
Remote port: 110

Now click "Add". A dialog box should appear stating "The tunnel is now open and operational". (Note: If you select a port that is already in use, an error message will appear stating "Could not open tunnel. Error creating tunnel. Error setting up local forward on port XXXX, Address in use.") Click "OK" and the tunnel configuration should now appear in the box. Click "Close Dialog".

Open up your email client's options or preferences menu. We'll use Netscape Messenger for this example. Open up Netscape and click on the "Edit" menu ---> "Preferences". In the left column click on "Mail & Newsgroups", if the contents aren't already displayed. Click on "Identity" and type your information in each box. Click on "Mail Servers" in the left column. The default install of Netscape has "mail" in the box underneath "Incoming mail servers". Click on "mail", then click "Edit" to the right of that box, and a dialog box should appear.
If POP is not already selected in that drop-down box, select it now. In the "Server Name" box type "localhost:2010" (remember, we chose that local port in the MindTerm tunnel creation menu to forward to the remote server's POP (110) port) and then your username. Set any other options as you see fit. Click "OK". In the box "Outgoing mail (SMTP) server" type your smtp server name, and underneath that type your "Outgoing mail server user name". Click "OK". (Don't do anything to the "Use Secure Socket Layer (SSL) or TLS for outgoing messages" option.) Now click on "Communicator" on the menu and click "Messenger". You should then be prompted for your password. Type your password and hit enter. If you have mail you should now be able to read it.

As long as you have a MindTerm ssh session open, this should work with most email clients. Remember that the remote server name or POP server name will be "localhost:" followed by the local port you chose. If you are asked for the POP server and port separately, enter them accordingly. Any connection to local port 2010, in this example, will be forwarded to the remote host's port 110. If you configured an ftp client to connect to localhost port 2010 right now, it wouldn't work. Why? The POP server doesn't understand the ftp protocol. Only POP clients can use the tunnel on local port 2010 for the tunnel to be effective.

A POP server isn't much use without an smtp server. If you have a mail program like Postfix (www.postfix.net), Qmail, or Sendmail (https://www.proofpoint.com/us/products/email-protection/open-source-email-solution), a secure tunnel can be created to it as well. With the MindTerm client still running, click on "Tunnels" again, then "Basic", and add these settings:

Local port: 2025 (just type over the settings from the previous tunnel)
Remote host: Your remote smtp server.
Remote port: 25

Click "Add". Then click "OK" on the confirmation menu.
Now SMTP should be added to the list underneath the settings for POP. In the Netscape Messenger mail server settings add localhost:2025 as your "Outgoing mail (SMTP) server". All email you send to the remote host will be encrypted. However, if you send mail to someone outside of the remote host's mail server, your email will be encrypted only from your local machine to your remote SMTP server. From the remote SMTP server to any other host it will not be encrypted, unless you've configured a tunnel to the other hosts.

To enable encrypted ftp sessions, add these settings to a new tunnel:

Local Port: 2021 (just type over the settings from what we did previously)
Remote Host: Your remote ftp server.
Remote Port: 21

Click "Add". Then click "OK" on the confirmation menu. Now ftp (see the leech ftp example and the wsftp pictures 1 and 2) should be added to the list underneath the settings for SMTP.

IMAP settings:

Local Port: 2043 (just type over the settings from what we did previously)
Remote Host: Your remote IMAP server.
Remote Port: 143

Click "Add". Then click "OK" on the confirmation menu. Now IMAP should be added to the list underneath the settings for ftp.

All these settings can be automated in a batch file. Simply add the following to a startup script to automatically create a tunnel to your POP server after authentication:

jview (or java or javaw) -cp c:\mindterm\mindtermfull.jar mindbright.application.MindTerm -server -local0 2010:localhost:110

Here is an example based on what we've done above. Add the following to a file in an editor:

jview (or java or javaw) -cp c:\mindterm\mindtermfull.jar mindbright.application.MindTerm -server -local0 2010:localhost:110 -local1 2025:localhost:25 -local2 /ftp/2021:localhost:21 -local3 2043:localhost:143

Now save it with a .bat extension and double-click on it. You should be prompted for your login name when MindTerm starts up; then type your password.
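The batch file above launches MindTerm with the four forwards in one go. As an added example that is not from the original tutorial and not MindTerm's own code, the following Python launcher translates the same -localN tunnel specifications into an OpenSSH command line, for readers who have the ssh client instead of MindTerm, and performs the same "Address in use" check before starting. The user name "alice", the server name "ssh.example.org" and all function names are placeholders of this example.

```python
"""Added example: OpenSSH equivalent of the MindTerm tunnel batch file.

Tunnel specs use MindTerm's -localN syntax, "localport:remotehost:remoteport",
optionally prefixed with a plugin name such as "/ftp/". Each is turned into an
OpenSSH -L option. The user and server names below are placeholders."""
import socket
import subprocess
import sys

# The four forwards from the batch file, in the same order. "localhost" here
# is resolved on the far end, i.e. the loopback interface of the sshd host.
TUNNELS = [
    "2010:localhost:110",       # POP3
    "2025:localhost:25",        # SMTP
    "/ftp/2021:localhost:21",   # FTP control channel (see note after the code)
    "2043:localhost:143",       # IMAP
]


def parse_spec(spec):
    """Split a MindTerm spec into (plugin, local_port, remote_host, remote_port).
    plugin is "" when the spec carries no /name/ prefix."""
    plugin = ""
    if spec.startswith("/"):
        _, plugin, spec = spec.split("/", 2)
    parts = spec.split(":")
    if len(parts) != 3:
        raise ValueError(f"malformed tunnel spec {spec!r}")
    local_port, remote_host, remote_port = int(parts[0]), parts[1], int(parts[2])
    for port in (local_port, remote_port):
        if not 1 <= port <= 65535:
            raise ValueError(f"port {port} out of range in {spec!r}")
    return plugin, local_port, remote_host, remote_port


def build_ssh_command(user, server, specs):
    """Return the argv list for one ssh session carrying every forward.
    -N opens no remote shell; binding each forward to 127.0.0.1 keeps the
    tunnel entrances unreachable from other machines on the user's LAN."""
    argv = ["ssh", "-N"]
    for spec in specs:
        _plugin, lport, rhost, rport = parse_spec(spec)
        argv += ["-L", f"127.0.0.1:{lport}:{rhost}:{rport}"]
    argv.append(f"{user}@{server}")
    return argv


def port_is_free(port, host="127.0.0.1"):
    """True if a listener can be created on host:port right now. A failed bind
    is the condition MindTerm reports as "Address in use"."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((host, port))
            return True
        except OSError:
            return False


def busy_ports(specs):
    """Local ports from the specs that are already taken on this machine."""
    return [lport for lport in (parse_spec(s)[1] for s in specs)
            if not port_is_free(lport)]


def hold_port():
    """Open a listening socket on an ephemeral loopback port (used to
    demonstrate the busy-port check; the caller closes it)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    return sock


if __name__ == "__main__":
    cmd = build_ssh_command("alice", "ssh.example.org", TUNNELS)
    taken = busy_ports(TUNNELS)
    if taken:
        sys.exit(f"local port(s) already in use: {taken}")
    print(" ".join(cmd))
    if "--run" in sys.argv:          # actually start the tunnels
        sys.exit(subprocess.call(cmd))
```

One difference is worth knowing before relying on the ftp entry: OpenSSH has no counterpart to MindTerm's /ftp/ plugin. A plain -L forward carries only the FTP control connection, so the separate data connections used for listings and transfers would not pass through the tunnel; for encrypted file transfer over OpenSSH, sftp or scp over the same session is the usual choice.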
After you are authenticated, click on the "Tunnels" menu and click "Basic". You should see the tunnels in the box that opens up. This is an easy way to allow remote users to start up the tunnels without much configuration on their part. They only need to click the .bat file, type their username and password, and optionally run vlock. Their client software can be pre-configured with remote profiles that connect to the tunnels automatically.

When you are finished using MindTerm, be sure to close all applications that are using a tunnel. If you forget to close the programs using the tunnels, MindTerm will display a message when you attempt to exit from the console or quit the program.

What about VNC and NTOP?

These services work the same way. Here the VNC server was running on a Red Hat 7.0 workstation. When you start the VNC server, the first instance listens on port 5901 and each server after that increments by one port, so the second instance of VNC will listen on port 5902, the third on 5903, etc. On Linux you can run multiple VNC servers, and people can connect to each VNC server. In MindTerm you can simply add a VNC tunnel with the following settings:

Local Port: 2001
Remote Host: Your remote VNC server host name.
Remote Port: 5901 (if this is the first server instance running)

Click "Add". Then click "OK" on the confirmation menu. Run the vncviewer application on your local machine and type localhost:2001, then the password for the VNC desktop when prompted, and you have an encrypted VNC session.

Ntop works the same way. If you want to run ntop in web mode as a network monitor, you can tunnel connections to your local machine and view the stats in your local browser, without having to install a web server or open port 3000 on your remote server. By default, ntop in web mode listens on port 3000 and waits for an http connection to display network stats. Simply create a tunnel to the server running the ssh server and ntop.
First run ntop in web mode:

ntop -d -w 3000

Then add the settings to the MindTerm tunnel:

Local Port: 2080
Host: Server running ntop.
Remote Port: 3000

Click "Add". Then click "OK" on the confirmation menu. Open up your web browser and in the location bar type:

You should now see the network stats page for ntop (see the ntop man pages to add password-protected access to the ntop display).

Similarly, if you want to install a web server so you can use web-based applications to control your server or firewall, then just create a tunnel to port 80. You don't have to open up a port on the public interface. Simply bind the web server to the local interface and create a tunnel to the remote host's port 80. For Apache, edit the httpd.conf file and change the "BindAddress *" option to BindAddress 127.0.0.1. Then set the "ServerName" directive to localhost: ServerName localhost.

As you can see by now, MindTerm can secure almost any TCP service. It can be used on a remote server to run Webmin, which is an excellent web application for administering your servers. It comes with its own Perl-based web server and listens on port 10000 by default. Simply create a tunnel to it using MindTerm and it should work without any changes to the Webmin application or your local web browser.

The MindTerm download zip file contains many useful examples, such as using it from the command line and an explanation of all the menu options. MindTerm has more features than outlined in this tutorial, but the tunnel option is well worth spending time on.

MindTerm over the Web

MindTerm can be used over the web as well. Users don't have to download the application. Simply copy the mindtermfull.jar file into a directory under your web root, and users can use it as a built-in application or as a stand-alone Java applet. For example, create a folder named "mindterm" under your web directory. Copy the mindtermfull.jar file that was used above into the web directory folder "mindterm".
Then add the file index.html to the directory with the following content (from the README):

Now browse to the location of the directory in your web browser (<server name>/mindterm/index.html). This will start MindTerm as a standalone Java applet, the same as if it was started from the command line. Notice the one tunnel that is already created from the applet tag: " ". Tunnels can be created using the applet tags so that users don't have to do anything but browse to the page and then log in. Then they would access their services just as explained in the above examples. They can, however, create their own tunnels or new tunnels from the "Tunnels" menu as explained above. The README that comes with the MindTerm zip archive has many more applet parameters that can be added.

A couple of security notes here: you can't connect to another server using the initial login applet. You can only log in to the server where the applet is located. However, after you have logged in successfully, you can then log in to other servers from the command line. Also, this MindTerm applet is not signed, so you need to contact the sales department at MindBright to obtain a cryptographic signature for your organization, if one is needed.

Security Considerations

When an ssh session starts, the public keys are sent over an insecure connection until the authentication process is established. This allows a person to intercept an ssh session and place their own public key in the connection process. SSH is designed to warn the user if a public key has changed from what exists in their known_host file. The warning that is given is quite noticeable, and ssh will drop the connection if the public keys are different, but users may still trust the new key because they may think that their company has changed the server's public key. This kind of attack isn't difficult because the dsniff package mentioned earlier contains the tools to perform it.
This attack is more commonly called a "man-in-the-middle attack" (The End of SSL and SSH). A temporary and easy fix for this is, first, to teach users how to recognize the signs that the host key has changed and what to do to get the proper host(s) public key. Second, post the public key for the ssh server(s) on a website or ftp server, or distribute it some other way, so that users have access to it at all times.

Conclusion

SSH and MindTerm together can provide local and remote users with a high level of security with a simple and small drop-in application. It can also be used from nearly any platform available. Java was chosen because of its cross-platform compatibility. If there is a JRE available for a platform that someone uses, then they can use the MindTerm application to communicate securely over long distances. Since ssh is becoming the standard for remote administration and logins, soon nearly all platforms will be able to run an ssh server. MindBright is currently working on a Java SSH server.

This tutorial also shows how someone can tunnel through a firewall. This is by no means the intention of this paper. It is hoped people will use it as a secure, quick, and free drop-in VPN-like replacement for remote administration and traveling business people, and that other sectors can see the usefulness of this excellent program. As long as you are allowed to make ssh connections, you can tunnel services through to a remote machine. System and Security Administrators should establish policies against tunneling through firewalls, because that can cause internal security breaches if used improperly.

Remember that the communication is secured, but the commands and files that you access and/or download are still being executed on your local and remote machines. Also, any commands you type on most servers are being logged as well. SSH will protect the data over the network or the Internet, but what is done on the remote machines can be logged.
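Returning to the Security Considerations above: the published host key is only useful if users actually compare it with what their client stored. The following is an added example, not part of the original tutorial and not code from MindTerm or OpenSSH, showing what that comparison involves: parsing a known_hosts entry and a public key line, computing the fingerprints that ssh-keygen prints, and checking that the stored key is byte-for-byte the published one. Both inputs are constructed sample data rather than real keys, the host name "mail.example.org" is a placeholder, and the code assumes plaintext (unhashed) host names in known_hosts.

```python
"""Added example: compare a known_hosts entry with a host key obtained out of
band. All keys below are constructed test data, not real keys."""
import base64
import hashlib
import struct


def ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def make_key_line(key_type, value, comment=""):
    """Build a 'type base64blob comment' line with a blob laid out like a
    real public key (type string followed by the key material)."""
    blob = ssh_string(key_type.encode()) + ssh_string(value)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".strip()


# Constructed samples: the key the administrator published, the known_hosts
# line a client wrote for the same server, and a different key standing in
# for what a substituted host key would look like.
SAMPLE_PUBLISHED_KEY = make_key_line("ssh-ed25519", bytes(range(32)), "mail.example.org")
SAMPLE_KNOWN_HOSTS = "mail.example.org,192.0.2.10 " + make_key_line("ssh-ed25519", bytes(range(32)))
SAMPLE_SUBSTITUTED_KEY = make_key_line("ssh-ed25519", bytes(range(32, 64)), "mail.example.org")


def parse_public_key(line):
    """Return (key_type, blob) from a 'type base64 [comment]' line and check
    that the type label matches the type embedded in the blob."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not a public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1])
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length] != key_type.encode():
        raise ValueError("key type label does not match blob")
    return key_type, blob


def parse_known_hosts(text):
    """Yield (host_list, key_type, blob) for each plaintext entry. Hashed
    (|1|...) entries and @marker lines are skipped; this example assumes the
    unhashed host names that early clients wrote."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#@|":
            continue
        hosts, rest = line.split(None, 1)
        key_type, blob = parse_public_key(rest)
        yield hosts.split(","), key_type, blob


def fingerprint_sha256(blob):
    """Same form as `ssh-keygen -l`: SHA256:<base64 digest without padding>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob):
    """Legacy colon-separated form (`ssh-keygen -l -E md5`)."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def verify_known_host(known_hosts_text, host, published_key_line):
    """True only if every known_hosts entry for `host` with the published
    key's type holds exactly the published key. A differing key (the mark of
    a substituted host key) or a missing entry both return False."""
    pub_type, pub_blob = parse_public_key(published_key_line)
    matched = False
    for hosts, key_type, blob in parse_known_hosts(known_hosts_text):
        if host not in hosts or key_type != pub_type:
            continue
        if blob != pub_blob:
            return False
        matched = True
    return matched


if __name__ == "__main__":
    _, blob = parse_public_key(SAMPLE_PUBLISHED_KEY)
    print("published key:", fingerprint_sha256(blob), fingerprint_md5(blob))
    print("known_hosts matches published key:",
          verify_known_host(SAMPLE_KNOWN_HOSTS, "mail.example.org", SAMPLE_PUBLISHED_KEY))
    print("known_hosts matches substituted key:",
          verify_known_host(SAMPLE_KNOWN_HOSTS, "mail.example.org", SAMPLE_SUBSTITUTED_KEY))
```

In day-to-day use the same comparison is done with the stock tools: `ssh-keygen -l -f` on the published key file prints its fingerprint, and `ssh-keygen -F <host>` shows the entry the client stored; the fingerprint the user reads off the warning dialog must equal the one computed from the published copy, and a mismatch means stop and ask the administrator rather than accept the new key.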
SSH and MindTerm will not protect against someone gaining access to a remote user's computer and installing key logging programs or other snooping devices. It is very simple and quick to set up secure communications, but the only way to increase the use of secure communication is for users to encourage their company, financial institutions, health care providers, and other businesses to offer secure services.

Special thanks to Patty Pitz for her editing and help organizing the paper, and to Doug Eyman for his technical editing.

Works Cited

Broadband Access to Increase in Workplace. 25 Jan. 2001. CyberAtlas. 12 Mar. 2001 < >.
Broadband Moving On Up. 10 Jan. 2001. CyberAtlas. 12 Mar. 2001.
Schneier, Bruce. Secrets and Lies: Digital Security in a Networked World. New York: Wiley & Sons, 2000.
Seifried, Kurt. "The End of SSL and SSH." 18 Dec. 2000. SecurityPortal. 12 Mar. 2001 < >.
virtual private network: [Definition]. 6 Oct. 2000. Whatis.com. 15 Mar. 2001.

Brittany Day