In an ever-connected world, network security is increasingly becoming one of the areas where organizations invest a great deal of time and resources. This is because a company’s network is the backbone of any IT infrastructure and connects all the servers and network devices. If the network is breached, the organization will pretty much be at the mercy of the hackers. Crucial data can be exfiltrated and business-centric services and applications can be brought down.
Network security is quite a vast topic and usually takes a two-pronged approach. Network administrators will usually install network security devices such as Firewalls, IDS (Intrusion Detection Systems) & IPS (Intrusion Prevention Systems) as the first line of defense. While this may provide a decent layer of security, some extra steps need to be taken at the OS level to prevent any breaches.
At this point, you should already be familiar with networking concepts such as IP addressing and TCP/IP service and protocols. You should also be up to speed with basic security concepts such as setting up strong passwords and setting up a firewall.
Before we cover various steps to ensure the safety of your system, let’s first have an overview of some of the common network threats.
What is a Network Attack?
A large and fairly complex enterprise network may rely on multiple connected endpoints to support business operations. While this may provide the required connectivity to streamline workflows, it poses a security challenge. More flexibility translates to a wider threat landscape which the attacker can leverage to launch a network attack.
So, what is a network attack?
A network attack is unauthorized access to an organization’s network with the sole purpose of accessing and stealing data and performing other nefarious activities such as defacing websites and corrupting applications.
There are two broad categories of network attacks.
- Passive Attack: In a passive attack, the hacker gains unauthorized access to solely spy on and steal data without modifying or corrupting it.
- Active Attack: Here, the attacker not only infiltrates the network to steal data but also modifies, deletes, corrupts, or encrypts the data and crushes applications, and brings down running services. Admittedly, this is the most devastating of the two attacks.
Types of Network Attacks
Let’s go over some of the common network attacks that can compromise your Linux system:
1. Software Vulnerabilities
Running old and outdated software versions can easily put your system at risk, and this is largely because of inherent vulnerabilities & backdoors that lurk therein. In the previous topic on data security, we saw how a vulnerability on the customer complaint portal of Equifax was exploited by hackers and led to one of the most infamous data breaches.
It’s for this reason that it is always advisable to constantly apply software patches by upgrading your software applications to the latest versions.
2. Man in the Middle Attacks
A man in the middle attack, commonly abbreviated as MITM, is an attack where an attacker intercepts communication between the user and the application or endpoint. By positioning himself between a legitimate user and the application, the attacker is able to strip down the encryption and eavesdrop on the communication sent to and from. This allows him to retrieve confidential information such as login credentials, and other personally identifiable information.
Likely targets of such an attack include eCommerce sites, SaaS businesses, and financial applications. To launch such attacks, hackers leverage packet sniffing tools that capture packets from wireless devices. The hacker then proceeds to inject malicious code into the packets being exchanged.
3. Malware
Malware is a portmanteau of Malicious Software and comprises a broad range of malicious applications such as viruses, trojans, spyware, and ransomware to mention a few. Once inside a network, malware propagates across various devices and servers.
Depending on the type of malware, the consequences can be devastating. Viruses and spyware have the capability of spying, stealing & exfiltrating highly confidential data, corrupting or deleting files, slowing down the network, and even hijacking applications. Ransomware encrypts files rendering then inaccessible unless the victim parts with a substantial amount as ransom.
4. Distributed Denial of Service ( DDoS ) Attacks
A DDoS attack is an attack where the malicious user makes a target system inaccessible, and by doing so prevents users from accessing crucial services and applications. The attacker accomplishes this using botnets to flood the target system with enormous volumes of SYN packets which ultimately render it inaccessible for a period of time. DDoS attacks can bring down databases as well as websites.
5. Internal Threats / Rogue Employees
Disgruntled employees with privileged access can easily compromise systems. Such attacks are usually difficult to detect and protect against since the employees do not need to infiltrate the network. Additionally, some employees can unintentionally infect the network with malware when they plug in USB devices with malware.
Mitigating Network Attacks
Let’s check out a few measures you can take to put a barrier that will provide a considerable degree of security to mitigate network attacks.
1. Keep Software Applications Up to Date
At the OS level, updating your software packages will patch any existing vulnerabilities that may put your system at risk of exploits launched by hackers.
Implement a host-based Firewall
Aside from network firewalls which usually provide the first line of defense against intrusions, you can also implement a host-based firewall such as firewalld and UFW firewall. These are simple yet effective firewall applications that provide an extra layer of security by filtering network traffic based on a set of rules.
3. Disable Services You Don’t Need
If you have running services that are not actively used, disable them. This helps to minimize the attack surface and leaves the attacker with minimal options to leverage and find loopholes.
In the same line, you use a network scanning tool such as Nmap to scan and probe for any open ports. If there are unnecessary ports that are open, consider blocking them on the firewall.
4. Configure TCP Wrappers
TCP wrappers are host-based ACLs ( Access Control Lists ) that restrict access to network services based on a set of rules such as IP addresses. TCP wrappers reference the following host files to determine where a client will be granted or denied access to a network service.
- /etc/hosts.allow
- /etc/hosts.deny
A few points to note:
- Rules are read from top to bottom. The first matching rule for a given service applied first. Take note that the order is extremely crucial.
- The rules in the /etc/hosts.allow file are applied first and take precedence over the rule defined in the /etc/hosts.deny file. This implies that if access to a network service is allowed in the /etc/hosts.allow file, denying access to the same service in the /etc/hosts.deny file will be overlooked or ignored.
- If service rules do not exist in either of the host files, access to the service is granted by default.
- Changes made to the two host files are implemented immediately without restarting the services.
5. Secure Remote Protocols & Use VPN
In our previous topics, we have looked at how you can secure the SSH protocol to deter malicious users from accessing your system. Equally important is the use of a VPN to initiate remote access to the Linux server especially over a public network. A VPN encrypts all the data exchanged between the server and remote hosts and this eliminates chances of the communication being eavesdropped upon.
6. Round-the-clock Network Monitoring
Monitoring your infrastructure with tools such as WireShark will help you to monitor and inspect traffic for malicious data packets. You can also implement fail2ban to secure your server from bruteforce attacks.
[ You might also like: 16 Useful Bandwidth Monitoring Tools to Analyze Network Usage in Linux ]
7. Install Antimalware Software
Linux is increasingly becoming a target for hackers due to its increasing popularity and use. As such, it’s prudent to install security tools for scanning the system for rootkits, viruses, trojans, and any manner of malware.
There are popular opensource solutions such as ClamAV which are efficient in detecting an warding off malware. You can also consider installing chkrootkit to check for any signs of rootkits on your system.
8. Network Segmentation
Consider segmenting your network into VLANs ( Virtual Local Area Networks ). This is done by creating subnets on the same network that act as stand-alone networks. Segmenting your network goes a long way in limiting the impact of a breach to one zone and makes it much harder for hackers to access traverse other subnetworks.
9. Encrypting Wireless Devices
If you have wireless routers or access points in your network, ensure that they are using the latest encryption technologies to minimize the risks of man-in-the-middle attacks.
Summary
Network security is a huge topic that encompasses taking measures on the network hardware section and also implementing host-based policies on the operating system to add a protective layer against intrusions. The measures outlined will go a long way in improving the security of your system against network attack vectors.
“1. Software Vulnerabilities”
Old software is bad because bad actors have had more time to find its vulnerabilities. Applying software patches will only plug up the vulnerabilities that the patch was specifically designed for. They will not fix any yet unknown vulnerabilities.
It is a fallacy to assume that ‘new and improved software is any more secure than the ‘old, tried and true software. While upgrading the applications running on a system may introduce new features, it will also introduce new and undiscovered vulnerabilities. One – because it is inevitable that the programming process will introduce vulnerabilities, and Two – because, in a commercial environment, the main objective is to get the application out to the market as soon as possible, resulting in a foreshortened quality testing.
Another reason for almost guaranteed new vulnerabilities is that even the largest software house does not have sufficient enough staff to conduct thorough testing. At best, they may have a thousand testers while, out in the wild, there are millions of users. Millions of users can find application problems much faster than ANY Q/A staff.
Of course, bad actors will constantly be rooting through the application source, determined to find as many vulnerabilities as they can.
In none of the preceding articles in this series was performing a security audit mentioned as a method of mitigating security attacks. An application such as Lynis will examine a Linux system, be it a server or an individual host, and list possible points of attack.
Hi,
Thanks a lot