Security Testing for entities hosted in cloud

Applications that are being migrated to the cloud, or are planned to be hosted there, need additional security considerations. Failure to ensure proper security protection when using cloud services may result in higher costs and loss to the business. Organizations must consider security controls for the different service models, viz. Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS).

Which applications should be moved to the cloud?
· Low to medium risk

What are the key security risks while hosting in the cloud?
· Isolation failure: multi-tenancy is a key aspect of the cloud. Failure of the controls that separate storage, memory, identity and access control, and routing between tenants is a huge risk.
· Authentication and authorization
· ...

Change the default SSH keys in Kali Linux: one important step post installation

All of us know that you can authenticate to a box without a password if you have the SSH keys.

The Kali images ship with known SSH host keys, which must be changed.

Here is how you can do this: 

Move the default Kali ssh keys to a new folder:

cd /etc/ssh/
mkdir default_kali_keys
mv ssh_host_* default_kali_keys/

This moves your default keys into the new folder.

Regenerate the keys:
dpkg-reconfigure openssh-server
Creating SSH2 RSA key; this may take some time ...
Creating SSH2 DSA key; this may take some time ...
Creating SSH2 ECDSA key; this may take some time ...
insserv: warning: current start runlevel(s) (empty) of script `ssh' overrides LSB defaults (2 3 4 5).
insserv: warning: current stop runlevel(s) (2 3 4 5) of script `ssh' overrides LSB defaults (empty).

Verify that the SSH key hashes are different:

md5sum ssh_host_*
(compare the new key hashes to the hashes of the old keys below)
cd default_kali_keys/
md5sum *
b9419ea3a8fff086c258740e89ca86b8 ssh_host_dsa_key
f9a5b57d7004e3740d07c5b037d15730 ssh_host_dsa_key.pub
58e49e0d7b24249c38db0c9cf595751b ssh_host_ecdsa_key
597c83fabf3c1e4f2c7af74af05ac671 ssh_host_ecdsa_key.pub
cc0d92036bb86797bed354338faa7223 ssh_host_rsa_key
cc9ddc90b891b5251ed4ea8341495e84 ssh_host_rsa_key.pub

Pretty simple to secure!

By default, Kali's sshd config has PermitRootLogin without-password.

This disallows remote login as root with a password. If you want to access your Kali box remotely over SSH and log in using the root password, then run nano /etc/ssh/sshd_config

and change "PermitRootLogin without-password" to "PermitRootLogin yes".

However, this is the less preferred option, as it allows anyone who has your root password to log in.

The more preferred option is to change the SSH keys as shown above and then add your public key to the /root/.ssh/authorized_keys file.

I would also go ahead and change the default SSH port from 22 to something different, like 2224.

With the above config, even if someone tries to brute-force the root password of your Kali box, there is little use: SSH login using a password is disabled. The attacker would need to brute-force the SSH keys instead, which takes heaps of effort and patience.
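An added example, not code from the original post: a small POSIX shell audit that reports whether the host keys in a directory still match the default Kali hashes listed above and whether sshd_config still permits root or password login. The function names are hypothetical; the hash list is the one quoted in this post, and the PasswordAuthentication check goes one step beyond the post, since PermitRootLogin without-password only covers the root account.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Kali box for the two
# things the post changes. Helper names are hypothetical; the hash list is the
# set of default Kali host-key MD5s quoted in the post.

KNOWN_DEFAULT_MD5="b9419ea3a8fff086c258740e89ca86b8 f9a5b57d7004e3740d07c5b037d15730
58e49e0d7b24249c38db0c9cf595751b 597c83fabf3c1e4f2c7af74af05ac671
cc0d92036bb86797bed354338faa7223 cc9ddc90b891b5251ed4ea8341495e84"

# Report key files under $1 whose MD5 is in the known-default list ($2, or the
# Kali list above). Returns 0 when none match, 1 when at least one does.
find_default_keys() {
  dir=$1
  known=" $(printf '%s' "${2:-$KNOWN_DEFAULT_MD5}" | tr '\n' ' ') "
  found=0
  for f in "$dir"/ssh_host_*; do
    [ -f "$f" ] || continue
    sum=$(md5sum "$f" | cut -d' ' -f1)
    case "$known" in
      *" $sum "*) echo "DEFAULT KEY: $f"; found=1 ;;
    esac
  done
  return $found
}

# Effective value of an sshd_config directive ($2) in file $1: sshd uses the
# first occurrence, so later duplicates are ignored. Match blocks are not
# handled, so this reads only the global settings.
sshd_directive() {
  awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Returns 0 if the config blocks remote root/password login as the post
# intends, 1 otherwise. PermitRootLogin without-password only covers root;
# PasswordAuthentication no is what disables password login for every account.
audit_sshd_config() {
  cfg=$1
  rc=0
  case $(sshd_directive "$cfg" PermitRootLogin) in
    yes) echo "PermitRootLogin yes: root can log in with a password"; rc=1 ;;
  esac
  case $(sshd_directive "$cfg" PasswordAuthentication) in
    no) ;;
    *) echo "PasswordAuthentication is not 'no': password logins still allowed"; rc=1 ;;
  esac
  port=$(sshd_directive "$cfg" Port)
  [ "${port:-22}" != 22 ] || echo "note: sshd is still on port 22"
  return $rc
}
```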
