Author Topic: Node Hardening Guide  (Read 4090 times)

colin012

Node Hardening Guide
January 30, 2015, 01:05:48 am

DDoS Protection Outline

The Why
Generally speaking, there is not much an individual can do to protect against a large scale DDoS attack without expensive hardware to handle it. They can increase the size of attack they can handle but without proper hardware it won't make much of a difference; their server will still fail. However, in a peer to peer network with many nodes, each little bit adds to the threshold that the network can handle. If every node can handle an additional 20,000 bytes per second in a 200 node network, that is an additional 4,000,000 bytes per second of an attack the peer to peer network can handle and that makes a difference.

The What
In this outline I will provide tips and links with instructions on how to get the most DDoS resilience out of your node so that together we may have a stronger, safer, NXT Network.

The Basics

Choose a Simple OS (Difficulty Level: Very Easy)
The less you have on your OS, the fewer security flaws there are to exploit. It is as simple as that. Always install the bare minimum of the OS you are using. Typically, for Linux, this will be the server edition and/or will have "minimal" in the name.

Use Full OS Encryption if Possible (Difficulty Level: Very Easy - Very Hard)
Full OS encryption (with a strong password) will help prevent attackers from compromising your machine by remotely accessing your hard drive. On some OSs, this is something you are asked if you want to do during the install process; on others you have to do it manually.

TODO: Give specific details on how to do this for a variety of OSs.

No Wifi (Difficulty Level: Very Easy)
Wifi cards are limited in how much data they can handle per second, and while your wifi may seem fast, it is slow compared to a direct hookup with your router. A direct hookup to the internet can handle a significantly larger attack than a wifi hookup. If you are connected directly to your router, it is likely that the only limit to handling a DDoS attack will be set by your computer itself rather than the connection it has.

DNS Handling (Difficulty Level: Intermediate)
DNS is shorthand for "Domain Name Server." They are the servers that translate "www.nxtforum.org" into an IP address that your computer can connect to. Normally, your computer has to wait for an IP address from its DNS every time it visits a website. This slows it down and eats up bandwidth, which makes it more vulnerable to DoS attacks. In this section, I will outline how to prevent this as much as possible as well as secure DNS requests with encryption to help prevent spying. This is done with two programs, DNSMasq and DNSCrypt.

Setting up and configuring DNSCrypt
First you need to install DNSCrypt. This can be done in three commands. But first, switch over to the root account:

Code: [Select]
sudo su
Then enter the following three commands:

Code: [Select]
add-apt-repository ppa:anton+/dnscrypt
apt-get update
apt-get install dnscrypt-proxy

Now that DNSCrypt is installed, we need to make a special user for it to run as. Just in case the home directory we are going to use doesn't exist, we will make it with the following command:

Code: [Select]
mkdir /run/dnscrypt
If you get an error stating that the directory already exists, it is fine; move on to making the user.

The username of this user should be ordinary and not indicate that it is used for DNSCrypt in any way. Name it after a friend or a pet and add 2-4 numbers at the end or beginning. Now enter the following command and replace "[Username]" with the username you decided on:

Code: [Select]
adduser --system --quiet --home /run/dnscrypt --shell /bin/false --group --disabled-password --disabled-login [Username]
You will probably get a warning saying that the user doesn't own the home directory. Fix this with the following line of code (again replacing "[Username]"):

Code: [Select]
chown [Username]: /run/dnscrypt
Now we need to configure DNSCrypt. Open the configuration file using nano with the following command:

Code: [Select]
nano /etc/default/dnscrypt-proxy
When you are modifying lines in this file, if they start with any number of #'s, delete the #'s. Only do this for lines you are changing!

First, change the line that starts off "user=" to contain the username you chose. It should look like "user=[Username]" when you are done.

Now, change the line "local-address=" to have a value other than "127.0.0.1" so it won't conflict with DNSMasq once that is set up. Keep it in the "127.0.0.X" family (where X is a number between 0 and 255) so it won't accidentally conflict with a real IP address. "127.0.0.2" would work just fine. Write this down somewhere as you will need it when setting up DNSMasq.

Next, you go to a website:

https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv

On this website, search for a DNS server that is, most importantly, marked as having "No Logs" and having "DNSSEC Validation." Among these candidates, select the server you think is closest to you geographically.

Back in nano, find a line starting with "resolver-address=" that does not have a # in front of it (there should be one without any #'s). Change the value after the equals sign to the value in the "Resolver Address" column on the web page I linked you to that lines up with the DNS server you chose. Do the same thing for "provider-name" and "provider-key" using the values from the "Provider Name" and "Provider Key" columns on the web page respectively.

Save the file (Ctrl+O) and exit nano (Ctrl+X). Next, we want to make sure that this runs on startup. Enter the following command:

Code: [Select]
nano /etc/rc.local
Add the following two lines BEFORE the line that says "exit 0" but replace "[Username]" with the username you chose for DNSCrypt:

Code: [Select]
mkdir -p /run/dnscrypt
dnscrypt-proxy --daemonize --user=[Username]

Save the file (Ctrl+O) and exit nano (Ctrl+X). You should be good to go!

Installing and Configuring DNSMasq
The next step is getting DNSMasq set up. First we have to install it:

Code: [Select]
apt-get install dnsmasq
Next, we have to configure it. Enter the following to bring up its configuration file in nano:

Code: [Select]
nano /etc/dnsmasq.conf
Press Ctrl+W and type in "listen-address=" then press "Enter" to find the right line. If there are any #'s in the same line, go ahead and delete them. Change the line to look like this:

Code: [Select]
listen-address=127.0.0.1
Press Ctrl+W and type in "proxy-dnssec" then press "Enter" to find if the line exists. If it does exist and any number of #'s are in the same line as it, delete the #'s. If it doesn't exist, start a new line and type it in. If it exists with no #'s, leave it alone. Either way, you should have a line that looks like this when you are done:

Code: [Select]
proxy-dnssec
Next, do the exact same thing for the phrase "no-resolv"; by that I mean Ctrl+W search it; if you find it, delete any #'s, and if you don't, make a new line and type it in. Finally, Ctrl+W and look for "server=" to set the last configuration option. Look around and make sure that there isn't a line starting like that without any #'s around. Then pick a line that starts with "server=" and set it equal to the IP address you wrote down when configuring DNSCrypt.

Save the file (Ctrl+O) then exit nano (Ctrl+X). DNSMasq is now configured to run through DNSCrypt!

Final Steps
Now, all you need to do is restart DNSCrypt:

Code: [Select]
restart dnscrypt-proxy
then restart DNSMasq:

Code: [Select]
/etc/init.d/dnsmasq restart
and... It should be working! To test it, enter the following command:

Code: [Select]
dig nxtforum.org

If you get anything other than an error, it worked; you are now running your own DNS Cache with information received over an encrypted connection! If you do get an error for some reason (like not following instructions), enter the following two lines of code and start over:

Code: [Select]
apt-get purge dnsmasq
apt-get purge dnscrypt-proxy

iptables Configuration (Difficulty Level: Intermediate)

If your server has iptables on it... USE IT! I know DigitalOcean uses it and any Linux system will have it. If you are going to configure iptables for your server, do it in the order I provide here. The order is important.

Flush current iptables rules
Just to be safe, get rid of all current iptables rules so you can set up the new rules. Do this by issuing the command:

Code: [Select]
iptables -F
Drop common attacks
Issue the following code to drop common attacks with iptables:

Code: [Select]
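# Drop packets with no TCP flags set (null packets)
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Drop new TCP connections that do not begin with a SYN packet
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Drop packets with every TCP flag set (XMAS packets)
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP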

This code drops all incoming null packets, all incoming syn packets, and all incoming XMAS Packets

Allow local host
You want port 7874 to be open to accept information and you may also want local host to be open if you plan on using the API or UI servers on your node.

Code: [Select]
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Limit the number of connections a single IP address can have
Thank you, rigel, for this improvement!
Use the following code to limit the number of connections a single ip address can have and how many they can make per second:

Code: [Select]
iptables -A INPUT -m connlimit --connlimit-above 10 -j DROP
iptables -A INPUT -m hashlimit --hashlimit-name LIMIT --hashlimit-burst 10 --hashlimit-above 1/second --hashlimit-mode srcip --hashlimit-htable-expire 10000 -j DROP

(Optional) Open Port 7874
If you want your node to be public, you will have to open up port 7874.
Code: [Select]
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 7874 -j ACCEPT

TODO: Find the standard strings that are sent from peers using NXT and drop all others to maximize security on port 7874.

(Optional) Allow Pings
This (I think) is no threat. Someone correct me if I am wrong. Not allowing pings may affect your ability to be found, but again, I am not sure so I need to be corrected here.

Code: [Select]
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT

Default Drop
For maximum security, you want to drop all other packets sent.

Code: [Select]
iptables -A INPUT -j DROP

Modify TCP Settings (Difficulty Level: Intermediate)
It is possible to modify your TCP settings to increase DDoS protection even further than iptables alone could. Thank you to rigel for this whole section!

Open sysctl Configuration File
You will want to use a basic text editor for this. Most Linux machines come with nano as a command line text editor. We will use it for these instructions.
Code: [Select]
nano /etc/sysctl.conf

Change Settings
Add the following lines to the file:
Code: [Select]
net.ipv4.tcp_fin_timeout = 20
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 4
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 3
net.ipv4.tcp_max_orphans = 16384
net.ipv4.tcp_max_tw_buckets = 16384
net.ipv4.tcp_retries2 = 10
net.ipv4.tcp_tw_reuse = 1
net.ipv4.ip_local_port_range = 16384 65535

Then save the file and exit nano.

Apply Changes
Once you have exited nano, issue the following code to apply the changes you just made:
Code: [Select]
sysctl -p
« Last Edit: January 30, 2015, 01:09:24 am by colin012 »
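
Added example, not part of colin012's post: the guide stresses that the iptables rules must be entered in the given order, and this shell function checks that order on a saved copy of the rules. It reads the guide's rules in the `-A INPUT ...` form (the commands above without the leading `iptables`, the same shape `iptables -S INPUT` prints); the function name, the finding labels and the reordered sample are assumptions made for the illustration.

```shell
#!/bin/sh
# audit_input_chain PORT: read "-A INPUT ..." rules on stdin and print one
# finding per line, or "ok" when the order holds. Always returns 0.
audit_input_chain() {
    awk -v port="$1" '
        function report(msg) { print msg; bad++ }
        /^-A INPUT / {
            n++
            # Nothing after an unconditional DROP is ever evaluated.
            if (drop_all) { report("unreachable-after-drop:" n); next }
            if ($0 == "-A INPUT -j DROP") { drop_all = n; next }
            accept = ($0 ~ /-j ACCEPT$/)
            if (accept && index($0, " -i lo "))     { lo = n }
            if (accept && index($0, "ESTABLISHED")) { est = n }
            if (accept && !opened && index($0, "--dport " port " ")) { opened = n }
            # A per-source limit placed after the port ACCEPT never sees new
            # connections to that port, because the ACCEPT matches first.
            if (opened && $0 ~ /-m (connlimit|hashlimit) / && $0 ~ /-j DROP$/) {
                report("limit-after-accept:" n)
            }
        }
        END {
            if (!drop_all) report("no-default-drop")
            if (!lo)       report("loopback-not-accepted")
            if (!est)      report("established-not-accepted")
            if (!opened)   report("port-not-open:" port)
            if (!bad)      print "ok"
        }'
}

# The guide's rules, in the guide's order.
guide_rules() {
    cat <<'EOF'
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m connlimit --connlimit-above 10 -j DROP
-A INPUT -m hashlimit --hashlimit-name LIMIT --hashlimit-burst 10 --hashlimit-above 1/second --hashlimit-mode srcip --hashlimit-htable-expire 10000 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 7874 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A INPUT -j DROP
EOF
}

# Constructed sample: a subset of the same rules entered in a different order.
reordered_rules() {
    cat <<'EOF'
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 7874 -j ACCEPT
-A INPUT -m connlimit --connlimit-above 10 -j DROP
-A INPUT -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

echo "guide order: $(guide_rules | audit_input_chain 7874)"
echo "reordered:"
reordered_rules | audit_input_chain 7874
```

The numbers in the findings are rule positions in the chain, so they can be matched against `iptables -L INPUT --line-numbers`.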

colin012

Re: Node Hardening Guide
January 30, 2015, 01:06:06 am

Advanced Protection

First Steps for More Advanced Server Hardening (Difficulty Level: Easy)
The following sections under "Advanced Protection" will outline more advanced ways to harden your Nxt node. The following commands must be entered into a terminal before everything else in this section to make sure it runs smoothly. These are assuming the commands are entered as the super user.

Code: [Select]
service iptables stop
apt-get install yum
yum install sudo perl ntp crontabs sendmail wget -y

Next you want to install EPEL (Extra Packages for Enterprise Linux). This will only work on versions of RHEL (a.k.a. Red Hat Enterprise Linux, RHE, or Red Hat Enterprise) and its derivative Linux distros (such as CentOS and Scientific Linux to name a couple) as far as I can tell. To make it easy, here are some Linux distros that are based off of RHEL in alphabetical order:
  • AsianLinux
  • Asterisk@Home
  • ATmission
  • Berry
  • BioBrew
  • CentOS
  • CERN
  • Ekaaty
  • Elastix
  • Fedora/Fedora Core
  • FoX
  • FrameOS
  • Fuduntu
  • Fusion
  • Hanthana
  • Momonga
  • MythDora
  • NST
  • Ojuba
  • Oracle Enterprise
  • Parsidora
  • Scientific (a.k.a. Scientific Linux)
  • Simplis
  • StartCom
  • Synergy
  • Tao
  • trixbox
  • Vixta
  • VortexBox
  • WhiteBox
  • Xange

If you know any other RHEL based (not RHL/RH or Red Hat Linux/Red Hat) distros, then let me know! If you are running one of those distros (on a 64-bit computer... more on this later) and EPEL doesn't work for you, let me know and I will strike it off of the list! If you don't see your distro on the list, it may still be RHEL based but before you go researching, check this short list of popular distros (in alphabetical order) that are NOT RHEL based:
  • Kubuntu
  • Linux Mint
  • Red Hat Linux (a.k.a. RHL, Red Hat, or RH)
  • Ubuntu

If your Linux distro is not in either list, you will have to do some research to see if it is based on RHEL. First, go to your distro's website and see if they openly say that they are based on another distro. If they do, check the lists again for the distro they are based on; your distro will fit in whichever list its "parent distro" is in. Send me a message stating your distro and its category and I will update this post to include it. If you don't see that it is based off of another distro, it most likely won't work with EPEL as it is most likely an original distro. You are welcome to try it, but it will be easier to use the alternate instructions I provide for each step for systems that EPEL is not compatible with.

There are two system architectures available for EPEL 7: x86_64 and ppc64. EPEL 6 also supports i386. EPEL 4 and 5 support i386, x86_64, and ppc (not ppc64). It is important that you download the right one. You will want to check your machine's architecture; this is done with the next command:

Code: [Select]
arch
This command will print your architecture to the terminal in the next line. If you see anything other than "i386," "x86_64," "ppc," or "ppc64" you should move on to the next section under Advanced Protection and use only "EPEL Free" and "EPEL Alternate" steps.

Make a note of which architecture is returned to the terminal and remember it. Next, you need to figure out which version of EPEL to use (4, 5, 6, or 7). This will be determined by which version of RHEL your distro is based off of and what is available for your computer's architecture. For those using RHEL, CentOS, or Scientific Linux it will be the version of RHEL or CentOS you are using (e.g. RHEL 7 will use EPEL 7 and CentOS 6 will use EPEL 6). Other distros may follow this pattern, but I am not sure; do some research into your distro to see which version they are using. If your computer's architecture is not supported for the version of EPEL your distro needs, the easiest thing to do would be to switch distros to one that has EPEL for your computer's architecture. If you don't want to do this or do not have an architecture that is supported at all, then follow only the "EPEL Free" and "EPEL Alternate" steps.

Next, you want to make sure that you get latest release of EPEL available for your OS. Check the proper link below for the version you are going to install:

You should see a link at the bottom that says something like "epel-release-7-5-noarch." Jot down the number after the second number. This is the release number of the version number you are going to be downloading.

Finally (I know, EPEL has taken forever to figure out!), go to the terminal on your server and enter the following while replacing things in brackets (removing the brackets as well) with the info you jotted down (i.e. Replace [Architecture] with the architecture you noted before. Replace [Version Number] with the version that corresponds to your distro. Replace [Release Number] with the latest release for your version that you just found.):

Code: [Select]
wget http://mirror.sfo12.us.leaseweb.net/epel/[Version Number]/[Architecture]/e/epel-release-[Version Number]-[Release Number].noarch.rpm
Once it has downloaded, enter the following into the terminal (replacing brackets like you did before):

Code: [Select]
yum install epel-release-[Version Number]-[Release Number].noarch.rpm -y
This should install the EPEL repository on your machine for later use. Congratulations! You are now set up to start advanced node hardening!

User Configuration (Difficulty Level: Easy - Hard)
Here, we manage user settings to help make sure no one can easily log into or exploit the server and do damage.

Password, Idle, and Timeout Policies (Difficulty Level: Easy) EPEL Free
First, we change the maximum number of days a password is valid for so that no one has time to brute force their way into getting a user password that can do damage. The more frequent, the more secure the server is but the greater chance you have of getting locked out yourself if your password expires:

Code: [Select]
perl -npe 's/PASS_MAX_DAYS.*/PASS_MAX_DAYS [Number of Days]/' -i /etc/login.defs
Next up is the minimum length a password for a server account can be. Making this large only helps if your server must have multiple users that you don't trust to make good passwords and actually makes things worse otherwise because it gives an attacker a number to start with. If you plan on being the only user to ever access your terminal, make this value 0 but always use a good password!:

Code: [Select]
perl -npe 's/PASS_MIN_LEN.*/PASS_MIN_LEN [Minimum Password Length]/' -i /etc/login.defs
Next is the login timeout or how long (in minutes) a user has access to the terminal before having to log in again. Setting this ensures that an account isn't left open long enough for someone to exploit it:

Code: [Select]
perl -npe 's/LOGIN_TIMEOUT.*/LOGIN_TIMEOUT [Minutes Before Login Times Out]/' -i /etc/login.defs
Next is the password's warn age. This is how old a password must be before the system warns the user to change it. It is an important reminder to keep you from getting locked out of your own server! I recommend setting it to 7 days:

Code: [Select]
perl -npe 's/PASS_WARN_AGE.*/PASS_WARN_AGE [A Warn Age]/' -i /etc/login.defs
Deleting Unnecessary Users (Difficulty Level: Hard)
On one hand, more users means more possible security holes; on the other hand, some users may be built into your OS for an important reason (such as root) and having only a single user with too many permissions is just as weak (I will address this in the next section). So, what you want to do is enter the following line of code to view the different users you have on your machine to start with:

Code: [Select]
nano /etc/passwd
This will display a bunch of information on the different users on your machine. For now, just focus on the usernames and don't even think about trying to modify this file because it will hurt you! You will need to do some research on this step. Just look up each username with the distro you are using and see what that particular user does. If it is for something like remote access, you definitely want to delete it (unless you plan to use remote access on your machine for some reason). If you are unsure what it does or unsure if what it does is important even after your research... leave it alone! If you know what it does and know that you don't need it, get rid of it!

After leaving nano, you can delete users with the following command (replace "[username]" with the username of the user you want to delete):

Code: [Select]
userdel [username]
Preparing to Modify Sudoers Part 1: The Lecture
It is possible to set up sudoers so that it gives a lecture to anyone who tries to use sudo commands. While this doesn't directly do anything to protect your node, some legalese can scare off potential attackers. Find some laws about computer hacking and unauthorized access in your country and warn people about them and the international treaties that could hold an international hacker guilty of these laws. If you are in the US, feel free to borrow mine:

Code: [Select]
Warning! The machine you are accessing is under constant surveillance! This machine is private property and any and all unauthorized access attempts will be prosecuted under the full extent of the law. This includes International Treaties Laws, the Federal CFAA (Computer Fraud and Abuse Act), the ECPA (Electronic Communications Privacy Act), the CSEA (Cyber Security Enhancement Act), and other non-computer related laws such as the EEA (Economic Espionage Act),  as well as state and local laws including but not limited to the following:

Ala. Code  §§ 13A-8-112, 13A-8-113; Alaska Stat. § 11.46.740; Ariz. Rev. Stat. §§ 13-2316 to 13-2316.02; Ark. Code §§ 5-41-101 to -206; Cal. Penal Code § 502; Colo. Rev. Stat. § 18-5.5-101 to -102; Conn. Gen. Stat. § 53a-250 to 53a-261; Del. Code tit. 11, § 931 to 941; Fla. Stat. § 815.01 to 815.07; Ga. Code §§ 16-9-90 to 16-9-94, §§ 16-9-150 to 16-9-157; Hawaii Rev. Stat. §§ 708-890 to 708-895.7; Idaho Code §18-2201, § 18-2202; 720 ILCS § 5/17-50 to -55; Ind. Code §§ 35-43-1-4, 35-43-2-3; Iowa Code § 716.6B; Kan. Stat. Ann. § 21-5839; Ky. Rev. Stat. §§ 434.840, 434.845,  434.850, 434.851, 434.853, 434.855, 434.860; La. Rev. Stat. Ann. §§ 14:73.1 to 14:73.8; Me. Rev. Stat. Ann. tit. 17-A, § 431 to 435; Md. Code, Crim. Law § 7-302; Mass. Gen. Laws Ann. ch. 266, § 33A; Mich. Comp. Laws §§ 752.791, 752.792, 752.793, 752.794, 752.795, 752.796, 752.797; Minn. Stat. §§ 609.87 to 609.893; Miss. Code § 97-45-1 to 97-45-33; Mo. Rev. Stat. § 537.525, § 569.095, § 569.097, § 569.099; Mont. Code Ann. § 45-2-101, § 45-6-310, § 45-6-311; Neb. Rev. Stat. §§ 28-1341 to 28-1348; Nev. Rev. Stat. § 205.473 to 205.513; N.H. Rev. Stat. Ann. §§ 638:16, 638:17, 638:18, 638:19; N.J. Rev. Stat. §§ 2A:38A-1 to -3, § 2C:20-2, §§ 2C:20-23 to 34; N.M. Stat. Ann. § 30-45-1 to 30-45-7; N.Y. Penal Law § 156.00 to 156.50; N.C. Gen. Stat. § 14-453 to 14-458; N.D. Cent. Code § 12.1-06.1-08; Ohio Rev. Code §§ 2909.01, 2909.04, 2909.07(A)(6), 2913.01 to 2913.04; Okla. Stat. tit. 21, §§ 1951 to 1959; Or. Rev. Stat. § 164.377; 18 Pa. Stat. § 5741 to 5749; R.I. Gen. Laws § 11-52-1 to 11-52-8; S.C. Code § 16-16-10 to 16-16-40; S.D. Cod. Laws § 43-43B-1 to § 43-43B-8; Tenn. Code §§ 39-14-601 to -605; Tex. Penal Code § 33.02; Utah Code § 76-6-702 to 76-6-705; Vt. Stat. Ann. tit. 13, § 4101 to 4107; Va. Code §§ 18.2-152.1 to -152.15, § 19.2-249.2; Wash. Rev. Code § 9A.52.110, § 9A.52.120, § 9A.52.130; W. Va. Code §§ 61-3C-3 to 61-3C-21; Wis. Stat. § 943.70; Wyo. Stat. 
§ 6-3-501 to § 6-3-506, 40-25-101 (2014 H.B. 178, Act 48)

Now, open nano and create the lecture file

Code: [Select]
nano /.lecture
Type in your lecture (with a blank line at the beginning and end of the file for easier readability), then save the file and exit nano. If your lecture is long like mine, you may need to edit some terminal settings to make sure the whole thing shows. If it is a short lecture, skip to the next section. Now we want to edit our grub defaults file with:

First we need to find the maximum resolution your graphics card can handle. First, find your graphics card with this line:

Code: [Select]
lspci -vnn | grep VGA -A 12
Next, look up your graphics card and find out what is the maximum resolution it can handle. Now, open the grub defaults file in nano:

Code: [Select]
nano /etc/default/grub
Now, we have three lines we need to change. Find them if you can; if you can't, make them. Also make sure there are no #'s before these three lines and be sure to replace "[Max Resolution]" with the maximum resolution your graphics card can handle:

Code: [Select]
GRUB_CMDLINE_LINUX="xvga=1366x663"
GRUB_GFXMODE=[Max Resolution]
GRUB_GFXPAYLOAD_LINUX=[Max Resolution]

Save the file and exit nano, then reboot your server and you should be good to go!

Creating New Users (Difficulty Level: Intermediate)
The sudoers file defines who can do what, as which user, on which machine. As you can imagine, this is important for security (as it directly controls who can use the root user for what purposes) but can also be dangerous to modify as it can lock you out of root access when you need it. It is for this reason that we make a special user solely for the purposes of modifying this file in the future.

Note, you don't want the username of this new user to reflect that it is important in any way and you DEFINITELY don't want it to inform a hacker that it has access to the sudoers file so don't call it "sudoers," "visudo," or anything of that nature. Also, naming it a bunch of random characters like "kjfbejvrd65rVRbj" might tell an attacker that this account is special. Just give it a typical username like the first name of a friend of yours, or the name of your dog.

Now to create this account enter the following (replace "[username]" with the username you want to give this user):

Code: [Select]
useradd [username]
Now, make sure you write down this new account's username somewhere. If you cannot access this account in the future, you will not be able to do anything as root (given the sudoers configuration I am going to give you). Next, this account needs a strong password. A strong password actually doesn't mean that it "contains at least one capital letter, one lower case letter, a number, one special character, and the blood of a virgin." While using a variety of characters in unexpected ways adds SOME entropy, using MORE characters adds MORE entropy. To make a nice, strong, long password, visit the following website:

https://xkpasswd.net/s/

Now, the settings for the password generator need to be put in order. You can do what you want, but I would change the settings so that it consists of 10 English words, no capitalizations, with no special characters added anywhere and no digits added anywhere. This would be just for memory purposes. If you don't care how memorable your password is, go to this website, change these settings to include more characters, numbers, and capitalizations. This password will be harder to remember, but will be slightly stronger and still easy to type in. The next step is to write this down and stash it somewhere safe.

Now it is time to actually set the user's password (replace "[username]" with the user whose password you wish to set):

Code: [Select]
passwd [username]
If it asks you to enter a "current password" you are on a user whose password has already been set. It should just ask you to enter a password then confirm it.



Now, it is time to set up your sudoers file. Enter in the following line of code:

Code: [Select]
visudo
(MORE COMING)

Router Programming (Difficulty Level: Very Hard)
It is possible to provide additional DDoS security by programming your router manually through either telnet or direct connection.

Download necessary software
I recommend installing PuTTY because it can handle both telnet and direct connection to the router. You can download it from their website here: http://www.chiark.greenend.org.uk/~sgtatham/putty/

Connect
If you plan to connect directly to the router, plug into the port on the back of router that says "program" or something similar. To telnet in, you may need a password.

Program
So far I have only found DDoS protection programming guides for Cisco routers. If you have a Cisco router, please connect to it and follow the steps outlined here for DDoS protection: http://www.cisco.com/c/en/us/support/docs/security-vpn/kerberos/13634-newsflash.htm

You may need to create an account to view the content. Thank you all!
« Last Edit: February 02, 2015, 07:32:50 pm by colin012 »

colin012

Re: Node Hardening Guide
January 30, 2015, 01:06:20 am

Reserved

colin012

Re: Node Hardening Guide
January 30, 2015, 01:06:35 am

Reserved

colin012

Re: Node Hardening Guide
January 30, 2015, 01:06:48 am

Reserved

colin012

Re: Node Hardening Guide
January 30, 2015, 01:07:02 am

Soon to Come!

  • Finished User Privilege Guide + Sudoers Email Warnings Whenever Someone Uses a Sudo Command!
  • Legalese Warnings To Scare Off Potential Attackers Presented Before All Sudo Commands
  • Kernel Hardening With Grsecurity and Custom Kernel Configurations!
  • Special IPTables Strings Specific to Nxt!
  • Special Nxt Configurations for Public Nodes!
  • Node Clock Syncing for Improved Security
  • Optimized Hard Drive Partitioning for Nxt
  • Automatic Cleaning and Removing of Old Packages
  • Nxt Code Mods to Speed Up Request Handling (BoneCP for Database Query Speed and Constant Declarations for Peer Request Speed)!
  • Building and Configuring Your Own Router with IPFire!
  • Hosting Nxt on Your Custom Built Router to Avoid All Port Forwarding!
  • Flashing a Custom Build On Your Existing Router to Improve Router Performance!
« Last Edit: January 30, 2015, 06:20:18 pm by colin012 »

lucky88888

Re: Node Hardening Guide
January 30, 2015, 03:13:56 am

Good job for the guide!

Will be useful one day! Thanks!
NXT-E328-UJDF-KTGH-9C6YQ
8897013707391239174

colin012

Re: Node Hardening Guide
January 30, 2015, 05:22:25 pm

Quote from: lucky88888
Good job for the guide!

Will be useful one day! Thanks!

Once I get it working on my machine, I will add Linux kernel hardening with grsecurity on here. It is supposed to be relatively easy (e.g. Intermediate - Hard difficulty levels only because some research needs to be done to make sure the kernel is made with the correct settings) but I keep running into little issues that prevent me from getting it to build correctly that I need to look into.

Hopefully I will have an easy to follow guide on getting it to work set up by the end of the week. It is supposed to be one of the best possible things you can do for your server... Especially with the recently discovered Linux security hole (which I only know about second hand but I can guess it is true because all the LTS Vanilla kernels have been updated within the past few days which suggests that it needed to be patched up).

Still, being a paranoid security nut, I hope I can get grsecurity running on my machine!

TheCoinWizard

Re: Node Hardening Guide
January 30, 2015, 06:32:38 pm

Thanks for the beautiful tutorial

Reserved for thanking once the tutorial is finished  ;D
« Last Edit: January 31, 2015, 01:20:02 am by TheCoinWizard »
Welcome to the After Nxt Calendar era...
Which started in the year 222 of the French Republic, Frost month, on the fifth day of the first week, better known as the 2456621th Julian day,
even better known as 24 November 2013 at 12:00:00 UTC.

colin012

Re: Node Hardening Guide
January 30, 2015, 08:18:42 pm

Quote from: TheCoinWizard
Thanks for the beautiful tutorial

It isn't done yet... Lol.

colin012

Re: Node Hardening Guide
February 04, 2015, 03:49:11 pm

Working on sending email when sudo is used ATM. :)

TheCoinWizard

Re: Node Hardening Guide
March 23, 2015, 12:52:35 am

are you sure about this:
Quote
net.ipv4.ip_local_port_range = 16384 65535
since nxt runs lower ranges around 7876?
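
Added example, not part of the thread: `net.ipv4.ip_local_port_range` is the range the kernel picks local (source) ports from for outgoing connections, so the thing to check against it is whether any listening port falls inside that range. The script reads the range from sysctl.conf-style text and compares it with the ports in `ss -ltn` output; the function names, the sample `ss` output, port 22 in it and the commented-out line in the sysctl sample are constructed for the illustration.

```shell
#!/bin/sh
# ephemeral_range: read sysctl.conf-style text on stdin and print "LOW HIGH"
# from the last uncommented net.ipv4.ip_local_port_range line.
ephemeral_range() {
    awk -F= '
        /^[ \t]*[#;]/ { next }
        {
            key = $1; gsub(/[ \t]/, "", key)
            if (key == "net.ipv4.ip_local_port_range") {
                val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val)
                split(val, r, /[ \t]+/); low = r[1]; high = r[2]
            }
        }
        END { if (low != "") print low, high }'
}

# listening_ports: read `ss -ltn` output on stdin, print each local port once.
listening_ports() {
    awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -n -u
}

# ports_in_range LOW HIGH: read ports on stdin, print those inside the range
# as one space-separated line (an empty line when there are none).
ports_in_range() {
    awk -v lo="$1" -v hi="$2" '
        $1 + 0 >= lo + 0 && $1 + 0 <= hi + 0 { printf "%s%s", sep, $1; sep = " " }
        END { print "" }'
}

# The range line from the guide, after a constructed commented-out line.
guide_sysctl() {
    cat <<'EOF'
# net.ipv4.ip_local_port_range = 32768 60999
net.ipv4.tcp_tw_reuse = 1
net.ipv4.ip_local_port_range = 16384 65535
EOF
}

# Constructed `ss -ltn` output for a node listening on 7874 and 7876.
sample_ss() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       50      *:7874               *:*
LISTEN  0       50      127.0.0.1:7876       *:*
LISTEN  0       128     [::]:22              [::]:*
EOF
}

range=$(guide_sysctl | ephemeral_range)
echo "ephemeral range: $range"
echo "listeners inside it: $(sample_ss | listening_ports | ports_in_range $range)"
```

With the guide's range of 16384 to 65535, ports 7874 and 7876 fall outside it, so the second line of output lists no ports.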