Add secure your own devices

5804b770 · Sven Mäder · 967e4ae4 · 5804b770 · 5804b770
Commit 5804b770 authored 4 years ago by Sven Mäder
--- a/network/index.markdown
+++ b/network/index.markdown
@@ -16,6 +16,15 @@ All registered computers are automatically listed in the dynamic DNS under the n

 Registrations expire 45 days after the last usage of the computer in our network. Machines registered to you can also be directly reactivated on https://registration.phys.ethz.ch/. This page also shows the `Sent Name` of your machine, that is used for the `sentname.dhcp.phys.ethz.ch` DynDNS.

+### Other networks
+
+Unlike the main D-PHYS network, which is almost fully accessible from anywhere on the internet,
+computers can now also be registered for firewalled networks as they are usually found in companies.
+This will massively reduce the attack surface and means less headaches for you to keep your device [[secured|secure your own device]] at all times.
+
+Please let us know if you would like your office computers or lab devices to be placed in a more (firewall) restricted network,
+when you [[register|How to get network access]] your device.
+
 Wireless Network
 ----------------

@@ -30,3 +39,5 @@ Security Policy
 ---------------

 All computers connecting to a network on ETH campus have to adhere to the [security policies](https://www.ethz.ch/services/en/it-services/documents.html). This includes that the computers must be free of any viruses/malware/bots and that the access to the network can be blocked if those requirements are not fulfilled.
+
+Please refer to our basic checklist that should help you to [[secure your own device]].
--- a/network/secure_your_own_device.markdown
+++ b/network/secure_your_own_device.markdown
+Secure your own device
+======================
+
+The main D-PHYS network is different from your network at home or from usual corporate networks.
+It has an almost fully open firewall to allow connections to arbitrary ports and services on your device.
+If your computer is not configured correctly and exposes vulnerable services to the network,
+it is at risk of beeing attacked from the whole internet.
+
+This page provides a rough checklist what you should do to minimize the attack surface
+and greatly reduce the chances that your device will be hacked.
+
+If some of the steps described here do not mean anything to you or if you would like to have
+less headaches keeping your device secure in an open network, **[[please contact us|/services/contact]]**!
+We will help you or place your device in a [[more restricted (firewalled) network|/network#other-networks]],
+where it cannot be accessed directly (without VPN) from the internet.
+
+All operating systems
+---------------------
+
+- **Always** have your device/software fully updated
+- [[Use good passwords|/documentation/how_to_handle_passwords]]
+- Never install software from untrusted sources
+- Enable your host firewall
+- Only expose services (ports) needed
+
+More detailed recommendations can be found on [itsecurity.ethz.ch](itsecurity.ethz.ch).
+
+Windows
+-------
+
+- todo
+
+MacOS
+-----
+
+- todo
+
+Linux
+-----
+
+All example configs and commands are for most recent Debian installation or derivatives (Debian, Ubuntu, Raspbian)
+and may need adaptions for other distributions.
+
+- **Always change default passwords** of default users (root, pi, ...)
+- Install packages from trusted repositories only
+
+### Secure SSH access to use [[key-based authentication|/documentation/ssh_keys]] only
+
+Edit `/etc/ssh/sshd_config`:
+
+```
+PermitRootLogin without-password
+ChallengeResponseAuthentication no
+PasswordAuthentication no
+AuthorizedKeysFile .ssh/authorized_keys
+```
+
+Restart sshd: `systemctl restart sshd.service`
+
+This is the most secure option and will disable password-based authentication.
+
+### Secure SSH access with passwords
+
+Alternatively enable password-based authentication for non-root users and limit the allowed users:
+
+```
+PermitRootLogin without-password
+ChallengeResponseAuthentication no
+PasswordAuthentication yes
+AuthorizedKeysFile .ssh/authorized_keys
+AllowUsers root alice bob
+```
+
+Restart sshd: `systemctl restart sshd.service`
+
+Install [fail2ban](https://www.fail2ban.org) to slow down brute-force attacks:
+
+```bash
+apt install fail2ban
+```
+
+[[Use good passwords|/documentation/how_to_handle_passwords]]!
+
+### Enable automatic update installation
+
+- Recommended: `apt install aptitude-robot`
+- Alternative: Install and configure `cron-apt`
+
+### Secure services and ports
+
+Keep the list of services exposed to the network as small as possible.
+Exposed here means services listening on non-loopback interfaces.
+To check that use the following command:
+
+```bash
+ss -tulpn
+```
+
+All sockets listed column `Local Address:Port` that are NOT listening on
+`127.0.0.1` (IPv4 loopback address) or `[::1]` (IPv6 loopback address)
+may be exposted to the network. This includes any explicit IP adresses
+or all addresses/interfaces, noted as `0.0.0.0` (IPv4) and `[::]` (IPv6).
+
+If some services are needed/exposed, secure them by configuration or firewall.
+
+### Avoid high risk and unencrypted services
+
+The following list of services/ports are known to be vulnerable
+and should be avoided/protected at all cost:
+
+- Telnet: `23`
+- FTP: `21`, `22`
+- VNC: `5900+N`
+- mDNS: `5353`
+
+See also [SWITCH report of vulnerable services](https://www.switch.ch/fr/security/info/report/vulnerable/).
+
+### Use a host firewall
+
+Additionally or alternatively to securing services, install and configure a host firewall
+using either [iptables](https://wiki.archlinux.org/index.php/iptables),
+[nftables](https://wiki.archlinux.org/index.php/nftables) or
+[ufw](https://ubuntu.com/server/docs/security-firewall).
+
+Very simple example using `ufw` (Uncomplicated Firewall) to allow SSH access only:
+
+```bash
+apt install ufw
+ufw enable
+ufw allow 22
+```