Posted: . At: 9:03 AM. This was 2 years ago. Post ID: 14517


My chosen penetration testing tools.


There are a few penetration testing tools available on Linux. One famous tool is Nmap.

This is a port-scanning tool capable of finding open ports on remote systems in order to test the security of that machine. It is used to test a firewall or equivalent security control to ensure that only the ports that are really needed are opened to the world. Nmap may also reveal which operating system, and which kernel version, happens to be running on the remote machine; this is important when deciding which attacks will be required. This tool, together with a custom utility named sshnuke, was shown accurately in the film The Matrix Reloaded.

Nikto is an open-source program that scans a web server to find vulnerabilities in the setup of the web server and/or the software running on it. It can find outdated software running on a website, or any other problems that could be a security vulnerability. This is very important: an ethical penetration test of your own web server with this tool could find serious problems before they are exploited.

WPScan scans WordPress websites for vulnerabilities in the version of WordPress installed on the web server. If a vulnerability is found, it is listed together with a URL that gives more information about it.

WhatWeb is a tool that tells you what software is running on a website, and which version of it. It is not very useful on modern Cloudflare-protected websites, but it is still worth keeping in your arsenal.

Wireshark is a network (including wireless) scanning tool that captures all packets travelling over the network. This can be used to see what type of devices are on the network, as the contents of the packets include information on the type of router that is routing them, which in turn can be used to check whether there are known vulnerabilities in that hardware. Researching the hardware can also turn up the default login details for the device; it may still be configured with the unchanged defaults, and this could be used to gain further access to the network. A user at the stage of logging in over an SSH connection can be spotted with Wireshark, so this utility is very useful, as is getting a picture of what network usage is like on a certain day. This can be used to spot patterns that could be changed or exploited.

Sqlmap is a tool used to scan for SQL injection vulnerabilities on a website and to experiment further to possibly gain access to the website using SQL injection techniques. It supports all popular databases and can also crack password hashes that it finds in the database.

Burp Suite is an integrated suite for testing a particular target and then using advanced techniques to exploit any vulnerabilities found, through an easy-to-use GUI.

My cloud-based AWS system is protected by an encrypted VPN: authenticating to the VPN by connecting on HTTPS port 443 is required before I can reach my Ubuntu instance over SSH on port 22. This is to ensure maximum security for the network connection; I use an encrypted tunnel, and my instance is then secure from unwanted access. SSH keys are required to access the command-line interface, which is yet another security method.
Threats to my AWS instance:

  • Sniffing of passwords. If someone were able to sniff my AWS login details on open WiFi, they could log in, change my setup and open other ports to access my Ubuntu instance and obtain root access.
  • Theft of VPN keys. If my VPN keys were stolen, an attacker could connect straight to the VPN, but they would also need the SSH key to get command-line access to the Ubuntu instance. This would be a concern if my laptop were stolen and the thief was knowledgeable enough to exploit this and steal data.
  • Security breach on the Amazon site itself. The Amazon website itself could be compromised. This is of a lower probability than other security breaches, but it could happen, and it would result in the theft of a database containing encrypted passwords and users' e-mail addresses.

An Amazon AWS account has been compromised in the past, but the attackers did not manage to gain access to the server itself, only to the AWS console (Goodin, 2014). This still allowed them to delete backups and snapshots of the instances. A secure account with a very strong password would reduce the risk of this occurring. Two-factor authentication would be another way to prevent security breaches of an AWS account and the subsequent loss of data; Amazon does offer Multi-Factor Authentication, which would be a strong method of securing the console from unwanted access. One concern is the OpenVPN vulnerability to the Bash Shellshock bug (Mimoso, 2014), but proper configuration of the OpenVPN server will avoid this security risk.

The security group on the instance needs to be configured properly to allow only certain traffic through to the instance. If I only have one port open, the others will not be visible.
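One way to verify that a security group really only exposes the VPN port, as an added example that is not part of the original post: the function below reads the IpPermissions structure that the EC2 DescribeSecurityGroups API returns and reports anything reachable from the Internet other than TCP 443. The sample group is constructed for the example.

```python
"""Review an EC2 security group's inbound rules against the intended exposure.
Added example, not from the original post. It reads the IpPermissions shape
returned by the EC2 DescribeSecurityGroups API; the sample group is constructed."""

ANY_PROTOCOL = "-1"                 # EC2 encodes "all traffic" as protocol -1
PUBLIC = ("0.0.0.0/0", "::/0")      # sources that mean "the whole Internet"


def audit_ingress(permissions, allowed=frozenset({("tcp", 443)})):
    """Return findings for anything Internet-reachable beyond the allowed
    (protocol, port) pairs; an empty list means the group matches the plan."""
    findings = []
    for rule in permissions:
        proto = rule.get("IpProtocol")
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        public = ", ".join(c for c in cidrs if c in PUBLIC)
        if not public:
            continue                    # restricted source: out of scope here
        if proto == ANY_PROTOCOL:
            findings.append(f"all protocols and ports open to {public}")
            continue
        for port in range(rule["FromPort"], rule["ToPort"] + 1):
            if (proto, port) not in allowed:
                findings.append(f"{proto}/{port} open to {public}")
    return findings


# Constructed sample: the intended VPN port plus two common mistakes.
SAMPLE_GROUP = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},         # the OpenVPN listener
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},         # SSH left world-reachable
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.8.0.0/24"}]},       # SSH from the VPN subnet only
    {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},  # everything over IPv6
]

if __name__ == "__main__":
    for line in audit_ingress(SAMPLE_GROUP) or ["ok: only tcp/443 is exposed"]:
        print(line)
```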

Sustainability of the cloud instance

The cloud instance consumes power, and this results in an amount of CO2 released into the environment. Virtualizing a server allows fewer resources to be used to deploy a server instance: it only adds usage of the host's CPU and the RAM needed to run the extra Hyper-V virtual machine. Using one powerful machine to run virtual servers requires less air conditioning than running a whole server farm of physical servers.

Networking is also easier, as you do not need a whole range of physical switches and cabling. The virtual machine may use a virtual switch to create subnets and manage connections between the server(s) and the client machines. Not using physical switches also results in a cost saving for the business: switches have fans, generate heat and consume power during operation, whereas a virtual switch may be deleted and remade whenever you wish to change the configuration of the virtual network.

Virtualized hard disk drives are another advantage of the Hyper-V technology over physical drives. A large array of physical drives means more heat released into the room and, again, more air conditioning. These measures ensure that the carbon footprint of the virtual network is much lower than that of a real physical network (Citrix, n.d.). Less space is taken up by the server hardware in the data centre, which once again means lower costs and far less air conditioning required (Malmborg, 2012). Therefore we have:

  • Lower costs due to a virtualized server instance.
  • Less space is taken up by server racks and switches.
  • Less lighting is required for the server rooms. They can be remotely managed.
  • If a certain VM only needs a certain amount of server resources, it does not make sense to dedicate a physical machine to run the server instance. A Citrix XenServer or Hyper-V instance can run this with lower costs and less power usage.

This is the OpenVPN configuration file I am using for the cloud instance.

# OpenVPN reads one directive per line; '#' and ';' start comments.
# Tunnel subnet: the server takes 10.8.0.1, clients get the remaining addresses.
server 10.8.0.0 255.255.255.0
verb 3
# Allow several clients to connect using the same certificate common name.
duplicate-cn
key server-key.pem
ca ca.pem
cert server-cert.pem
dh dh.pem
keepalive 10 120
persist-key
persist-tun
comp-lzo
# Route all client traffic through the tunnel and hand out the DNS servers.
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Drop privileges once the tunnel is up.
user nobody
group nogroup
proto tcp
port 443
dev tun1194
status openvpn-status-1194.log

This is a standard configuration: the server listens for connections on TCP port 443 and takes the address 10.8.0.1 on the VPN subnet. The DNS servers pushed to clients are 8.8.8.8 and 8.8.4.4; these are Google DNS addresses and are fine for this purpose.
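As an added example (not the post's own code, and not part of OpenVPN), the following Python parses the directive-per-line format used above, derives the 10.8.0.1 server address and the pushed DNS servers the post describes, and flags the two directives, comp-lzo and duplicate-cn, that a config reviewer would question; the reasons given for those notes are the example's own.

```python
"""Parse an OpenVPN server config and check what the post says about it.
Added example, not part of the original post or of OpenVPN; the review notes
on comp-lzo and duplicate-cn are the example's own, not the post's."""
import ipaddress
import shlex

# Constructed excerpt of the post's config: the directives relevant here,
# one per line as OpenVPN requires.
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
duplicate-cn
comp-lzo
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
proto tcp
port 443
"""

# Directives current OpenVPN releases warn about, with the reviewer's reason.
REVIEW_NOTES = {
    "comp-lzo": "compression is deprecated; OpenVPN advises leaving it off",
    "duplicate-cn": "clients sharing one certificate cannot be told apart or revoked individually",
}

def parse_conf(text):
    """Return (directive, args) pairs in order; '#' and ';' start comments."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            name, *args = shlex.split(line)   # keeps quoted push arguments whole
            directives.append((name, args))
    return directives


def summarize(text):
    """Derive the server's tunnel address, listener and pushed DNS, plus notes."""
    info = {"dns": [], "notes": []}
    for name, args in parse_conf(text):
        if name == "server":   # the server takes the first host address of the subnet
            info["server_ip"] = str(ipaddress.IPv4Network((args[0], args[1]))[1])
        elif name in ("port", "proto"):
            info[name] = args[0]
        elif name == "push" and args[0].startswith("dhcp-option DNS "):
            info["dns"].append(args[0].split()[-1])
        elif name in REVIEW_NOTES:
            info["notes"].append(f"{name}: {REVIEW_NOTES[name]}")
    return info
```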

