As already mentioned at some point, gathering Security-related data can be difficult, given that most won’t be sharing their incident-related low-level data anytime soon (not to imply they should).
But also, I talk about security monitoring data, and… I don’t even gather it myself…
Until now, that is.
Setting up a home server for security
OK so this time around, a bit tired of looking for external data sources, while not improving my security at home in any way, even on weekends, I decided I would go the “extra mile” and set up a lab at home (as many have done before me).
Given limited capacities of the router provided by my ISP, what I would do would be to set up a more complete Wifi Access Point for my more “sensitive devices” (i.e. work laptop(s) and the likes…). That way, I won’t be affecting anyone else at home, but I will still be able to monitor everything that my devices are doing (thereby providing myself with (hopefully) interesting data to analyse at a later point.
So first thing first, I need an “AP”. A new, dedicated, home wifi will be a good start anyway, and I’ll make sure I make the AP into a network sensor of sorts.
But I want more than that:
- It needs to have a firewall (duh!)
- It needs to be able to collect “logs” and (maybe, we’ll see) netflow data
- I’ll want to set up a DNS server to be able (hopefully) to create a DNS SinkHole later on for anything I don’t want to happen (ads and the likes)
- I’ll also want to have it run my R Scripts and Shiny Dashboards
- I’ll want to be able to connect to it remotely (i.e. get rid of the Screen cable, so SSH for now, but also at some point a VPN Server)
- And a long list of potential ideas (proxying web traffic for one, setting up an IDS (Snort or similar), have the thing monitoring itself, maybe play with ELK…)
As this is a bit ambitious (think “SOC for my personal activity”), a wifi router won’t cut it. So I thought I would create a “Home Security Server” of sorts.
Step 1: Buying a “server”
- As this is mostly a lab (I can always switch back to the normal home wifi), no redundancy is required (maybe a UPS and clustering at some point in the future would be good, but not a requirement yet)
- Obviously I’ll need a WIFI interface (and an Ethernet to connect to the home router)
- I don’t want it to spend too much power, so passive cooling might be good
- Sufficient RAM and multi-core CPU would be good (I plan on using Docker later on)
- And it needs to be reasonably cheap.
Hence a “mini PC” approach. In this case, I bought a CHUWI HEROBOOK a couple of weeks ago. That’s about it for the hardware part (a couple of Cat. 6 RJ45 cables won’t be a waste either).
Basic setup
Next, I need to decide on a host platform. Fast decision (neither good nor bad): I will use Ubuntu Server (20.04, Stable).
So I create a bootable USB drive with just that, quite simply following the steps as provided by the people at Ubuntu (https://ubuntu.com/tutorials/create-a-usb-stick-on-windows#1-overview). Then I installed with mostly defaults. Works like a charm, but… As usual, networking tools are not there.
I needed to fix that, and so I followed a mix of different resources out there:
https://linuxhint.com/ubuntu_20-04_network_configuration/
https://askubuntu.com/questions/869461/how-do-i-configure-this-interface-for-a-static-address
Just to get the interface up and running. The “ip address” command gave me the name of the interface and its MAC address. I first configured the DHCP server of the LAN interfaces on my router to give this new “server” a static IP address (that might be useful in the future, although not yet an actual need). Then I connected an RJ45 cable and needed to bring up the Ethernet interface.
At the end, for me it meant editing the /etc/netplan/00-installer-config.yaml (after backing it up) to appear like so (spacing not reflected here, I’ll need to look into that):
network: ethernets: enp2s0: dhcp4: yes addresses: [] version: 2
Then:
netplan try
And Enter. That did the trick, as now “ip address” showed the IP address I chose to assign on my router. Good.
At this point, first thing first: Update, Upgrade… This takes a few minutes… Let’s plan the next steps.
Next-up: net-tools
OK so I have a connected and updated “server”. That’s a start. Before going any further, maybe it’s just me, but not having even “ifconfig” commands bugs me. And so I install net-tools.
apt-get install net-tools
I already feel much better.
Then, of course: Firewall
I might be a bit old school, but I’m used to it, so my new server will “sport” a good ol’ iptables. It was already there, so let’s make it a bit better than default, by (for now) blocking all input (relevant note: At this point I’m working locally, usb keyboard, HDMI screen… Not much use for a mouse though as there is no GUI here…).
As I don’t really remember all I should by heart (it’s been quite a while since I last did this kind of things), I’ll go and fetch “inspiration”. I want to make iptables config persistent, which in the past involved some iptables-save and some checking through reboots… Let’s follow some how-to out there:
https://sharadchhetri.com/save-iptables-permanently-on-ubuntu/
No IPv6 for me (home setup doesn’t really need that). Then a few useful rules, I choose and adapt freely from:
(I won’t be sharing my specific choices, but if in the future I need to explain some, I’ll do so).
SSH Server
So I saved a rule to allow for SSH access to my new server in the step above. But I need to set SSH Server up. As it turns out, I selected it upon install. So let’s just “bastion it” a bit, and to do that, I’ll just add certificate-based authentication, and then disable password-based login…
References used:
https://www.answertopia.com/ubuntu/configuring-ssh-key-based-authentication-on-ubuntu/
That’s better, I can disconnect my screen (and keyboard) from the server, and connect it back to my laptop to keep working.
Getting rid of the cable (next week)
So initially, I wanted to do all this to create an “Access Point”. For now, I have a new “server” connected with a cable to the router. But this “post” is getting too long, so I’ll inform about that next week.
TO BE CONTINUED…