San Luis Valley IT

Websites and IT for Southern Colorado

Attack surface reduction for the layperson


It is well-known in the security industry that cyberattacks happen in multiple stages. The first stages are reconnaissance and scanning: searching for a viable target and probing the target for vulnerabilities. These vulns could be already known (but not yet patched on the target), or they could be brand-new vulns exploited as 0-days. Whether the exploit is known or not, attackers must first find exploitable machines.

Reconnaissance often starts with a port scan of a potential target. A typical port scan might look like this:

Nmap scan report for slvit.us (170.249.216.138)
Host is up (0.052s latency).
Other addresses for slvit.us (not scanned): 2600:4c00:200:254::138
rDNS record for 170.249.216.138: atl.slvit.us
Not shown: 996 filtered tcp ports (no-response)
PORT    STATE SERVICE
25/tcp  open  smtp
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https
587/tcp open  submission
993/tcp open  imaps
995/tcp open  pop3s

Nmap done: 1 IP address (1 host up) scanned in 5.08 seconds

This shows a list of open ports and the services that are likely listening on them. Ports are internet communication channels used to direct traffic to the correct program on the server. 80 and 443 go to our web server. 53 serves our domain name. All of the other ports go to our mailserver. You might recognize some of these numbers if you've ever set up a mail client like Thunderbird. SMTP (25) receives mail from the outside world. IMAPS (993) and POP3S (995) let your mail client retrieve incoming mail from the server. Finally, submission (587) is where your mail client hands off outgoing mail for delivery to the world.

Each of these open ports is a gateway from the public internet into a program running on the server. For example, the IMAPS port 993 connects to our mailserver agent, dovecot. You send your login info to that port and it sends back your emails. But what if hackers figure out how to send code to dovecot through port 993? Maybe that code causes dovecot to spill out its emails without the correct login information.

When vulns in the dovecot program are discovered, they are fixed by its developers and the fixes are installed during system updates. But what if our dovecot unknowingly fell out of date? And what if hackers discover the vuln first and exploit it as a 0-day? Clearly, no internet-facing services are safe!

What we can do, however, is limit the number of open ports that hackers can scan for vulns. This can be done by reconfiguring the machine's firewall. Here is a scan on the same server with most of the mailserver ports blocked:

Nmap scan report for slvit.us (170.249.216.138)
Host is up (0.052s latency).
Other addresses for slvit.us (not scanned): 2600:4c00:200:254::138
rDNS record for 170.249.216.138: atl.slvit.us
Not shown: 996 filtered tcp ports (no-response)
PORT    STATE SERVICE
25/tcp  open  smtp
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 5.08 seconds

The only mailserver port still open is 25, used to receive mail from the internet. The ports to retrieve and send mail are now closed. The effect is twofold: the hacker cannot know that a service is running on the other ports, and the hacker cannot send exploit code to those services even if their existence is suspected. So the service has effectively disappeared from the outside world.

This is great so long as you don't need to check your email from the outside world. Blocking those ports means they're blocked for you too. So the firewall must be configured such that access is limited rather than blocked off entirely. It's easy to do this for computers on a local network: for example, access can be granted exclusively to the IP addresses of the computers in the office. This is effective but doesn't work for devices such as mobile phones, which change IP addresses as they move around.

The best way to block public access to services while still granting it to specific devices is with a Virtual Private Network (VPN). This acts as a virtual LAN, making devices around the world appear to be in the same office. The firewall can then limit access to sensitive services to devices on the VPN. As an added bonus, the VPN encrypts all traffic between the user's device and the service, providing added protection against tracking and man-in-the-middle attacks.
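Here is what that firewall policy looks like as an nftables ruleset. This is an added example, not the configuration actually running on slvit.us; it assumes the VPN is a WireGuard tunnel on interface wg0 listening on UDP 51820, that VPN clients get addresses in 10.8.0.0/24, and that the office has a fixed address 203.0.113.10 (all placeholders). The wide-open "before" version is shown as a comment next to the corrected rules.

```nft
#!/usr/sbin/nft -f
# Added example ruleset. Interface name, VPN port, VPN subnet and office
# address are placeholders for this illustration, not real values.
flush ruleset

table inet filter {
    chain input {
        # Default to drop: unreachable ports answer nothing, so a scanner
        # reports them as "filtered (no-response)" rather than "closed".
        type filter hook input priority 0; policy drop;

        # Loopback, and replies to connections this host started.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP is needed for path MTU discovery and IPv6 neighbour discovery.
        meta l4proto { icmp, icmpv6 } accept

        # BEFORE (every service exposed to the whole internet):
        #   tcp dport { 25, 53, 80, 443, 587, 993, 995 } accept

        # AFTER: only the website, DNS and inbound mail delivery are public.
        tcp dport { 80, 443 } accept
        tcp dport 53 accept
        udp dport 53 accept
        tcp dport 25 accept

        # The VPN endpoint itself must stay reachable so clients can connect.
        udp dport 51820 accept

        # Mail-client ports (submission, IMAPS, POP3S) only via the VPN tunnel
        # or from the office's fixed address.
        iifname "wg0" tcp dport { 587, 993, 995 } accept
        ip saddr 203.0.113.10 tcp dport { 587, 993, 995 } accept
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output  priority 0; policy accept; }
}
```

Check the syntax with `nft -c -f <file>` before loading it with `nft -f <file>`, then repeat the port scan from a device that is not on the VPN to confirm that only 25, 53, 80 and 443 remain visible.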
