System/Network Security
As a security nerd, I am going to attempt to add value to this thread. Since updates are turned off, and there's a pretty wide attack surface, I've been thinking about how to keep my miner(s) isolated from the rest of my systems except for some remote access. Here are some initial thoughts:
- Without hardening the system, I need to put some network access control function/device between my user network and the miners.
- I have an old broadband router that I can put them behind with the "internet side" facing my internal network.
  - Have the "broadband side" configured with a static IP address on my user network
  - Open TCP/22 (for ssh and scp) and redirect it to the first miner. You can use that one as a jump-box to get to the others
  - Open TCP/3389 (Windows Remote Desktop) and have that directed to a Windows box (old laptop perhaps) and use that as a jump-box for about anything
- I actually have several actual firewalls (Forcepoint/Sidewinders and a Palo Alto Networks) that can segment the network for me, not to mention IPS, etc.
  - Open the same ports as above?
ASCII Network Diagram
Internet --> Main firewall --> User Network (where my workstations and servers are) --> Miner Firewall/Broadband-router --> Miner Network
Are there any recommendations on OS hardening you could recommend?
If you know your way around your OS, hardening the system is not that hard. Really.
Center for Internet Security is legit and a good place to start:
https://learn.cisecurity.org/benchmarks (look for Ubuntu Linux 16.04: CIS Ubuntu Linux 16.04 LTS Benchmark version 1.0.0)
- Do not redirect any traffic to the miners. EVER. NEVER use Windows for access to anything you actually value. It's gotten better, but it's still not safe enough to be used to guard the castle.
- If you want to set up a jump server, make it multi-homed. This means that there is one interface plugged into the public network (User Network above) and one interface plugged into the private network (Miner Network above). If you cannot do this, or do not want to create a multi-homed machine, use a single-homed machine and use the router to redirect port 22 to that single-homed machine.
- Do not use passwords alone for users. Use public/private keypairs instead. If you want to be even safer, implement multi-factor authentication. Rudimentary multi-factor authentication can be a combination of public/private keypairs and a password. Here is some good info: https://sysconfig.org.uk/two-factor-authentication-with-ssh.html
- If you want to secure the miner, since nvOC is based on Ubuntu 16.04, use the built-in security tool known as ufw or iptables: https://help.ubuntu.com/lts/serverguide/firewall.html
- Lock down all inbound ports except for port 22 (ssh). Restrict outbound traffic such that you only allow traffic outbound that you know/trust. Know what ports and protocols need to be opened. If you are new to the game, some experimentation will be necessary. If you see a port open and you don't know what it is, close it and see what breaks.
- If you want to have something running that provides a pretty interface, make sure that the provider of that information can only run in userspace and cannot escalate privileges to root. How to do that? Implement sudo properly with a well-constructed sudoers file that limits what commands a given user can execute as root. Make sure that the user that the provider (web server) runs as does not have a real login shell.
- If you need to use Windows Remote Desktop, tunnel it through ssh so it is at least encrypted.
https://www.saotn.org/tunnel-rdp-through-ssh/
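The ufw lockdown described in the reply above (inbound closed except SSH, outbound limited to destinations you trust), as an added example that is not part of the original posts or the nvOC project. The subnet, resolver, NTP server and pool address are placeholders; the script only prints the ufw commands so you can review them before piping them to a shell on the miner.

```shell
#!/usr/bin/env bash
# Emit a ufw ruleset for a miner host on Ubuntu 16.04:
# default deny in both directions, SSH only from the user network,
# outbound only to an explicit allow-list (DNS, NTP, mining pool).
set -u

USER_NET="${USER_NET:-192.168.1.0/24}"   # assumption: the "User Network" subnet
DNS_SERVER="${DNS_SERVER:-192.168.1.1}"   # assumption: resolver on the user network
NTP_SERVER="${NTP_SERVER:-192.168.1.1}"   # assumption: local time source
POOL_HOST="${POOL_HOST:-203.0.113.10}"    # placeholder: resolved pool address
POOL_PORT="${POOL_PORT:-3333}"            # placeholder: pool stratum port

# Print the commands that implement the policy. Review them, then apply on
# the miner with: gen_ufw_rules | sudo sh
gen_ufw_rules() {
  cat <<EOF
ufw --force reset
ufw default deny incoming
ufw default deny outgoing
ufw allow in from ${USER_NET} to any port 22 proto tcp
ufw allow out to ${DNS_SERVER} port 53
ufw allow out to ${NTP_SERVER} port 123 proto udp
ufw allow out to ${POOL_HOST} port ${POOL_PORT} proto tcp
ufw logging on
ufw --force enable
EOF
}

# Sanity check: the policy must contain exactly one inbound allow (SSH).
count_inbound_allows() {
  gen_ufw_rules | grep -c '^ufw allow in '
}

# Sanity check: every outbound allow names a specific host, never "any".
outbound_allows_are_specific() {
  if gen_ufw_rules | grep '^ufw allow out ' | grep -q ' to any'; then
    return 1
  fi
  return 0
}
```

When something stops working after applying the rules, `ufw status verbose` and the ufw log entries in /var/log/ufw.log show which blocked destination to add rather than loosening the default policy.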