=== Server Details ===
Vendor: Digital Ocean. \\
Account: devops@expertus.com \\
Instance name: secscan.exphosted.com (DNS zone not public) \\
IP Address: 107.170.34.185 \\
Nexpose dashboard: 107.170.34.185:3780 \\

=== Software Shortlisted: ===
Nexpose, OpenVAS, Brakeman. \\
Nexpose and OpenVAS (a Nessus fork) were shortlisted from the recommendations published by SANS and OWASP; Nexpose was used to conduct the security scan. Prior experience and vulnerability database coverage were the two decisive factors in the selection. Two scans were conducted. The results revealed many security issues, which were documented in the issue tracker. \\

=== Scan profiles: ===
== External User Scan: ==
The default Extensive profile (shipped with Nexpose) was modified to include web spidering, OS fingerprinting and scanning, the potential-vulnerability option (unconfirmed findings are reported as well, which broadens the attack range) and the destructive scan option (checks that may disrupt the scanned services). No credentials were applied, so this scan shows what an unauthenticated external user can reach. \\

== Exhaustive Scan: ==
The default Exhaustive profile (shipped with Nexpose) was modified to include web spidering, OS fingerprinting, credentialed scanning and the destructive scan option. Admin user login credentials were also configured, so this scan also covers issues that are only visible from inside the host (patch level, local configuration). \\
== Brakeman: ==
Brakeman was executed to perform the following checks: BasicAuth, ContentTag, CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions, DigestDoS, EscapeFunction, Evaluation, Execute, FileAccess, FilterSkipping, ForgerySetting, HeaderDoS, I18nXSS, JRubyXML, JSONParsing, LinkTo, LinkToHref, MailTo, MassAssignment, ModelAttrAccessible, ModelAttributes, ModelSerialize, NestedAttributes, NumberToCurrency, QuoteTableName, Redirect, Render, RenderDoS, ResponseSplitting, SQL, SSLVerify, SafeBufferManipulation, SanitizeMethods, SelectTag, SelectVulnerability, Send, SendFile, SessionSettings, SimpleFormat, SingleQuotes, SkipBeforeFilter, StripTags, SymbolDoS, TranslateBug, UnsafeReflection, ValidationRegex, WithoutProtection, YAMLParsing.

=== How to repeat in future ===
Get a trial key from Nexpose. \\
Start the server (details above), log in to the UI and apply the trial key. \\
The scan profiles are already stored; click the green play button to initiate the scan. \\

=== Server Hardening Tips ===
Make sure that internal systems are protected from external threats.

STEP 1: Restrict SSH to the internal networks. Add and run this script from crontab or /etc/rc.local (fail2ban, which bans sources after repeated failed logins, complements this allowlist but does not replace it):

<code bash>
#!/bin/bash
# Rebuild the SSH allowlist on every run: only the listed internal networks
# may open new SSH connections; SSH from anywhere else is dropped.
# The default INPUT policy is left at ACCEPT, so this restricts SSH only,
# not the other services on the host.
iptables -F
iptables -X
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -p tcp --dport 22 -s 192.168.2.0/24,192.168.3.0/24,192.168.7.0/25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
# Persist across reboots on CentOS (requires the iptables-services package);
# on Debian use the iptables-persistent package (netfilter-persistent save) instead.
service iptables save
</code>

Run it for the first time from a console session, or from an SSH session that originates inside one of the allowed networks, otherwise the session running it is cut off by the final DROP rule.

STEP 2: Install Rootkit Hunter. \\
For CentOS: yum install rkhunter \\
For Debian: apt-get install rkhunter \\
To check: rkhunter -c (collect the report, or run this daily or weekly and collect the log).

STEP 3: Audit the system with Lynis. For the first run (the clone creates the directory /opt/Lynis, which the remote command below relies on):

<code bash>
cd /opt
git clone https://github.com/CISOfy/Lynis
cd Lynis
./lynis audit system -Q
</code>

To collect the report remotely (the target host after root@ was left blank on the original page):

<code bash>
ssh -t -i /root/.ssh/id_rsa_automated root@ "cd /opt/Lynis; ./lynis -c -Q -q"
</code>
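To make the Brakeman step repeatable alongside the Nexpose scan, the following is an added example (not code from the original page or from the Brakeman project) of a small gate that reads Brakeman's JSON report and fails when warnings at or above a chosen confidence remain. It assumes the report was produced with something like `brakeman -f json -o brakeman.json -t SQL,CrossSiteScripting,...` using the check names listed above; the embedded report is a constructed sample in the shape of Brakeman's JSON output, not real scan results. Brakeman rates each warning as High, Medium or Weak, and a release gate normally fails on High and Medium while Weak findings go to the issue tracker for review.

```ruby
#!/usr/bin/env ruby
# Added example: gate a Brakeman JSON report by confidence and check name.
# Not part of the original page; the sample report below is constructed.
require 'json'

# Brakeman's confidence labels, ranked so they can be compared.
CONFIDENCE_RANK = { 'High' => 3, 'Medium' => 2, 'Weak' => 1 }.freeze

# Returns the warnings at or above min_confidence, restricted to the named
# checks (nil = every check), most confident first.
def select_warnings(report, min_confidence: 'Medium', checks: nil)
  threshold = CONFIDENCE_RANK.fetch(min_confidence)
  report.fetch('warnings', []).select do |w|
    CONFIDENCE_RANK.fetch(w['confidence'], 0) >= threshold &&
      (checks.nil? || checks.include?(w['check_name']))
  end.sort_by { |w| [-CONFIDENCE_RANK.fetch(w['confidence'], 0), w['file'].to_s, w['line'].to_i] }
end

# Returns [exit_code, report_lines]: exit code 1 when anything remains above
# the threshold, 0 otherwise, plus one printable line per finding.
def gate(json_text, min_confidence: 'Medium', checks: nil)
  report = JSON.parse(json_text)
  hits = select_warnings(report, min_confidence: min_confidence, checks: checks)
  lines = hits.map do |w|
    format('%-6s %-20s %s:%s %s', w['confidence'], w['check_name'], w['file'], w['line'], w['message'])
  end
  [hits.empty? ? 0 : 1, lines]
end

# Constructed sample in the shape Brakeman's JSON formatter emits (not a real scan).
SAMPLE_REPORT = <<~'JSON'
  {
    "scan_info": {"app_path": "/srv/app", "rails_version": "4.2.0", "security_warnings": 3},
    "warnings": [
      {"warning_type": "SQL Injection", "warning_code": 0, "check_name": "SQL",
       "message": "Possible SQL injection", "file": "app/models/user.rb", "line": 42,
       "code": "User.where(\"name = '#{params[:name]}'\")", "confidence": "High"},
      {"warning_type": "Cross-Site Scripting", "warning_code": 2, "check_name": "CrossSiteScripting",
       "message": "Unescaped model attribute", "file": "app/views/users/show.html.erb", "line": 7,
       "code": "User.find(params[:id]).bio", "confidence": "Medium"},
      {"warning_type": "Mass Assignment", "warning_code": 17, "check_name": "MassAssignment",
       "message": "Potentially dangerous attribute available for mass assignment",
       "file": "app/models/user.rb", "line": 3, "code": "attr_accessible :admin", "confidence": "Weak"}
    ],
    "errors": [],
    "ignored_warnings": []
  }
JSON

if $PROGRAM_NAME == __FILE__
  # With a path argument, read a real report; otherwise demonstrate on the sample.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_REPORT
  code, lines = gate(text, min_confidence: 'Medium')
  puts lines
  exit(code) if ARGV[0] # only fail the build when a real report was supplied
end
```

Run as `ruby brakeman_gate.rb brakeman.json` from the same job that runs Brakeman; pass `checks:` (for example the checks the page lists) to gate only on the categories the team has agreed to block on, and lower `min_confidence` to `'Weak'` when producing the list for the issue tracker.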