Security and Obscurity



“In security engineering, security through obscurity (or security by obscu rity) is the reliance on the secrecy of the design or implementation as the main method of providing security for a system or component of a system. A system or component relying on obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that if the flaws are not known, that will be sufficient to prevent a successful attack. Security experts have rejected this view as far back as 1851, and advise that obscurity should never be the only security mechanism.” https://en.wikipedia.org/wiki/Security_through_obscurity

We often rely on our security being through some sort of obscurity. “If they don’t know about it, they can’t use it to get in.” Common household door locks only have so many combinations, yet we can rely on the lock of our front doors because we know that a thief would have to try every combination or break-the-door-down. However, on the Internet, who is watching your front door, so a thief cannot try every combination? Fortunately, our web-server has an access.log file that is automatically updated and archived for us. Let’s start there and see if anyone has left their “footprints” on your web server.

Is anyone trying to gain access?

If you are running a LAMP setup on a Raspberry Pi , open-up a terminal window and type in the following:

cd /var/log/apache2/

zcat access.log* | awk '{print $1}' | sort -n | uniq -c | sort -nr | head -20

The output should be a list with two columns, one containing the number of entries counted, and the second column is the IP address associated with each web request made. The easiest way to get the most information from a reverse IP lookup is by using the following command:

curl ipinfo.io/REPLACE.WITH.IP.ADDRESS.TO.LOOKUP

Rather than rely on an external web service, you can do some digging after you install some tools that are not included by default with the Pi:

sudo apt-get install geoip-bin geoiplookup IP.ADDRESS

Here is a good article on using geoiplookup. Even more advanced digging not included by default with the Pi:

sudo apt-get install dnsutils dig -x IP.ADDRESS

Does the location seem suspicious? Try grepping for the activity, the zgrep command includes the compressed files:

zgrep 'IP.ADDRESS' access.log* -1

By looking at the web requests that were made from the IP address, you can determine whether the activity is suspicious. Typically, you will find that these IP addresses are from bots looking for vulnerabilities in your security. You can manually block IP addresses to your blacklist or you can just deny all and allow select IP addresses. If you haven’t already, you’ll want to install and setup a firewall.