OSS Ramblings

http://www.ossramblings.com/taxonomy/term/239

security

My HIMSS Summary

After spending last week at the HIMSS (Healthcare and Information Management Systems Society) conference in Atlanta, I came away with some good information and some interesting observations.

Unlike most vendors who work with hospitals, I was not there to exhibit. I was an attendee, and I go to get the latest information regarding healthcare IT and security. Some of the topics in the education sessions are more important to me than others, but that's the great thing about this conference - you get to pick what classes you go to and there's a wide variety.

Most attendees, upon learning I was not exhibiting, would ask "Why are you attending?" My answer is an emphatic "The real question is, why are your other vendors NOT attending?" If you are going to manage terabytes of healthcare information, I believe this conference is a must. They cover everything from "Meaningful Use" (which I'm not as interested in) to "HITECH Security", which everyone should be interested in.



Disabling USB Storage in Ubuntu for Security

For security reasons, many businesses are completely disabling USB storage devices on the computers at work. Particularly if you are like me and work with healthcare information, it's doubly important that no one can bring in a virus and that no one can leave with any private information.

On Linux the risk from viruses is small to nonexistent; however, USB sticks still automatically mount for reading and writing. There's an easy way in recent Ubuntu distributions to disable USB storage devices. Simply blacklist the kernel driver (note that the redirection has to happen as root, so a plain "sudo echo ... >>" would fail with a permission error):

echo "blacklist usb-storage" | sudo tee -a /etc/modprobe.d/blacklist.conf

After that, nobody can use a USB memory stick in that computer, but an administrator can still manually load the module and use it.
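The following is an added example, not code from the original post: it wraps the blacklist step in small POSIX shell functions so the change is idempotent (running it twice does not duplicate the line) and so you can check whether usb-storage is still loaded, since a blacklist only stops udev's automatic loading and does nothing to a module that is already in memory until it is unloaded or the machine reboots. The config file path is a parameter so the functions can be exercised on a scratch file; the real target on Ubuntu is /etc/modprobe.d/blacklist.conf.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent modprobe blacklist
# management plus a "is it loaded right now" check. FILE is passed in so the
# functions can be tested against a temporary file instead of /etc.

# is_blacklisted FILE MODULE -> exit 0 if FILE already has a "blacklist MODULE" line
is_blacklisted() {
    grep -Eq "^[[:space:]]*blacklist[[:space:]]+$2([[:space:]]|$)" "$1" 2>/dev/null
}

# ensure_blacklisted FILE MODULE -> append the line only when it is missing.
# Under /etc the whole function must run as root (e.g. "sudo sh script.sh");
# "sudo echo ... >> file" alone fails because the unprivileged shell opens the file.
ensure_blacklisted() {
    if is_blacklisted "$1" "$2"; then
        return 0
    fi
    printf 'blacklist %s\n' "$2" >> "$1"
}

# module_loaded MODULE [MODULES_FILE] -> exit 0 if the module appears in
# /proc/modules (or in the file given, for testing). The kernel reports
# module names with underscores, so "usb-storage" is listed as "usb_storage".
module_loaded() {
    name=$(printf '%s' "$1" | tr '-' '_')
    grep -Eq "^$name " "${2:-/proc/modules}" 2>/dev/null
}

# Stand-alone run: report the current state without touching /etc.
if module_loaded usb-storage; then
    echo "usb-storage is loaded now; the blacklist takes effect after 'modprobe -r usb-storage' or a reboot"
else
    echo "usb-storage is not loaded"
fi
```

To apply it for real, run as root: ensure_blacklisted /etc/modprobe.d/blacklist.conf usb-storage, then unload the module or reboot. As the post says, an administrator can still load the module explicitly with modprobe; the blacklist directive only suppresses alias-based automatic loading.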

I'll be giving more enterprise Linux tips in the near future if all goes well.



IT Security At HIMSS09

I consider security one of my top concerns, and one of my major strengths. Given the volume of information that my servers hold, any potential breach could pose serious problems. We constantly audit our servers and security logs, use a custom firewall and intrusion detection software and take a "close everything open only what's necessary" approach to security. We also use full hard disk encryption on all laptops. I'm confident our systems are more secure than 99% of hospitals out there.

On a given day my servers detect and thwart a minimum of 5 to 6 all-out brute-force intrusion attempts. Identified attempts are automatically blocked from accessing any services on any of our servers. Our firewall logs and blocks at least 50 network scans per day.

But, even I know that to assume we'll never suffer an intrusion is arrogant and dangerous. That's why I made it a point to attend the session on HIM breach notification laws. What was surprising to me was how few people attended that session. I guarantee a lot more will attend the session on the Government stimulus bill, but managing and planning for security issues should be even more important.



Using BlockHosts To Stop Brute Force Attacks

Yesterday I posted about implementing rate limiting on new connections. Today I'm going to cover how to take it a step further and watch failed login attempts and automatically block an IP address for a day.

First, you'll want to download BlockHosts from ACZoom (aczoom.com). It's a Python script that is run every time someone attempts to connect; it watches your log files and dynamically updates your /etc/hosts.allow file to keep out the nasties.

So, in a traditional step-by-step method, here's what to do:

sudo su -
wget http://www.aczoom.com/tools/blockhosts/BlockHosts-2.4.0.tar.gz
tar -zxvf BlockHosts*
cd BlockHosts*
python setup.py install

Now you'll want to configure the /etc/blockhosts.cfg file, so open it with your favorite editor and make the following changes:

Look for "WHITELIST = ". You might want to add your own local network to this just in case.

Look for "LOGFILES" and uncomment the one that says:

LOGFILES = [ "/var/log/auth.log", ]

Look for "[mail]" and plug in your setup if you want it to send you an email periodically telling you what action has been taken.

Save and close that.
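To make concrete what BlockHosts is doing behind the scenes, here is an added example in POSIX shell (it is not BlockHosts' own code): it counts OpenSSH "Failed password" lines per source address in an auth.log-style file and emits TCP wrappers deny rules for addresses over a threshold, wrapped in marker comments so the block can be rewritten on every run, the same idea BlockHosts uses with its own markers. The log file path and threshold are parameters; the sample log lines used to exercise it are constructed, with RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example (not BlockHosts' own code): the core of a log-watching blocker.
# Usage: sh blocker.sh /var/log/auth.log 5 > /tmp/deny-block.txt

# failed_logins_by_ip LOGFILE -> lines of "COUNT IP", most frequent first.
# Matches OpenSSH's "sshd[PID]: Failed password for [invalid user] NAME from IP port N ssh2".
failed_logins_by_ip() {
    grep -E 'sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port' "$1" \
        | sed -E 's/.* from ([0-9.]+) port .*/\1/' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# offenders LOGFILE THRESHOLD -> IPs with at least THRESHOLD failures, one per line.
offenders() {
    failed_logins_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# deny_rules LOGFILE THRESHOLD -> hosts.allow lines denying those IPs for all
# services. The marker comments delimit the automatically managed section so a
# later run can replace it without touching hand-written rules.
deny_rules() {
    echo "#---- automatic-deny start"
    offenders "$1" "$2" | while read -r ip; do
        echo "ALL: $ip : deny"
    done
    echo "#---- automatic-deny end"
}

# Stand-alone run: print the deny block for the given log and threshold.
if [ "$#" -ge 1 ]; then
    deny_rules "$1" "${2:-5}"
fi
```

One caveat worth keeping in mind: an "ALL: address : deny" line in /etc/hosts.allow is only honoured by services built against libwrap (TCP wrappers), so it protects sshd and inetd-style daemons on a distribution of that era but is not a firewall rule. The post's "block for a day" behaviour would additionally need a timestamp per entry so expired blocks are dropped on the next rewrite.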