GrapheneX: An Introductory Guide to System Hardening

5 min read

Get 10-day Free Algo Trading Course

Loading

Last Updated on November 25, 2023

Table of contents:

  1. What is GrapheneX?
  2. What is GrapheneX used for?
  3. Is GrapheneX free?
  4. Why should I use GrapheneX?
  5. Why shouldn’t I use GrapheneX?
  6. How to get started with GrapheneX?
  7. How to use the GrapheneX web GUI?
  8. What are GrapheneX presets?
  9. How to add GrapheneX modules?
  10. How to harden and secure your system user with GrapheneX?
  11. How to harden and secure your system network with GrapheneX?
  12. How to harden and secure your system services with GrapheneX?
  13. How to harden and secure your system kernel with GrapheneX?
  14. How to harden and secure your filesystem with GrapheneX?
  15. How to harden and secure your SSH presets with GrapheneX?
  16. Where can I learn more about GrapheneX?

What is GrapheneX?

GrapheneX is a framework developed for Linux and Windows users that are interested in hardening their devices.

In computing, hardening is the process of securing a system by reducing the potential points of vulnerability.

What is GrapheneX used for?

GrapheneX is used for hardening and securing Windows and Linux systems automatically through various commands and modules. GrapheneX also features a GUI that can be used for improving your security.

Is GrapheneX free?

Yes, GrapheneX is an open-source project and thus completely free.

Why should I use GrapheneX?

  • GrapheneX is easy to use
  • GrapheneX increases your system security
  • Is available on Linux and Windows systems
  • Hardens your systems
  • Protects your trading algorithms and scripts
  • Automates many of the security and hardening tasks
  • Abstracts away the technicality of securing your systems

Why shouldn’t I use GrapheneX?

  • GrapheneX might not have the features you’re looking for
  • GrapheneX requires some knowledge of system security and hardening for maximum performance
  • You might use a third-party system that hosts your code (e.g., TradingView or QuantConnect)
  • You might not be allowed to install unapproved frameworks to your company systems
  • You might not be interested in your security and privacy

How to get started with GrapheneX?

To get started with GrapheneX, you will need to install the framework to your device. There are a couple of ways that we can perform this action. The first way is through Python’s pip package manager and the second one is with Docker.

I’ll personally install it the Python way and use the Linux Ubuntu distro as this is what you will most often use for trading, especially on the cloud. To install GrapheneX with pip, we run the following command:

pip install graphenex
Collecting graphenex
  Downloading GrapheneX-1.3.1-py3-none-any.whl (1.5 MB)...

If you face any issues, you can try this command too:

python3 -m pip install graphenex

To install GrapheneX with Docker, we first need to clone the GitHub repository by running the following command:

sudo git clone https://github.com/grapheneX/grapheneX.git

After that, we can build and run the Docker image:

docker build -t graphenex .
docker run --rm --name graphenex -p 8080:8080 --privileged graphenex

To start GrapheneX from the CLI, we run sudo grapheneX. If it doesn’t start, you might need to cd to where it is executable by running cd /home/USERNAME/.local/bin. Then run ./graphenex. If you are using Ubuntu 22.04 and facing issues, visit this example guide.

If you want to use the command line, the main arguments of GrapheneX are these:

positional arguments:
  host:port      host and port to run the web interface

optional arguments:
  -h, --help     show this help message and exit
  -v, --version  show version information
  -w, --web      run the grapheneX web server
  --open         open browser on web server start

I’m more interested in the GUI and you might be too, so let us start it up.

How to use the GrapheneX web GUI?

To use the GrapheneX web GUI, we write python -m graphenex -w. This will start a server on port 8080 that you can access by clicking this URL. Moreover, you will get a special access token that you will use to be able to access the GUI.

What are GrapheneX presets?

GrapheneX presets are scripts that contain particular modules for automating the hardening operations. Presets can be customized with the modules.json file and they can contain any supported module. 

The preset command shows the available module presets and preset [PRESET] runs the hardening commands in a preset.

How to add GrapheneX modules?

You will notice that your GUI features several modules that have to do with different categories of your system such as the user, network and etc. To add a new module, you can edit the modules namespaces in the modules.json file.

When a new element is created in the JSON file, it will show up as a new module. An example looks like the following:

"namespace": [
        {
            "name": "Module_Name",
            "desc": "module description.",
            "command": "echo 'hardening command'",
            "require_superuser": "True/False",
            "target_os": "linux/win"
        }
    ]

You can also add modules through the GUI by clicking the “Add Module” button in the lower left side of your screen. It is highly recommended to use either the CLI or GUI for adding modules and not editing the modules.json file directly.

How to harden and secure your system user with GrapheneX?

To harden and secure your system user with GrapheneX, navigate to the user tab and click on the modules you want to enable. When you click on them, execute the run command that will enable this feature for your system.

To harden your trading server, I recommend enabling all three modules (Auto_Logout, Enable_Password_Control, and Set_File_Permissions). This will ensure that you are logged out after a period of inactivity, that your passwords are rotated, and that the file permissions are adequate.

How to harden and secure your system network with GrapheneX?

To harden and secure your system network with GrapheneX, navigate to the network tab and click on the modules you want to enable. When you click on them, execute the run command that will enable this feature for your system.

Here, you will want to be careful when enabling features as your system might need some of them depending on your trading instance architecture. Because most traders only use one instance for trading with their cloud providers, I will enable the following modules:

  • Cookie protection – we don’t want to hinder our privacy by enabling cookies to track us and share data with third parties.
  • Disable IP Source Routing – Malicious users can use source routing to probe the network by forcing packets into specific parts of the network.
  • Drop Null – we drop any malfunctioned packets that hit our network
  • Set Permissions Network Settings – let’s not have the network settings be permissionless
  • Set Permissions Users – give permission to adequate user info commands
  • Set Permissions System Configuration – set permissions of the system configuration

There are more modules that you might want to explore and do research on. It all depends on what you’re aiming for.

How to harden and secure your system services with GrapheneX?

To harden and secure your system network with GrapheneX, navigate to the services tab and enable the modules of your liking. I’ll personally enable both of them.

The Syslog Service will enable logging for our system so that those logs can be inspected and scanned for any malicious activity. The Set Permissions Preload File module will set permissions of the sysctl preload/configuration file.

How to harden and secure your system kernel with GrapheneX?

To harden and secure your system network with GrapheneX, navigate to the kernel tab and enable the modules of your liking. I’ll personally enable all of them.

These modules will restrict access to our log files and also restrict pointers. They will also enable system protection and randomize memory to reduce the risk of memory attacks and corruption. These are some standard kernel hardening procedures that everyone should have enabled.

How to harden and secure your filesystem with GrapheneX?

To harden and secure your system network with GrapheneX, navigate to the filesystem tab and enable the modules of your liking. I’ll personally enable both of them.

The Hard/Soft Link Protection secures our system from common exploits to these links. First, let’s cover what they are.

A soft link is a link to the original file, whilst a hard link is a mirror copy of the original file. If you delete the original file, the soft link has no value, because it points to a non-existent file. But in the case of hard link, it is the opposite.

A common vulnerability is the symlink race. It comes about when a program insecurely creates files (e.g., temporary files), and a malicious system user can create a symbolic (soft) link to such a file.

Disable Uncommon FS will disable filesystems that aren’t commonly used. If you are an average trader that doesn’t tinker with your filesystems, you shouldn’t face any issues by enabling this module.

How to harden and secure your SSH presets with GrapheneX?

To harden and secure your SSH presets with GrapheneX, navigate to the other tab and enable the modules of your liking. I’ll personally enable both of them.

These will disable the option to login directly as root via SSH and force us to use keys (e.g., pem keys) for our SSH authentications. This is a very important best practice as you don’t wish anyone to exploit your SSH connections to a trading instance.

Where can I learn more about GrapheneX?

To learn more about GrapheneX, I suggest visiting their GitHub repository which has solid documentation.

Igor Radovanovic