# +----------------------------------------------------+
# | ssh -p-your-port-number-here root@your-server-here |
# | ssh -p67993 root@echelon.nsa.gov |
# | |
# | Title: This is what I do when I'm bored. |
# | Author: _St0rm |
# +----------------------------------------------------+
# Adding a new user
root@echelon:~$ adduser comrade
# Getting the sudo package + nano to edit the sudoers file
root@echelon:~$ apt-get install sudo
root@echelon:~$ apt-get install nano
# Adding the new user to the sudoers file + giving root privileges
root@echelon:~$ nano /etc/sudoers
root ALL=(ALL:ALL) ALL
comrade ALL=(ALL:ALL) ALL
root@echelon:~$ login
Login: comrade
Password for comrade:
comrade@echelon:~$
# Upgrading and updating the apt-get archive
comrade@echelon:~$ sudo apt-get upgrade
comrade@echelon:~$ sudo apt-get update
# Installing apache, iptables, mysql and php5
comrade@echelon:~$ sudo apt-get install apache2
comrade@echelon:~$ sudo apt-get install iptables
comrade@echelon:~$ sudo apt-get install mysql-server mysql-client
comrade@echelon:~$ sudo apt-get install php5-mysql
# Creating a 404 page for visitors, e.g. http://www.website.com/Nuclear-Launch-Codes == 404.html, which redirects everyone to defense.gov
comrade@echelon:~$ nano /var/www/404.html
<html><head><meta http-equiv="REFRESH" content="0;url=https://www.defense.gov/"></head></html>
# Creating the same for Forbidden documents instead; this one redirects to nsa.gov
comrade@echelon:/var/www$ nano 403.html
<html><head><meta http-equiv="REFRESH" content="0;url=https://www.nsa.gov/"></head></html>
comrade@echelon:~$ nano /var/www/robots.txt
User-agent: Googlebot
Disallow: /
Crawl-delay: 10
User-agent: Slurp
Disallow: /
Crawl-delay: 10
User-agent: *
Disallow: /
Crawl-delay: 10
User-agent: Bingbot
Disallow: /
Crawl-delay: 10
User-agent: Msnbot
Disallow: /
Crawl-delay: 10
User-agent: Scanner
Disallow: /
Crawl-delay: 10
User-agent:
Disallow: /
Crawl-delay: 10
User-agent: YahooBot
Disallow: /
Crawl-delay: 10
User-agent: baiduspider
Disallow: /
Crawl-delay: 10
User-agent: naverbot
Disallow: /
Crawl-delay: 10
User-agent: seznambot
Disallow: /
Crawl-delay: 10
User-agent: teoma
Disallow: /
Crawl-delay: 10
User-agent: Yandex
Disallow: /
Crawl-delay: 10
User-agent: Bot
Disallow: /
Crawl-delay: 10
# Installing fail2ban -- IPS.
comrade@echelon:~$ sudo apt-get install fail2ban
# Changing the MOTD shown when users log in to my server
comrade@echelon:~$ sudo nano /etc/motd
******Welcome back to the server!******
-bla bla bla this is message of the day-
# Installing aide
comrade@echelon:~$ sudo apt-get install aide
# Changing the apache conf; these are the ones I have changed, the rest are left at their defaults
comrade@echelon:/etc/apache2$ sudo nano apache2.conf
Timeout 300
KeepAlive Off
HostnameLookups On
LogLevel warn
# Changing apache's httpd.conf file to give away less information
comrade@echelon:/etc/apache2$ sudo nano httpd.conf
ServerSignature Off
ServerTokens Prod
<Directory />
Options None
AllowOverride None
Order allow,deny
Allow from all
</Directory>
ErrorDocument 404 /404.html
ErrorDocument 403 /403.html
# Here you can change icons and default icons.
comrade@echelon:~$ sudo nano /etc/apache2/mods-enabled/autoindex.conf
# Changing fail2ban's settings; here are the ones I have changed
comrade@echelon:~$ sudo nano /etc/fail2ban/fail2ban.conf
loglevel = 2
logtarget = /var/log/fail2ban.log
socket = /var/run/fail2ban/fail2ban.sock
# Changing jail.conf
comrade@echelon:~$ sudo nano /etc/fail2ban/jail.conf
ignoreip = 127.0.0.1
bantime = 6000
maxretry = 3
backend = polling
destemail = never.gonna.know@yahoo.com
mta = sendmail
protocol = tcp
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
[ssh-ddos]
enabled = true
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 3
[postfix]
enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
[couriersmtp]
enabled = true
port = smtp,ssmtp
filter = couriersmtp
logpath = /var/log/mail.log
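To show what the [ssh] jail above actually does with the maxretry=3 and bantime=6000 values, here is an added replay of that logic over constructed auth.log lines (my example, not code from the paste or from fail2ban). It assumes fail2ban's default findtime of 600 seconds, which the paste does not set, and uses a simplified version of the sshd filter's "Failed password" pattern.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values from the jail.conf above; FINDTIME is fail2ban's default (assumption, not set in the paste).
MAXRETRY, BANTIME, FINDTIME = 3, 6000, 600
IGNOREIP = {"127.0.0.1"}
# Simplified version of what fail2ban's sshd filter matches in /var/log/auth.log.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def parse_ts(ts, year=2012):
    # syslog timestamps carry no year; the sample below is dated 2012 (assumption).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def evaluate(lines):
    """Replay lines in order; return {ip: ban_expiry} for IPs failing MAXRETRY times within FINDTIME."""
    window, bans = defaultdict(deque), {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue                                 # not a failure line
        ip, when = m["ip"], parse_ts(m["ts"])
        if ip in IGNOREIP or (ip in bans and when < bans[ip]):
            continue                                 # whitelisted or already banned
        w = window[ip]
        w.append(when)
        while w and when - w[0] > timedelta(seconds=FINDTIME):
            w.popleft()                              # drop attempts outside findtime
        if len(w) >= MAXRETRY:
            bans[ip] = when + timedelta(seconds=BANTIME)
            w.clear()
    return bans

# Constructed sample: a burst from 203.0.113.7, slow failures from 198.51.100.4, failures from localhost.
SAMPLE_LOG = """\
Mar  1 10:00:01 echelon sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  1 10:00:05 echelon sshd[2002]: Failed password for root from 203.0.113.7 port 51235 ssh2
Mar  1 10:00:09 echelon sshd[2003]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  1 10:00:20 echelon sshd[2004]: Failed password for root from 127.0.0.1 port 40001 ssh2
Mar  1 10:00:21 echelon sshd[2005]: Failed password for root from 127.0.0.1 port 40002 ssh2
Mar  1 10:00:22 echelon sshd[2006]: Failed password for root from 127.0.0.1 port 40003 ssh2
Mar  1 10:03:00 echelon sshd[2007]: Accepted publickey for comrade from 198.51.100.4 port 40010 ssh2
Mar  1 10:03:30 echelon sshd[2008]: Failed password for comrade from 198.51.100.4 port 40011 ssh2
Mar  1 10:20:00 echelon sshd[2009]: Failed password for comrade from 198.51.100.4 port 40012 ssh2
Mar  1 10:40:00 echelon sshd[2010]: Failed password for comrade from 198.51.100.4 port 40013 ssh2
""".splitlines()
```

Only the burst host gets banned: the slow failures from 198.51.100.4 never put three attempts inside one findtime window, and ignoreip exempts localhost entirely.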
# Installing irssi for irc
comrade@echelon:~$ sudo apt-get install irssi
# Installing Python
comrade@echelon:~$ sudo apt-get install python
# Installing perl
comrade@echelon:~$ sudo apt-get install perl
# Installing PPP for a VPN connection
comrade@echelon:~$ sudo apt-get install ppp
# Changing the ssh client configuration to my own settings
comrade@echelon:~$ sudo nano /etc/ssh/ssh_config
HashKnownHosts yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials no
# Changing the sshd configuration to my own settings
comrade@echelon:~$ sudo nano /etc/ssh/sshd_config
Port 65326
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
LogLevel WARN
StrictModes yes
PermitRootLogin yes
# Whether you disable root login or not is up to you.
IgnoreRhosts yes
PermitEmptyPasswords no
HostbasedAuthentication no
# You can add host-based restrictions here, for example "only accept root login from this IP" etc. Also for PAM and RSA auth.
PrintLastLog yes
UsePAM yes
comrade@echelon:~$ sudo apt-get install vim
comrade@echelon:~$ sudo apt-get install yum
# Raising the password hash strength -- taking the passwords out of /etc/passwd and storing hashes in /etc/shadow
comrade@echelon:~$ sudo nano /etc/pam.d/common-password
password [success=1 default=ignore] pam_unix.so obscure sha512
password requisite pam_deny.so
password required pam_permit.so
password optional pam_ecryptfs.so
# Rather than this; $1$jmG9uZUU$j2diNHCtKEC/0KLchlw96.
# You now have this: $8$gMLLKls.$p0713lEoDgwZPQwEnP9r.xkSXUzldol7dAOgUQ88ZCswZmwkgg/jzHV.HlznaY/sMFx6C2leEog3dF/XvCDwn/
# Editing the /var/www/.htaccess file -- this file should be chmod 644
# bytes, 0-2147483647 (2GB)
LimitRequestBody 10240000
IndexIgnore *
ServerSignature Off
Include httpd.conf
<Directory "/var/www">
Options +Indexes FollowSymLinks +ExecCGI
AllowOverride AuthConfig FileInfo
Order allow,deny
Allow from all
</Directory>
ErrorDocument 403 /var/www/403.html
ErrorDocument 404 /var/www/404.html
AllowOverride All
KeepAlive Off
Include httpd.conf
Server: Apache
<Directory />
Options None
AllowOverride None
Order allow,deny
deny from someones-ip-address
deny from someones-ip-address
deny from someones-ip-address
allow from all
# To check server headers
comrade@echelon:~$ sudo apt-get install wget
# Getting commands like dig, to get DNS records
comrade@echelon:~$ sudo apt-get install dnsutils
# Setting up the directories for the webserver
ls /var/www/
/404.html
/403.html
/Style.css
/Videos.html
/dot.gif
/favicon.ico
/images/
/index.html
/robots.txt
So let's say you upload a photo to your /var/www/,
so there is /var/www/test.jpg -- you forgot to put it in /images/.
So... just simply:
chmod 711 /var/www/images/
mv test.jpg /var/www/images/test.jpg
cd images
chmod o+r test.jpg
So now: http://www.website.com/images/test.jpg -- you can see this.
But: http://www.website.com/images/ -- takes you to www.nsa.gov (Forbidden) (403.html)
Also, rather than defining http://www.website.com/about-us.html,
try linking from index.html to http://www.website.com/about-us;
you won't need .html and it looks more professional.
The robots.txt will stop a lot of scanners.
#--------------------------------------------------------------------------------------------------------------------
The advantages I have outlined:
When you have a 404, for example:
http://www.website.com/lol-derp-i-like-turtles-lolololol-derpereprerperp/
You will be redirected to: https://www.defense.gov/
When you have a 403, for example:
http://www.website.com/directory-full-of-launch-codes/
You will be redirected to: https://www.nsa.gov/
#--------------------------------------------------------------------------------------------------------------------
When you do a server header check:
comrade@echelon:/$ wget -S tweetstats.com
Server: Apache/2.2.8 (Ubuntu) Phusion_Passenger/2.2.2
Content-Type: text/html; charset=utf-8
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.2
Connection: keep-alive
You NOW get:
comrade@echelon:/$ wget -S your-website-here
Server: Apache
Content-Type: text/html
Connection: close
#--------------------------------------------------------------------------------------------------------------------
Connecting to the server:
Instead of port 22 for ssh, you now have your port on 65326.
This is a lot harder to find with port scanners.
Also now:
comrade@echelon:~$ nmap -F your-website-here
Not shown: 97 closed ports
PORT STATE SERVICE
25/tcp open smtp <-- SMTP for mail
80/tcp open http <-- Web server
1829/tcp open pptp <-- VPN
#--------------------------------------------------------------------------------------------------------------------
Passwords:
For example, this is the default-style /etc/passwd file for DestructiveSecurity.com #LulzFailz
root@delta [~]# cat /etc/passwd
root:$1$g1S8g.ii$nO7SGH/50ukFA7rJwEBaX/:15180:0:99999:7:::
erichar:$1$XC/IeALY$9tJjQ4pfOWgpBWCIsHhIh/:15333:0:99999:7:::
lulzhost:$1$1GqRNaKA$W9bKI3UQIfQeQeaTleLu2/:15333:0:99999:7:::
desec:$1$wmdS8V7f$WEokt8bnhTNTki2IxovIW.:15342:0:99999:7:::
murtazaa:$1$R9CjAd.I$43tTmrrlaVtrmBCb7kwpN.:15338:0:99999:7:::
So here is mine:
comrade@echelon:~$ sudo cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
sjoko:x:1001:1001:,,,:/home/sjoko:/bin/bash
comrade:x:1000:1000:,,,:/home/comrade:/bin/bash
#--------------------------------------------------------------------------------------------------------------------
The passwords are now stored within the /etc/shadow file.
But the passwords are not shitty salted MD5 hashes any more.
They are salted SHA512. Very good imo.
comrade@echelon:~$ sudo cat /etc/shadow
sjoko:$8$Tqt.X03MO1euILPmQPmQQWW7loTqPb.yeuILPmQ/euILPmQ.qnZdYdMiQN/l1P/Q6srz1cS.X03MO1qnZdYdgHueuILPmWGgP:15408:0:99999:7:::
comrade:$8$T61Xa.euILPmQ35CT0Mo8IeuILPmQ/X03MO1qnZdYdg250cf8b51c773f3f.hVeuILPmQX0.3MO1qnZdYdgyfeuILPmQRcOg1m4164UzKbLF.:15411:0:99999:7:::
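The two listings above (hashes sitting in a world-readable passwd file versus shadowed SHA512) are the kind of thing you want to check mechanically. Here is an added audit script (mine, not from the paste) that classifies each password field by its glibc crypt(3) prefix and reports hashes left in passwd, empty passwords and weak hashes; the sample files are constructed with placeholder hash bodies. One caveat for readers: glibc identifies SHA-512 crypt by a "$6$" prefix, so a "$8$" string is not something this classifier, or glibc, recognises.

```python
import re

# glibc crypt(3) identifiers (a fact about the hash format, not taken from the paste).
HASH_IDS = {"1": "md5", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
            "5": "sha256", "6": "sha512", "y": "yescrypt"}
STRONG = {"sha256", "sha512", "bcrypt", "yescrypt"}

def classify(field):
    """Return (algorithm, issue) for one password field from passwd or shadow."""
    if field == "":
        return "none", "empty-password"          # login with no password at all
    hashed = field.lstrip("!")                   # a leading '!' only locks the account
    if hashed in ("", "*", "x"):
        return "none", None                      # locked, disabled or shadowed
    m = re.match(r"^\$([^$]+)\$", hashed)
    algo = HASH_IDS.get(m.group(1), "unknown") if m else "descrypt"  # no $id$: traditional DES crypt
    return algo, None if algo in STRONG else f"weak-hash:{algo}"

def audit(passwd_lines, shadow_lines):
    """List (user, issue) pairs: hashes left in passwd, empty passwords, weak hashes."""
    findings = []
    for line in passwd_lines:
        user, pw = line.split(":")[:2]
        if pw != "x":                            # passwd is world-readable, shadow is not
            findings.append((user, "empty-password" if pw == "" else "hash-in-passwd"))
    for line in shadow_lines:
        user, pw = line.split(":")[:2]
        _, issue = classify(pw)
        if issue:
            findings.append((user, issue))
    return findings

# Constructed sample files (hash bodies are placeholders; only the prefix matters here).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
legacy:$1$c0nstrct$PLACEHOLDERmd5HASHvalue0:1002:1002:,,,:/home/legacy:/bin/bash
nopass::1003:1003:,,,:/home/nopass:/bin/bash
comrade:x:1000:1000:,,,:/home/comrade:/bin/bash
""".splitlines()
SHADOW = """\
root:$6$c0nstrct$PLACEHOLDERsha512HASHvalue0:15411:0:99999:7:::
comrade:$6$c0nstrct$PLACEHOLDERsha512HASHvalue0:15411:0:99999:7:::
sjoko:$1$c0nstrct$PLACEHOLDERmd5HASHvalue0:15408:0:99999:7:::
svc:!$6$c0nstrct$PLACEHOLDERsha512HASHvalue0:15408:0:99999:7:::
guest::15408:0:99999:7:::
daemon:*:15000:0:99999:7:::
""".splitlines()
```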
#--------------------------------------------------------------------------------------------------------------------
MySQL-PHP
Rather than just .html, maybe you want MySQL/PHP on the website? That is why it is added above. :)
#--------------------------------------------------------------------------------------------------------------------
This was more for just a quick VPS setup. This can take you around 10 minutes.
Then all you do: reboot,
wait 2 minutes, log into the new ssh port, and change the password to something like:
rH<.T2177'e}r#y;Rp584|t<%I9_eX
Then you have a fairly decently protected server.
There are lots more ways to add more protection. But setting all of this up in 10 minutes is not bad imo.
#--------------------------------------------------------------------------------------------------------------------
Now all you need to do is register a domain.
Then you can host on Cloudflare:
A record: website.com - Points to: cloudflare-IP
CNAME record: www.website.com - Points to: Cloudflare-IP
Delete any other records if you do not wish to have them, etc.
Now that you're hosting on Cloudflare, you don't have any subdomains except maybe mail.website.com, but then
that would be on a different host.
You are protected against -some- ddos attacks.
Use /var/log/apache2/access.log as a guide to see who to block and why.
Think about blocking country by country; it makes life a lot easier.
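Deciding "who to block and why" from access.log is easier with a small summariser. The following is an added example (mine, not from the paste) that parses Apache's combined log format, counts 403/404 responses per client IP together with the paths and user agents involved, and lists IPs whose traffic is mostly errors as candidates for a "deny from" line; the log lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format, the Debian/Ubuntu default for /var/log/apache2/access.log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

def summarize(lines, watch=("403", "404")):
    """Per client IP: total requests, error count, errors by status, paths and agents seen."""
    total, errors = Counter(), defaultdict(Counter)
    paths, agents = defaultdict(set), defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                  # skip truncated or corrupt lines
        ip, status = m["ip"], m["status"]
        total[ip] += 1
        if status in watch:
            errors[ip][status] += 1
            req = m["req"].split(" ")
            paths[ip].add(req[1] if len(req) > 1 else m["req"])
            agents[ip].add(m["ua"])
    return {ip: {"requests": total[ip], "errors": sum(c.values()),
                 "by_status": dict(c), "paths": sorted(paths[ip]),
                 "agents": sorted(agents[ip])} for ip, c in errors.items()}

def block_candidates(summary, min_errors=5, min_ratio=0.5):
    """IPs worth a look for a 'deny from' line: many errors, and mostly errors."""
    return sorted(ip for ip, s in summary.items()
                  if s["errors"] >= min_errors and s["errors"] / s["requests"] >= min_ratio)

# Constructed sample: one host probing for admin panels, one normal visitor, one corrupt line.
SAMPLE = """\
203.0.113.9 - - [01/Mar/2012:10:00:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 523 "-" "Mozilla/5.0 (compatible; ScannerBot/1.0)"
203.0.113.9 - - [01/Mar/2012:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 523 "-" "Mozilla/5.0 (compatible; ScannerBot/1.0)"
203.0.113.9 - - [01/Mar/2012:10:00:03 +0000] "GET /admin/ HTTP/1.1" 404 523 "-" "Mozilla/5.0 (compatible; ScannerBot/1.0)"
203.0.113.9 - - [01/Mar/2012:10:00:04 +0000] "GET /.git/config HTTP/1.1" 404 523 "-" "Mozilla/5.0 (compatible; ScannerBot/1.0)"
203.0.113.9 - - [01/Mar/2012:10:00:05 +0000] "GET /images/ HTTP/1.1" 403 519 "-" "Mozilla/5.0 (compatible; ScannerBot/1.0)"
203.0.113.9 - - [01/Mar/2012:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (compatible; ScannerBot/1.0)"
198.51.100.4 - - [01/Mar/2012:10:05:00 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.4 - - [01/Mar/2012:10:05:01 +0000] "GET /Style.css HTTP/1.1" 200 2210 "http://www.website.com/" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.4 - - [01/Mar/2012:10:05:02 +0000] "GET /favicon.ico HTTP/1.1" 404 523 "-" "Mozilla/5.0 (X11; Linux x86_64)"
this line is corrupt and should be skipped
""".splitlines()
```

The normal visitor's single favicon 404 never reaches the threshold, so only the probing host is reported; tune min_errors and min_ratio to your own traffic before acting on the list.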
#--------------------------------------------------------------------------------------------------------------------
_St0rm - twitter.com/_St0rm - twitter.com/St0rmSec
http://stormsecurity.bislr.com
#--------------------------------------------------------------------------------------------------------------------