- #0x02a: hardening a linux box
- updating
- Newer package versions usually fix the vulnerabilities found in the previous version. Because some vulnerabilities can be very serious, e.g. dirtyc0w (Dirty COW), periodically updating your packages is important.
- refreshing the package index:
- apt-get update
- updating all packages in the system:
- apt-get upgrade
- configuring your filesystem
- User data and directories with system-wide functions can be further protected by storing them on separate partitions with stricter permissions and mount options. If you don't have this in place, back everything up before repartitioning.
- creating a separate partition for /tmp
- /tmp is a world-writable directory in which all users can temporarily store data. Making /tmp its own separate filesystem allows sysadmins to mount it with noexec, which removes /tmp as a place from which to run executable code.
- Check whether /tmp has its own entry in /etc/fstab:
- grep "[[:space:]]/tmp[[:space:]]" /etc/fstab
- If there is no output, create a separate partition for /tmp.
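- As an added check (example code, not part of the paste), the POSIX sh function below goes one step beyond the grep above: it reports whether /tmp has its own fstab entry and whether that entry carries noexec together with the companion nosuid and nodev options. The fstab contents are constructed samples.

```shell
#!/bin/sh
# Added example: report whether /tmp is its own mount in an fstab file and whether
# the entry carries the noexec, nosuid and nodev options. Output is one of
# "missing", "present", or "present: lacks <options>".
# Usage: tmp_mount_status /etc/fstab
tmp_mount_status() {
    fstab="$1"
    # Skip comment lines; field 2 is the mount point, field 4 the mount options.
    line=$(awk '$1 !~ /^#/ && NF >= 4 && $2 == "/tmp" { print; exit }' "$fstab")
    if [ -z "$line" ]; then
        echo "missing"
        return 0
    fi
    opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
    lacking=""
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;                       # option is set
            *) lacking="$lacking $want" ;;        # option is absent
        esac
    done
    if [ -z "$lacking" ]; then echo "present"; else echo "present: lacks$lacking"; fi
}

# Constructed fstab samples (not from a real host): no /tmp entry, a hardened
# tmpfs entry, and a separate partition mounted with plain "defaults".
FSTAB_NONE=$(mktemp); FSTAB_OK=$(mktemp); FSTAB_WEAK=$(mktemp)
printf '%s\n' 'UUID=1111-aaaa / ext4 errors=remount-ro 0 1' > "$FSTAB_NONE"
printf '%s\n' '# hardened host' 'UUID=1111-aaaa / ext4 errors=remount-ro 0 1' \
    'tmpfs /tmp tmpfs defaults,noexec,nosuid,nodev 0 0' > "$FSTAB_OK"
printf '%s\n' 'UUID=1111-aaaa / ext4 errors=remount-ro 0 1' \
    '/dev/sda3 /tmp ext4 defaults 0 2' > "$FSTAB_WEAK"
tmp_mount_status "$FSTAB_NONE"   # missing
tmp_mount_status "$FSTAB_OK"     # present
tmp_mount_status "$FSTAB_WEAK"   # present: lacks noexec nosuid nodev
```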
- ssh hardening
- secure your ssh by disabling root login, using key-based login and moving the daemon from the default port 22 to a non-standard port.
- sudo nano /etc/ssh/sshd_config
- Add the following lines, then save with Ctrl+O.
- Port [ENTER PORT]
- Protocol 2
- PermitRootLogin no
- DebianBanner no
- sudo service ssh restart
- hardening network with sysctl
- The /etc/sysctl.conf file holds the kernel's sysctl settings. With the settings below you can, among other things, reject source-routed packets and log packets with impossible (martian) source addresses.
- sudo nano /etc/sysctl.conf
- # IP Spoofing protection
- net.ipv4.conf.all.rp_filter = 1
- net.ipv4.conf.default.rp_filter = 1
- # Ignore ICMP broadcast requests
- net.ipv4.icmp_echo_ignore_broadcasts = 1
- # Disable source packet routing
- net.ipv4.conf.all.accept_source_route = 0
- net.ipv6.conf.all.accept_source_route = 0
- net.ipv4.conf.default.accept_source_route = 0
- net.ipv6.conf.default.accept_source_route = 0
- # Do not send ICMP redirects
- net.ipv4.conf.all.send_redirects = 0
- net.ipv4.conf.default.send_redirects = 0
- # Block SYN attacks
- net.ipv4.tcp_syncookies = 1
- net.ipv4.tcp_max_syn_backlog = 2048
- net.ipv4.tcp_synack_retries = 2
- net.ipv4.tcp_syn_retries = 5
- # Log Martians
- net.ipv4.conf.all.log_martians = 1
- net.ipv4.icmp_ignore_bogus_error_responses = 1
- # Ignore ICMP redirects
- net.ipv4.conf.all.accept_redirects = 0
- net.ipv6.conf.all.accept_redirects = 0
- net.ipv4.conf.default.accept_redirects = 0
- net.ipv6.conf.default.accept_redirects = 0
- # Ignore Directed pings
- net.ipv4.icmp_echo_ignore_all = 1
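- The ssh and sysctl changes above only take effect if the files really contain the intended values. As an added example (not from the paste), this POSIX sh function audits a "key value" or "key = value" file such as /etc/ssh/sshd_config or /etc/sysctl.conf against a list of expected settings, flagging missing keys and any occurrence with a different value; the sample files are constructed.

```shell
#!/bin/sh
# Added example: audit a "key value" or "key = value" config file against the
# settings we expect. Prints one line per key that is absent or has a different
# value anywhere in the file; prints nothing when everything matches.
# Usage: audit_settings FILE 'key1 value1' 'key2 value2' ...
audit_settings() {
    file="$1"; shift
    for pair in "$@"; do
        key=${pair%% *}
        want=${pair#* }
        # Collect every value given for the key: strip comments, treat "=" as blank.
        got=$(awk -v k="$key" '
            { sub(/#.*/, ""); gsub(/=/, " ") }
            $1 == k { v = $2; for (i = 3; i <= NF; i++) v = v " " $i; print v }
        ' "$file")
        if [ -z "$got" ]; then
            echo "$key: not set (want $want)"
        else
            # A duplicate line with another value is flagged too (sshd keeps the first
            # match, sysctl the last, so either duplicate can silently win).
            printf '%s\n' "$got" | while IFS= read -r v; do
                [ "$v" = "$want" ] || echo "$key: is '$v' (want $want)"
            done
        fi
    done
}

# Constructed samples: an sshd_config that still permits root login and a
# sysctl.conf that lacks one entry and leaves another at its default.
SSHD=$(mktemp); SYSCTL=$(mktemp)
printf '%s\n' '# sshd_config (constructed)' 'Port 2222' 'Protocol 2' \
    'PermitRootLogin yes' 'DebianBanner no' > "$SSHD"
printf '%s\n' 'net.ipv4.conf.all.rp_filter = 1' 'net.ipv4.tcp_syncookies = 1' \
    'net.ipv4.conf.all.accept_source_route = 1  # left at default' > "$SYSCTL"

audit_settings "$SSHD" 'Port 2222' 'Protocol 2' 'PermitRootLogin no' 'DebianBanner no'
# PermitRootLogin: is 'yes' (want no)
audit_settings "$SYSCTL" 'net.ipv4.tcp_syncookies 1' \
    'net.ipv4.conf.all.accept_source_route 0' 'net.ipv4.conf.all.log_martians 1'
# net.ipv4.conf.all.accept_source_route: is '1' (want 0)
# net.ipv4.conf.all.log_martians: not set (want 1)
```

The function checks the file, not the running kernel; comparing the same expected values against the output of sysctl -n for each key shows whether the settings were actually applied.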
- prevent ip spoofing
- sudo nano /etc/host.conf
- order bind,hosts
- nospoof on
- using DenyHosts to monitor, log and block attacks
- DenyHosts is a Python program that can automatically block SSH brute-force attempts by adding the attacking hosts to /etc/hosts.deny. DenyHosts can also notify sysadmins about attacked user accounts, logins and attacking hosts.
- sudo apt-get install denyhosts
- Edit /etc/denyhosts.conf as needed.
- ADMIN_EMAIL = root@localhost
- SMTP_HOST = localhost
- SMTP_PORT = 25
- #SMTP_USERNAME=foo
- #SMTP_PASSWORD=bar
- SMTP_FROM = DenyHosts nobody@localhost
- #SYSLOG_REPORT=YES
- creating encrypted directories
- encfs lets you create encrypted directories. Any file placed in such a directory is stored encrypted, and a password is needed to access the directory.
- sudo apt install encfs
- encfs works with two directories: one that holds the encrypted files and a second one in which the files appear decrypted. The syntax for creating them is encfs [path to encrypted dir] [path to open dir]
- If I want the encrypted store in a hidden directory ~/.bar and the decrypted view in ~/foo in my home directory, I would write
- encfs ~/.bar ~/foo
- gpg keys
- To generate a key:
- gpg --gen-key
- Please select what kind of key you want:
- (1) RSA and RSA (default)
- (2) DSA and Elgamal
- (3) DSA (sign only)
- (4) RSA (sign only)
- Select (1), which enables both encryption and signing.
- What keysize do you want? (2048)
- The default keysize is a good choice.
- Key is valid for? (0)
- Most people make their keys valid forever, but don't forget to revoke it if you're no longer using it.
- You need a user ID to identify your key; the software constructs the user ID
- from the Real Name, Comment and Email Address in this form:
- "Real Name (Comment) <Email Address>"
- Enter your information when prompted. It doesn't have to be real, of course.
- You need a Passphrase to protect your secret key.
- Make sure that the passphrase contains letters, numbers and special characters. If you forget your passphrase, your key is rendered useless. There are no recovery options.
- While the key is being created, type on the keyboard, browse the internet or do other things you would usually do on your computer in order to generate random bytes. If gpg says there weren't enough random bytes available, keep on moving. Your output should look something like this:
- gpg: checking the trustdb
- gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
- gpg: depth: 0 valid: 3 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 3u
- pub 2048R/8E848E5E 2016-11-21
- Key fingerprint = 68EB 183E 44B8 A3C5 6EC1 F3CD A669 187B 8E84 8E5E
- uid lolcow
- sub 2048R/3939B090 2016-11-21
- creating a revocation certificate
- Generate a revocation certificate now, so that you can revoke the key if your private key is ever compromised. Keep the revocation certificate in a physically secure place. Here $GPGKEY stands for your key ID (8E848E5E in the example output above).
- gpg --output revoke.asc --gen-revoke $GPGKEY
- creating an ascii armored version of the public key
- gpg --output mykey.asc --export -a $GPGKEY
- rkhunter
- rkhunter (rootkit hunter) is a tool that scans for rootkits, backdoors and local exploits. Among other checks, it compares the SHA-1 hashes of important files with known-good values.
- sudo apt-get install rkhunter
- Before running rkhunter you need to populate its file-properties database. Configure rkhunter to run --propupd every time new software is installed, or you will get false positives all the time.
- sudo rkhunter --propupd
- Running --propupd automatically after software updates
- sudo nano /etc/default/rkhunter
- Add the line APT_AUTOGEN="yes" to the file.
- Running rkhunter
- sudo rkhunter --checkall
- iptables
- iptables is the firewall that ships with every Ubuntu release; ufw, which also comes with Ubuntu, is a front-end for managing it. If you don't have it, install it.
- Running
- sudo iptables -L
- lists your current iptables rules. If you have no rules yet, you should see this:
- Chain INPUT (policy ACCEPT)
- target prot opt source destination
- Chain FORWARD (policy ACCEPT)
- target prot opt source destination
- Chain OUTPUT (policy ACCEPT)
- target prot opt source destination
- iptables basic options
- [1] -A appends this rule to a rule chain.
- [2] -L lists the current filter rules.
- [3] -m conntrack allows filter rules to be matched based on connection state.
- [4] -m limit limits how often the rule may match (rate limiting).
- [5] --ctstate defines the list of connection states the rule matches. Valid states are:
  - [1] NEW - the connection has not been seen yet.
  - [2] RELATED - the connection is new, but is related to another connection that has already been permitted.
  - [3] ESTABLISHED - the connection has already been established.
  - [4] INVALID - the traffic could not be identified.
- [6] -p is the connection protocol being matched.
- [7] --dport is the destination port for this rule (use -m multiport --dports to match several ports).
- [8] -j jumps to the target. There are four default targets:
  - [1] ACCEPT - accept the packet and stop processing rules in this chain.
  - [2] REJECT - reject the packet, notify the sender, and stop processing rules in this chain.
  - [3] LOG - log the packet and continue processing rules in this chain.
  - [4] DROP - drop the packet silently and stop processing rules in this chain.
- [9] -I inserts a rule at the top of the chain (or at a given position) instead of appending it.
- [10] -v displays more information in the output.
- allowing incoming traffic on specific ports
- You could simply block all traffic, but since we're working over ssh we need to allow it before blocking everything.
- To allow incoming ssh on port 22 [the default ssh port], tell iptables to accept all incoming TCP traffic destined for port 22.
- sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT
- This tells iptables to:
- [1] append this rule to the INPUT chain (-A INPUT), so we look at incoming traffic
- [2] check whether the packet is TCP (-p tcp)
- [3] if so, check whether it is destined for the default ssh port (--dport ssh)
- [4] if so, accept the packet (-j ACCEPT)
- sudo iptables -L
- Chain INPUT (policy ACCEPT)
- target prot opt source destination
- ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
- ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
- Let's allow all incoming web traffic:
- sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
- Checking our rules again, we now have:
- sudo iptables -L
- Chain INPUT (policy ACCEPT)
- target prot opt source destination
- ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
- ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
- ACCEPT tcp -- anywhere anywhere tcp dpt:www
- We've allowed TCP traffic to the web and ssh ports, but all other traffic can still come in because we haven't blocked anything yet.
- blocking traffic
- Once a rule accepts a packet, the rules after it no longer affect that packet. Because the rules that allow ssh and web traffic come first, the traffic we need is still accepted; all we have to do is append the rule that blocks everything else at the end.
- sudo iptables -A INPUT -j DROP
- sudo iptables -L
- Chain INPUT (policy ACCEPT)
- target prot opt source destination
- ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
- ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
- ACCEPT tcp -- anywhere anywhere tcp dpt:www
- DROP all -- anywhere anywhere
- All traffic is now blocked on all ports, except for web and ssh.
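- Because -I inserts at the top of the chain while -A appends, it is easy to end up with the DROP ahead of the ssh rule and lose your session. As an added example (not part of the paste), this POSIX sh function checks a saved dump of the INPUT chain (from iptables -S INPUT, which is assumed to be available) for a catch-all DROP/REJECT and makes sure the ssh accept and the RELATED,ESTABLISHED accept come before it; the rule dumps are constructed.

```shell
#!/bin/sh
# Added example: check a saved INPUT chain dump ("iptables -S INPUT > rules.txt")
# for the two mistakes that lock you out of an ssh session once the catch-all
# DROP is in place. Prints "ok" or one line per problem.
# Usage: check_input_chain RULES_FILE [SSH_PORT]   (SSH_PORT defaults to 22)
check_input_chain() {
    rules="$1"; sshport="${2:-22}"; problems=""
    nl='
'
    # Line number of the first unconditional DROP/REJECT; rules after it never match.
    catchall=$(awk '/^-A INPUT -j (DROP|REJECT)( |$)/ { print NR; exit }' "$rules")
    if [ -z "$catchall" ]; then
        problems="${problems}no catch-all DROP rule at the end of INPUT$nl"
        catchall=999999
    fi
    # The ssh ACCEPT must precede the catch-all, otherwise the session is lost on apply.
    ssh_ok=$(awk -v p="$sshport" -v c="$catchall" \
        'NR < c && /^-A INPUT / && /-p tcp/ && $0 ~ ("--dport " p "( |$)") && /-j ACCEPT/ { print NR; exit }' "$rules")
    [ -n "$ssh_ok" ] || problems="${problems}ssh port $sshport not accepted before the catch-all$nl"
    # Without a RELATED,ESTABLISHED accept (the "state RELATED,ESTABLISHED" line in the
    # listings above) replies to connections you opened yourself are dropped as well.
    est_ok=$(awk -v c="$catchall" 'NR < c && /^-A INPUT / && /ESTABLISHED/ && /-j ACCEPT/ { print NR; exit }' "$rules")
    [ -n "$est_ok" ] || problems="${problems}no RELATED,ESTABLISHED accept rule before the catch-all$nl"
    if [ -z "$problems" ]; then echo "ok"; else printf '%s' "$problems"; fi
}

# Constructed rule dumps (not captured from a real host). GOOD follows the order
# used above; BAD has the DROP first, as "iptables -I INPUT -j DROP" would leave it.
GOOD=$(mktemp); BAD=$(mktemp)
printf '%s\n' '-P INPUT ACCEPT' \
    '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
    '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT' \
    '-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT' \
    '-A INPUT -j DROP' > "$GOOD"
printf '%s\n' '-P INPUT ACCEPT' '-A INPUT -j DROP' \
    '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT' > "$BAD"
check_input_chain "$GOOD"        # ok
check_input_chain "$BAD"         # ssh port 22 not accepted before the catch-all
                                 # no RELATED,ESTABLISHED accept rule before the catch-all
check_input_chain "$GOOD" 2222   # ssh port 2222 not accepted before the catch-all
```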
- using snort for intrusion detection
- An intrusion detection system inspects inbound and outbound network activity and identifies patterns that could indicate someone trying to compromise a system. The following diagram shows how an IDS monitors network traffic.
- [Diagram: traffic passes ROUTER -> FIREWALL -> SWITCH -> YOU; the switch mirrors the data to the SNORT IDS.]
- creating the snort database
- Assuming you have the LAMP stack installed, create the database that snort will use.
- mysql -u root -p
- create database snort;
- GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES ON snort.*
- TO 'snort'@'localhost' IDENTIFIED BY 'password';
- FLUSH PRIVILEGES;
- quit
- install snort
- sudo apt-get -y install snort-mysql
- You will be prompted to enter the IP address for the local network in Classless Inter-Domain Routing (CIDR) format.
- snort configuration
- Update the database with the Snort table structure.
- pushd /usr/share/doc/snort-mysql
- sudo zcat create_mysql.gz | mysql -u snort -p snort
- # The syntax is: mysql -u [user] -p [database]
- popd
- Modify the Snort configuration file to include our MySQL specific information.
- sudo sed -i "s/output\ log_tcpdump:\ tcpdump.log/#output\ log_tcpdump:\ tcpdump.log\noutput\ database:\ log,\ mysql, user=snort password=password dbname=snort host=localhost/" /etc/snort/snort.conf
- Remove the pending Snort database config file.
- sudo rm -rf /etc/snort/db-pending-config
- Start the Snort service.
- sudo /etc/init.d/snort start
- installing acid
- Snort is of little use if we can't easily work with its output. ACID is a web front-end that monitors Snort's output.
- sudo apt-get -y install acidbase
- When first installed, ACID only allows access from localhost. Modify the HTTP configuration to allow other workstations to connect to ACID.
- sudo sed -i "s#allow\ from\ 127.0.0.0/255.0.0.0#allow\ from\ 127.0.0.0/255.0.0.0\ x.x.x.x/255.255.255.0#" /etc/acidbase/apache.conf
- Where x.x.x.x is the workstation's address.
- Restart Apache for the changes to take effect.
- sudo /etc/init.d/apache2 restart