_c0mrad

[+] Linux Hardening [+]

Dec 9th, 2016
#0x02a: hardening a linux box
updating

Newer package versions carry the fixes for the vulnerabilities found in the previous ones. Some of those are serious (Dirty COW, CVE-2016-5195, was a kernel race condition that let any local user gain root), so updating your packages regularly is important.

Refresh the package lists:

apt-get update

Update all installed packages:

apt-get upgrade

apt-get upgrade only replaces packages that can be updated in place; run apt-get dist-upgrade when an update needs new dependencies or removals. A kernel update takes effect only after a reboot, so a patched box that hasn't been rebooted is still running the old kernel.

configuring your filesystem

User data and directories with system-wide functions can be further protected by storing them on separate partitions with stricter mount options. If you don't have this in place, back everything up before repartitioning.

creating a separate partition for /tmp

/tmp is a world-writable directory that every user can temporarily store data in. Making /tmp its own filesystem lets you mount it with noexec (binaries dropped there can't be executed directly), and usually nosuid and nodev as well, which takes /tmp away as the obvious place to stage a downloaded payload. Treat noexec as a speed bump rather than a wall: a script can still be run through its interpreter (sh /tmp/x.sh), so it raises the bar without replacing the other controls here.

Check whether /tmp has its own entry in /etc/fstab (the character class is [[:space:]]):

grep "[[:space:]]/tmp[[:space:]]" /etc/fstab

If there is no output, create a separate partition for /tmp (a tmpfs entry also works), and confirm with findmnt /tmp that the options actually took effect after mounting; fstab only says what should happen at boot.

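As an added example (not part of the original paste), here is a small check that reads an fstab-format file and reports which of nodev, nosuid and noexec the /tmp entry is missing. The fstab content at the bottom is constructed for the demo; the function works the same on /etc/fstab.

```shell
#!/bin/sh
# Added example (not from the original paste): audit a /tmp entry in an fstab-format
# file for the nodev, nosuid and noexec mount options. The sample fstab is constructed.

# Print the mount options of the entry for a mount point (empty if there is none).
# $1: fstab-format file, $2: mount point
fstab_opts() {
    awk -v mp="$2" '$1 !~ /^#/ && NF >= 4 && $2 == mp { print $4; exit }' "$1"
}

# Report the hardening options missing from a mount point's entry:
# prints "ok", "missing: <opts>" or "no entry"; exit status 0 only for "ok".
# $1: fstab-format file, $2: mount point
check_mount_hardening() {
    opts=$(fstab_opts "$1" "$2")
    [ -n "$opts" ] || { echo "no entry"; return 1; }
    missing=""
    for want in nodev nosuid noexec; do
        case ",$opts," in
            *",$want,"*) ;;                      # option present
            *) missing="$missing $want" ;;
        esac
    done
    [ -n "$missing" ] || { echo "ok"; return 0; }
    echo "missing:$missing"
    return 1
}

# Constructed sample fstab: /tmp is its own filesystem but noexec was forgotten.
SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
# <file system>     <mount point> <type> <options>                  <dump> <pass>
UUID=1234-5678-root /             ext4   errors=remount-ro          0      1
tmpfs               /tmp          tmpfs  defaults,nodev,nosuid      0      0
EOF

check_mount_hardening "$SAMPLE_FSTAB" /tmp   # prints: missing: noexec
```

Run it against the real file with check_mount_hardening /etc/fstab /tmp, and pair it with findmnt -o OPTIONS /tmp, since the live mount can differ from fstab (a remount, or a systemd tmp.mount unit, can have changed it).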
ssh hardening

Secure your ssh daemon by disabling root login, using key-based login instead of passwords, and moving it from the default port 22 to a non-standard port (that cuts the log noise from scanners, but it is obscurity, not a security control).

sudo nano /etc/ssh/sshd_config
Add the following and save with ctrl O:

Port [ENTER PORT]
Protocol 2
PermitRootLogin no
DebianBanner no

Protocol 2 only matters on OpenSSH older than 7.4; newer releases have no protocol 1 to disable. DebianBanner is specific to the Debian/Ubuntu build and hides the distribution suffix from the version banner. Key-based login is enforced by PasswordAuthentication no (PubkeyAuthentication is on by default): put your public key in ~/.ssh/authorized_keys and confirm a key login works before adding it, or you lock yourself out. If you changed the port, open it in the firewall first (the iptables rules later in this document allow port 22 only, and --dport ssh means 22 from /etc/services, not your new port). Then check that the file parses with sshd -t and restart, keeping your current session open until a fresh login succeeds:

sudo service ssh restart
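The edit above is usually done by hand in nano. As an added example (not part of the original paste), the script below applies the same directives, plus PasswordAuthentication no, to a copy of sshd_config in a way that is safe to re-run: it removes any earlier or commented-out definition, leaves Match blocks untouched, and puts each global directive at the top of the file, where sshd requires globals to be. The port 2222 and the sample config are illustrative.

```shell
#!/bin/sh
# Added example (not from the original paste): apply the sshd_config changes above
# to a copy of the file, idempotently, and read back what sshd will use. Work on a
# copy, run `sshd -t -f <copy>` on it, then install it. The port 2222 and the sample
# config are illustrative.

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Set a global directive: drops any earlier active or "#commented-out" definition,
# leaves Match blocks alone (their directives are conditional), and puts the new
# line at the top, because global settings must precede the first Match block.
# $1: file, $2: directive, $3: value
sshd_set() {
    tmp=$(mktemp)
    {
        printf '%s %s\n' "$2" "$3"
        awk -v key="$(lc "$2")" '
            inmatch || tolower($1) == "match" { inmatch = 1; print; next }
            { first = $1; sub(/^#/, "", first) }
            tolower(first) == key { next }
            { print }
        ' "$1"
    } > "$tmp"
    cat "$tmp" > "$1" && rm -f "$tmp"    # cat, not mv, keeps the file's owner and mode
}

# Print the value sshd will use for a global directive (first match wins; Match
# blocks are not evaluated). $1: file, $2: directive
sshd_get() {
    awk -v key="$(lc "$2")" '
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# $1: file, $2: ssh port (default 22)
harden_sshd() {
    sshd_set "$1" Port "${2:-22}"
    sshd_set "$1" PermitRootLogin no
    sshd_set "$1" PubkeyAuthentication yes
    sshd_set "$1" PasswordAuthentication no   # only after a key login has been tested
    sshd_set "$1" DebianBanner no             # Debian/Ubuntu builds of OpenSSH only
}

# Constructed sample resembling a stock Debian sshd_config
SAMPLE_SSHD=$(mktemp)
cat > "$SAMPLE_SSHD" <<'EOF'
#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF

harden_sshd "$SAMPLE_SSHD" 2222
sshd_get "$SAMPLE_SSHD" PasswordAuthentication   # prints: no
```

Typical use: cp /etc/ssh/sshd_config /tmp/sshd_config.new, harden the copy, check it with sshd -t -f /tmp/sshd_config.new, and only then copy it back and restart. The reason the Match block is preserved rather than rewritten is that sshd evaluates those directives per connection; silently deleting "PasswordAuthentication yes" under Match User backup would change behaviour for that account without anyone noticing.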
hardening network with sysctl

/etc/sysctl.conf holds kernel parameters that are applied at boot (newer distributions also read /etc/sysctl.d/*.conf, and a later file can override this one). Among other things you can refuse source-routed packets, ignore ICMP redirects and log packets with impossible source addresses ("martians").

sudo nano /etc/sysctl.conf
# IP spoofing protection (reverse-path filtering)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP broadcast requests (smurf amplification)
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Don't send ICMP redirects (this host isn't a router)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Mitigate SYN floods
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5

# Log martians, and don't log bogus ICMP errors from broken routers
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Ignore directed pings
net.ipv4.icmp_echo_ignore_all = 1

Apply the file without rebooting with sudo sysctl -p, and read a single value back with sysctl -n followed by the key. If IPv6 is disabled, the net.ipv6 lines produce a harmless "No such file or directory" error. Two settings deserve thought before you copy them: icmp_echo_ignore_all makes the host invisible to ping, including to your own monitoring, and rp_filter = 1 (strict) drops legitimate traffic on hosts with asymmetric routes, where 2 (loose) is the right value.
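Writing the file is half the job; the other half is confirming the kernel is actually running with those values. As an added example (not part of the original paste), the script below diffs a desired-settings file against a snapshot of the running values, both in the "key = value" format that sysctl.conf and sysctl -a use. The two sample files are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original paste): compare the settings you want with
# what the running kernel reports, so you can see whether /etc/sysctl.conf really
# took effect or was overridden by a later file in /etc/sysctl.d. Both inputs use
# the "key = value" format of sysctl.conf and of `sysctl -a`; the two sample files
# below are constructed for the demo.

# Normalize a sysctl-format stream to one "key=value" per line:
# drop comments and blank lines, collapse whitespace, strip spaces around "=".
sysctl_normalize() {
    sed -e 's/[#;].*$//' \
        -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' \
        -e 's/ *= */=/' "$1" | grep '='
}

# Print one line per mismatch ("key current=<value> desired=<value>"; current is
# <absent> when the running kernel has no such parameter). Exit 0 only if nothing drifted.
# $1: desired settings file, $2: snapshot of current values, e.g. saved from `sysctl -a`
sysctl_drift() {
    desired=$(mktemp); current=$(mktemp)
    sysctl_normalize "$1" > "$desired"
    sysctl_normalize "$2" > "$current"
    rc=0
    while IFS='=' read -r key want; do
        have=$(awk -F= -v k="$key" '$1 == k { print substr($0, length(k) + 2); exit }' "$current")
        if [ "$have" != "$want" ]; then
            echo "$key current=${have:-<absent>} desired=$want"
            rc=1
        fi
    done < "$desired"
    rm -f "$desired" "$current"
    return $rc
}

# Constructed inputs: a subset of the hardening settings, and a snapshot in which
# rp_filter was set to loose mode by something else and the ping setting never applied.
DESIRED=$(mktemp); CURRENT=$(mktemp)
cat > "$DESIRED" <<'EOF'
# constructed subset of the hardening settings above
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_all = 1
EOF
cat > "$CURRENT" <<'EOF'
# constructed snapshot, in the format `sysctl -a` prints
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
EOF

sysctl_drift "$DESIRED" "$CURRENT"
# prints:
# net.ipv4.conf.all.rp_filter current=2 desired=1
# net.ipv4.icmp_echo_ignore_all current=<absent> desired=1
```

On a real host, snapshot with sysctl -a > /tmp/sysctl.now (stderr carries permission noise you can discard) and run sysctl_drift /etc/sysctl.conf /tmp/sysctl.now; a non-zero exit makes it usable from cron or a config-management check.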
prevent ip spoofing

sudo nano /etc/host.conf
order bind,hosts
nospoof on

nospoof tells the resolver to cross-check a hostname obtained from a reverse lookup by resolving it forward again and to reject the answer if the addresses don't match. On current glibc systems this is a legacy setting: the lookup order is governed by the hosts: line in /etc/nsswitch.conf rather than by host.conf, and the hosts file is normally consulted first (order hosts,bind). Setting it is harmless, but don't count on it as a control.
using DenyHosts to monitor, log and block attacks

DenyHosts is a Python program that watches the auth log for repeated failed SSH logins and blocks the source by adding it to /etc/hosts.deny, the TCP wrappers deny list. It can also mail the sysadmin about the accounts being attacked, successful logins and attacking hosts.

sudo apt-get install denyhosts
Edit /etc/denyhosts.conf as needed.

ADMIN_EMAIL = root@localhost
SMTP_HOST = localhost
SMTP_PORT = 25
#SMTP_USERNAME=foo
#SMTP_PASSWORD=bar
SMTP_FROM = DenyHosts <nobody@localhost>
#SYSLOG_REPORT=YES

Two caveats. DenyHosts only works if sshd honours hosts.deny: upstream OpenSSH removed TCP wrappers support in 6.7, so check your build (ldd "$(command -v sshd)" | grep libwrap). And the project has gone through long stretches without maintenance; fail2ban does the same job by inserting firewall rules instead, covers any daemon that logs to syslog, and is the more common choice today.
creating encrypted directories

encfs creates an encrypted directory: files written through the mount point are stored encrypted on disk, and the plaintext view can only be mounted with the password.

sudo apt install encfs
encfs works with two directories: one holding the encrypted files (the "root") and a mount point where the same files appear decrypted while mounted. The syntax for creating a pair is encfs [path to encrypted dir] [path to mount point]; encfs offers to create both if they don't exist yet.

To keep the ciphertext in a hidden directory ~/.bar and work with the files through ~/foo:

encfs ~/.bar ~/foo

Unmount with fusermount -u ~/foo when you're done; while it is mounted, the plaintext is readable by anything running as your user. Know what encfs is for: it encrypts per file, so file sizes and the directory layout stay visible, and its 2014 security audit found it weak against an attacker who can obtain several versions of the ciphertext over time. It is fine for protecting a directory against someone who gets a single copy of the disk; for the whole disk, use LUKS instead.
gpg keys

To generate a key:

gpg --gen-key
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Select (1), which gives you a primary key for signing and a subkey for encryption. (GnuPG 2.1 and later asks these questions under gpg --full-gen-key; plain --gen-key takes the defaults.)

What keysize do you want? (2048)
The default keysize is a good choice; on newer GnuPG it is 3072 bits, and 2.3 defaults to ed25519 keys instead.

Key is valid for? (0)
Many people make their keys valid forever. An expiry date (a year or two) is safer: if you lose the key or the revocation certificate, it dies on its own, and you can extend the date at any time with gpg --edit-key. Either way, revoke the key if you stop using it.

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Real Name (Comment) <address>"
Enter your information when prompted. It doesn't have to be real, but the address is how others will look your key up and match it to your mail, so for a key others will use, pick one you control.

You need a Passphrase to protect your secret key.
Use a long passphrase with letters, numbers and special characters. If you forget it, the key is unusable; there is no recovery option.

While the key is being created, type, browse the web or do other things you normally do so the kernel can gather random bytes. If gpg says there aren't enough random bytes available, keep on moving. The output should look something like this:

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 3 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 3u
pub 2048R/8E848E5E 2016-11-21
Key fingerprint = 68EB 183E 44B8 A3C5 6EC1 F3CD A669 187B 8E84 8E5E
uid lolcow
sub 2048R/3939B090 2016-11-21

In the commands below, $GPGKEY is the key's identifier. Use the full fingerprint (68EB ... 8E5E above, with or without spaces) rather than the 8-hex-digit short ID 8E848E5E: short IDs are only 32 bits, and a key that collides with a given one is trivial to generate.

creating a revocation certificate

Generate a revocation certificate right away, so you can mark the key as compromised or retired even if you later lose the private key or forget the passphrase. Keep it somewhere physically secure: anyone holding it can kill your key.

gpg --output revoke.asc --gen-revoke $GPGKEY

GnuPG 2.1 and later also writes one automatically to ~/.gnupg/openpgp-revocs.d/ when the key is created.

creating an ascii armored version of the public key

gpg --output mykey.asc --export -a $GPGKEY
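The dialog above is interactive. As an added example (not part of the original paste), the script below runs the same lifecycle unattended in a throwaway keyring: it generates a sign+encrypt RSA key with an expiry date, picks out the fingerprint, exports the armored public key, signs and verifies a file, and checks that the automatic revocation certificate exists. It assumes GnuPG 2.1 or newer on PATH; the user ID and file names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original paste): the key lifecycle above, run
# non-interactively in a throwaway keyring so your real ~/.gnupg is untouched.
# Assumes GnuPG 2.1 or newer on PATH. The user ID and file names are illustrative.

# $1: scratch directory to use as GNUPGHOME. Prints the new key's fingerprint.
gpg_demo() {
    GNUPGHOME=$1; export GNUPGHOME
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
    uid="Example User <user@example.invalid>"

    # Sign+encrypt capable RSA-3072 key that expires in a year. The empty passphrase is
    # only acceptable because this runs unattended in a scratch keyring; a real key
    # needs a strong one (drop --passphrase and --batch to be prompted for it).
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$uid" rsa3072 default 1y >/dev/null 2>&1 || return 1

    # Identify the key by its 40-hex-digit fingerprint, not the collidable short key ID.
    fpr=$(gpg --batch --with-colons --list-keys "$uid" 2>/dev/null |
          awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$fpr" ] || return 1

    # ASCII-armoured public key for distribution ...
    gpg --batch --armor --export "$fpr" > "$GNUPGHOME/pubkey.asc"

    # ... a detached signature over a (constructed) file, and its verification.
    printf 'constructed sample message\n' > "$GNUPGHOME/msg.txt"
    gpg --batch --pinentry-mode loopback --passphrase '' --local-user "$fpr" \
        --detach-sign --output "$GNUPGHOME/msg.txt.sig" "$GNUPGHOME/msg.txt" 2>/dev/null || return 1
    gpg --batch --verify "$GNUPGHOME/msg.txt.sig" "$GNUPGHOME/msg.txt" 2>/dev/null || return 1

    # GnuPG 2.1+ already wrote a revocation certificate at key creation; this is the
    # file to store offline (the --gen-revoke command above produces the same thing).
    [ -f "$GNUPGHOME/openpgp-revocs.d/$fpr.rev" ] || return 1

    gpgconf --kill gpg-agent 2>/dev/null || true   # don't leave an agent behind for the scratch home
    printf '%s\n' "$fpr"
}

# Demo run (skipped when gpg isn't installed)
if command -v gpg >/dev/null 2>&1; then
    gpg_demo "$(mktemp -d)"
fi
```

The verify step is the one people skip: a signature you never check is decoration. Note also that everything here keys off the fingerprint returned by --with-colons, which is the stable identifier to put in scripts, key-signing notes and authorized-key lists.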
rkhunter

rkhunter (rootkit hunter) scans for rootkits, backdoors and local exploits. Part of that is comparing hashes of important files with the values recorded in its own file properties database; the rest is checks for known rootkit files, suspicious kernel modules, and hidden files and ports.

sudo apt-get install rkhunter
Before running rkhunter you need to fill the file properties database, and that database is only as trustworthy as the system was when you built it: run --propupd on a freshly installed, patched box, not on one you already suspect. Configure rkhunter to run --propupd whenever new packages are installed, or every update shows up as a false positive.

sudo rkhunter --propupd
Running --propupd automatically after software updates

sudo nano /etc/default/rkhunter
Add the line APT_AUTOGEN="yes" to the file (and CRON_DAILY_RUN="true" if you want the daily scan from cron).
Running rkhunter

sudo rkhunter --checkall

Add --sk to skip the "press enter" pauses when running it from a script. Remember that a rootkit running as root can rewrite the properties database too, so treat a clean rkhunter run as one signal, not proof.
iptables

iptables is the command-line tool for the netfilter firewall built into the Linux kernel; it is present on every Ubuntu install, and ufw (also shipped with Ubuntu) is a simpler front end that generates iptables rules for you. The rules below use iptables directly; don't mix the two on one host without knowing what ufw has already loaded.

Running

sudo iptables -L

lists your current iptables rules (add -n to skip the reverse DNS lookups that otherwise make it slow, and -v to see packet counts and interfaces). If you don't have any rules, you should see this:

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
iptables basic options

[1] -A appends this rule to the end of a chain.
[2] -L lists the current filter rules.
[3] -m conntrack allows filter rules to be matched based on connection state.
[4] -m limit rate-limits how often a rule can match (e.g. --limit 5/min), typically paired with LOG.
[5] --ctstate defines the list of connection states for the rule to match on. Valid states are:
\_ [1] NEW - the connection has not been seen yet.
\_ [2] RELATED - the connection is new, but is related to another connection that has been permitted (an FTP data channel, an ICMP error for an existing flow).
\_ [3] ESTABLISHED - the connection has already been established.
\_ [4] INVALID - the traffic could not be identified.
[6] -p is the protocol being matched (tcp, udp, icmp).
[7] --dport is the destination port for this rule; it takes a number or a service name from /etc/services (-m multiport --dports allows several).
[8] -j jumps to a target. The four you'll use most:
\_ [1] ACCEPT - accept the packet and stop processing rules in this chain.
\_ [2] REJECT - refuse the packet with an error sent back to the sender, and stop processing rules in this chain.
\_ [3] LOG - log the packet and continue processing rules in this chain.
\_ [4] DROP - discard the packet silently, and stop processing rules in this chain.
[9] -I inserts a rule at the top of a chain (or at a given position).
[10] -v displays more information in the output.
allowing incoming traffic on specific ports

You could simply block all traffic, but since we're working over ssh we need to allow it before blocking everything, or the session dies with the very rule that blocks it.

Start by accepting traffic that belongs to connections the host already has (the replies to its own outgoing connections, and related traffic such as ICMP errors), and by trusting the loopback interface, which local services such as a database rely on:

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

To allow incoming traffic on port 22 [the ssh default port], tell iptables to accept all incoming TCP traffic to that port:

sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT
This tells iptables to:

[1] append this rule to the INPUT chain (-A INPUT) so we look at incoming traffic
[2] check whether it is TCP (-p tcp)
[3] if so, check whether it is going to the default ssh port (--dport ssh, i.e. 22 as listed in /etc/services; if you moved sshd to another port, use that number here)
[4] if so, accept it (-j ACCEPT)
sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
Let's allow all incoming web traffic:

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Checking our rules again, we now have:

sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:www
We've allowed tcp traffic to the web and ssh ports, but all other traffic still comes in, because we haven't blocked anything yet.

blocking traffic

Once a rule accepts a packet, the rules after it no longer affect it. Because the rules that allow ssh and web traffic come first, that traffic still gets in, so all we need is a rule at the end of the chain that drops everything else.

sudo iptables -A INPUT -j DROP
sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:www
DROP all -- anywhere anywhere
All other incoming traffic is now dropped, except to the web and ssh ports (and to loopback and existing connections).

Three things to know before you rely on this. First, the trailing DROP rule means any later rule added with -A lands after it and never matches; insert new allows with -I, or set the chain policy to DROP (iptables -P INPUT DROP) instead of using a catch-all rule. Second, these rules live in kernel memory only and are gone after a reboot; save them with iptables-save and load them at boot, which the iptables-persistent package does for you. Third, the listing shows IPv4 rules only; ip6tables has its own, still empty, chains, so repeat the exercise there or your "firewalled" host is wide open over IPv6.

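Appending rules one at a time is fine for learning, but for a real host you want the whole INPUT policy in one file that loads atomically and survives reboots. As an added example (not part of the original paste), the function below prints the ruleset described above in iptables-restore format, with the loopback and conntrack rules, a DROP policy instead of a trailing DROP rule, the ssh port taken from a parameter so it matches whatever you set in sshd_config, per-source rate limiting of new ssh connections, and rate-limited logging of what gets dropped. The ssh port 2222 and the limits are illustrative.

```shell
#!/bin/sh
# Added example (not from the original paste): emit the INPUT policy described above
# in iptables-restore format, which loads atomically and can be saved for boot by
# iptables-persistent, instead of appending rules one by one. The ssh port and the
# rate limits are illustrative.

# $1: ssh port (default 22); remaining args: extra TCP ports to allow, e.g. 80 443.
# Prints a complete *filter table for `iptables-restore`.
gen_input_ruleset() {
    ssh_port=${1:-22}
    [ $# -gt 0 ] && shift
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback: local services (the MySQL behind Snort, for one) talk over lo
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened, and related traffic such as ICMP errors
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# packets conntrack cannot classify
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ssh on the port configured in sshd_config; more than 5 new connections from one
# source within 60 s are dropped, which slows password guessing without locking you out
-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m recent --set --name SSH
-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 6 --name SSH -j DROP
-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
EOF
    for p in "$@"; do
        printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$p"
    done
    cat <<'EOF'
# log what the DROP policy is about to discard, but never more than a few lines a minute
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
COMMIT
EOF
}

# Helper for checks: count the ACCEPT rules for a TCP port in a ruleset read from stdin.
count_tcp_accept() { grep -c -- "--dport $1 .*-j ACCEPT"; }

gen_input_ruleset 2222 80 443
```

Load it with iptables-restore --test < rules.v4 to parse without committing, then iptables-restore < rules.v4 (from a console session, or with a scheduled iptables-restore of the old rules as a safety net in case you cut yourself off), and keep the file at /etc/iptables/rules.v4 so iptables-persistent applies it at boot. Write the matching ip6tables file as well; this one only covers IPv4.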
using snort for intrusion detection

An intrusion detection system inspects inbound and outbound network activity and flags patterns that could indicate someone trying to compromise a system. The following diagram shows how an IDS monitors network traffic: the switch mirrors the traffic of the monitored ports to the port the sensor listens on (a SPAN port), so the sensor sees everything without sitting in the path.

+------------------+
|      ROUTER      |
+------------------+
         |
+------------------+
|     FIREWALL     |
+------------------+
         |
+------------------+
|      SWITCH      |
+-------+----+-----+
        |    |             +-------------------+
        |    | MIRRORED    |                   |
        |    |   DATA      |                   |
        |    +------------>|     SNORT IDS     |
        v                  |                   |
       YOU                 +-------------------+
creating the snort database

Assuming you have the LAMP stack installed, create the database and the account snort will log with. Pick a real password instead of 'password'; it ends up in /etc/snort/snort.conf, so restrict that file (mode 640, owned by root and the snort group) as well.

mysql -u root -p
create database snort;
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES ON snort.*
TO 'snort'@'localhost' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;
quit

On MySQL 8 and MariaDB 10.4 or later, GRANT ... IDENTIFIED BY no longer creates the account: run CREATE USER 'snort'@'localhost' IDENTIFIED BY '...' first, then the GRANT without the IDENTIFIED BY clause.

install snort

sudo apt-get -y install snort-mysql
You will be prompted for the address range of the local network (HOME_NET) in Classless Inter-Domain Routing (CIDR) format, e.g. 192.168.1.0/24. Note that snort-mysql is the old Snort 2 packaging with direct database output; upstream removed that output plugin in Snort 2.9.3, and current distributions ship plain snort, which writes unified2 files that barnyard2 (or a log pipeline) loads into the database. The steps below apply where the snort-mysql package is still available.

snort configuration

Load the Snort table structure into the database.

pushd /usr/share/doc/snort-mysql
sudo zcat create_mysql.gz | mysql -u snort -p snort
# The syntax is: mysql -u <user> -p <database>
popd
Modify the Snort configuration file to include our MySQL-specific information. The sed below comments out the tcpdump output line and adds a database output line after it; substitute the real password, and remember that this command line ends up in your shell history.

sudo sed -i "s/output\ log_tcpdump:\ tcpdump.log/#output\ log_tcpdump:\ tcpdump.log\noutput\ database:\ log,\ mysql, user=snort password=password dbname=snort host=localhost/" /etc/snort/snort.conf
Remove the pending-database marker file, which the package uses to keep the service from starting until the database is set up.

sudo rm -f /etc/snort/db-pending-config
Start the Snort service.

sudo /etc/init.d/snort start
installing acid

Snort is of little use if you can't easily read what it found. ACID (packaged as BASE, the Basic Analysis and Security Engine) is a web front end for browsing Snort's alerts.

sudo apt-get -y install acidbase
When first installed, ACID only allows access from localhost. Modify its Apache configuration to allow other workstations to connect.

sudo sed -i "s#allow\ from\ 127.0.0.0/255.0.0.0#allow\ from\ 127.0.0.0/255.0.0.0\ x.x.x.x/255.255.255.0#" /etc/acidbase/apache.conf
Where x.x.x.x is the workstation's network (the netmask 255.255.255.0 admits the whole /24; use 255.255.255.255 for a single host). The allow from syntax is Apache 2.2; on Apache 2.4 the equivalent is a Require ip line. Keep the list as small as possible and put the console behind HTTPS and authentication: it exposes full packet payloads from your network.

Restart apache for the changes to take effect.

sudo /etc/init.d/apache2 restart