Advertisement
joemccray

InfoSec Addicts Intro to Linux

Jan 8th, 2017
1,263
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #####################################
  2. # InfoSecAddicts Intro to Linux #
  3. # By Joe McCray #
  4. #####################################
  5.  
  6.  
  7.  
  8. ##########
  9. # VMWare #
  10. ##########
  11. - For this workshop you'll need the latest version of VMWare Workstation (Windows), Fusion (Mac), or Player.
  12.  
  13. - http://www.vmware.com/ap/products/player.html
  14.  
  15.  
  16. - Although you can get the VM to run in VirtualBox, I will not be supporting this configuration for this class.
  17.  
  18.  
  19. ##########################
  20. # Download the attack VM #
  21. ##########################
  22. https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
  23. user: infosecaddicts
  24. pass: infosecaddicts
  25.  
  26. - Here is a good set of slides for getting started with Linux:
  27. http://www.slideshare.net/olafusimichael/linux-training-24086319
  28.  
  29.  
  30.  
  31.  
  32. - Log in to your Ubuntu host with the following credentials:
  33. user: infosecaddicts
  34. pass: infosecaddicts
  35.  
  36.  
  37.  
  38. - I prefer to use Putty to SSH into my Ubuntu host on pentests and I'll be teaching this class in the same manner that I do pentests.
  39. - You can download Putty from here:
  40. - http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
  41.  
  42.  
  43. - For the purpose of this workshop 192.168.230.128 is my Ubuntu IP address so anytime you see that IP you'll know that's my Ubuntu host
  44.  
  45.  
  46.  
  47. ########################
  48. # Basic Linux Commands #
  49. ########################
  50. cd ~
  51.  
  52. pwd
  53.  
  54. whereis pwd
  55.  
  56. which pwd
  57.  
  58. sudo find / -name pwd
  59.  
  60. /bin/pwd
  61.  
  62. mkdir LinuxBasics
  63.  
  64. cd LinuxBasics
  65.  
  66. touch one two three
  67.  
  68. ls -l t (without pressing the Enter key, press the Tab key twice. What happens?)
  69.  
  70. h (and again without pressing the Enter key, press the Tab key twice. What happens?)
  71.  
  72. Press the 'Up arrow key' (What happens?)
  73.  
  74. Press 'Ctrl-A' (What happens?)
  75.  
  76. ls
  77.  
  78. clear (What happens?)
  79.  
  80. echo one > one
  81.  
  82. cat one (What happens?)
  83.  
  84. man cat (What happens?)
  85. q
  86.  
  87. cat two
  88.  
  89. cat one > two
  90.  
  91. cat two
  92.  
  93. cat one two > three
  94.  
  95. cat three
  96.  
  97. echo four >> three
  98.  
  99. cat three (What happens?)
  100.  
  101. wc -l three
  102.  
  103. man wc
  104. q
  105.  
  106. cat three | grep four
  107.  
  108. cat three | grep one
  109.  
  110. man grep
  111. q
  112.  
  113.  
  114. man ps
  115. q
  116.  
  117. ps
  118.  
  119. ps aux
  120.  
  121. ps aux | less
  122.  
  123. Press the 'Up arrow key' (What happens?)
  124.  
  125. Press the 'Down arrow key' (What happens?)
  126. q
  127.  
  128. top
  129.  
  130.  
  131.  
  132. #########
  133. # Files #
  134. #########
  135. cd ~
  136.  
  137. pwd
  138.  
  139. ls
  140.  
  141. cd LinuxBasics
  142.  
  143. pwd
  144.  
  145. cd ~
  146.  
  147. pwd
  148.  
  149. cd LinuxBasics
  150.  
  151. ls
  152.  
  153. mkdir files
  154.  
  155. cp one files/
  156.  
  157. ls files/
  158.  
  159. cd files/
  160.  
  161. cp ../two .
  162.  
  163. ls
  164.  
  165. cp ../three .
  166.  
  167. ls
  168.  
  169. tar cvf files.tar *
  170.  
  171. ls
  172.  
  173. gzip files.tar
  174.  
  175. ls
  176.  
  177. rm -rf one two three
  178.  
  179. ls
  180.  
  181. tar -zxvf files.tar.gz
  182.  
  183. rm -rf files.tar.gz
  184.  
  185. sudo apt install -y zip unzip
  186.  
  187. zip data *
  188.  
  189. unzip -l data.zip
  190.  
  191. unzip data.zip -d /tmp
  192.  
  193. unzip -l data.zip
  194.  
  195.  
  196.  
  197. ############
  198. # VIM Demo #
  199. ############
  200. cd ~
  201. sudo apt install -y vim
  202. infosecaddicts
  203.  
  204. cd LinuxBasics
  205.  
  206. mkdir vimlesson
  207.  
  208. cd vimlesson
  209.  
  210. vi lesson1.sh
  211.  
  212. i (press "i" to get into INSERT mode and then paste in the lines below)
  213.  
  214. #!/bin/bash
  215.  
  216. echo "This is my first time using vi to create a shell script"
  217. echo " "
  218. echo " "
  219. echo " "
  220. sleep 5
  221. echo "Ok, now let's clear the screen"
  222. sleep 3
  223.  
  224.  
  225. ---------------don't put this line in your script----------------------------
  226.  
  227. ESC (press the ESC key to get you out of INSERT mode)
  228.  
  229. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  230.  
  231.  
  232. wq (typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).
  233.  
  234.  
  235.  
  236. vi lesson1.sh
  237.  
  238. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  239.  
  240. set number (typing "set number" immediately after SHIFT: will add line numbers to vim).
  241.  
  242. wq (typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).
  243.  
  244.  
  245.  
  246.  
  247. vi lesson1.sh
  248.  
  249. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  250.  
  251. set number (typing "set number" immediately after SHIFT: will add line numbers to vim).
  252.  
  253.  
  254. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  255.  
  256. /echo (typing "/echo" immediately after SHIFT: will search the file for the word echo).
  257.  
  258. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  259.  
  260. wq (typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).
  261.  
  262.  
  263.  
  264.  
  265. vi lesson1.sh
  266.  
  267. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  268.  
  269. set number (typing "set number" immediately after SHIFT: will add line numbers to vim).
  270.  
  271.  
  272. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  273.  
  274. 4 (typing "4" immediately after SHIFT: will take you to line number 4).
  275.  
  276. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  277.  
  278. wq (typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).
  279.  
  280.  
  281.  
  282.  
  283. vi lesson1.sh
  284.  
  285. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  286.  
  287. set number (typing "set number" immediately after SHIFT: will add line numbers to vim).
  288.  
  289.  
  290. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  291.  
  292. 4 (typing "4" immediately after SHIFT: will take you to line number 4).
  293.  
  294. dd (typing "dd" will delete the line that you are on)
  295.  
  296. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  297.  
  298. wq (typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).
  299.  
  300.  
  301.  
  302.  
  303. vi lesson1.sh
  304.  
  305. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  306.  
  307. set number (typing "set number" immediately after SHIFT: will add line numbers to vim).
  308.  
  309.  
  310. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  311.  
  312. 4 (typing "4" immediately after SHIFT: will take you to line number 4).
  313.  
  314. dd (typing "dd" will delete the line that you are on)
  315.  
  316. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  317.  
  318. syntax on (typing "syntax on" immediately after SHIFT: will turn on syntax highlighting
  319.  
  320. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  321.  
  322. set tabstop=5 (typing "set tabstop=5" immediately after SHIFT: will set your tabs to 5 spaces
  323.  
  324. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  325.  
  326. wq (typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).
  327.  
  328.  
  329.  
  330.  
  331. vi .vimrc
  332. i (press "i" to get into INSERT mode and then paste in the lines below)
  333.  
  334.  
  335. set number
  336. syntax on
  337. set tabstop=5
  338.  
  339.  
  340. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  341.  
  342. wq (typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).
  343.  
  344.  
  345.  
  346.  
  347.  
  348.  
  349. vi lesson1.sh
  350.  
  351. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  352.  
  353. echo $MYVIMRC (typing "echo $MYVIMRC" immediately after SHIFT: will display the path to your new .vimrc file
  354.  
  355. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  356.  
  357. wq (typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).
  358.  
  359.  
  360. ###############
  361. # Permissions #
  362. ###############
  363. cd ~
  364.  
  365. pwd
  366.  
  367. ls
  368.  
  369. cd LinuxBasics
  370.  
  371. ls -l one
  372.  
  373. We can determine a lot from examining the results of this command. The file "one" is owned by user "me".
  374. Now "me" has the right to read and write this file.
  375. The file is owned by the group "me". Members of the group "me" can also read and write this file.
  376. Everybody else can read this file
  377.  
  378.  
  379.  
  380. ls -l /bin/bash
  381.  
  382.  
  383. Here we can see:
  384.  
  385. The file "/bin/bash" is owned by user "root". The superuser has the right to read, write, and execute this file.
  386. The file is owned by the group "root". Members of the group "root" can also read and execute this file. Everybody else can read and execute this file
  387.  
  388.  
  389. The next command you need to know is "chmod"
  390. rwx rwx rwx = 111 111 111
  391. rw- rw- rw- = 110 110 110
  392. rwx --- --- = 111 000 000
  393.  
  394. and so on...
  395.  
  396. rwx = 111 in binary = 7
  397. rw- = 110 in binary = 6
  398. r-x = 101 in binary = 5
  399. r-- = 100 in binary = 4
  400.  
  401. ls -l one
  402.  
  403. chmod 600 one
  404.  
  405. ls -l one
  406.  
  407. sudo useradd testuser
  408. infosecaddicts
  409.  
  410. sudo passwd testuser
  411.  
  412. testuser
  413. testuser
  414.  
  415. sudo chown testuser one
  416. infosecaddicts
  417.  
  418. ls -l one
  419.  
  420. sudo chgrp testuser one
  421. infosecaddicts
  422.  
  423. ls -l one
  424.  
  425. id
  426.  
  427. su testuser
  428. testuser
  429.  
  430.  
  431. Here is a table of numbers that covers all the common settings. The ones beginning with "7" are used with programs (since they enable execution) and the rest are for other kinds of files.
  432.  
  433. Value Meaning
  434. 777 (rwxrwxrwx) No restrictions on permissions. Anybody may do anything. Generally not a desirable setting.
  435.  
  436. 755 (rwxr-xr-x) The file's owner may read, write, and execute the file. All others may read and execute the file. This setting is common for programs that are used by all users.
  437.  
  438. 700 (rwx------) The file's owner may read, write, and execute the file. Nobody else has any rights. This setting is useful for programs that only the owner may use and must be kept private from others.
  439.  
  440. 666 (rw-rw-rw-) All users may read and write the file.
  441.  
  442. 644 (rw-r--r--) The owner may read and write a file, while all others may only read the file. A common setting for data files that everybody may read, but only the owner may change.
  443.  
  444. 600 (rw-------) The owner may read and write a file. All others have no rights. A common setting for data files that the owner wants to keep private.
  445.  
  446.  
  447.  
  448. Directory permissions
  449. ---------------------
  450. The chmod command can also be used to control the access permissions for directories. In most ways, the permissions scheme for directories works the same way as they do with files. However, the execution permission is used in a different way. It provides control for access to file listing and other things. Here are some useful settings for directories:
  451.  
  452. Value Meaning
  453. 777 (rwxrwxrwx) No restrictions on permissions.
  454. Anybody may list files, create new files in the directory and delete files in the directory.
  455. Generally not a good setting.
  456.  
  457.  
  458.  
  459. 755 (rwxr-xr-x) The directory owner has full access.
  460. All others may list the directory, but cannot create files nor delete them.
  461. This setting is common for directories that you wish to share with other users.
  462.  
  463.  
  464.  
  465. 700 (rwx------) The directory owner has full access. Nobody else has any rights. This setting is useful for directories that only the owner may use and must be kept private from others.
  466.  
  467. ######################
  468. # Process Management #
  469. ######################
  470. top
  471.  
  472. sudo apt install -y htop
  473. infosecaddicts
  474.  
  475. htop
  476.  
  477. ps
  478.  
  479. ps aux
  480.  
  481. ps -A
  482.  
  483. ps -A | less
  484.  
  485. ps axjf
  486.  
  487. pstree
  488.  
  489. pgrep bash
  490.  
  491. pgrep init
  492.  
  493. ps aux | grep apache
  494.  
  495. You can list all of the signals that are possible to send with kill by typing:
  496.  
  497. kill -l
  498.  
  499. sudo kill -HUP pid_of_apache
  500.  
  501. The pkill command works in almost exactly the same way as kill, but it operates on a process name instead:
  502.  
  503. pkill -9 ping
  504. The above command is the equivalent of:
  505.  
  506. kill -9 `pgrep ping`
  507.  
  508.  
  509.  
  510.  
  511.  
  512. ####################
  513. # MD5 Hashing Demo #
  514. ####################
  515. cd ~/LinuxBasics
  516. mkdir hashdemo
  517. cd hashdemo
  518. echo test > test.txt
  519. cat test.txt
  520. md5sum test.txt
  521. echo hello >> test.txt
  522. cat test.txt
  523. md5sum test.txt
  524. cd ..
  525.  
  526.  
  527.  
  528.  
  529. #################################
  530. # Symmetric Key Encryption Demo #
  531. #################################
  532. cd ~/LinuxBasics
  533. mkdir gpgdemo
  534. cd gpgdemo
  535. echo test > test.txt
  536. cat test.txt
  537. gpg -c test.txt
  538. password
  539. password
  540. ls | grep test
  541. cat test.txt
  542. cat test.txt.gpg
  543. rm -rf test.txt
  544. ls | grep test
  545. gpg -o output.txt test.txt.gpg
  546. cat output.txt
  547.  
  548.  
  549. #########################################################################################################################
  550. # Asymmetric Key Encryption Demo #
  551. # #
  552. # Configure random number generator #
  553. # https://www.howtoforge.com/helping-the-random-number-generator-to-gain-enough-entropy-with-rng-tools-debian-lenny #
  554. #########################################################################################################################
  555.  
  556. sudo apt install -y rng-tools
  557. infosecaddicts
  558.  
  559. /etc/init.d/rng-tools start
  560.  
  561. sudo rngd -r /dev/urandom
  562. infosecaddicts
  563.  
  564.  
  565. echo hello > file1.txt
  566. echo goodbye > file2.txt
  567. echo green > file3.txt
  568. echo blue > file4.txt
  569.  
  570. tar czf files.tar.gz *.txt
  571.  
  572. gpg --gen-key
  573. 1
  574. 1024
  575. 0
  576. y
  577. John Doe
  578. john@doe.com
  579. --blank comment--
  580. O
  581. password
  582. password
  583.  
  584.  
  585.  
  586. gpg --armor --output file-enc-pubkey.txt --export 'John Doe'
  587.  
  588. cat file-enc-pubkey.txt
  589.  
  590. gpg --armor --output file-enc-privkey.asc --export-secret-keys 'John Doe'
  591.  
  592. cat file-enc-privkey.asc
  593.  
  594. gpg --encrypt --recipient 'John Doe' files.tar.gz
  595.  
  596. rm -rf files.tar.gz *.txt
  597.  
  598. ls
  599.  
  600. tar -zxvf files.tar.gz.gpg
  601.  
  602. gpg --output output.tar.gz --decrypt files.tar.gz.gpg
  603. password
  604.  
  605. tar -zxvf output.tar.gz
  606.  
  607. ls
  608.  
  609.  
  610.  
  611.  
  612.  
  613. ############################
  614. # Encryption using OpenSSL #
  615. ############################
  616. openssl genrsa -out private_key.pem 1024
  617. openssl rsa -in private_key.pem -out public_key.pem -outform PEM -pubout
  618.  
  619.  
  620. echo hello > encrypt.txt
  621. openssl rsautl -encrypt -inkey public_key.pem -pubin -in encrypt.txt -out encrypt.dat
  622.  
  623. cat encrypt.dat
  624.  
  625. rm -rf encrypt.txt
  626.  
  627. ls
  628.  
  629. openssl rsautl -decrypt -inkey private_key.pem -in encrypt.dat -out decrypt.txt
  630.  
  631. cat decrypt.txt
  632.  
  633.  
  634.  
  635. ###############################
  636. # Secure File/Folder Deletion #
  637. ###############################
  638. sudo apt install -y secure-delete wipe
  639.  
  640. wget https://www.sans.org/security-resources/tcpip.pdf
  641.  
  642. file tcpip.pdf
  643.  
  644. sudo srm tcpip.pdf
  645.  
  646. wget https://www.sans.org/security-resources/tcpip.pdf
  647.  
  648. shred tcpip.pdf
  649.  
  650. wget https://www.sans.org/security-resources/tcpip.pdf
  651.  
  652. wipe tcpip.pdf
  653.  
  654.  
  655.  
  656.  
  657.  
  658. #################
  659. # IPTables Demo #
  660. #################
  661. cd ~
  662.  
  663. - Delete Existing Rules
  664. ---------------------
  665. sudo /sbin/iptables -F
  666. infosecaddicts
  667.  
  668. (or)
  669.  
  670. sudo /sbin/iptables --flush
  671. infosecaddicts
  672.  
  673.  
  674.  
  675. - Set Default Chain Policies
  676. --------------------------
  677. iptables -P INPUT DROP
  678. iptables -P FORWARD DROP
  679. iptables -P OUTPUT DROP
  680.  
  681.  
  682.  
  683. - Delete Existing Rules
  684. ---------------------
  685. sudo /sbin/iptables -F
  686. infosecaddicts
  687.  
  688. (or)
  689.  
  690. sudo /sbin/iptables --flush
  691. infosecaddicts
  692.  
  693.  
  694.  
  695.  
  696. sudo /bin/bash
  697.  
  698.  
  699.  
  700. - Block a Specific ip-address
  701. -----------------------------
  702. BLOCK_THIS_IP="1.2.3.4"
  703. iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP
  704.  
  705.  
  706. iptables -A INPUT -i eth0 -s "$BLOCK_THIS_IP" -j DROP
  707. iptables -A INPUT -i eth0 -p tcp -s "$BLOCK_THIS_IP" -j DROP
  708.  
  709.  
  710. - Allow ALL Incoming SSH
  711. ------------------------
  712. iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
  713. iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
  714.  
  715.  
  716. - Allow Incoming SSH only from a Sepcific Network
  717. -------------------------------------------------
  718. iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
  719. iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
  720.  
  721.  
  722. - Allow Incoming HTTP and HTTPS
  723. -------------------------------
  724. iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
  725. iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
  726.  
  727.  
  728. iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
  729. iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
  730.  
  731.  
  732.  
  733. - Combine Multiple Rules Together using MultiPorts
  734. --------------------------------------------------
  735. iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
  736. iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT
  737.  
  738.  
  739. - Allow Outgoing SSH
  740. --------------------
  741. iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
  742. iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
  743.  
  744.  
  745. - Allow Outgoing SSH only to a Specific Network
  746. -----------------------------------------------
  747. The following rules allow outgoing ssh connection only to a specific network. i.e You an ssh only to 192.168.100.0/24 network from the inside.
  748.  
  749. iptables -A OUTPUT -o eth0 -p tcp -d 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
  750. iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
  751.  
  752.  
  753.  
  754. - Allow Outgoing HTTPS
  755. ----------------------
  756. The following rules allow outgoing secure web traffic. This is helpful when you want to allow internet traffic for your users. On servers, these rules are also helpful when you want to use wget to download some files from outside.
  757.  
  758. iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
  759. iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
  760.  
  761.  
  762.  
  763.  
  764. Load Balance Incoming Web Traffic
  765. ---------------------------------
  766. You can also load balance your incoming web traffic using iptables firewall rules.
  767.  
  768. This uses the iptables nth extension. The following example load balances the HTTPS traffic to three different ip-address. For every 3th packet, it is load balanced to the appropriate server (using the counter 0).
  769.  
  770. iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
  771. iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
  772. iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443
  773.  
  774.  
  775.  
  776. Allow Ping from Outside to Inside
  777. ---------------------------------
  778. The following rules allow outside users to be able to ping your servers.
  779.  
  780. iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  781. iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
  782.  
  783.  
  784.  
  785. Allow Ping from Inside to Outside
  786. ---------------------------------
  787. The following rules allow you to ping from inside to any of the outside servers.
  788.  
  789. iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
  790. iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
  791.  
  792.  
  793.  
  794. Allow Loopback Access
  795. ---------------------
  796. You should allow full loopback access on your servers. i.e access using 127.0.0.1
  797.  
  798. iptables -A INPUT -i lo -j ACCEPT
  799. iptables -A OUTPUT -o lo -j ACCEPT
  800.  
  801.  
  802.  
  803. Allow Internal Network to External network
  804. ------------------------------------------
  805. On the firewall server where one ethernet card is connected to the external, and another ethernet card connected to the internal servers, use the following rules to allow internal network talk to external network.
  806.  
  807. In this example, eth1 is connected to external network (internet), and eth0 is connected to internal network (For example: 192.168.1.x).
  808.  
  809. iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
  810.  
  811.  
  812.  
  813. Allow outbound DNS
  814. ------------------
  815. The following rules allow outgoing DNS connections.
  816.  
  817. iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
  818. iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
  819.  
  820.  
  821.  
  822. Allow Rsync From a Specific Network
  823. -----------------------------------
  824. The following rules allows rsync only from a specific network.
  825.  
  826. iptables -A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
  827. iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT
  828.  
  829.  
  830.  
  831. Allow MySQL connection only from a specific network
  832. ---------------------------------------------------
  833. If you are running MySQL, typically you don’t want to allow direct connection from outside. In most cases, you might have web server running on the same server where the MySQL database runs.
  834.  
  835. However DBA and developers might need to login directly to the MySQL from their laptop and desktop using MySQL client. In those case, you might want to allow your internal network to talk to the MySQL directly as shown below.
  836.  
  837. iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
  838. iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
  839.  
  840.  
  841.  
  842. Allow Sendmail or Postfix Traffic
  843. ---------------------------------
  844. The following rules allow mail traffic. It may be sendmail or postfix.
  845.  
  846. iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
  847. iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
  848.  
  849.  
  850. Allow IMAP and IMAPS
  851. --------------------
  852. The following rules allow IMAP/IMAP2 traffic.
  853.  
  854. iptables -A INPUT -i eth0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
  855. iptables -A OUTPUT -o eth0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT
  856.  
  857.  
  858. The following rules allow IMAPS traffic.
  859.  
  860. iptables -A INPUT -i eth0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
  861. iptables -A OUTPUT -o eth0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT
  862.  
  863.  
  864.  
  865.  
  866. Allow POP3 and POP3S
  867. --------------------
  868. The following rules allow POP3 access.
  869.  
  870. iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
  871. iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
  872. The following rules allow POP3S access.
  873.  
  874. iptables -A INPUT -i eth0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
  875. iptables -A OUTPUT -o eth0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT
  876.  
  877.  
  878.  
  879. Port Forwarding
  880. ---------------
  881. The following example routes all traffic that comes to the port 442 to 22. This means that the incoming ssh connection can come from both port 22 and 422.
  882.  
  883. iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to 192.168.102.37:22
  884.  
  885. If you do the above, you also need to explicitly allow incoming connection on the port 422.
  886.  
  887. iptables -A INPUT -i eth0 -p tcp --dport 422 -m state --state NEW,ESTABLISHED -j ACCEPT
  888. iptables -A OUTPUT -o eth0 -p tcp --sport 422 -m state --state ESTABLISHED -j ACCEPT
  889.  
  890.  
  891. Log Dropped Packets
  892. -------------------
  893. You might also want to log all the dropped packets. These rules should be at the bottom.
  894.  
  895. First, create a new chain called LOGGING.
  896.  
  897. iptables -N LOGGING
  898. Next, make sure all the remaining incoming connections jump to the LOGGING chain as shown below.
  899.  
  900. iptables -A INPUT -j LOGGING
  901. Next, log these packets by specifying a custom “log-prefix”.
  902.  
  903. iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
  904. Finally, drop these packets.
  905.  
  906. iptables -A LOGGING -j DROP
  907.  
  908.  
  909.  
  910. #########################
  911. # Ubuntu Perfect Server #
  912. #########################
  913.  
  914. Reference:
  915. https://www.howtoforge.com/tutorial/ubuntu-perfect-server-with-apache-php-myqsl-pureftpd-bind-postfix-doveot-and-ispconfig/
  916.  
  917.  
  918. deb http://de.archive.ubuntu.com/ubuntu/ yakkety main restricted
  919. deb http://de.archive.ubuntu.com/ubuntu/ yakkety-updates main restricted
  920. deb http://de.archive.ubuntu.com/ubuntu/ yakkety universe
  921. deb http://de.archive.ubuntu.com/ubuntu/ yakkety-updates universe
  922. deb http://de.archive.ubuntu.com/ubuntu/ yakkety-updates multiverse
  923.  
  924.  
  925. Then run
  926. apt-get update
  927.  
  928. to update the apt package database and
  929. apt-get upgrade
  930.  
  931. to install the latest updates (if there are any). If you see that a new kernel gets installed as part of the updates, you should reboot the system afterwards:
  932. reboot
  933.  
  934. Change the Default Shell
  935. /bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash. Therefore, we do this:
  936. dpkg-reconfigure dash
  937.  
  938. Use dash as the default system shell (/bin/sh)? <-- No
  939.  
  940. Disable AppArmor
  941. ----------------
  942. AppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion, you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only AppArmor was causing the problem). Therefore, I disable it (this is a must if you want to install ISPConfig later on).
  943. We can disable it like this:
  944.  
  945. service apparmor stop
  946. update-rc.d -f apparmor remove
  947. apt-get remove apparmor apparmor-utils
  948.  
  949.  
  950. apt-get -y install ntp ntpdate
  951.  
  952. Install Postfix, Dovecot, MariaDB, rkhunter and binutils
  953. --------------------------------------------------------
  954. For installing postfix, we need to ensure that sendmail is not installed and running. To stop and remove sendmail run this command:
  955.  
  956. service sendmail stop; update-rc.d -f sendmail remove
  957.  
  958.  
  959.  
  960.  
  961. #######################
  962. # Hardening Ubuntu 16 #
  963. #######################
  964.  
  965. This guide is intended as a relatively easy step by step guide to:
  966.  
  967. Harden the security on an Ubuntu 16.04 LTS server by installing and configuring the following:
  968.  
  969. Install and configure Firewall - ufw
  970. Secure shared memory - fstab
  971. SSH - Key based login, disable root login and change port
  972. Apache SSL - Disable SSL v3 support
  973. Protect su by limiting access only to admin group
  974. Harden network with sysctl settings
  975. Disable Open DNS Recursion and Remove Version Info - Bind9 DNS
  976. Prevent IP Spoofing
  977. Harden PHP for security
  978. Restrict Apache Information Leakage
  979. Install and configure Apache application firewall - ModSecurity
  980. Protect from DDOS (Denial of Service) attacks with ModEvasive
  981. Scan logs and ban suspicious hosts - DenyHosts and Fail2Ban
  982. Intrusion Detection - PSAD
  983. Check for RootKits - RKHunter and CHKRootKit
  984. Scan open Ports - Nmap
  985. Analyse system LOG files - LogWatch
  986. Apparmor - Application Armor
  987. Audit your system security - Tiger and Tripwire
  988. Requirements:
  989.  
  990. Ubuntu 16.04 LTS or later server with a standard LAMP stack installed.
  991. 1. Firewall - UFW
  992.  
  993. A good place to start is to install a Firewall.
  994. UFW - Uncomplicated Firewall is a basic firewall that works very well and easy to configure with its Firewall configuration tool - gufw, or use Shorewall, fwbuilder, or Firestarter.
  995. Use Firestarter GUI to configure your firewall or refer to the Ubuntu Server Guide, UFW manual pages or the Ubuntu UFW community documentation.
  996. Install UFW and enable, open a terminal window and enter :
  997. sudo apt-get install ufw
  998. Allow SSH and Http services.
  999. sudo ufw allow ssh
  1000. sudo ufw allow http
  1001. Enable the firewall.
  1002. sudo ufw enable
  1003. Check the status of the firewall.
  1004. sudo ufw status verbose
  1005. 2. Secure shared memory.
  1006.  
  1007. Shared memory can be used in an attack against a running service. Modify /etc/fstab to make it more secure.
  1008. Open a Terminal Window and enter the following :
  1009. sudo vi /etc/fstab
  1010. Add the following line and save. You will need to reboot for this setting to take effect :
  1011. Note : This only is works in Ubuntu 12.10 or later - For earlier Ubuntu versions replace /run/shm with /dev/shm
  1012. Save and Reboot when done
  1013. tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0
  1014. 3. SSH Hardening - key based login, disable root login and change port.
  1015.  
  1016. The best way to secure SSH is to use public/private key based login. See SSH/OpenSSH/Keys
  1017. If you have to use password authentication, the easiest way to secure SSH is to disable root login and change the SSH port to something different than the standard port 22.
  1018. Before disabling the root login create a new SSH user and make sure the user belongs to the admin group (see step 4. below regarding the admin group).
  1019. if you change the SSH port keep the port number below 1024 as these are priviledged ports that can only be opened by root or processes running as root.
  1020. If you change the SSH port also open the new port you have chosen on the firewall and close port 22.
  1021. Open a Terminal Window and enter :
  1022. sudo vi /etc/ssh/sshd_config
  1023. Change or add the following and save.
  1024. Port <ENTER YOUR PORT>
  1025. Protocol 2
  1026. PermitRootLogin no
  1027. DebianBanner no
  1028. Restart SSH server, open a Terminal Window and enter :
  1029. sudo service ssh restart
  1030. 4. Apache SSL Hardening - disable SSL v2/v3 support.
  1031.  
  1032. The SSL v2/v3 protocol has been proven to be insecure.
  1033. We will disable Apache support for the protocol and force the use of the newer protocols.
  1034. Open a Terminal Window and enter :
  1035. sudo vi /etc/apache2/mods-available/ssl.conf
  1036. Change this line from :
  1037. SSLProtocol all -SSLv3
  1038. To the following and save.
  1039. SSLProtocol all -SSLv2 -SSLv3
  1040. Restart the Apache server, open a Terminal Window and enter :
  1041. sudo service apache2 restart
  1042. 5. Protect su by limiting access only to admin group.
  1043.  
  1044. To limit the use of su by admin users only we need to create an admin group, then add users and limit the use of su to the admin group.
  1045. Add a admin group to the system and add your own admin username to the group by replacing <YOUR ADMIN USERNAME> below with your admin username.
  1046. Open a terminal window and enter:
  1047. sudo groupadd admin
  1048. sudo usermod -a -G admin <YOUR ADMIN USERNAME>
  1049. sudo dpkg-statoverride --update --add root admin 4750 /bin/su
  1050. 6. Harden network with sysctl settings.
  1051.  
  1052. The /etc/sysctl.conf file contain all the sysctl settings.
  1053. Prevent source routing of incoming packets and log malformed IP's enter the following in a terminal window:
  1054. sudo vi /etc/sysctl.conf
  1055. Edit the /etc/sysctl.conf file and un-comment or add the following lines :
  1056. # IP Spoofing protection
  1057. net.ipv4.conf.all.rp_filter = 1
  1058. net.ipv4.conf.default.rp_filter = 1
  1059.  
  1060. # Ignore ICMP broadcast requests
  1061. net.ipv4.icmp_echo_ignore_broadcasts = 1
  1062.  
  1063. # Disable source packet routing
  1064. net.ipv4.conf.all.accept_source_route = 0
  1065. net.ipv6.conf.all.accept_source_route = 0
  1066. net.ipv4.conf.default.accept_source_route = 0
  1067. net.ipv6.conf.default.accept_source_route = 0
  1068.  
  1069. # Ignore send redirects
  1070. net.ipv4.conf.all.send_redirects = 0
  1071. net.ipv4.conf.default.send_redirects = 0
  1072.  
  1073. # Block SYN attacks
  1074. net.ipv4.tcp_syncookies = 1
  1075. net.ipv4.tcp_max_syn_backlog = 2048
  1076. net.ipv4.tcp_synack_retries = 2
  1077. net.ipv4.tcp_syn_retries = 5
  1078.  
  1079. # Log Martians
  1080. net.ipv4.conf.all.log_martians = 1
  1081. net.ipv4.icmp_ignore_bogus_error_responses = 1
  1082.  
  1083. # Ignore ICMP redirects
  1084. net.ipv4.conf.all.accept_redirects = 0
  1085. net.ipv6.conf.all.accept_redirects = 0
  1086. net.ipv4.conf.default.accept_redirects = 0
  1087. net.ipv6.conf.default.accept_redirects = 0
  1088.  
  1089. # Ignore Directed pings
  1090. net.ipv4.icmp_echo_ignore_all = 1
  1091. To reload sysctl with the latest changes, enter:
  1092. sudo sysctl -p
  1093. 7. Disable Open DNS Recursion and Remove Version Info - BIND DNS Server.
  1094.  
  1095. Open a Terminal and enter the following :
  1096. sudo vi /etc/bind/named.conf.options
  1097. Add the following to the Options section :
  1098. recursion no;
  1099. version "Not Disclosed";
  1100. Restart BIND DNS server. Open a Terminal and enter the following :
  1101. sudo service bind9 restart
  1102. 8. Prevent IP Spoofing.
  1103.  
  1104. Open a Terminal and enter the following :
  1105. sudo vi /etc/host.conf
  1106. Add or edit the following lines :
  1107. order bind,hosts
  1108. nospoof on
  1109. 9. Harden PHP for security.
  1110.  
  1111. Edit the php.ini file :
  1112. sudo vi /etc/php5/apache2/php.ini
  1113. Add or edit the following lines an save :
  1114. disable_functions = exec,system,shell_exec,passthru
  1115. register_globals = Off
  1116. expose_php = Off
  1117. display_errors = Off
  1118. track_errors = Off
  1119. html_errors = Off
  1120. magic_quotes_gpc = Off
  1121. mail.add_x_header = Off
  1122. session.name = NEWSESSID
  1123. Restart Apache server. Open a Terminal and enter the following :
  1124. sudo service apache2 restart
  1125. 10. Restrict Apache Information Leakage.
  1126.  
  1127. Edit the Apache2 configuration security file :
  1128. sudo vi /etc/apache2/conf-available/security.conf
  1129. Add or edit the following lines and save :
  1130. ServerTokens Prod
  1131. ServerSignature Off
  1132. TraceEnable Off
  1133. Header unset ETag
  1134. Header always unset X-Powered-By
  1135. FileETag None
  1136. Restart Apache server. Open a Terminal and enter the following :
  1137. sudo service apache2 restart
  1138. 11. Web Application Firewall - ModSecurity.
  1139.  
  1140. See : How to install apache2 mod_security and mod_evasive on Ubuntu 12.04 LTS server
  1141. 12. Protect from DDOS (Denial of Service) attacks - ModEvasive
  1142.  
  1143. See : How to install apache2 mod_security and mod_evasive on Ubuntu 12.04 LTS server
  1144. 13. Scan logs and ban suspicious hosts - DenyHosts and Fail2Ban.
  1145.  
  1146. DenyHosts is a python program that automatically blocks SSH attacks by adding entries to /etc/hosts.deny. DenyHosts will also inform Linux administrators about offending hosts, attacked users and suspicious logins.
  1147. Open a Terminal and enter the following :
  1148. sudo apt-get install denyhosts
  1149. After installation edit the configuration file /etc/denyhosts.conf and change the email, and other settings as required.
  1150. To edit the admin email settings open a terminal window and enter:
  1151. sudo vi /etc/denyhosts.conf
  1152. Change the following values as required on your server :
  1153. ADMIN_EMAIL = root@localhost
  1154. SMTP_HOST = localhost
  1155. SMTP_PORT = 25
  1156. #SMTP_USERNAME=foo
  1157. #SMTP_PASSWORD=bar
  1158. SMTP_FROM = DenyHosts nobody@localhost
  1159. #SYSLOG_REPORT=YES
  1160. Fail2ban is more advanced than DenyHosts as it extends the log monitoring to other services including SSH, Apache, Courier, FTP, and more.
  1161. Fail2ban scans log files and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc.
  1162. Generally Fail2Ban then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action could also be configured.
  1163. Out of the box Fail2Ban comes with filters for various services (apache, courier, ftp, ssh, etc).
  1164. Open a Terminal and enter the following :
  1165. sudo apt-get install fail2ban
  1166. After installation edit the configuration file /etc/fail2ban/jail.local and create the filter rules as required.
  1167. To edit the settings open a terminal window and enter:
  1168. sudo vi /etc/fail2ban/jail.conf
  1169. Activate all the services you would like fail2ban to monitor by changing enabled = false to enabled = true
  1170. For example if you would like to enable the SSH monitoring and banning jail, find the line below and change enabled from false to true. Thats it.
  1171. [sshd]
  1172.  
  1173. enabled = true
  1174. port = ssh
  1175. filter = sshd
  1176. logpath = /var/log/auth.log
  1177. maxretry = 3
  1178. If you have selected a non-standard SSH port in step 3 then you need to change the port setting in fail2ban from ssh which by default is port 22, to your new port number, for example if you have chosen 1234 then port = 1234
  1179. [sshd]
  1180.  
  1181. enabled = true
  1182. port = <ENTER YOUR SSH PORT NUMBER HERE>
  1183. filter = sshd
  1184. logpath = /var/log/auth.log
  1185. maxretry = 3
  1186. If you would like to receive emails from Fail2Ban if hosts are banned change the following line to your email address.
  1187. destemail = root@localhost
  1188. and change the following line from :
  1189. action = %(action_)s
  1190. to:
  1191. action = %(action_mwl)s
  1192. You can also create rule filters for the various services that you would like fail2ban to monitor that is not supplied by default.
  1193. sudo vi /etc/fail2ban/jail.local
  1194. Good instructions on how to configure fail2ban and create the various filters can be found on HowtoForge - click here for an example
  1195. When done with the configuration of Fail2Ban restart the service with :
  1196. sudo service fail2ban restart
  1197. You can also check the status with.
  1198. sudo fail2ban-client status
  1199. 14. Intrusion Detection - PSAD.
  1200.  
  1201. Cipherdyne PSAD is a collection of three lightweight system daemons that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic.
  1202. To install the latest version from the source files follow these instruction : How to install PSAD Intrusion Detection on Ubuntu 12.04 LTS server
  1203. OR install the older version from the Ubuntu software repositories, open a Terminal and enter the following :
  1204. sudo apt-get install psad
  1205. Then for basic configuration see How to install PSAD Intrusion Detection on Ubuntu 12.04 LTS server and follow from step 2:
  1206. 15. Check for rootkits - RKHunter and CHKRootKit.
  1207.  
  1208. Both RKHunter and CHKRootkit basically do the same thing - check your system for rootkits. No harm in using both.
  1209. Open a Terminal and enter the following :
  1210. sudo apt-get install rkhunter chkrootkit
  1211. To run chkrootkit open a terminal window and enter :
  1212. sudo chkrootkit
  1213. To update and run RKHunter. Open a Terminal and enter the following :
  1214. sudo rkhunter --update
  1215. sudo rkhunter --propupd
  1216. sudo rkhunter --check
  1217. 16. Scan open ports - Nmap.
  1218.  
  1219. Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing.
  1220. Open a Terminal and enter the following :
  1221. sudo apt-get install nmap
  1222. Scan your system for open ports with :
  1223. nmap -v -sT localhost
  1224. SYN scanning with the following :
  1225. sudo nmap -v -sS localhost
  1226. 17. Analyse system LOG files - LogWatch.
  1227.  
  1228. Logwatch is a customizable log analysis system. Logwatch parses through your system's logs and creates a report analyzing areas that you specify. Logwatch is easy to use and will work right out of the package on most systems.
  1229. Open a Terminal and enter the following :
  1230. sudo apt-get install logwatch libdate-manip-perl
  1231. To view logwatch output use less :
  1232. sudo logwatch | less
  1233. To email a logwatch report for the past 7 days to an email address, enter the following and replace mail@domain.com with the required email. :
  1234. sudo logwatch --mailto mail@domain.com --output mail --format html --range 'between -7 days and today'
  1235. 18. Apparmor - Application Armor.
  1236.  
  1237. More information can be found here. Ubuntu Server Guide - Apparmor
  1238. It is installed by default since Ubuntu 7.04.
  1239. Open a Terminal and enter the following :
  1240. sudo apt-get install apparmor apparmor-profiles
  1241. Check to see if things are running :
  1242. sudo apparmor_status
  1243. 19. Audit your system security - Tiger and Tripwire.
  1244.  
  1245. Tiger is a security tool that can be use both as a security audit and intrusion detection system.
  1246. Tripwire is a host-based intrusion detection system (HIDS) that checks file and folder integrity.
  1247. Open a Terminal and enter the following :
  1248. sudo apt-get install tiger tripwire
  1249. To setup Tripwire good installation guides can be found on Digital Ocean here and on Unixmen here
  1250. To run tiger enter :
  1251. sudo tiger
  1252. All Tiger output can be found in the /var/log/tiger
  1253. To view the tiger security reports, open a Terminal and enter the following :
  1254. sudo less /var/log/tiger/security.report.*
  1255.  
  1256. ##############################################
  1257. # Log Analysis with Linux command-line tools #
  1258. ##############################################
  1259. - The following command line executables are found in the Mac as well as most Linux Distributions.
  1260.  
  1261. cat – prints the content of a file in the terminal window
  1262. grep – searches and filters based on patterns
  1263. awk – can sort each row into fields and display only what is needed
  1264. sed – performs find and replace functions
  1265. sort – arranges output in an order
  1266. uniq – compares adjacent lines and can report, filter or provide a count of duplicates
  1267.  
  1268.  
  1269.  
  1270. ###############
  1271. # Apache Logs #
  1272. ###############
  1273.  
  1274. Reference:
  1275. http://www.the-art-of-web.com/system/logs/
  1276.  
  1277. wget https://s3.amazonaws.com/SecureNinja/Python/access_log
  1278.  
  1279.  
  1280. - You want to list all user agents ordered by the number of times they appear (descending order):
  1281.  
  1282. awk -F\" '{print $6}' access_log | sort | uniq -c | sort -fr
  1283.  
  1284.  
  1285.  
  1286. - Using the default separator which is any white-space (spaces or tabs) we get the following:
  1287.  
  1288. awk '{print $1}' access_log # ip address (%h)
  1289. awk '{print $2}' access_log # RFC 1413 identity (%l)
  1290. awk '{print $3}' access_log # userid (%u)
  1291. awk '{print $4,5}' access_log # date/time (%t)
  1292. awk '{print $9}' access_log # status code (%>s)
  1293. awk '{print $10}' access_log # size (%b)
  1294.  
  1295. - You might notice that we've missed out some items. To get to them we need to set the delimiter to the " character which changes the way the lines are 'exploded' and allows the following:
  1296.  
  1297. awk -F\" '{print $2}' access_log # request line (%r)
  1298. awk -F\" '{print $4}' access_log # referer
  1299. awk -F\" '{print $6}' access_log # user agent
  1300.  
  1301.  
  1302. awk -F\" '{print $6}' access_log \
  1303. | sed 's/(\([^;]\+; [^;]\+\)[^)]*)/(\1)/' \
  1304. | sort | uniq -c | sort -fr
  1305.  
  1306.  
  1307. - The next step is to start filtering the output so you can narrow down on a certain page or referer. Would you like to know which pages Google has been requesting from your site?
  1308.  
  1309. awk -F\" '($6 ~ /Googlebot/){print $2}' access_log | awk '{print $2}'
  1310. Or who's been looking at your guestbook?
  1311.  
  1312. awk -F\" '($2 ~ /guestbook\.html/){print $6}' access_log
  1313.  
  1314.  
  1315. Reference:
  1316. https://blog.nexcess.net/2011/01/21/one-liners-for-apache-log-files/
  1317.  
  1318. # top 20 URLs from the last 5000 hits
  1319. tail -5000 ./access_log | awk '{print $7}' | sort | uniq -c | sort -rn | head -20
  1320. tail -5000 ./access_log | awk '{freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20
  1321.  
  1322. # top 20 URLS excluding POST data from the last 5000 hits
  1323. tail -5000 ./access_log | awk -F"[ ?]" '{print $7}' | sort | uniq -c | sort -rn | head -20
  1324. tail -5000 ./access_log | awk -F"[ ?]" '{freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20
  1325.  
  1326. # top 20 IPs from the last 5000 hits
  1327. tail -5000 ./access_log | awk '{print $1}' | sort | uniq -c | sort -rn | head -20
  1328. tail -5000 ./access_log | awk '{freq[$1]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20
  1329.  
  1330. # top 20 URLs requested from a certain ip from the last 5000 hits
  1331. IP=1.2.3.4; tail -5000 ./access_log | grep $IP | awk '{print $7}' | sort | uniq -c | sort -rn | head -20
  1332. IP=1.2.3.4; tail -5000 ./access_log | awk -v ip=$IP ' $1 ~ ip {freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20
  1333.  
  1334. # top 20 URLS requested from a certain ip excluding, excluding POST data, from the last 5000 hits
  1335. IP=1.2.3.4; tail -5000 ./access_log | fgrep $IP | awk -F "[ ?]" '{print $7}' | sort | uniq -c | sort -rn | head -20
  1336. IP=1.2.3.4; tail -5000 ./access_log | awk -F"[ ?]" -v ip=$IP ' $1 ~ ip {freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20
  1337.  
  1338. # top 20 referrers from the last 5000 hits
  1339. tail -5000 ./access_log | awk '{print $11}' | tr -d '"' | sort | uniq -c | sort -rn | head -20
  1340. tail -5000 ./access_log | awk '{freq[$11]++} END {for (x in freq) {print freq[x], x}}' | tr -d '"' | sort -rn | head -20
  1341.  
  1342. # top 20 user agents from the last 5000 hits
  1343. tail -5000 ./access_log | cut -d\ -f12- | sort | uniq -c | sort -rn | head -20
  1344.  
  1345. # sum of data (in MB) transferred in the last 5000 hits
  1346. tail -5000 ./access_log | awk '{sum+=$10} END {print sum/1048576}'
  1347.  
  1348.  
  1349. ##############
  1350. # Cisco Logs #
  1351. ##############
  1352.  
  1353. wget https://s3.amazonaws.com/StrategicSec-Files/LogAnalysis/cisco.log
  1354.  
  1355.  
  1356. AWK Basics
  1357. ----------
  1358. - To quickly demonstrate the print feature in awk, we can instruct it to show only the 5th word of each line. Here we will print $5. Only the last 4 lines are being shown for brevity.
  1359.  
  1360. cat cisco.log | awk '{print $5}' | tail -n 4
  1361.  
  1362.  
  1363.  
  1364.  
  1365. - Looking at a large file would still produce a large amount of output. A more useful thing to do might be to output every entry found in “$5”, group them together, count them, then sort them from the greatest to least number of occurrences. This can be done by piping the output through “sort“, using “uniq -c” to count the like entries, then using “sort -rn” to sort it in reverse order.
  1366.  
  1367. cat cisco.log | awk '{print $5}'| sort | uniq -c | sort -rn
  1368.  
  1369.  
  1370.  
  1371.  
  1372. - While that’s sort of cool, it is obvious that we have some garbage in our output. Evidently we have a few lines that aren’t conforming to the output we expect to see in $5. We can insert grep to filter the file prior to feeding it to awk. This insures that we are at least looking at lines of text that contain “facility-level-mnemonic”.
  1373.  
  1374. cat cisco.log | grep %[a-zA-Z]*-[0-9]-[a-zA-Z]* | awk '{print $5}' | sort | uniq -c | sort -rn
  1375.  
  1376.  
  1377.  
  1378.  
  1379.  
  1380. - Now that the output is cleaned up a bit, it is a good time to investigate some of the entries that appear most often. One way to see all occurrences is to use grep.
  1381.  
  1382. cat cisco.log | grep %LINEPROTO-5-UPDOWN:
  1383.  
  1384. cat cisco.log | grep %LINEPROTO-5-UPDOWN:| awk '{print $10}' | sort | uniq -c | sort -rn
  1385.  
  1386. cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10}' | sort | uniq -c | sort -rn
  1387.  
  1388. cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10 " changed to " $14}' | sort | uniq -c | sort -rn
  1389.  
  1390.  
  1391.  
  1392.  
  1393.  
  1394.  
  1395.  
  1396.  
  1397.  
  1398. ##############################
  1399. # Linux For InfoSec Homework #
  1400. ##############################
  1401. In order to receive your certificate of attendance you must complete the all of the quizzes on the http://linuxsurvival.com/linux-tutorial-introduction/ website.
  1402.  
  1403.  
  1404. Submit the results via email in an MS Word document with (naming convention example: YourFirstName-YourLastName-Linux-For-InfoSec-Homework.docx)
  1405.  
  1406.  
  1407.  
  1408.  
  1409. ##############################
  1410. # Linux For InfoSe Challenge #
  1411. ##############################
  1412.  
  1413. In order to receive your certificate of proficiency you must complete all of the tasks covered in the Linux For InfoSec pastebin (http://pastebin.com/b5SxBRf6).
  1414.  
  1415. Submit the results via email in an MS Word document with (naming convention example: YourFirstName-YourLastName-Linux-For-InfoSec-Challenge.docx)
  1416.  
  1417.  
  1418.  
  1419.  
  1420. IMPORTANT NOTE:
  1421. Your homework/challenge must be submitted via email to both (joe-at-strategicsec-.-com and kasheia-at-strategicsec-.-com) by Sunday October 16th at midnight EST.
  1422.  
  1423.  
  1424. #########################################################################
  1425. # What kind of Linux am I on and how can I find out? #
  1426. # Great reference: #
  1427. # https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ #
  1428. #########################################################################
  1429. - What’s the distribution type? What version?
  1430. -------------------------------------------
  1431. cat /etc/issue
  1432. cat /etc/*-release
  1433. cat /etc/lsb-release # Debian based
  1434. cat /etc/redhat-release # Redhat based
  1435.  
  1436.  
  1437.  
  1438. - What’s the kernel version? Is it 64-bit?
  1439. -------------------------------------------
  1440. cat /proc/version
  1441. uname -a
  1442. uname -mrs
  1443. rpm -q kernel
  1444. dmesg | grep Linux
  1445. ls /boot | grep vmlinuz-
  1446.  
  1447.  
  1448.  
  1449. - What can be learnt from the environmental variables?
  1450. ----------------------------------------------------
  1451. cat /etc/profile
  1452. cat /etc/bashrc
  1453. cat ~/.bash_profile
  1454. cat ~/.bashrc
  1455. cat ~/.bash_logout
  1456. env
  1457. set
  1458.  
  1459.  
  1460. - What services are running? Which service has which user privilege?
  1461. ------------------------------------------------------------------
  1462. ps aux
  1463. ps -ef
  1464. top
  1465. cat /etc/services
  1466.  
  1467.  
  1468. - Which service(s) are been running by root? Of these services, which are vulnerable - it’s worth a double check!
  1469. ---------------------------------------------------------------------------------------------------------------
  1470. ps aux | grep root
  1471. ps -ef | grep root
  1472.  
  1473.  
  1474.  
  1475. - What applications are installed? What version are they? Are they currently running?
  1476. ------------------------------------------------------------------------------------
  1477. ls -alh /usr/bin/
  1478. ls -alh /sbin/
  1479. dpkg -l
  1480. rpm -qa
  1481. ls -alh /var/cache/apt/archivesO
  1482. ls -alh /var/cache/yum/
  1483.  
  1484.  
  1485. - Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached?
  1486. ------------------------------------------------------------------------------------
  1487. cat /etc/syslog.conf
  1488. cat /etc/chttp.conf
  1489. cat /etc/lighttpd.conf
  1490. cat /etc/cups/cupsd.conf
  1491. cat /etc/inetd.conf
  1492. cat /etc/apache2/apache2.conf
  1493. cat /etc/my.conf
  1494. cat /etc/httpd/conf/httpd.conf
  1495. cat /opt/lampp/etc/httpd.conf
  1496. ls -aRl /etc/ | awk '$1 ~ /^.*r.*/
  1497.  
  1498.  
  1499.  
  1500. - What jobs are scheduled?
  1501. ------------------------
  1502. crontab -l
  1503. ls -alh /var/spool/cron
  1504. ls -al /etc/ | grep cron
  1505. ls -al /etc/cron*
  1506. cat /etc/cron*
  1507. cat /etc/at.allow
  1508. cat /etc/at.deny
  1509. cat /etc/cron.allow
  1510. cat /etc/cron.deny
  1511. cat /etc/crontab
  1512. cat /etc/anacrontab
  1513. cat /var/spool/cron/crontabs/root
  1514.  
  1515.  
  1516. - Any plain text usernames and/or passwords?
  1517. ------------------------------------------
  1518. grep -i user [filename]
  1519. grep -i pass [filename]
  1520. grep -C 5 "password" [filename]
  1521. find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password" # Search for Joomla passwords
  1522.  
  1523.  
  1524. - What NIC(s) does the system have? Is it connected to another network?
  1525. ---------------------------------------------------------------------
  1526. /sbin/ifconfig -a
  1527. cat /etc/network/interfaces
  1528. cat /etc/sysconfig/network
  1529.  
  1530.  
  1531. - What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?
  1532. ------------------------------------------------------------------------------------------------------------------------
  1533. cat /etc/resolv.conf
  1534. cat /etc/sysconfig/network
  1535. cat /etc/networks
  1536. iptables -L
  1537. hostname
  1538. dnsdomainname
  1539.  
  1540. - What other users & hosts are communicating with the system?
  1541. -----------------------------------------------------------
  1542. lsof -i
  1543. lsof -i :80
  1544. grep 80 /etc/services
  1545. netstat -antup
  1546. netstat -antpx
  1547. netstat -tulpn
  1548. chkconfig --list
  1549. chkconfig --list | grep 3:on
  1550. last
  1551. w
  1552.  
  1553.  
  1554.  
  1555. - Whats cached? IP and/or MAC addresses
  1556. -------------------------------------
  1557. arp -e
  1558. route
  1559. /sbin/route -nee
  1560.  
  1561.  
  1562. - Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?
  1563. ------------------------------------------------------------------------------------------
  1564. id
  1565. who
  1566. w
  1567. last
  1568. cat /etc/passwd | cut -d: # List of users
  1569. grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' # List of super users
  1570. awk -F: '($3 == "0") {print}' /etc/passwd # List of super users
  1571. cat /etc/sudoers
  1572. sudo -l
  1573.  
  1574.  
  1575.  
  1576. - What sensitive files can be found?
  1577. ----------------------------------
  1578. cat /etc/passwd
  1579. cat /etc/group
  1580. cat /etc/shadow
  1581. ls -alh /var/mail/
  1582.  
  1583.  
  1584.  
  1585. - Anything “interesting” in the home directorie(s)? If it’s possible to access
  1586. ----------------------------------------------------------------------------
  1587. ls -ahlR /root/
  1588. ls -ahlR /home/
  1589.  
  1590.  
  1591. - Are there any passwords in; scripts, databases, configuration files or log files? Default paths and locations for passwords
  1592. ---------------------------------------------------------------------------------------------------------------------------
  1593. cat /var/apache2/config.inc
  1594. cat /var/lib/mysql/mysql/user.MYD
  1595. cat /root/anaconda-ks.cfg
  1596.  
  1597.  
  1598. - What has the user being doing? Is there any password in plain text? What have they been edting?
  1599. -----------------------------------------------------------------------------------------------
  1600. cat ~/.bash_history
  1601. cat ~/.nano_history
  1602. cat ~/.atftp_history
  1603. cat ~/.mysql_history
  1604. cat ~/.php_history
  1605.  
  1606.  
  1607.  
  1608. - What user information can be found?
  1609. -----------------------------------
  1610. cat ~/.bashrc
  1611. cat ~/.profile
  1612. cat /var/mail/root
  1613. cat /var/spool/mail/root
  1614.  
  1615.  
  1616. - Can private-key information be found?
  1617. -------------------------------------
  1618. cat ~/.ssh/authorized_keys
  1619. cat ~/.ssh/identity.pub
  1620. cat ~/.ssh/identity
  1621. cat ~/.ssh/id_rsa.pub
  1622. cat ~/.ssh/id_rsa
  1623. cat ~/.ssh/id_dsa.pub
  1624. cat ~/.ssh/id_dsa
  1625. cat /etc/ssh/ssh_config
  1626. cat /etc/ssh/sshd_config
  1627. cat /etc/ssh/ssh_host_dsa_key.pub
  1628. cat /etc/ssh/ssh_host_dsa_key
  1629. cat /etc/ssh/ssh_host_rsa_key.pub
  1630. cat /etc/ssh/ssh_host_rsa_key
  1631. cat /etc/ssh/ssh_host_key.pub
  1632. cat /etc/ssh/ssh_host_key
  1633.  
  1634.  
  1635. - Any settings/files (hidden) on website? Any settings file with database information?
  1636. ------------------------------------------------------------------------------------
  1637. ls -alhR /var/www/
  1638. ls -alhR /srv/www/htdocs/
  1639. ls -alhR /usr/local/www/apache22/data/
  1640. ls -alhR /opt/lampp/htdocs/
  1641. ls -alhR /var/www/html/
  1642.  
  1643.  
  1644. - Is there anything in the log file(s) (Could help with “Local File Includes”!)
  1645. -----------------------------------------------------------------------------
  1646. cat /etc/httpd/logs/access_log
  1647. cat /etc/httpd/logs/access.log
  1648. cat /etc/httpd/logs/error_log
  1649. cat /etc/httpd/logs/error.log
  1650. cat /var/log/apache2/access_log
  1651. cat /var/log/apache2/access.log
  1652. cat /var/log/apache2/error_log
  1653. cat /var/log/apache2/error.log
  1654. cat /var/log/apache/access_log
  1655. cat /var/log/apache/access.log
  1656. cat /var/log/auth.log
  1657. cat /var/log/chttp.log
  1658. cat /var/log/cups/error_log
  1659. cat /var/log/dpkg.log
  1660. cat /var/log/faillog
  1661. cat /var/log/httpd/access_log
  1662. cat /var/log/httpd/access.log
  1663. cat /var/log/httpd/error_log
  1664. cat /var/log/httpd/error.log
  1665. cat /var/log/lastlog
  1666. cat /var/log/lighttpd/access.log
  1667. cat /var/log/lighttpd/error.log
  1668. cat /var/log/lighttpd/lighttpd.access.log
  1669. cat /var/log/lighttpd/lighttpd.error.log
  1670. cat /var/log/messages
  1671. cat /var/log/secure
  1672. cat /var/log/syslog
  1673. cat /var/log/wtmp
  1674. cat /var/log/xferlog
  1675. cat /var/log/yum.log
  1676. cat /var/run/utmp
  1677. cat /var/webmin/miniserv.log
  1678. cat /var/www/logs/access_log
  1679. cat /var/www/logs/access.log
  1680. ls -alh /var/lib/dhcp3/
  1681. ls -alh /var/log/postgresql/
  1682. ls -alh /var/log/proftpd/
  1683. ls -alh /var/log/samba/
  1684.  
  1685. - Note: auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement