SECURING AND HARDENING Flashcards
Create an authentication key with a description, with the RSA type, and a length of 2048 bits
ssh-keygen -t rsa -b 2048 -C "Keys generated on OCT 2024"
ssh-copy-id user@host <- copies the public key to the remote server's authorized_keys
Where can you find your public and private keys?
Where do you find your key info on the remote server?
.ssh/id_rsa <- private
.ssh/id_rsa.pub <- public
cat ~/.ssh/authorized_keys <- on the remote server
Disable password authentication on remote server
This will allow you to only login via your key pair.
vi /etc/ssh/sshd_config
PasswordAuthentication no <- search with /PasswordAuthentication in vi and change yes to no
Change sshd port to 3131
Disable root login
Disable password authentication
Only allow jason and peter
If the client stops responding, terminate the session; the server should check every 300 seconds.
vi /etc/ssh/sshd_config
Changing the port doesn't make the server secure by itself; anyone can scan all ports with nmap. It only reduces scripted attacks that target port 22.
Also update the firewall and SELinux rules for the new port (on Red Hat: semanage port -a -t ssh_port_t -p tcp 3131).
Port 3131
PermitRootLogin no
PasswordAuthentication no
AllowUsers jason peter <- the directive is AllowUsers (plural); list every permitted user on one line
ClientAliveInterval 300
ClientAliveCountMax 0 <- note: on OpenSSH 8.2 and later a count of 0 disables connection termination instead
Permit ssh access only to a few select networks via iptables
iptables -A INPUT -p tcp --dport 3131 -s 2.2.2.2 -j ACCEPT <- -p (lowercase) selects the protocol; -P sets a chain policy
Force GRUB to require a password
Create hashed password
grub-mkpasswd-pbkdf2
it will prompt you to enter a password
Put this hashed password in the grub config
ls /boot/grub2/grub.cfg <- we can't modify this directly; it is built from the files in /etc/grub.d and has to be regenerated
update-grub2 <- for Ubuntu
FOR REDHAT
vi /etc/grub.d/40_custom <- 40_custom is a file, not a directory; regenerate afterwards with grub2-mkconfig -o /boot/grub2/grub.cfg
Create a grub password to guard the grub options from being edited
grub2-setpassword
Create a boot password under root
vi /boot/loader/entries/superlongname.conf
grub_users root <- only root can bypass boot
:wq
Change password policy for newly added users.
Make sure passwords have to be at least 10 characters.
/etc/login.defs <- for new account not existing ones
PASS_MIN_LENGTH 10
Create user Jacob, make a home directory for him at /home/jacob, give him the description "network guy", and set his shell to /bin/bash
Change password policy for existing user Jacob
Last modified today
Minimum amount of days before pass change
Warning 3 days prior
Confirm
Max number of days before needs pass change
Inactive after 30 days
Expires on December 25th of next year
useradd -m -d /home/jacob -s /bin/bash -c "network guy" jacob
chage -d 2024-12-14 -m 0 -M 90 -W 3 -I 30 -E 2025-12-25 jacob
chage -l jacob <- confirm the settings
Show two ways you could require your passwords to:
Only 3 of the same characters from the first password can be in the new password (difok)
Only give you three retries before an error
Minimum length is 8 characters
Must contain at least one:
lower
upper
digit
special character
vi /etc/security/pwquality.conf <- one way: set minlen, difok and the credit values here
authconfig <- the other way
Or in the PAM stack (/etc/pam.d/system-auth and password-auth on Red Hat):
password requisite pam_pwquality.so retry=3 difok=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
<- negative credit values mean "at least one of this class is required"; positive values only grant length credit
If this isn't working, restart sshd.
Lock and unlock a password
This adds a "!" in front of the password hash in /etc/shadow
passwd -l jason
passwd -u jason
passwd --status jason <- LK in the output means the password is locked
usermod -L jason
usermod -U jason
See who is in the wheel group
After using sudo, how long are creds cached? Basically how long until you have to re-enter your sudo creds when you use it?
Clear the sudo cache
grep wheel /etc/group
15 mins (set by timestamp_timeout in sudoers; upstream sudo's default is 5 minutes)
sudo -k
Define the four columns of information in:
root ALL=(ALL:ALL) ALL
john ALL=(root) NOPASSWD:/bin/cp,/bin/ls,!/usr/bin/vim
jason ALL=(root) NOEXEC:/bin/less
root - user who you’re modifying
ALL - which hosts
(ALL:ALL) - user and group: the root user can run commands as any user and any group
/bin/cp,/bin/ls - What commands apply to rule.
!/usr/bin/vim - command user can’t run
NOPASSWD = doesn’t need password
NOEXEC = less isn’t allowed to spawn commands
PASSWD = password is required
How can you tell that everything in the /etc/sudoers.d directory is also applied to /etc/sudoers?
in visudo you will find the line:
#includedir /etc/sudoers.d
<- despite the leading #, this is a directive, not a comment (newer sudo writes it as @includedir)
Create user dan and john
Give dan access to use ls and cat, find their absolute path
add that you want to use yum with dan and not to require a password
Create a user
Group john and dan in an Alias
Create a command alias
Allow the users in your alias group to run your alias command as well as netstat
which cat
which ls
visudo
dan ALL=(root) PASSWD:/usr/bin/ls,/usr/bin/cat,NOPASSWD:/usr/bin/yum
Alias names must be all uppercase (letters, digits and underscores only).
User_Alias MYADMIN=dan,john
Cmnd_Alias FILE=/usr/bin/cp,/usr/bin/ls,/usr/bin/touch,/usr/bin/yum
MYADMIN ALL=(root) /usr/bin/netstat, FILE
Create a bomb script and describe what it’s doing
What can you do to prevent this?
#!/bin/bash
$0 && $0 & <- the script calls itself twice, the second copy in the background
Creates an infinite number of processes
This runs your script over and over in the background until it depletes all resources
Set the ulimit for all users
vi /etc/security/limits.conf
user_name hard nproc 1100
@group_name hard nproc 1100
What is a rainbow table vs brute force
Brute force - trying candidate passwords one after another until a hash matches. Needs little storage but a lot of time.
Rainbow table - precomputed hash chains. Needs a lot of storage but little time; you look the hash up instead of computing it. Salting the stored hashes defeats it.