SECURING AND HARDENING Flashcards
Create an authentication key with a description, with the RSA type, and a length of 2048 bits
ssh-keygen -t rsa -b 2048 -C "Keys generated on OCT 2024"
ssh-copy-id user@remote-host <- copies your public key into the remote user's authorized_keys
Where can you find your public and private keys?
Where do you find your key info on the remote server?
.ssh/id_rsa <- private
.ssh/id_rsa.pub <- public
cat .ssh/authorized_keys <- on the remote server
Disable password authentication on remote server
This will allow you to only login via your key pair.
vi /etc/ssh/sshd_config
/PasswordAuthentication <- search for the line in vi, then change yes to no
Change sshd port to 3131
Disable root login
Disable password authentication
Only allow jason and peter
If there is no network connection, have the session terminate; it should check every 300 seconds.
vi /etc/ssh/sshd_config
Changing the port doesn't make your server safe; someone can still scan all ports with nmap. It only helps against scripted attacks that target the default port.
Change Firewall and SElinux rules
Port 3131
PermitRootLogin no
PasswordAuthentication no
AllowUsers jason peter
ClientAliveInterval 300
ClientAliveCountMax 0 <- on OpenSSH 8.2 and newer a value of 0 disables the disconnect entirely; use 1 there
permit ssh access only to a few select networks via iptables
iptables -A INPUT -p tcp --dport 3131 -s 2.2.2.2 -j ACCEPT <- only restricts access together with a DROP rule (or a default DROP policy) for all other sources
Force Grub require a password
Create hashed password
grub-mkpasswd-pbkdf2
it will prompt you to enter a password
Put this hashed password in the grub config
ls /boot/grub2/grub.cfg <- we can't modify this directly; it is built from the files in /etc/grub.d and has to be regenerated
update-grub2 <- for ubuntu
FOR REDHAT
vi /etc/grub.d/40_custom
Create a grub password to guard the grub options from being edited
grub2-setpassword
Create a boot password under root
vi /boot/loader/entries/superlongname.conf
grub_users root <- only the grub user "root" can boot this entry
:wq
Change password policy for newly added users.
Make sure passwords have to be at least 10 characters.
/etc/login.defs <- applies to new accounts, not existing ones
PASS_MIN_LENGTH 10
Create user Jacob, make a home directory for him at /home/jacob, give him the description "network guy", and set his shell to /bin/bash
Change password policy for existing user Jacob
Last modified today
Minimum amount of days before pass change
Warning 3 days prior
Confirm
Max number of days before needs pass change
Inactive after 30 days
Expires on December 25th of next year
useradd -m -d /home/jacob -s /bin/bash -c "network guy" jacob
chage -d 2024-12-14 -m 0 -M 90 -W 3 -I 30 -E 2025-12-25 jacob
chage -l jacob <- confirm
Show two ways you could require passwords to:
Allow only 3 of the same characters from the old password in the new password
Only give you three retries before an error
Minimum length is 8 characters
Must contain at least one:
lower
upper
digit
special character
vi /etc/security/pwquality.conf
authconfig
password requisite pam_pwquality.so retry=3 difok=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 <- negative credit values mean "at least one of this class is required"; positive values only give credit toward minlen
If this isn't working, restart sshd
Lock and unlock a password
This will add a "!" to the beginning of the password field in /etc/shadow
passwd -l jason
passwd -u jason
passwd --status jason <- a capital L in the output means the password is locked
usermod -L jason
usermod -U jason
See who is in the wheel group
After using sudo, how long are creds cached? In other words, how long until you have to re-enter your sudo creds when you use it again?
Clear the sudo cache
grep wheel /etc/group
15 mins
sudo -k
Define the four columns of information in:
root ALL=(ALL:ALL) ALL
john ALL=(root) NOPASSWD:/bin/cp,/bin/ls,!/usr/bin/vim
jason ALL=(root) NOEXEC:/bin/less
root - user the rule applies to
ALL - which hosts
(ALL:ALL) User and group. Root user can run commands as all users and groups
/bin/cp,/bin/ls - What commands apply to rule.
!/usr/bin/vim - command the user can't run
NOPASSWD = doesn’t need password
NOEXEC = less isn’t allowed to spawn commands
PASSWD = password is required
How can you tell that everything in the /etc/sudoers.d directory is also applied to /etc/sudoers?
in visudo you will find the line:
#includedir /etc/sudoers.d
<- the leading "#" doesn't mean it's a comment here
Create user dan and john
Give dan access to use ls and cat, find their absolute path
add that you want to use yum with dan and not to require a password
Create a user
Group john and dan in an Alias
Create a command alias
Allow the users in your alias group to run your alias command as well as netstat
which cat
which ls
visudo
dan ALL=(root) PASSWD: /usr/bin/ls, /usr/bin/cat, NOPASSWD: /usr/bin/yum
Alias names must be in all capital letters!
User_Alias MYADMIN=dan,john
Cmnd_Alias FILE=/usr/bin/cp,/usr/bin/ls,/usr/bin/touch,/usr/bin/yum
MYADMIN ALL=(root) /usr/bin/netstat, FILE
Create a fork bomb script and describe what it's doing
What can you do to prevent this?
#!/bin/bash
$0 && $0 &
Creates an infinite number of processes
This runs your script over and over in the background until it depletes all resources
Set the ulimit for all users
vi /etc/security/limits.conf
user_name hard nproc 1100
@group_name hard nproc 1100
What is a rainbow table vs brute force
Brute force - trying candidate passwords one after another until the hash matches. Not a lot of space needed, but a lot of time.
Rainbow Table - Lots of space needed but not a lot of time. You look the hash up in a precomputed table.
Where do you check if your email has its hashed password exposed? An exposed hash lets hackers try to crack it offline with a rainbow table or brute force.
haveibeenpwned.com
What are the three cracking modes in John the Ripper?
Single crack - Uses login names along with other fields from the passwd file. Fastest mode for simple passwords
Dictionary attack - Supply a dictionary file that contains one word per line and a password file. Has a mangling mode that rearranges these letters
Incremental - Most powerful, tries all possible character combinations. For 12-14 character passwords it will effectively never terminate.
Install john the ripper
place passwd and shadow together
run john in single mode
Where are passwords saved?
We'll need to use the lux repository.
rpm -Uvh http://repo.iotti.biz/CentOS/5/noarch/lux-release-0-1.noarch.rpm
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-LUX
combine passwd and shadow files together
unshadow /etc/passwd /etc/shadow > unshadow.txt
john --single --format=crypt unshadow.txt
See what passwords you cracked
john --show unshadow.txt
passwords are saved in the user's home directory under .john/john.pot
--format=crypt - This specifies the hash type to target when cracking password hashes. crypt refers to UNIX-style password hashes produced by the crypt(3) function.
Perform a dictionary attack with john the ripper
Where are dictionaries located?
How do you back out and then continue from where you left off on a dictionary attack?
/usr/share/john/password.lst <- one of john's dictionaries
/usr/share/dict <- linux dictionaries
john --wordlist=/usr/share/john/password.lst --rules unshadow.txt
--rules - this enables mangling
ctrl+c <- backs out
john --restore
Only restore in same directory where you aborted
Define AIDE
Advanced Intrusion Detection Environment
File integrity monitoring tool
Takes a snapshot of the system to build a database
When you run AIDE it compares the database against the current state of the system. This detects changes.
This is a host-based IDS (HIDS)
Install AIDE
check version
show all options
go to config file
initialize database
go to the directory the database is located
Change your new database to be in the naming convention to be checked by aide
create runtime config file for aide
Create /root/abc.txt
add user user1
Run aide to check for newly created files and directories
update aide database to store new values
yum install aide
aide -v
aide --help
/etc/aide/aide.conf
aideinit
cd /var/lib/aide <- the new database is aide.db.new
mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
Creating a runtime configuration file:
update-aide.conf
/var/lib/aide/aide.conf.autogenerated <- this is the file
touch /root/abc.txt
useradd user1
aide -c /var/lib/aide/aide.conf.autogenerated --check > report.txt
update database and make it the default
aide -c /var/lib/aide/aide.conf.autogenerated --update
cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
=======================
vi /etc/aide.conf
verbose=15
add whatever else you want to monitor
aide --init
mv aide.db.new.gz aide.db.gz
aide --check
or just
aide
Configure AIDE to only use sha-256
Exclude contents of /var/lib/aide
This will make AIDE ignore this directory
Create a file in /var/lib/aide/ to make sure it doesn't report it
Check for changes
vi /etc/aide/aide.conf
Checksums = sha256
!/var/lib/aide
update-aide.conf
aideinit
mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
touch /var/lib/aide/abc.txt
aide -c /var/lib/aide/aide.conf.autogenerated --check > report.txt
less report.txt
What is a rootkit
Collection of malware that enables access to a computer
After the intrusion, the attacker installs a rootkit to keep access
A rootkit can subvert the software that tries to find it
If you find one, reinstall the entire system
Using LUKS, fill a partition with random data.
THIS WILL DELETE ALL DATA
dd if=/dev/urandom of=/dev/sdb status=progress
INITIALIZE THE LUKS PARTITION AND SET THE INITIAL PASSPHRASE. WILL FAIL IF MOUNTED
cryptsetup -y -v luksFormat /dev/sdb
-y asks for the passphrase twice to verify it
SETUP MAPPING NAME
cryptsetup luksOpen /dev/sdb secretdata
secretdata <- whatever name you want
ls -l /dev/mapper/secretdata
This will show it's a symbolic link to /dev/dm-0
CHECK STATUS OF THE MAPPING
cryptsetup status secretdata
MAKE FILESYSTEM THEN MOUNT
mkfs.xfs /dev/mapper/secretdata
mount /dev/mapper/secretdata /mnt/secret <- mount point is just an example
WITH LINUX YOU CAN ALSO DOUBLE MOUNT
ONCE MOUNTED THIS WILL BE AVAILABLE TO EVERYONE; UPON UNMOUNT AND CLOSE IT IS ENCRYPTED AGAIN
umount /dev/mapper/secretdata
NOW WE NEED TO CLOSE THE LUKS VOLUME
cryptsetup luksClose secretdata
TO ACCESS AGAIN
cryptsetup luksOpen /dev/sdb secret
Create a keyfile as an additional authentication method for LUKS
Can hold up to 10 keyfiles or passwords
GENERATE A KEYFILE
dd if=/dev/urandom of=/root/keyfile bs=1024 count=4
ENCRYPT KEYFILE SYMMETRICALLY USING GPG, MAKE IT ONLY READABLE BY ROOT
chmod 400 /root/keyfile
ADD TO LUKS
cryptsetup luksAddKey /dev/sdb /root/keyfile
UNLOCK WITH YOUR KEY
cryptsetup luksOpen /dev/sdb secret --key-file /root/keyfile
What are the two types of encryption?
Symmetric (private key) - SHA
Anyone who has the password/passphrase can decrypt
Asymmetric (public key) RSA/ECDSA
SHA - Secure Hash Algorithms
RSA - Rivest-Shamir-Adleman
ECDSA - Elliptic Curve Digital Signature Algorithm
Show GPG's supported algorithms
What is replacing RSA?
gpg --help
ECDSA
What are the two formats that you can get as output for encryption?
Binary - smaller file
ASCII/text
Encrypt a text file with gpg
make the encryption symmetric, this should be in binary form
What is the default encryption algorithm?
Show what algorithms you have available
How do you change it to blowfish?
What is the best way to delete the old file and why?
Overwrite 100 times
Decrypt file
sometimes you need to install pinentry
touch secret.txt
gpg -c secret.txt
-c = symmetric
AES-256
gpg --version
gpg -c --cipher-algo blowfish -o blowfish.txt.gpg secret.txt
-o = output file
DON'T FORGET TO ERASE THE CLEAR TEXT FILE
shred -vu -n 100 secret.txt
the file is overwritten 100 times
This will overwrite the file before deleting it.
-v = verbose
-u = remove (unlink) the file after overwriting
-n = number of times to overwrite the data
gpg -o secret.txt -d secret.txt.gpg
secret.txt = the new file name with decrypted content
-o = output to
-d = decrypt
Why doesn't gpg ask for your passphrase upon decryption?
Correct this
It uses the gpg-agent daemon, which manages secret/private keys.
It keeps a copy of the passphrase cached in RAM
Make it forget the passphrase
echo RELOADAGENT | gpg-connect-agent
or terminate the currently running agent
gpgconf --kill gpg-agent
Encrypt via gpg using ascii format of secret.txt
decrypt it
gpg -ca secret.txt
-a = armor
this will appear as secret.txt.asc
gpg -d secret.txt.asc
What are the benefits of EncryptPad?
How do you use it?
Open-source text editor with an encryption function
Multi-platform
Randomly generates keyfiles in addition to passphrases
Uses AES for SYMMETRIC encryption and SHA256 for the integrity check
THIS IS EASY TO USE BECAUSE IF YOU NEED TO MODIFY TEXT OR OPEN IT A LOT, IT DOES THE WHOLE GPG DECRYPT/ENCRYPT AND DELETES THE PREVIOUS FILE FOR YOU
Copy the exe to a memory stick and use it from there
What is steganography?
What is an issue that might occur with it?
Hiding secret info in plain sight
Embed secret files into movies, music, pictures, etc.
A file hidden in a picture and uploaded to a site might be scaled down, which will lose all the hidden info.
What is LSB?
How does steganography use this?
Least Significant Bit
In a byte, this is the 8th (lowest-value) bit
Steganography hides its info here
This works because if you change the LSB of a color value, the change is so minor that you can't notice a difference.
Overwrite partitions if fdisk and parted don't work
gdisk /dev/sdd <- for GPT tables
you can delete partitions here, or press "i" for info
delete with "d"
You can also wipe the whole partition table
wipefs -a /dev/sdd
If you continue to see the partition:
dd if=/dev/zero of=/dev/mapper/secret bs=512 count=1
This will delete the metadata, which is 512 bytes
MBR = 512 bytes
GPT = adds its own header in the next 512 bytes
These are stored on the disk itself, not in a partition.
How is nmap stealthy?
It doesn't complete the TCP handshake, so the target application never sees a full connection and is less likely to log it.
What do the nmap options mean?
nmap -sS <- SYN scan, only performs the SYN portion of the TCP handshake (needs root)
-sT <- connect scan, can be run as a regular user
nmap -sU <- UDP scan
-sn or -sP <- ping/ICMP sweep, host discovery only
Perform a standard nmap scan
Perform specific tcp scan
Perform a connect scan
ssh is enabled on 3131, find it with nmap
This will show the port being open but not the service; how would you show the service?
Scan all ports
Scan udp ports
Scan for icmp on whole network
nmap 192.168.1.1
nmap -sS 192.168.1.1
nmap -sT 192.168.1.1
nmap -p 3131,18,32 192.168.1.1
nmap -p 3131,18,32 -sV 192.168.1.1
nmap -p- 192.168.1.1
nmap -sU 192.168.1.1
nmap -sn 192.168.0.0/24
What's the first thing nmap does before checking ports?
This might give you some grief; what could you do to remedy it?
It sends a ping first; if there's no response or it's blocked, it won't do its port scan.
nmap -Pn 192.168.1.1 <- this won’t send a ping.
Firewalls often have IDS which will log that your IP performed several scans on ports, how do we hide our IP with nmap and how does it work
nmap -p 22 -sV 192.168.0.20 -D 192.168.1.1,192.168.1.2,192.168.1.3
-D <- Decoy scan. Appears as several IPs scanning the target at the same time. The company won't be able to differentiate between which are innocent and which are guilty.
Although this CAN be defeated if a router path trace is performed.
MAKE SURE THE HOSTS ARE UP OR YOU WILL BE FOUND OUT
We have a list of hosts we want to scan the ports of. How do we easily do this?
nmap will normally try to perform a DNS name lookup and report names along with IPs, which can slow the scan down. What option prevents this, and how do you output to a file?
nmap -p 80 -iL hosts.txt
-iL <- input list
nmap -p 80 -iL hosts.txt -n -oN output.txt
-n <- never do DNS resolution
-oN <- output in normal format
Set a timing template which dictates how aggressive the port scans will be timing-wise.
Add another option to this command that scans for OS, version, scripts, and traceroute
Show progress of the scan
nmap -T0 -A 192.168.1.1 <- -T0 = paranoid (slowest template), -A = OS detection, version detection, script scanning and traceroute
press enter while the scan runs
What is a salt?
Random data added to a password before hashing so identical passwords don't produce identical hashes, which makes them harder to crack.
A normal format for a hash - $8$ <- start shows this is SHA-512
abcd1234 - This would come next, it is the salt
The remaining bit is the hashed password