SECURING AND HARDENING Flashcards

1
Q

Create an authentication key with a description, with the RSA type, and a length of 2048 bits

A

ssh-keygen -t rsa -b 2048 -C "Keys generated on OCT 2024"

ssh-copy-id user@remote-host <- installs the public key in the remote account's authorized_keys

2
Q

Where can you find your public and private keys?

Where do you find your key info on the remote server?

A

~/.ssh/id_rsa <- private
~/.ssh/id_rsa.pub <- public

cat ~/.ssh/authorized_keys <- on the remote server

3
Q

Disable password authentication on remote server

This will allow you to only login via your key pair.

A

vi /etc/ssh/sshd_config

PasswordAuthentication no <- change from yes to no (in vi, /PasswordAuthentication jumps to the line)

4
Q

Change sshd port to 3131
Disable root login
Disable password authentication
Only allow jason and peter
If the client stops responding, terminate the session; the server should check every 300 seconds.

A

vi /etc/ssh/sshd_config

Port 3131

Changing the port does not by itself make the server safe; anyone can scan all ports with nmap. It only cuts down on scripted attacks aimed at port 22.

Update the firewall and SELinux rules for the new port

PermitRootLogin no

PasswordAuthentication no

AllowUsers jason peter

ClientAliveInterval 300
ClientAliveCountMax 0

5
Q

permit ssh access only to a few select networks via iptables

A

iptables -A INPUT -p tcp --dport 3131 -s 2.2.2.2 -j ACCEPT

-s takes a host or a network in CIDR form; repeat the rule for each allowed network. The ACCEPT only restricts access when a later rule drops other traffic to 3131.

6
Q

Force GRUB to require a password

A

Create the hashed password
grub-mkpasswd-pbkdf2
it will prompt you to enter a password

Put this hashed password in the grub config
ls /boot/grub2/grub.cfg <- we can't modify this directly; it is generated from the scripts in /etc/grub.d and has to be regenerated

update-grub2 <- for Ubuntu

FOR REDHAT
vi /etc/grub.d/40_custom <- add the password entry here, then regenerate grub.cfg

7
Q

Create a GRUB password to keep the boot options from being edited

A

grub2-setpassword

8
Q

Create a boot password under root

A

vi /boot/loader/entries/superlongname.conf

grub_users root <- only root can boot or edit this entry
:wq

9
Q

Change the password policy for newly added users.
Make sure passwords have to be at least 10 characters.

A

/etc/login.defs <- applies to new accounts, not existing ones
PASS_MIN_LEN 10

10
Q

Create user Jacob, make a home directory for him at /home/jacob, give him the description "network guy" and set his shell to /bin/bash

Change password policy for existing user Jacob
Last modified today
Minimum amount of days before pass change
Warning 3 days prior

Confirm
Max number of days before needs pass change
Inactive after 30 days
Expires on December 25th of next year

A

useradd -m -d /home/jacob -s /bin/bash -c "network guy" jacob

chage -d 2024-12-14 -m 0 -M 90 -W 3 -I 30 -E 2025-12-25 jacob

chage -l jacob <- confirm

11
Q

Show two ways you could require your passwords to:
Only 3 of the same characters from the first password can be in the new password
Only give you three retries before an error
Minimum length is 8 characters
Must contain at least one:
lower
upper
digit
special character

A

vi /etc/security/pwquality.conf

authconfig (or edit the password line in /etc/pam.d/system-auth)

password requisite pam_pwquality.so retry=3 difok=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1

A negative credit (-1) means at least one character of that class is required; a positive value is only a bonus toward minlen. difok is the number of characters that must differ from the old password.

If this isn't working restart sshd

12
Q

Lock and unlock a password

A

Locking prepends a "!" to the password hash in /etc/shadow
passwd -l jason
passwd -u jason
passwd --status jason <- a capital L in the output means the password is locked

usermod -L jason
usermod -U jason

13
Q

See who is in the wheel group
After using sudo, how long are your credentials cached? In other words, how long until you have to re-enter your password when you use sudo again?

Clear the sudo cache

A

grep wheel /etc/group
15 minutes by default

sudo -k

14
Q

Define the four columns of information in:

root ALL=(ALL:ALL) ALL
john ALL=(root) NOPASSWD:/bin/cp,/bin/ls,!/usr/bin/vim
jason ALL=(root) NOEXEC:/bin/less

A

root - the user the rule applies to
ALL - which hosts the rule applies on
(ALL:ALL) - which user and group the command may be run as; root can run commands as all users and groups
/bin/cp,/bin/ls - the commands the rule applies to
!/usr/bin/vim - a command the user can't run

NOPASSWD = no password needed
NOEXEC = less isn't allowed to spawn other commands (blocks shell escapes)
PASSWD = password is required

15
Q

How can you tell that everything in the /etc/sudoers.d directory is also applied to /etc/sudoers?

A

in visudo you will find the line:
#includedir /etc/sudoers.d

<- the leading # does not make this a comment; it is a directive

16
Q

Create users dan and john
Give dan access to use ls and cat; find their absolute paths
Also allow dan to use yum without requiring a password

Create a user alias grouping john and dan

Create a command alias

Allow the users in your alias group to run your alias command as well as netstat

A

useradd dan
useradd john
which cat
which ls
visudo
dan ALL=(root) PASSWD:/usr/bin/ls,/usr/bin/cat,NOPASSWD:/usr/bin/yum

Alias names must be all capitals!
User_Alias MYADMIN=dan,john
Cmnd_Alias FILE=/usr/bin/cp,/usr/bin/ls,/usr/bin/touch,/usr/bin/yum
MYADMIN ALL=(root) /usr/bin/netstat, FILE

17
Q

Create a fork bomb script and describe what it's doing

What can you do to prevent this?

A

#!/bin/bash

$0 && $0 &

Creates an unbounded number of processes

Each run launches the script again in the background until process slots and memory are exhausted

Set a process limit (ulimit) for all users

vi /etc/security/limits.conf
user_name   hard nproc 1100
@group_name hard nproc 1100
*           hard nproc 1100 <- applies to every user

18
Q

What is a rainbow table vs. brute force?

A

Brute force - hashing candidate passwords one after another until one matches the stolen hash. Takes a lot of time but very little storage.

Rainbow table - a precomputed table of hashes. Needs a lot of storage but little time: you look the hash up instead of computing it.

19
Q

Where do you check whether your email address appears in a breach with its hashed password exposed? This lets attackers try to crack it offline with a rainbow table or brute force.

A

haveibeenpwned.com

20
Q

What are the three cracking modes in John the Ripper?

A

Single crack - Uses login names along with other fields from the passwd file. Fastest mode for simple passwords

Dictionary attack - Supply a dictionary file that contains one word per line and a password file. Has a mangling mode that rearranges these letters

Incremental - Most powerful, tries all possible character combinations. At 12-14 characters it will effectively never terminate.

21
Q

Install John the Ripper
Combine passwd and shadow
Run john in single mode
Where are cracked passwords saved?

A

We'll need to use the lux repository.

rpm -Uvh http://repo.iotti.biz/CentOS/5/noarch/lux-release-0-1.noarch.rpm
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-LUX

combine the passwd and shadow files together

unshadow /etc/passwd /etc/shadow > unshadow.txt

john --single --format=crypt unshadow.txt

See what passwords you cracked
john --show unshadow.txt

cracked passwords are saved in the user's home directory under .john/john.pot

--format=crypt - specifies the hash type to target. crypt refers to UNIX-style password hashes produced by the crypt(3) function.

22
Q

Perform a dictionary attack with John the Ripper

Where are dictionaries located?

How do you abort and then continue from where you left off on a dictionary attack?

A

/usr/share/john/password.lst <- one of john's dictionaries
/usr/share/dict <- Linux dictionaries

john --wordlist=/usr/share/john/password.lst --rules unshadow.txt

--rules - enables mangling

ctrl+c <- aborts
john --restore

Only restore in the same directory where you aborted (that is where the session file is written)

23
Q

Define AIDE

A

Advanced Intrusion Detection Environment

File integrity monitoring tool
Takes a snapshot of the system to build a database
When you run AIDE it compares the database against the current state. This detects changes.
It is a host-based IDS (HIDS)

24
Q

Install AIDE
check version
show all options
go to config file
initialize database
go to the directory the database is located
Rename the new database to the name AIDE checks against
create runtime config file for aide
Create /root/abc.txt
add user user1
Run aide to check for newly created files and directories
update aide database to store new values

A

yum install aide
aide -v
aide --help
/etc/aide/aide.conf
aideinit
cd /var/lib/aide <- the database lives here as aide.db.new
mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Creating a runtime configuration file:
update-aide.conf
/var/lib/aide/aide.conf.autogenerated <- this is the file

touch /root/abc.txt
useradd user1
aide -c /var/lib/aide/aide.conf.autogenerated --check > report.txt

update the database and make it the default
aide -c /var/lib/aide/aide.conf.autogenerated --update

cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

=======================

Red Hat layout (single config file):

vi /etc/aide.conf
verbose=15
add whatever else you want to monitor
aide --init

mv aide.db.new.gz aide.db.gz <- in /var/lib/aide

aide --check
or just
aide

25
Q

Configure AIDE to only use SHA-256
Exclude the contents of /var/lib/aide
This makes AIDE ignore that directory

Create a file in /var/lib/aide/ to confirm it isn't reported
Check for changes

A

vi /etc/aide/aide.conf

Checksums = sha256
!/var/lib/aide

update-aide.conf
aideinit
mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

touch /var/lib/aide/abc.txt
aide -c /var/lib/aide/aide.conf.autogenerated --check > report.txt

less report.txt

26
Q

What is a rootkit?

A

A collection of malware that gives an attacker continued access to a computer
Installed after an intrusion to keep that access

A rootkit can subvert the software that is meant to find it

If you find one, reinstall the entire system

27
Q

Using LUKS, fill a partition with random data.

A

THIS WILL DELETE ALL DATA

dd if=/dev/urandom of=/dev/sdb status=progress

INITIALIZE THE LUKS PARTITION AND SET THE INITIAL PASSPHRASE. WILL FAIL IF MOUNTED

cryptsetup -y -v luksFormat /dev/sdb
-y asks for the passphrase twice

SET UP THE MAPPING NAME

cryptsetup luksOpen /dev/sdb secretdata
secretdata <- whatever name you want

ls -l /dev/mapper/secretdata
This shows it's a symbolic link to /dev/dm-0

CHECK STATUS OF THE MAPPING
cryptsetup status secretdata

MAKE FILESYSTEM THEN MOUNT
mkfs.xfs /dev/mapper/secretdata
mount /dev/mapper/secretdata /mnt <- mount point is your choice

WITH LINUX YOU CAN ALSO MOUNT THE SAME DEVICE AT MORE THAN ONE PLACE

ONCE MOUNTED THE DATA IS READABLE BY ANYONE WITH FILESYSTEM PERMISSIONS; IT IS ONLY PROTECTED AGAIN AFTER UNMOUNT AND luksClose

umount /dev/mapper/secretdata

NOW WE NEED TO CLOSE THE LUKS VOLUME

cryptsetup luksClose secretdata

TO ACCESS AGAIN
cryptsetup luksOpen /dev/sdb secretdata

28
Q

Create a keyfile as an additional authentication method for LUKS

A

Can hold up to 10 keyfiles or passwords

GENERATE A KEYFILE
dd if=/dev/urandom of=/root/keyfile bs=1024 count=4

PROTECT THE KEYFILE: MAKE IT READABLE ONLY BY ROOT (IT CAN ALSO BE ENCRYPTED SYMMETRICALLY WITH GPG)
chmod 400 /root/keyfile

ADD IT TO LUKS
cryptsetup luksAddKey /dev/sdb /root/keyfile

UNLOCK WITH YOUR KEYFILE

cryptsetup luksOpen /dev/sdb secretdata --key-file /root/keyfile

29
Q

What are the two types of encryption?

A

Symmetric (private key) - SHA
Anyone holding the password/passphrase can decrypt

Asymmetric (public key) - RSA/ECDSA

SHA - Secure Hash Algorithms

RSA - Rivest-Shamir-Adleman
ECDSA - Elliptic Curve Digital Signature Algorithm

30
Q

Show GPG's supported algorithms

What is replacing RSA?

A

gpg --help <- lists the supported algorithms at the top of the output

ECDSA

31
Q

What are the two formats that you can get as output for encryption?

A

Binary - smaller file

ASCII/text

32
Q

Encrypt a text file with gpg
Make the encryption symmetric; the output should be in binary form

What is the default encryption algorithm?
Show what algorithms you have available
How do you change it to Blowfish?
What is the best way to delete the old file and why?
Overwrite it 100 times
Decrypt the file

A

sometimes you need to install pinentry

touch secret.txt
gpg -c secret.txt

-c = symmetric

AES-256
gpg --version
gpg -c --cipher-algo blowfish -o blowfish.txt.gpg secret.txt

-o = output file

DON'T FORGET TO ERASE THE CLEARTEXT FILE

shred -vu -n 100 secret.txt
the file is overwritten 100 times
This overwrites the file before deleting it.
-v = verbose
-u = remove (unlink) the file after overwriting
-n = number of overwrite passes

gpg -o secret.txt -d secret.txt.gpg
secret.txt = the new file name with decrypted content
-o = output to
-d = decrypt

33
Q

Why doesn't gpg ask for your passphrase upon decryption?

Correct this

A

It uses the gpg-agent daemon, which manages secret/private keys.
It keeps a copy of the passphrase cached in RAM

Make it forget the passphrase
echo RELOADAGENT | gpg-connect-agent
or terminate the currently running agent
gpgconf --kill gpg-agent

34
Q

Encrypt secret.txt with gpg using ASCII output

Decrypt it

A

gpg -ca secret.txt

-a = armor
this will appear as secret.txt.asc
gpg -d secret.txt.asc

35
Q

What are the benefits of EncryptPad?

How do you use it?

A

Open-source text editor with an encryption function
Multi-platform
Randomly generates keyfiles in addition to passphrases
Uses AES for SYMMETRIC encryption and SHA-256 for the integrity check
THIS IS EASY TO USE BECAUSE IF YOU NEED TO MODIFY OR OPEN THE TEXT OFTEN, IT DOES THE WHOLE GPG DECRYPT/ENCRYPT AND DELETES THE PREVIOUS FILE FOR YOU

Copy the exe to a memory stick and use it from there

36
Q

What is steganography?

What is an issue that might occur with it?

A

Hiding secret information in plain sight

Embed secret files into movies, music, etc.

A file hidden in a picture and uploaded to a site might be scaled down, which destroys all of the hidden information.

37
Q

What is LSB?

How does steganography use it?

A

Least Significant Bit

In an 8-bit value this is the last (rightmost) bit

Steganography hides its information here

This works because if you change the LSB of a colour value, the change is so minor that you couldn't notice a difference.

38
Q

Overwrite partitions if fdisk and parted don’t work

A

gdisk /dev/sdd <- for GPT tables
you can delete here, or press "i" for info
delete with "d"

You can also wipe the whole partition table

wipefs -a /dev/sdd

If you continue to see the partition:
dd if=/dev/zero of=/dev/sdd bs=512 count=1
This overwrites the metadata, which is 512 bytes

MBR = 512 bytes
GPT = header follows in the next 512 bytes
These are stored on the disk itself, not in a partition.

39
Q

How is nmap stealthy?

A

It doesn't complete the TCP connections, so the application on the target never sees a session.

40
Q

What do the nmap options mean?

A

nmap -sS <- SYN scan, only performs the SYN portion of the TCP handshake
-sT <- connect scan, can be run as a regular user
nmap -sU <- UDP
-sn or -sP <- ping scan (ICMP host discovery, no port scan)

41
Q

Perform a standard nmap scan
Perform specific tcp scan
Perform a connect scan

ssh is enabled on 3131; find it with nmap
This shows the port being open, but not the service. How would you show the service?

Scan all ports
Scan udp ports
Scan for icmp on whole network

A

nmap 192.168.1.1
nmap -sS 192.168.1.1
nmap -sT 192.168.1.1

nmap -p 3131,18,32 192.168.1.1
nmap -p 3131,18,32 -sV 192.168.1.1

nmap -p- 192.168.1.1
nmap -sU 192.168.1.1
nmap -sn 192.168.0.0/24

42
Q

What's the first thing nmap does before checking ports?

This might give you some grief; what could you do to remedy it?

A

It sends a ping first; if there's no response or it's blocked, it won't do its port scan.

nmap -Pn 192.168.1.1 <- skips the ping

43
Q

Firewalls often have an IDS which will log that your IP performed several port scans. How do you hide your IP with nmap and how does it work?

A

nmap -p 22 -sV 192.168.0.20 -D 192.168.1.1,192.168.1.2,192.168.1.3

-D <- Decoy scan. Appears as several IPs scanning the target at the same time. Companies won't be able to differentiate between which are innocent and which are guilty.
Although this CAN be defeated if a router path trace is performed.

MAKE SURE THE HOSTS ARE UP OR YOU WILL BE FOUND OUT

44
Q

We have a list of hosts whose ports we want to scan. How do we easily do this?

nmap will normally try to perform a DNS lookup and report names along with the IPs of the scan, which can slow it down. What option prevents this, and how do you output to a file?

A

nmap -p 80 -iL hosts.txt
-iL <- input list

nmap -p 80 -iL hosts.txt -n -oN output.txt

-n - never do DNS resolution
-oN - Output = Normal

45
Q

Set a timing template which dictates how aggressive the port scans are timing-wise.

Add another option to this command that scans for OS, version, scripts, and traceroute

Show the progress of a scan

A

nmap -T0 -A 192.168.1.1 <- -T0 is the "paranoid" template, -A enables OS detection, version detection, script scanning and traceroute

press Enter while the scan is running

46
Q

What is a salt?

A

Random data added to a password before hashing so that identical passwords produce different hashes, making them harder to crack with precomputed tables.

A normal format for a hash - $8$ <- the leading field shows this is SHA-512
abcd1234 - comes next; it is the salt

The remaining part is the hashed password