SECURING AND HARDENING

Question 1

Create an authentication key with a description, with the RSA type, and a length of 2048 bits

Answer 1

ssh-keyget -t rsa -b 2048 -C “Keys generated on OCT 2024”

ssh-copy-id creds

Question 2

Where can you find your public and private keys?

Where do you find your key info on the remote server?

Answer 2

.ssh/id_rsa <- private
.ssh/id_rsa.pub <- public

car .ssh/authorized_keys <- via remote server

Question 3

Disable password authentication on remote server

This will allow you to only login via your key pair.

Answer 3

vi /etc/ssh/sshd_config

/PasswordAuthentication no <- change from yes to no

Question 4

Change sshd port to 3131
Disable root login
Disable password authentication
Only allow jason and peter
If no net connection have the session terminate - it should check every 300 second.

Answer 4

vi /etc/ssh/sshd_config

Changing the port doesn’t make your server safe, someone can scan all ports via nmap. This helps for scripted attacks.

Change Firewall and SElinux rules

PermitRootLogin no

PasswordAuthentication no

AllowUser jason

ClientAliveInterval 300
ClientAliveCountMax 0

Question 5

permit ssh access only to a few select networks via iptables

Answer 5

iptables -A INPUT -P tcp –dport 3131 -s 2.2.2.2 -j ACCEPT

Question 6

Force Grub require a password

Answer 6

Create hashed password
grub-mkpasswd-pbkdf2
it will prompt you to enter a password

Put this hashed password in the grub config
ls /boot/grub2/grub.cfg <- we can’t modify this directly, this is built with things in /etc/grub.d and has to be updated

update-grub2 <- for ubuntu

FOR REDHAT
cd /etc/grub.d/40_custom

Question 7

Create a grub password to guard the grub options from being edited

Answer 7

grub2-setpassword

Question 8

Create a boot password under root

Answer 8

vi /boot/loader/entries/superlongname.conf

grub_users root <- only root can bypass boot
wq

Question 9

Change passord policy for newly added users.
Make sure passwords have to be at least 10 characters.

Answer 9

/etc/login.defs <- for new account not existing ones
PASS_MIN_LENGTH 10

Question 10

Create user Jacob, make a home directory for him, make that directory /home/jacob give him a description of “network guy” set his shell to /bin/bash

Change password policy for existing user Jacob
Last modified today
Minimum amount of days before pass change
Warning 3 days prior

Confirm
Max number of days before needs pass change
Inactive after 30 days
Expires on December 25th of next year

Answer 10

useradd -m -d /home/jacob -s /bin/bash -c “description” jacob

chage -d 2024-12-14 -m 0 -M 90 -W 3 -I 30 -E 2025-12-25

chage -l

Question 11

Show two ways you could make require your passwords to:
Only 3 of the same characters from the first password can be in the new password
Only give you three retries before an error
Minimum length is 8 characters
Must contain at least one:
lower
upper
digit
special character

Answer 11

vi /etc/security/pwquality

authconfig

password requisite pam_pwquality.so retry=3 diffok=3 minlen=8 ucredit=1 lcredit=1 dcredit=1 ocredit=1

If this isn’t working restart sshd

Question 12

Lock and unlock a password

Answer 12

This will add a “!” to the beginning of /etc/shadow
passwd -l jason
passwd -u jason
passwd –status jason <- Capitol L means it is

usermod -L jason
usermod -U jason

Question 13

See who is in the wheel group
After using sudo, how long are creds cached? Basically how long until you have to re-enter your sudo creds when you use it?

Clear the sudo cache

Answer 13

grep wheel /etc/group
15 mins

sudo -k

Question 14

Define the four columns of information in:

root ALL=(ALL:ALL) ALL
john ALL=(root) NOPASSWD:/bin/cp/bin/ls,!/usr/bin/vim
jason ALL=(root) NOEXEC:/bin/less

Answer 14

root - user who you’re modifying
ALL - which hosts
(ALL:ALL) User and group. Root user can run commands as all users and groups
/bin/cp,/bin/ls - What commands apply to rule.
!/usr/bin/vim - command user can’t run

NOPASSWD = doesn’t need password
NOEXEC = less isn’t allowed to spawn commands
PASSWD = password is required

Question 15

How can you tell that everything in the /etc/sudoers.d directory is also applied to /etc/sudoers?

Answer 15

in visudo you will find the line:
#iincludedir /etc/sudoers.d

<- this doesn’t mean it’s a comment here

Question 16

Create user dan and john
Give dan access to use ls and cat, find their absolute path
add that you want to use yum with dan and not to require a password
Create a user

Group john and dan in an Alias

Create a command alias

Allow the users in your alias group to run your alias command as well as netstat

Answer 16

which cat
which ls
visudo
dan ALL=(root) PASSWD:/usr/bin/ls,/usr/bin/cat,NOPASSWD:/usr/bin/yum

Must start with a capitol!
User_Alias MYADMIN=dan,john
Cmnd_Alias FILE=/usr/bin/cp,/usr/bin/ls,/usr/bin/touch,/usr/bin/yum
MYADMIN ALL=(root) /usr/bin/netstat, FILE

Question 17

Create a bomb script and describe what it’s doing

What can you do to prevent this?

Answer 17

!/bin/bash

$0 && $0 &

Creates an infinite number of processes

This runs your script over and over in the background until it depletes all resources

Set the ulimit for all users

vi /etc/security/limits.conf
user_name hard nproc 1100
@group_name hard nproc 1100

Question 18

What is a rainbow table vs brute force

Answer 18

Brute force - trying over and over to get the password hash right. Not a lot of space needed.

Rainbow Table - Lots of space needed but not a lot of time. You can search for hashes here.

Question 19

Where do you check if your email has it’s hashed password exposed. This allows hackers to try and crack it offline with a rainbow table or brute force

Answer 19

haveibeenpwned.com

Question 20

What are the three cracking modes in John the Ripper?

Answer 20

Single crack - Uses login names along with other fields from passwd file. Fastest mode for simple passwords

Dictionary attack - Supply a dictionary file that contains one word per line and a password file. Has a mangle mode that rearanges these letters

Incremental - Most powerful, tries all possible character combinations. 12-14 characters it will never terminate.

Question 21

Install john the ripper
place passwd and shadow together
run john in single mode
Where are passwords saved?

Answer 21

We’ll need to use the lux repository.

rpm -Uvh http://repo.iotti.biz/CentOS/5/noarch/lux-release-0-1.noarch.rpm
rpm –import /etc/pki/rpm-gpg/RPM-GPG-KEY-LUX

combine passwd and shadow files together

unshadow /etc/passwd /etc/shadow > unshadow.txt

john -single unshadow.txt –format=crypt

See what passwords you cracked
john –show unshadow.txt

passwords are saved in user directory under .john/john.pot

Question 22

Perform a dictionary attack with john the ripper

Where are dictionaries located?

How do you back out and then continue from where you left off on a dictionary attack

Answer 22

/usr/share/john/password.list < one of john’s dictionaries
usr/share/dict <- linux dictionaries

john –wordlist=/usr/share/john/password.lst –rules unshadow.txt

–rule - this enables mangling

ctrl+c <- backs out
john -restore

Only restore in same directory where you aborted

Question 23

Define AIDE

Answer 23

Advanced Intrusion Detection Environment

File integrity monitoring tool
Takes snap of system to build database
When you run AIDE it will compare the database against the current status. This will detect changes.
This is a host-based IDS HIDS

Question 24

Install AIDE
check version
show all options
go to config file
initialize database
go to the directory the database is located
Change your new database to be in the naming convention to be checked by aide
create runtime config file for aide
Create /root/abc.txt
add user user1
Run aide to check for newly created files and directories
update aide database to store new values

Answer 24

yum install aide
aide -v
aide –help
/etc/aide/aide.conf
aideinit
cd /var/lib/aide/aide.db.new
mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Creating a runtime configuration file:
update-aide.conf
/var/lib/aide/aide.conf.autogenerated < - this is the file

touch /root/abc.txt
useradd user1
aide -c /var/lib/aid/aid.conf.autogenerated –check > report.txt

update database and make it the default
aide -c /var/lib/aide/aide.conf.autogenerated –update

cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

=======================

vi /etc/aide.conf
verbose=15
add whatever else you want to monitor
aide –init

mv aide.db.new.gz aide.db.gz

aide –check
or just
aide

Question 25

Configure AIDE to only use sha-256
Exclude contents of /var/lib/aide
This will make it to where AIDE ignores this directory

Create a file in /var/lib/aide/ to make sure it doesn’t report it
Check for changes

Answer 25

vi /etc/aide/aide.conf

Checksums = sha256
!/var/lib/aide

update-aide.conf
aideinit
mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

touch /var/lib/aide/abc.txt
aide -c /var/lib/aide/aide.conf.autogenerated –check > report.txt

less report.txt

Question 26

What is a rootkit

Answer 26

Collection of malware that enables access to a computer
After intrusion hacker will install rootkit

Rootkit can subvert software that intends to find it

If you find one, reinstall entire system

Question 27

Using LUKS, fill a partition with random data.

Answer 27

THIS WILL DELETE ALL DATA

dd if=/dev/urandom of=/dev/sdb status=progress

INITIALIZE THE LUKS PARTITION AND SET THE INITAL PASSPHRASE. WILL FAIL IF MOUNTED

cryptsetup -y -v luksFormat /dev/sdb
-y asks for passphrase

SETUP MAPPING NAME

cryptsetup LuksOpen /dev/sdb secretdata
secretdata <- just whatever name you want

cd /dev/mapper/secretdata
This will show it’s a symbolic link to /dev/dm-0

CHECK STATUS OF THE MAPPING
cryptsetup status secretdata

MAKE FILESYSTEM THEN MOUNT
mkfs.xfs /dev/mapper/secretdata

WITH LINUX YOU CAN ALSO DOUBLE MOUNT

ONCE MOUNTED THIS WILL BE AVAILABLE TO EVERYONE, UPON UNMOUNT IT BECOMES ENCRYPTED

umount /dev/mapper/secretdata

NOW WE NEED TO CLOSE THE LUKS VOLUME

cryptsetup luksClose secretdata

TO ACCESS AGAIN
cryptsetup luksOpen /dev/sdb secret

Question 28

Create a keyfile as an additional authentication method for LUKS

Answer 28

Can hold up to 10 keyfiles or passwords

GENERATE A KEYFILE
dd if=/dev/urandom of=/root/keyfile bs=1024 count=4

ENCRYPT KEYFILE SYMMETRICALLY USING GPG, MAKE IT ONLY READABLE BY ROOT
chmod 400 /root/keyfile

ADDD TO LUKS
cryptsetup luksAddKey /dev/sdb /root/keyfile

UNLOCK WITH YOUR KEY

cryptsetup luksOpen /dev/sdb secret –key-file /root/keyfile

Question 29

What are the two types of encryption?

Answer 29

Symmetric (private key) - SHA
Anyone can decrypt with password/passphrase

Asymmetric (public key) RSA/ECDSA

SHA - Secure Hash ALgorithms

RSA - Rivest-Shamir-Adleman
ECDSA - Elliptic Curve Digital Signature Algorithm

Question 30

Show GPGs supported algorithms

What is replacing RSA

Answer 30

gpg –help
`
ECDSA

Question 31

What are the two formats that you can get as output for encryption?

Answer 31

Binary - smaller file

ASCII/text

Question 32

Encrypt a text file with gpg
make the encryption symmetric, this should be in binary form

What is the default encryption algorithm?
Show what algorithms you have available
How do you change it to blowfish?
What is the best way to delete the old file and why?
Overwrite 100 times
Decrypt file

Answer 32

sometimes you need to install pinentry

touch secret.txt
gpg -c secret.txt

-c = symmetric

AES-256
gpg –version
gpg -c –cyper-algo blowfish -o blowfish.txt.gpg secret.txt

-o = output file

DON’T FORGET TO ERASE THE CLEAR TEXT FILE

shred -vu -n 100 secret.txt
file overwritten 100
This will overwrite the file before deleting.
-v = verbose
-u = unalive file
-n number of times to erase data

gpg -o secret.txt -d secret.txt.gpg
secret.txt = the new file name with decrypted content
-o = output to
-d = decrypt

Question 33

Why doesn’t gpg ask for your passphrase upon decryption

Correct this

Answer 33

It uses gpg-agent daemon which monitors secret/private keys.
It keeps a copy of the passphrase in ram

Make it forget the passphrase
echo RELOADAGENT | gpg-connect-agent
or terminate the currently running agent
gpgconf –kill gpg-agent

Question 34

Encrypt via gpg using ascii format of secret.txt

decrypt it

Answer 34

gpg -ca secret.txt

-a = armor
this will appear as secret.txt.asc
gpg -d secret.txt.asc

Question 35

What are the benefits of EncryptPAD

How do you use it

Answer 35

Opensource text editor with encryption function
Mult-Platform
Randomly generates keyfiles in addition to passphrases
Uses AES for SYMMETRIC encryption and SHA256 for integrity check
THIS IS EASY TO USE BECAUSE IF YOU NEED TO MODIFY TEXT OR OPEN IT A BUNCH THIS WILL BASICALLY DO THE WHOLE GPG DECRYPT/ENCRYPT AND DELETE PRVIOUS FILE FOR YOU

Copy the exe to a memory stick and use it

Question 36

What is steganography?

What is an issue that might occur with it?

Answer 36

Hiding secret info in plain text or clear site

Embed secret files into movies, music, etc

A file hidden in a picture and uploaded to a site might be scaled down which will lose all the info.

Question 37

What is LSB

How does steganography use this

Answer 37

Least Significant Bit

In terms of binary data, this is the 8th bit

It hides its info here

This works because if you change the LSB
of a color, the change is so minor that you couldn’t even notice a difference.

Question 38

Overwrite partitions if fdisk and parted don’t work

Answer 38

gdisk /dev/sdd <- for GPT tables
you can delete here or “i” for info
deleted with “d”

You can also delete the whole partition table

wipefs -a /dev/sdd

If you continue to see the partition:
dd if=/dev/zero of=/dev/mapper/secret bs=512 count=1
This will delete the meta data which is 512 bytes

MBR = 512 bytes
GPT = goes on top at another 512 bytes
These are stored on the disk itself, not a partition.

Question 39

How is nmap stealthy?

Answer 39

It doesn’t complete the tcp connections, so no one even knows it was there.

Question 40

What do the nmap options mean

Answer 40

nmap -sS <= SYN scan, will only perform the syn portion of the tcp communication
-sT <- connect scan, can be ran as reg. user.
nmap -sU <- udp
-sn or -sP < - ICMP

Question 41

Perform a standard nmap scan
Perform specific tcp scan
Perform a connect scan

ssh is enabled on 3131, find it with nmap
This will show the port being open, but not the service, how would you show the service?

Scan all ports
Scan udp ports
Scan for icmp on whole network

Answer 41

nmap 192.168.1.1
nmap -sS 192.168.1.1
nmap -sT 192.168.1.1

nmap -p 3131,18,32 192.168.1.1
nmap -p 3131,18,32 -sV 192.168.1.1

nmap -p- 192.168.1.1
nmap -sU 192.168.1.1
nmap -sn 192.168.0.0/24

Question 42

What’s the first thing nmap does before checking on ports?

This might be give you some grief, what could you do to remedy it?

Answer 42

It will send a ping, if there’s no response or it’s blocked, it won’t do its port scan.

nmap -Pn 192.168.1.1 <- this won’t send a ping.

Question 43

Firewalls often have IDS which will log that your IP performed several scans on ports, how do we hide our IP with nmap and how does it work

Answer 43

nmap -p 22 -sV 192.168.0.20 -D 192.168.1.1,192.168.1.2,192.168.1.3

-D < - Decoy scan. Appears as several ips scanning IP at the same time. Company’s won’t be able to differentiate between which are innocent and which are guilty.
Although this CAN be defeated if a router path trace is performed.

MAKE SURE THE HOSTS ARE UP OR YOU WILL BE FOUND OUT

Question 44

We have a list of hosts we want to scan the ports of. How do we easily do this?

nmap will normally try to perform a dns name check and report back names along with ips of the scan which could slow it down. What is the option to prevent this as wel as output it to a file??

Answer 44

nmap -p 80 -iL hosts.txt
-iL <- input list

nmap -p 80 -iL hosts.txt -n -oN output.txt

Question 45

Set a timing template which will dictate how aggressive the port scans will be timing-wise.

Add another option to this command that scans for OS, version, scripts, and traceroute

Show progress of scan

Answer 45

nmap -T0 -A paranoid

press enter