SECURING AND HARDENING Flashcards
(46 cards)
Create an authentication key with a description, with the RSA type, and a length of 2048 bits
ssh-keygen -t rsa -b 2048 -C "Keys generated on OCT 2024"
ssh-copy-id user@remote-host <- appends ~/.ssh/id_rsa.pub to that user's ~/.ssh/authorized_keys on the remote server (you log in with the password once to do this)
2048 bits is the minimum for RSA today; ssh-keygen -t ed25519 gives a shorter, faster key and is the better default. Give the private key a passphrase when prompted.
Where can you find your public and private keys?
Where do you find your key info on the remote server?
~/.ssh/id_rsa <- private key (mode 0600, never leaves your machine)
~/.ssh/id_rsa.pub <- public key
cat ~/.ssh/authorized_keys <- on the remote server; lists the public keys allowed to log in as that user
Disable password authentication on remote server
This allows login with the key pair only.
vi /etc/ssh/sshd_config
PasswordAuthentication no <- change from yes to no (type /PasswordAuthentication in vi to jump to the line), then systemctl restart sshd. Test the key login from a second session before closing the one you are in, or you can lock yourself out.
Change sshd port to 3131
Disable root login
Disable password authentication
Only allow jason and peter
If the client stops responding, terminate the session; check every 300 seconds.
vi /etc/ssh/sshd_config
Port 3131
PermitRootLogin no
PasswordAuthentication no
AllowUsers jason peter
ClientAliveInterval 300
ClientAliveCountMax 1
Changing the port doesn't make your server safe (nmap finds it on any port); it only cuts down noise from scripts that target 22/tcp.
Change firewall and SELinux rules for the new port: open 3131/tcp in the firewall and, on Red Hat, run semanage port -a -t ssh_port_t -p tcp 3131, or sshd will not be allowed to bind to it.
The directive is AllowUsers (plural), space separated. ClientAliveCountMax 0, as often shown, is wrong here: on OpenSSH 8.2 and later the value 0 disables termination entirely; 1 ends the session after one unanswered 300 s check.
sshd uses the first value it sees for a keyword, and Ubuntu 22.04 and RHEL 9 include /etc/ssh/sshd_config.d/*.conf at the top of the file, so check the effective config with sshd -T (and the syntax with sshd -t) before systemctl restart sshd.
permit ssh access only to a few select networks via iptables
iptables -A INPUT -p tcp --dport 3131 -s 2.2.2.0/24 -j ACCEPT <- one rule per permitted network (2.2.2.0/24 stands in for yours); lower-case -p selects the protocol, upper-case -P would set the chain policy
iptables -A INPUT -p tcp --dport 3131 -j DROP <- must come after the ACCEPT rules (-A appends and the first match wins), otherwise nothing is actually restricted
Rules are lost at reboot unless saved (iptables-save, or firewalld rich rules on Red Hat).
Force GRUB to require a password
Create hashed password
grub-mkpasswd-pbkdf2 <- prompts for the password and prints a grub.pbkdf2.sha512... hash (grub2-mkpasswd-pbkdf2 on Red Hat)
Put this hashed password in the grub config
ls /boot/grub/grub.cfg (Ubuntu) or /boot/grub2/grub.cfg (Red Hat) <- never edit this directly; it is generated from /etc/default/grub and the scripts in /etc/grub.d and has to be regenerated
vi /etc/grub.d/40_custom <- add the line set superusers="root" and the line password_pbkdf2 root <the hash>
update-grub (or update-grub2) <- regenerates grub.cfg on Ubuntu
grub2-mkconfig -o /boot/grub2/grub.cfg <- the same step on Red Hat
FOR RED HAT (7.2 and later)
Create a grub password to guard the grub options from being edited
grub2-setpassword <- prompts for a password and writes the hash to /boot/grub2/user.cfg; entries still boot without a password, but editing them (e) or opening the console (c) now needs root's GRUB password
Create a boot password under root
vi /boot/loader/entries/superlongname.conf <- one file per installed kernel, named after the machine id
grub_users root <- only the GRUB superuser can boot this entry, so the password is now needed to boot at all
:wq
Change password policy for newly added users.
Make sure passwords have to be at least 10 characters.
/etc/login.defs <- the aging defaults here (PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_AGE) apply to accounts created afterwards, not existing ones
PASS_MIN_LEN 10 <- the variable is PASS_MIN_LEN, not PASS_MIN_LENGTH; on PAM-based systems it is ignored and the minimum length comes from minlen in /etc/security/pwquality.conf
Create user jacob with a home directory at /home/jacob, the description "network guy" and /bin/bash as his shell
Change password policy for existing user Jacob
Password last changed today
Minimum number of days between password changes: 0
Warn 3 days before the password expires
Maximum number of days before the password must be changed: 90
Account becomes inactive 30 days after the password expires
Account expires on December 25th of next year
Confirm the settings
useradd -m -d /home/jacob -s /bin/bash -c "network guy" jacob
chage -d 2024-12-14 -m 0 -M 90 -W 3 -I 30 -E 2025-12-25 jacob <- dates are YYYY-MM-DD; -d 0 instead of a date forces a change at the next login
chage -l jacob <- confirm; this is the same data as the fields in /etc/shadow, printed as dates
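What chage -l does with those numbers, as an added example that is not from the card or from shadow-utils: a parser for the shadow(5) record chage writes, turning the day counts into dates and deciding what login would conclude on a given day. The jacob record is constructed from the chage line above with a placeholder hash string; the expiry thresholds follow shadow(5).

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)


def _days_to_date(field):
    """shadow(5) stores dates as days since 1970-01-01; an empty field means 'not set'."""
    return None if field == "" else EPOCH + timedelta(days=int(field))


def _int_or(field, default):
    return int(field) if field != "" else default


def parse_shadow(line):
    """Split one /etc/shadow record into named, typed fields."""
    f = line.rstrip("\n").split(":")
    if len(f) < 8:
        raise ValueError("not a shadow record: " + line)
    return {
        "user": f[0], "hash": f[1],
        "lastchange": _days_to_date(f[2]),
        "min_days": _int_or(f[3], 0), "max_days": _int_or(f[4], None),
        "warn_days": _int_or(f[5], 0), "inactive_days": _int_or(f[6], None),
        "account_expires": _days_to_date(f[7]),
    }


def aging(rec, today):
    """The dates chage -l derives from a record, plus what login would conclude on `today`.

    Thresholds follow shadow(5): the password expires once today > lastchange + max, becomes
    inactive once today > that date + inactive, and the account is off from the expiry date on.
    `today` may be a date or an ISO string; dates in the result are ISO strings or None.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    lc, mx, ina = rec["lastchange"], rec["max_days"], rec["inactive_days"]
    never = lc is None or lc == EPOCH or mx is None or mx < 0 or mx >= 99999
    pw_expires = None if never else lc + timedelta(days=mx)
    pw_inactive = pw_expires + timedelta(days=ina) if pw_expires and ina is not None and ina >= 0 else None
    warn_from = pw_expires - timedelta(days=rec["warn_days"]) if pw_expires else None
    iso = lambda d: None if d is None else d.isoformat()
    return {
        "password_locked": rec["hash"].startswith(("!", "*")),
        "must_change_now": lc == EPOCH,      # chage -d 0 stores 0 here: change at next login
        "change_allowed": lc is not None and today >= lc + timedelta(days=rec["min_days"]),
        "password_expires": iso(pw_expires),
        "in_warning_period": warn_from is not None and warn_from <= today <= pw_expires,
        "password_expired": pw_expires is not None and today > pw_expires,
        "password_inactive": pw_inactive is not None and today > pw_inactive,
        "account_expires": iso(rec["account_expires"]),
        "account_expired": rec["account_expires"] is not None and today >= rec["account_expires"],
    }


def shadow_record(user, hash_, lastchange, min_days, max_days, warn, inactive, expires):
    """Build a record in shadow(5) layout (used here to construct sample data, not real accounts)."""
    days = lambda d: "" if d is None else str((d - EPOCH).days)
    return ":".join([user, hash_, days(lastchange), str(min_days), str(max_days),
                     str(warn), str(inactive), days(expires), ""])


# jacob exactly as the chage line on the card sets him up; the hash is a placeholder string
JACOB = shadow_record("jacob", "$6$placeholder$notarealhash",
                      date(2024, 12, 14), 0, 90, 3, 30, date(2025, 12, 25))
```

Run aging(parse_shadow(JACOB), "2025-03-20") to see the state between password expiry (2025-03-14) and the inactivity cut-off (2025-04-13): the password is expired but login still works and forces a change, which is the window the -I option controls.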
Show two ways to require that passwords:
Differ from the old password in at least 3 characters
Allow only three retries before an error
Have a minimum length of 8 characters
Must contain at least one:
lower-case letter
upper-case letter
digit
special character
Way 1: vi /etc/security/pwquality.conf and set minlen = 8, difok = 3, retry = 3, ucredit = -1, lcredit = -1, dcredit = -1, ocredit = -1 (pam_pwquality reads this file, so no PAM edit is needed)
Way 2: put the options on the pam_pwquality line in /etc/pam.d/system-auth and /etc/pam.d/password-auth (Red Hat; /etc/pam.d/common-password on Debian/Ubuntu). authconfig can generate these files on Red Hat 7, but it overwrites hand edits when re-run.
password requisite pam_pwquality.so retry=3 difok=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
The credits must be negative: ucredit=-1 means at least one upper-case character is required, while a positive ucredit=1 only lets one upper-case character count as an extra length credit and requires nothing. The option is spelled difok, not diffok. PAM files are read at each login, so no service restart is needed; root is exempt from these checks unless enforce_for_root is also set.
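The difference between ucredit=1 and ucredit=-1 is the usual mistake with this module, so here is the credit arithmetic re-implemented from the pam_pwquality man page as an added example (not libpwquality's code; the difok rule follows the man page wording rather than the library's exact similarity algorithm), with the card's settings beside the corrected ones.

```python
def check_password(new, old=None, minlen=8, difok=1,
                   ucredit=1, lcredit=1, dcredit=1, ocredit=1):
    """Return None when `new` is acceptable, otherwise the name of the rule that rejected it.

    Credits follow the pam_pwquality man page: a credit >= 0 means characters of that class
    add up to `credit` virtual characters to the length compared against minlen (the class is
    not required at all); a credit < 0 means at least -credit characters of that class are
    mandatory. difok uses the man page's definition: characters in the new password that are
    not present in the old one.
    """
    counts = {
        "ucredit": sum(c.isupper() for c in new),
        "lcredit": sum(c.islower() for c in new),
        "dcredit": sum(c.isdigit() for c in new),
    }
    counts["ocredit"] = len(new) - sum(counts.values())   # everything else is "other"
    credits = {"ucredit": ucredit, "lcredit": lcredit, "dcredit": dcredit, "ocredit": ocredit}
    size = len(new)
    for cls, have in counts.items():
        credit = credits[cls]
        if credit >= 0:
            size += min(have, credit)                     # bonus length only
        elif have < -credit:
            return f"{cls}: at least {-credit} required, found {have}"
    if size < minlen:
        return f"minlen: effective length {size} is below {minlen}"
    if old is not None and sum(c not in old for c in new) < difok:
        return f"difok: fewer than {difok} characters differ from the old password"
    return None


# The card's line as written, and what it was meant to say
CARD = dict(minlen=8, difok=3, ucredit=1, lcredit=1, dcredit=1, ocredit=1)
FIXED = dict(minlen=8, difok=3, ucredit=-1, lcredit=-1, dcredit=-1, ocredit=-1)
```

With the card's positive credits, seven lower-case letters pass: 7 characters plus 1 lower-case credit reaches minlen=8 and no other class is demanded. With the negative credits the same password is rejected for having no upper-case character.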
Lock and unlock a password
This prefixes the hash in /etc/shadow with "!" (some versions write "!!") so that no password can match it
passwd -l jason <- locks the password only; SSH key login still works, so also expire the account (chage -E 0 jason) to block it completely
passwd -u jason
passwd --status jason <- second field: L (Debian/Ubuntu) or LK (Red Hat) means locked, P/PS means a usable password is set, NP means no password
usermod -L jason <- same effect as passwd -l
usermod -U jason
See who is in the wheel group
After using sudo, how long are creds cached? Basically how long until you have to re-enter your sudo creds when you use it?
Clear the sudo cache
grep wheel /etc/group (or getent group wheel)
5 minutes by default, set by Defaults timestamp_time­out=N in sudoers (Ubuntu builds sudo with 15; 0 prompts every time, -1 never re-prompts)
sudo -k <- invalidates the cached credential
Define the four columns of information in:
root ALL=(ALL:ALL) ALL
john ALL=(root) NOPASSWD:/bin/cp,/bin/ls,!/usr/bin/vim
jason ALL=(root) NOEXEC:/bin/less
root - the user (or %group, or a User_Alias) the rule applies to
ALL - on which hosts the rule applies (matters when one sudoers file is shared across machines)
(ALL:ALL) - as which user and group commands may be run; (root) alone means as root. The root rule lets root run commands as any user and any group
/bin/cp,/bin/ls - the commands the rule allows, as absolute paths
!/usr/bin/vim - a command excluded from the rule. Exclusions are not a security boundary: the user can copy the binary under another name or spawn an editor from an allowed program, so prefer listing only what is allowed
NOPASSWD: = no password prompt for the commands that follow it
NOEXEC: = the command (here less) is blocked from spawning other programs, so !/bin/sh inside less does nothing
PASSWD: = password is required (the default)
How can you tell that everything in the /etc/sudoers.d directory is also applied to /etc/sudoers?
in visudo you will find the line:
#includedir /etc/sudoers.d
<- the "#" does not make this a comment: #include and #includedir are directives (sudo 1.9.1 and later also accept @includedir). Files in that directory are parsed in sorted order, and a rule there overrides an earlier one in /etc/sudoers because sudo uses the last matching entry.
Create user dan and john
Give dan access to use ls and cat, find their absolute path
Also let dan run yum without a password
Create a user
Group john and dan in an Alias
Create a command alias
Allow the users in your alias group to run your alias command as well as netstat
useradd -m dan; useradd -m john
which cat <- /usr/bin/cat
which ls <- /usr/bin/ls
visudo <- always edit with visudo; it checks the syntax before saving, and a broken sudoers locks everyone out of sudo
dan ALL=(root) PASSWD:/usr/bin/ls,/usr/bin/cat,NOPASSWD:/usr/bin/yum
Alias names must be upper case (letters, digits and underscores only)
User_Alias MYADMIN = dan, john
Cmnd_Alias FILE = /usr/bin/cp, /usr/bin/ls, /usr/bin/touch, /usr/bin/yum
MYADMIN ALL=(root) /usr/bin/netstat, FILE
Note that this last rule also matches yum for dan, and because sudo uses the last matching entry it puts the password prompt back for yum; put the NOPASSWD rule after the alias rule if passwordless yum is the intent.
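To make the four columns and the tag semantics concrete, here is an added example (not sudo's parser and not from the page) that reads the card's rules and answers "may this user run this command, and with which tags?" the way sudo resolves it: a tag sticks to every command that follows it in the list, Cmnd_Alias members are expanded, and the last matching entry wins. It handles only the subset of sudoers syntax used on this page (the assumptions are listed in the docstring); the SAMPLE text is constructed from the card's own lines.

```python
import re

TAGS = {"PASSWD": ("passwd", True), "NOPASSWD": ("passwd", False),
        "EXEC": ("exec", True), "NOEXEC": ("exec", False)}
# user  host = (runas_user[:runas_group]) commands   -- the four columns of the card
SPEC_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")


def _split_list(s):
    return [x.strip() for x in s.split(",") if x.strip()]


def parse_sudoers(text):
    """Parse User_Alias, Cmnd_Alias and user-specification lines.

    Assumed subset of the sudoers grammar: no Defaults, Host_Alias or Runas_Alias handling,
    no line continuations, aliases defined before use, '#' starts a comment except for
    #include / #includedir (and @includedir) directives.
    """
    user_aliases, cmnd_aliases, specs, includes = {}, {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("#include", "@include")):     # directives, not comments
            includes.append(line.split(None, 1)[1])
            continue
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        if line.startswith(("User_Alias", "Cmnd_Alias")):
            kind, rest = line.split(None, 1)
            name, members = rest.split("=", 1)
            target = user_aliases if kind == "User_Alias" else cmnd_aliases
            target[name.strip()] = _split_list(members)
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError("unparsed sudoers line: " + raw)
        who, host, runas, cmds = m.groups()
        runas_user, _, runas_group = (runas or "root").partition(":")
        entries, tags = [], {"passwd": True, "exec": True}  # sudo's defaults: prompt, allow exec
        for item in _split_list(cmds):
            # A tag applies to its own command AND every later command in the list until overridden
            while ":" in item and item.split(":", 1)[0].strip() in TAGS:
                tag, item = item.split(":", 1)
                key, val = TAGS[tag.strip()]
                tags = {**tags, key: val}
                item = item.strip()
            negated = item.startswith("!")
            item = item.lstrip("!").strip()
            for cmd in cmnd_aliases.get(item, [item]):    # expand Cmnd_Alias members
                entries.append({"cmd": cmd, "negated": negated, "tags": dict(tags)})
        specs.append({"users": user_aliases.get(who, [who]), "host": host,
                      "runas_user": runas_user, "runas_group": runas_group or None,
                      "entries": entries})
    return {"specs": specs, "includes": includes}


def allowed(parsed, user, command):
    """Tags in force if `user` may run `command`, or None if not.

    sudo consults every matching entry in file order and the LAST match wins, which is why a
    later alias rule can silently re-enable the password prompt an earlier NOPASSWD removed.
    """
    result = None
    for spec in parsed["specs"]:
        if user not in spec["users"] and "ALL" not in spec["users"]:
            continue
        for entry in spec["entries"]:
            if entry["cmd"] in (command, "ALL"):
                result = None if entry["negated"] else entry["tags"]
    return result


# Constructed sample: the card's three rules plus the exercise answer, not a real host's sudoers
SAMPLE = """
#includedir /etc/sudoers.d
root ALL=(ALL:ALL) ALL
john ALL=(root) NOPASSWD:/bin/cp,/bin/ls,!/usr/bin/vim
jason ALL=(root) NOEXEC:/bin/less
dan ALL=(root) PASSWD:/usr/bin/ls,/usr/bin/cat,NOPASSWD:/usr/bin/yum
User_Alias MYADMIN = dan, john
Cmnd_Alias FILE = /usr/bin/cp, /usr/bin/ls, /usr/bin/touch, /usr/bin/yum
MYADMIN ALL=(root) /usr/bin/netstat, FILE
"""
```

allowed(parse_sudoers(SAMPLE), "dan", "/usr/bin/yum") comes back with passwd True even though dan's own line says NOPASSWD, because the MYADMIN rule with the FILE alias matches later in the file. sudo -l -U dan on a real host shows the same resolution.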
Create a bomb script and describe what it’s doing
What can you do to prevent this?
#!/bin/bash
$0 && $0 &
Creates an ever-growing number of processes (a fork bomb)
Each copy starts a background job that runs the script twice more, so the process count grows exponentially until the user's process limit, the PID space or memory is exhausted.
Set the ulimit for all users
vi /etc/security/limits.conf <- enforced by pam_limits at login, so sessions that are already open keep their old limit; check the current value with ulimit -u
* hard nproc 1100 <- all users (the wildcard does not apply to root, which needs its own line)
user_name hard nproc 1100
@group_name hard nproc 1100
What is a rainbow table vs brute force
Brute force - hash each candidate password and compare it with the stolen hash, one at a time. Needs almost no storage, but the time grows with the keyspace.
Rainbow table - precomputed chains of password -> hash that trade storage for time: a large table on disk, then a near-instant lookup per hash. It only works when the same input always gives the same hash, which is why salted hashes (the crypt(3) hashes in /etc/shadow carry a per-user salt) have to be attacked one by one.
Where do you check whether your email address shows up in a published breach (whose leaked hashes attackers crack offline by brute force or with rainbow tables)?
haveibeenpwned.com
What are the three cracking modes in John the Ripper?
Single crack - derives guesses from each account's own login name, GECOS field and home directory, with mangling rules applied. Fastest mode; catches passwords built from the user's own details.
Wordlist (dictionary) - supply a wordlist with one word per line plus the hash file. With --rules each word is also mangled (case changes, appended digits, substitutions).
Incremental - tries all character combinations. Most powerful, but at 12-14 characters and beyond it will effectively never finish.
Install john the ripper
place passwd and shadow together
run john in single mode
Where are passwords saved?
We'll need the lux repository (the CentOS 5 package shown here is old; on current RHEL-family systems john is usually available from EPEL).
rpm -Uvh http://repo.iotti.biz/CentOS/5/noarch/lux-release-0-1.noarch.rpm
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-LUX
yum install john
combine passwd and shadow files together
unshadow /etc/passwd /etc/shadow > unshadow.txt
john --single --format=crypt unshadow.txt
See what passwords you cracked
john --show unshadow.txt
Cracked passwords are saved in ~/.john/john.pot (john.pot next to the binary in builds without a home-directory setup)
--format=crypt - selects the hash type. crypt means UNIX-style hashes verified through the system crypt(3) function, which handles the $6$ (SHA-512) hashes in /etc/shadow; it is slower than john's native formats such as sha512crypt, so prefer those when the build supports them.
Perform a dictionary attack with john the ripper
Where are dictionaries located?
How do you back out of a dictionary attack and later resume from where you left off?
/usr/share/john/password.lst <- john's bundled wordlist
/usr/share/dict <- system dictionaries (for example /usr/share/dict/words)
john --wordlist=/usr/share/john/password.lst --rules unshadow.txt
--rules - enables word mangling (the rules defined in john.conf)
ctrl+c <- aborts; john writes its session state to john.rec
john --restore
Only restore from the same directory where you aborted: the session file lives in ~/.john/ or the current directory depending on the build.
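The rainbow-table card and the John cards above describe three things worth seeing happen once: merging passwd with shadow, a wordlist attack that grows through mangling rules, and why a per-user salt turns a table lookup back into per-hash work. This added example is not john's code and not from the page: the hash is salted SHA-256 via hashlib (only the $tag$salt$digest layout mirrors crypt(3)), the rules are a hand-written handful rather than john.conf, and the passwd/shadow lines and wordlist are constructed sample data.

```python
import hashlib


def unshadow(passwd_text, shadow_text):
    """Merge passwd and shadow like unshadow(8): replace the 'x' in passwd field 2 with the hash."""
    hashes = {l.split(":")[0]: l.split(":")[1] for l in shadow_text.splitlines() if ":" in l}
    merged = []
    for line in passwd_text.splitlines():
        if ":" not in line:
            continue
        f = line.split(":")
        if f[1] == "x" and f[0] in hashes:
            f[1] = hashes[f[0]]
        merged.append(":".join(f))
    return "\n".join(merged)


def salted_hash(salt, password):
    """Stand-in for crypt(3): same 'tag$salt$digest' layout, deliberately NOT the same algorithm."""
    return "$demo$" + salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()


LEET = str.maketrans("aeios", "43105")


def mangle(word):
    """A few rules of the kind --rules applies: case changes, leetspeak, reversal, common suffixes."""
    bases = {word, word.lower(), word.capitalize(), word.upper(), word.translate(LEET), word[::-1]}
    return {b + suffix for b in bases for suffix in ("", "1", "123", "!", "2024")}


def wordlist_attack(merged, wordlist, rules=True):
    """Return {user: password} for every account cracked; '!!', '*' and 'x' entries are skipped."""
    cracked = {}
    for line in merged.splitlines():
        user, h = line.split(":")[:2]
        if not h.startswith("$demo$"):
            continue
        salt = h.split("$")[2]
        candidates = (c for w in wordlist for c in (mangle(w) if rules else {w}))
        for cand in candidates:
            if salted_hash(salt, cand) == h:   # the salt forces a fresh pass per account
                cracked[user] = cand
                break
    return cracked


def precomputed_lookup(merged, wordlist, table_salt):
    """Rainbow-table style: hash the (mangled) wordlist ONCE for one salt, then look hashes up.
    Fast, but it only hits accounts that share table_salt, which per-user salts prevent."""
    table = {salted_hash(table_salt, c): c for w in wordlist for c in mangle(w)}
    found = {}
    for line in merged.splitlines():
        user, h = line.split(":")[:2]
        if h in table:
            found[user] = table[h]
    return found


# Constructed sample data (not real accounts). root's password lies outside the tiny rule set above.
PASSWD = "\n".join([
    "root:x:0:0:root:/root:/bin/bash",
    "jason:x:1001:1001:Jason:/home/jason:/bin/bash",
    "peter:x:1002:1002::/home/peter:/bin/bash",
    "svc:x:1003:1003::/var/svc:/sbin/nologin",
])
SHADOW = "\n".join([
    "root:" + salted_hash("r00t", "Winter2024!") + ":20071:0:99999:7:::",
    "jason:" + salted_hash("s1", "letmein!") + ":20071:0:99999:7:::",
    "peter:" + salted_hash("s2", "Dragon2024") + ":20071:0:99999:7:::",
    "svc:!!:20071:0:99999:7:::",
])
WORDLIST = ["password", "dragon", "winter", "letmein"]
MERGED = unshadow(PASSWD, SHADOW)
```

Without rules the bare words crack nothing; with them jason and peter fall. The precomputed table built for salt s1 finds jason only, even though peter's password is in the table under s1, because his hash was computed with s2. root survives only because "Winter2024!" is one suffix beyond these five rules, which is the point of john's much larger rule sets.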
Define AIDE
Advanced Intrusion Detection Environment
File integrity monitoring tool
Takes a snapshot of file attributes (hashes, permissions, owner, size, timestamps) to build a database
When you run AIDE again it compares the current file system against that database and reports added, removed and changed files.
This is a host-based IDS (HIDS); it detects tampering after the fact, it does not block it.
Install AIDE
check version
show all options
go to config file
initialize database
go to the directory where the database is kept
rename the new database to the name aide checks against
create runtime config file for aide
Create /root/abc.txt
add user user1
Run aide to check for newly created files and directories
update aide database to store new values
yum install aide (Red Hat) / apt install aide (Debian/Ubuntu, which supplies the aideinit and update-aide.conf wrappers used below)
aide -v
aide --help
/etc/aide/aide.conf (Debian/Ubuntu) or /etc/aide.conf (Red Hat)
aideinit <- builds /var/lib/aide/aide.db.new
cd /var/lib/aide
mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db <- aide only compares against aide.db
Creating a runtime configuration file:
update-aide.conf
/var/lib/aide/aide.conf.autogenerated <- this is the file
touch /root/abc.txt
useradd user1 <- changes /etc/passwd, /etc/shadow, /etc/group and creates a home directory, all of which the check will report
aide -c /var/lib/aide/aide.conf.autogenerated --check > report.txt
update database and make it the default
aide -c /var/lib/aide/aide.conf.autogenerated --update <- checks and writes a fresh aide.db.new
cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
Keep a copy of the database and config somewhere the host cannot modify (read-only media or a remote store); an attacker with root can otherwise re-initialize it to hide changes.
=======================
Red Hat variant (no wrapper scripts):
vi /etc/aide.conf
verbose=15 <- older AIDE; newer releases (0.17 and later) use log_level and report_level instead
add whatever else you want to monitor (a path followed by a rule group such as NORMAL or PERMS)
aide --init <- writes /var/lib/aide/aide.db.new.gz
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
aide --check
or just
aide
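How the init/check/update cycle works underneath, as an added example that is not AIDE's code: a small file-integrity monitor that snapshots file attributes into a database, rescans, and reports what was added, removed or changed. demo() replays the card's scenario (a new /root/abc.txt, a user appended to /etc/passwd, and additionally a setuid bit flipped on a binary, the classic thing a FIM exists to catch) inside a temporary directory. The attribute set, the JSON database format and the choice to ignore mtime by default are this example's own.

```python
import hashlib
import json
import os
import stat


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _entry(path):
    st = os.lstat(path)            # lstat: record symlinks themselves, do not follow them
    e = {"type": stat.S_IFMT(st.st_mode), "mode": stat.S_IMODE(st.st_mode),
         "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size, "mtime": int(st.st_mtime)}
    if stat.S_ISREG(st.st_mode):
        e["sha256"] = _sha256(path)
    return e


def snapshot(root):
    """Record every directory and file under root (like aide --init), keyed by relative path."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        db[os.path.relpath(dirpath, root)] = _entry(dirpath)
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = _entry(full)
    return db


def compare(baseline, current, ignore=("mtime",)):
    """Diff two snapshots (like aide --check): added/removed paths and, for changed paths,
    which attributes differ. Attributes named in `ignore` are not reported."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in sorted(set(baseline) & set(current)):
        old, new = baseline[path], current[path]
        diff = sorted(k for k in set(old) | set(new)
                      if k not in ignore and old.get(k) != new.get(k))
        if diff:
            changed[path] = diff
    return {"added": added, "removed": removed, "changed": changed}


def save_db(db, path):
    with open(path, "w") as f:
        json.dump(db, f, sort_keys=True)


def load_db(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Replay the card in a temp dir: baseline, then touch /root/abc.txt, add a user to
    /etc/passwd and set the setuid bit on a binary; returns the comparison report."""
    import shutil
    import tempfile
    root, dbdir = tempfile.mkdtemp(), tempfile.mkdtemp()
    try:
        for d in ("etc", "bin", "root"):
            os.mkdir(os.path.join(root, d))
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(os.path.join(root, "bin", "ls"), "w") as f:
            f.write("#!/bin/sh\necho not really ls\n")
        os.chmod(os.path.join(root, "bin", "ls"), 0o755)
        db = os.path.join(dbdir, "aide.db")
        save_db(snapshot(root), db)                                # aide --init; mv aide.db.new aide.db
        open(os.path.join(root, "root", "abc.txt"), "w").close()   # touch /root/abc.txt
        with open(os.path.join(root, "etc", "passwd"), "a") as f:  # useradd user1
            f.write("user1:x:1001:1001::/home/user1:/bin/bash\n")
        os.chmod(os.path.join(root, "bin", "ls"), 0o4755)          # setuid bit: a FIM's main job
        return compare(load_db(db), snapshot(root))                # aide --check
    finally:
        shutil.rmtree(root)
        shutil.rmtree(dbdir)
```

In production you would not ignore mtime (AIDE reports it), and the database belongs off the host, for the same reason as the card's note above: whoever can write the baseline can hide from the check.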