Notes for Linux Basix Episode 39

I will be joining the guys over at the Linux Basix podcast tonight, and below are some of the things I intend to discuss.

Discussion Links:

  1. 7 Best Network Security Linux Distributions (DoortoDoor): A list of special-purpose distros [BackTrack, Network Security Toolkit (NST), Pentoo, nUbuntu (Network Ubuntu), Security Tools Distribution (STD), Helix, Damn Vulnerable Linux]. These distributions are mainly designed to perform network security tasks such as vulnerability assessment and penetration testing in order to prevent and monitor unauthorized entry, abuse, alteration, or denial of computer network resources. Since most of these distros are available as Live CDs, you can try or use them instantly without a hard disk installation. Read more over at http://www.junauza.com/2011/01/network-security-linux-distros.html
  2. Soundminer: A Stealthy and Context-Aware Sound Trojan for Smartphones: Researchers have developed a low-profile Trojan horse program for Google’s Android mobile OS that steals data in a way that is unlikely to be detected by either a user or antivirus software. The malware, called Soundminer, monitors phone calls and records when a person, for example, says their credit card number or enters one on the phone’s keypad, according to the study. Using various analysis techniques, Soundminer trims the extraneous recorded information down to the most essential, such as the credit card number itself, and sends just that small bit of information back to the attacker over the network, the researchers said. Read more over at http://www.csoonline.com/article/656264/soundminer-android-malware-listens-then-steals-phone-data

Tech Segment: Password reset the hard way

Problem: I was tasked with retrieving or resetting the web login password of a Linux-based, custom-built system, very similar to an appliance. I had limited shell access to the system, but I was not certain whether the password was stored in /etc/passwd or in some sort of database on the system.

**Before we begin, just know that everything mentioned here will probably not work on a normal Ubuntu-based system; the manufacturer possibly used their own custom kernel and other system tweaks.**

Commands used:

  1. netstat – a command-line tool that displays network connections, routing tables, and a number of network interface statistics.
  2. fuser – a command-line tool to identify processes using files or sockets.
  3. lsof – a command-line tool to list open files under Linux / UNIX, reporting all open files and the processes that opened them.
  4. /proc/$pid/ file system – under Linux, /proc includes a directory for each running process (including kernel processes) at /proc/PID, containing information about that process, notably the name of the process that opened a port.
  5. uname – print the name of the current system.

Phase one “Getting to know the system”:

I started off with a few simple commands to try to identify which variant of Linux the system was running:

uname -a (Verify what kernel version I was up against)

yum (To see if it was a Fedora based system)

apt-get (To see if it was an Ubuntu based system and it was)

cat /etc/issue (To check what flavor of Ubuntu, turned out it was “Ubuntu 8.04”)

Next I wanted to get root access without resetting the root account password. I figured this would prevent me from having to deal with any restriction issues.

Created a user called testuser:
user@host:~$ sudo adduser testuser

Edited the password file and changed the UID and GID to those of root (testuser:x:0:0):
user@host:~$ sudo nano /etc/passwd

Then, once I logged in as the newly created testuser, I was automatically given root access.
user@host:~$ su - testuser

Since I knew that the service I was interested in was running on port 443, I ran a few commands to get a better idea of what was really going on with this port.

Netstat to view the connection state and PID for the services running on port 443:

root@host:~# netstat -tulpn | grep 443

tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      5548/pound

To confirm the process's PID, use the fuser command:

root@host:~# fuser 443/tcp
443/tcp:              5548  5549

To find out the process name and working directory associated with PID 5548, enter:

root@host:~# ls -l /proc/5548/exe
lrwxrwxrwx 1 root root 0 Jan 21 14:15 /proc/5548/exe -> /opt/pound/sbin/pound

root@host:~# ls -l /proc/5548/cwd
lrwxrwxrwx 1 root root 0 Jan 21 14:15 /proc/5548/cwd -> /opt/app_name/rails/ssl

Now I had an application name and a working directory to investigate. After further research I found out that Pound is a reverse-proxy load-balancing server, and its config file showed me it was passing all connections on port 443 to another port on the same server.
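The netstat, fuser and /proc/PID steps above can be chained into one script that reads the kernel's socket table directly. This is an added example, not code from the original post; it assumes a Linux /proc layout (/proc/net/tcp, /proc/PID/fd, exe and cwd), and the socket table embedded in it is constructed, not captured from the appliance.

```python
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample of /proc/net/tcp (not captured from the appliance). Addresses
# and ports are hex, IPv4 octets little-endian; st 0A is LISTEN. Rows: a listener
# on 0.0.0.0:443 (inode 14500), one on 127.0.0.1:3000 owned by uid 112 (inode
# 14528), and an established connection that must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 14500 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0BB8 00000000:0000 0A 00000000:00000000 00:00000000 00000000   112        0 14528 1 0000000000000000 100 0 0 10 0
   2: 0A000005:01BB 0A000063:C3F2 01 00000000:00000000 00:00000000 00000000     0        0 14611 1 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = "0A"


def decode_addr(field: str) -> Tuple[str, int]:
    """Turn 'AABBCCDD:PPPP' from /proc/net/tcp into ('d.c.b.a', port)."""
    ip_hex, port_hex = field.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in range(0, 8, 2)]
    return ".".join(str(o) for o in reversed(octets)), int(port_hex, 16)


def listening_sockets(proc_net_tcp: str) -> Dict[int, Tuple[str, int, int]]:
    """Map socket inode -> (local ip, local port, owning uid) for LISTEN rows."""
    result: Dict[int, Tuple[str, int, int]] = {}
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue
        ip, port = decode_addr(fields[1])
        result[int(fields[9])] = (ip, port, int(fields[7]))
    return result


def pid_for_inode(inode: int, proc: str = "/proc") -> Optional[int]:
    """Walk /proc/*/fd looking for 'socket:[inode]' (what fuser and lsof do)."""
    target = f"socket:[{inode}]"
    try:
        pids = [p for p in os.listdir(proc) if p.isdigit()]
    except OSError:
        return None
    for pid in pids:
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)  # needs root for other users' processes
        except OSError:
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
            except OSError:
                continue  # fd closed between listdir and readlink
    return None


def describe_pid(pid: int, proc: str = "/proc") -> Dict[str, str]:
    """Same information as ls -l /proc/PID/exe and /proc/PID/cwd, plus cmdline."""
    base = os.path.join(proc, str(pid))
    info: Dict[str, str] = {}
    for link in ("exe", "cwd"):
        try:
            info[link] = os.readlink(os.path.join(base, link))
        except OSError as exc:
            info[link] = f"<unreadable: {exc.strerror}>"
    try:
        with open(os.path.join(base, "cmdline"), "rb") as fh:
            info["cmdline"] = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        info["cmdline"] = ""
    return info


def who_listens_on(port: int, proc_net_tcp: str, proc: str = "/proc") -> List[Dict[str, str]]:
    """Port -> socket inode(s) -> PID -> exe/cwd, the chain walked by hand above."""
    hits: List[Dict[str, str]] = []
    for inode, (ip, lport, uid) in listening_sockets(proc_net_tcp).items():
        if lport != port:
            continue
        pid = pid_for_inode(inode, proc)
        hit = {"bind": f"{ip}:{lport}", "uid": str(uid), "inode": str(inode),
               "pid": str(pid) if pid is not None else "?"}
        if pid is not None:
            hit.update(describe_pid(pid, proc))
        hits.append(hit)
    return hits


if __name__ == "__main__":
    # Against the live kernel table: every listening TCP port and who owns it.
    with open("/proc/net/tcp") as fh:
        live = fh.read()
    for lport in sorted({p for _, p, _ in listening_sockets(live).values()}):
        for hit in who_listens_on(lport, live):
            print(lport, hit)
```

Run as root to resolve inodes for processes owned by other users; unprivileged runs still report the bind address, uid and inode from the socket table.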

I then used lsof to further investigate the newly discovered port:

root@host:# lsof -Pnl +M -i4
mongrel_r 5623      112    3u  IPv4  14528       TCP 127.0.0.1:3000 (LISTEN)

Then to find out the process owner:
root@host:# ps aux | grep 5623

app_user      5623  0.0  1.3  40048 28536 ?        Sl   14:14   0:02 /usr/bin/ruby1.8 /usr/bin/mongrel_rails start -d -e production -p 3000 -a 127.0.0.1 -P log/mongrel.3000.pid --user app_user --group app_name

A bit more research and I found out what mongrel_rails was. Mongrel is a fast HTTP library and server for Ruby that is intended for hosting Ruby web applications of any kind using plain HTTP rather than FastCGI or SCGI.

After poking around a bit more I noticed the tie-in with a PostgreSQL server that I had seen in a few earlier commands. Now on to the fun part!

Phase two “Modifying the system”:

Now that I had realized that the system has a database, and that the user account is not located in the /etc/passwd file, it was time to access the database, identify the user account and make some modifications.

su - postgres to change to the postgres SQL user:
root@host:~# su - postgres

Launching the PostgreSQL interactive terminal:
postgres@piab:~$ psql

List all the roles and superusers:
postgres=# \du
                          List of roles
 Role name | Superuser | Create role | Create DB | Connections | Member of
-----------+-----------+-------------+-----------+-------------+-----------
 postgres  | yes       | yes         | yes       | no limit    |
 App_User  | no        | no          | no        | no limit    |
(2 rows)

List all databases on the system:

postgres=# \l
        List of databases
   Name    |  Owner   | Encoding
-----------+----------+----------
 postgres  | postgres | UTF8
 App_Name  | postgres | UTF8

Connect to a database:
postgres=# \c App_Name

List of tables:
App_Name=# \dt

 Schema |        Name        | Type  | Owner
--------+--------------------+-------+----------
 public | schema_info        | table | App_User
 public | users              | table | App_User

Query table users:
select * from users;

Fields of interest to me were: id, login, email, password, salt_val, passwd_create, passwd_updated.

Now before I went any further I made sure to dump the DB using pg_dump and pg_dumpall:
postgres@host:~$ pg_dump dbname > /tmp/dbname.out
postgres@host:~$ pg_dumpall > /tmp/db.out

At this point I had a few options:

  • Try to reverse the password encryption and salting mechanism
  • Try to find the code that handles the authentication and bypass that
  • Get access to another box, create a password and copy that hash and encrypted value over to the DB on the other system.

Luckily for me I had access to another device, so I created a password there, queried that DB, copied the encrypted password and hash into notepad, and then used an INSERT statement to add the values to the DB along with a test user.

Connected back to the DB:
postgres=# \c App_Name

Insert new records:
INSERT INTO users (id,login,email,password,salt_val,created_at) VALUES ('2','demo','demo@localhost','9abdgagf42324243240fdbd','8d5d6cd8fa6a0323jb3240988324','2006-12-05 21:15:32');

Went back to the login portal at https://ipaddress and bingo! Big shout out to byte_bucket over at irc.freenode.net #pauldotcom; he was very helpful in working through this with me.

Additional reading:

http://www.cyberciti.biz/faq/what-process-has-open-linux-port/

http://linux.die.net/man/8/pound

http://linux.die.net/man/1/pg_dump

https://support.eapps.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=180

http://www.cyberciti.biz/faq/understanding-etcpasswd-file-format/


Notes for Linux Basix Eps24

Show notes for Linux Basix podcast:

Discussion Links:

News: http://www.wired.com/threatlevel/2010/09/zeus-botnet-ring/

Zeus botnet ring: Thirty-seven people are being charged in the U.S. for their alleged role in an international fraud ring based in East Europe that stole more than $3 million from bank accounts belonging primarily to small businesses and municipalities, according to indictments released Thursday.

The sophisticated ring included a multitude of East Europeans who entered the U.S. on student visas and fake passports to operate as so-called “money mules,”  laundering funds stolen from U.S. accounts and sending the money overseas.

Bye Bye Bios: New PCs could start in just seconds, thanks to an update to one of the oldest parts of desktop computers. The upgrade will spell the end for the 25-year-old PC start-up software known as Bios that initialises a machine so its operating system can get going.

The code was not intended to live nearly this long, and adapting it to modern PCs is one reason they take as long as they do to warm up. Bios’ replacement, known as UEFI, will predominate in new PCs by 2011. The acronym stands for Unified Extensible Firmware Interface and is designed to be more flexible than its venerable predecessor.

News: http://www.wired.com/gadgetlab/2010/09/data-collection-android/

Data collection on Android: Something as simple as changing your Android phone’s wallpaper or downloading a ringtone could transmit personal data about you, including your location, without your knowledge.

Sound farfetched? It’s not: About 15 of 30 randomly selected, popular, free Android apps sent users’ private information to remote advertising servers, and two-thirds of the apps handled data in ambiguous ways, say researchers.

News: http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=227500797

DHS Launches Cyber Attack Exercise: For three or four days this week, the Internet will come under a virtual attack from an unknown adversary, and it will be up to the government and private sector’s coordinated efforts to root out the cause and work together to keep systems up and running — at least within the simulated confines of the Department of Homeland Security’s Cyber Storm III exercise, which begins Tuesday.

The Cyber Storm series of exercises simulates large cyber attacks on critical infrastructure and government IT assets in order to test the government’s preparedness. Specifically, this year’s exercise will be the first time DHS will test both the draft National Cyber Incident Response Plan (an effort to provide a coordinated response to major cybersecurity incidents) that will be publicly released later this year and the new National Cybersecurity and Communications Integration Center (the hub of DHS’ cybersecurity coordination efforts).

Tech segment: “Nessus Bridge for Metasploit”

The idea for this segment, and for a future blog post with an interview with the author that I will be releasing tomorrow, came about from a posting I saw on Twitter this week. After reading the author’s site I said to myself, this is some “pretty cool stuff”.

Basic Idea:

The general concept is to allow you to perform various tasks with your Nessus server from within the msf command line. By that I mean scan with Nessus, review the results, import the results and then exploit the results.

Below is the current and future list of features that the author is developing:

  • Generic Commands
  • Reports Commands
  • Scan Commands
  • Plugin Commands
  • User Commands
  • Policy Commands
  • Check out his blog and keep an eye on this project –> http://blog.zate.org

    What do you need to start testing:

    • A host with Metasploit installed and configured (I recommend BackTrack 4)
    • A host with a Nessus server installed and updated (I recommend you install on your BT4 host)
    • A vulnerable host to test with (I recommend you download metasploitable)

    Once you have the above criteria met, log into your Nessus server via the web interface and create your test policy. From this point onwards you can log-out of your server and close your web browser.

    Next do the following:

    1. Load up your Metasploit console via /pentest/exploit/framework3/msfconsole
    2. Ensure you have the most updated version: “svn up”
    3. Load the Nessus module: “load nessus”
    4. Connect to your Nessus server with “nessus_connect user@myhost:8834 ok”
    5. Next start your first scan with “nessus_scan_new <policy id> <scan name> <targets>”
    6. While it is running you can issue “nessus_scan_status” to see when it has completed
    7. Next you need to get your report ID with the following command: “nessus_report_list”
    8. Create a db workspace and import the scanned results: “db_connect”, then “nessus_report_get <report id>”
    9. Choose a report ID number and use the following to view the details, so you can see if your host has any high-risk vulnerabilities to exploit with MSF: “nessus_report_hosts <report id>”.

    From here on you can issue the db_autopwn commands and have fun:

    Usage: db_autopwn [options]
    -h          Display this help text
    -t          Show all matching exploit modules
    -x          Select modules based on vulnerability references
    -p          Select modules based on open ports
    -e          Launch exploits against all matched targets
    -r          Use a reverse connect shell
    -b          Use a bind shell on a random port (default)
    -q          Disable exploit module output
    -R  [rank]  Only run modules with a minimal rank
    -I  [range] Only exploit hosts inside this range
    -X  [range] Always exclude hosts inside this range
    -PI [range] Only exploit hosts with these ports open
    -PX [range] Always exclude hosts with these ports open
    -m  [regex] Only run modules whose name matches the regex
    -T  [secs]  Maximum runtime for any exploit in seconds

    Go out and have some fun, and look for my follow-up post tomorrow.

    Notes for Linux Basix Eps20

    I appeared on the Linux Basix podcast once more; I am becoming a regular :). Below are some of the things I spoke of during my segment.

    Discussion Links:

    1. Symantec Snoop Dogg rap contest site rickrolled: Symantec attempted to link up with Snoop Dogg to launch a cybercrime rap contest to raise awareness of the issue. However, it turned out that the site had several vulnerabilities and had to be taken down for maintenance; read more over at http://www.theregister.co.uk/2010/09/03/symantec_rap_contest_farce/.
    2. Facebook adds new remote log-out security feature: Facebook on Thursday announced a new security feature that will allow users to see if they are logged into their accounts on a different computer and to remotely log out if so. This can also be used to see if someone has your password and has been logging in when you are not around. The new security feature follows a Login Notification feature the company announced in May that lets users tell Facebook to notify them via e-mail or SMS when a new computer or device is used to log into their account; read more over at http://news.cnet.com/8301-27080_3-20015482-245.html.
    3. Rosetta Stone for Unix: The goal of this site is to give you a command syntax comparison between Linux, Unix, MAC OSX, and a few others, visit http://bhami.com/rosetta.html and have some fun. Another good site with a collection of Unix/Linux/BSD commands is –> http://cb.vu/unixtoolbox.xhtml which gives you the option to save the page as a new PDF ebook.
    4. Malware hosted on Google Code project site: Malicious individuals are using the Google Code repository to host Trojan horses, backdoors and password-stealing keyloggers, according to researchers at Zscaler. The researchers found a malicious project hosted on the free Google Code site with about 50+ malware executables stored in the download section of the project. “The first malicious file was uploaded on June 24, 2010 and was still active at the end of August this year, proving that Google is slow to find and remove malicious projects”; read more over at http://www.zdnet.com/blog/security/malware-hosted-on-google-code-project-site/7247

    Tech Segment: Installing and using Xplico

    What is Xplico?

    The goal of Xplico is to extract the application data contained in an Internet traffic capture. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP content, each VoIP call (SIP), FTP, TFTP, and so on. Xplico isn’t a network protocol analyzer. Xplico is an open source Network Forensic Analysis Tool (NFAT).

    Features

    • Protocols supported: HTTP, SIP, IMAP, POP, SMTP, TCP, UDP, IPv6, …;
    • Port Independent Protocol Identification (PIPI) for each application protocol;
    • Multithreading;
    • Output data and information to an SQLite database or MySQL database and/or files;
    • Each piece of data reassembled by Xplico is associated with an XML file that uniquely identifies the flows and the pcap containing the reassembled data;
    • Realtime elaboration (depends on the number of flows, the types of protocols and on the performance of the computer: RAM, CPU, HD access time, …);
    • TCP reassembly with ACK verification for any packet, or soft ACK verification;
    • Reverse DNS lookup from DNS packets contained in the input files (pcap), not from an external DNS server;
    • No size limit on input data or on the number of input files (the only limit is HD size);
    • IPv4 and IPv6 support;
    • Modularity. Each Xplico component is modular: the input interface, the protocol decoder (dissector) and the output interface (dispatcher) are all modules;
    • The ability to easily create any kind of dispatcher with which to organize the extracted data in the way most appropriate and useful to you.

    Installing and Configuring:

    First begin with a little sudo fu and install the following packages:

    apt-get install tcpdump tshark apache2 php5 php5-sqlite build-essential perl zlib1g-dev libpcap-dev libsqlite3-dev php5-cli libapache2-mod-php5 libx11-dev libxt-dev libxaw7-dev python-all sqlite3 recode sox lame libnet1 libnet1-dev libmysqlclient15-dev

    Create a temp directory to wget your files to, with mkdir Xbuild and cd Xbuild

    Download the Xplico source code from SourceForge or BerliOS, then unpack it:

    tar zxvf xplico-0.5.x.tgz

    wget http://geolite.maxmind.com/download/geoip/api/c/GeoIP-1.4.6.tar.gz
    tar zxvf GeoIP-1.4.6.tar.gz

    cd GeoIP-1.4.6
    ./configure
    make

    cd ..
    rm -f *.tar.gz

    cd xplico
    wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
    gzip -d GeoLiteCity.dat.gz
    rm -f *dat.gz
    make

    cd ..
    wget http://mirror.cs.wisc.edu/pub/mirrors/ghost/GPL/ghostpdl/ghostpdl-8.70.tar.bz2
    tar jxvf ghostpdl-8.70.tar.bz2

    ghostpdl contains the pcl6 application, which is needed to handle “network printer job” data.

    rm -f *.bz2
    cd ghostpdl-8.70
    make

    Wait for some time

    cd ..
    cp ghostpdl-8.70/main/obj/pcl6 xplico-0.5.x
    rm -rf ghostpdl-8.70

    Download videosnarf from http://ucsniff.sourceforge.net/videosnarf.html. Note for 64 bits architectures: Some codec libraries are proprietary and are only for 32bits architecture. The only solution in this case is this: http://forum.xplico.org/viewtopic.php?p=453#p453

    wget http://downloads.sourceforge.net/project/ucsniff/videosnarf/videosnarf-0.63.tar.gz
    tar xvzf videosnarf-0.63.tar.gz
    cd videosnarf-0.63
    ./configure
    make
    cd ..
    cp videosnarf-0.63/src/videosnarf xplico-0.5.x

    Install Xplico

    cd xplico-0.5.x
    make install

    Copy Apache configuration file

    cp /opt/xplico/cfg/apache_xi /etc/apache2/sites-enabled/xplico

    After this we have to change the Apache ports file to add the XI port. In /etc/apache2/ports.conf add:

    # xplico Host port
    NameVirtualHost *:9876
    Listen 9876

    We must also modify the php.ini file to allow uploading (pcap) files. Edit /etc/php5/apache2/php.ini.

    The lines to modify are:

    **post_max_size = 100M**
    **upload_max_filesize = 100M**

    Enable mode rewrite in Apache:

    a2enmod rewrite

    And finally restart Apache:

    /etc/init.d/apache2 restart

    You can find much more information and documentation on the wiki –> http://wiki.xplico.org.

    Uploading your first PCAP file:

    1. Log into the user interface by going to http://xplicoip:9876
    2. Username: xplico and password: xplico; please change these afterwards.
    3. Click on Case to create a new case.
    4. Click on session to create a new session
    5. Click on newly created session within the newly created case and click upload–> browse to your capturefile.pcap.
    6. You can also create a live stream and just have the host sit there passively listening.

    Sit back, wait for Xplico to work its magic and then browse your results. View this page to see screen-shots of all the various options of Xplico –> http://wiki.xplico.org/doku.php?id=web_interface. Now all you have to do is go sniffing, read the manual and have fun viewing your results.

    Linux Basix Security Tips Part 1

    A while back I hinted to the wonderful guys over at http://www.linuxbasix.com/ that I would like to appear on the show and do a segment on Linux security; they agreed, and below are some of the notes that can be used to follow along with my segment.

    Disclaimer: I am by no means a Linux security expert; I am just trying to bring some visibility to a topic that I believe all new users should think about.

    Taken from the Linux basix website, our goal here is to bring together information that will make your introduction to Linux and Open Source Software more enjoyable and productive. As we go along we will be constantly updating this site with our shows and show notes. If you have any questions please post comments to the shows and blog. Feel free to let us know what you think of the show and we will do our best to make it make as much sense as possible. Once the forum is up and running it will be a source to find answers, tips and tricks to make computing more enjoyable.

    The goal of my segment is not to touch on anything too advanced; for that you can find several Linux hardening guides by CERT, NSA, and many more resources out there. Instead I will be focusing on giving a few tips that anyone new to Linux should keep in mind before connecting their server/workstation to the internet.

    I would like to start by sharing a few sentences I found in a blog posting over at computer world;

    “You see Windows was designed as a single-user, non-networked operating system. That design is still at the heart of Windows, which is why security must always be an add-on to Windows. Linux, in contrast, was built from the ground up as a multi-user, networked system. Linux, like Unix, which came before it, was constructed to work in a world with hostile users.”

    Physical Security (it might seem silly, but this should always be considered)

    Configure the BIOS to disable booting from CDs/DVDs and external devices, and set a password to protect these settings; you can also go another step and encrypt your entire drive. Next, set a password for the GRUB bootloader.

    • Generate a password hash using the command /usr/sbin/grub-md5-crypt.
    • Add the hash to the first line of /boot/grub/menu.lst as follows: password --md5 passwordhash

    As minimal an install as possible

    Take a moment to think about your installation. I understand you might not know exactly what you want, but don’t install everything at first. Just do the basics, and as you learn more you can then install those additional applications and do it properly. Also remove unnecessary packages, only keep the ones you need, and lastly remove any accounts that are not needed.

    # yum list installed
    # yum list packageName
    # yum remove packageName

    OR

    # dpkg --list
    # dpkg --info packageName
    # apt-get remove packageName

    Stay away from clear text protocols

    Under no circumstances do you want to use any clear text protocol. Any of the following protocols or programs (telnet, rsh, rlogin, FTP, TFTP) can give out your username/password to anyone on your local network with a packet sniffer. If you are hosting a website or providing users with a login portal, ensure that you are not using http but instead https, even if you have to generate your own certificate.

    Identify all open ports and services

    It's important to know what ports you have open and what services are associated with them; this way you can decide if you would like to block or filter them with a firewall. This is also important so that, in the event you notice a new port open, you already have a baseline to compare it to.

    To do this you can use a tool like Nmap (“Network Mapper”), which is a free and open source (license) utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

    e.g. nmap -A -sV 127.0.0.1

    You can also use the following for identifying and turning off unwanted services:

    To view all services that are turned on:
    # chkconfig --list | grep '3:on'

    To disable a service:

    # service serviceName stop
    # chkconfig serviceName off

    Security software

    • Install Antivirus software, I am aware that Linux is not highly prone to viruses like your average Windows PC, but don’t for a moment think that Linux is not being successfully exploited in the wild every day. You want to ensure that you are not the “Low Hanging Fruit” in short don’t be the easy target.
    • Install/configure a firewall (SELinux, iptables, and AppArmor) and take a moment to read how to configure it.

    Keep Your Software Up to Date

    • Configure your system to update via your software repository and apply updates automatically. Security updates should be applied as soon as possible.
    • Create the file apt.cron, make it executable, place it in /etc/cron.daily or /etc/cron.weekly, and ensure that it reads as follows:

    #!/bin/sh
    # refresh the package lists from the configured repositories
    /usr/bin/apt-get update
    # or, with aptitude (note that -s only simulates the upgrade):
    # aptitude -s safe-upgrade

    Password policy

    • You want to ensure that you have a proper password policy: first identify any user accounts that have an empty password, and either set one or remove the account.
    • Set up password aging; it's important to keep rotating your password, at a minimum every 60 days.
    • Set up some sort of password lockout policy: if someone attempts a brute-force attack you need to at least slow them down; a standard practice is to lock out an account after 3 failed login attempts. To get password expiration information, enter:
      chage -l userName

      To see failed login attempts, enter:
      faillog

      To unlock an account after login failures, run:
      faillog -r -u userName

      Note you can use passwd command to lock and unlock accounts:
      # lock account
      passwd -l userName

      # unlock account
      passwd -u userName

      Identify empty passwords type the following command
      # awk -F: '($2 == "") {print}' /etc/shadow

    Make Sure No Non-Root Accounts Have UID Set To 0

    Only the root account should have UID 0, which grants full permissions to access the system. Type the following command to display all accounts with UID set to 0:

    # awk -F: '($3 == "0") {print}' /etc/passwd

    You should only see one line as follows:
    root:x:0:0:root:/root:/bin/bash

    If you see other lines, delete them or make sure other accounts are authorized by you to use UID 0.
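The password-policy and UID-0 checks above can be automated by parsing /etc/passwd and /etc/shadow directly. The following is an added example, not from the original post; the two sample files it embeds are constructed (the hashes are placeholders), and the 60-day limit is the rotation interval recommended above.

```python
from typing import Dict, List

# Constructed sample /etc/passwd and /etc/shadow (not from a real host).
# shadow fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
testuser:x:0:0:,,,:/home/testuser:/bin/bash
app_user:x:112:120::/opt/app_name:/bin/sh
guest:x:1001:1001::/home/guest:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$FAKEHASHFAKEHASHFAKEHASHFAKEHASH:14975:0:60:7:::
daemon:*:14975:0:99999:7:::
testuser:$6$saltsalt$FAKEHASHFAKEHASHFAKEHASHFAKEHASH:15000:0:99999:7:::
app_user:!:14975:0:99999:7:::
guest::15000:0:99999:7:::
"""

MAX_PASSWORD_AGE_DAYS = 60  # the rotation interval recommended above


def parse_passwd(text: str) -> Dict[str, dict]:
    """Parse passwd(5) lines into {name: {uid, gid, home, shell}}."""
    users: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_shadow(text: str) -> Dict[str, dict]:
    """Parse shadow(5) lines into {name: {hash, max_days}}; max_days None = unset."""
    entries: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        max_days = int(fields[4]) if len(fields) > 4 and fields[4] else None
        entries[fields[0]] = {"hash": fields[1], "max_days": max_days}
    return entries


def audit_accounts(passwd_text: str, shadow_text: str,
                   max_age: int = MAX_PASSWORD_AGE_DAYS) -> List[str]:
    """Return one finding string per policy violation; an empty list means clean."""
    findings: List[str] = []
    users = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    # 1. Any account other than root with UID 0 (the edit made in Episode 39 above).
    for name, user in users.items():
        if user["uid"] == 0 and name != "root":
            findings.append(f"UID0: {name} has uid 0 ({user['shell']})")
    for name, entry in shadow.items():
        pw_hash = entry["hash"]
        # 2. Empty password field: the account can be used without any password.
        if pw_hash == "":
            findings.append(f"EMPTY_PASSWORD: {name}")
            continue
        # 3. Skip locked/disabled accounts ('*' or '!' prefix), then check aging.
        if pw_hash.startswith(("*", "!")):
            continue
        if entry["max_days"] is None or entry["max_days"] > max_age:
            findings.append(f"AGING: {name} max password age {entry['max_days']} exceeds {max_age}")
    # 4. passwd entries without a shadow entry cannot be checked at all.
    for name in sorted(users.keys() - shadow.keys()):
        findings.append(f"NO_SHADOW: {name}")
    return findings


if __name__ == "__main__":
    # Reading /etc/shadow requires root; fall back to the sample data otherwise.
    try:
        with open("/etc/passwd") as p, open("/etc/shadow") as s:
            report = audit_accounts(p.read(), s.read())
    except OSError:
        report = audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW)
    print("\n".join(report) or "no findings")
```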

    File and file system security

    SUID and SGID files on your system are a potential security risk, and should be monitored closely. Because these programs grant special privileges to the user who is executing them, it is necessary to ensure that insecure programs are not installed. A favorite trick of crackers is to exploit SUID-root programs, then leave a SUID program as a back door to get in the next time, even if the original hole is plugged.

    • Find all SUID/SGID programs on your system, and keep track of what they are, so you are aware of any changes which could indicate a potential intruder. Use the following command to find all SUID/SGID programs on your system:

    root# find / -type f \( -perm -04000 -o -perm -02000 \)

    World-writable files, particularly system files, can be a security hole if a cracker gains access to your system and modifies them. Additionally, world-writable directories are dangerous, since they allow a cracker to add or delete files as he wishes (for example, uploading malware to a site and infecting visitors).

    To locate all world-writable directories without the sticky bit on your system, use the following command:

    find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print

    Secure ssh remote access

    • Disable root login via ssh: if someone is going to try to brute-force your ssh server, the first user name they will try will be root, so ensure that you do not allow ssh login for your root user. You can verify or edit this by changing the config file:

    vi /etc/ssh/sshd_config

    Find this section in the file, containing the line with “PermitRootLogin” in it.

    #LoginGraceTime 2m
    #PermitRootLogin no
    #StrictModes yes
    #MaxAuthTries 6

    Then restart your SSH service with sudo /etc/init.d/sshd restart

    No-owner files

    Files not owned by any valid user or group can pose a security problem. Find them with the following command, which lists files that do not belong to a valid user or a valid group:

    find /dir -xdev \( -nouser -o -nogroup \) -print
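The three find commands in this section (SUID/SGID programs, world-writable directories lacking the sticky bit, and files with no valid owner or group) can be combined with the baseline tracking the SUID tip recommends. This is an added example, not code from the original post; build_demo_tree() creates a constructed fixture in a temporary directory so the checks can be exercised without scanning the real file system.

```python
import grp
import os
import pwd
import stat
import tempfile
from typing import Set, Tuple

Finding = Tuple[str, str]  # (category, path relative to the scanned root)


def classify(st: os.stat_result) -> Set[str]:
    """Apply the three checks from this section to one lstat() result."""
    cats: Set[str] = set()
    mode = st.st_mode
    if stat.S_ISREG(mode):
        if mode & stat.S_ISUID:
            cats.add("suid")
        if mode & stat.S_ISGID:
            cats.add("sgid")
        if mode & stat.S_IWOTH:
            cats.add("world-writable-file")
    # Sticky world-writable dirs (/tmp style) are expected; the rest are not.
    if stat.S_ISDIR(mode) and (mode & stat.S_IWOTH) and not (mode & stat.S_ISVTX):
        cats.add("world-writable-dir")
    try:
        pwd.getpwuid(st.st_uid)
    except KeyError:
        cats.add("nouser")
    try:
        grp.getgrgid(st.st_gid)
    except KeyError:
        cats.add("nogroup")
    return cats


def scan_tree(root: str) -> Set[Finding]:
    """Walk root without following symlinks (like find without -L) and collect findings."""
    found: Set[Finding] = set()
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # vanished or unreadable; keep going
            for cat in classify(st):
                found.add((cat, os.path.relpath(full, root)))
    return found


def save_baseline(findings: Set[Finding], path: str) -> None:
    """Persist the findings so a later run can be compared against them."""
    with open(path, "w") as fh:
        for cat, rel in sorted(findings):
            fh.write(f"{cat}\t{rel}\n")


def load_baseline(path: str) -> Set[Finding]:
    with open(path) as fh:
        return {tuple(line.rstrip("\n").split("\t", 1)) for line in fh if line.strip()}


def diff_baseline(current: Set[Finding], baseline: Set[Finding]) -> Tuple[Set[Finding], Set[Finding]]:
    """(new since baseline, gone since baseline); new SUID entries are the ones to chase."""
    return current - baseline, baseline - current


def build_demo_tree() -> str:
    """Constructed fixture: a temp dir with one SUID file, one SGID file, a plain
    file, one world-writable dir without the sticky bit and one sticky dir."""
    root = tempfile.mkdtemp(prefix="fsaudit-")
    for name, mode in (("setuid-bin", 0o4755), ("setgid-bin", 0o2755), ("plain-bin", 0o755)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    for name, mode in (("dropbox", 0o777), ("sticky-tmp", 0o1777)):
        os.mkdir(os.path.join(root, name), 0o755)
        os.chmod(os.path.join(root, name), mode)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    baseline_file = os.path.join(demo, "baseline.txt")
    save_baseline(scan_tree(demo), baseline_file)
    # Simulate what a later run sees after an extra SUID file has appeared.
    os.chmod(os.path.join(demo, "plain-bin"), 0o4755)
    added, removed = diff_baseline(scan_tree(demo), load_baseline(baseline_file))
    print("new:", sorted(added), "gone:", sorted(removed))
```

Point scan_tree() at "/" (as root, so every directory is readable) to produce the real baseline; store it off-host, since a local copy can be edited by whoever planted the new SUID file.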

    Keeping an eye on your logs:

    You should configure logging and auditing so you can keep an eye on any type of attack that is launched against your system. You can manually check the following logs or use a tool like logwatch or logcheck or any number of log parsers out there. Logs of interest are:

    • /var/log/syslog
    • /var/log/faillog
    • /var/log/auth
    • /var/log/lastlog
    • /var/log/messages
    • /var/log/apache2/access.log and error.log

    When all else fails, here are some useful scripts and tools you can use:

    Lynis: Lynis is an auditing tool for Unix (specialists). It scans the system and available software, to detect security issues. Beside security related information it will also scan for general system information, installed packages and configuration mistakes.

    sectool (security audit tool) is a security tool that can be used both as a security audit as well as a part of an intrusion detection system. It consists of a set of tests, a library and textual/graphical front-ends. Tests are sorted into groups and security levels. Administrators can run selected tests, groups or whole security levels.

    The Bastille Hardening program “locks down” an operating system, proactively configuring the system for increased security and decreasing its susceptibility to compromise. Bastille can also assess a system’s current state of hardening, granularly reporting on each of the security settings with which it works.

    audit2.pl (perl): This second script searches the entire file system, listing SUID, SGID, world-writable and group-writable files. It also lists trust files and their contents. Finally it lists files with weird names (e.g., containing punctuation characters), which might be dangerous or a sign of penetration. On a large server with 100GB disks, this can take a few hours to run.

    Unix-privesc-checker is a script that runs on Unix systems (tested on Solaris 9, HPUX 11, Various Linuxes, FreeBSD 6.2).  It tries to find misconfiguration that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases).

    DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks).

    OpenVAS stands for Open Vulnerability Assessment System and is a network security scanner with associated tools like a graphical user front-end. The core component is a server with a set of network vulnerability tests (NVTs) to detect security problems in remote systems and applications.

    References:

    http://iase.disa.mil/stigs/checklist/index.html

    http://www.sans.org/score/checklists/linuxchecklist.pdf

    http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf

    http://georgia.ubuntuforums.org/showthread.php?t=1002167&page=2

    http://boilinglinux.blogspot.com/2008/07/ubuntu-hardy-hardening.html

    http://www.cyberciti.biz/tips/linux-security.html

    http://www.debian.org/doc/manuals/securing-debian-howto/

    http://tldp.org/HOWTO/Security-HOWTO/file-security.html

    http://blogs.computerworld.com/16367/dell_back_tracks_on_linux_being_safer_than_windows

    http://www.rootkit.nl/projects/lynis.html

    https://fedorahosted.org/sectool/

    http://www.security-database.com/toolswatch/

    http://securitytube.net/Mastering-IPTables-video.aspx

    http://nmap.org/

    http://www.openvas.org/

    http://www.bastille-unix.org/

    http://denyhosts.sourceforge.net/

    http://pentestmonkey.net/tools/unix-privesc-check/

    http://www.boran.ch/audit

    http://oreilly.com/pub/h/66

    http://www.howtogeek.com/howto/linux/security-tip-disable-root-ssh-login-on-linux/

    http://www.cyberciti.biz/faq/linux-log-files-location-and-how-do-i-view-logs-files/