Please enable JavaScript.

Coggle requires JavaScript to display documents.

Securing Linux, Automated Tasks via SSH - Coggle Diagram

- - - - R p+i+n+u+g+s+m+c+md5 ("read-only") - this checks everything but last access time & use md5 checksum - approp for files that dont get updated except by patches
      - L p+i+n+u+g ("log file") - u can use this on some log files & files that changes regularly /etc/passwd shadow . This macro checks everything but file size & last access & last mod times & does not run any checksum to attempt to verify any content
      - Common sets have predefined macros:
      - p+i+n+u+g+S ("growing log file") spcial ">" used on files that should change but nvr shrink
      - Specify the regexp & list of param
        /usr/bin/su$ p+i+n+u+g+s+m+c+md5
    - - =/usr$ R #check /usr itself but dont recurse
      - You can also use ! to exclude files & dir from considerations
      - By def, AIDE recurs descends through dir trees, catching all entries- it is vital to terminate this regexp with "$"
      - /etc/namedb R #watch zone files
        !/etc/namedb/slave R #but not slave files
    - - /dev L #watch /dev entries
      - !/dev/[pt]typ[0-9a-f]$ #these changes a lot
      - H = p+i+n+u+g+s+b+m+c+sha512+rmd160 #heavy auditng
      - /root H #critifcal area
      - verbose=20 #0-255 with verbose being a good def
      - /root/.ssh/khown_hosts$ > #this file changes
      - gzip_dbout=yes #support Gzip Dbs
      - =/etc$ L #critical dir
      - database_out=file:/var/aide/aide.db.new.gz #new Db here
      - /etc/.* H #watch contents
      - database=file:/var/aide/aide.dg.gz #where Db lives
      - !/etc/ntp.drift$ # ignore this file
    - - /etc (but beware of derived files in /etc)
      - Crontab files/dir - kernel & bootleader if any
      - Config file in roots home dir
      - sample : http://www.deer-run.com/~hal/aide/
      - Certain dir should always be check /,/usr,/var,/dev, /tmp
      - IMPORTANT TO RUN AIDE AGINST FTP/FS TO MAKE SURE YOU ARE NOT DIST TROJANED SFT WITHOUT Your knowledge & that your upload dir are not being used for WAREZ
    - - Generating your DB
        aide --config=/var/aide/aide.conf --init
        mv /var/aide/aide.db.new.gz /var/aide/aide/aide.db.gz
      - Running a check
        aide --config=/var/aide/aide.conf --check
      - Automate with corn
      - Updating DB
        
        use "aide --update" to run scan & simultaneously produce new Db
        
        Carefully check report before overwriting old db
- - - - Accountability: Check the sudo logs to see who crash the sys
      - Dont hav to change the passwrd when somebody leave
      - least priv: Give operat/DBAs only the comm they need
    - - sudo vi
        :shell - use a shell escape in another prog to circumvent
      - There isnt perfect sol to stop all such possibl prv escalation - u hv to trust your users to do right thing - monitor audit to ensure trust is not misplaced
      - Frustrated user run sudo su or sh to get root shell- At this point, any comm they type will not be logged by sudo
    - - Define def (global,permachine/user,pergrp)
      - Use grps & literals to define rule- Rules say which user will run which comm on which hosts as what usr
      - Define grps of user, comm,hosts
      - Goal is to hv single config file that can be maintained in 1 place & then pushed out to all mmachine (via rsync etc)
      - config on 163
- - - - Prg should nvr execute instructions from stack / or any other writable data seg
      - Modify kernel- attempts to execute from stack cause prog abort
      - Req cooperation of CPU hardware
      - prg code normally resides in RO txt seg
    - - Stack prot is enabled by def linux (since v2.6.8)
      - Check: dmesg | grep NX
      - For solaris: noexec_user_stack/log = 1
  - - - Use strong encryption to protect the data flowing between client-server. Strong protection is the only real protection we have from session hijacking
      - Only grant access to sys that hv leg need to access serv
      - Patch known Vulnerabilities
      - Isolate app "one app per serv" - so that V on 1 serv doesn't end up compromising another
      - Disable services that are not necessary
      - Run unprivileged - kernel based prv restrict like SELINUX
      - Removing OS v info from login banners can help little - security through obscurity dsnt work as gen sec posture but obscurity is a layer that can be used to help prevent systems.
    - - Reduced size implies reduced complexity, greater sec but loss of convenience - choose sec over conven
      - Apply set of patches & maintan over lifetime of sys
      - Install smallest possible image- boot faster & more stable
      - Tao of patches
        
        Test patches in non-prod sys before release
        
        Yum for EPEL extra pkg "yum install epel-release"
        
        Install patches after inst req OS pck
        
        Rollback strategy - snapshot of vm b4 patches-OR-break mirror b4 applying updates
    - - Rename the srv in /etc/rc?.d directory to prvnt srv from started at particular run lvl
      - use "zzSnn" or .NOSnn
      - SystemD is very diff animal from traditional Unix init- its an idea of only starting the service on demand - it abondon the old concept of runlvl & innstead has dependency targets
      - SystemD can detect failure in say DB & gracefully shutdown other components - it can also configured to auto try /restart failes serv
      - SystemD unit files - def files tht ships with OS are found in /usr/lib/systemd/system. theres also a /etc/systemd/system where admin can put locally dev unit files
      - In unit file - "Restart=on-failure" means that systemD will monitor the ssh process & start another one if the process dies - this is convenient for critical services like SSH
    - - Many standard services can be disabled completely
      - Services may hv ports for remote access that are not used:
      - In many cases you dont need these ports & you should shutdown them down to reduce the potential for remote exploits
      - Another tactic : "Bind to loop back"
      - For some services you may only hv option to use host based FW to restrict access to these ports
    - - Disable 25/tcp listener on all nix sys that are no acting as a mail serv
      - On sys running postfix- their def mail serv- run listener on 25/tcp but hv bind on localhost & not accept conne from outside sys.
    - - Attacker doesn't have to guess the passwrd- if they takeover the session once u logged in
      - Local attacker with root priv can snoop nw session in prg
      - Attacker takes over the session which is already in progress
      - As far as exploit code goes - check out Tap,Hunt,bettercap
      - Remote party from 3rd party machines
      - The case for Encryption
        
        Cleartext is susceptible to session HJ- Encyption not only protects transmitted data but also makes session HJ essentially impossible
        
        Encryption is the only real defense against session hijacking
    - - Transparently tunnels X11 traffic- runs remote GUIS securely!
      - Tunnels any TCP based prot- quick-dirty VPN
      - All sessions are fully encrypted - supports strong auth
      - Basic SSH config
        
        Protocol 2
        
        MaxAuthTries 3
        
        Banner - /etc/issue path name of banner containing text
        
        ListenAddress def 0.0.0.0
        
        Port -def 22
        
        SyslogFacility AUTH/AUTHPRIV
        
        LogLevel INFO - specify syslog fac & how much to log
        
        StrictModes yes - ensures users home/dir are not world writable
        
        PrintMotd no - set to no if you using motd twice
        
        PIDFile - can be used to custom path
        
        AllowTCpForwarding no
        
        X11Forwarding no
        
        PermitRootLogin no
        
        Privilege Separation
        
        PrivSep runs auth in chroo()ed env
        
        Req special usr/grp 7 simple dir setup
        
        Many openSSh expoits due to auth libs
        
        PrivSep is an imp sec feature. you should turn on
        
        U need to create unpriv U/G called sshd & an empty dir mode 111 owned by root:root - see README.privsep
        
        UsePrivilegeSeparation yes
        
        PasswordAuthetication yes/no - if it is yes then refer below sett
        
        PermitEmptyPasswords no
        
        PubKeyAuthetication yes
        
        AloowUsers -
        
        UsePam
        
        Yes, tells server to obey local PAM conf
        
        Effectively overrides PasswordAuthetication option
        
        Convenient if u use LDAP auth or some 3rd party auth sys conf via your PAM stack - xmodulo - 2FA
        
        StrictHostkeyChecking
        
        Setting is in ssh_config rather sshd_config
        
        if set to "no" disables the prompts - all keys accepted auto
        
        "Yes" prevents connection unless key already in know_hosts
      - Improved login/file xfer protocol
  - - - Hostbased FW as a additional layer & for spec appl
      - RHEL is using mgmt layer on top of iptables called FWd
      - Use network FW to enforce general policy & drop bogus trafic
      - Smoothwall , Untangle , pfsense can be used to turn an off the shelf PC into NW FW
      - Preparing the ground
        
        iptables -L - for list
        
        iptables -F - to flush the existing rule
        
        iptables -P INPUT DROP - setting drop policy for input chains
        you can apply same deny policy with OUTPUT ,FORWARD chain
        
        Dont mess with loopback
        
        All other net 127.0.0.0 traffic is spoofed
        
        iptables -A INPUT -i lo -j ACCEPT - Accept traffic on interface lo
        
        iptables -A OUTPUT -o lo -j ACCEPT - "" output chain
        
        iptables -A INPUT -s 127.0.0.0/8 -j DROP Anitspoofing filter - rule to drop any other traffic trying to reach the box that purports to come from the nw -s means source add
        
        Aloow trafic freely on loopback interface
        
        Allow our packets out
        
        iptables -A OUTPUT -p udp -m state \ --state NEW,ESTABLISHED -j ACCEPT
        
        iptables -A OUTPUT -p icmp -m state \ --state NEW,ESTABLISHED -j ACCEPT
        
        iptables -A OUTPUT -p tcp -m state \ --state NEW,ESTABLISHED -j ACCEPT -->-m state is stateful fw were allowing outgoing pckts that either initiate NEW conn or part of ESTABLISHED conn
        
        Desktops tends to be permissive in outbound direction- here we are allowing all outbound TCP,UDP, & ICMP trafic
        
        iptables allow u to filter based on dest ip add "-d" & desti port "--dport" so you can create more restrictive rules to only allow certain types of outbound egress filters
        
        And Allow return packets
        
        iptables -A INPUT-p tcp -m state \ --state NEW,ESTABLISHED -j ACCEPT
        
        iptables -A INPUT -p icmp[udp] -m state \ --state NEW,ESTABLISHED -j ACCEPT
        
        Allow inbound packets from session we've initiated
        
        External Access
        
        iptable -A INPUT -p tcp --dport 22 \ -m state --state NEW -j ACCEPT
        
        iptable -A INPUT -p tcp --dport 80 \ -m state --state NEW -j ACCEPT
        
        You want people to access services on this machine like SSH or port 80because machine is SSH ,webserver
        
        Logging
        
        iptables -A INPUT -j LOG
        iptables -A OUTPUT -j LOG
        iptables -A FORWARD -j LOG
        
        Should be deposited in /var/log/messages
        
        Finish chains with LOG rules to catch pckts before def drop policy- logging drop trafic could alert you to attackers trying to get into your box
        
        Saving your rule sets
        
        Filetring rules not saved across reboots by def
        
        iptables-save