Matrix 0501 Hardening Linux (Debian-Based Distros)

Please NOTE: This page is under construction. A lot more information will be added over time.

Checklist based on Aiden Gravitt's "GOD teir checklist LINUX or also know as PAIN"
Last Updated: 1/23/2020

High Level (Overview)

  • Install and maintain malware protection software
    • Install Linux Malware Defender
    • Install Antivirus (Microsoft Security Essentials)
  • Account Management
    • Remove guest user 
    • Remove old accounts 
    • Ensure all accounts use strong passwords
    • PAM Files 
  • Enabling the Firewall and Configuring Network Settings
  • Disable unnecessary services (Also called a daemon) 
  • Attack Detection 
    • Monitor your processes 
    • Port Checks 
    • System Logs (syslog & journalctl) 
  • Installing and Automating Updates 
  • Setting Audit Policies
  • Software Configuration
    • Firefox
  • Delete Unauthorized and Suspicious Files
    • Write down file names and locations that were deleted 

Tools

Low Level (Details)

While going through this checklist, write down every vulnerability you find: it will help you after the competition, when you are trying to figure out how you got some points (trust me, you won't want to forget how you got them).

Please Note How Parameters Are Used In Commands: sudo <required> [optional parameter one | optional parameter 2] ...

  • Read the Read Me and Complete Forensics Questions
  • Install and Maintain Malware Protection Software
    • Install & Run ClamAV (Anti-Virus)
      • Install ClamAV by first making sure your machine is updated with sudo apt-get update && sudo apt-get upgrade, then install it with: sudo apt-get install clamav clamav-daemon clamtk 
        This will install the ClamAV program along with its services and GUI versions.
      • Once installed, you can manually update the antivirus database by running: sudo freshclam 
        This might not work right away, because clamav-daemon creates a service that updates ClamAV automatically, so you cannot run a manual update while that service is running.
      • To run a scan that locates --infected files, alerts you with a --bell, and --remove's them by performing a --recursive scan of the whole filesystem, run: sudo clamscan --infected --remove --bell --recursive /
      • This will take a long time and will most likely not show anything for a long time. Trust me, more likely than not it is running.
    • Install & Run Linux Malware Detect (LMD)  (Anti-Malware)
      • To install, download the zip from the GitHub repository here: https://github.com/rfxn/linux-malware-detect/releases/tag/1.6.4
      • Unzip it, enter the directory, and run the installer with the command: sudo ./install.sh
      • You can tell if it installed correctly if you get a help page after running the command: sudo maldet
      • Next, using your preferred text editor, change the following settings in the file /usr/local/maldetect/conf.maldet:
        • scan_max_depth="45"
        • scan_clamscan="1"
          This should already be set to 1 if clamav was already installed.
        • quarantine_hits="1"
        • quarantine_clean="1"
      • To run use the following command: sudo maldet -a / -l -e
        Breakdown of parameters: 
        • -a / -- scan all PATH
        • -l -- log
        • -e -- report
      • After the scan is run make sure to look at the report given by the program as it will tell you what files have been removed and where they were found. 
        Please Note that you should still look around the file system as it is possible that the scan missed something. You can never be too careful.
    • Install & Run RKHunter (Anti-Rootkit)
      • To install use the following command: sudo apt-get install rkhunter
      • Update the rootkit database: sudo rkhunter --update
      • Check for Rootkits on entire system and some common vulnerabilities: sudo rkhunter --check
      • If any rootkits are found, log them and remove immediately.
  • Account Management
    • Please remember to do the following things while configuring user accounts:
      • Write down names of accounts you delete.
      • Write down the password you give users.
    • Users and Groups
      • Disable login for non-user accounts such as bin, sys, uucp, mysql, etc.
        • To disable an account (meaning you can't log in to it), run the following command: sudo passwd -l <username>
        • Disable Guest account
          • Like Windows, the Guest account is turned on by default. You should disable this so people who aren't authorized to have access to the system can't access the data.
          • To turn off the guest account you need to edit the LightDM file:
            • Open the file with the following command: sudo <preferred text editor> /etc/lightdm/lightdm.conf
            • Add the line allow-guest=false at the end of the file. Save the file and exit.
            • Restart the system. The guest account should now be disabled.
        • Ensure only Authorized Users are Admins
          • You can do this by going to the Settings app, then User Accounts, and checking each user to see whether they are supposed to be an admin or not. If a user is an admin and is not supposed to be, remove the admin permission from that user.
          • You should also check the sudoers file in /etc/sudoers. Make sure that only users that are authorized to use the sudo command are added.
        • Ensure only Authorized Users are on the System
          • For this you will again be going through the list of users that can be found in the graphical settings window and removing users that are not authorized to be on the system by comparing it to the Readme or documentation for who is allowed.
          • Also make sure that nothing referencing the account is left on the system (groups, files, etc.).
        • Ensure all users on the system have strong passwords
      • PAM Configuration Files (User Account Policies)
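The user and admin checks above (accounts not in the Readme, system accounts that still have a login shell, sudo members who should not be admins) can be scripted against the passwd and group files. This is an added example, not part of the original checklist: it runs on constructed sample data written by write_samples, and the file paths and the one-name-per-line list format are assumptions.

```shell
# Added example: audit passwd/group style files against the Readme's
# authorized lists. Paths are arguments so it runs on copies or samples.

# Constructed sample data standing in for /etc/passwd, /etc/group and the
# Readme's lists; written into the directory given as $1.
write_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
uucp:x:10:10:uucp:/var/spool/uucp:/bin/bash
mysql:x:112:120:MySQL Server,,,:/nonexistent:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
bob:x:1001:1001:Bob,,,:/home/bob:/bin/bash
mallory:x:1002:1002:,,,:/home/mallory:/bin/bash
EOF
    printf 'root:x:0:\nsudo:x:27:alice,mallory\nusers:x:100:\n' > "$1/group"
    printf 'alice\nbob\n' > "$1/authorized_users"   # from the Readme
    printf 'alice\n' > "$1/authorized_admins"       # from the Readme
}

# Human accounts (UID >= 1000, not nobody) missing from the authorized list:
# candidates for removal. $1=passwd file, $2=authorized users, one per line.
# (The NR==FNR idiom needs a non-empty list file.)
unauthorized_users() {
    awk -F: 'NR==FNR { ok[$1]=1; next }
             $3 >= 1000 && $1 != "nobody" && !($1 in ok) { print $1 }' "$2" "$1"
}

# System accounts (UID < 1000, not root) that still have an interactive
# shell: the bin/sys/uucp/mysql style accounts to lock with passwd -l.
system_accounts_with_shell() {   # $1=passwd file
    awk -F: '$3 < 1000 && $3 != 0 &&
             $7 !~ /(nologin|false|sync|halt|shutdown)$/ { print $1 }' "$1"
}

# Members of the sudo group who are not authorized admins.
# $1=group file, $2=authorized admins, one per line.
unauthorized_admins() {
    awk -F: 'NR==FNR { ok[$1]=1; next }
             $1 == "sudo" { n = split($4, m, ",")
                            for (i = 1; i <= n; i++) if (!(m[i] in ok)) print m[i] }' "$2" "$1"
}
```

On a real system, point the functions at /etc/passwd and /etc/group and at list files you type up from the Readme; write down every name printed before deleting or locking anything.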
    • Firewall & Network Settings
      • Enable the Firewall
        • The most common Firewall you will find on a system will be the Uncomplicated Firewall (UFW). You will also sometimes find another firewall by the name of "Firewall Configuration" which is just the graphical version of UFW (gufw):
          • UFW Install & Enable
            • To install use the following command: sudo apt-get install ufw 
            • To enable the firewall use the following command: sudo ufw enable
          • How to add/remove Firewall Rules
            • To see a verbose list of the currently enabled rules, run: sudo ufw status verbose (use sudo ufw status numbered when you need the row number of each rule)
            • To add a rule all you have to do is the following command: sudo ufw allow <port# | protocol(ssh, http/s, etc)>
            • Make sure to add the correct ports for services that are required in your Readme file. Otherwise what is the point of a service if you can't connect to it?
            • To remove a rule all you have to do is the following command: sudo ufw delete <row number the rule is on>
              You can find the row number the rule is on with the sudo ufw status numbered command.
            • Make sure to remove any ports that should not be open. If a port is open but is not required by a required service, write down the port number and look up what service uses that port. More likely than not you will kill two birds with one stone, because that open port is very likely associated with a service that should not be installed on the server and should be removed immediately.
          • Fail2ban
            • You will want to install Fail2ban, as this service protects the computer against brute-force attacks and unauthorized users attempting to break in.
            • To install use the following command: sudo apt-get install fail2ban
            • Fail2ban Configuration (Location: /etc/fail2ban/)
          • Enable SYN Cookie Protection: sudo sysctl -w net.ipv4.tcp_syncookies=1
          • Disable IPv6 (Potentially Harmful):
             echo "net.ipv6.conf.all.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf
          • Disable IP Forwarding: echo 0 | sudo tee /proc/sys/net/ipv4/ip_forward
          • Prevent IP Spoofing: echo "nospoof on" | sudo tee -a /etc/host.conf
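The sysctl settings above can be made persistent without the duplicate lines that a repeated tee -a appends to /etc/sysctl.conf. This is an added example, not part of the original checklist: the helper names are assumptions, it assumes GNU sed for -i, and it only edits the file, which you then load with sudo sysctl -p <file>.

```shell
# Added example: persist the sysctl settings above idempotently. Re-running
# "echo ... | tee -a /etc/sysctl.conf" appends a duplicate line each time;
# these helpers replace an existing (even commented-out) line instead.
# Assumes GNU sed (-i); the file is only edited, not applied.

# $1=sysctl conf file, $2=key, $3=value
set_sysctl_key() {
    # Dots in the key match any character here, which is fine for these keys.
    if grep -Eq "^[#[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null; then
        sed -i -E "s|^[#[:space:]]*$2[[:space:]]*=.*|$2 = $3|" "$1"
    else
        printf '%s = %s\n' "$2" "$3" >> "$1"
    fi
}

# $1=sysctl conf file, $2=key: prints the last uncommented value, or nothing.
sysctl_file_value() {
    awk -F= -v k="$2" '
        /^[[:space:]]*#/ { next }
        { key = $1; gsub(/[[:space:]]/, "", key) }
        key == k { v = $2 }
        END { gsub(/[[:space:]]/, "", v); print v }' "$1"
}

# Apply the checklist's three network settings to the file given as $1
# (normally /etc/sysctl.conf or a new /etc/sysctl.d/99-hardening.conf);
# afterwards load them with: sudo sysctl -p <file>
harden_network_sysctl() {
    set_sysctl_key "$1" net.ipv4.tcp_syncookies 1          # SYN cookie protection
    set_sysctl_key "$1" net.ipv4.ip_forward 0              # no IP forwarding
    set_sysctl_key "$1" net.ipv6.conf.all.disable_ipv6 1   # IPv6 off, as on the page
}
```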
        • Services Configurations and Useful Information:
          Please Note: If the Readme does not state that one of the services is required, remove immediately.
          • SSH
          • Web
            • Apache2
            • Nginx
          • SQL Databases
            • PostgreSQL
            • MySQL
            • MariaDB
          • Samba (SMB)
        • Setting Audit Policies and Monitoring Software
          • Installing and Automating Updates
          • System Logs (syslog & journalctl) 
          • Monitor your processes 
          • Port Checks 
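This added example (not from the original checklist) serves both the open-port review under the Firewall Rules section and the Port Checks item here: it reads saved ss -tulpn output, compares every listening port with the ports the Readme allows, and names the process behind anything else, which is the service you then look up. The ss sample is constructed, and the space-separated allowed-port list is an assumption.

```shell
# Added example: report listening ports that the Readme does not allow,
# with the owning process, from saved "ss -tulpn" output.

# Constructed sample of ss -tulpn output, written to the file given as $1.
write_ss_sample() {
    cat > "$1" <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    *:80               *:*           users:(("apache2",pid=1044,fd=4))
tcp   LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*     users:(("mysqld",pid=933,fd=21))
tcp   LISTEN 0      5      0.0.0.0:6667       0.0.0.0:*     users:(("ngircd",pid=1501,fd=6))
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*     users:(("dhclient",pid=610,fd=6))
tcp   LISTEN 0      128    [::]:22            [::]:*        users:(("sshd",pid=812,fd=4))
EOF
}

# $1=file with ss -tulpn output (or "-" for stdin), $2=allowed ports such as
# "22 80 68". Prints "proto port process" for every other listener; the
# process name is what you look up to decide which service to remove.
unexpected_listeners() {
    awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR > 1 {
            port = $5; sub(/.*:/, "", port)       # keep text after the last colon
            proc = "-"
            if (match($0, /"[^"]+"/)) proc = substr($0, RSTART + 1, RLENGTH - 2)
            if (!(port in ok)) print $1, port, proc
        }' "$1"
}
```

On a live machine run sudo ss -tulpn > ports.txt and then unexpected_listeners ports.txt "22 80", with the port list taken from the services your Readme requires.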
        • User Software Configuration
          • Firefox
            •  General:
              •  Save files to: Downloads
              •  Automatically Install Updates: Enabled
                 (This step was completed when you set up Automatic Updates for the system)
            •  Privacy & Security:
              •  Set to Strict
              •  Send websites a “Do Not Track” signal that you don’t want to be tracked: Always
              •  Cookies and Site Data: Delete cookies and site data when Firefox is closed
              •  Logins and Passwords: All set to disabled (unchecked)
              •  History: Never Remember
              •  Permissions:
                Go into each "Settings" dialog and check "Block new requests asking to access ______". Also, while in these settings, make sure no websites are listed as having access to the permission.
              •  Block Pop-up Windows: Enabled
              •  Warn you when websites try to install add-ons: Enabled
              •  Firefox Data Collection Use: Disable All (uncheck all)
              •  Deceptive Content and Dangerous Software Protection: Enable All (Block Dangerous downloads and unwanted/uncommon software)
              •  Certificates: 
                •  Ask you every time: Enable
                •  Query OCSP Responder: Enable
              •  HTTPS-Only Mode (Only available in most up-to-date version of Firefox): Enable HTTPS-Only Mode in all windows 
            •  Ensure there are no plugins installed
        • Unauthorized and Suspicious Files

        Additional Information

        • Problem: "sudo" command cannot be found
          Solution: If you get an error saying "the command sudo cannot be found" or something similar, it means that sudo is not installed. To fix this, open a root terminal and install it with the command: apt-get install sudo
          After that, all you have to do is add your user to the sudoers file.
        • Problem: An Unauthorized user has been mapped to another user in Postgresql
          Solution: You can easily find out which users are mapped to whom in PostgreSQL by looking at the following files: /etc/postgresql/x.x/main/pg_ctl.conf and /etc/postgresql/x.x/main/pg_hba.conf
          These two configuration files are used to map user identities.

        Resources