Sunday, February 12, 2012

Linux Security Checklist


1. SUID check (root-owned files with the SetUID or SetGID bit set)
    # find / -user root -perm -4000 -print          (SetUID)
    # find / -user root -perm -2000 -print          (SetGID)
    # find / -xdev -user root -perm -4000 -print    (stay on the root filesystem only)

2. Check the disk usage of each partition
    # df -h

3. File integrity checking
    - Install Tripwire (checks executables against a stored baseline)
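
As an added example (not part of the original checklist), the script below does a Tripwire-style baseline-and-compare for exactly the things the find commands in items 1 and 25 look for: SetUID/SetGID files (with their mode and SHA-256) and world-writable files and directories. The function names, the use of a root-directory parameter and the baseline file path in the usage note are all assumptions of this example; the checklist itself only gives the one-shot find commands.

```shell
#!/bin/sh
# Added example, not part of the original checklist: inventory the privileged
# (SetUID/SetGID) and world-writable files under a directory, store that as a
# baseline, and diff later scans against it. The root directory is a parameter
# so the same functions can be exercised on a constructed test tree instead of /.

# One line per file, sorted so two inventories diff cleanly:
#   "suid <path> <octal mode> <sha256>"   for SetUID/SetGID regular files
#   "worldwritable <path> <octal mode>"   for files/directories with the world write bit
privileged_inventory() {
    root=$1
    {
        find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) | while IFS= read -r f; do
            printf 'suid %s %s %s\n' "$f" "$(stat -c %a "$f")" "$(sha256sum "$f" | cut -d' ' -f1)"
        done
        find "$root" -xdev \( -type f -o -type d \) -perm -0002 | while IFS= read -r f; do
            printf 'worldwritable %s %s\n' "$f" "$(stat -c %a "$f")"
        done
    } | sort
}

# Record the inventory of a known-good system as the trusted baseline file.
save_baseline() {
    privileged_inventory "$1" > "$2"
}

# Re-scan and diff against the baseline. "<" lines are baseline entries that
# vanished or changed, ">" lines are new or changed entries (a replaced SetUID
# binary shows up as both, because its hash differs). Returns 0 when nothing
# changed and 1 otherwise.
check_baseline() {
    root=$1
    baseline=$2
    current=$(mktemp)
    privileged_inventory "$root" > "$current"
    if diff "$baseline" "$current"; then
        rm -f "$current"
        return 0
    fi
    rm -f "$current"
    return 1
}
```

Usage (assumed paths): run `save_baseline / /var/lib/suid.baseline` once on a freshly installed host, then run `check_baseline / /var/lib/suid.baseline` from cron and alert on a non-zero exit; keep the baseline file off the host or read-only (see chattr +i later on this page) so an intruder cannot simply regenerate it.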

4. Check whether a backdoor is installed (inspect /dev and run a rootkit check)
    # find /dev -type f -exec ls -l {} \;
    # ./chkrootkit
   
5. Check the currently open ports and whether they respond.

    # netstat -atp | grep LISTEN
       (for each listening socket check:
        - the protocol in use: TCP or UDP?
        - the port number in use
        - the server IP and domain name it is bound to
        - the PID that created it
        - the name of the process serving it
        - the state: can it currently respond?)
    # lsof | grep LISTEN
       (for each listening socket check:
        - the name of the process (daemon) currently serving it
        - the PID of that process
        - the owner of the process
        - the protocol version: IPv4 or IPv6
        - TCP or UDP
        - the state: can it respond?)

6. Check the running processes and daemons (the parent/child tree of processes)

    # pstree

7. Check the system's activity.

   # top -d 2

8. Check back.

9. Spam check (check the mail queue directory)

  # cd /var/spool/mqueue   (be suspicious of many files with the same date and the same size)

10. Core file inspection

 # find / -name core -exec ls -l {} \;

 A core file is a dump of the server's memory at the instant a process crashed.
 When an incident occurs on the server, keep it, at least so the event can be analysed accurately.
 
 11. Check file sizes and quotas

 # repquota -avug
 # df -h

12. Check the latest visitors to the server.

  # vi /var/log/secure
  # last -n 10
   - Check the 10 most recent access records.

13. Check the last access recorded for each account.

   # lastlog
    - lastlog reports, for every account present in /etc/passwd, when it last connected to the server.
      For system accounts such as mail, adm and bin, "**Never logged in**" is the normal result.

 14. View the users currently on the server

   # w        (telnet)
   # ftpwho   (ftp)

15. Check root's command history.

   # vi /root/.bash_history      (use :set nu to number the lines)
   # wc -l /root/.bash_history   (normally more than 1000 lines)

16. Check the command history files of each account.

   # find / -name .bash_history -exec ls -l {} \;   (each account has its own .bash_history file)
   # find / -name .bash_history -exec cat {} \;     (review the full contents of every history file)

17. Check the accounts owned by root (users with UID and GID 0)

   # grep 0:0 /etc/passwd
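
The grep above also matches lines such as a UID of 100 with GID 0, and misses nothing but reads noisily. As an added example (not from the original checklist), the functions below split the passwd fields and report every UID-0 or GID-0 account, flag any UID-0 account that is not "root", and list accounts whose password field is empty. The passwd file is a parameter so a constructed file can be audited; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original checklist: audit a passwd-format file
# for root-equivalent accounts. Field layout: name:passwd:uid:gid:gecos:home:shell.

# Print one line per account with UID 0 or GID 0:
#   "<flag> <name> uid=<uid> gid=<gid> shell=<shell>"
# flag is SUSPICIOUS for a UID-0 account other than root, otherwise ok.
root_accounts() {
    awk -F: '
        $3 == 0 || $4 == 0 {
            flag = ($3 == 0 && $1 != "root") ? "SUSPICIOUS" : "ok"
            printf "%s %s uid=%s gid=%s shell=%s\n", flag, $1, $3, $4, $7
        }' "$1"
}

# Return 0 when root is the only UID-0 account, 1 when another one exists.
check_single_root() {
    extra=$(awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1")
    [ -z "$extra" ]
}

# Accounts whose password field is empty (no password at all, not even "x"
# pointing at /etc/shadow); these can be logged into without a password.
nopassword_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}
```

Typical use is `root_accounts /etc/passwd` during the checklist run, and `check_single_root /etc/passwd || echo "extra UID-0 account"` from a cron job so that a second root-equivalent account is noticed as soon as it appears.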

18. The most important directories to check on the server

   - /etc/xinetd.d/     (the directory holding the service files for the Internet services run by xinetd)
   - /etc/rc.d/         (boot-related files; keep a copy and compare file sizes etc. later, since damage here causes kernel panics)
   - /etc/rc.d/init.d/  (the scripts that start the daemons and specific services at boot time)

19. .rhosts file check

   # find / -name .rhosts -exec ls -l {} \;
   # find / -name .rhosts -exec cat {} \;
    - .rhosts files grant remote access directly, without going through password verification.
       
20. Check memory usage.

   # free -m
   # cat /proc/meminfo   (free and top read this file)
   # top -d 2

21. Important: restrict these commands to the administrator.

       Set the permissions of the following commands to 100 with the commands below, then periodically check whether the permissions have since been changed.

   # chmod 100 /usr/bin/top
   # chmod 100 /usr/bin/pstree
   # chmod 100 /usr/bin/w
   # chmod 100 /bin/ps
   # chmod 100 /usr/bin/who
   # chmod 100 /usr/bin/find
   # chmod 100 /bin/df
   # chmod 100 /bin/netstat
   # chmod 100 /sbin/ifconfig
   # chmod 100 /usr/sbin/lsof
   # chmod 100 /usr/bin/make
   # chmod 100 /usr/bin/gcc
   # chmod 100 /usr/bin/g++
   # chmod 100 /usr/bin/c++

22. Check which users have used su to become root.

   The history of su command usage can be found here.

   # grep root /var/log/messages
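
Grepping for "root" returns a lot besides su. As an added example (not from the original checklist), the functions below pull out of a log file only the three things items 12 and 22 are after: who switched to root with su and when, who failed the root password under su, and how many failed SSH password attempts came from each host. The sample lines in the test are constructed in the pam_unix/sshd format used by /var/log/secure on Red Hat-style systems; the function names and the log path you pass are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original checklist: extract su-to-root and
# failed-login events from a syslog-format file (/var/log/secure or
# /var/log/messages). The file is the single argument of each function.

# Successful su to root: "<timestamp> <user> uid=<uid>" per session opened.
su_to_root() {
    grep 'su: pam_unix(su:session): session opened for user root by' "$1" \
      | sed -E 's/^([A-Za-z]{3} +[0-9]+ [0-9:]+) .* by ([^(]+)\(uid=([0-9]+)\).*/\1 \2 uid=\3/'
}

# Failed su attempts (wrong password): "<user who tried> -> <target user>".
failed_su() {
    grep 'su: pam_unix(su:auth): authentication failure' "$1" \
      | sed -E 's/.*logname=([^ ]+) .* user=([^ ]+).*/\1 -> \2/'
}

# Failed SSH password attempts per source host, most frequent first:
# "<host> <count>" per line.
failed_logins_by_host() {
    grep 'sshd\[[0-9]*\]: Failed password for' "$1" \
      | sed -E 's/.* from ([0-9.]+) port .*/\1/' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $2, $1 }'
}
```

Run `su_to_root /var/log/secure` after the lastlog and last checks; any root session opened by an account that is not in the wheel group (item 32) deserves a closer look, and a host with a high count from `failed_logins_by_host` is a candidate for the iptables connlimit/recent rules further down this page.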

23. Check the files changed within the last n days (in units of one day).

   # find / -ctime -1 -print | more

25. Checking specific files with find.

   .exec file search
   # find / -name '.exec' -exec cat {} \; -print

   .forward file check
   # find / -name '.forward' -exec cat {} \; -print

   Search for group- or world-writable files (directories)
   # find / -type f \( -perm -2 -o -perm -20 \) -exec ls -lg {} \;
   # find / -type d \( -perm -2 -o -perm -20 \) -exec ls -ldg {} \;

   Check SetUID / SetGID
   # find / -type f \( -perm -004000 -o -perm -002000 \) -exec ls -lg {} \;

   /dev check
   # find /dev -type f -exec ls -l {} \;

   Find files and directories with no owner or group
   # find / \( -nouser -o -nogroup \) -print

   Find the files that allow remote access (.rhosts)
   # find / -name .rhosts -print

   Find recently modified files (files or directories), in units of days
   # find / -ctime -20 \( -type f -o -type d \)

   Check the open ports and connection details on the current server
   # netstat -an | grep LISTEN   (check which daemon is running on each listening port)
   # lsof | grep LISTEN          (for more detail)

26. Commands whose permissions should be restricted to the administrator.

   # chmod 100 /usr/bin/top
   # chmod 100 /usr/bin/pstree
   # chmod 100 /usr/bin/w
   # chmod 100 /bin/ps
   # chmod 100 /usr/bin/who
   # chmod 100 /usr/bin/find
   # chmod 100 /bin/df
   # chmod 100 /bin/netstat
   # chmod 100 /sbin/ifconfig
   # chmod 100 /usr/sbin/lsof
   # chmod 100 /usr/bin/make
   # chmod 100 /usr/bin/gcc
   # chmod 100 /usr/bin/g++
   # chmod 100 /usr/bin/c++

27. Check the permissions and ownership of important files, and restrict them.

   # chmod 644 /etc/services
   # chmod 600 /etc/xinetd.conf
   # chmod 644 /etc/mail/aliases
   # chmod 600 /etc/httpd/conf/httpd.conf
   # chmod 644 /var/log/wtmp
   # chmod 644 /var/run/utmp
   # chmod 644 /etc/motd
   # chmod 644 /etc/mtab
   # chmod 600 /etc/syslog.conf
   # also check: /etc, /usr/etc, /bin, /usr/bin, /sbin, /usr/sbin
   # chmod 1777 /tmp
   # chmod 1777 /var/tmp
       
28. Check umask values.
   Check root's umask:
   # umask
   022 -> files are created as 644, directories as 755.
   027 -> files are created as 640, directories as 750.

29. Check that no regular files exist in /dev alongside the device files.

   # find /dev -type f -exec ls -l {} \;

30. Command path for ordinary users

   # /usr/local/bin:/usr/local/mysql/bin:/home/hosting/bin/
    Ordinary users can only run the commands found in these directories.

31. Command path for the administrator

   # /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/bin/X11:/usr/X11R6/bin:/usr/kerberos/bin:/root/bin

32. Allow su only for a specific group

   # vi /etc/group   (add the users who may use su to the wheel group)
   wheel:x:10:root,cream

   # vi /etc/pam.d/su   (add these two lines)

   auth sufficient /lib/security/pam_rootok.so
   auth required   /lib/security/pam_wheel.so group=wheel

   Confirm the result in /var/log/messages

33. chmod 400 /etc/shadow

34. The default system log files

   - /var/log/messages
   - /var/log/secure
   - /var/log/wtmp
   - /var/run/utmp
   - /var/log/lastlog

35. The utmp, wtmp and lastlog files

   utmp file: holds information about the users currently connected to the system.

   # strings /var/run/utmp | more

   Commands that use this information:
   login(1), who(1), init(8), last(8), lastcomm(8)

   wtmp file: holds the login and logout records of all users since the file was started.

   # strings /var/log/wtmp | more

   Commands that use this information:
   login(1), who(1), init(8), last(8), lastcomm(8)

   lastlog file

   Holds each user's most recent login.

   It can be checked with the last command.

36. Countermeasures against password leakage (web)

       Method using perl.

   AllowOverride FileInfo AuthConfig Limit
   Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
   Options Indexes SymLinksIfOwnerMatch IncludesNoExec ExecCGI
   Options Indexes SymLinksIfOwnerMatch IncludesNoExec

       Order allow,deny
       Allow from all

       Order deny,allow
       Deny from all

       How to use SSI's exec command

# AddType text/html .shtml
# AddHandler server-parsed .shtml

27. Real-time defence against hacking using PortSentry. (Blocks hosts that connect to the server improperly.)

   # tar -xvzf portsentry-1.1.tar.gz
   # make linux
   # make install

   # /usr/local/psionic/portsentry/portsentry -tcp
   # /usr/local/psionic/portsentry/portsentry -udp
   # /usr/local/psionic/portsentry/portsentry -stcp
   # /usr/local/psionic/portsentry/portsentry -atcp
   # /usr/local/psionic/portsentry/portsentry -sudp

   # vi /etc/hosts.deny   (inspect the hosts PortSentry has blocked)

28. Check for backdoors with chkrootkit.

  # tar -xvzf chkrootkit.tar.gz
  # make sense
  # ./chkrootkit   (check the output of each test)

29. How to prevent DoS attacks using ping.

   # vi /etc/sysctl.conf
   net.ipv4.icmp_echo_ignore_broadcasts = 1

   # sysctl -p
   # /etc/rc.d/init.d/network restart
   # sysctl -a | grep ignore_broadcasts

30. Use an nmap port scan to check the server's exposure to hacking.

   # nmap -sS -p80 211.42.48.110 -O -v www.armian.net
   # nmap -sS -O -v 211.42.48.114

Source
=========================================================================
iptables -A INPUT -s 211.63.89.95 -p icmp -j DROP

// DROP all packets
iptables -A INPUT -s 0/0 -j DROP

iptables -A OUTPUT -f -d 192.168.1.1 -j DROP

// TCP --syn option: A may open connections to B, but connection attempts coming in from B to A are blocked.
iptables -A INPUT -p tcp -s 192.168.1.1 --syn -j DROP

iptables -A INPUT -p tcp ! --sport 0:1024 --dport 25 -j ACCEPT

// UDP flooding precautions
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -F OUTPUT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp ! --dport 53 -m state --state NEW -j DROP

// Web hacking response
[root@wowsecurity dev]# chmod 700 /usr/bin/wget /usr/bin/lynx /usr/bin/curl
Use mod_security

// Allow ftp only from Korea and block access from other countries
iptables -A INPUT -p tcp --dport 21 -m geoip --src-cc KR -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j DROP
or: iptables -A INPUT -p tcp --dport 21 -m geoip ! --src-cc KR -j DROP

// Limit on simultaneous connections
iptables -A INPUT -m recent --name badguy --rcheck --seconds 300 -j DROP
iptables -A INPUT -p tcp --syn --dport 25 -m connlimit --connlimit-above 5 -m recent --name badguy --set -j DROP
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 15 --connlimit-mask 24 -j DROP
iptables -A INPUT -m psd -j DROP

// VPN
Gateway-to-Gateway approach
Host-to-Gateway approach

// TACACS settings
Router(config)# tacacs-server host xxxx
Router(config)# tacacs-server key cisco
Router(config)# enable use-tacacs

switch> (enable) set authentication login tacacs
switch> (enable) set tacacs server xxxx
switch> (enable) set tacacs key cisco

// NTP
Different time settings across systems make later analysis difficult; always remember to keep the time synchronized.

// nologin: an account that can be reached remotely without a password must have a password set.
// nologin (local): a password setting is required.

// Anti-spam
# vi /etc/mail/access
spammer.org   REJECT
xxx0          RELAY

# makemap hash /etc/mail/access.db < /etc/mail/access

// Regenerate the sendmail configuration file
# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

// Setting up tcp_wrapper for telnet
# vi /etc/inetd.conf
telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
Change the line above to:
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

# vi /etc/hosts.deny
ALL: ALL

# vi /etc/hosts.allow
in.telnetd: xxxx

# service inetd restart

// PAM settings
# vi /etc/security/limits.conf
*       hard    maxlogins   6
@users  hard    maxlogins   4

// FIND
find / -type f \( -perm -4000 -o -perm -2000 \) -ls        // search for SETUID / SETGID files
find / -type f -exec grep 'hack' {} /dev/null \;           // search for files containing the word 'hack' (/dev/null makes grep print the file name)
find / -user 427 -print                                    // show files whose owner is UID 427
find / -perm -0002 -type d -print                          // show directories that ordinary users can write to
find / \( -nouser -o -nogroup \) -print                    // show files with no valid user or group

chattr +i - the file cannot be added to, changed or deleted
chattr +a - the file can only be appended to
chattr +A - the file's atime (access time) attribute is not updated

// /proc control
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
-> Source-routed packets are not accepted, which prevents spoofing via source routing. If source routing is allowed, an attacker can specify the path a packet takes and have the replies routed back to a location of their choosing.

echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
-> Do not answer ICMP echo requests sent to the broadcast address, since they can be exploited for smurf attacks.

echo "0" > /proc/sys/net/ipv4/ip_forward
-> Packets that would be forwarded from this system to other systems are ignored (this host is not a router or gateway).

echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
-> ICMP redirects are not accepted. If they are allowed, an attacker could alter the routing table and pass traffic along unintended paths.

echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
-> Spoofed, source-routed and redirect packets are recorded in the log file.

echo "1" > /proc/sys/net/ipv4/tcp_syncookies
-> Turns on SYN cookies to respond to SYN flooding attacks.

echo -e "32768\t61000" > /proc/sys/net/ipv4/ip_local_port_range
-> Specifies the local port range.

echo "1024" > /proc/sys/net/ipv4/tcp_max_syn_backlog
-> Increases the backlog queue size in response to SYN flood attacks.
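
The echo commands above set the values but nothing on the page re-checks them after a reboot or a stray sysctl.conf edit. As an added example (not from the original checklist), the audit below reads every key listed above from /proc/sys and reports OK, MISMATCH or MISSING against the checklist's value; tcp_max_syn_backlog is treated as a minimum, since a larger backlog still satisfies the intent. The PROC_ROOT variable, the function names and the eq/ge notation are this example's own assumptions; PROC_ROOT exists only so the audit can be run against a constructed directory tree instead of the live /proc.

```shell
#!/bin/sh
# Added example, not part of the original checklist: audit the /proc/sys keys
# from the list above against the hardened values. PROC_ROOT defaults to /proc
# but can point at a constructed tree for offline testing.
: "${PROC_ROOT:=/proc}"

# "key op expected": key relative to $PROC_ROOT/sys, op is eq (exact) or ge
# (value must be at least expected). Expected may contain spaces (port range).
hardening_expectations() {
    cat <<'EOF'
net/ipv4/conf/all/accept_source_route eq 0
net/ipv4/icmp_echo_ignore_broadcasts eq 1
net/ipv4/ip_forward eq 0
net/ipv4/conf/all/accept_redirects eq 0
net/ipv4/conf/all/log_martians eq 1
net/ipv4/tcp_syncookies eq 1
net/ipv4/ip_local_port_range eq 32768 61000
net/ipv4/tcp_max_syn_backlog ge 1024
EOF
}

# Read one /proc value, collapsing internal whitespace so the tab-separated
# ip_local_port_range compares as "32768 61000".
read_sysctl() {
    tr -s '[:space:]' ' ' < "$1" | sed 's/ $//'
}

# One line per key: "OK key = value", "MISMATCH key = value (expected op X)"
# or "MISSING key" when the file cannot be read.
audit_sysctl() {
    hardening_expectations | while read -r key op expected; do
        file="$PROC_ROOT/sys/$key"
        if [ ! -r "$file" ]; then
            printf 'MISSING %s\n' "$key"
            continue
        fi
        value=$(read_sysctl "$file")
        case $op in
            eq) [ "$value" = "$expected" ] && ok=1 || ok=0 ;;
            ge) [ "$value" -ge "$expected" ] 2>/dev/null && ok=1 || ok=0 ;;
            *)  ok=0 ;;
        esac
        if [ "$ok" = 1 ]; then
            printf 'OK %s = %s\n' "$key" "$value"
        else
            printf 'MISMATCH %s = %s (expected %s %s)\n' "$key" "$value" "$op" "$expected"
        fi
    done
}

# Number of keys that are missing or not at the hardened value (0 = compliant).
sysctl_violations() {
    audit_sysctl | awk '!/^OK / { n++ } END { print n + 0 }'
}
```

Run `audit_sysctl` after the network restart in item 29 and from cron; a non-zero `sysctl_violations` means either the setting was never persisted in /etc/sysctl.conf or something changed it afterwards, and the MISMATCH lines say which key to fix.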

stunnel
openssl must be installed.
xinetd.conf:
service pop3s
{
    server      = /usr/local/sbin/stunnel
    server_args = /usr/local/etc/stunnel/stunnel.conf
}
service ssmtp
{
}

// Zone transfer
dig @ns.wowsecurity.net. wowsecurity.net axfr
host -l kunsan.ac.kr dns.kunsan.ac.kr

-> On the master, zone transfers need to be allowed to the slaves only.
   If, for example, there are three slaves and a fourth server that is not a slave can also pull the zone, zone transfers to everyone else must be blocked.

// Building ssh with tcp_wrapper support
./configure --with-libwrap

// Blocking access to MySQL port 3306
When compiling/starting: --skip-networking
Set a max_user_connections limit
show processlist

// Limit telnet to two simultaneous connections per IP
iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

// Restricting FTP connections
Order deny,allow
Deny from xxxx
Allow from all

// SMURFFING measures
Send encrypted data instead of plain TCP/IP (IP forgery is practically effortless).
Use VLANs.
IP FILTERING (the IP and MAC address are fixed.)
PORT SECURITY (against MAC FLOODING.)

// Set
SET PORT SECURITY 3/1 ENABLE MAC ADDRESS

// Naptha: TCP memory exhaustion (the attack uses the real user's IP address)

// Smurf countermeasures: block the amplified ICMP echo reply packets coming from the other network, or allow them only a certain amount of bandwidth.

// no ip redirects - blocks ICMP redirects

// Ingress <-> egress (filtering)

// Blackhole (routing)