Results 1 to 5 of 5

Thread: Hardening Kali Linux - Tips and Tricks

  1. #1
    Join Date

    Hardening Kali Linux - Tips and Tricks

    Hello Everyone,

    I use Kali v2 on my Panasonic Toughbook as the default OS . Somewhere down the line I had picked up a rootkit. After reformatting and reinstalling Kali, My first objective was to harden the OS.

    I am somewhat new to making linux more secure, but here are some snippets and tools I have used. ( Still working on iptables ) and setting up tripwire .

    I've started this thread hoping others will chime in with their techniques, configs and iptable setups. As what I have listed is just a few commands to review your some security aspects of your OS.

    Searching for rootkits I used chkrootkit, can be found here or
    apt-get install chkrootkit
    Running chkrootkit is easy as
    sudo chkrootkit
    Also, There are other useful tools to review after installing chkrootkit
    [root:/usr/lib/chkrootkit]# ls -l
    total 808
    -rwxr-xr-x 1 root root 6120 Mar 23 2015 check_wtmpx
    -rwxr-xr-x 1 root root 10360 Mar 23 2015 chkdirs
    -rwxr-xr-x 1 root root 8784 Mar 23 2015 chklastlog
    -rwxr-xr-x 1 root root 10480 Mar 23 2015 chkproc
    -rwxr-xr-x 1 root root 10352 Mar 23 2015 chkutmp
    -rwxr-xr-x 1 root root 5808 Mar 23 2015 chkwtmp
    -rwxr-xr-x 1 root root 10456 Mar 23 2015 ifpromisc
    -rwxr-xr-x 1 root root 746408 Mar 23 2015 strings-static
    I suggest to try them all.

    lynis - open source security auditing tool. Comes with Kali

    #lynis --update
    #lynis audit system

    Useful Commands

    -Check Services running

    # chkconfig --list |grep '3n'

    # chkconfig serviceName off
    ----Check Listening Ports

    # netstat -tulpn
    ---- Close Unwanted Ports

    # iptables -A INPUT -p tcp --dport PORT_NUMBER -j DROP
    ---Review IP Tables

    # Iptables –L –n –v

    ---Checking Accounts for Empty Passwords

    # cat /etc/shadow | awk -F: '($2==""){print $1}'
    Display Failed Logins
    # faillog
    ----- Logs to review

    /var/log/message – Where whole system logs or current activity logs are available.
    /var/log/auth.log – Authentication logs.
    /var/log/kern.log – Kernel logs.
    /var/log/cron.log – Crond logs (cron job).
    /var/log/maillog – Mail server logs.
    /var/log/boot.log – System boot log.
    /var/log/mysqld.log – MySQL database server log file.
    /var/log/secure – Authentication log.
    /var/log/utmp or /var/log/wtmp : Login records file.

    Useful Tools
    Basic tools:
    lynis - security auditing tool for Unix based systems
    rkhunter - rootkit, backdoor, sniffer and exploit scanner
    chkrootkit - rootkit detector
    tripwire - file and directory integrity checker
    tiger - Report system security vulnerabilities

    bastille - Security hardening tool
    unhide - Forensic tool to find hidden processes and ports
    unhide.rb - Forensic tool to find processes hidden by rootkits
    aide - Advanced Intrusion Detection Environment
    bsign - Corruption & intrusion detection using embedded hashes
    systraq - monitor your system and warn when system files change
    snort - flexible Network Intrusion Detection System
    psad - Port Scan Attack Detector
    samhain - Data integrity and host intrusion alert system

    Links and Material
    IPTable Guide

    25 Most Frequently Used Linux IPTables Rules Examples

    IPTables rule generator

    25 Hardening Security Tips for Linux Servers

    Clam AV Source

    It's not much, I figure its a start. I will be updating frequently.

    What do you guys think about tripwire, for checking file integrity and changes ?
    Last edited by hightech316; 2015-10-27 at 13:52. Reason: Move to Community Generated How-To please

  2. #2
    Join Date
    Clamav does nothing, it looks for windows viruses attached to emails.
    There are no viruses for linux (they have been created in labs) but none
    exist in the wild.
    As a second defense rkhunter can be installed:
    apt-get install rkhunter

    Update regularly:
    rkhunter --update

    and check for rootkits with
    rkhunter -c

    Dropping the ping scan with iptables is good but does not make you immune,
    nmap -Pn x.x.x.x

    will be discovered on a network, though takes longer.
    Another tip is to harden SSH security, good advice on Ubuuntu forum:

    The other things you can do is install a firewall like ufw, install fail2ban
    to disable unauthorised ssh login attempts and an intrusion system
    like Snort or Tripwire (as you already mentioned) are good ideas.

    LJ has a useful article on Tripwire,1

    You can also check for system file changes by installing packages tiger
    and systraq

    apt-get install tiger systraq

    What was the name od the rootkit you were infected with?
    This is the first time I've heard of anyone being infected on Linux, but not
    impossible especially if you run as root and install software outside
    of the kali repos.

  3. #3
    Join Date
    After noticing strange activity on router and strange open ports chkrootkit reported I was infected with SuckIT rootkit . ( will post chkrootkit log soon)

    Then it seems they started a netcat listener and adjusted portforwarding rules on my router for port 31337 and 8080.
    I'm not at home, the router being used here is a cheap net gear which the ISP provided .

    Been downloading alot of utilities from out of boredom. Which in return installed all the dependences those utilities required and may have been outdated and so on.

    I've been using Mutt's OS since backtrack 3 and never had an intrusion.

    Thanks for the tips.

    Cannot find the chkrootkit log, I did run rkhunter as well and it also reported 1 root kit .

    [11:43:44] System checks summary
    [11:43:44] =====================
    [11:43:44] File properties checks...
    [11:43:44] Files checked: 145
    [11:43:44] Suspect files: 5
    [11:43:44] Rootkit checks...
    [11:43:44] Rootkits checked : 380
    [11:43:44] Possible rootkits: 1
    [11:43:44] Applications checks...
    [11:43:44] Applications checked: 6
    [11:43:44] Suspect applications: 0
    [11:43:44] The system checks took: 1 minute and 13 seconds
    [11:43:44] Info: End date is Wed Oct 21 11:43:44 CDT 2015
    Last edited by hightech316; 2015-10-27 at 13:33.

  4. #4
    Join Date
    They must have got access to your netgear router to change forwarding rules. You've probably done so already
    but change the admin password on your router, then you really need to reinstall kali. If a rootkit has been detected
    then theres no way to tell what damage has been done to your system.

    Once up and running and connected to the internet with no browser open periodicly run

    netstat -tpe

    This will show the programs using tcp and username and port, you may want to
    run netstat -upe or -tupe (can be a lot of lines). Some services, ntp, ipp updates
    are normal but anything 'foreign' needs looking up on whois and a firewall rule
    Securing your router (and router firewall) is your first priority, hope that helps.

  5. #5
    Join Date
    Thanks for reply.

    Yes, First thing I did was secure router then reformat & reinstall using LUKS this time aswell.

    Made sure to disable root logins in ssh

Similar Threads

  1. Kali 2.0 Installation Tips for Macbook Pro 2015 Retina
    By yzh503 in forum How-To Archive
    Replies: 17
    Last Post: 2017-01-10, 20:24
  2. Kali 2.0 Installation Tips for Macbook Pro 2015 Retina
    By yzh503 in forum Installing Archive
    Replies: 0
    Last Post: 2015-08-16, 10:43

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts