
Thread: Hardening Kali Linux - Tips and Tricks

  1. #1

    Hardening Kali Linux - Tips and Tricks

    Hello Everyone,

    I use Kali v2 on my Panasonic Toughbook as the default OS. Somewhere down the line I had picked up a rootkit. After reformatting and reinstalling Kali, my first objective was to harden the OS.

    I am somewhat new to making Linux more secure, but here are some snippets and tools I have used (still working on iptables and setting up tripwire).

    I've started this thread hoping others will chime in with their techniques, configs and iptables setups, as what I have listed is just a few commands to review some security aspects of your OS.

    To search for rootkits I used chkrootkit, which can be found here: http://www.chkrootkit.org/ or
    Code:
    apt-get install chkrootkit
    Running chkrootkit is as easy as
    sudo chkrootkit
    Also, there are other useful tools to review after installing chkrootkit:
    [root:/usr/lib/chkrootkit]# ls -l
    total 808
    -rwxr-xr-x 1 root root 6120 Mar 23 2015 check_wtmpx
    -rwxr-xr-x 1 root root 10360 Mar 23 2015 chkdirs
    -rwxr-xr-x 1 root root 8784 Mar 23 2015 chklastlog
    -rwxr-xr-x 1 root root 10480 Mar 23 2015 chkproc
    -rwxr-xr-x 1 root root 10352 Mar 23 2015 chkutmp
    -rwxr-xr-x 1 root root 5808 Mar 23 2015 chkwtmp
    -rwxr-xr-x 1 root root 10456 Mar 23 2015 ifpromisc
    -rwxr-xr-x 1 root root 746408 Mar 23 2015 strings-static
    I suggest trying them all.

    lynis - open source security auditing tool. Comes with Kali

    # lynis --update
    # lynis audit system

    Useful Commands

    - Check running services
    # chkconfig --list | grep '3:on'

    - Shut down a service
    # chkconfig serviceName off

    - Check listening ports
    # netstat -tulpn

    - Close unwanted ports
    # iptables -A INPUT -p tcp --dport PORT_NUMBER -j DROP

    - Review iptables rules
    # iptables -L -n -v

    - Check accounts for empty passwords
    # cat /etc/shadow | awk -F: '($2==""){print $1}'

    - Display failed logins
    # faillog

    - Logs to review

    /var/log/message – Where whole system logs or current activity logs are available.
    /var/log/auth.log – Authentication logs.
    /var/log/kern.log – Kernel logs.
    /var/log/cron.log – Crond logs (cron job).
    /var/log/maillog – Mail server logs.
    /var/log/boot.log – System boot log.
    /var/log/mysqld.log – MySQL database server log file.
    /var/log/secure – Authentication log.
    /var/log/utmp or /var/log/wtmp : Login records file.



    Useful Tools
    Basic tools:
    lynis - security auditing tool for Unix based systems
    rkhunter - rootkit, backdoor, sniffer and exploit scanner
    chkrootkit - rootkit detector
    tripwire - file and directory integrity checker
    tiger - Report system security vulnerabilities

    Others:
    bastille - Security hardening tool
    unhide - Forensic tool to find hidden processes and ports
    unhide.rb - Forensic tool to find processes hidden by rootkits
    aide - Advanced Intrusion Detection Environment
    bsign - Corruption & intrusion detection using embedded hashes
    systraq - monitor your system and warn when system files change
    snort - flexible Network Intrusion Detection System
    psad - Port Scan Attack Detector
    samhain - Data integrity and host intrusion alert system

    Links and Material
    IPTable Guide

    25 Most Frequently Used Linux IPTables Rules Examples

    IPTables rule generator

    25 Hardening Security Tips for Linux Servers

    Clam AV Source

    It's not much; I figure it's a start. I will be updating frequently.

    What do you guys think about tripwire for checking file integrity and changes?
    Last edited by hightech316; 2015-10-27 at 13:52. Reason: Move to Community Generated How-To please
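
The listening-port check and the port-closing rule from the post above, combined into one review script. This is an added example, not part of the original post: the netstat sample is constructed, the function names `exposed_listeners` and `candidate_drop_rules` are hypothetical, and the rules are only printed for review, never applied.

```bash
#!/usr/bin/env bash
# Added example: triage `netstat -tulpn` output and print (never apply) DROP rules.

# Constructed sample output, not captured from a real host.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      940/postgres
tcp6       0      0 :::80                   :::*                    LISTEN      1033/apache2
tcp6       0      0 ::1:631                 :::*                    LISTEN      701/cupsd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           655/dhclient
udp        0      0 127.0.0.1:323           0.0.0.0:*                           590/chronyd'

# Read netstat output on stdin; print "proto addr port program" for every
# listener that is NOT bound to a loopback address.
exposed_listeners() {
  awk '
    $1 !~ /^(tcp|udp)6?$/ { next }             # skip the two header lines
    {
      n = split($4, part, ":"); port = part[n] # port follows the last colon
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (addr ~ /^127\./ || addr == "::1") next
      prog = "-"                               # "-" when run without root
      for (i = 6; i <= NF; i++)                # UDP rows have no State column
        if ($i ~ /^[0-9]+\//) { prog = $i; break }
      print $1, addr, port, prog
    }'
}

# Print candidate rules for exposed ports missing from the allowlist ("$@").
candidate_drop_rules() {
  allowed=" $* "
  exposed_listeners | while read -r proto addr port prog; do
    case "$allowed" in *" $port "*) continue ;; esac
    base=${proto%6}                            # tcp6 -> tcp, udp6 -> udp
    if [ "$proto" != "$base" ]; then
      echo "ip6tables -A INPUT -p $base --dport $port -j DROP   # $prog"
      # A wildcard IPv6 socket normally accepts IPv4 as well (bindv6only=0).
      [ "$addr" = "::" ] || continue
    fi
    echo "iptables -A INPUT -p $base --dport $port -j DROP   # $prog"
  done
}

# Allow SSH (22) and the DHCP client (68); everything else exposed is listed.
printf '%s\n' "$SAMPLE_NETSTAT" | candidate_drop_rules 22 68
```

`-A` appends to the chain, so a printed rule has no effect if an earlier ACCEPT rule in INPUT already matches the port; check the rule order with `iptables -L -n -v` before applying anything.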
