Hello Everyone,
I use Kali v2 on my Panasonic Toughbook as the default OS. Somewhere down the line I had picked up a rootkit. After reformatting and reinstalling Kali, my first objective was to harden the OS.
I am somewhat new to making Linux more secure, but here are some snippets and tools I have used (still working on iptables and setting up tripwire).
I've started this thread hoping others will chime in with their techniques, configs and iptables setups, as what I have listed is just a few commands to review some security aspects of your OS.
Searching for rootkits, I used chkrootkit, which can be found here http://www.chkrootkit.org/ or
Code:
apt-get install chkrootkit
Running chkrootkit is as easy as
Code:
sudo chkrootkit
Also, there are other useful tools to review after installing chkrootkit; I suggest trying them all.
Code:
[root:/usr/lib/chkrootkit]# ls -l
total 808
-rwxr-xr-x 1 root root 6120 Mar 23 2015 check_wtmpx
-rwxr-xr-x 1 root root 10360 Mar 23 2015 chkdirs
-rwxr-xr-x 1 root root 8784 Mar 23 2015 chklastlog
-rwxr-xr-x 1 root root 10480 Mar 23 2015 chkproc
-rwxr-xr-x 1 root root 10352 Mar 23 2015 chkutmp
-rwxr-xr-x 1 root root 5808 Mar 23 2015 chkwtmp
-rwxr-xr-x 1 root root 10456 Mar 23 2015 ifpromisc
-rwxr-xr-x 1 root root 746408 Mar 23 2015 strings-static
lynis - open source security auditing tool. Comes with Kali
#lynis --update
#lynis audit system
Useful Commands
- Check services running
# chkconfig --list | grep '3:on'
- Shut down a service
# chkconfig serviceName off
- Check listening ports
# netstat -tulpn
- Close unwanted ports
# iptables -A INPUT -p tcp --dport PORT_NUMBER -j DROP
- Review iptables
# iptables -L -n -v
- Check accounts for empty passwords
# awk -F: '($2==""){print $1}' /etc/shadow
- Display failed logins
# faillog
- Logs to review
/var/log/messages - where whole system logs or current activity logs are available.
/var/log/auth.log - authentication logs.
/var/log/kern.log - kernel logs.
/var/log/cron.log - crond logs (cron jobs).
/var/log/maillog - mail server logs.
/var/log/boot.log - system boot log.
/var/log/mysqld.log - MySQL database server log file.
/var/log/utmp or /var/log/wtmp - login records.
/var/log/secure - authentication log.
Useful Tools
Basic tools:
lynis - security auditing tool for Unix based systems
rkhunter - rootkit, backdoor, sniffer and exploit scanner
chkrootkit - rootkit detector
tripwire - file and directory integrity checker
tiger - Report system security vulnerabilities
Others:
bastille - Security hardening tool
unhide - Forensic tool to find hidden processes and ports
unhide.rb - Forensic tool to find processes hidden by rootkits
aide - Advanced Intrusion Detection Environment
bsign - Corruption & intrusion detection using embedded hashes
systraq - monitor your system and warn when system files change
snort - flexible Network Intrusion Detection System
psad - Port Scan Attack Detector
samhain - Data integrity and host intrusion alert system
Links and Material
IPTable Guide
25 Most Frequently Used Linux IPTables Rules Examples
IPTables rule generator
25 Hardening Security Tips for Linux Servers
Clam AV Source
It's not much, I figure it's a start. I will be updating frequently.
What do you guys think about tripwire, for checking file integrity and changes ?
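Added example, not part of the original post: a small post-install audit script that reproduces the checks listed above in a form that actually works on Kali. Kali 2.x is Debian-based and ships systemd, so the `chkconfig` commands from the post are not available there; the live-system helpers below assume `systemctl` and `ss` instead. The shadow and file-integrity helpers take file paths as arguments so they can be tried on constructed data, and the baseline/check pair is a `sha256sum`-based stand-in for the database-init/compare cycle that tripwire and aide perform (assumption: GNU coreutils and findutils are installed, which is the case on Kali).

```shell
#!/bin/sh
# Added example, not from the original post: a minimal post-install audit for
# Kali (Debian-based, systemd). The integrity helpers are a hash-only stand-in
# for what tripwire/aide do; function and file names here are illustrative.

# Services enabled at boot: the systemd equivalent of chkconfig --list | grep '3:on'.
enabled_services() {
    systemctl list-unit-files --type=service --state=enabled --no-legend
}

# Listening TCP/UDP sockets with the owning process (netstat -tulpn equivalent).
listening_sockets() {
    ss -tulpn
}

# Accounts whose password field in a shadow-format file is empty: anyone can
# log in as them with no password. Usage: empty_password_accounts /etc/shadow
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts that can authenticate with a password: the field is neither empty
# nor locked ("!" or "*" prefix). Service accounts should not appear here.
password_login_accounts() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ { print $1 }' "$1"
}

# Write a hash baseline for every regular file under a directory, sorted so
# the file is stable and diff-able. Take it right after a clean install and
# keep a copy off the box. Usage: baseline_hashes /etc > /root/etc.baseline
baseline_hashes() {
    find "$1" -type f -exec sha256sum {} + | LC_ALL=C sort
}

# Compare a directory against a saved baseline. Reports modified and removed
# files (via sha256sum -c) and files that did not exist when the baseline was
# taken (a second pass, because -c only knows the paths in the baseline).
# Returns 0 when nothing changed, 1 otherwise.
# Usage: check_integrity /etc /root/etc.baseline
check_integrity() {
    dir=$1
    base=$2
    rc=0
    # --quiet suppresses the per-file OK lines; FAILED and "No such file"
    # lines (stderr merged into stdout) are left for the caller to capture.
    if ! sha256sum -c --quiet "$base" 2>&1; then
        rc=1
    fi
    new=$(find "$dir" -type f | LC_ALL=C sort | awk -v b="$base" '
        BEGIN {
            # sha256sum lines are "<hash>  <path>"; remember every baseline path.
            while ((getline line < b) > 0) {
                sub(/^[^ ]+  /, "", line)
                seen[line] = 1
            }
        }
        !($0 in seen) { print "NEW (not in baseline): " $0 }')
    if [ -n "$new" ]; then
        printf '%s\n' "$new"
        rc=1
    fi
    return "$rc"
}
```

Two practical notes. First, a baseline is only worth something if it was taken on a known-clean system and stored where the box cannot alter it (removable media or another host): a rootkit that can rewrite /etc can just as easily rewrite a baseline sitting in /root. Second, a hash-only check misses changes that do not touch content, such as a setuid bit being flipped or ownership changing; tripwire and aide record permissions, owner, inode and timestamps alongside the hash and sign their database, which is exactly the gap this toy version leaves open.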