Here's what I got so far ... suggestions?

On Tue, Feb 2, 2010 at 8:21 AM, Edward Ned Harvey <lop...@nedharvey.com> wrote:
>> 3b) ssh key only authentication
>
> And generate new keys too, just in case anyone ever got them before.
>

Title: CTF-Cutsheet
CTF-Cutsheet
1 CTF Cutsheet - Defenders v0.1
Last updated:
Written by: Joseph Kern
Lots of Help From: Edward Harvey, David Lang, Atom Powers, Matt Simmons, and Nick Whalen
Want to add something? Email Additions to joseph.a.kern (AT) gmail (DOT) com
2 DO THIS FIRST
2.1 [ ] Create sudo enabled accounts for all defenders
# adduser <username>
2.1.1 Add accounts to the sudoers file
# visudo
Where it says 'root ALL=(ALL) ALL' add the line (for each <username>):
<username> ALL=(ALL) ALL
2.2 [ ] Change all root passwords
# passwd root
2.3 [ ] Disable root login via ssh
vi /etc/ssh/(config)
Set "PermitRootLogin" to "no".
Note: The ssh config file may be named differently.
2.3.1 Also note any other groups or users in this file
If they are not used for scoring, disable them
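Added example for steps 2.3 and 2.4 (this is not part of the original cutsheet): a small shell helper that sets an sshd_config option so that re-running it after someone else edits the file still leaves exactly one active PermitRootLogin line, and syntax-checks the file with sshd -t before you restart. The config path (default /etc/ssh/sshd_config) and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original cutsheet. The config path is passed
# in (default /etc/ssh/sshd_config; the page notes it may be named differently).

# set_sshd_option FILE KEY VALUE
# Replaces every existing line for KEY (active or commented out) with a single
# active "KEY VALUE" line, or appends one if KEY was never set. Run it on the
# global section only: a KEY inside a "Match" block would be collapsed too.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        $0 ~ ("^[ \t]*#?[ \t]*" k "([ \t]|=|$)") {
            if (!done) { print k " " v; done = 1 }
            next
        }
        { print }
        END { if (!done) print k " " v }' "$file" > "$tmp"
    # cat instead of mv keeps the owner and mode of the config file
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# sshd_config_ok FILE
# Syntax-check before restarting so a typo cannot lock the team out. Returns 0
# when sshd is not on PATH (for example on a test box), so callers still proceed.
sshd_config_ok() {
    command -v sshd >/dev/null 2>&1 || return 0
    sshd -t -f "$1"
}

# harden_sshd [FILE]: disable root login via ssh (step 2.3) and validate;
# only restart ssh (step 2.4) when this returns 0.
harden_sshd() {
    cfg=${1:-/etc/ssh/sshd_config}
    set_sshd_option "$cfg" PermitRootLogin no
    sshd_config_ok "$cfg"
}
```

Keep the ssh session you are working from open and test a second login after the restart; if that fails you can still undo the change from the first session.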
2.4 [ ] Restart ssh after completing this
/etc/(somewhere.d)/ssh(d) restart
3 Configuration Management
3.1 [ ] Backup important config files
cp -r /etc/* ~/tmp/backup
I would back these up twice, once locally and once remotely. These are your defaults; create a new backup directory each time you change a file.
3.1.1 At this point you should learn how to use diff.
diff <fileA> <fileB>
diff will show you the differences between two files, or directories of files. While it's nice to know something changed, it's better to know what changed.
3.2 [ ] Hash all config files
sha1sum /etc/* > ~/tmp/hashes.sum
This file needs to be backed up as well, once locally and once remotely. Remember you must rerun this every time you make a change to the configs.
3.3 [ ] Check configs for changes
sha1sum -c ~/tmp/hashes.sum | grep FAILED
This will NOT work if you don't keep your config backups and hash files current; inform your team members of this.
3.4 [ ] Replace configs as needed
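Added example covering steps 3.1 to 3.4 together (not part of the original cutsheet): two shell functions that snapshot a config tree and hash every regular file in it, then report exactly which files were modified, added or removed since the snapshot. It assumes the directory names CONF_DIR and BASE_DIR, defaulting to /etc and ~/tmp/baseline.

```shell
#!/bin/sh
# Added example, not part of the original cutsheet. config_baseline snapshots a
# config tree and hashes every regular file in it (sha1sum /etc/* only sees
# top-level entries and errors on the directories); config_check reports what
# changed since that snapshot. CONF_DIR and BASE_DIR are assumed names.
export LC_ALL=C
CONF_DIR=${CONF_DIR:-/etc}
BASE_DIR=${BASE_DIR:-$HOME/tmp/baseline}

# Hash manifest of the live tree, paths relative to CONF_DIR.
_manifest() {
    ( cd "$CONF_DIR" && find . -type f -exec sha1sum {} + | sort -k2 )
}

# config_baseline: new dated directory holding a full copy plus hashes.sum;
# prints the directory so the caller can keep the name (and copy it off-box).
config_baseline() {
    snap="$BASE_DIR/$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$snap/files"
    cp -a "$CONF_DIR/." "$snap/files/"
    _manifest > "$snap/hashes.sum"
    echo "$snap"
}

# config_check SNAPDIR: one line per difference (MODIFIED, NEW or MISSING) and
# exit status 1 if anything differs, so it can drive a cron alert. Unlike
# "sha1sum -c | grep FAILED" it also notices files that were added.
config_check() {
    snap=$1
    report=$(_manifest | awk '
        NR == FNR { old[$2] = $1; next }
        { seen[$2] = 1
          if (!($2 in old)) print "NEW " $2
          else if (old[$2] != $1) print "MODIFIED " $2 }
        END { for (f in old) if (!(f in seen)) print "MISSING " f }
    ' "$snap/hashes.sum" - | sort)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

Replace a reported file from "$snap/files/" after you have looked at the diff, then take a fresh baseline so the manifest matches what is now on disk.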
3.5 [ ] Look for currently logged in users
users
4 Network and Services Management
4.1 [ ] List all listening services
# netstat -lp
# service list
service is Zenwalk specific, YMMV.
4.2 [ ] Disable all unscored services
4.3 [ ] Use nmap on all servers periodically
# nmap <local ip block or system>
You can set up a script to run nmap against all systems, store the results, and then run a diff across the two versions. This will alert you to any changes.
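Added example of the scan, store and diff loop just described (not part of the original cutsheet): greppable nmap output is kept in dated files, reduced to one line per host and open port so the timestamps nmap writes do not show up as changes, and compared with comm. SCAN_DIR and the function names are assumptions; the scan target is whatever you pass to scan_hosts.

```shell
#!/bin/sh
# Added example, not part of the original cutsheet. scan_hosts runs nmap and
# keeps greppable (-oG) output in a dated file; normalize_scan reduces a scan
# to one "host port/state/proto/service" line per port (dropping the
# timestamped comment lines); scan_diff prints what appeared (+) or vanished
# (-) between two scans. SCAN_DIR is an assumed name.
export LC_ALL=C
SCAN_DIR=${SCAN_DIR:-$HOME/tmp/scans}

# scan_hosts TARGETS...: e.g. scan_hosts 10.0.0.0/24 or scan_hosts -iL hosts.txt
scan_hosts() {
    mkdir -p "$SCAN_DIR"
    out="$SCAN_DIR/scan-$(date +%Y%m%d-%H%M%S).gnmap"
    nmap -oG "$out" "$@" >/dev/null
    echo "$out"
}

# normalize_scan FILE: sorted, comparable form of an -oG file. Hosts that are
# up but show no ports still produce an "<ip> up" line, so new boxes are seen.
normalize_scan() {
    awk -F'\t' '
        /^Host:/ { split($1, h, " "); ip = h[2] }
        /^Host:/ && /Status: Up/ { print ip, "up" }
        /^Host:/ && /Ports:/ {
            for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) {
                n = split(substr($i, 8), p, ", ")
                for (j = 1; j <= n; j++) {
                    split(p[j], f, "/")
                    print ip, f[1] "/" f[2] "/" f[3] "/" f[5]
                }
            }
        }' "$1" | sort -u
}

# scan_diff OLD NEW: lines only in OLD get "- ", lines only in NEW get "+ ".
# Returns 1 when something changed, so a cron job can mail the output.
scan_diff() {
    a=$(mktemp); b=$(mktemp)
    normalize_scan "$1" > "$a"
    normalize_scan "$2" > "$b"
    changes=$(comm -3 "$a" "$b" | awk -F'\t' 'NF == 2 { print "+ " $2; next } { print "- " $1 }')
    rm -f "$a" "$b"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}
```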
5 LAMP Stack
LAMP (Linux Apache MySQL PHP|Perl|Python)
This is a large topic, and could lead to reams of documentation. Here are some things to look for.
5.1 [ ] root should not be running any of the services
There is NO reason root should be running any of these services. If you change the user or group, make sure you change the file permissions as well.
5.2 [ ] Change all admin passwords within the applications
5.3 [ ] Change default URLs to web pages that enable administration
These will be in application-specific files.
5.4 [ ] Monitor resource usage
This may give you an early warning. I like using htop.
6 Firewall
iptables is complex (if you've never used it); if you don't have a ruleset, start with this:
6.1 [ ] Listing all current iptables (firewall rules)
iptables -nL
6.2 [ ] Creating a basic ruleset
What I suggest is stopping all traffic, and then allowing only scored traffic through.
This is a basic firewall built with iptables. This needs to be modified to allow incoming connections to services.
Firewall template stolen from pzion.org and modified; this has not been tested yet …

#!/bin/bash
# This assumes your external NIC is eth0
# (a bash variable name cannot contain '-', so it is EXT_NIC, not EXT-NIC)
EXT_NIC=eth0

iptables --flush
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

iptables --append INPUT -i lo -j ACCEPT
iptables --append OUTPUT -o lo -j ACCEPT
iptables --append OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Replies to connections this box opened, and the rest of any connection
# accepted below, must be let back in; without this the ssh session you are
# typing in goes dark as soon as the INPUT policy is DROP
iptables --append INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# from here you need to add site specific info:
# example for ssh on port 22 and http on port 80
# iptables -A INPUT -p tcp -i $EXT_NIC --dport 22 --sport 1024:65535 -m state \
#     --state NEW -j ACCEPT
# iptables -A INPUT -p tcp -i $EXT_NIC --dport 80 --sport 1024:65535 -m state \
#     --state NEW -j ACCEPT

iptables -A INPUT -j DROP # Here's your implicit DROP/DENY

NOTE: You will NOT be able to ping after this is set.
6.3 iptables kung-fu
6.3.1 SYN Flood
iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT
6.3.2 ICMP Denial of Service
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i eth0 -j ACCEPT
This rule may conflict with the last rule of the script template.
6.3.3 The Nuclear Option
If you find yourself in an impossible situation and need to cut off all access issue this command.
iptables -I INPUT 1 -j DROP
This will insert a rule at the top of the chain, dropping all connections. If you are using ssh, you will be dropped as well. The only way to regain access is to use a physical terminal.
- Removing this option
iptables -D INPUT 1
7 References
7.1 IPtables Resources
- Linux Firewalls Using iptables
- Ubuntu IPtables Community Wiki (Includes logging examples)
Date: 2010-02-02 12:05:04 EST
HTML generated by org-mode 6.34 in emacs 22