R3verse Posted June 21, 2012 (edited)

~ Linux Hardening distribution tutorial provided by R3verse ~

Requirements:
[*] A 64-bit or 32-bit Linux distribution.
[*] Knowledge of basic Linux commands.
[*] Knowledge of what happens behind the scenes when a Linux command is executed.
[*] Basic encryption knowledge.

Before we start, I would like to give some credit. I would like to thank the following for motivating me to write this tutorial and for showing why it is necessary. In my opinion, you have to treat shell access like physical access.

Thanks to: HAK5

There are several ways of hardening a Linux distribution. In this scenario we dive into Ubuntu, and I walk through my way of doing it in a Linux environment. No more wasting time on 1337 copy and paste of source code: here I break down the concepts, tools and techniques for hackers, network gurus and IT ninjas. It is all about internal/local security on your Linux box. Off we go...

This thread covers how I do Linux hardening:
[*] Encrypting files with GPG
[*] chattr
[*] Encryption of a hard-drive partition
[*] Hardened Linux distributions and hardening scripts
[*] umask benefits

GPG encryption of folders & files

GPG is installed by default on most Linux distributions; gpgdir is a separate tool that wraps it for whole directories. You may want to work out your own way of encrypting a file or directory; here I show the way I do it when hardening my own Linux environment. Below is the output from my terminal. It shows what happens when gpg -c (symmetric encryption: a passphrase only, no key pair) is run on a file, a passphrase is entered, and cat is used to view the result.

Code:
root@r3verse-M11x:/test1# cat test2.txt
hello there
root@r3verse-M11x:/test1# gpg -c test2.txt
gpg: gpg-agent is not available in this session
root@r3verse-M11x:/test1# ls -l
total 8
-rw-r--r--. 1 root root 12 Apr 30 23:44 test2.txt
-rw-r--r--. 1 root root 60 Apr 30 23:45 test2.txt.gpg
root@r3verse-M11x:/test1# cat test2.txt.gpg
% +Y-y~ (Ԉ[7";,x8root@r3verse-M11x:/test1#

Two things are worth noting in that listing. First, gpg -c writes test2.txt.gpg but leaves the plaintext test2.txt in place, so the original has to be removed yourself (shred -u, or at least rm) once you have checked that gpg -d recovers it; otherwise nothing has been protected. Second, the ciphertext that cat prints is binary, which is why it shows up as garbage in the terminal.

Resources:
GPG - file encryption: http://www.cyberciti.biz/tips/linux-how-...sword.html
GPGdir - directory encryption (you may want to study this on your own): http://cipherdyne.org/gpgdir/download//

chattr - file attributes

Now that GPG has been covered, let's dive into chattr, which you may find a bit tricky. In this scenario we set the immutable attribute on test2.txt and then use lsattr to see which file carries the immutable flag "i". Below is my output, and the kind of access to the file I have.

Code:
root@r3verse-M11x:/test1# chattr +i test2.txt
root@r3verse-M11x:/test1# lsattr *
----i--e- test2.txt
root@r3verse-M11x:/test1# ls -l
total 4
-rw-r--r--. 1 root root 12 Apr 30 23:44 test2.txt
root@r3verse-M11x:/test1#

Even if you open test2.txt in nano and try to modify it, you WON'T be able to, even as root. ;-) Scary, huh? This is my output... (screenshot not reproduced). Now imagine how much this improves security. Pretty good, right? Keep the limits in mind, though: root can clear the flag again with chattr -i, so the immutable bit protects against accidental edits, unprivileged users and careless scripts, not against an attacker who already has root. The attribute is also only available on filesystems that implement it (ext2/3/4 among others). To remove the attribute, simply use the command below: the same command with a minus instead of a plus. Afterwards you can change permissions with chmod or delete the file with rm as you like.

Code:
root@r3verse-M11x:/test1# chattr -i test2.txt

Encryption of a hard-drive partition

We all know TrueCrypt, right? Well, that is ONE solution. To be clear, there are several ways of doing disk encryption, such as the How-To by David Braun. The others I have to credit to my own study. :) Below you can find more info on them. I won't dive into these, since I am trying to keep this tutorial small and smooth to understand and follow, for you to enjoy! One practical note: the native Linux mechanism is dm-crypt with LUKS headers, managed with cryptsetup, and it is what the Ubuntu installer uses for encrypted partitions, so it is worth knowing alongside the tools below.

[*] TrueCrypt http://www.truecrypt.org/downloads

Hardened Linux distributions & hardening scripts

[*] Bastille http://www.bastille-unix.org/running_bastille_on.htm
[*] Hardened Linux distribution http://hardenedlinux.sourceforge.net/?sub=doc
[*] EnGarde http://www.engardelinux.org/

umask benefits

To start off, you might think chmod is the way to change the permissions of a file or directory. Right... well, there is something you might not know yet. :) We'll dive into it in a bit.

Definition of umask: a mask that automates permission assignment. Every new file starts from mode 666 and every new directory from mode 777, and the bits set in the umask are cleared from that. With the usual default umask of 022 (what my root shell reports below), files are created as 644 (rw-r--r--) and directories as 755 (rwxr-xr-x). With a umask of 002, which Ubuntu gives ordinary users, files are created as 664 (rw-rw-r--) and directories as 775 (rwxrwxr-x). In both cases every other user on the box can read whatever you create.

We are focused on securing our own Linux environment, right? A more restrictive umask such as 037 gives files mode 640 (rw-r-----) and directories mode 740 (rwxr-----): no access at all for "other" and no write for the group. If you want group members to still be able to enter your directories, use 027 instead, which gives 640 for files and 750 (rwxr-x---) for directories. Remember that umask is per process: setting it in one shell changes that shell and its children only, and a shell started with su picks its umask up from its own profile, which is why r3verse's shell below still reports 0002. To make a value stick, set it in /etc/profile or the user's ~/.profile.

Below I show how I create a file as root, the permissions that the user sees, and what I changed the umask to. Now imagine, if you had several users, you could give a user like r3verse in my case only the minimal permissions. I have a basic rule: don't ever make an attacker's job easy. EVER!

My PoC in this scenario:

Code:
root@r3verse-M11x:/test1# umask
0022
root@r3verse-M11x:/test1# umask 037
root@r3verse-M11x:/test1# umask
0037
root@r3verse-M11x:/test1# su r3verse
r3verse@r3verse-M11x:/test1$ touch test2.txt
touch: cannot touch `test2.txt': Permission denied
r3verse@r3verse-M11x:/test1$ ls
test2.txt
r3verse@r3verse-M11x:/test1$ ls .l
ls: cannot access .l: No such file or directory
r3verse@r3verse-M11x:/test1$ ls -l
total 4
-rw-r-----. 1 root root 37 May 1 01:14 test2.txt
r3verse@r3verse-M11x:/test1$ umask
0002
r3verse@r3verse-M11x:/test1$

The "Permission denied" from touch is the umask doing its job: test2.txt was created by root under umask 037, so it is 640 and owned by root, and r3verse (neither owner nor group member) cannot write to it, not even to update its timestamp.

If you have any questions regarding this thread, please feel free to ask, but do not hesitate to contact me by PM. :)

Sincerely,
R3verse

Edited June 21, 2012 by R3verse
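The GPG section above shows gpg -c on a single file and points to gpgdir for directories. The script below is an added example, not code from the post or from the gpgdir project: it packs a directory into one tar archive, encrypts it symmetrically with gpg -c, destroys the plaintext intermediate (gpg leaves its input untouched), and restores it again. It assumes GnuPG 2.1 or later (for --pinentry-mode loopback), GNU tar, and a passphrase passed in by the caller; the sample directory and its contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): back up a directory as one
# symmetrically encrypted archive with gpg -c, then restore it.
# Assumptions: GnuPG >= 2.1 (--pinentry-mode loopback), GNU tar, and a
# passphrase supplied by the caller.  The unencrypted intermediate archive
# is removed with shred -u where available, because gpg -c leaves its
# input file in place.
set -u

# encrypt_dir DIR OUT PASSPHRASE
# Packs DIR into a gzip'd tar archive, encrypts it with AES-256 to OUT and
# removes the plaintext archive afterwards.
encrypt_dir() {
    dir=$1 out=$2 pass=$3
    tmp=$(mktemp) || return 1
    # -C/basename keeps paths relative so the archive restores anywhere.
    tar -C "$(dirname "$dir")" -czf "$tmp" "$(basename "$dir")" || { rm -f "$tmp"; return 1; }
    # --passphrase-fd 0 reads the passphrase from stdin; --batch and
    # --pinentry-mode loopback keep gpg from prompting through the agent.
    printf '%s\n' "$pass" | gpg --batch --yes --quiet \
        --pinentry-mode loopback --passphrase-fd 0 \
        --symmetric --cipher-algo AES256 -o "$out" "$tmp"
    rc=$?
    # gpg -c never touches its input, so destroy the plaintext ourselves.
    if command -v shred >/dev/null 2>&1; then shred -u "$tmp"; else rm -f "$tmp"; fi
    return $rc
}

# decrypt_dir IN DEST PASSPHRASE
# Decrypts IN to stdout and unpacks the archive under DEST.
decrypt_dir() {
    in=$1 dest=$2 pass=$3
    mkdir -p "$dest" || return 1
    printf '%s\n' "$pass" | gpg --batch --quiet \
        --pinentry-mode loopback --passphrase-fd 0 \
        --decrypt "$in" | tar -xzf - -C "$dest"
}

# roundtrip_demo: build a constructed sample directory, encrypt it, delete
# the plaintext, decrypt it, and print "ok" if the restored file matches.
roundtrip_demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/secrets"
    printf 'hello there\n' > "$work/secrets/test2.txt"   # constructed sample file
    pass='correct horse battery staple'                  # demo passphrase only
    encrypt_dir "$work/secrets" "$work/secrets.tgz.gpg" "$pass" || { rm -rf "$work"; return 1; }
    rm -rf "$work/secrets"                               # plaintext directory is gone
    decrypt_dir "$work/secrets.tgz.gpg" "$work/restore" "$pass" || { rm -rf "$work"; return 1; }
    if [ "$(cat "$work/restore/secrets/test2.txt")" = "hello there" ]; then
        result=ok
    else
        result=MISMATCH
    fi
    rm -rf "$work"
    echo "$result"
}

# Run the demonstration when gpg is present.
if command -v gpg >/dev/null 2>&1; then
    roundtrip_demo
else
    echo "gpg not installed; nothing to demonstrate" >&2
fi
```

For real use, call encrypt_dir on the directory you care about and read the passphrase with something like `stty -echo; read pass; stty echo` rather than putting it on a command line, where it would show up in shell history and in ps output.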
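The umask section gives the resulting modes for a few values by hand. The script below is an added example, not part of the original post: it computes the file and directory mode for any umask from the 666/777 base, then creates a real file and directory under that umask in a scratch directory and reports what the kernel actually assigned, so the two can be compared. It assumes a POSIX shell and GNU coreutils (stat -c); the umask values it walks through are the ones discussed above.

```shell
#!/bin/sh
# Added example (not from the original post): compute the mode a new file or
# directory receives under a given umask, and confirm it against the kernel.
# Assumes a POSIX shell and GNU coreutils (stat -c).

# effective_mode BASE UMASK
# New files start from 666 and new directories from 777; the kernel clears
# every bit that is set in the umask.  Shell arithmetic treats a leading 0
# as octal, so both "037" and "0037" are accepted.
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}
file_mode_for_umask() { effective_mode 666 "$1"; }
dir_mode_for_umask()  { effective_mode 777 "$1"; }

# show_umask UMASK: one-line summary, e.g. "umask 037 -> files 640, dirs 740"
show_umask() {
    printf 'umask %s -> files %s, dirs %s\n' "$1" \
        "$(file_mode_for_umask "$1")" "$(dir_mode_for_umask "$1")"
}

# observed_modes UMASK
# Creates a file and a directory under UMASK in a scratch directory and
# prints the modes the kernel assigned, e.g. "640 740" for umask 037.
# The umask is changed inside a subshell so the caller's shell is untouched;
# this is the same reason "umask 037" typed in one shell does not carry over
# to the shell that "su" starts, which reads its own profile instead.
observed_modes() {
    scratch=$(mktemp -d) || return 1
    ( umask "$1" && : > "$scratch/f" && mkdir "$scratch/d" ) || { rm -rf "$scratch"; return 1; }
    printf '%s %s\n' "$(stat -c %a "$scratch/f")" "$(stat -c %a "$scratch/d")"
    rm -rf "$scratch"
}

# Walk through the values discussed in the umask section.
for u in 002 022 027 037 077; do show_umask "$u"; done
echo "kernel says for umask 037: $(observed_modes 037)"
```

Note that 027 is the value to pick if group members should still be able to enter your directories (750), while 037 also strips their execute bit (740); 077 is the "nobody but me" setting that gives 600 and 700.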