
▄▀ [how To] Hardening Linux Distribution Techniques - Provided By R3verse ▄▀


R3verse


~ Linux Hardening distribution tutorial provided by ~


Requirements:

[*] Linux distribution 64 bit or 32 bit.

[*] Knowledge of basic Linux commands!

[*] Knowledge of what goes on behind the scenes when executing Linux commands

[*] Encryption knowledge

Before we start, I would like to give some credit around here.

I would like to thank the following for motivating me to provide this tutorial right here, and why it's necessary!

In my opinion, you gotta treat shell access like it is physical access!

Thanks to:

HAK5


There are several ways of hardening Linux distributions!

In this scenario, we will dive into Ubuntu, and I will enumerate my way of doing it in a Linux environment.

Okay, so let's dive right into it.

No more wasting time doing 1337 copy + paste of any source code!

Now I break down concepts, tools, and techniques for hackers, network gurus, and IT ninjas.

It's all about making internal/local security at your Linux box! Off we go...

This thread will cover how to do Linux hardening, in my opinion:

[*] Encrypt files with GPG

[*] Chattr

[*] Encryption on harddrive partition

[*] Linux distributions & scripts for hardening!

[*] Umask benefits!

GPG encryption folders & files

So basically GPG & GPGdir are tools provided by default in most likely any Linux distribution. You might want to enumerate your own way of encrypting a file/directory. In this scenario, I'm going to show you the way I do it for hardening my own Linux environment.

Below here you will see my output from my terminal; this indicates how gpg works when I entered a passphrase and used cat to view the output.

Code:
root@r3verse-M11x:/test1# cat test2.txt
hello there
root@r3verse-M11x:/test1# gpg -c test2.txt
gpg: gpg-agent is not available in this session
root@r3verse-M11x:/test1# ls -l
total 8
-rw-r--r--. 1 root root 12 Apr 30 23:44 test2.txt
-rw-r--r--. 1 root root 60 Apr 30 23:45 test2.txt.gpg
root@r3verse-M11x:/test1# cat test2.txt.gpg
%
+Y-y~
(Ԉ[7";,x8root@r3verse-M11x:/test1#

Resources:

GPG - file encryption

http://www.cyberciti.biz/tips/linux-how-...sword.html

GPGdir - directory encryption

You might, want to study this on your own!

http://cipherdyne.org/gpgdir/download//

Chattr - user privileges attributes

Okay, we have now explained how GPG works; now let's dive into Chattr, which you might find a bit tricky.

As you may see in this scenario, we set our attribute on test2.txt; afterwards we determine which file has the immutable flag "i". Below you will find my output, and which kind of access to the file I have.

Code:
root@r3verse-M11x:/test1# chattr +i test2.txt
root@r3verse-M11x:/test1# lsattr *
----i--e- test2.txt
root@r3verse-M11x:/test1# ls -l
total 4
-rw-r--r--. 1 root root 12 Apr 30 23:44 test2.txt
root@r3verse-M11x:/test1#

Even if you try to nano test2.txt and try to modify this bit of code, you WON'T be able to... even as root! ;-) Scary, huh? This is my output...

Now imagine how great this security enhancement is!?

Pretty good, right?

To remove the file, simply use the command below.

I just added a minus symbol instead of a plus.

You can now change permissions by chmod or remove it by rm, in the way you want!

Code:
root@r3verse-M11x:/test1# chattr -i test2.txt


Encryption on harddrive partition

We all know of Truecrypt, right? Well, this is ONE solution.

To point it out, we have of course several ways of disk encryption!

Such as the How-To by David Braun.

The other ones I have to credit to my own study. :)

Below here you can find more info on it. I won't dive into it, since I'm trying to keep this tutorial small and smooth to understand n' follow, for you to enjoy!

[*] Truecrypt

http://www.truecrypt.org/downloads

[*] Bastille

http://www.bastille-unix.org/running_bastille_on.htm

[*] Hardened Linux distribution

http://hardenedlinux.sourceforge.net/?sub=doc

[*] EnGarde

http://www.engardelinux.org/

Umask benefits!

To start off with, I have to say, you might think, well, chmod is one way of changing the permissions of a file / directory. Right... well, you might not know this yet then. :) ... We'll dive into it in a bit.

Definition of Umask:

A great tool provided to automate the permission assignments.

There is a standard permission for Umask, which sets the permissions for files and folders which are created in an environment where it is 002, which means the files we focus on would be set with the permissions (rw-r--r--).

Folders will by default, using this command, be set to 775 (rwxr-xr-x).

We are focused on our own assets of security implementation in our own Linux environment, right?

Now, the best solution for YOU to implement by using the Umask command would be setting the file / folder to 0037.

This will gain the permissions 640 (rw-r--), and folders by default will have permissions 750 (rwxr-x---).

Below here I show you how I create a file, showing the permissions of the user by root, and what I changed it to.

Now imagine, if you had several users, you could set, like in my case r3verse, to only have the minimal amount of permissions!

I have a basic rule. Don't ever make an attacker's job easy!

EVER!

My PoC here in this scenario:

Code:
root@r3verse-M11x:/test1# umask
0022
root@r3verse-M11x:/test1# umask 037
root@r3verse-M11x:/test1# umask
0037
root@r3verse-M11x:/test1# su r3verse
r3verse@r3verse-M11x:/test1$ touch test2.txt
touch: cannot touch `test2.txt': Permission denied
r3verse@r3verse-M11x:/test1$ ls
test2.txt
r3verse@r3verse-M11x:/test1$ ls .l
ls: cannot access .l: No such file or directory
r3verse@r3verse-M11x:/test1$ ls -l
total 4
-rw-r--. 1 root root 37 May  1 01:14 test2.txt
r3verse@r3verse-M11x:/test1$ umask
0002
r3verse@r3verse-M11x:/test1$

If you have any questions regarding this thread, please feel free to ask! - but do not hesitate to contact me by PM :).

Sincerely,

R3verse
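
Added example for the Chattr section (editor's code, not R3verse's): a small POSIX sh audit that parses lsattr output and lists every file carrying the immutable (i) or append-only (a) attribute. The sample lines are constructed in lsattr's format, not captured from a real system; `audit_tree` runs the real lsattr only when it is installed. Auditing these flags matters both ways: they protect your own files, and a file you did not flag yourself that suddenly carries +i is worth a look.

```shell
#!/bin/sh
# Added example (not from the original post): audit files for the chattr
# immutable (+i) and append-only (+a) attributes by parsing lsattr output.

# flagged_attrs: read lsattr-style lines ("<flags> <path>") on stdin and
# print "<i|a|ia> <path>" for every entry that has +i and/or +a set.
# Works on both the short (----i--e-) and long (----i---------e-------)
# flag formats because only the presence of the letters matters; the
# directory header lines that "lsattr -R" prints ("dir:") have no path
# field and are skipped.
flagged_attrs() {
    while read -r flags path; do
        [ -n "$path" ] || continue
        found=
        case $flags in *i*) found=i ;; esac
        case $flags in *a*) found=${found}a ;; esac
        [ -n "$found" ] && printf '%s %s\n' "$found" "$path"
    done
    return 0
}

# audit_tree <dir>: run the real lsattr recursively if it is installed,
# otherwise return 3 so the caller knows nothing was checked.
audit_tree() {
    command -v lsattr >/dev/null 2>&1 || return 3
    lsattr -R "$1" 2>/dev/null | flagged_attrs
}

# Constructed sample in lsattr's format (not output from a real system).
SAMPLE='----i--e- /test1/test2.txt
-------e- /test1/notes.txt
-----a--e- /var/log/audit.log
--------------e------- /etc/hostname'

# count_flagged: number of sample entries that carry +i or +a.
count_flagged() {
    printf '%s\n' "$SAMPLE" | flagged_attrs | wc -l | tr -d ' '
}

# Print the flagged entries from the sample; expected: test2.txt (i) and
# audit.log (a).
printf '%s\n' "$SAMPLE" | flagged_attrs
```

To check a real directory, call `audit_tree /etc` (as root, since lsattr needs read access to every file) and compare the output against the list of files you flagged on purpose.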

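
Added example for the Umask section (editor's code, not part of the original post): a POSIX sh script that predicts the mode a new file or directory receives under a given umask (the kernel starts from 0666 for files and 0777 for directories and clears every bit set in the umask), then creates a file and a directory under that umask in a scratch directory and compares the prediction with what the filesystem actually reports. It uses only standard utilities (umask, mkdir, ls, cut, mktemp) and runs as any user.

```shell
#!/bin/sh
# Added example, not from the original post: predict and verify the mode
# that files and directories receive under a given umask.

# mode_for_umask <umask> <file|dir>
# Base 0666 for files, 0777 for directories; the umask bits are cleared.
# The "0$1" prefix forces octal interpretation of the umask argument.
mode_for_umask() {
    case $2 in
        file) printf '%04o\n' $(( 0666 & ~0$1 )) ;;
        dir)  printf '%04o\n' $(( 0777 & ~0$1 )) ;;
        *)    return 2 ;;
    esac
}

# perm_string_to_octal <ls-style permission string, e.g. -rw-r-----> -> 0640
# Walks the nine rwx columns; setuid/setgid/sticky letters (s, t) count as
# the underlying execute bit, the special bits themselves are not reported.
perm_string_to_octal() {
    mode=0
    i=2
    while [ "$i" -le 10 ]; do
        c=$(printf '%s' "$1" | cut -c "$i")
        mode=$(( mode * 2 ))
        case $c in [rwxst]) mode=$(( mode + 1 )) ;; esac
        i=$(( i + 1 ))
    done
    printf '%04o\n' "$mode"
}

# created_mode <umask> <file|dir>
# Creates a probe file or directory under <umask> in a temporary directory
# and reports the mode it actually received. The umask is changed inside a
# subshell so the caller's umask is left untouched.
created_mode() {
    tmp=$(mktemp -d) || return 1
    target=$tmp/probe
    (
        umask "$1"
        if [ "$2" = dir ]; then mkdir "$target"; else : > "$target"; fi
    )
    perm_string_to_octal "$(ls -ld "$target" | cut -c 1-10)"
    rm -rf "$tmp"
}

# check_umask <umask>: prints predicted vs observed mode for a file and a
# directory; returns 0 only when both agree.
check_umask() {
    status=0
    for kind in file dir; do
        want=$(mode_for_umask "$1" "$kind")
        got=$(created_mode "$1" "$kind")
        printf 'umask %s %-4s predicted %s observed %s\n' "$1" "$kind" "$want" "$got"
        [ "$want" = "$got" ] || status=1
    done
    return "$status"
}

# Compare the default 022, the common 002, and the 037 the post recommends.
for m in 022 002 037; do
    check_umask "$m"
done
```

Run it as a normal user and as root; the umask applies to both, which is the point of setting it system-wide (for example in the shell profile) rather than relying on chmod after the fact.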


This is all true and well, but all your hardening will only be effective once an attacker actually gets on your system. You could stop them getting on your system in many ways (firewall to start with) and then make sure that there is nothing running on the system that you do not need (this means stopping, removing or disabling all services you do not use). The added benefit of removing services and software you do not need is that your system will boot faster and might even be faster while using ...


This is all true and well, but all your hardening will only be effective once an attacker actually gets on your system. You could stop them getting on your system in many ways (firewall to start with) and then make sure that there is nothing running on the system that you do not need (this means stopping, removing or disabling all services you do not use). The added benefit of removing services and software you do not need is that your system will boot faster and might even be faster while using ...

Dear sir,

Thanks for the comment though!

You know, this is where iptables comes in handy =).

And this can be used in formal ways, which you might get done quick enough, so I would not bother writing it all out already.

Sincerely,

R3verse.
