Posted on Wednesday, 21st March 2012 by Michael
Quick Tips for Linux Security at the CCDC
This guide is meant to be high level and to provide a reference the CCDC Blue Cell can use to help secure their Linux boxes during CCDC events. That said, this document does not guarantee your victory.
My understanding is that during the contest tools can be downloaded if they are free for commercial use, so I will base some of my suggestions on that. Remember, time is important: we are already on your box. Also, my thoughts may differ from those of other red cell members.
Before the event
- Study this: http://www.sans.org/score/checklists/ID_Linux.pdf
- Learn Linux basic administration and file editing.
Remote and Local Administration Security
- Log on to the console and stop sshd: service sshd stop
- Change root password
- Disable root login in sshd_config
- Remove any keys that already exist in .ssh
- Create new keys
- Disable password login and use keys in sshd_config
- Install the APF firewall: http://www.rfxn.com/projects/advanced-policy-firewall/ or learn iptables
- Edit the configuration lines for ingress and egress ports; don't forget the protocols as well, so ping works.
- Install BFD: http://www.rfxn.com/projects/brute-force-detection/
- Edit the configuration files and start apf and bfd
- Start sshd back up
- Verify that your keys work before disconnecting.
- Change keys often.
- Know which users belong on the system and which have been added.
- Use the last command to see who logged on to your box last and from where, and w to see who is on now and from where. Unknown IPs are an incident.
- Look for hidden directories: a directory created with mkdir "..." <= Bad
- Set non-root users to a jailed (restricted) shell so they can't run anything.
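The sshd items above (no root login, keys only, verify before reconnecting) as a small script. This is an added example, not code from the original post: it takes a file path, so you can run it on a copy before touching /etc/ssh/sshd_config, and the sample config it builds is constructed for the demonstration.

```shell
# Added example: apply the sshd checklist (no root login, keys only) to an
# sshd_config file and audit the result. Takes a file path; try it on a copy
# before editing /etc/ssh/sshd_config. sshd honours the FIRST uncommented
# occurrence of a keyword, and this script does not understand Match blocks.

# set_sshd_option FILE KEY VALUE: rewrite every existing (even commented-out)
# KEY line as "KEY VALUE", or append it if absent. Safe to run repeatedly.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key[[:space:]]" "$file"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*$key[[:space:]].*|$key $value|" \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_sshd_config FILE: the settings the checklist asks for.
harden_sshd_config() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" PubkeyAuthentication yes
    set_sshd_option "$1" ChallengeResponseAuthentication no
}

# audit_sshd_config FILE: report each option's effective value;
# returns 1 if any is still weak (run this before you disconnect).
audit_sshd_config() {
    file=$1; rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no PubkeyAuthentication=yes; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(grep -Ei "^[[:space:]]*$key[[:space:]]" "$file" | head -n 1 | awk '{print $2}')
        if [ "$got" = "$want" ]; then
            echo "ok:   $key $got"
        else
            echo "WEAK: $key is '${got:-unset}', want '$want'"; rc=1
        fi
    done
    return $rc
}

# make_sample_config FILE: constructed sample resembling a distribution default.
make_sample_config() {
    cat > "$1" <<'EOF'
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
#PubkeyAuthentication yes
EOF
}
```

Usage: make_sample_config /tmp/sshd_config.test; harden_sshd_config /tmp/sshd_config.test; audit_sshd_config /tmp/sshd_config.test (exit status 0 means every checked option is set as intended).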
Database Security:
- Change or add a password for mysql or postgres. Warning: this may break some of the web apps, depending on how they were installed.
Web Security:
- Use ModSecurity for your web apps
- Use .htaccess files to restrict the admin sections of your web app to local IP addresses.
- Change default passwords
- Lock down access to phpMyAdmin; there is no need for outside access to it.
- Lock down WebDAV; there is no need for that.
- cat /var/log/http/access.log and error_log to look for web hacking attempts and who tried them.