Month: May 2016

Install rkhunter (Rootkit Hunter)

rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. It does this by comparing SHA-1 hashes of important files with known good ones in online databases, searching for default directories (of rootkits), wrong permissions, hidden files, suspicious strings in kernel modules, and special tests for Linux and FreeBSD.

Install RKHunter which is the Rootkit Detection tool

Install from EPEL

# yum – -enablerepo=epel -y install rkhunter

# nano /etc/sysconfig/rkhunter
Recipient address for report

MAILTO=root@localhost

If specified “yes”, scan more detaily

DIAG_SCAN=no

Update database

# rkhunter – -update

Update system file properties

# rkhunter – -propupd

Execute checking
–sk means sikpping to push Enter key.
If specified –rwo , display only warnings

# rkhunter – -check – -sk

How to force sshd server to display login banner

Pre login banner is use for sending a warning message before authentication may be relevant for getting legal protection or just give out information to users. The contents of the specified file are sent to the remote user before authentication is allowed. This option is only available for protocol version 2. By default, no banner is displayed (if you are using latest version of Linux/UNIX then you do not have to worry about version issue).

Procedure to change OpenSSH pre login banner

1) By default sshd server turns off this feature.

2) Login as the root user; create your login banner file:

# vi /etc/ssh/sshd-banner

Append text:
Welcome to nixCraft Remote Login!

3) Open sshd configuration file /etc/sshd/sshd_config using a text editor:

# vi /etc/sshd/sshd_config

4) Add/edit the following line:

Banner /etc/ssh/sshd-banner

5) Save file and restart the sshd server:

# /etc/init.d/sshd restart

Arpwatch Tool to Monitor Ethernet Activity in Linux

WARNING : BE CAREFUL USING ARPWATCH,
IT MAY CAUSE IP CONFLIC!

Arpwatch is an open source computer software program that helps you to monitor Ethernet traffic activity (like Changing IP and MAC Addresses) on your network and maintains a database of ethernet/ip address pairings. It produces a log of noticed pairing of IP and MAC addresses information along with a timestamps, so you can carefully watch when the pairing activity appeared on the network. It also has the option to send reports via email to an network administrator when a pairing added or changed.

This tool is specially useful for Network administrators to keep a watch on ARP activity to detect ARP spoofing or unexpected IP/MAC addresses modifications.

By default, Arpwatch tool is not installed on any Linux distributions. We must install it manually using ‘yum‘ command on RHEL, CentOS, Fedora and ‘apt-get‘ on Ubuntu, Linux Mint and Debian.

# yum install arpwatch

Let’s focus on the some most important arpwatch files, the location of the files are slightly differ based on your operating system.

  1. /etc/rc.d/init.d/arpwatch : The arpwatch service for start or stop daemon.
  2. /etc/sysconfig/arpwatch : This is main configuration file…
  3. /usr/sbin/arpwatch : Binary command to starting and stopping tool via the terminal.
  4. /var/arpwatch/arp.dat : This is the main database file where IP/MAC addresses are recorded.
  5. /var/log/messages : The log file, where arpwatch writes any changes or unusual activity to IP/MAC.

Type the following command to start the arpwatch service.

# chkconfig --level 35 arpwatch on
# /etc/init.d/arpwatch start

Arpwatch Commands and Usage

To watch a specific interface, type the following command with ‘-i‘ and device name.

# arpwatch -i eth0

So, whenever a new MAC is plugged or a particular IP is changing his MAC address on the network, you will notice syslog entries at ‘/var/log/syslog‘ or ‘/var/log/message‘ file.

# tail -f /var/log/messages

You can also check current ARP table, by using following command.

# arp -a

If you want to send alerts to your custom email id, then open the main configuration file ‘/etc/sysconfig/arpwatch‘ and add the email as shown below.

# -u <username> : defines with what user id arpwatch should run
# -e <email>    : the <email> where to send the reports
# -s <from>     : the <from>-address
OPTIONS="-u arpwatch -e email@domain.xxx -s 'root (Arpwatch)'"

Lynis is a powerful auditing tool for Linux

Lynis is an open source and much powerful auditing tool for Unix/Linux like operating systems. It scans system for security information, general system information, installed and available software information, configuration mistakes, security issues, user accounts without password, wrong file permissions, firewall auditing, etc.

Lynis is one of the most trusted automated auditing tool for software patch management, malware scanning and vulnerability detecting in Unix/Linux based systems. This tool is useful for auditors, network and system administrators, security specialists and penetration testers.

Installation of Lynis
Lynis doesn’t required any installation, it can be used directly from any directory. So, its good idea to create a custom directory for Lynis under /usr/local/lynis.

# mkdir /usr/local/lynis

Download stable version of Lynis source files from the trusted website using wget command and unpack it using tar command as shown below.

# cd /usr/local/lynis
# wget https://cisofy.com/files/lynis-2.2.0.tar.gz

Unpack the tarball

# tar -xvf lynis-2.2.0.tar.gz

Running and using Lynis Basics
You must be root user to run Lynis, because it creates and writes output to /var/log/lynis.log file. To run Lynis execute the following command.

# cd lynis
# ./lynis

By running ./lynis without any option, it will provide you a complete list of available parameters and goes back to the shell prompt.

To start Lynis process, you must define a --check-all parameter to begin scanning of your entire Linux system. Use the following command to start scan with parameters as shown below.

# ./lynis --check-all

Once, you execute above command it will start scanning your system and ask you to Press [Enter] to continue, or [CTRL]+C to stop) every process it scans and completes.

To prevent such acknowledgment (i.e. “press enter to continue”) from user while scanning, you need use -c and -Q parameters as shown below.

# ./lynis -c -Q

It will do complete scan without waiting for any user acknowledgment. See the following screencast.

Creating Lynis CronJobs
If you would like to create a daily scan report of your system, then you need to set a cron job for it. Run the following command at the shell.

# crontab -e

Add the following cron job with option --cronjob all the special characters will be ignored from the output and the scan will run completely automated.

30	22	*	*	*	root    /path/to/lynis -c -Q --auditor "automated" --cronjob

The above example cron job will run daily at 10:30pm in the night and creates a daily report under /var/log/lynis.log file.

Lynis Scanning Results
While scanning you will see output as [OK] or [WARNING]. Where [OK] considered as good result and [WARNING] as bad. But it doesn’t mean that [OK] result is correctly configured and [WARNING] doesn’t have to be bad. You should take corrective steps to fix those issues after reading logs at /var/log/lynis.log.

In most cases, the scan provides suggestion to fix problems at the end of the scan. See the attached figure that provides a list of suggestion to fix problems.

Updating Lynis
If you want to update or upgrade current lynis version, simple type the following command it will download and install latest version of lynis.

# ./lynis update info         [Show update details]
# ./lynis update release      [Update Lynis release]

Lynis Parameters
Some of the Lynis parameters for your reference.

  1. --checkall or -c : Start the scan.
  2. --check-update : Checks for Lynis update.
  3. --cronjob : Runs Lynis as cronjob (includes -c -Q).
  4. --help or -h : Shows valid parameters
  5. --quick or -Q : Don’t wait for user input, except on errors
  6. --version or -V : Shows Lynis version.

That’s it, we hope this article will be much helpful you all to figure out security issues in running systems. For more information visit the official Lynis page at

https://cisofy.com/download/lynis/.

Direct Download Lynis 2.2.0 Tar File

Enjoy!

SSH via key files for Putty & Filezilla

PLEASE NOTE THAT I AM NOT USING MULTIPLE ACCOUNT ON THIS SERVER. IF YOU USE MULTIPLE ACCOUNTS YOU NEED TO MAKE THOSE STEP IN THE /HOME/(USER ACCOUNT NAME)

  1. Go to /root/.ssh directory (If directory does not exist create it)
  2. cat known_hosts (If it does not exist create it)
  3. ssh-keygen -t rsa (Create the private and public keys)
  4. Enter passphase (Hit enter twice for none)
  5. ls -a (You will see now the Private Local Machine Key and the Public Server Key)
  6. cat id_rsa.pub
  7. Copy the id_rsa.pub
  8. In the .ssh directory run the following command
    # touch authorized_keys
  9. Copy the id_rsa.pub key in the authorized_keys file
  10. If you did not already did this step you are good to go!
    navigate to /etc/ssh/sshd_config
  11. Navigate to …
    # To disable tunneled clear text passwords, change to no here!
    #PasswordAuthentication yes
    #PermitEmptyPasswords no
    PasswordAuthentication yes
  12. You have to set the PasswordAuthentication no
  13. For the rest of the installation just follow the video!

Here is what I do after, download the private key id_rsa to your computer. Open filezilla and add a new connection by using “LOGON TYPE: Key File”

RSA_KEY

Add the key file that you downloaded “id_rsa” then Filezilla will prompt you to created the final key file by converting it to .ppk “I named my keyfile filezilla.ppk”

When the new key is saved you will be able to login to the ftp server.

P.S Use the same filezilla.ppk key for PUTTY 😉

Also you will notice that if you use CSF you will have a stronger security!

csf-score

Et voilà!