Basic Security Check on Debian/Ubuntu
[TOC]
Step.1 Check login records
last
last reads /var/log/wtmp and lists every login and reboot, most recent first, with the source host or address and the session length. Look for logins from addresses you do not recognise, at odd hours, or for accounts that should never log in interactively. Failed attempts are not in wtmp: they are in /var/log/btmp (shown by lastb) and in /var/log/auth.log.
Step.2 Restrict SSH logins by source address (TCP wrappers)
vim /etc/hosts.allow
--- /etc/hosts.allow ---
sshd: 202.39.9.79
--- /etc/hosts.allow ---
vim /etc/hosts.deny
--- /etc/hosts.deny ---
sshd: ALL
--- /etc/hosts.deny ---
hosts.allow is consulted first and a match there wins, so the effect is that sshd accepts connections only from 202.39.9.79. A single address needs no mask; a whole network is written in netmask form, for example 202.39.9.0/255.255.255.0. Two caveats. First, make the change from a session on the allowed address and keep it open until a fresh login has succeeded. Second, upstream OpenSSH removed tcp_wrappers (libwrap) support in 6.7; Debian and Ubuntu have carried it as a distribution patch, but that patch is not guaranteed on newer releases. Check with ldd $(command -v sshd) | grep -i wrap: if nothing is printed, these two files have no effect on sshd and the restriction has to be made in sshd_config (AllowUsers with a host pattern, or a Match Address block) or in the firewall.
Step.3 Send shell command history to syslog
vim /etc/bash.bashrc
--- /etc/bash.bashrc ---
PROMPT_COMMAND='history -a; { command=$(history 1 | { read x y; echo $y; }); [ "$SSH_CLIENT" ] || SSH_CLIENT=$SUDO_USER; [ "$SSH_CLIENT" ] || SSH_CLIENT='sudo'; logger -p local0.notice -t history -i "date=$(date +%Y\/%m\/%d\-%T), user=$USER, from=$SSH_CLIENT, pwd=$PWD, command=$command"; }'
--- /etc/bash.bashrc ---
Appended to /etc/bash.bashrc, this runs in every new interactive bash before each prompt: history -a flushes the last command to the history file, the command text is taken from history 1 (read x y drops the leading history number), and logger sends it to syslog facility local0 at priority notice with the tag history and the shell's PID (-i). The from= field is the SSH client address when the shell came in over SSH, otherwise the SUDO_USER name, otherwise the literal word sudo. Route local0 to its own file or to a remote syslog server so the records survive a local wipe. This is a convenience log, not an audit trail: a user can unset PROMPT_COMMAND, start a different shell, or run commands non-interactively and nothing is recorded. Tamper-resistant command logging needs auditd rules on execve.
Step.4 Check for UID 0 accounts
awk -F':' '$3 == 0 {print "user:"$1"\tuid:"$3}' /etc/passwd
The third field of /etc/passwd is the numeric UID (the fourth is the primary GID). Any account with UID 0 is root whatever it is called, so the only line printed should be root; a second entry is a backdoor until proven otherwise. Check the GID column the same way with $4 == 0, since membership of the root group is a quieter way to gain access to root-owned files.
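The Step 4 check taken a little further, as an added example that is not from the original page: a POSIX shell script that audits a passwd and a shadow file for extra UID 0 accounts, accounts in the root group, reused UIDs, system accounts that still have a login shell, and empty password hashes. The functions take file paths rather than reading /etc/passwd directly so they can run on a copy taken from a suspect host, or on the constructed sample the script embeds. The sample accounts (toor, ops, alice), the function names and the UID_MIN of 1000 (Debian's default) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original page: account audit for Debian/Ubuntu.
# All functions take file paths so they can run on /etc/passwd and /etc/shadow,
# on copies pulled from a suspect host, or on the constructed sample below.

# Accounts other than root with UID 0 (field 3). Any such account *is* root.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts other than root whose primary group is GID 0 (field 4): membership
# of the root group gives write access to every root-owned group-writable file.
extra_gid0_accounts() {
    awk -F: '$4 == 0 && $1 != "root" { print $1 }' "$1"
}

# UIDs shared by more than one account; the kernel cannot tell them apart,
# so the second name is a disguised copy of the first.
duplicate_uids() {
    awk -F: '{ n[$3]++; names[$3] = names[$3] " " $1 }
             END { for (u in n) if (n[u] > 1) print u ":" names[u] }' "$1" | sort
}

# System accounts (UID below 1000, Debian's default UID_MIN; an assumption)
# that still have a real login shell (field 7). Daemon accounts should be
# nologin or false; sync is the usual benign exception.
system_accounts_with_shell() {
    awk -F: '$3 > 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ { print $1 ":" $7 }' "$1"
}

# Accounts whose hash field (field 2 of shadow) is empty: login without a
# password. A locked account shows "!" or "*", a normal one a $6$... hash.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Run every check, print the findings, return 1 if anything needs attention.
run_audit() {
    passwd=$1 shadow=$2 rc=0
    for check in extra_uid0_accounts extra_gid0_accounts duplicate_uids; do
        out=$("$check" "$passwd")
        [ -n "$out" ] && { printf '%s:\n%s\n' "$check" "$out"; rc=1; }
    done
    out=$(empty_password_accounts "$shadow")
    [ -n "$out" ] && { printf 'empty_password_accounts:\n%s\n' "$out"; rc=1; }
    # informational only: a shell on a system account is not always wrong
    out=$(system_accounts_with_shell "$passwd")
    [ -n "$out" ] && printf 'system_accounts_with_shell (review):\n%s\n' "$out"
    return $rc
}

# Constructed sample: a normal user, a "toor" root clone, an ops account in
# the root group and a passwordless entry. Written into DIR as passwd/shadow.
write_sample_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0:backdoor:/root:/bin/bash
ops:x:1001:0:Ops:/home/ops:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$salt$hash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$salt$hash:19000:0:99999:7:::
toor::19000:0:99999:7:::
ops:!:19000:0:99999:7:::
EOF
}

# Usage: sh audit.sh --live   (reads /etc/passwd and /etc/shadow; root needed for shadow)
#        sh audit.sh          (runs against the constructed sample; exit status ignored)
case "${1:-}" in
    --live) run_audit /etc/passwd /etc/shadow ;;
    "")     d=$(mktemp -d); write_sample_files "$d"
            run_audit "$d/passwd" "$d/shadow" || :
            rm -rf "$d" ;;
esac
```

On the sample, run_audit reports toor (UID 0), toor and ops (GID 0), UID 0 shared by root and toor, and toor's empty hash, and lists sync:/bin/sync for review; on a clean file it prints nothing and returns 0, so it can be dropped into a cron job that mails only on a non-zero exit.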
Step.5 Disable root login with a password
echo 'PermitRootLogin prohibit-password' >> /etc/ssh/sshd_config
grep --color '^PermitRootLogin' /etc/ssh/sshd_config
/etc/init.d/ssh restart
prohibit-password (OpenSSH 7.0 and later, where it is also the default; older releases spell it without-password) lets root in with a key but never with a password. Appending the line only works when no earlier uncommented PermitRootLogin exists, because sshd takes the first occurrence of a directive and ignores later ones: if the grep prints more than one line, edit or delete the earlier one rather than relying on the appended copy. On Debian 11 / Ubuntu 20.04 and later the file starts with Include /etc/ssh/sshd_config.d/*.conf, and a directive in a drop-in there wins over the main file for the same reason. Run sshd -t before the restart (systemctl restart ssh on systemd hosts does the same as the init script) so a syntax error cannot leave the host without a listening daemon, and keep the current session open until a fresh login succeeds.
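An added example (not the page's own code) that shows the first-match rule and a safer way to set the directive: effective_sshd_option reproduces how sshd resolves a keyword (first uncommented occurrence, keyword case-insensitive, stopping at the first Match block), and set_sshd_option rewrites the existing line instead of appending a second one. It assumes directives are written as "Key value" and does not follow Include lines; on releases whose sshd_config begins with Include /etc/ssh/sshd_config.d/*.conf, put the directive in a drop-in file there instead. The sample configuration is constructed, and only the --apply invocation touches the live system.

```shell
#!/bin/sh
# Added example, not from the original page. sshd uses the FIRST matching
# directive in sshd_config and ignores later repeats, so appending
# "PermitRootLogin prohibit-password" below an existing "PermitRootLogin yes"
# changes nothing. These helpers mimic that rule and edit in place instead.
# Assumptions: directives are written "Key value" (not "Key=value") and the
# file has no Include lines (use /etc/ssh/sshd_config.d/ drop-ins otherwise).

# Print the value sshd would use for KEY in FILE: the first uncommented line
# whose keyword is KEY (case-insensitive), stopping at the first Match block
# because directives inside Match apply only conditionally.
effective_sshd_option() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        tolower($1) == "match" { exit }
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == key { $1 = ""; sub(/^ /, ""); print; exit }
    ' "$2"
}

# Rewrite FILE so that KEY is VALUE in the global section: the first existing
# global KEY line becomes "KEY VALUE", later global repeats are dropped, and
# if there is none the directive is inserted before the first Match block
# (or appended when there is no Match block). Match blocks are left untouched.
set_sshd_option() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    want="$1 $2"
    file=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v want="$want" '
        BEGIN { done = 0; in_match = 0 }
        !in_match && tolower($1) == "match" {
            in_match = 1
            if (!done) { print want; done = 1 }
        }
        !in_match && !/^[[:space:]]*#/ && tolower($1) == key {
            if (!done) { print want; done = 1 }
            next
        }
        { print }
        END { if (!done) print want }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's mode and owner
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Apply to the live system: validate with sshd -t before restarting, so a typo
# cannot leave the host without a listening daemon. Keep your session open.
apply_sshd_option() {
    set_sshd_option "$1" "$2" /etc/ssh/sshd_config &&
    sshd -t -f /etc/ssh/sshd_config &&
    systemctl restart ssh &&
    printf 'effective %s: %s\n' "$1" "$(effective_sshd_option "$1" /etc/ssh/sshd_config)"
}

# Constructed sample showing the pitfall: an appended directive is ignored.
demo() {
    f=$(mktemp)
    printf '%s\n' 'PermitRootLogin yes' 'PermitRootLogin prohibit-password' > "$f"
    printf 'after appending, sshd would still use: %s\n' "$(effective_sshd_option PermitRootLogin "$f")"
    set_sshd_option PermitRootLogin prohibit-password "$f"
    printf 'after set_sshd_option:                %s\n' "$(effective_sshd_option PermitRootLogin "$f")"
    rm -f "$f"
}

# Usage: sh sshd-opt.sh --apply   (edits /etc/ssh/sshd_config, validates, restarts)
#        sh sshd-opt.sh           (runs the demonstration on a temporary file)
case "${1:-}" in
    --apply) apply_sshd_option PermitRootLogin prohibit-password ;;
    "")      demo ;;
esac
```

The demo prints "yes" for the appended file, which is exactly the state the echo line in this step can leave behind, and "prohibit-password" after the in-place rewrite.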
Check whether any new or odd files have appeared in the startup and cron directories:
ls -lta /etc/init.d/
ls -lta /etc/cron.d/
ls -lta /etc/systemd/system/
find /etc/init.d/ -type f -ctime -30
find /etc/cron.d/ -type f -ctime -30
find /etc/systemd/ -type f -ctime -30
The ls -lta listings are sorted by modification time, so recent entries come first; the find commands list files whose inode change time (ctime) is within the last 30 days. ctime is used rather than mtime because touch can back-date mtime but not ctime, so a planted file that has been "aged" still shows up. Compare anything recent against the package database (dpkg -S path) and against what systemd actually enables (systemctl list-unit-files --state=enabled, systemctl list-timers). This list does not cover the per-user crontabs in /var/spool/cron/crontabs or the /etc/cron.hourly, cron.daily, cron.weekly and cron.monthly directories; check those too.
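Why the find commands above use -ctime, shown as an added example that is not part of the original page: it builds a scratch directory with one genuinely new file and one whose mtime has been pushed back 40 days with GNU touch -d (the same thing a timestomping tool does), then runs the mtime and ctime searches over it and reports the files where the two stamps disagree. The directory list and the 30-day window come from the page; the function names, the sample files and the dpkg -S cross-check are assumptions added here, and the script needs GNU find and touch as shipped on Debian/Ubuntu.

```shell
#!/bin/sh
# Added example, not from the original page: why the startup-directory sweep
# uses -ctime rather than -mtime. touch (and timestomping tools) can back-date
# a file's modification time, but the inode change time (ctime) is set by the
# kernel on every content or metadata change and cannot be chosen, so a planted
# file that has been "aged" is still found by -ctime. Needs GNU find and touch.

STARTUP_DIRS="/etc/init.d /etc/cron.d /etc/systemd/system"   # the dirs the page checks
DAYS=30

# Regular files whose ctime is within the last DAYS days: created or changed.
recent_by_ctime() {
    find "$1" -type f -ctime "-$2" 2>/dev/null
}

# The same search on mtime: what a back-dated file evades.
recent_by_mtime() {
    find "$1" -type f -mtime "-$2" 2>/dev/null
}

# Recent by ctime but old by mtime. Package upgrades update both stamps, so
# this mismatch is itself a sign that someone set the mtime by hand.
timestomp_candidates() {
    find "$1" -type f -ctime "-$2" ! -mtime "-$2" 2>/dev/null
}

# Recent files that no installed package owns (assumes dpkg is present).
unpackaged_recent_files() {
    recent_by_ctime "$1" "$2" | while IFS= read -r f; do
        dpkg -S "$f" >/dev/null 2>&1 || printf '%s\n' "$f"
    done
}

# Constructed scratch directory: one genuinely new file and one "planted" file
# whose mtime has been pushed back 40 days, as an intruder would do.
make_demo_dir() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho fresh\n' > "$d/fresh.sh"
    printf '#!/bin/sh\necho backdated\n' > "$d/backdated.sh"
    touch -d '40 days ago' "$d/backdated.sh"
    printf '%s\n' "$d"
}

demo() {
    d=$(make_demo_dir)
    printf 'by mtime (misses the planted file):\n'; recent_by_mtime "$d" "$DAYS"
    printf 'by ctime (finds both):\n'; recent_by_ctime "$d" "$DAYS"
    printf 'ctime recent but mtime old (timestomp candidates):\n'; timestomp_candidates "$d" "$DAYS"
    rm -rf "$d"
}

# Usage: sh sweep.sh --live   (sweeps the directories the page checks)
#        sh sweep.sh          (runs the demonstration)
case "${1:-}" in
    --live) for dir in $STARTUP_DIRS; do
                printf '== %s ==\n' "$dir"
                timestomp_candidates "$dir" "$DAYS"
                unpackaged_recent_files "$dir" "$DAYS"
            done ;;
    "")     demo ;;
esac
```

On a live host the --live sweep prints, per directory, files whose stamps disagree and recent files that no package claims; a dpkg-owned file updated by apt appears in neither list, which keeps the output short enough to read after every check.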
Review the output of the two debsums commands below:
apt-get -y install debsums
debsums -c
debsums -ca
debsums compares each installed package's files against the MD5 checksums dpkg recorded at install time in /var/lib/dpkg/info/*.md5sums. -c prints only files that differ, and -a includes configuration files, so expect the second run to list the configs you changed yourself (for example /etc/ssh/sshd_config and /etc/bash.bashrc from the steps above); anything else, in particular a changed binary or shared library, needs an explanation. Two limits: it only covers files shipped by packages, so added files are invisible to it, and the checksum files live on the same disk, so an attacker with root could have updated them as well. A more trustworthy comparison is against freshly downloaded packages (apt-get download) or a known-clean machine.
Step.1 Install and basic configuration tuning
aptitude -y install rkhunter chkrootkit
sed -i 's|UPDATE_MIRRORS=0|UPDATE_MIRRORS=1|g' /etc/rkhunter.conf
sed -i 's|MIRRORS_MODE=1|MIRRORS_MODE=0|g' /etc/rkhunter.conf
sed -i 's|WEB_CMD="/bin/false"|WEB_CMD=""|g' /etc/rkhunter.conf
grep -E --color '^UPDATE_MIRRORS|^MIRRORS_MODE|^WEB_CMD' /etc/rkhunter.conf
apt-get install works the same if aptitude is not present. Debian ships rkhunter with network updates switched off (UPDATE_MIRRORS=0; MIRRORS_MODE=1 restricts it to local mirrors; WEB_CMD="/bin/false" blocks the download command). The three sed lines turn them back on so rkhunter --update can fetch current data files, and the grep confirms that each value took. Before the first scan run rkhunter --propupd on a system you believe is clean: it records the properties (hashes, sizes, permissions) of system binaries that later scans compare against, and without that baseline the file-properties checks have nothing to compare with and are reported as warnings. Re-run it after package upgrades, or the next scan will warn about every updated file.
Step.2 Update and scan with rkhunter
rkhunter --update
rkhunter -c
-c runs all checks and pauses for a keypress between groups (add --sk to skip the pauses, --rwo to print only warnings); the full report is written to /var/log/rkhunter.log, and each warning names the test that raised it.
Step.3 Scan with chkrootkit
chkrootkit -x
-x is expert mode: instead of a verdict per test it dumps the raw evidence (strings found in binaries, interface flags, wtmp and lastlog contents) and leaves the judgement to you. Pay particular attention to the network checks (a sniffer or an interface in promiscuous mode), the executable-file checks and the login-record checks (wtmp and lastlog entries that have been deleted or no longer agree). Both chkrootkit and rkhunter produce false positives on ordinary systems; verify anything they flag with debsums or against a known-good copy before acting on it.
Step.1 Install unhide
aptitude -y install unhide
Step.2 Scan with the following commands
unhide brute
unhide procall
unhide sys
unhide-tcp
unhide looks for processes that a rootkit hides from ps and /proc: brute walks every possible PID, sys compares the results of system calls with /proc and ps, and procall combines the /proc-based techniques (proc, procfs and quick). unhide-tcp finds listening TCP and UDP ports that ss/netstat do not show by trying to bind every port itself. brute is slow and, because processes start and exit while it runs, a single hit can be a race; repeat the scan and treat only a PID that appears consistently as a finding.