TTY (Teletype Terminal) and Pseudo Terminal Security:
#/etc/securetty
This file lists the terminals from which root is allowed to log in directly.
For example, if root cannot log in from a particular terminal, that terminal is missing from the
securetty file. Edit the file so that root login is restricted to a small set of local teletype terminals.
#tty
This shows the terminal the current user is logged in on.
- Some programs, such as SSH, bypass the securetty file and keep their own configuration.
- Whenever a new SSH session is started, a pseudo terminal is created on the fly and appears under the directory /dev/pts/.
- Always log in over the network as a normal user and then issue "su -l". An attacker then has to obtain a local user's credentials first before even attempting root. Always make the path to a compromise as difficult as possible.
Login Banners:
These warn users about the authorized use of the server.
# /etc/issue
The content of this file is presented before the user logs in (before the username and password are entered, or after the public key is accepted).
# /etc/issue.net
Telnet uses this file as the "banner" when a client makes a connection.
# /etc/motd
The content of this file is presented immediately after a successful login.
Including the Banner in SSH:
These banners can also be served by SSH to warn about the usage of the system. Add the following line to the sshd configuration (/etc/ssh/sshd_config):
------
Banner /etc/issue
------
Restart the daemon for the change to take effect.
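The two checks above (which terminals root may use directly, and whether sshd, which ignores securetty, presents a banner) can be audited from a script. The following is an added example written for this page, not code from the original post; the file paths, the terminal allow-list and the sample files are assumptions constructed so that it runs offline.

```sh
#!/bin/sh
# Added example, not part of the original post: audit /etc/securetty (terminals
# root may log in from directly) and the sshd Banner directive (sshd keeps its
# own configuration and ignores securetty). Paths, the allow-list and the
# sample files below are assumptions so the script runs offline.

# Print every terminal in FILE that is not in the space-separated ALLOWED list.
# Blank lines and comments are ignored. Returns 1 if anything was printed.
audit_securetty() {
    file=$1
    allowed=$2
    found=0
    for entry in $(awk '!/^[[:space:]]*(#|$)/ { print $1 }' "$file"); do
        case " $allowed " in
            *" $entry "*) ;;                  # on the allow-list
            *) echo "$entry"; found=1 ;;      # root can log in here as well
        esac
    done
    return $found
}

# Return 0 when FILE (an sshd_config) has a live Banner directive pointing at a
# file, 1 when it is missing, commented out or set to "none". Only the first
# uncommented Banner line counts, which is how sshd reads its configuration.
sshd_has_banner() {
    first=$(grep -Ei '^[[:space:]]*Banner[[:space:]]+' "$1" | head -n 1 | awk '{ print $2 }')
    [ -n "$first" ] && [ "$first" != "none" ]
}

# Constructed sample files (assumed contents, not copied from any real host).
tmp=${TMPDIR:-/tmp}/tty-audit.$$
mkdir -p "$tmp"
printf '%s\n' '# constructed securetty' console tty1 tty2 tty3 ttyS0 > "$tmp/securetty"
printf '%s\n' 'Port 22' '#Banner none' 'Banner /etc/issue' > "$tmp/sshd_config"

echo "Terminals beyond the allow-list (console tty1 tty2) that root may use:"
audit_securetty "$tmp/securetty" "console tty1 tty2" && echo "(none)"
if sshd_has_banner "$tmp/sshd_config"; then
    echo "sshd: Banner is set"
else
    echo "sshd: no Banner, users are not warned before authenticating"
fi
rm -rf "$tmp"
```

On a real host point the two functions at /etc/securetty and /etc/ssh/sshd_config; the allow-list should contain only the local consoles root genuinely needs.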
Other useful utilities for checking the system when a compromise is suspected:
# /usr/bin/last
This shows the details of recent logins, including duration, terminal, source host or IP, etc.
last reads the records in /var/log/wtmp and processes them.
------------
root pts/1 kiran Thu Oct 1 21:51 - 21:52 (00:00)
root pts/1 jithu Thu Oct 1 21:35 - 21:44 (00:09)
root pts/0 test Thu Oct 1 21:33 still logged in
reboot system boot 2.6.28-11-generi Thu Oct 1 21:32 - 22:00 (00:28)
------------
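Since the advice above is that root should only be reached through "su -l" after a normal user has logged in over the network, a root session that arrived directly on a pseudo terminal (pts/N) is worth flagging. The script below is an added example for this page, not code from the original post; it filters `last` output in the format shown above, and the sample input is constructed from those lines plus two extra sessions (kiran on pts/2 and root on the local tty1) that are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original post: flag root sessions that arrived
# over a pseudo-terminal (pts/N), i.e. over the network, in `last` output.
# The sample input is constructed from the post's lines plus two assumed ones.

# Print "user tty origin" for every root session on a pts/ terminal.
# Reads `last` output on stdin. Returns 0 if none were found, 1 otherwise.
root_pts_logins() {
    awk '
        # Column 1 is the user, 2 the terminal, 3 the origin host/IP
        # (present only for remote sessions). reboot and wtmp lines never match.
        $1 == "root" && $2 ~ /^pts\// { print $1, $2, $3; n++ }
        END { exit (n > 0 ? 1 : 0) }
    '
}

# Constructed sample in the layout `last` prints.
sample_last_output() {
    cat <<'EOF'
root     pts/1        kiran            Thu Oct  1 21:51 - 21:52  (00:00)
root     pts/1        jithu            Thu Oct  1 21:35 - 21:44  (00:09)
root     pts/0        test             Thu Oct  1 21:33   still logged in
kiran    pts/2        192.168.91.1     Thu Oct  1 21:20 - 21:30  (00:10)
root     tty1                          Thu Oct  1 21:10 - 21:12  (00:02)
reboot   system boot  2.6.28-11-generi Thu Oct  1 21:32 - 22:00  (00:28)

wtmp begins Thu Oct  1 21:00:00 2009
EOF
}

# Stand-alone run; on a live system replace sample_last_output with `last`.
if sample_last_output | root_pts_logins; then
    echo "no root sessions over pseudo-terminals"
else
    echo "^ root was reached over the network; expect only 'su -l' from a normal user"
fi
```

The local console session (root on tty1) is deliberately not reported, because securetty is the control for that path; the check only covers the network path that securetty cannot see.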
# /bin/netstat
Shows all listening, connected or otherwise open TCP/UDP and Unix sockets.
root@ubuntu:~# netstat -tulpn
-----------
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2908/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2342/cupsd
tcp6 0 0 :::22 :::* LISTEN 2908/sshd
tcp6 0 0 ::1:631 :::* LISTEN 2342/cupsd
udp 0 0 0.0.0.0:44467 0.0.0.0:* 2318/avahi-daemon:
udp 0 0 0.0.0.0:68 0.0.0.0:* 2439/dhclient
udp 0 0 0.0.0.0:5353 0.0.0.0:* 2318/avahi-daemon:
-----------
The above command shows the daemons listening on TCP and UDP ports, with the PID and program name for each.
root@ubuntu:~# netstat -ant
----------
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 52 192.168.91.128:22 192.168.91.1:4069 ESTABLISHED
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 ::1:631 :::* LISTEN
----------
netstat with the options "ant" shows all TCP connections currently active on the system, both listening and established, with numeric addresses.
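The first thing to check in the listing above is which services are bound to every interface (0.0.0.0 or ::) rather than to loopback only, because only those are reachable from the network. The script below is an added example for this page, not code from the original post; it parses `netstat -tulpn` output, and the sample input is the listing shown above, embedded so that it runs offline.

```sh
#!/bin/sh
# Added example, not part of the original post: split the listeners in
# `netstat -tulpn` output into those bound to every interface and those
# bound to loopback only. The sample input is the listing from the post.

# Print "proto port PID/program" for each listening socket in the given scope,
# "wildcard" (0.0.0.0 / ::) or "loopback" (127.0.0.1 / ::1).
# Reads netstat -tulpn output on stdin.
listeners() {
    awk -v scope="$1" '
        $1 ~ /^(tcp|udp)6?$/ {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr)    # text before the last colon
            wild = (addr == "0.0.0.0" || addr == "::")
            loop = (addr == "127.0.0.1" || addr == "::1")
            # UDP lines have no State column, so find PID/program by its
            # "<pid>/<name>" shape instead of by position; "-" when unknown.
            prog = match($0, /[0-9]+\/[^ ]+/) ? substr($0, RSTART, RLENGTH) : "-"
            if ((scope == "wildcard" && wild) || (scope == "loopback" && loop))
                print $1, port, prog
        }
    '
}

# The post's own listing, reproduced as constructed sample input.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2908/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      2342/cupsd
tcp6       0      0 :::22                   :::*                    LISTEN      2908/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      2342/cupsd
udp        0      0 0.0.0.0:44467           0.0.0.0:*                           2318/avahi-daemon:
udp        0      0 0.0.0.0:68              0.0.0.0:*                           2439/dhclient
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           2318/avahi-daemon:
EOF
}

echo "Reachable from the network:"
sample_netstat | listeners wildcard
echo "Loopback only:"
sample_netstat | listeners loopback
```

On a live host pipe `netstat -tulpn` into `listeners wildcard` and compare the result with the list of services the machine is supposed to expose; anything unexpected is a candidate for the lsof checks that follow.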
# /usr/bin/lsof
This command reveals all open files as well as open sockets on a Linux system.
In a Linux environment every object is treated as a file, so lsof lists every open file.
This makes the tool useful for a post-compromise check.
# /usr/bin/lsof
------------
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
init 1 root cwd DIR 8,1 4096 2 /
init 1 root rtd DIR 8,1 4096 2 /
init 1 root txt REG 8,1 104364 171411 /sbin/init
init 1 root mem REG 8,1 1442180 246132 /lib/tls/i686/cmov/libc-2.9.so
init 1 root mem REG 8,1 117348 228503 /lib/ld-2.9.so
------------
root@ubuntu:~# lsof /root/
-------------
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
bash 2666 root cwd DIR 8,1 4096 32641 /root/
seq 3415 root cwd DIR 8,1 4096 32641 /root/
lsof 3416 root cwd DIR 8,1 4096 32641 /root/
lsof 3417 root cwd DIR 8,1 4096 32641 /root/
-------------
This shows every file under /root that is open by any process. It is helpful for finding which binaries have a particular file open, their I/O, and the user executing them.
A single open file can prevent a filesystem from being unmounted. lsof should be run as the superuser (root) to see all open files in the given directory.
The following lists the sockets open on the system:
root@ubuntu:~# lsof -i
---------------
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
avahi-dae 2318 avahi 14u IPv4 5946 UDP *:mdns
avahi-dae 2318 avahi 15u IPv4 5947 UDP *:44467
cupsd 2342 root 2u IPv6 5997 TCP localhost:ipp (LISTEN)
cupsd 2342 root 3u IPv4 5998 TCP localhost:ipp (LISTEN)
dhclient 2439 root 5u IPv4 6201 UDP *:bootpc
sshd 2656 root 3u IPv4 6628 TCP ubuntu.local:ssh->inp-gopalank.local:4069 (ESTABLISHED)
sshd 2908 root 3u IPv4 8011 TCP *:ssh (LISTEN)
sshd 2908 root 4u IPv6 8013 TCP *:ssh (LISTEN)
---------------
To see the connections between this system and another host, use the following command:
# lsof -i@<hostname or IP address>
root@ubuntu:~# lsof -i@localhost
-----------
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
cupsd 2342 root 2u IPv6 5997 TCP localhost:ipp (LISTEN)
cupsd 2342 root 3u IPv4 5998 TCP localhost:ipp (LISTEN)
-----------
More examples:
To list all connections between localhost and 192.168.91.1:
root@ubuntu:~# lsof -i@192.168.91.1
--------
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 2656 root 3u IPv4 6628 TCP ubuntu.local:ssh->inp-gopalank.local:4069 (ESTABLISHED)
--------
To list all UDP-based connections between localhost and 192.168.91.1:
root@ubuntu:~# lsof -iUDP@192.168.91.1
------
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
------
To list all TCP-based connections between localhost and 192.168.91.1:
root@ubuntu:~# lsof -iTCP@192.168.91.1
---------
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 2656 root 3u IPv4 6628 TCP ubuntu.local:ssh->inp-gopalank.local:4069 (ESTABLISHED)
---------
To list all connections between localhost and port 4069 on host 192.168.91.1:
root@ubuntu:~# lsof -iTCP@192.168.91.1:4069
--------
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 2656 root 3u IPv4 6628 TCP ubuntu.local:ssh->inp-gopalank.local:4069 (ESTABLISHED)
--------
To list all files opened by a process
Using the process ID:
root@ubuntu:~# lsof -p 2656
----------
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 2656 root cwd DIR 8,1 4096 2 /
sshd 2656 root rtd DIR 8,1 4096 2 /
sshd 2656 root txt REG 8,1 418340 49205 /usr/sbin/sshd
----------
Using the process name:
root@ubuntu:~# lsof -c syslogd
---------
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
syslogd 1975 syslog cwd DIR 8,1 4096 2 /
syslogd 1975 syslog rtd DIR 8,1 4096 2 /
syslogd 1975 syslog txt REG 8,1 31816 171504 /sbin/syslogd
syslogd 1975 syslog mem REG 8,1 42504 246149 /lib/tls/i686/cmov/libnss_files-2.9.so
syslogd 1975 syslog mem REG 8,1 38444 246153 /lib/tls/i686/cmov/libnss_nis-2.9.so
syslogd 1975 syslog 6w REG 8,1 0 168157 /var/log/mail.log
---------
To list all ports open on the system over IPv4 (-P and -n keep ports and addresses numeric; -l shows the user as a numeric ID):
root@ubuntu:~# lsof -Pnl +M -i4
----------
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
avahi-dae 2318 110 14u IPv4 5946 UDP *:5353
avahi-dae 2318 110 15u IPv4 5947 UDP *:44467
cupsd 2342 0 3u IPv4 5998 TCP 127.0.0.1:631 (LISTEN)
dhclient 2439 0 5u IPv4 6201 UDP *:68
sshd 2656 0 3u IPv4 6628 TCP 192.168.91.128:22->192.168.91.1:4069 (ESTABLISHED)
sshd 2908 0 3u IPv4 8011 TCP *:22 (LISTEN)
----------
To list all ports open on the system over IPv6:
root@ubuntu:~# lsof -Pnl +M -i6
----------
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
cupsd 2342 0 2u IPv6 5997 TCP [::1]:631 (LISTEN)
sshd 2908 0 4u IPv6 8013 TCP *:22 (LISTEN)
----------
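The numeric listings above are the easiest form to post-process: each ESTABLISHED line carries the owning command, PID, numeric UID and the local->remote address pair, so the sshd session from 192.168.91.1:4069 can be tied back to the entries seen in `last` and `netstat`. The script below is an added example for this page, not code from the original post; it extracts the established connections from `lsof -Pnl +M -i4` output and counts them per remote host so an unfamiliar peer stands out. The sample input is constructed from the post's sshd line plus two extra sessions (PIDs 3001 and 3050, peers 192.168.91.1:4101 and 10.0.0.7:51000) that are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original post: from the numeric output of
# `lsof -Pnl +M -i4`, list the established connections with their owning
# PID, numeric UID and remote peer, then count connections per remote host.
# The sample below is constructed; PIDs 3001/3050 and peer 10.0.0.7 are assumed.

# Print "command pid uid local remote" for each ESTABLISHED socket.
# Reads lsof -Pnl -i output on stdin.
established_peers() {
    awk '
        # SIZE is blank for sockets, so NAME (e.g. 192.168.91.128:22->192.168.91.1:4069)
        # is the second-to-last field and the state in parentheses is the last.
        $NF == "(ESTABLISHED)" {
            split($(NF - 1), ends, "->")
            print $1, $2, $3, ends[1], ends[2]
        }
    '
}

# Print "count host" for each remote host, busiest first. The port is stripped
# from the peer address so several sessions from one host are grouped.
peers_by_host() {
    established_peers | awk '
        { host = $5; sub(/:[^:]*$/, "", host); n[host]++ }
        END { for (h in n) print n[h], h }
    ' | sort -rn
}

# Constructed sample in the layout of `lsof -Pnl +M -i4`.
sample_lsof() {
    cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE NODE NAME
avahi-dae 2318  110  14u  IPv4   5946       UDP *:5353
cupsd     2342    0   3u  IPv4   5998       TCP 127.0.0.1:631 (LISTEN)
sshd      2656    0   3u  IPv4   6628       TCP 192.168.91.128:22->192.168.91.1:4069 (ESTABLISHED)
sshd      3001    0   3u  IPv4   7102       TCP 192.168.91.128:22->192.168.91.1:4101 (ESTABLISHED)
sshd      3050    0   3u  IPv4   7310       TCP 192.168.91.128:22->10.0.0.7:51000 (ESTABLISHED)
sshd      2908    0   3u  IPv4   8011       TCP *:22 (LISTEN)
EOF
}

echo "Established connections (command pid uid local remote):"
sample_lsof | established_peers
echo "Connections per remote host:"
sample_lsof | peers_by_host
```

On a live host pipe `lsof -Pnl +M -i4` (or `-i6`) into `peers_by_host`; a remote host that nobody recognises, or an unexpected command owning a connection, is the lead to follow up with `lsof -p <pid>` as shown above.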