Security
  • IT Security Knowledge Base
  • Blue team
    • Linux System Hardening
    • Phishing Analysis
    • Snort
    • Yara
  • Capture the Flag
    • OverTheWire
      • Bandit
        • Bandit Level 0
        • Bandit Level 0 → Level 1
        • Bandit Level 1 → Level 2
        • Bandit Level 2 → Level 3
        • Bandit Level 3 → Level 4
        • Bandit Level 4 → Level 5
        • Bandit Level 5 → Level 6
        • Bandit Level 6 → Level 7
        • Bandit Level 7 → Level 8
        • Bandit Level 8 → Level 9
        • Bandit Level 9 → Level 10
        • Bandit Level 10 → Level 11
        • Bandit Level 11 → Level 12
        • Bandit Level 12 → Level 13
        • Bandit Level 13 → Level 14
        • Bandit Level 14 → Level 15
        • Bandit Level 15 → Level 16
        • Bandit Level 16 → Level 17
        • Bandit Level 17 → Level 18
        • Bandit Level 18 → Level 19
        • Bandit Level 19 → Level 20
        • Bandit Level 20→ Level 21
        • Bandit Level 21→ Level 22
        • Bandit Level 22 → Level 23
        • Bandit Level 23 → Level 24
        • Bandit Level 24 → Level 25
        • Bandit Level 25 → Level 26
        • Bandit Level 26 → Level 27
        • Bandit Level 27 → Level 28
        • Bandit Level 28 → Level 29
        • Bandit Level 29 → Level 30
        • Bandit Level 30 → Level 31
        • Bandit Level 31 → Level 32
        • Bandit Level 32 → Level 33
    • OWASP Juice Shop
      • Installation
      • Level 1 - Challenges
      • Level 2 - Challenges
    • TryHackMe Rooms
      • Anthem
      • Capture!
      • Corridor
      • Gotta Catch'em All!
      • Mustacchio
      • Neighbour
      • Opacity
      • Source
    • CEH v12 practical resources
  • Cryptology
    • CryptoHack
      • Course: Introduction to CryptoHack
        • Introduction - Challenges
        • General - Encoding
        • General - XOR
      • Course: Modular Arithmetic
        • General - Mathematics
        • Mathematics - Modular Math
        • Mathematics - Brainteasers Part 1
      • Course: Symmetric Cryptography
        • How AES Works
        • Symmetric Starter
        • Block Ciphers
        • Stream Ciphers
  • Red Team
    • Reconnaissance
      • Foot-printing
      • Scanning (Nmap)
      • Enumeration
    • Vulnerability Analysis
    • Initial Access
      • Obtaining credentials
      • Vulnerability Exploitation
        • Buffer Overflow
        • Metasploit and Armitage
        • Ninja Jonin
    • Active Directory
      • Connect to AD
      • AD Explore
      • CMD and PowerShell enumeration
      • Certificates in AD
      • LDAP Pass-back Attacks
      • Cracking NetNTLM Challenge with Responder
      • Exploring Configuration Files for AD Credentials
      • Pass the hash with evil WinRM
      • Understanding Runas
    • Malware
    • Sniffing
      • Intercept HTTP traffic - Hetty
      • Intercept HTTP traffic - Bettercap
      • Wireshark
    • Social Engineering
    • Denial of Service
    • Web Hacking
      • Burp Suite
      • OWASP ZAP
      • Web servers
      • Web Server Footprinting
      • Directory Enumeration
      • Session Hijacking
      • Web Shells
      • Web vulnerability scanners
      • SQL Injection
    • Cloud
    • Wireless Networks
      • Attacking WEP
      • Attacking WPA/WPA2
    • Mobile Devices
    • Network Security Evasion
    • Privileges Escalation
    • Maintain Access and Hide Malicious Activity
      • Backdooring
    • Cover your Tracks
  • Internet of Things
    • IoT in general
    • Common IoT Protocols
      • CoAP
      • MQTT
      • ZIGBEE
      • Bluetooth
    • Scapy
      • Sniffing and spoofing
      • ARP cache Poisoning
  • Projects
    • Cybersecurity Roadshow
Powered by GitBook
On this page
  • General best practices
  • GRUB password
  • Filesystem Partitioning and Encryption
  • VeraCrypt nice and easy tool to use.
  • However we can also use LUKS (Linux Unified Key Setup).
  • Firewall (iptables)
  • Remote Access
  1. Blue team

Linux System Hardening

A general overview of techniques to harden Linux systems. The techniques here are aimed at Ubuntu systems.

PreviousIT Security Knowledge BaseNextPhishing Analysis

Last updated 1 year ago

General best practices

  • Regularly update your system: Keep your Linux distribution and all installed software up to date by applying security patches and updates. This helps protect against known vulnerabilities.

  • Use strong passwords: Enforce strong password policies, including password complexity requirements and regular password changes. Consider using a password manager to generate and securely store complex passwords.

  • Disable unnecessary services: Disable or uninstall any unnecessary services and daemons to minimize the attack surface of your system. Only enable the services required for your system's functionality.

GRUB password

Many BIOS and UEFI firmware allows you to add a boot password. This password will prevent unauthorized users from booting the system.

One tool to do so is grub2-mkpasswd-pbkdf2, which prompts you to input your password twice and generates a hash for you. The resulting hash should be added to the appropriate

Filesystem Partitioning and Encryption

nice and easy tool to use.

However we can also use LUKS (Linux Unified Key Setup).

Most distributions let you encrypt a drive using a graphical interface. However, if you would like to set up LUKS from the command line, the steps are along these lines:

  • Install cryptsetup-luks. (apt install cryptsetup)

  • Confirm the partition name using fdisk -l, lsblk or blkid. (Create a partition using fdisk if necessary.)

  • Set up the partition for LUKS encryption: cryptsetup -y -v luksFormat /dev/sdb1. (Replace /dev/sdb1 with the partition name you want to encrypt.)

  • Create a mapping to access the partition: cryptsetup luksOpen /dev/sdb1 EDCdrive.

  • Confirm mapping details: ls -l /dev/mapper/EDCdrive and cryptsetup -v status EDCdrive.

  • Overwrite existing data with zero: dd if=/dev/zero of=/dev/mapper/EDCdrive.

  • Format the partition: mkfs.ext4 /dev/mapper/EDCdrive -L "Strategos USB".

  • Mount it and start using it like a usual partition: mount /dev/mapper/EDCdrive /media/secure-USB.

Firewall (iptables)

We can configure firewall rules in Linux systems with iptables. Other firewalls include nftables. It is often easier to use a GUI than a CLI, as managing firewall rules is quite cumbersome.

Example: Enable SSH traffic.

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

  • -A INPUT appends to the INPUT chain, i.e., packets destined for the system.

  • -p tcp --dport 22 applies to TCP protocol with destination port 22.

  • -j ACCEPT specifies (jump to) target rule ACCEPT.

iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

  • -A OUTPUT append to the OUTPUT chain, i.e., packets leaving the system.

  • -p tcp --sport 22 applies to TCP protocol with source port 22.

Remote Access

Always use SSH and

  1. Disable remote login as root; force login as non-root users.

  2. Disable password authentication; force public key authentication (with password) instead.

  3. Preferable enforce whitelisting approach of public keys

The configuration of the OpenSSH server can be controlled via the sshd_config file, usually located at /etc/ssh/sshd_config. You can disable the root login by adding the following line:

PermitRootLogin no

We can disable passwords authentication and enabling public key authentication as such:

  • PubkeyAuthentication yes to enable public key authentication

  • PasswordAuthentication no to disable password authentication

configuration file
VeraCrypt