Cyber Patriot Lecture Series - Securing Ubuntu Systems
In this lecture series, learn essential steps to secure Ubuntu 14 64-bit systems, including installation of malware protection software, account management best practices, enabling firewalls, auditing policies, and setting up account lockout policies using Linux PAM. Follow a structured process to enhance the security of your Ubuntu systems effectively.
Presentation Transcript
Slide 1: Cyber Patriot Lecture Series, Ubuntu 14 64-bit
Buddy Spisak, October 24, 2018
Slide 2: First things first
- Install and maintain malware protection software
- Account management:
  - Remove the guest account
  - Remove unnecessary accounts
  - Use a strong password for all accounts
- Delete suspicious files
- Delete unauthorized files
- Use PAM
Slide 3: First things first (cont.)
- Enable the firewall
- Disable unnecessary services
- Monitor the environment:
  - Check running processes
  - Check open ports
  - Check syslog
- Install and automate updates
- Verify audit policies
Slide 4: Final first things first
- Write down the steps taken, including the names and locations of files deleted.
- Download the package lists from the repositories and "update" them to get information on the newest versions of packages and their dependencies:
    sudo apt-get update
- Fetch new versions of the packages already on the machine, if APT knows about newer versions:
    sudo apt-get upgrade
Slide 5: Account Policies
Three-step process to setting up audits:
1. Install the auditing program:
    sudo apt-get install auditd
2. Enable audits:
    sudo auditctl -e 1
3. View and modify policies:
    sudo gedit /etc/audit/auditd.conf
Time to start monitoring something, let's say the /etc/passwd file (watch for writes and attribute changes):
    sudo auditctl -a exit,always -F path=/etc/passwd -F perm=wa
The related event or access to the file can be quickly traced with the ausearch tool:
    sudo ausearch -f /etc/passwd
Slide 6: Account Policies (cont.)
Linux Pluggable Authentication Modules (PAM) provide dynamic authentication support for applications and services in Linux. The four module types:
- Account: control account conditions (e.g. not expired)
- Authentication: verify user identities
- Password: control some password policies
- Session: define actions performed at the beginning and end of user sessions
Slide 7: Account Policies (cont.)
This file allows you to set an account lockout policy:
    sudo gedit /etc/pam.d/common-auth
Add this line to the end of the file:
    auth required pam_tally2.so deny=5 onerr=fail unlock_time=1800
Save the file and close it.
Slide 8: Account Policies (cont.)
The /etc/pam.d/common-auth file can look as follows:
    auth required pam_env.so
    auth required pam_tally2.so deny=5 unlock_time=1800 onerr=fail
    auth [success=1 default=ignore] pam_unix.so nullok_secure
    auth requisite pam_deny.so
    auth required pam_permit.so
    auth optional pam_cap.so
Slide 9: Account Policies (cont.)
gksu is a graphical front-end for su that lets users run graphical applications from the terminal with root privilege:
    sudo apt-get install gksu
Turn off the guest account:
    sudo gedit /etc/lightdm/lightdm.conf.d/50-no-guest.conf
Add the line allow-guest=false. The 50-no-guest.conf file needs to have the following lines:
    [SeatDefaults]
    allow-guest=false
This will stop the local guest account from logging into the system locally.
Slide 10: Account Policies (cont.)
To list all groups:
    cat /etc/group
To add a group:
    sudo addgroup [groupname]
To add a user to a group:
    sudo adduser [USERNAME] [GROUPNAME]
Slide 11: Application Security Settings
Check if an application is installed:
    sudo apt-cache policy auditd
Example output:
    auditd:
      Installed: 1:2.3.2-2ubuntu1
      Candidate: 1:2.3.2-2ubuntu1
      Version table:
     *** 1:2.3.2-2ubuntu1 0
            500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
            100 /var/lib/dpkg/status
Slide 12: Application Security Settings (cont.)
Enable the firewall:
    sudo apt-get install gufw
Using the Gufw software:
1. Click the Ubuntu button in the menu bar
2. Select Search
3. Select Firewall Configuration
4. Click the unlock button on the Gufw window
5. Enact root permissions by authenticating
6. Turn Firewall Status On
Slide 13: Application Security Settings (cont.)
Check whether SYN cookie protection is enabled (prints 1 when it is on):
    sudo sysctl -n net.ipv4.tcp_syncookies
To turn it on if the value is 0:
    sudo sysctl -w net.ipv4.tcp_syncookies=1
Note: install updates before the halfway mark:
    sudo apt-get update
    sudo apt-get upgrade
Do not run the following, because it will break the scoring engine:
    sudo apt-get dist-upgrade
Ensure all services are legitimate:
    sudo service --status-all
Slide 14: Application Updates
How do I find this problem? Keeping your operating system and software updated is a good cybersecurity practice in general.
How do I solve this problem?
1. Click the Settings icon in the top right-hand corner
2. Select System Settings
3. Select Software & Updates
4. The Update Manager may warn you that updates are not being installed automatically
5. Select Updates and change "Automatically check for updates" from Never to Daily. You will be prompted for a password, which can be found in the README file on the desktop.
Slide 15: Defensive Countermeasures
Countermeasure: an action taken to offset another one and to prevent an undesirable outcome in the process. For example, changing the minimum password length from 8 to 10 characters will affect accounts that have 8-character passwords. You will need to update those accounts to meet the new password requirement in order to use them.
Slide 16: Forensic Questions
How do I find this problem? You should always look on the desktop of the image to see if there are questions for you to answer about existing vulnerabilities. There is a file on the desktop called "Forensics Question 1".
How do I solve this problem? You will be logged into the image as the Administrator po. To find the path of the directory containing all of the prohibited .mp3 music files on the image, select Places, Home Folder, the Search icon (magnifying glass), and type .mp3 into the Search box. Right-click on one of the files, select Properties, and under Location you will see the path of the directory. Look at the Location for the other .mp3 files. The path of the directory is /home/po/Music/The Bands and Ensembles of the US Armed Forces/Veterans Day Honor. Remember to save the file.
Slide 17: Local Policies
Login definitions:
    sudo gedit /etc/login.defs
This is a much longer file. To find the section to edit easily, press Ctrl+F and search for "pass". Modify the following variables to the same recommended settings used in Windows:
- Maximum password duration: PASS_MAX_DAYS 90
- Minimum password duration: PASS_MIN_DAYS 10
- Days before expiration to warn users to change their password: PASS_WARN_AGE 7
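The lockout line from slides 7 and 8 and the three PASS_ settings above are easy to mistype or to leave at the Ubuntu defaults. The shell script below is an added example, not part of the lecture, that audits a login.defs file and a PAM common-auth file against those values. The function names and the four sample files are mine and constructed for the example; to audit a live image, point the functions at /etc/login.defs and /etc/pam.d/common-auth.

```shell
#!/bin/bash
# Added example, not from the lecture: audit a login.defs file and a PAM
# common-auth file against the settings the slides recommend. The sample
# files created below are constructed; on a real system pass
# /etc/login.defs and /etc/pam.d/common-auth to the check functions.

# Print the value of one login.defs variable (first uncommented match).
login_defs_value() {           # $1 = file, $2 = variable name
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Check password aging: returns 0 if all three settings meet the slide's
# values (max 90, min 10, warn 7); prints each deviation and returns 1 otherwise.
check_password_aging() {       # $1 = login.defs file
    local max min warn rc=0
    max=$(login_defs_value "$1" PASS_MAX_DAYS)
    min=$(login_defs_value "$1" PASS_MIN_DAYS)
    warn=$(login_defs_value "$1" PASS_WARN_AGE)
    if [ -z "$max" ] || [ "$max" -gt 90 ]; then
        echo "PASS_MAX_DAYS is '${max:-unset}', expected 90 or less"; rc=1
    fi
    if [ -z "$min" ] || [ "$min" -lt 10 ]; then
        echo "PASS_MIN_DAYS is '${min:-unset}', expected 10 or more"; rc=1
    fi
    if [ -z "$warn" ] || [ "$warn" -lt 7 ]; then
        echo "PASS_WARN_AGE is '${warn:-unset}', expected 7 or more"; rc=1
    fi
    return $rc
}

# Check that common-auth carries a pam_tally2 lockout line with both a deny
# threshold and an unlock_time; returns 0 if found, 1 otherwise.
check_lockout_line() {         # $1 = common-auth file
    grep -E '^auth[[:space:]]+required[[:space:]]+pam_tally2\.so' "$1" \
        | grep -E 'deny=[0-9]+' | grep -q 'unlock_time=[0-9]'
}

# --- constructed sample inputs ---
GOOD_DEFS=$(mktemp); BAD_DEFS=$(mktemp); GOOD_AUTH=$(mktemp); BAD_AUTH=$(mktemp)
printf '%s\n' '# constructed login.defs excerpt, set as on slide 17' \
    'PASS_MAX_DAYS 90' 'PASS_MIN_DAYS 10' 'PASS_WARN_AGE 7' > "$GOOD_DEFS"
printf '%s\n' '# constructed excerpt with the stock values: no expiry, no minimum age' \
    'PASS_MAX_DAYS 99999' 'PASS_MIN_DAYS 0' 'PASS_WARN_AGE 7' > "$BAD_DEFS"
printf '%s\n' 'auth required pam_env.so' \
    'auth required pam_tally2.so deny=5 unlock_time=1800 onerr=fail' \
    'auth [success=1 default=ignore] pam_unix.so nullok_secure' \
    'auth requisite pam_deny.so' 'auth required pam_permit.so' > "$GOOD_AUTH"
printf '%s\n' 'auth required pam_env.so' \
    'auth [success=1 default=ignore] pam_unix.so nullok_secure' \
    'auth requisite pam_deny.so' 'auth required pam_permit.so' > "$BAD_AUTH"

# Usage on the samples (the checks print nothing for the compliant files).
check_password_aging "$GOOD_DEFS" && echo "login.defs: OK"
check_password_aging "$BAD_DEFS"  || echo "login.defs: needs changes"
check_lockout_line "$GOOD_AUTH"   && echo "common-auth: lockout present"
check_lockout_line "$BAD_AUTH"    || echo "common-auth: no lockout line"
```

The aging check treats a missing variable the same as a bad value, since a commented-out PASS_MAX_DAYS silently falls back to the compiled default. Running the checks after the edits on slides 7, 8 and 17 gives a quick confirmation that nothing was saved in the wrong file or with a typo in the module name.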
Slide 18: Operating System Settings
From the search field in the Ubuntu menu on the left of the desktop, type System Log to see the available logs.
Slide 19: Operating System Settings (cont.)
Check running processes:
    ps -ef
Port checks:
    netstat -tulpn
System logs (syslog):
- auth.log tracks authentication events
- dpkg.log tracks software (package) events
- syslog tracks operating system events
- Xorg.0.log tracks X display server events
Slide 20: Operating System Settings (cont.)
Check the SSH status (start/stop/status):
    sudo /etc/init.d/ssh status
Encrypt network traffic by installing SSH:
    sudo apt-get install ssh
Utilize access control with hosts.allow and hosts.deny for tcpd and sshd.
Slide 21: Operating System Updates
Click the Ubuntu button in the menu bar for the Update Manager, then install any available security updates from the main Update Manager window.
Slide 22: Policy Violation: Malware
Verify if rkhunter is installed:
    sudo apt-cache policy rkhunter
rkhunter can also help you find some backdoors:
    sudo apt-get install rkhunter
To update this program:
    sudo rkhunter --versioncheck
    sudo rkhunter --update
    sudo rkhunter --propupd
To check for vulnerabilities:
    sudo rkhunter --checkall
After running the above, check warnings by opening the log and searching for "Warning":
    sudo gedit /var/log/rkhunter.log
Slide 23: Policy Violation: Prohibited Files
Stop the unwanted processes. Check the README for exceptions.
    ps -ef | grep ftp
To kill a process, look at the second number on the line output by ps -ef describing the process (the PID):
    sudo kill -KILL [NUM]
Remove prohibited packages. However, some of these applications may be required, so check under "essential services" in the README.
    dpkg-query -l | grep ftp
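Slide 19's port check and the process check above both come down to reading command output against the README's list of essential services. The script below is an added example, not from the lecture, that does that comparison for you: it parses `netstat -tulpn` output into one line per listening service, drops the programs on an allowlist, and pulls PIDs out of `ps -ef` output without matching the grep itself. The netstat and ps text, the allowlist and the function names are mine and constructed; on a live image pipe in the real commands.

```shell
#!/bin/bash
# Added example, not from the lecture: parse `netstat -tulpn` and `ps -ef`
# output to find listening services that are not on the README's list of
# essential services, and the PIDs to stop. The netstat and ps text below is
# constructed sample output; on a live image pipe in the real commands, e.g.
#   sudo netstat -tulpn | unexpected_services "sshd cupsd dhclient"

# Print "proto port pid program" for each listening socket in netstat -tulpn
# output on stdin. PID/Program is the last field (UDP rows have no State
# column, so field positions shift); the port follows the last colon of the
# local address in field 4. Rows showing "-" (no PID, not run as root) are skipped.
listening_services() {
    awk '$1 ~ /^(tcp|udp)6?$/ && $NF ~ /\// {
            n = split($4, a, ":"); port = a[n]
            split($NF, p, "/")
            print $1, port, p[1], p[2] }'
}

# Keep only the listening_services rows whose program name is not in the
# space-separated allowlist $1 (copy it from the README's essential services).
unexpected_services() {        # $1 = allowed program names; netstat output on stdin
    local proto port pid prog
    listening_services | while read -r proto port pid prog; do
        case " $1 " in *" $prog "*) ;; *) echo "$proto $port $pid $prog" ;; esac
    done
}

# Print the PID (second column of ps -ef) of every process whose line matches
# $1, skipping the header and the grep/awk doing the matching (slide 23).
pids_matching() {              # $1 = pattern; ps -ef output on stdin
    awk -v pat="$1" 'NR > 1 && $0 ~ pat && $0 !~ /(grep|awk) / { print $2 }'
}

# --- constructed sample output ---
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      790/cupsd
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      1234/vsftpd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      1300/inetd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           610/dhclient'
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 09:00 ?        00:00:01 /sbin/init
root      1234     1  0 09:01 ?        00:00:00 /usr/sbin/vsftpd /etc/vsftpd.conf
po        2048  1900  0 09:05 pts/0    00:00:00 grep ftp'

# Usage on the samples: the allowlist stands in for the README's list, so the
# FTP and telnet (inetd) listeners come out as the services to investigate.
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_services "sshd cupsd dhclient"
printf '%s\n' "$SAMPLE_PS" | pids_matching ftp
```

Anything the script lists is a candidate, not a verdict: the README may name an FTP or web service as required, in which case it belongs in the allowlist rather than in the kill command on this slide.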
Slide 24: Policy Violation: Unwanted Software
You can remove the samba application from the Ubuntu Software Center:
1. Go to Applications and then Ubuntu Software Center
2. In the search box, type samba
3. Any software with a green check is installed
4. Click on SMB/CIFS and select Remove
5. Enter the password for an administrator
At the terminal prompt:
    sudo apt-get remove samba
Slide 25: Locate files
Find all regular files owned by the user libby:
    sudo find / -type f -user libby
Using the locate command (refresh its database first; quote the pattern so the shell does not expand it):
    sudo updatedb
    sudo locate '*.mp3'
Slide 26: Services Auditing
Services can be viewed and managed in the GUI with BUM (Boot-Up Manager). To install, type in the terminal window:
    sudo apt-get install bum
After installing, run it with:
    sudo bum
Slide 27: Services Auditing (cont.)
Disable services such as:
- Telnet
- Anonymous FTP
- Remote process services (rexec, rlogin, and rsh)
- rstatd
- Finger
- Talk, ntalk
Slide 28: User Auditing
How do I find this problem? One of the first things you should do when starting an image during a competition is check the README file on the desktop. There, you will see the authorized Administrators and Users for the image. These are the only users that should have accounts. All others should be removed.
How do I solve this problem?
1. Go to Applications
2. Select System Tools
3. Select System Settings
4. Select User Accounts
5. Click on Unlock and enter your password, which will give you root access
6. Click on the account to be removed and then select the minus sign in the bottom left of the window to delete the account
7. Select Delete Files
Make sure to write down the name of the user you deleted.
Slide 29: User Auditing (cont.)
- User profiles: /home/username; defaults applied to new users: /etc/default/useradd
- Password files and file permissions: /etc/passwd and /etc/shadow
- Password history: /etc/login.defs
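Clicking through User Accounts as on slide 28 shows the accounts the GUI knows about, but the files listed above are the authoritative record. The script below is an added example, not from the lecture, that reads a passwd file and a group file and compares them with the Administrators and Users named in the README; it also flags any second UID 0 account and any sudo group member who is not an Administrator, which goes a step beyond the slide. The sample files, the names (po, libby, bob, sysadmin) and the function names are mine and constructed; on a live image point the functions at /etc/passwd and /etc/group.

```shell
#!/bin/bash
# Added example, not from the lecture: compare a passwd file and a group file
# against the Administrators and Users named in the README (slide 28), and
# also flag any extra UID 0 account and any unexpected sudo member. The sample
# files and names (po, libby, bob, sysadmin) are constructed; on a live image
# point the functions at /etc/passwd and /etc/group.

# Print the login name of every human account in a passwd-format file: UID in
# the 1000-59999 range that Ubuntu assigns to people, with an interactive shell.
human_accounts() {             # $1 = passwd-format file
    awk -F: '$3 >= 1000 && $3 < 60000 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Print human accounts that appear in neither the admin nor the user list.
unauthorized_accounts() {      # $1 = passwd file, $2 = space-separated authorized names
    local user
    for user in $(human_accounts "$1"); do
        case " $2 " in *" $user "*) ;; *) echo "$user" ;; esac
    done
}

# Print any account other than root whose UID is 0 (a second root login).
extra_uid0_accounts() {        # $1 = passwd file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print members of the sudo group who are not in the administrator list.
unauthorized_sudoers() {       # $1 = group file, $2 = space-separated admin names
    local member
    for member in $(awk -F: '$1 == "sudo" { gsub(",", " ", $4); print $4 }' "$1"); do
        case " $2 " in *" $member "*) ;; *) echo "$member" ;; esac
    done
}

# --- constructed sample files ---
PASSWD=$(mktemp); GROUP=$(mktemp)
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
po:x:1000:1000:Po:/home/po:/bin/bash
libby:x:1001:1001:Libby:/home/libby:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
sysadmin:x:0:1003:constructed extra UID 0 account:/home/sysadmin:/bin/bash
backup-svc:x:1004:1004::/home/backup-svc:/usr/sbin/nologin
EOF
cat > "$GROUP" <<'EOF'
root:x:0:
sudo:x:27:po,bob
users:x:100:
EOF

# README for this constructed image: Administrators "po", Users "libby".
ADMINS="po"; USERS="libby"
echo "Unauthorized accounts: $(unauthorized_accounts "$PASSWD" "$ADMINS $USERS")"
echo "Extra UID 0 accounts:  $(extra_uid0_accounts "$PASSWD")"
echo "Unauthorized sudoers:  $(unauthorized_sudoers "$GROUP" "$ADMINS")"
```

The UID filter is why the script does not list daemon, nobody or the nologin service account: those are not people and are not the README's concern. The UID 0 check matters because the User Accounts window shows a second root-equivalent account as just another user, and removing it through the GUI does nothing about the fact that it existed, so write its name down as slide 28 says.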
Slide 30: Final Thoughts
Ubuntu Resources: the following resources may help teams as they train on the Linux operating system during the competition.
- Ask Ubuntu, a question-and-answer site for Ubuntu users and developers: https://askubuntu.com/
- Ubuntu Forum, a community for Ubuntu support: https://ubuntuforums.org/
- Ubuntu Manual, a beginner's guide to Ubuntu: https://ubuntu-manual.org/
- Ubuntu Trusty, a wiki of resources to introduce users to Ubuntu: http://ubuntuguide.org/wiki/Ubuntu_Trusty