FreeBSD

Package Manager

• FreeBSD uses the package manager pkg, similar to the package manager apt
• Example usage commands
  • sudo pkg update
  • sudo pkg install (package name)
  • sudo pkg delete (package name)

Monitoring Services

• Services and other scripts run at system startup are located in the directories
  • /etc/rc.d/
  • /usr/local/etc/rc.d/
  • Scripts are ran at the kernel level (higher privileges than the root user)
  • Each script is a POSIX-compliant /bin/sh script with no file extension

#!/bin/sh

my_example_service code

• Use the service command to view services and their status
  • List all enable services
    • service -e
  • List all loaded services (enabled or not enabled)
    • service -l
    • Check for any malicious/unneeded services and remove the file from /etc/rc.d or /usr/local/etc/rc.d as needed
  • Start, stop, and restart services
    • service (service name) start
    • service (serivce name) stop
    • service (service name) restart
  • Enable and disable services
    • service (service name) enable
    • service (service name) disable
  • Reload a service (this applies configuration file changes to services without a full restart)
    • service (service name) reload
    • Note that all services may not support this feature. If a service does not support reload, restart it instead to apply configuration file changes.
  • View the status of a service
    • service -v (service name) status
      • When running, the process ID is shown
      • The directory the service file is located in is shown
      • This command’s output is not very descriptive. We recommend using the ps command to view more information about the service. Additionally, navigate to the service’s directory and view its shell script.

Checking Network Connections

• The sockstat command displays network and system opened sockets in FreeBSD
• List all opened ports
  • sockstat
• List all listening ports
  • sockstat -l
• List all TCP or UDP sockets
  • sockstat -P udp
  • sockstat -P tcp
  • sockstat -P tcp,udp
  • sockstat -P tcp -p 80, 443
    • -p allows for filtering by port numbers
• List all Unix sockets and named pipes
  • sockstat -u

Changing File Flags

• Alongside the chattr command, FreeBSD includes the chflags command to set file flags
• Examples
  • Set the system immutable flag
    • sudo chflags schg (filepath)
    • Remove the flag: sudo chflags noschg (filepath)
  • Set the system append-only flag
    • sudo chflags sappnd (filepath)
    • Remove the flag: sudo chflags noappnd (filepath)
  • Set the system undeletable flag
    • sudo chflags sunlnk (filepath)
    • Remove the flag: sudo chflags nounlnk (filepath)
• To view which flags are set on a file, run ls -lo (filepath)

System Configuration Files

• FreeBSD’s main system configuration file is /etc/rc.conf
  • System variables can be changed by either editing this file or using the sysrc command
  • To check the value of a variable in rc.conf, run sudo sysrc (variable name)
  • To set a variable’s value, run sudo sysrc (variable name)=(new value)
  • To append a value to a variable run **sudo sysrc (variable name)+=(value to append)
  • To remove a value from a variable run sudo sysrc (variable name)-=(value to remove)
• Note that rc.conf should not be made immutable, as sysrc commands won’t be able to update variable names
• Limit rc.conf visibility and read/write permissions to only the root user:
  • sudo chown root:(sudoers group) /etc/rc.conf
  • sudo chmod 640 /etc/rc.conf

The Kernel Securelevel

• The FreeBSD kernel has five different levels of security
• If the rc.conf variable kern_securelevel_enable is set to “YES”, then the kernel level is enforced
  • Otherwise, if kern_securelevel_enable is set to “NO”, then the kernel level is disabled and always set to Level -1
• The current level is stored in the rc.conf variable kern.securelevel
  • Level -1: permanently insecure mode
    • Always run the system in level 0 mode
    • Default initial value upon installation
  • Level 0: insecure mode
    • Immutable and append-only flags may be turned off
  • Level 1: secure mode
    • The system immutable and system append-only flags may not be turned off
    • Note that not even the root user can remove the system immutable and system append-only flags
  • Level 2 is basically identical to level 1
  • Level 3: nearly identical to level 1, except IP packet filter rules cannot be changed
• Any super-user process can raise the security level, but no process can lower the level
  • To lower or raise kern.securelevel, use the command sudo sysrc kern.securelevel=(new level)
  • If /etc/rc.conf is made immutable, this command along with other sysrc commands to alter variables will not work

Linux Persistent Iptables Service

NOTE: Using systemd

1. Creating the Backup Script

• Make a directory to store the restore script

  sudo mkdir /etc/iptables-persistent/

• Put your iptables rules file in the created directory

  sudo cp /path/to/rules /etc/iptables-persistent/iptables-rules

• Use one of the following to create the restore script (based on existence of iptables-restore):

  sudo vi /etc/iptables-persistent/restore.sh

  1. Paste the following if iptables-restore exists:

  #!/bin/bash
  
  bin=`which iptables-restore`
  $bin < /etc/iptables-persistent/iptables-rules

  2. Paste the following if iptables-restore does NOT exist

  NOTE: the iptables-rules file must be lines that finish the command sudo iptables and without any whitelines or comments):

  #!/bin/bash
  
  while read rule;
  do
      iptables $rule
  done < etc/iptables-persistent/iptables-rules

• Make the script executable

  sudo chmod +x /etc/iptables-persistent/restore.sh

2. Creating the Service

• Create the service file

  sudo vi /etc/systemd/system/iptables-persistent.service

• Paste the following into the file

  [Unit]
  Description=iptables persistent service
  ConditionFileIsExecutable=/etc/iptables-persistent/restore.sh
  After=network.target
  
  [Service]
  Type=forking
  ExecStart=/etc/iptables-persistent/restore.sh
  start TimeoutSec=0
  RemainAfterExit=yes
  GuessMainPID=no
  
  [Install]
  WantedBy=multi-user.target

• Enable the service

  sudo systemctl enable --now iptables-persistent.service

Linux Splunk Changes

Pre-Execution Script Changes

All changes pertain to the splunk.sh script (competition-resources/Splunk/splunk.sh)

1. Change INDEXER to the ip address of the splunk instance (receiver)
2. Changed PASS to a different password
3. Remove the else branch from the “if ! restart_splunk” (lines 126-128)

Post script execution

Manually add source(s) to monitor:

1. Select a file (or entire directory) to monitor
2. Talk to a captain to obtain the index to use (most likely either “linux” or “windows”)
3. Change directory into the $SPLUNK_HOME/bin directory (most likely /opt/splunkforwarder)
4. Run a command like sudo ./splunk add monitor /path/to/thing/to/monitor -index <name of index>

In the case where the chosen source is already being monitored (and you need to change something about how it is being monitored… e.g., changing the index):

1. Change directory into the $SPLUNK_HOME/bin directory
2. Run the command sudo ./splunk remove monitor /path/to/thing/to/monitor
3. Follow the previous set of steps to re-add the source as a monitor

These commands edit the file at the path $SPLUNK_HOME/etc/apps/search/local/inputs.conf. Do what you will with this information. It should be noted that making manual changes usually requires a restart of the splunk daemon to take effect. To do this: sudo $SPLUNK_HOME/bin/splunk restart

Linux CCDC Basic Checklist

1. Network Scanning & Enumeration

Nmap Scanning

• Scan all ports:

  nmap -p- <IP ADDRESS>

• Ping sweep for active hosts:

  nmap 10.10.10.0-10
  nmap 10.10.10.0/24

• Scan specific ports for service versions and OS detection, saving output to a file:

  nmap -sS -sV -O <IP ADDRESS> > nmap.txt

2. User & Password Management

Reset Passwords

(expects /etc/passwd copy with only accounts you want to reset the password for to be in the file)

Without saving passwords:

for user in $(cat ./users | awk -F: '{print $1}'); do echo "$user:m0Nk3y!m0Nk3y!" | sudo chpasswd; done

With saving passwords to a file:

for user in $(cat ./users | awk -F: '{print $1}'); do echo "$user:m0Nk3y!m0Nk3y!" | tee -a ./new_passwords | sudo chpasswd; done

Create a New User

useradd user -m -s /bin/bash -g sudo

• Alternatively, add group separately:

  usermod -aG sudo|wheel user

• Add public key to .ssh/authorized_keys

Disable Accounts

usermod -L <user>

Enable Accounts

usermod -U <user>

3. SSH Security & Key Management

Rotate SSH Keys

• Find authorized_keys files:

  find / -name "authorized_keys" 2>/dev/null

• Replace contents with the new public key

• Securely copy the new key:

  scp whatever.pub [email protected]:/home/name/.ssh/

Secure /etc/ssh/sshd_config

• Verify default SSH port
• Disable root login
• Disallow empty passwords
• (Optional) Disable password authentication entirely

4. System & Service Management

System Logs

• Check authentication logs:

  cat /var/log/auth.log

• Installed package logs:

  cat /var/log/dpkg.log

• Terminal command logs:

  cat /var/log/term.log

• Review logs in reverse order:

  journalctl -r

Systemctl Commands

• Check service status:

  systemctl status <service>

• View service configuration:

  systemctl cat <service>

• Restart a service:

  systemctl restart <service>

• Enable and start a service:

  systemctl enable --now <service>

• Disable a service:

  systemctl disable <service>

• Stop a service:

  systemctl stop <service>

5. Process & Cron Job Monitoring

Active Processes & Connections

• View active processes:

  top

• List active network connections:

  ss -tupa

• List running processes:

  ps aux

Crontab & Scheduled Tasks

• View user crontabs:

  crontab -l

• Edit crontab:

  crontab -e

• Check system cron jobs:

  ls -la /etc/cron.*

• Find crontabs of all users

  for user in $(cut -f1 -d: /etc/passwd); do echo "user: $user"; crontab -u "$user" -l 2>/dev/null && echo ""; done

6. Security Hardening & Permissions

Remove SUID Binaries

• Find all SUID binaries:

  find / -perm -u=s

• Find files with read-only permissions:

  find / -type f -perm -0400 -ls 2>/dev/null

• Remove SUID permissions:

  chmod a-s <file path>

• Add SUID permissions:

  chmod u+s <file path>

Secure /etc/sudoers

• Ensure it is only writable by root:

  chmod 0440 /etc/sudoers

7. Incident Response & Documentation

Kill Active Sessions

• Kill by TTY:

  pkill -9 -t <TTY>

• Find your own TTY:

  tty

• Kill by username:

  pkill -9 -u <username>

• Kill by PID:

  kill -9 <PID>

• Kill by process name:

  pkill <process name>

Backups

• Take a backup of /etc/ directory or any other mission critial services:

  tar -czvf etc-backup.tar.gz /etc/

Documentation

• Record findings for incident response
• Save nmap scans & security incidents
• Maintain logs for injects & investigations

Cisco Firepower Firewall

Note: The web interface and command line interface may be split on two different machines. Make sure that passwords are reset on both the web and command line interface.

Reset Passwords on the Web Interface

1. Log in to the web interface as a user with administrator access.
2. Navigate to System > Users, and click the edit icon (a pencil) for each user.
3. Enter the new password in the Password and Confirm Password fields.
4. Click Save. If prompted to restart the device, then restart.
5. Verify that the passwords were changed for all users.

Reset Passwords on the Command Line Interface

1. Log in to the administrator account over SSH or with the console.
2. If you do not immediately boot into a Linux shell, enter the command expert to access the Linux shell.
3. At the shell prompt enter the command sudo passwd (the name of the user) to change passwords for all users.
4. Enter the command exit to exit the shell/interface.
5. Verify that the passwords were changed for all users.

Keycloak

Installation

• https://www.keycloak.org/guides#getting-started
• install Docker (docker.io) or Podman
  • x86-64-v2 is not supported on older CPUs
  • sudo usermod -aG docker $USER && newgrp docker

docker run -p 8080:8080 -e KC_BOOTSTRAP_ADMIN_USERNAME=admin -e KC_BOOTSTRAP_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:26.1.3 start-dev

• direct installation

Accounts Setup

# start production server (need to provide TLS certs)
bin/kc.sh start --bootstrap-admin-username admin --bootstrap-admin-password admin

# start development server
bin/kc.sh start-dev --bootstrap-admin-client-id tmpadm --bootstrap-admin-client-secret secret

# create temporary admin user (done without server running)
bin/kc.sh bootstrap-admin user # --username tmpadm --password:env PASS_VAR (optional)

# create temporary service user
bin/kc.sh bootstrap-admin service # --client-id tmpclient --client-secret:env=SECRET_VAR (optional)

Authentication & Usage of Keycloak

• general configuration: https://www.keycloak.org/server/all-config

• provider configuration: https://www.keycloak.org/server/all-provider-config

• https://www.keycloak.org/guides#server

• can be an OpenID Connect Provider

• can secure JS applications on client-side with keycloak-js and on server-side with keycloak-connect

• new clients can integrate with Keycloak through client registration on CLI or through the service endpoint

MariaDB and MySQL

MySQL Config File

When installed, the mysql service will automatically start and run upon system startup on port 3306. The config file is stored in /etc/mysql/mysql.conf.d/mysqld.cnf.

MariaDB Config File

When installed, the mysql service will automatically start and run upon system startup on port 3306. The config files are stored in /etc/mysql/my.cnf and /etc/mysql/mariadb.conf.d/50-server.cnf (this file contains Maria-DB server specific settings).

Securing the Services and Databases

The config file:

• Ensure that these fields are set properly
  • User (should be mysql)
  • Ensure that the user mysql does not have sudo privileges, i.e., not in any sudoers group
  • Do not set the user to root!
• Port (3306 by default if no value is present)
• Bind-address (typically localhost or 127.0.0.1 if the database is hosted on the same machine with the config file)
• Disable local-infile
  • Include the line local-infile = 0 anywhere underneath [mysqld] in the config file
  • Local-infile introduces a security risk as enabling it allows users to import data from files on disk into a database table
• After making changes to the config file, restart mysql with sudo systemctl restart mysql

The service files:

• MariaDB and MySQL’s service files are stored in /lib/systemd/system/ and/or /etc/systemd/system/
• Things to look out for:
  • User and Group should be set to mysql, as shown below
  • If they are set to anything else (such as root), red team can leverage exploits for privilege escalation
  • To check which user mysql is running as, use the command ps aux | grep mysql
• Good idea to backup the service files as well in case of deletion/alteration

Passwords:

• By default, the root user in MySQL has no password. To change root’s password, open a mysql session with sudo mysql -u root
• Run Use mysql;
• If you’re on MySQL, run ALTER USER ‘root’@‘localhost’ IDENTIFIED WITH mysql_native_password BY ‘(new_password)’;
• If you’re on MariaDB, run ALTER USER ‘root’@‘localhost’ IDENTIFIED BY ‘(new_password)’;
• Run FLUSH PRIVILEGES;

Auditing Users:

• In an open MYSQL session, run SELECT User, Host FROM mysql.user; to view all users and their host values
• Host values are either localhost or an IP address. They restrict a user’s connection to that host only, i.e., a host value of localhost restricts connections to the local machine.
• A host value of % allows the user to connect from any host. Ensure that the root user and other system users have a host value of localhost. Ideally, no user should have a host value of %.
• To change a user’s host value, run the command RENAME USER ‘(username)’@‘(old_host)’ TO ‘(username)’@‘(new_host)’; Then run FLUSH PRIVILEGES; to apply the changes.

Removing unwanted users:

• run DROP USER (username);

Backing up the databases:

• While the MySQL service is running, run sudo mysqldump –all-databases –routines -u root -p > (path to a backup .sql file)
• Create a copy of the config file: sudo cp (path to config file) (path to backup config file)
• Also a good idea to backup the files for the mysql service for systemctl should those files be altered or deleted

Restoring the databases:

• sudo cp (path to backup config file) (path to config file)
• sudo systemctl stop mysql
  
• sudo rm -rf /var/lib/mysql/*
• sudo mysqld –initialize
• sudo chown -R mysql: /var/lib/mysql
• sudo systemctl start mysql
• cat (path to backup .sql file) | sudo mysql -u root -p

MariaDB and MySQL Hardening

1. Log in to the mysql/mariadb console with sudo mysql -u root -p
2. Root’s password may be blank if it is not provided during the competition
3. If you can not log in, ensure the mysql service has properly started without logging errors (broken config file, networking error, etc.)
4. In MySQL, run USE mysql;
5. Change root user’s password
   • If you’re on MySQL, run ALTER USER ‘root’@‘localhost’ IDENTIFIED WITH mysql_native_password BY ‘’;
   • If you’re on MariaDB, run ALTER USER ‘root’@‘localhost’ IDENTIFIED BY ‘’;
6. Run FLUSH PRIVILEGES;
7. Verify/edit the appropriate config file
   • MySQL: /etc/mysql/mysql.conf.d/mysqld.cnf
   • MariaDB: /etc/mysql/my.cnf and /etc/mysql/mariadb.conf.d/50-server.cnf
   • Verify that user is set to mysql
   • Verify that the port is set correctly (3306 by default)
   • Verify that the bind-address is set correctly
   • Add the line local-infile = 0 somewhere underneath the [mysqld] section
   • Save changes and restart mysql with sudo systemctl restart mysql
8. Audit users
   • Log in to the mysql/mariadb console
   • run SELECT User, Host FROM mysql.user; to view all users and their host values
   • Make sure host values are either a valid IP address or localhost. No user should have a host value of %.
   • To change a user’s host value, run the command RENAME USER ‘(username)’@‘(current_host)’ TO ‘(username)’@‘(new_host)’; Then run FLUSH PRIVILEGES; to apply the changes.
   • Remove unneeded users with DROP USER (username);
9. Create backups
   • While the MySQL service is running, run sudo mysqldump –all-databases –routines -u root -p > (path to backup .sql file)
   • Create a copy of the config file: sudo cp (path to config file) (path to backup config file)
   • Create backups of the mysql service files used by systemctl
     • /lib/systemd/system/ and/or /etc/systemd/system/

PostgreSQL Hardening

1. Log in to the PostgreSQL console with sudo psql
2. Root’s password may be blank if it is not provided during the competition
3. If you can not log in, ensure the PostgreSQL service has properly started without logging errors (broken config file, networking error, etc.)
4. Change root user’s password
   • In PostgreSQL, run ALTER USER root WITH PASSWORD ‘(new password)’;
   • Alternatively, use ***
5. Verify/edit the config files in /etc/postgresql/(version number)/main
   • pg_hba.conf
     • Client Authentication Config File
     • Controls which hosts can connect to the PostgreSQL server, how clients are authenticated, which users they can log in as, and which databases they can access
     • Remove all suspicious entries from the file
     • Check for out-of-place users and hosts
   • postgresql.conf
     • Main Config File for PostgreSQL
     • Important fields
       • listen_addresses: which IPs to listen on
       • port: should always be set to 5432
       • password_encryption
6. Audit users
   • Log in to the PostgreSQL console
   • Run \duS+ to view all users and their permissions
   • Remove unneeded users with DROP USER (username);
7. Create backups
   • While the PostgreSQL service is running, run sudo pg_dumpall > postgresql_dump
   • Create a copy of the config files: sudo cp -r /etc/postgresql/(version number)/main /path/to/backup/directory
   • Also a good idea to backup the files for the postgreSQL service for systemctl should those files be altered or deleted
     • Located in /lib/systemd/system/ and/or /etc/systemd/system/

PostgreSQL

Config Files

• When installed, the postgresql service will automatically start and run upon system startup on port 5432. The config files are stored in /etc/postgresql/(version number)/main.

• Important config files are

  • pg_hba.conf
    • Client Authentication Config File
    • Controls which hosts can connect to the PostgreSQL server, how clients are authenticated, which users they can log in as, and which databases they can access
    • Remove all suspicious entries from the file
    • Check for out-of-place users and hosts
  • postgresql.conf
    • Main Config File for PostgreSQL
    • Important fields
      • listen_addresses: which IPs to listen on
      • port: should always be set to 5432
      • password_encryption

• Check if any malicious files are in /etc/postgresql/(version number)/main/conf.d

• After updating config files, restart the service using sudo systemctl restart postgresql

The service files:

• PostgreSQL’s service files are stored in /lib/systemd/system/ and/or /etc/systemd/system/
• Good idea to backup the service files as well in case of deletion/alteration

Passwords:

• By default, the root user in PostgreSQL has no password. To change root’s password, run ALTER USER root WITH PASSWORD ‘(new password)’;

Auditing Users:

• In an open PostgreSQL session, run \duS+ to view all users and their permissions
• Add new users with the command CREATE USER (username);

Removing unwanted users:

• run DROP USER (username);

Backing up the databases:

• While the PostgreSQL service is running, run sudo pg_dumpall > postgresql_dump
• Create a copy of the config files: sudo cp -r /etc/postgresql/(version number)/main /path/to/backup/directory
• Also a good idea to backup the files for the postgreSQL service for systemctl should those files be altered or deleted

Restoring the databases:

• psql -X -f postgresql_dump postgres
• Restore config files
• Restore systemctl service files

Salt

https://docs.saltproject.io/en/latest/topics/tutorials/walkthrough.html

Commands (Execution Modules)

Basics

# ping minions
sudo salt '*' test.ping

# list version
sudo salt -v '*' test.version

# install command
sudo salt -v '*linux*' pkg.install vim

# apply /srv/salt/test.sls
sudo salt -v '*linux*' state.apply test

# run commands (can use pipes, command substitution, etc.)
sudo salt '*linux*' cmd.run 'uptime'

# execute other code
sudo salt '*' cmd.exec_code perl 'print("hello")'
sudo salt '*' cmd.exec_code ruby 'puts "cheese"' args='["arg1", "arg2"]' env='{"FOO": "bar"}'

Copying Files

# put files into /srv/salt to use salt://
sudo salt '*linux*' cp.get_file salt://files/reset_passwords.pl /tmp/reset_passwords.pl

sudo salt '*linux*' cp.get_dir salt://files /tmp/files
sudo salt '*win*' cp.get_dir salt://files C:/ # no \

sudo salt-cp '*linux*' src dest # slower

# push files from minion; /var/cache/salt/master/minions/minion-id/files
sudo salt '*linux*' cp.push_dir /var/www/html/index.html
sudo salt '*linux*' cp.push_dir /var/www/html

User Administration

# user management
sudo salt 't*' user.add jp2

# get users
sudo salt '*' ps.get_users

# add/remove user to group
sudo salt '*' group.adduser group user 
sudo salt '*' group.deluser group user

# delete group
sudo salt '*' group.delete group

# get all group info
sudo salt '*' group.getent

# set group members (replaces users)
sudo salt '*' group.members group 'user1,user2,user3'

# set password
sudo salt '*' shadow.gen_password 'password'
sudo salt '*' shadow.set_password someuser 'hash'

System Info

# get disk partitons
sudo salt '*' ps.disk_partitions

# get running processes
sudo salt '*' ps.status running
sudo salt '*' ps.top
sudo salt 'linux*' ps.aux '.*'
sudo salt '*' ps.get_pid_list

Services & More

# crontabs!!! (list/add/remove)
sudo salt '*' cron.ls user
sudo salt '*' cron.set_job root '*' '*' '*' '*' '*' cmd
sudo salt '*' cron.set_special root @hourly 'echo foobar'

# install wordpress
sudo salt '*' wordpress.install /var/www/html apache dwallace password123 [email protected] "Daniel's Awesome Blog" https://blog.dwallace.com

# mysql
sudo salt '*' mysql.db_create 'dbname'
sudo salt '*' mysql.db_remove 'dbname'
sudo salt '*' mysql.query 'dbname' 'DELETE from users where id = 4 limit 1'

# services
sudo salt '*' service.get_all
sudo salt '*' service.restart service
sudo salt '*' service.start service
sudo salt '*' service.stop service

Sample .sls File

network_utilities:
  pkg.installed:
    - pkgs:
      - rsync
      - curl

nginx_pkg:
  pkg.installed:
    - name: nginx

nginx_service:
  service.running:
    - name: nginx
    - enable: True
    - require:
      - pkg: nginx_pkg

Firewall Rules

Minion Rules

sudo salt '*' iptables.build_rule match=conntrack connstate=RELATED,ESTABLISHED jump=ACCEPT

sudo salt 't*' cmd.run 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
sudo salt 't*' cmd.run 'iptables -A OUTPUT -d 10.3.12.150 -p tcp --dport 4505 -j ACCEPT'
sudo salt 't*' cmd.run 'iptables -A OUTPUT -d 10.3.12.150 -p tcp --dport 4506 -j ACCEPT'

Master Rules

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

sudo iptables -A INPUT -i lo -p tcp -m multiport --dports 4505:4506 -j ACCEPT # allow salt localhost comm
sudo iptables -A INPUT -p tcp -m multiport --dports 4505:4506 -j ACCEPT # minion comm

sudo iptables -A OUTPUT -p tcp -m iprange --dst-range 10.3.12.1-10.3.12.4 -j ACCEPT

sudo iptables -A INPUT -i lo -p tcp -m multiport --dports 4505:4506 -j ACCEPT
sudo iptables -A INPUT -p tcp -m multiport --dports 4505:4506 -j ACCEPT

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT # inbound
sudo iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT # outbound

Wordpress

Source: https://www.wpbeginner.com/wordpress-security/

Checklist

1. Reset Password
   • Click on profile (top right)
   • Scroll down to “Set New Password”
   • Default user is admin
2. Check when wp-config.php was last edited
   • ls -lt /var/www/html/wp-config.php
3. Check for any file types of .php, .js, .exe
   • ls -la /var/www/html/wp-content/uploads
4. Verify Wordpress Database Information
   • First, begin a mysql session and select the wordpress database:
     • show databases;
     • use wordpress;
     • show tables;
   • Verify Default Wordpress Tables:
     • wp_commentmeta
     • wp_comments
     • wp_links
     • wp_options
     • wp_postmeta
     • wp_posts
     • wp_term_relationships
     • wp_term_taxonomy
     • wp_termmeta
     • wp_terms
     • wp_usermeta
     • wp_users
   • Things to look for:
     • select * from wp_options where option_name=‘active_plugins’;
     • select * from wp_options where option_name=‘cron’;
5. Plugins
   • Default plugins:
     • Akismet Anti-Spam
     • Hello Dolly
6. Updates
   • make sure you are on latest version of wordpress (can find this under the “Updates” section)
   • make sure plugins are up to date
7. Backups
   • take a backup of the entire /var/www/html directory
     • tar -czvf www-backup.tar.gz /var/www/html
8. Disable File editing
   • in wp-config.php add the following line
     • define( ‘DISALLOW_FILE_EDIT’, true );
9. Security Plugins
   • “Limit Login Attempts Reloaded”
     • Default settings:
       • 4 allowed retries
       • 20 minutes lockout
       • 4 lockouts increase lockout time to 24hrs
     • Can configure settings under “Settings” Tab by the plugins name

Windows Notes

By: Aaron Sprouse and Dylan Harvey

Set TLS Settings for Downloading (any download + splunk)

[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"

Require Kerberos Preauth on all Accounts

Get-ADUSer -Filter 'DoesNotRequirePreAuth -eq $true ' | Set-ADAccountControl -doesnotrequirepreauth $false

Download Sysinternals

Invoke-WebRequest -Uri "https://download.sysinternals.com/files/SysinternalsSuite.zip" -OutFile "C:\sysinternals.zip";
Expand-Archive -Path "C:\sysinternals.zip" -DestinationPath "C:\sysinternals\"

Remove WMI Event Subscribers

Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer

Get-WmiObject -Namespace root/subscription -Class __EventFilter

Get-WmiObject -Namespace root/subscription -Class __FilterToConsumerBinding

Get-WmiObject -Class __IntervalTimerInstruction

<command> | Remove-WmiObject

Bins to Remove

• C:\Windows\System32\sethc.exe
• C:\Windows\System32\Utilman.exe
• C:\Windows\System32\osk.exe - May require TrustedInstaller
• C:\Windows\System32\Narrator.exe
• C:\Windows\System32\Magnify.exe
• C:\Windows\System32\DisplaySwitch.exe

Windows Splunk Changes

[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"

splunk.ps1

• Set Indexer IP
• Set username and password (username in script, env $password or replace in script)
• Set index = windows for all log sources

Once Installed

Check Config

C:\Program Files\SplunkUniversalForwarder\etc\system\local\ inputs.conf outputs.conf

Check Log

C:\Program Files\SplunkUniversalForwarder\var\log\splunk\ splunkd.log

Restart the Service (logs may not send otherwise)

Restart-Service SplunkForwarder

inputs.conf

[default]
host = ${HOSTNAME}

[WinEventLog] 
index = windows
checkpointInterval = 5

[WinEventLog://Security]
disabled = 0
index = windows

[WinEventLog://Application]
disabled = 0
index = windows

[WinEventLog://System]
disabled = 0
index = windows

[WinEventLog://DNS Server]
disabled = 0
index = windows

[WinEventLog://Directory Service]
disabled = 0
index = windows

[WinEventLog://Windows Powershell]
disabled = 0
index = windows

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
current_only = 0
disabled = 0
start_from = oldest
index = windows
renderXml = false

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
current_only = 0
disabled = 0
start_from = oldest
index = windows
renderXml = false