├── NCAE Checklists
│   ├── Recovery Plan.pdf
│   ├── Linux Checklist.pdf
│   └── DNS Configuration.pdf
├── Practice Materials
│   ├── practice.jpg
│   └── iptables-template.sh
├── Defence
│   ├── Port Closing Flowchart.png
│   ├── Linux Services and Defence Cheat Sheet.pdf
│   ├── Auditing Commands.md
│   ├── Attack Vectors.md
│   └── Defence Checklist.md
├── Linux Terminal
│   ├── Linux Commands Cheat Sheet.pdf
│   ├── Keyboard Shortcuts.md
│   └── Printing Tricks.md
├── LICENSE
└── README.md

--------------------------------------------------------------------------------
/NCAE Checklists/Recovery Plan.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RedefiningReality/Linux-Defence-Materials/HEAD/NCAE Checklists/Recovery Plan.pdf

--------------------------------------------------------------------------------
/Practice Materials/practice.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RedefiningReality/Linux-Defence-Materials/HEAD/Practice Materials/practice.jpg

--------------------------------------------------------------------------------
/Defence/Port Closing Flowchart.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RedefiningReality/Linux-Defence-Materials/HEAD/Defence/Port Closing Flowchart.png

--------------------------------------------------------------------------------
/NCAE Checklists/Linux Checklist.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RedefiningReality/Linux-Defence-Materials/HEAD/NCAE Checklists/Linux Checklist.pdf

--------------------------------------------------------------------------------
/NCAE Checklists/DNS Configuration.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RedefiningReality/Linux-Defence-Materials/HEAD/NCAE Checklists/DNS Configuration.pdf
--------------------------------------------------------------------------------
/Linux Terminal/Linux Commands Cheat Sheet.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RedefiningReality/Linux-Defence-Materials/HEAD/Linux Terminal/Linux Commands Cheat Sheet.pdf

--------------------------------------------------------------------------------
/Defence/Linux Services and Defence Cheat Sheet.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RedefiningReality/Linux-Defence-Materials/HEAD/Defence/Linux Services and Defence Cheat Sheet.pdf

--------------------------------------------------------------------------------
/Linux Terminal/Keyboard Shortcuts.md:
--------------------------------------------------------------------------------
# Linux Terminal Keyboard Shortcuts

## Window Management
`Ctrl+Alt+F1-6` - terminal windows
`Ctrl+Alt+F7-12` - GUI windows
`Ctrl+D` - log out of current window

## Avoiding `| more`
`Shift+PgUp` - scroll up
`Shift+PgDn` - scroll down

## Command History
`Ctrl+R` - reverse incremental search through history
`history` -> `!{num}` - rerun the command with history number `num`

## Command Editing
`Ctrl+A` - cursor to beginning of line
`Ctrl+E` - cursor to end of line
`Alt+F` - cursor forward one word
`Alt+B` - cursor back one word

`Ctrl+W` - backspace until beginning of word (space encountered)
`Ctrl+U` - backspace until beginning of command
`Ctrl+K` - delete until end of command
`Ctrl+Y` - paste deleted text

--------------------------------------------------------------------------------
/Practice Materials/iptables-template.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Flush the existing rules in the filter table before rebuilding the ruleset
iptables -F

# Only allow incoming traffic on specified ports
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# iptables -A INPUT -p tcp --dport [port] -j ACCEPT
# repeat as necessary for desired open TCP ports
# iptables -A INPUT -p udp --dport [port] -j ACCEPT
# repeat as necessary for desired open UDP ports
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT   # allow incoming ping (echo request)
iptables -A INPUT -i lo -j ACCEPT                    # allow loopback
# Default-deny goes last, after the ACCEPT rules, so you don't lock yourself out mid-script
iptables -P INPUT DROP

# Block all outgoing traffic except for established connections
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -p tcp --dport [port] -j ACCEPT
# repeat as necessary for desired open TCP ports
# iptables -A OUTPUT -p udp --dport [port] -j ACCEPT
# repeat as necessary for desired open UDP ports
iptables -A OUTPUT -o lo -j ACCEPT
iptables -P OUTPUT DROP

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2024 John Ford

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/Defence/Auditing Commands.md:
--------------------------------------------------------------------------------
*adapted from [this blog post](https://medium.com/@truvis.thornton/commandline-auditing-using-different-tools-to-security-your-linux-server-and-environments-2fcd361142ef)*
# Bash Trap Debug
```sh
sudo touch /var/log/commands.log
sudo chmod 622 /var/log/commands.log   # anyone can append, only root can read
sudo chattr +a /var/log/commands.log   # append-only: entries can't be edited or truncated
```
edit `/etc/bashrc` or `/etc/bash.bashrc`, and add the following content
```sh
function log_command
{
	declare COMMAND
	# last history entry, with leading/trailing whitespace stripped
	COMMAND=$(fc -ln -0 | awk '{$1=$1};1')
	echo "`date +'%b %d %H:%M:%S'` - $$ `whoami` ${PWD} ${COMMAND}" >> /var/log/commands.log
}
trap log_command DEBUG
```
(optional) ***THE FOLLOWING COULD DAMAGE YOUR MACHINE*** - instead, consider `sudo dpkg-reconfigure dash` and electing not to use dash as the default shell
```sh
sudo unlink /bin/sh
sudo unlink /usr/bin/sh
sudo ln -s bash /bin/sh
sudo ln -s bash /usr/bin/sh
grep -v "/bash" /etc/shells | sudo xargs -d '\n' rm # get each line in /etc/shells that doesn't contain "/bash", then remove those files
sudo sed -i '/\/bash/!d' /etc/shells # remove lines that don't contain "/bash" from /etc/shells
```
---
commands from all users running bash will be logged to
/var/log/commands.log, which can only be read by root (`sudo cat /var/log/commands.log`)
- search with `sudo grep [pattern] /var/log/commands.log`
- `[pattern]` can be a process ID, user, command, etc.

# Auditd
```sh
sudo apt install auditd # or sudo yum install auditd
echo '-a exit,always -F arch=b32 -S execve -k commands' | sudo tee /etc/audit/rules.d/commands.rules
# append (-a) the 64-bit rule; a second plain tee would overwrite the 32-bit rule above
echo '-a exit,always -F arch=b64 -S execve -k commands' | sudo tee -a /etc/audit/rules.d/commands.rules
sudo augenrules --check
sudo augenrules --load
sudo systemctl restart auditd
```
execve syscalls from commands will be logged to /var/log/audit/audit.log, which can only be read by root
- read with `sudo ausearch -i -k commands`
- add `-p [pid]` to search by process ID or `-ui [uid]` to search by user ID
- view binaries run with `sudo aureport -x`

--------------------------------------------------------------------------------
/Linux Terminal/Printing Tricks.md:
--------------------------------------------------------------------------------
# Printing Tricks
*aka Useful Commands for Working with Output*

- `… | grep [contents]` or `grep [contents] [file]` ⇒ only show lines with `[contents]`
  - `-v [contents]` ⇒ only show lines *without* `[contents]`
  - `\|` in `[contents]` is an or
  - `-E` or `egrep` allows extended regex in `[contents]`
    - `|` can be used without backslash
  - `^[start]` ⇒ only show lines that start with `[start]`
  - `[end]$` ⇒ only show lines that end with `[end]`
  - `-i` ⇒ ignore case
  - `-B [num]` ⇒ show `[num]` lines before each matching line
  - `-A [num]` ⇒ show `[num]` lines after each matching line
- `grep -Horn [contents] [dir]` ⇒ recursively search `[dir]` for files containing `[contents]`
  - `-Hrn` (without the `o`) ⇒ display text surrounding `[contents]` as well as filename

https://www.cyberciti.biz/faq/grep-regular-expressions/

---
- `… | cut -d [delimiter] -f [field]` ⇒ get the `[field]`th field from each line after splitting it on `[delimiter]`
- `… | sort` ⇒ sort lines in alphabetical order
- `… | uniq` ⇒ unique (only display consecutive duplicate lines once)
  - ex. `… | sort | uniq` ⇒ remove ALL (not just consecutive) duplicate lines
- `… | base64 -d` ⇒ base-64 decode output
- `… | more` or `… | less` ⇒ scrollable output
- `… | tee [file]` ⇒ both print to standard output and write to `[file]`
  - `-a` ⇒ append instead of overwriting
---
- `… | tr [original] [new]` ⇒ replace each character in `[original]` with the character in the same position in `[new]`
  - ex. `… | tr [a-z] [A-Z]` ⇒ make text uppercase
- `… | tr -d [chars]` ⇒ delete all instances of every character in `[chars]`
- `… | tr -s [chars]` ⇒ (squeeze) collapse repeats of each character in `[chars]` into one
  - ex. `… | tr -s " " | cut -d " " -f [field]` ⇒ get `[field]` but account for contiguous spaces
---
- `… | sed 's/[original]/[new]/g'` or `sed 's/[original]/[new]/g' [file]` ⇒ replace all `[original]` with `[new]` in output
- `sed -i 's/[original]/[new]/g' [file]` ⇒ replace all `[original]` with `[new]` in `[file]`
---
https://www.geeksforgeeks.org/input-output-redirection-in-linux/

--------------------------------------------------------------------------------
/Defence/Attack Vectors.md:
--------------------------------------------------------------------------------
# Common Attack Vectors
[John's Red Team Manual](https://docs.google.com/document/d/17W30A0wpB7lVTDb7SCjWs0lb9bMAjVR4B7Dp_c2rU2g/)

## FTP
- outdated service
- anonymous login
- plaintext login and data transfers
- insecure passwords

## SSH
- outdated service
- insecure passwords

## SMB
- outdated service
- anonymous login (null/guest)
- weak encryption
- insecure passwords

## SMTP
- outdated service
- VRFY, EXPN, or RCPT TO user disclosure
- plaintext login and data transfers
- insecure passwords

## HTTP
- outdated service
- web attacks (SQLi, FIV, FUV, XSS, CSRF, etc.)
- check OWASP [vulnerabilities](https://owasp.org/www-community/vulnerabilities) and [attacks](https://owasp.org/www-community/attacks) lists

**Note:** There are so many that, as a defender, you'll just have to accept that you won't be able to find them all, at least in a competition environment. Set up good monitoring or a Web Application Firewall (WAF) or both. In a production environment, it's worth going through the OWASP [web security checklist](https://github.com/0xRadi/OWASP-Web-Checklist).

## HTTPS
- same as HTTP
- weak encryption

## SQL
- outdated service
- weak or nonexistent encryption
- insecure/default passwords

## Privilege Escalation
https://gtfobins.github.io/
- outdated distro
- outdated service
- bad sudo permissions
- bad file permissions (wrong ownership or rwx on file)
- SUID/SGID binaries
- file capabilities set on a binary (check `getcap`)

[Linux Privilege Escalation Checklist on HackTricks](https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist) has a more complete list along with commands

## Persistence
- SSH authorized_keys
- user account
- service
- cron job
- profile and bashrc
- webshell (eg. PHP)
- backdooring an existing command (PATH hijacking)
- PAM config or custom module

[Linux Persistence on PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Persistence.md) has a more complete list along with commands

--------------------------------------------------------------------------------
/Defence/Defence Checklist.md:
--------------------------------------------------------------------------------
# Cyber Defence Checklist
## The Big Idea
**external attack surface is key**
1. Determine which services should be accessible.
2. Block (firewall) or stop services that shouldn't be.
3. Secure services that should be.
   1. Update to latest version
   2. Check [Attack Vectors](Attack%20Vectors.md)
4. Remove things that run on a "schedule" or "when a specific event occurs".
5. Prepare for active defence. (Wireshark and/or auditing)
6. Check for privilege escalation or persistence [attack vectors](Attack%20Vectors.md).

**Note:** If the server is really outdated, don't worry about 6 because there's nothing you can do *unless* there's potential to escalate through a service.
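Steps 1 to 3 above come down to "decide the allowed ports, then default-deny everything else", which is exactly what `Practice Materials/iptables-template.sh` does by hand. The script below is an added example (not part of this repo) that generates that ruleset from port lists so it can be reviewed before being applied; it keeps the template's ordering (ACCEPT rules first, `-P DROP` last) and rejects anything that isn't a real port number, such as a `[port]` placeholder left in by mistake. The function names (`valid_port`, `build_rules`, `main`) and the sample port lists are this example's own choices.

```shell
#!/bin/sh
# Added example: generate the default-deny iptables ruleset from the template
# in Practice Materials/iptables-template.sh. Dry run by default; pass --apply
# to execute the rules (needs root). Port lists below are sample values.
IN_TCP="22 80 443"   # services that must stay reachable (sample)
IN_UDP=""            # e.g. "53" for an authoritative DNS server
OUT_TCP="80 443"     # outbound allowances, e.g. for package updates (sample)
OUT_UDP="53"         # outbound DNS resolution (sample)

# valid_port <n>: succeed only for an integer in 1..65535. Catches the literal
# "[port]" placeholder from the template, empty strings and out-of-range values.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# emit_port_rules <chain> <proto> "<ports>": one ACCEPT rule per port
emit_port_rules() {
    for p in $3; do
        valid_port "$p" || { echo "invalid $2 port for $1: '$p'" >&2; return 1; }
        echo "iptables -A $1 -p $2 --dport $p -j ACCEPT"
    done
}

# build_rules "<in tcp>" "<in udp>" "<out tcp>" "<out udp>": print the full
# ruleset, one iptables command per line. The DROP policies are printed last
# so that a partially applied script never cuts off an existing SSH session.
build_rules() {
    echo "iptables -F"
    echo "iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    emit_port_rules INPUT tcp "$1" || return 1
    emit_port_rules INPUT udp "$2" || return 1
    echo "iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -P INPUT DROP"
    echo "iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    emit_port_rules OUTPUT tcp "$3" || return 1
    emit_port_rules OUTPUT udp "$4" || return 1
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -P OUTPUT DROP"
}

# Usage: ./fw.sh           -> print the rules for review
#        ./fw.sh --apply   -> run them (as root)
main() {
    rules=$(build_rules "$IN_TCP" "$IN_UDP" "$OUT_TCP" "$OUT_UDP") || exit 1
    if [ "${1:-}" = "--apply" ]; then
        printf '%s\n' "$rules" | sh
    else
        printf '%s\n' "$rules"
    fi
}
main "$@"
```

Because `build_rules` fails on the first bad port before anything is applied, a typo in the port list produces an error message instead of a half-built firewall. Add the FORWARD chain (`iptables -P FORWARD DROP`) yourself if the box routes traffic; the template does not cover it.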

## The Complete Checklist
- Change root and user passwords
- Remove unneeded users
- Check group membership and sudo permissions
- Upgrade outdated packages
- Check cron and anacron (if applicable) jobs
  - `/etc/crontab`, `/etc/cron.allow`, `/etc/cron.*` directories and `/var/spool/cron`
  - same files/folders as above but replace `cron` with `anacron`
  - For competitions, easiest is to disable the cron service with `systemctl disable cron` or `crond`
- Check systemd timers
- Check running processes
- Apply host firewall
  - I'd use `ufw`, `firewalld`, `iptables`, `nftables` in that order
- Configure and secure externally-accessible services (depends on service)
  - See [attack vectors](Attack%20Vectors.md) and [services/defence cheatsheet](Linux%20Services%20and%20Defence%20Cheat%20Sheet.pdf)
- Backup required directories both locally and remotely
  - Easiest way is to `tar` and gzip the directory, then copy it to the remote backup server through `sftp`
- Set up [command line auditing](Auditing%20Commands.md)
- Start Wireshark capture

If in a competition, I would make services accessible at this point because your external attack surface is minimised. The rest can be done on the fly.
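Setting up command line auditing is only half the job; someone has to read `/var/log/commands.log`. The script below is an added example (not part of this repo) that triages the file written by the bash DEBUG-trap logger in `Auditing Commands.md` using the `tr`/`cut`/`sort`/`uniq` pipelines from `Printing Tricks.md`: commands per user, everything a given (service) account ran, and commands touching the persistence and credential locations listed in `Attack Vectors.md`. The sample log lines are constructed for this example in the logger's format (`date - pid user cwd command`); the function names and the pattern list are this example's own choices.

```shell
#!/bin/sh
# Added example: triage /var/log/commands.log as written by the log_command
# trap in Auditing Commands.md. Run with a log file path, or with no argument
# to analyse the constructed sample below.

# Constructed sample in the logger's format: <Mon dd HH:MM:SS> - <pid> <user> <cwd> <command...>
sample_log() {
cat <<'EOF'
Mar 03 14:22:01 - 4321 alice /home/alice ls -la
Mar 03 14:22:09 - 4321 alice /home/alice cat /etc/shadow
Mar 03 14:23:40 - 5102 www-data /var/www/html wget http://203.0.113.5/x.sh
Mar 03 14:23:41 - 5102 www-data /var/www/html chmod +x x.sh
Mar 03 14:25:00 - 6001 bob /home/bob vim ~/.ssh/authorized_keys
Mar 03 14:25:30 - 6001 bob /home/bob sudo useradd -m support
Mar 03 14:26:00 - 4321 alice /home/alice ls -la
EOF
}

# commands_per_user <logfile>: "<count> <user>" lines, busiest user first.
# Field 6 is the user once repeated spaces are squeezed (the tr -s trick).
commands_per_user() {
    tr -s ' ' < "$1" | cut -d ' ' -f 6 | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# commands_by_user <logfile> <user>: every command run by one account. Useful
# for service accounts such as www-data, which should never run shell commands
# at all (a webshell shows up here first).
commands_by_user() {
    awk -v u="$2" '$6 == u {
        for (i = 8; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n")
    }' "$1"
}

# Locations from the Persistence / Privilege Escalation lists in Attack
# Vectors.md plus the password database. Pattern choice is this example's own.
SUSPICIOUS='authorized_keys|useradd|usermod|crontab|/etc/cron|[.]bashrc|/etc/profile|/etc/shadow|/etc/passwd|/etc/pam|/etc/sudoers'

# flag_commands <logfile>: "<user>:<command>" for commands matching SUSPICIOUS.
# Only the command part (fields 8 onward) is matched, so a cwd under /etc/cron
# does not trigger a false positive on its own.
flag_commands() {
    awk -v pat="$SUSPICIOUS" '{
        cmd = ""
        for (i = 8; i <= NF; i++) cmd = cmd (i > 8 ? " " : "") $i
        if (cmd ~ pat) print $6 ":" cmd
    }' "$1"
}

main() {
    log=${1:-}
    cleanup=0
    if [ -z "$log" ]; then          # no file given: analyse the constructed sample
        log=$(mktemp)
        sample_log > "$log"
        cleanup=1
    fi
    echo "== commands per user";      commands_per_user "$log"
    echo "== commands by www-data";   commands_by_user "$log" www-data
    echo "== flagged commands";       flag_commands "$log"
    if [ "$cleanup" = 1 ]; then rm -f "$log"; fi
}
main "$@"
```

On a live box run it as root (`sudo ./triage.sh /var/log/commands.log`), since the log is mode 622. The same approach applies to `ausearch -i -k commands` output from the auditd setup, but the field positions differ, so the `cut`/`awk` field numbers would need adjusting.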
- Check open ports - consult the [port closing flowchart](Port%20Closing%20Flowchart.png)
- Check enabled (startup) services
- Check running services
- Check additional privilege escalation attack vectors
  - world readable/writable dirs/files
  - writable files for each user
  - SUID/SGID binaries

### Free Defence Solutions
*probably too advanced for limited-time competitions like NCAE Cyber Games, but if you're feeling adventurous, here are some ideas*
- antivirus: [ClamAV](https://www.clamav.net)
- network IDS/IPS: [Snort](https://www.snort.org)
- SIEM: [Wazuh](https://wazuh.com)
- WAF: [ModSecurity](https://github.com/owasp-modsecurity/ModSecurity)

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Linux Defence Materials
A repository of helpful materials related to Linux defence

This was originally created for the [NCAE Cyber Games competition](https://www.ncaecybergames.org) in an effort to make Illinois Institute of Technology's resources public and share our knowledge with the community, in the spirit of the competition. However, it's certainly not limited to that scope. I still use and make occasional edits to my Linux Commands Cheat Sheet and Defence Checklist to this day. Enjoy, and feel free to submit a GitHub issue with any feedback or questions!

### Repository Contents
If you're just getting started, check out the [NCAE Cyber Sandbox Tutorials](https://www.youtube.com/playlist?list=PLqux0fXsj7x3WYm6ZWuJnGC1rXQZ1018M) on YouTube, which give an introduction to using Linux and to Linux defence concepts.

**Note:** Where relevant, the links in this README (with the exception of the NCAE checklists) go to the original Google Docs, which may be easier to read than the PDF versions in GitHub. If you open them on a PC you also get a document outline on the side that makes them easy to navigate. I cannot guarantee the PDFs in this repo stay up to date, so I highly recommend using the Google Docs versions.

**tl;dr use the links in this README**
#### [Linux Terminal](Linux%20Terminal/)
- [Linux Commands Cheat Sheet](https://docs.google.com/document/d/1vJxoHrjW607NJDLC1Zln1llrEIqrS6Ea3j9ihJTdblg/) ⇒ all the actually useful Linux commands, including the ones mentioned in the NCAE Cyber Sandbox Tutorials
  - For anyone who wants it, the Windows counterpart is here: [Windows Commands Cheat Sheet](https://docs.google.com/document/d/1CGgADAOZQuMXAyzXVeXRNhQ_PPBYliMXCy-4RNE0UMw/)
- [Printing Tricks](https://github.com/RedefiningReality/Cheatsheets/blob/main/Parsing%20Command%20Output.md) ⇒ commands related to working with command line output: grep, sed, cut, tr, etc. This is also linked in the Linux Commands Cheat Sheet for convenience
- [Keyboard Shortcuts](Linux%20Terminal/Keyboard%20Shortcuts.md) ⇒ window management, navigating history, and rerunning previous commands with select modifications, all through keyboard shortcuts
#### [Linux Defence](Defence/)
- [Attack Vectors](Defence/Attack%20Vectors.md) ⇒ attack vectors by service and the most basic privilege escalation attacks
- [Defence Checklist](Defence/Defence%20Checklist.md) ⇒ Illinois Tech's approach to cyber defence competitions
- [Auditing Commands](Defence/Auditing%20Commands.md) ⇒ various methods to log all commands executed
- [Closing Ports (the right way)](Defence/Port%20Closing%20Flowchart.png) ⇒ I'm tired of people thinking a firewall is the solution to all their problems... actually remove services you don't need!
- [Linux Services and Defence Cheat Sheet](https://docs.google.com/document/d/1DikLS0jAhuflCj3bOlbh5ZIJE6Ou4WkyIxMN0t2ZqU0/) ⇒ all the service setup commands mentioned in the NCAE Cyber Sandbox Tutorials, in the form of a reference sheet, plus some defence ideas
#### [NCAE Checklists](NCAE%20Checklists/)
- [Linux Checklist](NCAE%20Checklists/Linux%20Checklist.pdf) ⇒ the "boilerplate" Linux defence checklist Illinois Tech used for competitions - we took this one and used it to create separate checklists for each machine
  - **To Do:** fix the one-liner for removing extra users (in rare cases it deletes service users as well) and add [command line auditing](Defence/Auditing%20Commands.md) with auditd
- [DNS Configuration](NCAE%20Checklists/DNS%20Configuration.pdf) ⇒ bind9 is a mess, so here are all the changes you need to make, written out
- [Recovery Plan](NCAE%20Checklists/Recovery%20Plan.pdf) ⇒ booting into recovery to reset the root password and making backups of sensitive files (eg. website source code)
#### [Practice Materials](Practice%20Materials/)
- [iptables Template](Practice%20Materials/iptables-template.sh) ⇒ iptables is even yuckier than bind9, so here's a template you can follow when setting up iptables rules
  - iptables is the "lowest-level" firewalling solution, and that gives it some distinct advantages over ufw or firewalld - namely, red team can just remove those when they inevitably compromise you
- [Illinois Tech Practice Range Network Diagram](Practice%20Materials/practice.jpg) ⇒ the practice network Illinois Tech gave to students in 2023 so they could prepare for the competition - each student got their own unique copy to play around with
  - The actual infrastructure we use for hosting our practice range is fully documented [here](https://github.com/RedefiningReality/Proxmox-Remote-Management/blob/main/Web.md), and if you're a visual learner you can watch [this series](https://youtube.com/playlist?list=PLSpsCUl2cY8at6Dr0c28G6-yC1exBnqrR) on YouTube instead.

If you want to play around with some Python scripts I wrote for logging all command line history and monitoring logins, feel free to check out my [Linux Defence Scripts](https://github.com/RedefiningReality/Linux-Defence-Scripts) repo. They're pretty basic, and if I were to rewrite them now I'd probably take a different approach, but they work!
--------------------------------------------------------------------------------
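The "additional privilege escalation attack vectors" items at the end of the Defence Checklist (world-writable files, SUID/SGID binaries, file capabilities) are quick to script. The following is an added example, not part of this repo or of the author's Linux Defence Scripts, that implements those checks as functions taking a root directory so the same code can be exercised against a scratch tree; it also diffs the SUID/SGID list against a baseline taken when the box was known-good, which is the practical way to spot a newly planted binary. Function names and the baseline-file convention (one path per line, sorted) are this example's own.

```shell
#!/bin/sh
# Added example: privilege-escalation surface checks from the Defence
# Checklist. Usage: ./privesc-check.sh [root-dir] [suid-baseline-file]
# Defaults are intentionally not applied when run with no arguments, so that
# sourcing this file does not start a find over the whole filesystem.

# suid_sgid_binaries <root>: regular files with the SUID or SGID bit set.
# -xdev keeps find on one filesystem (skips /proc, /sys, network mounts).
suid_sgid_binaries() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# world_writable <root>: files and directories anyone can write to, skipping
# sticky-bit directories such as /tmp, which are expected to be world-writable.
world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 \
        ! \( -type d -perm -1000 \) 2>/dev/null | sort
}

# file_capabilities <root>: binaries carrying file capabilities (the getcap
# check from Attack Vectors.md). getcap comes with libcap; skip if missing.
file_capabilities() {
    if command -v getcap >/dev/null 2>&1; then
        getcap -r "$1" 2>/dev/null
    else
        echo "getcap not installed, skipping capability check" >&2
    fi
}

# unexpected_suid <root> <baseline>: SUID/SGID files not present in the
# baseline (sorted, one path per line, e.g. from `suid_sgid_binaries / > base`).
# comm -23 prints lines only in the first input, i.e. binaries added since.
unexpected_suid() {
    suid_sgid_binaries "$1" | comm -23 - "$2"
}

main() {
    root=$1
    baseline=${2:-}
    echo "== SUID/SGID binaries under $root";  suid_sgid_binaries "$root"
    echo "== world-writable (non-sticky) paths"; world_writable "$root"
    echo "== file capabilities";                file_capabilities "$root"
    if [ -n "$baseline" ]; then
        echo "== SUID/SGID binaries not in baseline $baseline"
        unexpected_suid "$root" "$baseline"
    fi
}

if [ -n "${1:-}" ]; then
    main "$1" "${2:-}"
fi
```

Take the baseline (`suid_sgid_binaries / > /root/suid.base`) right after the initial hardening pass, store a copy off-box, and re-run `unexpected_suid / /root/suid.base` during the competition; an empty result means nothing new has been planted with the setuid bit.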