├── .gitignore
├── A01
│   ├── Default_config_rhel_systems.sh
│   ├── Vagrant_Commands.sh
│   ├── Vagrant_and_Virtualbox_Installation.sh
│   └── Vagrantfile
├── A02
│   ├── 01_Web_server_startup_permissions.sh
│   ├── 02_Documentation_maybe_wrong.sh
│   └── 03_Certificate_trusts.sh
├── A03
│   ├── 01_Listing_metadata_file_permissions.sh
│   ├── 02_Working_umask_default_permissions.sh
│   ├── 03_Using_chmod_manage_permissions.sh
│   ├── 04_Advanced_symbolic_notation.sh
│   ├── 05_Changing_file_ownership.sh
│   ├── 06_Setting_execute_only_directory.sh
│   └── octal.txt
├── A04
│   ├── 01_Find_list_special_permissions.sh
│   ├── 02_Using_sticky_bit_prevent_deletions.sh
│   ├── 03_Setting_SGID_directories.sh
│   ├── 04_Collaborative_permissions_apache_webserver.sh
│   ├── 05_Special_permissions_executables.sh
│   └── 06_Using_linux_capabilities.sh
├── A05
│   ├── 01_Checking_ACL_support.sh
│   ├── 02_Configuring_HTTPD_securly_acls.sh
│   ├── 03_Default_ACLs_existing_files.sh
│   └── 04_Managing_ACL_entries.sh
├── A06
│   ├── 01_Managing_SELinux_modes.sh
│   ├── 02_Configuring_SELinux_booleans.sh
│   ├── 03_Managing_file_context.sh
│   ├── 04_Relocating_user_home_directories.sh
│   ├── 05_Allowing_access_port_1000.sh
│   └── 06_SELinux_web_content.sh
├── A07
│   ├── 01_Installing_AppArmor_components.sh
│   ├── 02_Viewing_active_profiles.sh
│   ├── 03_Creating_python_script.sh
│   ├── 04_Generating_profile_for_script.sh
│   ├── 05_Using_aa-logprof_update_profile.sh
│   ├── test.py
│   └── test1.py
├── A08
│   ├── 01_Understanding_authentication_methods.sh
│   ├── 02_Working_known_hosts.sh
│   ├── 03_Centralizing_known_hosts.sh
│   ├── 04_Authenticating_ssh_clients.sh
│   ├── 05_Implementing_SSH_CA.sh
│   └── 06_Signing_an_SSH_CA.sh
├── A09
│   ├── 01_su_Substitute_User.sh
│   ├── 02_Using_sudo.sh
│   ├── 03_Using_another_editor.sh
│   └── 04_Using_Polkit_(Formerly_PolicyKit).sh
├── A10
│   ├── 01_Listing_users.sh
│   ├── 02_Managing_new_users.sh
│   ├── 03_Modifying_deleting_users.sh
│   ├── 04_Working_shadow_data.sh
│   ├── 05_Working_passwords_understanding_authentication.sh
│   ├── 06_Managing_user_passwords.sh
│   ├── 07_Managing_linux_groups.sh
│   └── 08_Working_group_passwords_admins.sh
├── A11
│   ├── 01_Installing_apache.sh
│   ├── 02_Configuring_SSL_apache.sh
│   ├── 03_Redirect_HTTP_HTTPS.sh
│   └── 04_Investigating_certificate_chain.sh
├── A12
│   ├── 01_Creating_CA.sh
│   ├── 02_Creating_certificate_signing_request.sh
│   ├── 03_Signing_the_csr.sh
│   └── 04_Configuring_apache_ca_certificate.sh
├── A13
│   ├── 01_Installing_OpenLDAP.sh
│   ├── 02_Adding_searching_entries_openldap.sh
│   ├── 03_Configuring_StartTLS_openldap.sh
│   ├── 04_Configuring_sssd_ubuntu.sh
│   ├── 05_Configuring_sssd_rocky.sh
│   ├── rockysssd.txt
│   ├── tls.ldif
│   ├── ubuntusssd.txt
│   └── user.ldif
├── A14
│   ├── 00_Very_important.md
│   ├── 01_Checking_listening_ports.sh
│   ├── 02_Removing_extra_services.sh
│   ├── 03_Securing_ICMP_using_sysctl.sh
│   ├── 04_Listing_user_details.sh
│   └── 05_Locking_failed_login_attemps.sh
├── A15
│   ├── 01_Basic_firewall_management.sh
│   ├── 02_Adding_removing_services.sh
│   ├── 03_Adding_source_addresses.sh
│   ├── 04_Editing_service_definitions.sh
│   └── 05_Configuring_fail2ban.sh
├── A16
│   ├── 01_Adding_basic_ufw_rules.sh
│   ├── 02_Tuning_SSH_allow_rules.sh
│   ├── 03_More_accurate_rules.sh
│   ├── 04_Allowing_HTTP_access.sh
│   └── 05_Reporting_on_rules.sh
├── LICENSE
├── Links.md
├── README.md
└── README.png

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Local .terraform directories
**/.terraform/*
.DS_Store
# .tfstate files
*.tfstate
*.tfstate.*

# Crash log files
crash.log
crash.*.log

# Exclude all .tfvars files, which are likely to contain sensitive data, such as
# password, private keys, and other secrets. These should not be part of version
# control as they are data points which are potentially sensitive and subject
# to change depending on the environment.
*.tfvars
*.tfvars.json

# Ignore override files as they are usually used to override resources locally and so
# are not checked in
override.tf
override.tf.json
*_override.tf
*_override.tf.json

# Include override files you do wish to add to version control using negated pattern
# !example_override.tf

# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
# example: *tfplan*

# Ignore CLI configuration files
.terraformrc
terraform.rc

--------------------------------------------------------------------------------
/A01/Default_config_rhel_systems.sh:
--------------------------------------------------------------------------------
#If you get some locale warnings use:
export LC_ALL="en_US.UTF-8"
#If this does not work, use:
sudo dnf install -y glibc-langpack-en

#If tab completion does not work
sudo dnf install -y bash-completion

#Install the vim enhanced editor
sudo dnf install -y vim-enhanced

#Install the man pages
sudo dnf install -y man man-pages man-db

--------------------------------------------------------------------------------
/A01/Vagrant_Commands.sh:
--------------------------------------------------------------------------------
#Add a Box to Vagrant (copy a box to the local system)
vagrant box add ubuntu/jammy64

#Create a Working Folder
mkdir linuxclass

#Change into the Working Folder
cd linuxclass

#Create a Vagrant Project Folder
mkdir ubuntu

#Create Your First Vagrant Project
cd ubuntu
vagrant init ubuntu/jammy64

#Create Your First Virtual Machine
vagrant up

#Change the Virtual Machine's Name
#Add the following line somewhere after 'Vagrant.configure(2) do |config|' and before
#'end'. A good place is right after the 'config.vm.box = "ubuntu/jammy64"' line:
config.vm.hostname = "ubuntu01"

#Be sure to save your changes

#To apply the settings (instead of vagrant halt and vagrant up)
vagrant reload

#Assign the Virtual Machine an IP Address (directly under the hostname line)
config.vm.network "private_network", ip: "192.168.56.101"

#Be sure to save your changes

#To apply the settings (instead of vagrant halt and vagrant up)
vagrant reload

#Test from the host
ping -c 3 192.168.56.101

#Destroy the Virtual Machine
vagrant destroy

#Create Another Vagrant Project with Multiple Virtual Machines
cd ..

#Next, let's create the Vagrant project folder and change into that folder
mkdir multitest
cd multitest

#Initialize the Vagrant project. This step creates the Vagrantfile
vagrant init ubuntu/jammy64

#Add two virtual machine definitions (this is the Vagrantfile content, not shell)
Vagrant.configure("2") do |config|
  config.vm.box = "ubuntu/jammy64"

  config.vm.define "test1" do |test1|
    test1.vm.hostname = "test1"
    test1.vm.network "private_network", ip: "192.168.56.101"
  end

  config.vm.define "test2" do |test2|
    test2.vm.hostname = "test2"
    test2.vm.network "private_network", ip: "192.168.56.102"
  end
end

#Start the virtual machines. (Remember that if you do not specify a VM name all the defined VMs will be started.)
vagrant up

#Check their status with the following command
vagrant status

#Connect to the test1 virtual machine to confirm that it's working and then exit it
vagrant ssh test1
exit

#Connect to the test2 virtual machine to confirm that it's working and that it can reach test1
vagrant ssh test2
ping -c 3 192.168.56.101

#Stop the Virtual Machines
vagrant halt

--------------------------------------------------------------------------------
/A01/Vagrant_and_Virtualbox_Installation.sh:
--------------------------------------------------------------------------------
#Update local repos
sudo apt update && sudo apt upgrade

#Install virtualbox
sudo apt install virtualbox

#Install vagrant (add the HashiCorp signing key and repository to the sources list)
wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/hashicorp-archive-keyring.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update && sudo apt install vagrant

#check the version
vagrant --version

--------------------------------------------------------------------------------
/A01/Vagrantfile:
--------------------------------------------------------------------------------
# -*- mode: ruby -*-
# vi: set ft=ruby :

#Place Vagrantfile in the directory you run vagrant from.

#Global configuration; one block per VM follows (ubuntu, opensuse, rocky)
Vagrant.configure("2") do |config|
  #config.vm.box = "base"

  #settings for the ubuntu VM
  config.vm.define "ubuntu" do |ubuntu|
    ubuntu.vm.provider "virtualbox" do |vb_ubuntu|
      vb_ubuntu.memory = "2048"
      vb_ubuntu.cpus = "2"
    end

    ubuntu.vm.box = "ubuntu/jammy64"
    ubuntu.vm.hostname = "ubuntu"
    ubuntu.vm.network "private_network", ip: "192.168.56.102"

  end

  #settings for the opensuse VM
  config.vm.define "opensuse" do |opensuse|
    opensuse.vm.provider "virtualbox" do |vb_opensuse|
      vb_opensuse.memory = "2048"
      vb_opensuse.cpus = "2"
    end

    opensuse.vm.box = "opensuse/Leap-15.4.x86_64"
    opensuse.vm.hostname = "opensuse"
    opensuse.vm.network "private_network", ip: "192.168.56.103"

  end

  #settings for the rocky VM
  config.vm.define "rocky" do |rocky|
    rocky.vm.provider "virtualbox" do |vb_rocky|
      vb_rocky.memory = "2048"
      vb_rocky.cpus = "2"
    end

    rocky.vm.box = "rockylinux/9"
    rocky.vm.hostname = "rocky"
    rocky.vm.network "private_network", ip: "192.168.56.101"

  end
end

--------------------------------------------------------------------------------
/A02/01_Web_server_startup_permissions.sh:
--------------------------------------------------------------------------------
#Working on rocky

#We install the apache web server
sudo dnf install -y httpd

#On rocky the service is not started (and not enabled) after installation

#The listening ports (no port 80 yet)
ss -ntl

#The permissions
ls -ld /var/www/html

#SWITCH TO UBUNTU

#We install the apache web server
sudo apt update && sudo apt install -y apache2

#On ubuntu the service is started (and enabled) automatically after installation

#The listening ports (port 80 is now listening)
ss -ntl

#The permissions are the same as on rocky
ls -ld /var/www/html
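Added example (not part of the course repository) for the `openssl passwd` demonstration in A02/02_Documentation_maybe_wrong.sh that follows: a random salt makes every run different, so a stored hash can only be checked by recomputing it with the salt embedded in the hash itself. The helper below does that for the `$1$` (md5crypt), `$5$` (sha256crypt) and `$6$` (sha512crypt) formats and reads the password from stdin so it does not appear in `ps` or the shell history. The function names, the fixed salt `mysalt` and the sample password `Password1` (the page's own example value) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: verify a password against a crypt(3)-style hash by
# recomputing it with the salt embedded in the stored value.
# Stored hashes look like $<id>$<salt>$<digest>, e.g. $1$mysalt$...

# hash_password <id> <salt>  (password on stdin) -> prints the hash
# id: 1 = md5crypt, 5 = sha256crypt, 6 = sha512crypt
hash_password() {
  case "$1" in
    1) openssl passwd -1 -salt "$2" -stdin ;;
    5) openssl passwd -5 -salt "$2" -stdin ;;
    6) openssl passwd -6 -salt "$2" -stdin ;;
    *) echo "unsupported hash id: $1" >&2; return 2 ;;
  esac
}

# verify_password <stored_hash>  (password on stdin)
# returns 0 on match, 1 on mismatch, 2 on an unsupported format
verify_password() {
  stored=$1
  # split on '$': field 2 is the algorithm id, field 3 the salt
  id=$(printf '%s' "$stored" | cut -d'$' -f2)
  salt=$(printf '%s' "$stored" | cut -d'$' -f3)
  [ -n "$id" ] && [ -n "$salt" ] || return 2
  recomputed=$(hash_password "$id" "$salt") || return 2
  [ "$recomputed" = "$stored" ]
}

# Demonstration: two hashes of the same password with random salts differ,
# yet both verify, because each carries its own salt.
# (Password1 is the sample password used by the course scripts, not a real credential.)
h1=$(printf '%s\n' Password1 | openssl passwd -6 -stdin)
h2=$(printf '%s\n' Password1 | openssl passwd -6 -stdin)
echo "hash 1: $h1"
echo "hash 2: $h2"
printf '%s\n' Password1 | verify_password "$h1" && echo "hash 1 verifies with the right password"
printf '%s\n' Password2 | verify_password "$h1" || echo "hash 1 rejects a wrong password"
```

The same recomputation is what `pam_unix` does against the second field of `/etc/shadow`; the page's "documentation maybe wrong" point is simply that a hash printed in a book was produced with a salt the reader does not have.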
--------------------------------------------------------------------------------
/A02/02_Documentation_maybe_wrong.sh:
--------------------------------------------------------------------------------
#Working on ubuntu

#Generate a hash (openssl picks a random salt each time)
openssl passwd -1 Password1

#Run again, it will generate a different hash
openssl passwd -1 Password1

#And again
openssl passwd -1 Password1

#If we fix the salt, the same password always produces the same hash
openssl passwd -1 -salt mysalt Password1

#And again and again
openssl passwd -1 -salt mysalt Password1

--------------------------------------------------------------------------------
/A02/03_Certificate_trusts.sh:
--------------------------------------------------------------------------------
#Working on ubuntu

#A comprehensive list of the trusted CA certificates
ls -l /etc/ssl/certs

#Are there any upgradable packages? (the ca-certificates package carries the trust store)
sudo apt list --upgradable

#We can update this list indirectly
sudo apt update && sudo apt -y upgrade

--------------------------------------------------------------------------------
/A03/01_Listing_metadata_file_permissions.sh:
--------------------------------------------------------------------------------
#Working on ubuntu

#Show the permissions
ls -l /etc/hosts

#This is a bit special (mode 640, group shadow, nothing for others)
ls -l /etc/shadow

#List the size in human readable form
ls -lh /etc/services

#For a character device (our terminal) -h shows major/minor numbers instead of a size
ls -lh $(tty)

#The same for a block device
ls -lh /dev/sda1

#Show the block devices
lsblk

#Show the statistics
stat /etc/hosts

#Just an element of the stat
stat -c %a /etc/hosts #numbers
stat -c %A /etc/hosts #letters

#Time of last access, human-readable
stat -c %x /etc/hosts

#Time of last data modification, human-readable
stat -c %y /etc/hosts

#Time of last status change, human-readable
stat -c %z /etc/hosts

--------------------------------------------------------------------------------
/A03/02_Working_umask_default_permissions.sh:
--------------------------------------------------------------------------------
#Working on ubuntu

#Touch a file
touch file1

#List the perms
ls -l file1

#Check the umask
umask

#Change the umask (nothing is masked out: files get 666, directories 777)
umask 0

#Check the umask
umask

#Create a file
touch file2

#Check the perms
ls -l file*

#What about directories
mkdir dir1
ls -ld dir1

#Change the umask again (mask out everything for group and others)
umask 77
umask
touch file3
ls -l file*

--------------------------------------------------------------------------------
/A03/03_Using_chmod_manage_permissions.sh:
--------------------------------------------------------------------------------
#Working on ubuntu

#Set the umask
umask 002

#Create a new file
touch new_file

#List the permissions
ls -l new_file

#Change the permissions (add write permission for all users)
chmod a+w new_file

#The same again, but -v reports what changed
chmod -v a+w new_file

#Set permissions to read, write, execute for owner, and read for group for new_file
chmod -v 740 new_file

#Add read permission to others for new_file
chmod -v o+r new_file

#Set permissions to read and write for group and others for new_file
chmod -v go=rw new_file

#Add execute permission to all users for new_file
chmod -v a+x new_file

#Remove execute permission from all users for new_file
chmod -v a-x new_file

#Remove all permissions for group and others for new_file
chmod -v go= new_file

#Another common misunderstanding is the difference between
#"chmod +x file" and "chmod a+x file": when the "who" part is omitted, chmod only
#applies the bits that the umask allows. With an explicit "a", the permissions are
#assigned regardless of the umask.

--------------------------------------------------------------------------------
/A03/04_Advanced_symbolic_notation.sh:
--------------------------------------------------------------------------------
#Working on ubuntu

#Create some directories
mkdir -p ubuntu/{22,20,18,16,14}.04/{gold,current}

#Install tree
sudo apt update && sudo apt install -y tree

#Tree
tree ubuntu

#Show the permissions
ls -lR ubuntu/

#Set the umask
umask 077

#Remove
rm -r ubuntu

#Create the directories again (now they get 700)
mkdir -p ubuntu/{22,20,18,16,14}.04/{gold,current}

#Show the permissions
ls -lR ubuntu/

#Create a new file named file1 in the ubuntu directory
touch ubuntu/file1

#List the details of file1 in the ubuntu directory
ls -l ubuntu/file1

#Recursively add execute permission to all users for directories under the ubuntu directory
#(capital X: only directories, and files that already have an x bit for someone, get it)
chmod -vR a+X ubuntu

#Change the umask again
umask 022

#Create a new file
touch newfile2

ls -l newfile2

#Lets change the permissions
chmod -v +x newfile2

#The x is set for everybody because the umask allows it

#Lets change the permissions
chmod -v +w newfile2

#The w is not set for group and others because the umask masks it out

#To change that we need the "a"
chmod -v a+w newfile2

--------------------------------------------------------------------------------
/A03/05_Changing_file_ownership.sh:
--------------------------------------------------------------------------------
#Working on ubuntu

#List the metadata
ls -l newfile2

#Check the group membership
id

#Add a group
sudo usermod -aG sudo vagrant

#Check the group membership
id #the current shell does not show the new group yet
id vagrant #looks up the current group database

#To renew the group membership we have to logout and login
exit

#Check the group membership
id

#List the metadata
ls -l newfile2

#Change the group (no root needed, we belong to the sudo group)
chgrp sudo newfile2

ls -l newfile2

#Change the owner (sudo is needed)
sudo chown root newfile2

ls -l newfile2

#Or this way (change both)
sudo chown vagrant: newfile2 #If nothing comes after the colon the primary group of the user is used (the older "vagrant." spelling also works)

ls -l newfile2

--------------------------------------------------------------------------------
/A03/06_Setting_execute_only_directory.sh:
--------------------------------------------------------------------------------
#Working on ubuntu

#Create a directory with execute-only permission for others
sudo mkdir -m 701 /shared

ls -ld /shared

#Change into the directory
cd /shared

ls #permission denied (no read permission on the directory)

#Create a file
sudo vim /shared/file1

#write some text, save and exit

#ls is still not allowed
ls

#But if we know the file name we can read the content (x on the directory allows the lookup)
cat file1

--------------------------------------------------------------------------------
/A03/octal.txt:
--------------------------------------------------------------------------------
000 = --- = 0
001 = --x = 1
010 = -w- = 2
011 = -wx = 3
100 = r-- = 4
101 = r-x = 5
110 = rw- = 6
111 = rwx = 7

--------------------------------------------------------------------------------
/A04/01_Find_list_special_permissions.sh:
--------------------------------------------------------------------------------
#Working on rocky

#Create some directories
mkdir -p ~/perms/dir{1..4}

#Install tree
sudo dnf install -y tree

#Use tree
tree ~/perms

#Change the permissions
chmod -v 1777 ~/perms/dir1 #Sticky bit set

chmod -v 2777 ~/perms/dir2 #SGID bit set

chmod -v 3777 ~/perms/dir3 #Both the sticky bit and SGID bit set

chmod -v 1770 ~/perms/dir4 #Sticky bit is set but no permissions for others

#List the permissions
ls -l ~/perms


find ~/perms/ -type d -perm /g=s,o=t #List dirs where either SGID or Sticky bit set

find ~/perms/ -type d -perm -g=s,o=t #List dirs where both SGID and Sticky bit set

find ~/perms/ -type d -perm /o=t #List dirs where Sticky bit set

find ~/perms/ -type d -perm /o=tw #List dirs where Sticky bit set or world writable

find ~/perms/ -type d -perm -o=tw #List dirs where both Sticky bit and world writable set


#SUID
#Used on programs to run as the user owner during execution

#SGID
#On directories, new files are assigned the group owner from the directory; on programs, run with the group owner during execution

#Sticky Bit
#With this set users can only delete files they own from shared directories

--------------------------------------------------------------------------------
/A04/02_Using_sticky_bit_prevent_deletions.sh:
--------------------------------------------------------------------------------
#Working on rocky

#Check the group membership
id

#Add a group
sudo usermod -aG wheel vagrant

#Check the group membership and logout/login
id
exit

#Lets have a look at the /tmp (sticky bit set: drwxrwxrwt)
ls -ld /tmp

#Create a directory and change the perms/group
sudo mkdir /admin

#Change the group ownership of /admin to wheel
sudo chgrp wheel /admin

#Display the detailed listing of the /admin directory
ls -ld /admin

#Remove all permissions for others on /admin
sudo chmod -v o= /admin

#Display the detailed listing of the /admin directory again
ls -ld /admin

#Add write permission for the group on /admin
sudo chmod -v g+w /admin

#Now lets create some files
touch /admin/vagrant
sudo touch /admin/root

#Perms as expected, but not what we want
ls -l /admin

#We are able to delete all content (the vagrant user is in the wheel group and the wheel group has write perms on the directory, which includes delete)
rm /admin/*

ls /admin

#Lets change the perms (set the sticky bit)
sudo chmod -v o+t /admin

ls -ld /admin

#Create the files again
touch /admin/vagrant
sudo touch /admin/root

#Now we can only delete our own file; /admin/root is refused
rm /admin/*

#To see how the sticky bit is displayed when the x bit for others is set (t) or not (T)
sudo chmod -v o+x /admin

sudo chmod -v o-x /admin

--------------------------------------------------------------------------------
/A04/03_Setting_SGID_directories.sh:
--------------------------------------------------------------------------------
#Working on rocky

#we continue where we left off
ls -ld /admin

ls -l /admin

#Lets change the umask
umask 027

#Change the mode (set the SGID bit)
sudo chmod -v g+s /admin

#Create a file
touch /admin/newfile

#Display the detailed listing of the newfile in the /admin directory (group is wheel, inherited from the directory)
ls -l /admin/newfile

#Create a new file named root2 in the /admin directory with root privileges
sudo touch /admin/root2

#Display the detailed listing of the root2 file in the /admin directory (group is wheel again, not root)
ls -l /admin/root2

--------------------------------------------------------------------------------
/A04/04_Collaborative_permissions_apache_webserver.sh:
--------------------------------------------------------------------------------
#Working on rocky

#Check the umask
umask

#Install apache
sudo dnf install -y httpd

#List the perms
ls -ld /var/www/html

#What are the groups (the apache group was added by the package)
tail /etc/group

#Change the group and perms (SGID so new content gets the apache group; no access for others)
sudo chgrp apache /var/www/html

sudo chmod -v 2750 /var/www/html

umask

sudo vim /var/www/html/index.html
#Write some text and save + exit

#We do not have permissions to list it as vagrant (others have no access to /var/www/html)
ls -l /var/www/html/index.html

#Run the previous command again with sudo
sudo !!

#Lets start the apache service
sudo systemctl enable --now httpd

#Curl localhost (apache reads the file through its group)
curl localhost

--------------------------------------------------------------------------------
/A04/05_Special_permissions_executables.sh:
--------------------------------------------------------------------------------
#Working on rocky

#The shadow file (only root can read it)
ls -l /etc/shadow

#Cat will not work as a normal user
cat /etc/shadow

#The passwd command (SUID root: it runs as root so it can update /etc/shadow)
ls -l /usr/bin/passwd

#Another example: our terminal device belongs to the tty group
ls -l $(tty)

#The write command (SGID tty: it runs with the tty group so it can write to other users' terminals)
ls -l /usr/bin/write

--------------------------------------------------------------------------------
/A04/06_Using_linux_capabilities.sh:
--------------------------------------------------------------------------------
#Working on ubuntu

#Simple ping (1.1 is shorthand for 1.0.0.1)
ping 1.1

#The ping perms
ls -l /usr/bin/ping #No special permissions (no SUID bit)

#In the background the "caps" (file capabilities) do the work
getcap /usr/bin/ping

#Show the capabilities of the current shell
capsh --print

#Remove the caps
sudo setcap "" /usr/bin/ping

#Ping does not work anymore (it needs a raw socket).
#Caveat: on systems where unprivileged ICMP sockets are enabled via net.ipv4.ping_group_range, ping still works without the capability.
ping 1.1

#Set the caps again
sudo setcap "cap_net_raw+ep" /usr/bin/ping

#Ping does work
ping 1.1


#What are the Linux capabilities anyway?

#Capabilities split the privileges of root into distinct units that can be granted independently
#to a running process or thread, or attached to an executable file (file capabilities) by root.
#They let a process do one privileged (system-level) task, such as sending signals to processes
#owned by other users (CAP_KILL) from a low-privileged shell, without getting everything a
#SUID root binary gets. Each capability covers one or more sets of related privileges.
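Added example (not from the course repository) that ties A03 (umask, and `chmod` with or without the "who" part) and A04 (special permission bits, capabilities) together. The first three functions compute what those scripts demonstrate interactively, so the reader can check a umask or a `chmod +w` outcome before touching a system; `audit_special_perms` is the find-based sweep a practitioner runs over a tree to spot SUID/SGID binaries, SGID and sticky directories, world-writable files, world-writable directories without the sticky bit (the dangerous combination A04/02 shows) and file capabilities. Function names are assumptions; `-perm -mode` is used instead of the page's GNU-only `-perm /mode` so the sweep also runs under BSD find, and the demonstration works on a scratch directory it creates itself.

```shell
#!/bin/sh
# Added example: permission arithmetic from A03 and a special-bit sweep for A04.

# octal_to_symbolic 0644 -> rw-r--r-- (the lower nine bits only)
octal_to_symbolic() {
  mode=$(( 0$1 & 0777 ))
  out=''
  for pos in 8 7 6 5 4 3 2 1 0; do
    bit=$(( (mode >> pos) & 1 ))
    case $(( pos % 3 )) in
      2) letter=r ;;
      1) letter=w ;;
      0) letter=x ;;
    esac
    if [ "$bit" -eq 1 ]; then out="${out}${letter}"; else out="${out}-"; fi
  done
  printf '%s\n' "$out"
}

# default_mode <umask> file|dir -> mode a new file (base 666) or directory (base 777) gets
default_mode() {
  case $2 in
    file) base=0666 ;;
    dir)  base=0777 ;;
    *) echo "usage: default_mode <umask> file|dir" >&2; return 2 ;;
  esac
  printf '%04o\n' $(( base & ~0$1 ))
}

# chmod_without_who <umask> <current_mode> r|w|x
# Models "chmod +x file" (no who part): only the bits the umask allows are added.
# "chmod a+x file" would add the bit for everyone regardless of the umask.
chmod_without_who() {
  case $3 in
    r) bits=0444 ;;
    w) bits=0222 ;;
    x) bits=0111 ;;
    *) echo "usage: chmod_without_who <umask> <mode> r|w|x" >&2; return 2 ;;
  esac
  printf '%04o\n' $(( 0$2 | (bits & ~0$1) ))
}

# audit_special_perms <dir> -> one "TAG path" line per finding
audit_special_perms() {
  dir=$1
  find "$dir" -type f -perm -4000 | sed 's/^/SUID /'
  find "$dir" -type f -perm -2000 | sed 's/^/SGID_FILE /'
  find "$dir" -type d -perm -2000 | sed 's/^/SGID_DIR /'
  find "$dir" -type d -perm -1000 | sed 's/^/STICKY /'
  find "$dir" -type f -perm -0002 | sed 's/^/WORLD_WRITABLE_FILE /'
  # world-writable directory without the sticky bit: anyone can delete anyone's files
  find "$dir" -type d -perm -0002 ! -perm -1000 | sed 's/^/WORLD_WRITABLE_NO_STICKY /'
  # file capabilities (A04/06); getcap only exists where the libcap tools are installed
  if command -v getcap >/dev/null 2>&1; then
    getcap -r "$dir" 2>/dev/null | sed 's/^/CAPS /'
  fi
}

# Demonstration on a scratch directory (created here, removed afterwards)
scratch=$(mktemp -d)
touch "$scratch/suidbin" && chmod 4755 "$scratch/suidbin"
mkdir "$scratch/shared" && chmod 1777 "$scratch/shared"
mkdir "$scratch/open" && chmod 777 "$scratch/open"
echo "umask 022: new file $(default_mode 022 file) ($(octal_to_symbolic "$(default_mode 022 file)")), new dir $(default_mode 022 dir)"
echo "chmod +w on 0644 with umask 022 -> $(chmod_without_who 022 0644 w); chmod +x -> $(chmod_without_who 022 0644 x)"
audit_special_perms "$scratch"
rm -rf "$scratch"
```

Run `audit_special_perms /` (as root, and expect it to take a while) to get the system-wide inventory; on the course VMs the `SUID` lines should contain `/usr/bin/passwd` and `/usr/bin/sudo`, and the `CAPS` lines the `ping` entry from A04/06.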
--------------------------------------------------------------------------------
/A05/01_Checking_ACL_support.sh:
--------------------------------------------------------------------------------
#Working on rocky

#Check the acls
getfacl /etc/hosts

#List the acl package
sudo dnf list acl

#If it is not installed
sudo dnf install -y acl

#List the /boot
ls /boot

#The kernel version
uname -r

#Do we have the acl support in the kernel config
grep -i acl /boot/config-$(uname -r)

#Where does the getfacl command come from?
rpm -qf $(which getfacl)

#Check the mounts (xfs always supports acls)
mount -t xfs

mount -t ext4

#If an ext4 partition is present, we check for acl support (look for "acl" in the default mount options)
lsblk
sudo tune2fs -l /dev/sda2 | grep -i acl

--------------------------------------------------------------------------------
/A05/02_Configuring_HTTPD_securly_acls.sh:
--------------------------------------------------------------------------------
#Working on rocky

#First we remove apache
sudo dnf remove httpd

#And also the web root
sudo rm -rf /var/www/html/

#Check the umask
umask

#Install apache (recreates /var/www/html owned by root)
sudo dnf install -y httpd

#Create a file (before the default ACL is set)
sudo touch /var/www/html/file1

#Set the default acls: the apache user gets read, others get nothing, on everything created below
sudo setfacl -m d:u:apache:r,d:o:- /var/www/html

#Check the perms (a + at the end indicates ACLs)
ls -ld /var/www/html

getfacl /var/www/html

#Create a new index.html file
echo "Hello from the new Website!" | sudo tee /var/www/html/index.html

#The permissions (index.html inherited the default ACL)
getfacl /var/www/html/index.html

ls -l /var/www/html/index.html

--------------------------------------------------------------------------------
/A05/03_Default_ACLs_existing_files.sh:
--------------------------------------------------------------------------------
#Working on rocky

#Switch to the root user and simulate a full login shell
sudo -i

#The default ACLs are not applied to files that already existed
getfacl /var/www/html/file1

#Set the ACL for the '/var/www/html' directory and its contents recursively to give the 'apache' user read permission and deny all permissions for others
setfacl -R -m u:apache:r,o:- /var/www/html

#Get the ACL for the 'file1' file in the '/var/www/html' directory
getfacl /var/www/html/file1

--------------------------------------------------------------------------------
/A05/04_Managing_ACL_entries.sh:
--------------------------------------------------------------------------------
#Working on rocky

#Switch to the root user
sudo -i

#Create a new directory named 'private' with 700 permissions
mkdir -m 700 /private

#List the contents of the '/private' directory
ls /private

#List the permissions of the '/private' directory
ls -ld /private

#Leave the root shell
exit

#No permissions for the 'vagrant' user to access the '/private' directory
ls /private

#Set the ACL for the '/private' directory to give the 'vagrant' user read, write, and execute permissions (with root privileges)
sudo setfacl -m u:vagrant:rwx /private

#List the contents of the '/private' directory
ls /private

#List the permissions of the '/private' directory after setting the ACL
ls -ld /private #Notice the '+' sign at the end of the permissions

#Set the default ACL for the '/private' directory to give the 'vagrant' user read, write, and execute permissions (with root privileges)
sudo setfacl -m d:u:vagrant:rwx /private

#Create a new file named 'file1' in the '/private' directory
touch /private/file1

#Get the ACL for the 'file1' file in the '/private' directory
getfacl /private/file1

#Create a new file named 'fileroot' in the '/private' directory with root privileges
sudo touch /private/fileroot

#Get the ACL for the 'fileroot' file in the '/private' directory
getfacl /private/fileroot

#Set the ACL for the '/private' directory to give the 'tux' user read and execute permissions (with root privileges; the user must exist)
sudo setfacl -m u:tux:r-x /private

#Get the ACL for the '/private' directory
getfacl /private

#Remove the ACL for the 'tux' user from the '/private' directory (with root privileges)
sudo setfacl -x u:tux /private

#Get the ACL for the '/private' directory after removing the ACL for the 'tux' user
getfacl /private

#Set the ACL for the '/private' directory to give the 'wheel' group read and execute permissions (with root privileges)
sudo setfacl -m g:wheel:r-x /private

#Get the ACL for the '/private' directory
getfacl /private

#Backup the ACL for the '/private' directory to the '/tmp/backupacl' file
getfacl /private > /tmp/backupacl

#Display the contents of the '/tmp/backupacl' file
cat /tmp/backupacl

#Remove the ACL for the 'wheel' group from the '/private' directory (with root privileges)
sudo setfacl -x g:wheel /private

#Get the ACL for the '/private' directory after removing the ACL for the 'wheel' group
getfacl /private

#Remove the default ACL from the '/private' directory (with root privileges)
sudo setfacl -k /private

#Get the ACL for the '/private' directory after removing the default ACL
getfacl /private

#Remove all ACLs from the '/private' directory (with root privileges)
sudo setfacl -b /private

#Get the ACL for the '/private' directory after removing all ACLs
getfacl /private

#Change the current directory to '/private'
cd /private

#Display the contents of the '/tmp/backupacl' file (note the "# file: private" header: getfacl strips the leading slash, so the restore must run from /)
cat /tmp/backupacl

#Change the current directory to '/'
cd /

#Restore the ACL for the '/private' directory from the '/tmp/backupacl' file (with root privileges)
sudo setfacl --restore=/tmp/backupacl

#List the permissions of the '/private' directory
ls -ld /private

#Get the ACL for the '/private' directory
getfacl /private

--------------------------------------------------------------------------------
/A06/01_Managing_SELinux_modes.sh:
--------------------------------------------------------------------------------
#Working on rocky

#Check the mode
getenforce

#The SELinux config (the persistent mode)
cat /etc/selinux/config

#Lets work on an example
systemctl status httpd

sudo systemctl start httpd

curl localhost

#Change the context (we will discuss it later)
sudo chcon -t user_home_t /var/www/html/index.html

#Curl does not work anymore (httpd_t is not allowed to read user_home_t by default)
curl localhost

#Set SELinux to permissive
sudo setenforce permissive

#Curl does work
curl localhost

#But there is a SELinux violation logged (the denial is still recorded in permissive mode)
sudo ausearch -m avc

sudo ausearch -m avc | tail -n 1

#Change the context back
sudo chcon -t httpd_sys_content_t /var/www/html/index.html

#Set SELinux to enforcing
sudo setenforce enforcing

#Curl does work because the SELinux context is correct again
curl localhost

--------------------------------------------------------------------------------
/A06/02_Configuring_SELinux_booleans.sh:
--------------------------------------------------------------------------------
#Working on rocky

#Get a list
getsebool -a

getsebool zoneminder_run_sudo

getsebool -a | grep policy

#Install SELinux Utilities (setroubleshoot adds log information in /var/log/messages)
sudo dnf install -y policycoreutils setools setools-console setroubleshoot

#Get a list
sudo semanage boolean --list

sudo semanage boolean --list | head

#Search for policy
sudo semanage boolean --list | grep policy

#Change the value (without -P the change is lost at reboot; with -P it is made persistent)
sudo setsebool secure_mode_policyload on

#Search for policy
sudo semanage boolean --list | grep policy

#Check SELinux
getenforce

#With secure_mode_policyload on, switching to permissive (or loading a policy) is refused until the next reboot
sudo setenforce 0

--------------------------------------------------------------------------------
/A06/03_Managing_file_context.sh:
--------------------------------------------------------------------------------
#Working on rocky (take care with your own systems!!)

#Start a root session
sudo -i

#List the SELinux metadata of a file
ls -Z /etc/shadow

#List the SELinux metadata of the processes
ps -Z

#List the SELinux metadata of the current directory
ls -Zd .
14 | 15 | #Change the context (if you do not have a test system don't do it) 16 | chcon -t admin_home_t /etc/shadow 17 | 18 | #This will not work anymore 19 | chage -l vagrant 20 | 21 | #What about the logs 22 | ausearch -m avc -ts recent 23 | 24 | grep sealert /var/log/messages 25 | 26 | #Infos from the sealert (in this case not a valid solution) 27 | sealert -l 28 | 29 | #Restore the context 30 | restorecon -v /etc/shadow 31 | 32 | #Now it works 33 | chage -l vagrant -------------------------------------------------------------------------------- /A06/04_Relocating_user_home_directories.sh: -------------------------------------------------------------------------------- 1 | #Working on rocky 2 | 3 | #Check the man pages 4 | man semanage-fcontext 5 | 6 | #The location for context files 7 | sudo ls /etc/selinux/targeted/contexts/files 8 | 9 | #List the SELinux metadata 10 | ls -dZ /home 11 | 12 | ls -dZ /home/vagrant 13 | 14 | #Create a new directory for new user homes 15 | sudo mkdir /staff 16 | 17 | ls -ldZ /staff 18 | 19 | #Set the SELinux context 20 | sudo semanage fcontext -a -e /home /staff 21 | 22 | #If we get an error - this is because of the boolean policy, just reboot 23 | 24 | #Erease the SELinux context 25 | sudo semanage fcontext -d /staff 26 | 27 | #Set it again 28 | sudo semanage fcontext -a -e /home /staff 29 | 30 | #Restore it 31 | sudo restorecon -v /staff 32 | 33 | #Create a user 34 | sudo useradd -m -d /staff/u1 u1 35 | 36 | #Check SELiunx 37 | sudo ls -ldZ /staff/u1 -------------------------------------------------------------------------------- /A06/05_Allowing_access_port_1000.sh: -------------------------------------------------------------------------------- 1 | #Working on rocky 2 | 3 | #Switch to the root user and simulate a full login shell 4 | sudo -i 5 | 6 | #Set SELinux in permissive mode 7 | setenforce 0 8 | 9 | #Install the 'httpd' and 'git' package using dnf package manager 10 | dnf install -y httpd git 11 | 12 | #Stop the 'httpd' 
service 13 | systemctl stop httpd 14 | 15 | #Display the line containing 'Listen 80' in the '/etc/httpd/conf/httpd.conf' file 16 | grep 'Listen 80' /etc/httpd/conf/httpd.conf 17 | 18 | #List all SELinux network port contexts 19 | semanage port -l 20 | 21 | #List all SELinux network port contexts and filter for 'http' 22 | semanage port -l | grep http 23 | 24 | #Replace 'Listen 80' with 'Listen 1000' in the '/etc/httpd/conf/httpd.conf' file 25 | sed -Ei 's/^(Listen) 80/\1 1000/' /etc/httpd/conf/httpd.conf 26 | 27 | #Display the line containing 'Listen 80' in the '/etc/httpd/conf/httpd.conf' file 28 | grep 'Listen 80' /etc/httpd/conf/httpd.conf 29 | 30 | #Display the line containing 'Listen 1000' in the '/etc/httpd/conf/httpd.conf' file 31 | grep 'Listen 1000' /etc/httpd/conf/httpd.conf 32 | 33 | #Start the 'httpd' service 34 | systemctl start httpd 35 | 36 | #Stop the 'httpd' service 37 | systemctl stop httpd 38 | 39 | #Set SELinux in enforcing mode 40 | setenforce 1 41 | 42 | #Start the 'httpd' service 43 | systemctl start httpd #This will fail 44 | 45 | #Search the audit logs for AVC messages 46 | ausearch -m AVC -ts recent 47 | 48 | #Display the lines containing 'sealert' in the '/var/log/messages' file 49 | grep sealert /var/log/messages 50 | 51 | #Display the SELinux alert with the specified identifier 52 | sealert -l 2a8b1e4e-2b1e-4b1a-8b1e-4b1a2e1b2a1e 53 | 54 | #Add a new SELinux network port context for TCP port 1000 with 'http_port_t' type 55 | semanage port -a -t http_port_t -p tcp 1000 56 | 57 | #Start the 'httpd' service 58 | systemctl start httpd 59 | 60 | #Display the listening sockets 61 | ss -ntl -------------------------------------------------------------------------------- /A06/06_SELinux_web_content.sh: -------------------------------------------------------------------------------- 1 | #Working on rocky 2 | 3 | #Switch to the root user and simulate a full login shell 4 | sudo -i 5 | 6 | #Set SELinux in permissive mode 7 | setenforce 0 8 | 9 | 
#Create a new directory named 'web' 10 | mkdir /web 11 | 12 | #List the '/web' directory with its security context 13 | ls -ld /web 14 | 15 | #Copy all HTML files from '/usr/share/doc/git' directory to '/web' directory 16 | find /usr/share/doc/git -type f -name "*.html" -exec cp {} /web \; 17 | 18 | #List the contents of the '/web' directory 19 | ls /web 20 | 21 | #Display the line containing '/var/www/html' in the '/etc/httpd/conf/httpd.conf' file 22 | grep /var/www/html /etc/httpd/conf/httpd.conf 23 | 24 | #Replace '/var/www/html' with '/web' in the '/etc/httpd/conf/httpd.conf' file 25 | sed -i 's/\/var\/www\/html/\/web/' /etc/httpd/conf/httpd.conf 26 | 27 | #Display the line containing '/web' in the '/etc/httpd/conf/httpd.conf' file 28 | grep /web /etc/httpd/conf/httpd.conf 29 | 30 | #Restart the 'httpd' service 31 | systemctl restart httpd 32 | 33 | #Display the status of the 'httpd' service 34 | systemctl status httpd 35 | 36 | #Send a GET request to 'http://localhost:1000/everyday.html' 37 | curl http://localhost:1000/everyday.html 38 | 39 | #Set SELinux in enforcing mode 40 | setenforce 1 41 | 42 | #Send a GET request to 'http://localhost:1000/everyday.html' 43 | curl http://localhost:1000/everyday.html #This will fail 44 | 45 | #Search the audit logs for AVC messages 46 | ausearch -m AVC -ts recent 47 | 48 | #Display the lines containing 'sealert' in the '/var/log/messages' file 49 | grep sealert /var/log/messages 50 | 51 | #Display the SELinux alert with the specified identifier 52 | sealert -l 2a8b1e4e-2b1e-4b1a-8b1e-4b1a2e1b2a1e 53 | 54 | #Display the manual page for 'semanage-fcontext' 55 | man semanage-fcontext 56 | 57 | #Add a new file context for '/web' directory that matches all files and directories and has 'httpd_sys_content_t' type 58 | semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" 
59 | 60 | #Restore the SELinux context of the '/web' directory and its contents with verbose output 61 | restorecon -Rv /web 62 | 63 | #Send a GET request to 'http://localhost:1000/everyday.html' 64 | curl http://localhost:1000/everyday.html -------------------------------------------------------------------------------- /A07/01_Installing_AppArmor_components.sh: -------------------------------------------------------------------------------- 1 | #Working on opensuse 2 | 3 | #Start a root session 4 | sudo su - 5 | 6 | #Are there any AppArmor tools 7 | aa- TABTAB 8 | 9 | #Install the tools 10 | zypper in -y apparmor-utils 11 | 12 | #Check again 13 | aa- TABTAB 14 | 15 | aa-status 16 | 17 | #Lets install the profiles 18 | zypper in -y apparmor-profiles 19 | 20 | #Check the service 21 | systemctl status apparmor 22 | 23 | #Show the status 24 | aa-status -------------------------------------------------------------------------------- /A07/02_Viewing_active_profiles.sh: -------------------------------------------------------------------------------- 1 | #Working on opensuse 2 | 3 | #Show the status (no profiles are in complain mode) 4 | aa-status 5 | 6 | #We start an example with ntp 7 | sudo zypper in -y ntp 8 | 9 | #Show the status (no change at this time) 10 | aa-status 11 | 12 | #The status of ntp service 13 | sudo systemctl status ntpd 14 | 15 | #Start the ntp service 16 | sudo systemctl start ntpd 17 | 18 | #Show the status (now there is a change) 19 | aa-status 20 | 21 | #Show the process 22 | ps -Zp 7248 23 | 24 | #The AppArmor extension directory 25 | ls /etc/apparmor.d/ 26 | 27 | #The ntp file 28 | less /etc/apparmor.d/usr.sbin.ntpd -------------------------------------------------------------------------------- /A07/03_Creating_python_script.sh: -------------------------------------------------------------------------------- 1 | #Working on ubuntu with a root session 2 | 3 | apt update && apt install -y apparmor-utils apparmor-profiles 4 | 5 | #Create a 
python script 6 | vim test.py 7 | 8 | #!/usr/bin/python3 9 | FILE = 'mytext' 10 | try: 11 | open(FILE,'a').close() 12 | print(f'Created file: {FILE}') 13 | except: 14 | print(f'Failed to create file {FILE}') 15 | exit(1) 16 | 17 | #Save and exit 18 | 19 | #Make it executable 20 | chmod u+x test.py 21 | 22 | #Test it 23 | ./test.py 24 | 25 | #List the content 26 | ls 27 | 28 | #Remove the file 29 | rm mytext -------------------------------------------------------------------------------- /A07/04_Generating_profile_for_script.sh: -------------------------------------------------------------------------------- 1 | #Working on ubuntu with a root session 2 | 3 | #Start a root session 4 | sudo su - 5 | 6 | #Install rsyslog (optional) 7 | apt install -y rsyslog 8 | 9 | #Check the rsyslog service 10 | systemctl status rsyslog 11 | 12 | #Generate a profile 13 | aa-genprof test.py 14 | 15 | #Switch to the other session 16 | ./test.py 17 | 18 | #Back to the other session 19 | Type S (Scan) 20 | 21 | Type A (Allow) 22 | 23 | Type S (Save) 24 | 25 | Type F (Finish) 26 | 27 | #Switch to the other session 28 | ./test.py 29 | #Run again (it works fine) 30 | ./test.py -------------------------------------------------------------------------------- /A07/05_Using_aa-logprof_update_profile.sh: -------------------------------------------------------------------------------- 1 | #Working on ubuntu 2 | 3 | #Open the script 4 | vim test.py 5 | 6 | #!/usr/bin/python3 7 | FILE = 'mytext' 8 | try: 9 | f = open(FILE,'a') 10 | f.write("This is text") 11 | f.close() 12 | print(f'Created file: {FILE}') 13 | except: 14 | print(f'Failed to create file {FILE}') 15 | exit(1) 16 | 17 | #Save and close 18 | 19 | #Test the script 20 | ./test.py 21 | 22 | #List the content 23 | cat mytext 24 | 25 | #Open the script 26 | vim test.py 27 | 28 | #!/usr/bin/python3 29 | FILE = 'mytext' 30 | try: 31 | f = open(FILE,'a') 32 | f.write("This is text") 33 | print(f'Created file: {FILE}') 34 | f.close() 35 | 
except: 36 | print(f'Failed to create file {FILE}') 37 | exit(1) 38 | 39 | try: 40 | f = open(FILE, 'r') 41 | f.close() 42 | print(f'Read file: {FILE}') 43 | except: 44 | print(f'Failed to read file {FILE}') 45 | exit(2) 46 | 47 | #Save and exit 48 | 49 | #Test the script (it will fail to read) 50 | ./test.py 51 | 52 | #Edit the profile 53 | aa-logprof 54 | 55 | Type A (Allow) 56 | 57 | Type S (Save) 58 | 59 | #Test the script (it will work) 60 | ./test.py -------------------------------------------------------------------------------- /A07/test.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | FILE = 'mytext' 3 | try: 4 | open(FILE,'a').close() 5 | print(f'Created file: {FILE}') 6 | except: 7 | print(f'Failed to create file {FILE}') 8 | exit(1) -------------------------------------------------------------------------------- /A07/test1.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | FILE = 'mytext' 3 | try: 4 | f = open(FILE,'a') 5 | f.write("This is text") 6 | print(f'Created file: {FILE}') 7 | f.close() 8 | except: 9 | print(f'Failed to create file {FILE}') 10 | exit(1) 11 | 12 | try: 13 | f = open(FILE, 'r') 14 | f.close() 15 | print(f'Read file: {FILE}') 16 | except: 17 | print(f'Failed to read file {FILE}') 18 | exit(2) -------------------------------------------------------------------------------- /A08/01_Understanding_authentication_methods.sh: -------------------------------------------------------------------------------- 1 | #Working on ubuntu 2 | 3 | #Check the remote system 4 | ssh -o PreferredAuthentications=none 192.168.56.101 5 | 6 | #Check the remote system 7 | ssh -o PreferredAuthentications=none 192.168.56.103 8 | 9 | #Check itself 10 | ssh -o PreferredAuthentications=none 192.168.56.102 11 | 12 | #Create a password for the vagrant account 13 | sudo passwd vagrant 14 | 15 | #Switch to opensuse 16 | 17 | #Create a password 
for the vagrant account 18 | sudo passwd vagrant 19 | 20 | #Switch to rocky 21 | 22 | #Create a password for the vagrant account 23 | sudo passwd vagrant -------------------------------------------------------------------------------- /A08/02_Working_known_hosts.sh: -------------------------------------------------------------------------------- 1 | #Working on ubuntu 2 | 3 | #Change into .ssh 4 | cd .ssh 5 | 6 | #List the content 7 | ls 8 | 9 | #Count the lines in known_hosts 10 | wc -l known_hosts 11 | 12 | #Show the content 13 | cat known_hosts 14 | 15 | #Lets delete the file 16 | rm known_hosts 17 | 18 | #Start a ssh session 19 | ssh 192.168.56.103 20 | 21 | exit 22 | 23 | #Show the known_hosts file 24 | cat known_hosts 25 | 26 | #No host checking 27 | ssh -o StrictHostKeyChecking=no 192.168.56.103 28 | 29 | exit 30 | 31 | #Show the known_hosts file 32 | cat known_hosts 33 | 34 | #Lets delete the file again 35 | rm known_hosts 36 | 37 | #No host checking and no know_hosts file 38 | ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null 192.168.56.103 39 | 40 | exit 41 | 42 | #No host checking 43 | ssh -o StrictHostKeyChecking=no 192.168.56.103 44 | 45 | exit 46 | 47 | #Rebuild the openSUSE system - this does cause an message for the new ssh session 48 | #Switch to openSUSE 49 | vagrant destroy openSUSE 50 | vagrant up openSUSE 51 | 52 | #Back on Ubuntu 53 | ssh 192.168.56.103 54 | 55 | #Change the config 56 | ssh-keygen -R 192.168.56.103 57 | 58 | #Set the options in a config file 59 | vim config 60 | 61 | Host 192.168.56.* 62 | StrictHostKeyChecking no 63 | UserKnownHostsFile /dev/null 64 | 65 | #Save and exit 66 | 67 | #Remove the known_hosts file 68 | rm known_hosts 69 | 70 | #Start a session 71 | ssh 192.168.56.101 72 | 73 | #Show the known_hosts file (nothing as expected) 74 | cat known_hosts 75 | 76 | #Start a session 77 | ssh 192.168.56.103 78 | 79 | #Show the known_hosts file (nothing as expected) 80 | cat known_hosts 
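The host key change that A08/02 provokes by rebuilding the openSUSE box, and the central ssh_known_hosts of A08/03, checked offline with an added example that is not part of this repository: it assumes plain (unhashed) known_hosts lines as ssh-keyscan writes them, skips hashed and @-marker lines, and uses constructed sample entries with fake key material.

```shell
#!/bin/sh
# Added example (not part of the repository): audit a known_hosts file offline.
# Assumes plain, unhashed lines ("host[,host...] keytype base64key") as ssh-keyscan
# writes them; hashed "|1|" lines and "@cert-authority"/"@revoked" markers are skipped.
# Needs only POSIX sh and awk. The sample entries below are constructed (fake keys).

# Print "host keytype" for every host whose key of that type appears with two
# different values: the "REMOTE HOST IDENTIFICATION HAS CHANGED" situation that
# rebuilding the openSUSE box produces.
known_hosts_conflicts() {
    awk '
        /^[[:space:]]*(#|$)/ { next }       # comments and blank lines
        $1 ~ /^[@|]/          { next }      # markers and hashed host names
        {
            n = split($1, hosts, ",")       # one line may name several hosts
            for (i = 1; i <= n; i++) {
                k = hosts[i] " " $2
                if (k in seen) {
                    if (seen[k] != $3 && !(k in reported)) {
                        reported[k] = 1
                        print k
                    }
                } else {
                    seen[k] = $3
                }
            }
        }' "$1"
}

# Print the pinned key(s) of one host and key type (empty output = not pinned).
known_hosts_lookup() {
    # $1: file, $2: host name or address, $3: key type (e.g. ecdsa-sha2-nistp256)
    awk -v h="$2" -v t="$3" '
        /^[[:space:]]*(#|$)/ || $1 ~ /^[@|]/ { next }
        $2 == t {
            n = split($1, hosts, ",")
            for (i = 1; i <= n; i++) if (hosts[i] == h) print $3
        }' "$1"
}

# Constructed sample: 192.168.56.103 was scanned before and after "vagrant destroy",
# so its ecdsa key appears twice with different (fake) material.
make_sample_known_hosts() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not real key material
192.168.56.101 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIROCKYFAKE01
192.168.56.102,ubuntu ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIUBUNTUFAKE02
192.168.56.103 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAISUSEOLDFAKE03
192.168.56.103 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAISUSEFAKE03
192.168.56.103 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAISUSENEWFAKE03
@cert-authority 192.168.56.* ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCAFAKE
EOF
    echo "$f"
}

# Usage on real files: known_hosts_conflicts /etc/ssh/ssh_known_hosts
SAMPLE=$(make_sample_known_hosts)
echo "Hosts whose key changed:"
known_hosts_conflicts "$SAMPLE"
rm -f "$SAMPLE"
```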
--------------------------------------------------------------------------------
/A08/03_Centralizing_known_hosts.sh:
--------------------------------------------------------------------------------
#Working on ubuntu (in the .ssh folder)

#Remove the config and known_hosts files
rm config
rm known_hosts

#Show with ssh-keyscan what we get from the remote system
ssh-keyscan 192.168.56.103

#We can show a specific key type
ssh-keyscan -t ecdsa 192.168.56.103

#Now we store the keys in a central store (-a to append)
ssh-keyscan -t ecdsa 192.168.56.101 | sudo tee -a /etc/ssh/ssh_known_hosts

ssh-keyscan -t ecdsa 192.168.56.102 | sudo tee -a /etc/ssh/ssh_known_hosts

ssh-keyscan -t ecdsa 192.168.56.103 | sudo tee -a /etc/ssh/ssh_known_hosts

#We do not have a known_hosts file
ls

#But we can start an ssh session without being prompted to accept the key
ssh 192.168.56.103

exit

#Still we do not have a known_hosts file
ls

#Because we have a central store
cat /etc/ssh/ssh_known_hosts
--------------------------------------------------------------------------------
/A08/04_Authenticating_ssh_clients.sh:
--------------------------------------------------------------------------------
#Working on ubuntu

#What's in the .ssh directory
ls .ssh

#We create an ssh key pair with the defaults
ssh-keygen

#What's in the .ssh directory
ls .ssh

#We copy the public key to the remote system
ssh-copy-id 192.168.56.101

ssh 192.168.56.101

cat .ssh/authorized_keys #Show the key from ubuntu

exit

#To store the passphrase in the current bash session
eval $(ssh-agent) #eval reads the output of ssh-agent and sets the variables

ssh-add

#No prompt for the passphrase
ssh 192.168.56.101

exit

#Prepare for the openSUSE connection
ssh-copy-id 192.168.56.103

#No prompt for the passphrase
ssh 192.168.56.103
--------------------------------------------------------------------------------
/A08/05_Implementing_SSH_CA.sh:
--------------------------------------------------------------------------------
#Working on ubuntu in a root session

sudo su -

#We create a certificate authority key pair (-f to give a name)
ssh-keygen -f server_ca

#Check
ls

#We can cat the public key
cat server_ca.pub

#We copy the pub key to our central store
cat server_ca.pub >> /etc/ssh/ssh_known_hosts

#We mark it as a cert authority
vim /etc/ssh/ssh_known_hosts

#Prefix the appended line with '@cert-authority 192.168.56.* ' so it reads:
#@cert-authority 192.168.56.* ssh-rsa AAAA...

#Save and exit
--------------------------------------------------------------------------------
/A08/06_Signing_an_SSH_CA.sh:
--------------------------------------------------------------------------------
#Working on ubuntu in a root session

sudo su -

#We need to grab the host pub key from the remote systems
scp vagrant@192.168.56.101:/etc/ssh/ssh_host_rsa_key.pub rocky.pub

#Now we have the rocky.pub key locally
ls

#We are going to sign the key (-s the CA key that signs, -I the certificate identity, -h host certificate, -n the principal, -V the validity)
ssh-keygen -s server_ca -I rocky -h -n 192.168.56.101 -V +52w rocky.pub

#We now have the rocky-cert.pub certificate
ls

#We copy the certificate
scp rocky-cert.pub vagrant@192.168.56.101:/tmp/ssh_host_rsa_key-cert.pub

#SSH to rocky
ssh vagrant@192.168.56.101

#Start a root session
sudo su -

#Move the certificate (the file name must match the HostCertificate directive below)
mv /tmp/ssh_host_rsa_key-cert.pub /etc/ssh

#Add the config line
echo 'HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub' >> /etc/ssh/sshd_config

#Restart the service
systemctl restart sshd

#We disable SSH root login and set PasswordAuthentication to no
vim /etc/ssh/sshd_config

PasswordAuthentication no
PermitRootLogin no

#Save and exit

#Restart the service
systemctl restart sshd

#Exit the root and ssh session
exit
exit

#Let's edit the central known_hosts file
vim /etc/ssh/ssh_known_hosts

#We remove the rocky entry (ideally, we should also sign certs for ubuntu and opensuse)

#Save and exit

#Exit the root session
exit

#Test the SSH options
ssh -o PreferredAuthentications=none 192.168.56.101

#Start an ssh session
ssh -v 192.168.56.101

#In the output scroll up to see: Server host certificate
--------------------------------------------------------------------------------
/A09/01_su_Substitute_User.sh:
--------------------------------------------------------------------------------
#Working on ubuntu

#No password for root (this fails)
su

#Set the root password
sudo passwd root

#Switch to the root user
su

#Print the user and group IDs for the current user
id

#Print the current working directory
pwd

#Use ps to display information about the current shell
ps -f

#Exit the current shell, returning to the previous user
exit

#Switch to the root user, providing an environment similar to what the root user would expect if they logged in directly
su -l

#Print the current working directory
pwd

#Print the user and group IDs for the current user
id

#Use ps to display information about the current shell
ps -f

#Exit the current shell, returning to the previous user
exit

#Switch to the 'ubuntu' user, providing an environment similar to what the 'ubuntu' user would expect if they logged in directly
su -l ubuntu

#Use 'sudo' to switch to the 'ubuntu' user, providing an environment similar to what the 'ubuntu' user would expect if they logged in directly
sudo su - ubuntu

#Print the user and group IDs for the current user
id

#Use ps to display information about the current shell
ps -f

#Exit the current shell, returning to the previous user
exit

#Display the manual page for the 'su' command
man su

#Use 'sudo' to lock the root user's password, preventing the root user from logging in directly
sudo passwd -l root
--------------------------------------------------------------------------------
/A09/02_Using_sudo.sh:
--------------------------------------------------------------------------------
#Working on ubuntu

#List the commands the current user can execute as root using 'sudo'
sudo -l

#Use 'sudo' to create a new user named 'bob' with a home directory and bash as the default shell
sudo useradd -m bob -s /bin/bash

#Use 'sudo' to set or change the password for the 'bob' user
sudo passwd bob

#Print the user and group IDs for the 'bob' user
id bob

#Use 'sudo' to edit the 'sudoers' file, which controls which users can run what software on which machines as which other users
sudo visudo

#Use 'sudo' to edit the 'bob' file in the '/etc/sudoers.d' directory, which is an additional location for 'sudoers' configuration files
sudo visudo -f /etc/sudoers.d/bob
#bob ALL=(root) /bin/passwd, !/usr/bin/passwd root
#Be careful with the syntax
#bob ALL(root) /bin/passwd, !/usr/bin/passwd root -> will not work (the '=' is missing)

#Switch to the 'bob' user, providing an environment similar to what the 'bob' user would expect if they logged in directly
su -l bob

#List the commands the current user can execute as root using 'sudo'
sudo -l

#Use 'sudo' to set or change the password for the 'ubuntu' user
sudo passwd ubuntu

#Use 'sudo' to set or change the password for the 'root' user
sudo passwd root

#List the commands the current user can execute as root using 'sudo'
sudo -l

#Invalidate the current user's timestamp by resetting the user's sudo timer
sudo -k

#List the commands the current user can execute as root using 'sudo' (asks for the password again)
sudo -l
--------------------------------------------------------------------------------
/A09/03_Using_another_editor.sh:
--------------------------------------------------------------------------------
#Working on ubuntu

#Use 'sudo' to edit the 'sudoers' file, which controls which users can run what software on which machines as which other users
sudo visudo

#Set the 'EDITOR' environment variable to 'vim', which changes the default editor for commands like 'visudo'
export EDITOR=vim

#Use 'sudo' and 'vim' (as specified by the 'EDITOR' environment variable) to edit the 'defaults' file in the '/etc/sudoers.d' directory
sudo visudo -f /etc/sudoers.d/defaults

#In the 'defaults' file, add 'EDITOR' to the 'env_keep' option, which specifies environment variables to be preserved when running commands as root
Defaults env_keep += "EDITOR"

#Use 'sudo' to edit the 'sudoers' file again, this time using 'vim' as the editor because of the 'EDITOR' environment variable
sudo visudo
--------------------------------------------------------------------------------
/A09/04_Using_Polkit_(Formerly_PolicyKit).sh:
--------------------------------------------------------------------------------
#Working on ubuntu

#Display the manual page for 'polkit'
man polkit

#Use 'sudo' to display the contents of the '51-ubuntu-admin.conf' file in the '/etc/polkit-1/localauthority.conf.d' directory
sudo cat /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf

#Print the user and group IDs for the current user
id

#Use 'sudo' to add the 'vagrant' user to the 'sudo' group
sudo usermod -aG sudo vagrant

#Print the user and group IDs for the current user (the new group shows up only after a new login)
id

exit

#Start a new SSH session

#Change a line
sudo visudo

#Break sudo on purpose (introduce a syntax error in the sudoers file)
sudo visudo

#Print the PID of the current shell (needed for pkttyagent below)
echo $$

#Start a new terminal and SSH session
#In the new terminal, register an authentication agent for the original shell (replace the placeholder with the PID printed above)
pkttyagent -p <PID>

#Switch to the original SSH session and repair the sudoers file through polkit
pkexec visudo

#Switch to the new session and choose the account/password
--------------------------------------------------------------------------------
/A10/01_Listing_users.sh:
--------------------------------------------------------------------------------
#Working on rocky

#List the users
cat /etc/passwd

#Check the man pages
man 5 passwd

#If the man pages are not available
sudo mandb

sudo dnf install -y man-pages man-db man

sudo mandb

#Check the database
getent passwd vagrant

#Check the order of the sources
grep passwd /etc/nsswitch.conf

#Search for vagrant
grep vagrant /etc/passwd

#Use cut to print the first and third fields
cut -f1,3 -d: /etc/passwd | grep vagrant

#Use awk to print the first and third fields
awk -F: '/vagrant/ { print $1 " " $3}' /etc/passwd
--------------------------------------------------------------------------------
/A10/02_Managing_new_users.sh:
--------------------------------------------------------------------------------
#Working on rocky with a root session

sudo -i

#The defaults
useradd -D

#Create a user with the defaults
useradd u1

#The ids for the user
id u1

#The user's home
ls /home

#Create a user without a home directory
useradd -M u1a

#The users' homes
ls /home

#Search also in the database
getent passwd u1

#The defaults are also stored in a file
useradd -D

cat /etc/default/useradd

#But there are more defaults
grep -E '^(CREATE_HOME|USERGROUPS_ENAB)' /etc/login.defs

#Edit the config file
vim /etc/login.defs

#Set CREATE_HOME no

#Save and exit

#Create another user (no home directory now)
useradd u1b

#The users' homes
ls /home

#We can override the defaults
useradd -m -G wheel -c 'user two' u2

#Let's verify
ls /home

id u2
--------------------------------------------------------------------------------
/A10/03_Modifying_deleting_users.sh:
--------------------------------------------------------------------------------
#Working on rocky in a root session

sudo -i

#Change some user settings
usermod -c 'User One' -aG wheel -g users u1

id u1

#List the user u1
getent passwd u1

#Delete a user
userdel u1

#What is not removed from the user u1
ls -l /home

#Find the orphaned files
find /home /var -nouser

#And delete the findings
find /home /var -nouser -delete

#Delete u2 with -r
userdel -r u2

#Nothing left
find /home /var -nouser
--------------------------------------------------------------------------------
/A10/04_Working_shadow_data.sh:
--------------------------------------------------------------------------------
#Working on rocky

#The shadow file (does not work)
cat /etc/shadow

cat /etc/passwd

#The shadow file with getent
getent shadow #does not work

sudo getent shadow

#Let's look at a specific user
sudo getent shadow vagrant

#What do these fields mean
man 5 shadow

#The info in readable form
chage -l $USER

#Set/change a password
sudo passwd vagrant

#The info in readable form
chage -l $USER

#Let's look at a specific user
sudo getent shadow vagrant

#What about 19079: the third field counts days since 1970-01-01, so convert it to a date
date --date "@$((19079 * 86400))"
--------------------------------------------------------------------------------
/A10/05_Working_passwords_understanding_authentication.sh:
--------------------------------------------------------------------------------
#Working on rocky in a root session

sudo -i

#The vagrant user (the values between $)
sudo getent shadow vagrant

#Let's look a bit closer (the hash ends at the next ':')
awk -F'$' '/^vagrant:/ { split($4, rest, ":"); print "alg: " $2 "\nsalt: " $3 "\nPassword: " rest[1] }' /etc/shadow

#The salt and password combined = hash
openssl passwd -6 -salt V06vZn2mmoattvpA P@ssw0rd

#Change one character and we get a completely new hash
openssl passwd -6 -salt V06vZn2mmoattvpA P@ssword

#Do not specify any salt to get randomized hashes
openssl passwd -6 P@ssword

openssl passwd -6 P@ssword

openssl passwd -6 P@ssword
--------------------------------------------------------------------------------
/A10/06_Managing_user_passwords.sh:
--------------------------------------------------------------------------------
#Working on rocky in a root session

sudo -i

#The password settings
vim /etc/login.defs

#We can set for example PASS_MAX_DAYS 90

#Save and exit

#Edit the useradd defaults
vim /etc/default/useradd

#Set INACTIVE=14

#Create a new user
useradd -m u99

echo "P@ssw0rd" | passwd u99 --stdin

#Another way to set the password
echo "u99:P@ssw0rd" | chpasswd

#Show the info
chage -l u99

#Override the defaults
chage -M 99999 -m 0 -E -1 -I -1 u99

#Bypass the restrictions in login.defs (system account)
useradd -r u3

echo "P@ssw0rd" | passwd u3 --stdin

chage -l u3
--------------------------------------------------------------------------------
/A10/07_Managing_linux_groups.sh:
--------------------------------------------------------------------------------
#Working on rocky in a root session

sudo -i

#Group membership
id vagrant

id u99

#Create some groups
groupadd mkt
groupadd sales

#Did it work
getent group

cat /etc/group

#Change group membership (this overrides the supplementary groups)
usermod -G sales u99

id u99

usermod -G mkt u99

id u99

#To append
usermod -aG sales u99

id u99

#Delete a group
groupdel sales

id u99
--------------------------------------------------------------------------------
/A10/08_Working_group_passwords_admins.sh:
--------------------------------------------------------------------------------
#Working on the rocky system

#Add a new group named 'ops' with root privileges
sudo groupadd ops

#Start a shell with the group ID of 'ops' (not a member yet)
newgrp ops

#Set the password for the 'ops' group with root privileges
sudo gpasswd ops

#Start a shell with the group ID of 'ops' after setting the password
newgrp ops

#Print the user identifier, group identifier, and groups for 'vagrant'
id vagrant

#With the group password set, the group changes to a self-service model

#Add the 'vagrant' user to the 'ops' group with root privileges
sudo gpasswd -a vagrant ops

#Set the 'vagrant' user as an administrator of the 'ops' group with root privileges
sudo gpasswd -A vagrant ops

#Add 'user1' to the 'ops' group (as group administrator, no sudo needed)
gpasswd -a user1 ops

#Get the 'ops' group entry from the group database
getent group ops

#Search for 'ops' in the gshadow file with root privileges
sudo grep ops /etc/gshadow
--------------------------------------------------------------------------------
/A11/01_Installing_apache.sh:
--------------------------------------------------------------------------------
#Working on ubuntu in a root session

sudo -i

#Check the hostname
hostnamectl

#The hostname can be resolved by systemd-resolved
ping ubuntu

#There is probably no entry for ubuntu
grep ubuntu /etc/hosts

cat /etc/hosts

#The hostname ubuntu is resolved through the DNS stub resolver on 127.0.0.53
dig ubuntu

#Check the open ports
ss -ntl

ss -ntlp

#Update metadata
apt update

#Install apache2 (httpd in centos) and a CLI browser
apt install -y apache2 w3m

#Use the browser
w3m localhost

#Show listening TCP ports, port 80 (HTTP) will be open
ss -ntl

ss -ntlp
--------------------------------------------------------------------------------
/A11/02_Configuring_SSL_apache.sh:
--------------------------------------------------------------------------------
#Working on ubuntu in a root session

sudo -i

#There are a lot of config files
tree /etc/apache2/

tree /etc/apache2/ | tail #Sites available and/or enabled

#Enable the ssl module
a2enmod ssl

#List the files
ls /etc/apache2/mods-enabled

ls -l /etc/apache2/mods-enabled

#Generate a self-signed certificate and its key
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/ubuntu.key -out /etc/ssl/certs/ubuntu.crt #Interactive prompts, enter the correct CN (Common Name)

#Let's verify
ls /etc/ssl/private

ls /etc/ssl/certs

#We have to edit the apache config file
vim /etc/apache2/sites-available/default-ssl.conf
ServerName ubuntu #Under ServerAdmin
SSLCertificateKeyFile /etc/ssl/private/ubuntu.key
SSLCertificateFile /etc/ssl/certs/ubuntu.crt

#Enable the default-ssl site
a2ensite default-ssl

#Restart the service
systemctl restart apache2

#Test with the browser
w3m https://ubuntu:443

#Accept the self-signed cert

#This will show a message about the cert (the name localhost does not match the CN)
w3m https://localhost:443
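An added check for the default-ssl.conf edits of A11/02 (not part of this repository): it reads the directives the script sets and flags a private key that is readable by group or others, a site still on Debian's snakeoil placeholder certificate, or a missing ServerName. The sample site, key and certificate files are constructed placeholders; `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not part of the repository): sanity-check the default-ssl.conf
# edits from A11/02. The sample site, key and certificate files are constructed
# placeholders; "stat -c" assumes GNU coreutils (Linux).

# First value of an Apache directive in a site file (commented lines do not match).
apache_directive() {
    # $1: site file, $2: directive name
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Print one finding per line for the TLS vhost; no output means nothing was found.
check_ssl_site() {
    conf=$1
    name=$(apache_directive "$conf" ServerName)
    key=$(apache_directive "$conf" SSLCertificateKeyFile)
    crt=$(apache_directive "$conf" SSLCertificateFile)

    [ -n "$name" ] || echo "ServerName missing: clients cannot match the certificate CN"
    [ -n "$key" ] || echo "SSLCertificateKeyFile missing"
    [ -n "$crt" ] || echo "SSLCertificateFile missing"

    case $crt in
        */ssl-cert-snakeoil.pem) echo "still using the snakeoil placeholder certificate $crt" ;;
    esac
    [ -z "$crt" ] || [ -f "$crt" ] || echo "certificate file $crt not found"

    if [ -n "$key" ]; then
        if [ ! -f "$key" ]; then
            echo "key file $key not found"
        else
            mode=$(stat -c '%a' "$key")
            case $mode in
                *00) ;;   # owner-only (600/400): fine
                *)   echo "key file $key mode $mode is readable by group or others" ;;
            esac
        fi
    fi
}

# Constructed sample mirroring the script's edits, with the key left world-readable.
make_sample_site() {
    dir=$(mktemp -d)
    echo 'placeholder key' > "$dir/ubuntu.key"
    echo 'placeholder certificate' > "$dir/ubuntu.crt"
    chmod 644 "$dir/ubuntu.key"
    cat > "$dir/default-ssl.conf" <<EOF
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        ServerName ubuntu
        DocumentRoot /var/www/html
        SSLEngine on
        SSLCertificateFile $dir/ubuntu.crt
        SSLCertificateKeyFile $dir/ubuntu.key
    </VirtualHost>
</IfModule>
EOF
    echo "$dir"
}

# Usage on the real file: check_ssl_site /etc/apache2/sites-available/default-ssl.conf
D=$(make_sample_site)
echo "Findings before chmod 600:"
check_ssl_site "$D/default-ssl.conf"
chmod 600 "$D/ubuntu.key"
echo "Findings after chmod 600:"
check_ssl_site "$D/default-ssl.conf"
rm -rf "$D"
```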
--------------------------------------------------------------------------------
/A11/03_Redirect_HTTP_HTTPS.sh:
--------------------------------------------------------------------------------
#Working on ubuntu in a root session

sudo -i

#Check the apache config
apachectl configtest

#Let's configure 000-default.conf (replace everything inside the VirtualHost block with:)
vim /etc/apache2/sites-available/000-default.conf

<VirtualHost *:80>
ServerName ubuntu
Redirect / https://ubuntu/
</VirtualHost>

#Save and exit

#Restart the service
systemctl restart apache2

#Test
w3m http://ubuntu

#We are redirected to https
--------------------------------------------------------------------------------
/A11/04_Investigating_certificate_chain.sh:
--------------------------------------------------------------------------------
#Working on ubuntu

#s_client keeps the connection open; it ends when the server times it out (or press Ctrl+C)
openssl s_client -connect ubuntu:443

#The same, but also print every certificate the server sends (PEM)
openssl s_client -connect ubuntu:443 -showcerts

#Let's use less
openssl s_client -connect ubuntu:443 -showcerts | less

#Investigate a public site: unlike our self-signed server it sends a chain (leaf plus intermediate CA certificate)
openssl s_client -connect admin.ch:443 -showcerts | less
--------------------------------------------------------------------------------
/A12/01_Creating_CA.sh:
--------------------------------------------------------------------------------
#Working on rocky in a root session

sudo -i

#Create a private directory
mkdir -m 700 ca

cd ca

pwd

ls -a

#First we create the private key (AES-256 encrypted, you will be asked for a passphrase)
openssl genrsa -aes256 -out myca.key 4096

ls -a

file myca.key

#Then the self-signed CA certificate (the common name is just a label here)
openssl req -x509 -new -key myca.key -sha256 -days 3650 -out myca.crt

ls -a

file myca.crt

#Now we copy the CA certificate into the anchors directory so that the trust store can be updated
cp myca.crt \
  /etc/pki/ca-trust/source/anchors/

ls -l /etc/pki/ca-trust/source/anchors/

#The extracted (consolidated) trust stores are kept here
ls -l /etc/pki/ca-trust/extracted/

#Now we update the trust store
update-ca-trust extract #This command rebuilds the files under extracted/ from the sources in /etc/pki/ca-trust/source/anchors/
--------------------------------------------------------------------------------
/A12/02_Creating_certificate_signing_request.sh:
--------------------------------------------------------------------------------
#Working on ubuntu in a root session

sudo -i

#Generate a private key (this overwrites the key from A11/02; the default size is 2048 bits)
openssl genrsa -out /etc/ssl/private/ubuntu.key

#Create a certificate signing request
openssl req -new -key /etc/ssl/private/ubuntu.key -out /tmp/ubuntu.csr #Set the Common Name to ubuntu

#Check the file
file /tmp/ubuntu.csr

#Set a password for vagrant
passwd vagrant

#Search for PasswordAuthentication (the cloud image disables it in a drop-in file)
sudo grep -R 'PasswordAuthentication' /etc/ssh/

#We set PasswordAuthentication to yes so that scp can use the password (lab convenience only; prefer keys and turn it back off afterwards)
sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/' /etc/ssh/sshd_config

sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/' /etc/ssh/sshd_config.d/60-cloudimg-settings.conf

#Restart the service
systemctl restart sshd
--------------------------------------------------------------------------------
/A12/03_Signing_the_csr.sh:
--------------------------------------------------------------------------------
#Working on rocky in a root session in the ca directory

sudo -i

#sudo -i starts in /root, so change into the CA directory first
cd /root/ca

pwd

ls

#Copy the csr file
scp vagrant@192.168.56.102:/tmp/ubuntu.csr /root/ca

ls

#Sign the csr with the CA (you will be asked for the CA key passphrase)
#Note: without -extfile the certificate gets no subjectAltName; OpenSSL-based clients such as w3m and curl fall back to the CN, but Chrome and current Firefox require a SAN
openssl x509 -req -in ubuntu.csr -CA myca.crt -CAkey myca.key -CAcreateserial -out ubuntu.crt -days 365 -sha256

#Copy the certificates (server cert and CA cert) to ubuntu
scp ubuntu.crt myca.crt \
  vagrant@192.168.56.102:/tmp/
--------------------------------------------------------------------------------
/A12/04_Configuring_apache_ca_certificate.sh:
--------------------------------------------------------------------------------
#Working on ubuntu in a root session

sudo -i

ls /tmp

#Copy the certificates (for apache to use)
cp /tmp/ubuntu.crt /tmp/myca.crt /etc/ssl/certs/

#Copy the CA certificate into the local trust source (update-ca-certificates only picks up .crt files here)
cp /tmp/myca.crt /usr/local/share/ca-certificates/

#Update the trust store
update-ca-certificates

#Edit the default conf file
vim /etc/apache2/sites-available/default-ssl.conf

SSLCertificateFile /etc/ssl/certs/ubuntu.crt
SSLCertificateKeyFile /etc/ssl/private/ubuntu.key
SSLCertificateChainFile /etc/ssl/certs/myca.crt #Deprecated since Apache 2.4.8 but still honoured; alternatively append the chain to the SSLCertificateFile

#Save and exit

#Restart the apache service
systemctl restart apache2

#Check the config (the CA is trusted now and the CN matches)
w3m https://ubuntu

#On the rocky system

vim /etc/hosts #Add the ubuntu IP address and hostname

#Save and exit

dnf install -y epel-release #Install the epel-release package

dnf install -y w3m #Install the w3m package

#Check the config (the CA was added to the anchors in A12/01)
w3m https://ubuntu
--------------------------------------------------------------------------------
/A13/01_Installing_OpenLDAP.sh:
--------------------------------------------------------------------------------
#Working on ubuntu

#Set the FQDN (OpenLDAP derives the base DN from the DNS suffix, here dc=example,dc=com)
sudo hostnamectl set-hostname ubuntu.example.com

#Check
hostnamectl

#Edit the hosts file
sudo vim /etc/hosts

192.168.56.102 ubuntu.example.com ubuntu

#Save and exit

#Test
ping -c 3 ubuntu

#Install OpenLDAP
sudo apt update

sudo apt install -y slapd ldap-utils #The installer asks for the LDAP admin password

#Check the open ports (389/tcp should now be listening)
ss -ntl

#Whoami (-x Use simple authentication
#instead of SASL (Simple Authentication and Security Layer)); this is an anonymous bind, so the answer is "anonymous"
ldapwhoami -x

#Bind as root over the unix socket; the identity comes from the peer credentials
ldapwhoami -Q -Y EXTERNAL -H ldapi:/// # -Q Enable SASL quiet mode; -Y Specify the SASL mechanism to be used for authentication; -H ldapuri

#LDAP search, return only the cn attribute of every entry under the base
ldapsearch -x -b dc=example,dc=com cn # -x Use simple authentication; -b search base; cn = Common Name (attribute to return)
--------------------------------------------------------------------------------
/A13/02_Adding_searching_entries_openldap.sh:
--------------------------------------------------------------------------------
#Working on ubuntu

#Create an ldif file (LDAP Data Interchange Format)
vim user.ldif

#Copy the content from the example file

#Save and exit

#Add the entries (OUs, group and user)
ldapadd -x -D cn=admin,dc=example,dc=com -W -f user.ldif # -x Use simple authentication; -D Bind with this Distinguished Name; -W Prompt for the bind password; -f file

#Search
ldapsearch -x -b dc=example,dc=com '(objectClass=inetOrgPerson)' cn

ldapsearch -x -b dc=example,dc=com '(objectClass=posixGroup)'

#Set the password for the user (attention: first we have to enter the new user password, after that the admin password)
ldappasswd -x -D cn=admin,dc=example,dc=com -S uid=john,ou=People,dc=example,dc=com -W # -S Prompt for the new password; -W Prompt for the bind password
--------------------------------------------------------------------------------
/A13/03_Configuring_StartTLS_openldap.sh:
--------------------------------------------------------------------------------
#Working on ubuntu in a root session

sudo -i

#Copy the certificates into the ldap directory
cp /etc/ssl/certs/{myca,ubuntu}.crt /etc/ldap

#Copy the private key into the ldap directory
cp /etc/ssl/private/ubuntu.key /etc/ldap

#Change the group of the private key so that slapd (running as openldap) can read it
chgrp openldap /etc/ldap/ubuntu.key

#Change the permissions (owner rw, group r, nothing for others)
chmod -v 640 \
  /etc/ldap/ubuntu.key

#Create the ldif file
vim tls.ldif

#Copy the content from the example file

#Save and exit

#Apply the change to the live config (cn=config)
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f tls.ldif # -Q Enable SASL quiet mode; -Y SASL mechanism for authentication; -H ldapuri

#Test
ldapwhoami -x -ZZ -H ldap://ubuntu # -ZZ require StartTLS and fail if it cannot be established

#Does not work: without -H the default URI from /etc/ldap/ldap.conf is used, and the certificate was issued for ubuntu, not localhost
ldapwhoami -x -ZZ
--------------------------------------------------------------------------------
/A13/04_Configuring_sssd_ubuntu.sh:
--------------------------------------------------------------------------------
#Working on ubuntu

#Install the tools
sudo apt install -y sssd-ldap

#Update the pam config so that home directories are created on first login
sudo pam-auth-update --enable mkhomedir

#Copy an sssd config template
sudo cp /usr/lib/x86_64-linux-gnu/sssd/conf/sssd.conf /etc/sssd/sssd.conf

#Change owner and permissions (sssd refuses to start if the file is readable by others)
sudo chown root:root /etc/sssd/sssd.conf

sudo chmod 0600 /etc/sssd/sssd.conf

sudo systemctl start sssd

#Edit the config file
sudo vim /etc/sssd/sssd.conf

#Copy the content from the example file

#Save and exit

#Restart the sssd service
sudo systemctl restart sssd

#Does it work?
su - john

pwd

id
--------------------------------------------------------------------------------
/A13/05_Configuring_sssd_rocky.sh:
--------------------------------------------------------------------------------
#Working on rocky

#Install the tools
sudo dnf install -y sssd sssd-ldap oddjob oddjob-mkhomedir

#We need to be able to resolve the ubuntu system
echo '192.168.56.102 ubuntu' | sudo tee -a /etc/hosts

ping ubuntu

#Select the pam/nsswitch profile (the first call may refuse because the existing files are not authselect-managed; --force overwrites them)
sudo authselect select sssd with-mkhomedir

sudo authselect select sssd with-mkhomedir --force

#We must enable the oddjobd service (it creates the home directories for pam_oddjob_mkhomedir)
sudo systemctl enable --now oddjobd

#Create the sssd config file
sudo vim /etc/sssd/sssd.conf

#Copy the content from the example file

#Save and exit

#Change the permissions (sssd refuses to start if the file is readable by others)
sudo chmod -v 600 /etc/sssd/sssd.conf
sudo chown root:root /etc/sssd/sssd.conf

#Enable and start the sssd service
sudo systemctl enable --now sssd

#and restart after any config change
sudo systemctl restart sssd

#Test
su - john

pwd

id
--------------------------------------------------------------------------------
/A13/rockysssd.txt:
--------------------------------------------------------------------------------
[sssd]
domains = example.com
services = nss, pam
[nss]

[pam]

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ubuntu
cache_credentials = True
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = true
--------------------------------------------------------------------------------
/A13/tls.ldif:
--------------------------------------------------------------------------------
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/myca.crt
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ubuntu.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ubuntu.key
--------------------------------------------------------------------------------
/A13/ubuntusssd.txt:
--------------------------------------------------------------------------------
[sssd]
domains = shadowutils, example.com

[nss]

[pam]

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ubuntu
cache_credentials = True
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = true

[domain/shadowutils]
id_provider = files

auth_provider = proxy
proxy_pam_target = sssd-shadowutils

proxy_fast_alias = True
--------------------------------------------------------------------------------
/A13/user.ldif:
--------------------------------------------------------------------------------
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: staff
gidNumber: 5000

dn: uid=john,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Wick
givenName: John
cn: John Wick
displayName: John Wick
uidNumber: 10000
gidNumber: 5000
# placeholder hash that matches no password; the real one is set with ldappasswd in A13/02
userPassword: {CRYPT}x
gecos: John Wick
loginShell: /bin/bash
homeDirectory: /home/john
--------------------------------------------------------------------------------
/A14/00_Very_important.md:
--------------------------------------------------------------------------------
# Hardening Linux systems

## Please note the following points

The hardening of Linux systems must be considered individually.
There is no generally applicable solution.

1. First find out exactly what information you need about the system to be hardened (services, ports, processes, etc.).
2. Talk to the person responsible for the system.
3. Create a plan/concept of how you want to proceed. Make a note of the steps (also snapshots, backups, etc.) so that you can return to a functioning state in an emergency.
4. Check after each step whether the system is still working 100%.
--------------------------------------------------------------------------------
/A14/01_Checking_listening_ports.sh:
--------------------------------------------------------------------------------
#Working on ubuntu

#List the listening TCP ports
ss -ntl

#List the listening ports and the process behind each (needs root to see other users' processes)
sudo ss -ntlp

#Specifically for ssh
ss -l '( sport = :ssh )'

#List the IP addresses
ip a sh

#Let's configure ssh to listen on one address family and one address only
sudo vim /etc/ssh/sshd_config

AddressFamily inet
ListenAddress 10.0.2.15

#Save and exit

#Restart the service (note: sshd no longer listens on 192.168.56.102 afterwards, only on the NAT address)
sudo systemctl restart sshd

#Check again
ss -l '(sport = :ssh)'
--------------------------------------------------------------------------------
/A14/02_Removing_extra_services.sh:
--------------------------------------------------------------------------------
#Working on ubuntu

#Show the running units as a cgroup tree
sudo systemctl status

#Disable and stop atd
sudo systemctl disable --now atd

#Which package installed atd?
dpkg -S atd

#Remove the at package
sudo apt purge at

#Also the dependencies nobody needs any more
sudo apt autoremove

#Don't forget to check the MAC system
sudo apparmor_status

sudo apparmor_status | less

sudo getenforce #On Red Hat based systems
--------------------------------------------------------------------------------
/A14/03_Securing_ICMP_using_sysctl.sh:
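The A14/03 script that follows makes the ICMP setting persistent with a drop-in file under /etc/sysctl.d and `sysctl --system`. Which file wins when the same key appears several times is easy to get wrong, so here is an added example (not from the course repository) that implements the precedence rules of sysctl.d(5) in shell: earlier directories shadow later ones for files of the same name, the remaining files are applied in lexical order with the last assignment winning, and /etc/sysctl.conf is applied last of all. It runs against a constructed config tree under a temporary root, so it touches nothing on the real system; the file names and values in that tree are made up for the demo, and `/`-style key names and the `-` error-suppression prefix are not handled.

```shell
#!/bin/sh
# Added example, not from the course repo. Resolves the value "sysctl --system"
# would end up applying for one key. $2 is an optional root prefix so that the
# function can be run against a constructed tree instead of the real /etc.
set -eu

sysctl_effective() {              # $1 = key, $2 = root prefix (default: "")
    key="$1"; root="${2:-}"
    winners=$(mktemp)
    # directories in search order; the first one providing a basename wins
    for d in "$root/etc/sysctl.d" "$root/run/sysctl.d" "$root/usr/local/lib/sysctl.d" \
             "$root/usr/lib/sysctl.d" "$root/lib/sysctl.d"; do
        for f in "$d"/*.conf; do
            [ -f "$f" ] || continue
            base=$(basename "$f")
            grep -q "^$base " "$winners" || printf '%s %s\n' "$base" "$f" >> "$winners"
        done
    done
    value=""
    # surviving files in lexical order by basename, then /etc/sysctl.conf; last assignment wins
    for f in $(sort "$winners" | cut -d' ' -f2) "$root/etc/sysctl.conf"; do
        [ -f "$f" ] || continue
        v=$(grep -E "^[[:space:]]*$key[[:space:]]*=" "$f" | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//')
        [ -n "$v" ] && value="$v"
    done
    rm -f "$winners"
    printf '%s\n' "$value"
}

# Constructed config tree for the demo (not real system files).
make_demo_tree() {                # $1 = root prefix
    mkdir -p "$1/etc/sysctl.d" "$1/run/sysctl.d" "$1/usr/lib/sysctl.d"
    echo 'net.ipv4.icmp_echo_ignore_all = 0' > "$1/usr/lib/sysctl.d/50-default.conf"
    echo 'net.ipv4.icmp_echo_ignore_all = 0' > "$1/run/sysctl.d/99-icmp.conf"   # shadowed by /etc
    echo 'net.ipv4.icmp_echo_ignore_all = 1' > "$1/etc/sysctl.d/99-icmp.conf"   # the course's file
}

# Demo run
DEMO=$(mktemp -d)
make_demo_tree "$DEMO"
echo "drop-in only:        $(sysctl_effective net.ipv4.icmp_echo_ignore_all "$DEMO")"
echo 'net.ipv4.icmp_echo_ignore_all = 0' > "$DEMO/etc/sysctl.conf"
echo "plus /etc/sysctl.conf: $(sysctl_effective net.ipv4.icmp_echo_ignore_all "$DEMO")"
```

Called with an empty root, `sysctl_effective net.ipv4.icmp_echo_ignore_all`, it reads the real directories; comparing its answer with `sysctl -n net.ipv4.icmp_echo_ignore_all` shows whether a runtime `sysctl -w` has drifted from what will come back at the next boot.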
--------------------------------------------------------------------------------
#Working on ubuntu

#List the kernel settings
sysctl -a

#Search for icmp (we are after net.ipv4.icmp_echo_ignore_all)
sysctl -ar 'icmp'

#Ping works fine
ping localhost

#But if we change the setting (at runtime only, this is not persistent)
sudo sysctl -w net.ipv4.icmp_echo_ignore_all=1

#The ping gets no replies
ping localhost

#Set it back
sudo sysctl net.ipv4.icmp_echo_ignore_all=0

#To make the change persistent, create a drop-in file (applied at boot)
sudo vim /etc/sysctl.d/99-icmp.conf

net.ipv4.icmp_echo_ignore_all=1

#Save and exit

#This re-reads all sysctl config files in the same order as at boot
sudo sysctl --system

#We check
sysctl -ar 'icmp'

#The setting is active: echo requests are ignored
ping localhost
--------------------------------------------------------------------------------
/A14/04_Listing_user_details.sh:
--------------------------------------------------------------------------------
#Working on ubuntu

#Login history of all users (from /var/log/wtmp)
last

#Last login time for every account
lastlog

#Narrow it down to accounts that have logged in
lastlog | grep -v "Never logged in"

#List the regular accounts (uid >= 1000) with awk; nobody (uid 65534) is excluded
awk -F: '{ if ($3 >= 1000 && $3 != 65534) print $1 }' /etc/passwd

#With a loop: last login and last password change per account
for u in $(awk -F: '{ if ($3 >= 1000 && $3 != 65534) print $1 }' /etc/passwd); do
    echo $u
    lastlog -u $u
    sudo chage -l $u | grep '^Last'
done
--------------------------------------------------------------------------------
/A14/05_Locking_failed_login_attemps.sh:
--------------------------------------------------------------------------------
#Working on ubuntu

#We need a test account
sudo passwd ubuntu

#Test the login
su - ubuntu

exit

#Install the package (pam_faillock is part of libpam-modules, which is normally already installed)
sudo apt install libpam-modules

#Check the man page
man pam_faillock

#Edit the file
sudo vim /etc/pam.d/common-auth

#The first line
#(if you remove "silent", the user is told that the account is locked); unlock_time is in seconds
auth required pam_faillock.so preauth audit silent deny=3 unlock_time=300

#These lines go after pam_unix.so and before "auth requisite pam_deny.so"
auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=300
auth sufficient pam_faillock.so authsucc audit deny=3 unlock_time=300

#Save and exit

#Edit the file
sudo vim /etc/pam.d/common-account

#At the end
account required pam_faillock.so

#Log on as ubuntu more than 3 times with a wrong password: the account is then locked for 300 seconds (root is not locked unless even_deny_root is set)
su - ubuntu
--------------------------------------------------------------------------------
/A15/01_Basic_firewall_management.sh:
--------------------------------------------------------------------------------
#Working on rocky in a root session

sudo -i

#Is firewalld running?
firewall-cmd --state

#The active configuration of the default zone
firewall-cmd --list-all

#Check with systemctl
systemctl status firewalld

#Enable and start the service (AllowZoneDrifting in firewalld.conf is discussed later)
systemctl enable --now firewalld

#The status
firewall-cmd --state

#The status
firewall-cmd --list-all

#Output: the public zone with both interfaces bound to it

#List the permanent config
firewall-cmd --list-all --permanent

#The default config and the XML templates for zones and services
ls /usr/lib/firewalld/

#Changes to the defaults are stored in
ls /etc/firewalld

#The zone config
ls /etc/firewalld/zones/
--------------------------------------------------------------------------------
/A15/02_Adding_removing_services.sh:
--------------------------------------------------------------------------------
#Working on rocky in a root session

#List the info
firewall-cmd --list-all

#The firewalld.conf file (look for AllowZoneDrifting)
vim /etc/firewalld/firewalld.conf

#List the info
firewall-cmd --list-all

#We do not need some services
firewall-cmd --remove-service=cockpit

firewall-cmd --remove-service=dhcpv6-client

#Install apache
dnf install -y httpd

#Start the service
systemctl enable --now httpd

#From the remote system: no answer, port 80 is not open yet
curl 192.168.56.101

#Add http (runtime only)
firewall-cmd --add-service=http

firewall-cmd --list-all

#From the remote system: works now
curl 192.168.56.101

#List the persistent config (http is not in it yet)
firewall-cmd --list-all --permanent

#Make the runtime config persistent
firewall-cmd --runtime-to-permanent
--------------------------------------------------------------------------------
/A15/03_Adding_source_addresses.sh:
--------------------------------------------------------------------------------
#Working on rocky in a root session

#Remove http
firewall-cmd --remove-service=http

#Make it persistent
firewall-cmd --runtime-to-permanent

#List the zones that have an interface or a source bound to them
firewall-cmd --get-active-zones

firewall-cmd --get-default-zone

#The internal zone
firewall-cmd --zone=internal --list-all

#We do not need some services
firewall-cmd --zone=internal --remove-service=cockpit

firewall-cmd --zone=internal --remove-service=dhcpv6-client

firewall-cmd --zone=internal --remove-service=mdns

firewall-cmd --zone=internal --remove-service=samba-client

#Add http
firewall-cmd --zone=internal --add-service=http

firewall-cmd --get-active-zones

firewall-cmd --get-default-zone

#Add a source: packets from this network are now handled by the internal zone instead of the default zone
firewall-cmd --zone=internal --add-source=192.168.56.0/24

firewall-cmd --get-active-zones

#Check from the remote system (it is in 192.168.56.0/24, so http is allowed)
curl 192.168.56.101

ip a sh

#Make it persistent
firewall-cmd --runtime-to-permanent
--------------------------------------------------------------------------------
/A15/04_Editing_service_definitions.sh:
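A15/04, which follows, copies http.xml into /etc/firewalld/services and edits it; the repository elides the edited XML. As an added example, not from the course repository, the script below writes a complete service definition in the format firewalld uses under /usr/lib/firewalld/services and reads the port list back out of such a file. The service name webapp, its ports and the temporary directory are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the course repo: write a firewalld service definition
# (the XML format used under /usr/lib/firewalld/services and /etc/firewalld/services)
# and list the ports a service file opens. Service name "webapp" and its ports are demo values.
set -eu

# $1 = output file, $2 = short name, $3 = description, remaining args = proto/port (e.g. tcp/8080)
write_service_xml() {
    out="$1"; short="$2"; desc="$3"; shift 3
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n  <description>%s</description>\n' "$short" "$desc"
        for pp in "$@"; do
            # ${pp%/*} is the protocol, ${pp#*/} the port or port range
            printf '  <port protocol="%s" port="%s"/>\n' "${pp%/*}" "${pp#*/}"
        done
        printf '</service>\n'
    } > "$out"
}

# Prints proto/port for every <port> element in a service file, one per line.
service_ports() {                 # $1 = service xml file
    sed -n 's/.*<port protocol="\([a-z]*\)" port="\([0-9-]*\)".*/\1\/\2/p' "$1"
}

# Demo run
DEMO=$(mktemp -d)
write_service_xml "$DEMO/webapp.xml" "Web app" "Demo web application" tcp/8080 tcp/8443
cat "$DEMO/webapp.xml"
service_ports "$DEMO/webapp.xml"
```

A file written this way is loaded with `firewall-cmd --permanent --new-service-from-file=/path/webapp.xml --name=webapp`, followed by `firewall-cmd --reload` and `firewall-cmd --add-service=webapp`; running `service_ports` on a hand-edited definition before the reload confirms it still lists the ports you expect.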
--------------------------------------------------------------------------------
#Working on rocky in a root session

#Type firewall-cmd --info- and press Tab twice to list the --info-* options

#About http
firewall-cmd --info-service=http

#Open a port for just 15 seconds (runtime only, removed automatically)
firewall-cmd --add-port=443/tcp --timeout=15

#Check
firewall-cmd --list-all

#Again, after the timeout the port is gone
firewall-cmd --list-all

#Copy the file (a service file in /etc/firewalld/services overrides the one in /usr/lib/firewalld/services)
cp /usr/lib/firewalld/services/http.xml /etc/firewalld/services/

#Edit the copy with
vim /etc/firewalld/services/http.xml
...

...

#Save and exit

#Reload the firewall to pick up the new definition
firewall-cmd --reload

#Check the service
firewall-cmd --info-service=http
--------------------------------------------------------------------------------
/A15/05_Configuring_fail2ban.sh:
--------------------------------------------------------------------------------
#Working on the rocky system

#First check the journal of the sshd service
sudo journalctl --unit sshd

sudo journalctl --unit sshd | grep "Failed password"

sudo journalctl --unit sshd --since "14:00"

#We need the epel repository to install fail2ban
sudo dnf install epel-release -y

#Install fail2ban
sudo dnf install fail2ban -y

#Create a fail2ban sshd configuration file
sudo vim /etc/fail2ban/jail.d/sshd.conf

[DEFAULT]
bantime = 72h
findtime = 10m
maxretry = 3
backend = auto
[sshd]
enabled = true

#Save and exit (3 failed attempts from one address within 10 minutes ban that address for 72 hours; if the jail finds no log file, use backend = systemd to read the journal)

#Start the fail2ban service
sudo systemctl enable --now fail2ban

#Check the status of the fail2ban service
sudo systemctl status fail2ban

#Check with the fail2ban client
sudo fail2ban-client status sshd
--------------------------------------------------------------------------------
/A16/01_Adding_basic_ufw_rules.sh:
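Before switching to UFW, one more look at the two lock-out mechanisms used so far: pam_faillock in A14/05 (deny=3, unlock_time=300) and the fail2ban jail in A15/05 (maxretry=3 within findtime=10m). Both count failures per source inside a sliding window and lock or ban once the threshold is reached. The following is an added example, not code from the course repository or from fail2ban, that applies this rule to sshd log lines and prints the sources that would be banned and when. The log lines are constructed for the demo (addresses and times are not real), they are assumed to be in `journalctl -o short-iso` format from a single day (only the time of day is parsed), and the sshd wording "Failed password ... from IP" is assumed.

```shell
#!/bin/sh
# Added example, not from the course repo or fail2ban: apply the "N failures from
# one source within a window" rule (pam_faillock deny/unlock_time, fail2ban
# maxretry/findtime) to sshd log lines and print the sources that would be banned.
# Assumptions: "journalctl -o short-iso" lines from a single day; sshd's
# "Failed password ... from IP" wording.
set -eu

# Constructed sample journal for the demo; not real log data.
SAMPLE_LOG='2024-05-01T14:00:05+0000 rocky sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
2024-05-01T14:00:09+0000 rocky sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51523 ssh2
2024-05-01T14:00:12+0000 rocky sshd[1203]: Failed password for root from 203.0.113.7 port 51524 ssh2
2024-05-01T14:01:00+0000 rocky sshd[1210]: Accepted publickey for vagrant from 192.168.56.102 port 40000 ssh2
2024-05-01T14:02:30+0000 rocky sshd[1215]: Failed password for vagrant from 192.168.56.102 port 40010 ssh2
2024-05-01T14:20:00+0000 rocky sshd[1301]: Failed password for vagrant from 192.168.56.102 port 40011 ssh2
2024-05-01T14:31:00+0000 rocky sshd[1322]: Failed password for vagrant from 192.168.56.102 port 40012 ssh2
2024-05-01T14:40:00+0000 rocky sshd[1401]: Failed password for root from 198.51.100.9 port 22222 ssh2
2024-05-01T14:40:01+0000 rocky sshd[1401]: Failed password for root from 198.51.100.9 port 22222 ssh2'

# $1 = maxretry, $2 = findtime in seconds; log lines on stdin.
# Prints "IP<TAB>time" once per address, at the moment its failures inside the
# sliding window reach maxretry. Later failures from a banned address are ignored.
ban_candidates() {
    awk -v maxretry="$1" -v findtime="$2" '
        /Failed password/ {
            # time of day in seconds, taken from the ISO timestamp in field 1 (...THH:MM:SS...)
            split(substr($1, 12, 8), t, ":")
            now = t[1] * 3600 + t[2] * 60 + t[3]
            # the source address follows the word "from"
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip in banned) next
            # drop failures of this source that fell out of the window, then add this one
            n = 0
            for (j = 1; j <= cnt[ip]; j++)
                if (now - hist[ip, j] <= findtime) hist[ip, ++n] = hist[ip, j]
            hist[ip, ++n] = now
            cnt[ip] = n
            if (n >= maxretry) { banned[ip] = 1; print ip "\t" substr($1, 12, 8) }
        }'
}

# Demo run with the course values: maxretry 3 inside 10 minutes.
printf '%s\n' "$SAMPLE_LOG" | ban_candidates 3 600
```

With the sample data only 203.0.113.7 is banned (third failure at 14:00:12); the three vagrant failures from 192.168.56.102 are more than ten minutes apart and never add up. Real data goes in with `journalctl -u sshd -o short-iso | ban_candidates 3 600` and can be compared with `fail2ban-client status sshd`; for pam_faillock the equivalent record is `faillock --user <name>`, and `faillock --user <name> --reset` clears it.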
--------------------------------------------------------------------------------
#Working on ubuntu in a root session

sudo -i

#The status (inactive)
ufw status

#What are the defaults? (incoming policy: DROP!)
less /etc/default/ufw

#IMPORTANT - otherwise we are no longer able to ssh into the system once the firewall is enabled
ufw allow ssh

#The status (still inactive; rules added so far are shown by "ufw show added")
ufw status

#Enable the firewall
ufw enable

#The status, verbose (shows the default policies too)
ufw status verbose

#The status, numbered (the numbers are used to delete rules)
ufw status numbered
--------------------------------------------------------------------------------
/A16/02_Tuning_SSH_allow_rules.sh:
--------------------------------------------------------------------------------
#Working on ubuntu in a root session

#Check the status
ufw status

#The IP info
ip a sh

#Set a new rule: ssh only from the NAT network
ufw allow from 10.0.2.0/24 to any port 22

#The numbered output
ufw status numbered

#Test a rule deletion
ufw --dry-run delete 3

#It was just a test
ufw status

#Now delete rules 3 and 1 (highest number first, so the remaining numbers do not shift)
ufw delete 3

ufw delete 1

#Let's verify
ufw status

#SWITCH TO rocky
ssh 192.168.56.102 #Does not work, the host-only network is no longer allowed

#Exit the ubuntu ssh session and start the ssh session again
--------------------------------------------------------------------------------
/A16/03_More_accurate_rules.sh:
--------------------------------------------------------------------------------
#Working on ubuntu in a root session
sudo -i

#Who is logged in from where
who

#Check
ufw status

#Set a new SSH rule: tcp only, from one host only
ufw allow proto tcp from 10.0.2.2 to any port 22

#Check
ufw status

#A what-if
ufw --dry-run delete 1

#Delete the rule
ufw delete 1
--------------------------------------------------------------------------------
/A16/04_Allowing_HTTP_access.sh:
--------------------------------------------------------------------------------
#Working on ubuntu in a root session

sudo -i

#Install apache2
apt update

apt install -y apache2

#SWITCH TO rocky
curl 192.168.56.102 #It does not work, port 80 is not allowed

#Set an allow rule for http from the rocky system only
ufw allow from 192.168.56.101 to any port http

#Check the rules
ufw status

#SWITCH TO rocky
curl 192.168.56.102 #It works
--------------------------------------------------------------------------------
/A16/05_Reporting_on_rules.sh:
--------------------------------------------------------------------------------
#Working on ubuntu in a root session

sudo -i

#The raw netfilter rules
ufw show raw

ufw show raw | less

#The rules added with ufw commands
ufw show added

#The rules in the filesystem
ls /etc/ufw

#Reset ufw: disables it and removes all rules (backups of the rule files are kept in /etc/ufw)
ufw reset

#Check the status
ufw status
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2024 Tom Wechsler [Microsoft Azure & CDM MVP]

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------
/Links.md:
--------------------------------------------------------------------------------
# Some helpful links

https://app.vagrantup.com/boxes/search

https://rockylinux.org/
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Securing Linux Systems
Linux security with three different distributions (Rocky Linux, Ubuntu and openSUSE)!

The three different Linux distributions

## Content of the sections

| Sections | Section description |
|-----|-------------------------------------------|
| A01 | Lab setup with Vagrant |
| A02 | Why Securing Linux Systems |
| A03 | Understanding the File Mode or Permissions |
| A04 | Managing Special File Permissions |
| A05 | Extending the File Mode with ACLs |
| A06 | Implementing SELinux |
| A07 | Working with AppArmor |
| A08 | Managing SSH Servers and Connections |
| A09 | Elevating Privileges in Linux |
| A10 | Managing Local Users |
| A11 | Implementing HTTPS with the Apache Web Server |
| A12 | Implementing an openSSL Certificate Server |
| A13 | Implementing Identity Management with openLDAP and SSSD |
| A14 | Hardening Your Linux Systems |
| A15 | Implementing Firewalls with Firewalld |
| A16 | Implement Firewalls with UFW |
--------------------------------------------------------------------------------
/README.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tomwechsler/Securing_Linux_Systems/9dd3e50493bcf6779e6b8bbaaf797606b43fb48f/README.png
--------------------------------------------------------------------------------