Pages

Showing posts with label security. Show all posts
Showing posts with label security. Show all posts

Saturday, October 26, 2024

Fedora 42 : ... testing Advanced Intrusion Detection Environment (AIDE).

Advanced Intrusion Detection Environment (AIDE) is a utility that creates a database of files on the system, and then uses that database to ensure file integrity and detect system intrusions.. See more on the official fedora documentation webpage.
NOTE : The documentation and translations on the official page are in progress due to ongoing development and resource management ...
I used the DNF tool to install:
[mythcat@fedora ~]$ sudo dnf install aide
... aide      x86_64      0.18.6-5.fc41        rawhide      
Make sure the AIDE database file exists and is accessible:
[mythcat@fedora ~]$ sudo ls -l /var/lib/aide/aide.db.gz
Ensure that the user running AIDE has the necessary permissions:
[mythcat@fedora ~]$ sudo ls -l /var/lib/aide/
Check the AIDE configuration file:
[mythcat@fedora ~]$ sudo cat /etc/aide.conf | grep DBDIR
Check if the AIDE service file exists:
[mythcat@fedora ~]$ sudo ls /usr/lib/systemd/system/ | grep aide
If the service exists then check the status:
[mythcat@fedora ~]$ sudo systemctl status aide
Unit aide.service could not be found.
If the service not exist then take some time to run first time ...
[mythcat@fedora ~]$ sudo /sbin/aide --init
...
End timestamp: 2024-10-26 14:10:00 +0300 (run time: 98m 41s)
You can check each time you want ...
[mythcat@fedora ~]$ sudo /sbin/aide --check
If you want and your Fedora linux need to use this tool, then you can use it like service:
sudo nano /usr/lib/systemd/system/aide.service
Fill with the basic service source code like any unit service :
[Unit]
   Description=Advanced Intrusion Detection Environment
   After=network.target

   [Service]
   Type=simple
   ExecStart=/sbin/aide --init
   ExecStop=/sbin/aide --check
   Restart=on-failure

   [Install]
   WantedBy=multi-user.target
This is a simple tutorial about how to start with AIDE tool ...

Monday, June 10, 2024

Fedora 41 : Install portmaster.

Portmaster is a free and open-source application firewall that does the heavy lifting for you. Restore privacy and take back control over all your computer's network activity.
First, download the RPM package from the official website.
Use the dnf5 tool and install it.
The last step is to open, after restart Fedora, see the result on my openbox environment:

Tuesday, March 26, 2024

Fedora 40 : Fix emergency run mode - part 001.

Run this commands to see errors and all failed systemd units:
[root@fedora mythcat]# dmesg | grep err
[root@fedora mythcat]# systemctl status --failed --all
If you get an error like this:
Recovery unable to mount /home
... check the /etc/fstab file to see how your home is set.

Monday, December 11, 2023

Fedora 39 : ImHex editor.

ImHex is a Hex Editor, a tool to display, decode and analyze binary data to reverse engineer their format, extract informations or patch values in them.
Read more on the official webpage.
Let's install with dnf5 tool:
# dnf5 install imhex.x86_64
Updating and loading repositories:
Repositories loaded.
Package         Arch       Version         Repository                   Size
Upgrading:                
 cpp            x86_64     13.2.1-6.fc40   updates-testing          30.9 MiB
  replacing cpp                          x86_64     13.2.1-5.fc40   updates-testing          30.9 MiB
 gcc            x86_64     13.2.1-6.fc40   updates-testing          94.7 MiB
  replacing gcc                          x86_64     13.2.1-5.fc40   updates-testing          94.7 MiB
 gcc-c++        i686       13.2.1-6.fc40   updates-testing          34.7 MiB
  replacing gcc-c++                      i686       13.2.1-5.fc40   updates-testing          34.7 MiB
 gcc-c++        x86_64     13.2.1-6.fc40   updates-testing          33.9 MiB
  replacing gcc-c++                      x86_64     13.2.1-5.fc40   updates-testing          33.9 MiB
 gcc-plugin-annobin                      x86_64     13.2.1-6.fc40   updates-testing          57.0 KiB
  replacing gcc-plugin-annobin           x86_64     13.2.1-5.fc40   updates-testing          57.0 KiB
 glib2          x86_64     2.78.3-1.fc40   updates-testing          13.5 MiB
  replacing glib2                        x86_64     2.78.1-1.fc40   rawhide                  13.5 MiB
 glib2-devel    x86_64     2.78.3-1.fc40   updates-testing           3.7 MiB
  replacing glib2-devel                  x86_64     2.78.1-1.fc40   rawhide                   3.7 MiB
 libcurl        x86_64     8.5.0-1.fc40    updates-testing         784.6 KiB
  replacing libcurl                      x86_64     8.4.0-1.fc40    rawhide                 776.5 KiB
 libcurl-devel                           x86_64     8.5.0-1.fc40    updates-testing           1.4 MiB
  replacing libcurl-devel                x86_64     8.4.0-1.fc40    rawhide                   1.4 MiB
 libgcc         i686       13.2.1-6.fc40   updates-testing         253.4 KiB
  replacing libgcc                       i686       13.2.1-5.fc40   updates-testing         253.4 KiB
 libgcc         x86_64     13.2.1-6.fc40   updates-testing         230.3 KiB
  replacing libgcc                       x86_64     13.2.1-5.fc40   updates-testing         230.3 KiB
 libgomp        x86_64     13.2.1-6.fc40   updates-testing         485.7 KiB
  replacing libgomp                      x86_64     13.2.1-5.fc40   updates-testing         485.7 KiB
 libquadmath    x86_64     13.2.1-6.fc40   updates-testing         325.9 KiB
  replacing libquadmath                  x86_64     13.2.1-5.fc40   updates-testing         325.9 KiB
 libquadmath-devel                       x86_64     13.2.1-6.fc40   updates-testing          21.4 KiB
  replacing libquadmath-devel            x86_64     13.2.1-5.fc40   updates-testing          21.4 KiB
 libstdc++      x86_64     13.2.1-6.fc40   updates-testing           2.7 MiB
  replacing libstdc++                    x86_64     13.2.1-5.fc40   updates-testing           2.7 MiB
 libstdc++-devel                         x86_64     13.2.1-6.fc40   updates-testing          14.2 MiB
   replacing libstdc++-devel             x86_64     13.2.1-5.fc40   updates-testing          14.1 MiB
Installing:               
 imhex          x86_64     1.31.0-1.fc40   updates-testing          25.6 MiB
Installing dependencies:                           
 glfw           x86_64     1:3.3.8-4.fc39                           updates-testing         290.0 KiB
 nativefiledialog-extended               x86_64     1.1.1-1.fc40    updates-testing          40.8 KiB
 yara           x86_64     4.4.0-1.fc40    updates-testing         612.0 KiB
Installing weak dependencies:                      
 imhex-patterns                          x86_64     1.31.0-1.fc40   updates-testing           9.4 MiB

Transaction Summary:
 Installing:        5 packages
 Upgrading:        16 packages
 Replacing:        16 packages

Total size of inbound packages is 93 MiB. Need to download 93 MiB.
After this operation 36 MiB will be used (install 268 MiB, remove 232 MiB).
Is this ok [y/N]: y ...
I try on run on HP Compaq 6710b but not working:
[mythcat@fedora ~]$ imhex
[15:50:08] [INFO]  [main]       Welcome to ImHex 1.31.0!
[15:50:08] [INFO]  [main]       Compiled using commit Unknown@Unknown
[15:50:08] [INFO]  [main]       Running on Linux 6.7.0-0.rc3.20231129git18d46e76d7c2.30.fc40.x86_64 
#1 SMP PREEMPT_DYNAMIC Wed Nov 29 15:20:20 UTC 2023 (x86_64)
[15:50:09] [ERROR] [main]       GLFW Error [65543] : GLX: Failed to create context: GLXBadFBConfig
[15:50:09] [FATAL] [main]       Failed to create GLFW window: [65543] GLX: Failed to create context: GLXBadFBConfig.
You may not have a renderer available.
The most common cause of this is using a virtual machine
You may want to try a release artifact ending with 'NoGPU'

Sunday, February 7, 2021

Fedora 33 : Running Zeek - part 001.

Zeek is often used as a network analysis tool but can also be deployed as an IDS known as Intrusion Detection System.
The full documentation can be found on this website page.
Let's install this tool on Fedora 33 distro.
[root@desk mythcat]# dnf search zeek
Last metadata expiration check: 0:18:02 ago on Sun 07 Feb 2021 11:21:35 AM EET.
No matches found.
[root@desk mythcat]# dnf config-manager --add-repo 
https://download.opensuse.org/repositories/security:zeek/Fedora_33/security:zeek.repo
Adding repo from: https://download.opensuse.org/repositories/security:zeek/Fedora_33/security:zeek.repo
[root@desk mythcat]# dnf install zeek
The Zeek Network Security Monitor. (Fedora_33)  105 kB/s | 128 kB     00:01    
Last metadata expiration check: 0:00:01 ago on Sun 07 Feb 2021 11:40:31 AM EET.
...
  Verifying        : zeekctl-3.2.3-1.1.x86_64                               8/8 

Installed:
  libbroker-devel-3.2.3-1.1.x86_64       libpcap-devel-14:1.9.1-6.fc33.x86_64  
  openssl-devel-1:1.1.1i-1.fc33.x86_64   zeek-3.2.3-1.1.x86_64                 
  zeek-core-3.2.3-1.1.x86_64             zeek-devel-3.2.3-1.1.x86_64           
  zeek-libcaf-devel-3.2.3-1.1.x86_64     zeekctl-3.2.3-1.1.x86_64              

Complete!
[root@desk mythcat]# whereis zeek
zeek: /opt/zeek/bin/zeek
[root@desk mythcat]# whereis zeekctl
zeekctl: /opt/zeek/bin/zeekctl
I found this informations into the documentation area:
ZeekControl is an interactive shell for easily operating/managing Zeek installations on a single system or even across multiple systems in a traffic-monitoring cluster.
A Minimal Starting Configuration
These are the basic configuration changes to make for a minimal ZeekControl installation that will manage a single Zeek instance on the localhost:
  • In $PREFIX/etc/node.cfg, set the right interface to monitor.
  • In $PREFIX/etc/networks.cfg, comment out the default settings and add the networks that Zeek will consider local to the monitored environment.
  • In $PREFIX/etc/zeekctl.cfg, change the MailTo email address to a desired recipient and the LogRotationInterval to a desired log archival frequency.
Next step is to configure and adjust your PATH environment variable:
[root@desk mythcat]# export PATH=/opt/zeek/bin:$PATH
[root@desk mythcat]# zeekctl

Welcome to ZeekControl 2.2.0

Type "help" for help.
...
Use install , start and diag commands on Zeek command line to check if the Zeek tool works fine.
If you received this error on diag command , then you need to set your network interface:
==== stderr.log
fatal error: problem with interface eth0 (pcap_error: SIOCGIFHWADDR: No such device (pcap_activate))
Let's fix this error using the files configuration:
[root@desk mythcat]# updatedb
[root@desk mythcat]# locate node.cfg
/opt/zeek/etc/node.cfg
[root@desk mythcat]# vi /opt/zeek/etc/node.cfg
I change the row with the interface= with my network interface.
You can find your interface with these commands:
[root@desk mythcat]# ip link show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
...
[root@desk mythcat]# nmcli device status
DEVICE  TYPE      STATE                   CONNECTION 
...
Now I can run the zeekctl command an check if is all right.
And first issue reported by diag and zeekctl is this:
1612693272.168741 Reporter::WARNING Your interface is likely receiving invalid TCP and UDP checksums, most likely from NIC checksum offloading. By default, packets with invalid checksums are discarded by Zeek unless using the -C command-line option or toggling the 'ignore_checksums' variable. Alternatively, disable checksum offloading by the network adapter to ensure Zeek analyzes the actual checksums that are transmitted. /opt/zeek/share/zeek/base/misc/find-checksum-offloading.zeek, line 54
You can see this tool can provide good information for users.

Friday, January 24, 2020

Fedora 31 : The twa web auditor tool.

This tool comes with a good intro: A tiny web auditor with strong opinions.
The tool named twa takes one domain at a time and use these dependencies: bash 4, curl, dig, jq, and nc, along with the POSIX system.
The project can be found at GitHub repository but I can be install easy on Fedora 31 distro:
[root@desk mythcat]# dnf install twa.noarch 
Last metadata expiration check: 0:06:08 ago on Fri 24 Jan 2020 01:57:53 PM EET.
Dependencies resolved.
================================================================================
 Package       Architecture     Version                  Repository        Size
================================================================================
Installing:
 twa           noarch           1.8.0-3.fc31             fedora            18 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 18 k
Installed size: 30 k
Is this ok [y/N]: y
Downloading Packages:
twa-1.8.0-3.fc31.noarch.rpm                      10 kB/s |  18 kB     00:01    
--------------------------------------------------------------------------------
Total                                           6.7 kB/s |  18 kB     00:02     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Installing       : twa-1.8.0-3.fc31.noarch                                1/1 
  Running scriptlet: twa-1.8.0-3.fc31.noarch                                1/1 
  Verifying        : twa-1.8.0-3.fc31.noarch                                1/1 

Installed:
  twa-1.8.0-3.fc31.noarch                                                       

Complete!
Let's see some examples with google website responses and this tool:
[mythcat@desk ~]$ twa google.com
FAIL(google.com): TWA-0102: HTTP redirects to HTTP (not secure)
FAIL(google.com): TWA-0205: Strict-Transport-Security missing
MEH(google.com): TWA-0206: X-Frame-Options is 'sameorigin', consider 'deny'
FAIL(google.com): TWA-0209: X-Content-Type-Options missing
FAIL(google.com): TWA-0210: X-XSS-Protection is '0'; XSS filtering disabled
FAIL(google.com): TWA-0214: Referrer-Policy missing
FAIL(google.com): TWA-0219: Content-Security-Policy missing
FAIL(google.com): TWA-0220: Feature-Policy missing
PASS(google.com): Site sends 'Server', but probably only a vendor ID: gws
PASS(google.com): Site doesn't send 'X-Powered-By'
PASS(google.com): Site doesn't send 'Via'
PASS(google.com): Site doesn't send 'X-AspNet-Version'
PASS(google.com): Site doesn't send 'X-AspNetMvc-Version'
PASS(google.com): No SCM repository at: http://google.com/.git/HEAD
PASS(google.com): No SCM repository at: http://google.com/.hg/store/00manifest.i
PASS(google.com): No SCM repository at: http://google.com/.svn/entries
PASS(google.com): No environment file at: http://google.com/.env
PASS(google.com): No environment file at: http://google.com/.dockerenv
PASS(google.com): No config file at: http://google.com/config.xml
PASS(google.com): No config file at: http://google.com/config.json
PASS(google.com): No config file at: http://google.com/config.yaml
PASS(google.com): No config file at: http://google.com/config.yml
PASS(google.com): No config file at: http://google.com/config.ini
^C
The output result line looks like this:
TYPE(domain): explanation where TYPE is one of PASS, MEH, FAIL, UNK, SKIP, and FATAL., see the output example:
PASS: The test passed with flying color.
MEH: The test passed, but with one or more things that could be improved.
FAIL: The test failed and should be fixed.
UNK: The server gave us something we didn't understand.
SKIP: The server gave us something we understood, but that we don't handle yet.
FATAL: A really important test failed, and should be fixed immediately.
Another feature is scoring.
The score format is this: npasses nmehs nfailures nunknowns nskips totally_screwed.
Let's see one example:
[mythcat@desk ~]$ twa google.com | tscore
20 37 2 7 0 0 0
The tool can be used with Alpine Docker container.

Thursday, August 22, 2019

Fedora 30 : Set up the Linux Malware Detect.

If you have an SELinux warning detection then the details you can see how can be fixed:
[mythcat@desk ~]$ su
Password: 
[root@desk mythcat]# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-systemd.pp

[root@desk mythcat]# semodule -X 300 -i my-systemd.pp
This tool comes with three modes that the monitor can be executed with and they relate to what will be monitored.
These modes are USERS|PATHS|FILES.
The options break down as follows:
  • USERS: The users option will take the homedirs of all system users that are above inotify_minuid and monitor them.If inotify_webdir is set then the users webdir, if it exists, will only be monitored;
  • PATHS: A comma spaced list of paths to monitor;
  • FILE: A line spaced file list of paths to monitor
$ maldet --monitor users
$ maldet --monitor /root/initial-setup-ks.cfg
$ maldet --monitor /home/mythcat
Let's test the USERS option:
[mythcat@desk maldetect-1.6.4]$ maldet --monitor users
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks 
            (C) 2019, Ryan MacDonald 
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(7958): {mon} could not find inotifywait command, install yum package inotify-tools or 
download from https://github.com/rvoicilas/inotify-tools/wiki/


[root@desk maldetect-1.6.4]# dnf search inotify-tools
Last metadata expiration check: 0:01:39 ago on Wed 21 Aug 2019 11:09:22 PM EEST.
============================================ Name Exactly Matched: inotify-tools ======
inotify-tools.i686 : Command line utilities for inotify
inotify-tools.x86_64 : Command line utilities for inotify
================================================ Name Matched: inotify-tools ======
inotify-tools-devel.i686 : Headers and libraries for building apps that use libinotifytools
inotify-tools-devel.x86_64 : Headers and libraries for building apps that use libinotifytools
[root@desk maldetect-1.6.4]# dnf install inotify-tools.x86_64
...
Installed:
  inotify-tools-3.14-16.fc30.x86_64                                                                                          

Complete!
[root@desk maldetect-1.6.4]# maldet --monitor users
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks 
            (C) 2019, Ryan MacDonald 
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(973): {mon} set inotify max_user_watches to 16384
maldet(973): {mon} added /dev/shm to inotify monitoring array
maldet(973): {mon} added /var/tmp to inotify monitoring array
maldet(973): {mon} added /tmp to inotify monitoring array
maldet(973): {mon} starting inotify process on 3 paths, this might take awhile...
maldet(973): {mon} inotify startup successful (pid: 1800)
maldet(973): {mon} inotify monitoring log: /usr/local/maldetect/logs/inotify_log

Wednesday, August 21, 2019

Fedora 30 : Testing the Linux Malware Detect.

Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments.
This tool is provided by R-fx Networks.
Let's install and test it:
[mythcat@desk ~]$ wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
[mythcat@desk ~]$ tar -xf maldetect-current.tar.gz 
[mythcat@desk ~]$ cd maldetect-1.6.4/
[mythcat@desk maldetect-1.6.4]$ su
Password: 
[root@desk maldetect-1.6.4]# ./install.sh
Failed to enable unit: Unit file maldet.service does not exist.
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks <proj@r-fx.org>
            (C) 2019, Ryan MacDonald <ryan@r-fx.org>
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
maldet(31046): {sigup} performing signature update check...
maldet(31046): {sigup} local signature set is version 201907043616
maldet(31046): {sigup} new signature set 2019081912001 available
maldet(31046): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-sigpack.tgz
maldet(31046): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-cleanv2.tgz
maldet(31046): {sigup} verified md5sum of maldet-sigpack.tgz
maldet(31046): {sigup} unpacked and installed maldet-sigpack.tgz
maldet(31046): {sigup} verified md5sum of maldet-clean.tgz
maldet(31046): {sigup} unpacked and installed maldet-clean.tgz
maldet(31046): {sigup} signature set update completed
maldet(31046): {sigup} 15552 signatures (12740 MD5 | 2035 HEX | 777 YARA | 0 USER)
[root@desk maldetect-1.6.4]# vim /usr/local/maldetect/conf.maldet
Change this row to scan_user_access=1
Now you can run it:
[mythcat@desk ~]$ /usr/local/sbin/maldet -a 
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks 
            (C) 2019, Ryan MacDonald 
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(32628): {scan} signatures loaded: 15552 (12740 MD5 | 2035 HEX | 777 YARA | 0 USER)
maldet(32628): {scan} building file list for , this might take awhile...
maldet(32628): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(32628): {scan} file list completed in 13s, found 44109 files...
maldet(32628): {scan} scan of  (44109 files) in progress...

Wednesday, August 14, 2019

Fedora 30 : First steps with Fedora firewall.

In computing, a firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.[1] A firewall typically establishes a barrier between a trusted internal network and untrusted external network, such as the Internet.[2], see the wikipedia. In this short tutorial about the Fedora firewall subject, I will show you how you can use firewall commands to set it. The install is simple with dnf tool:
[root@desk mythcat]# dnf install firewalld firewall-config 
Let's start with the status of your firewall:
[root@desk mythcat]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
...
You can use start , restart or stop it.

[root@desk mythcat]# systemctl start firewalld
[root@desk mythcat]# systemctl restart firewalld
[root@desk mythcat]# systemctl stop firewalld
Let's see active zones:
[root@desk mythcat]# firewall-cmd --get-active-zones
We can see all active for public zone with:
[root@desk mythcat]# firewall-cmd --zone=public --list-all
We can see all ports for public zone:
[root@desk mythcat]# firewall-cmd --zone=public --list-ports 
These commands are used for add and remove ports:
[root@desk mythcat]# firewall-cmd --permanent --zone=public --add-port=80/tcp
[root@desk mythcat]# firewall-cmd --permanent --zone=public --remove-port=80/tcp
Let's see services:
[root@desk mythcat]# firewall-cmd --get-services 
RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client 
bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine cockpit 
condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns docker-registry docker-swarm 
dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-ldap freeipa-ldaps 
freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability 
http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kerberos 
kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls lightning-network llmnr 
managesieve matrix mdns minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql 
nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole 
plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio
 puppetmaster quassel radius redis rpc-bind rsh rsyncd rtsp salt-master samba samba-client 
samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid 
ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tftp 
tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http 
wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent 
zabbix-server
Let's add and remove one service named ftp:
[root@desk mythcat]# firewall-cmd --zone=public --add-service=ftp
[root@desk mythcat]# firewall-cmd --zone=public --remove-service=ftp
Let's see all running services:
[root@desk mythcat]# firewall-cmd --zone=public --list-services
If you want to block/unblock any incoming or outgoing connections then use this:
[root@desk mythcat]# firewall-cmd --panic-on
[root@desk mythcat]# firewall-cmd --panic-off 
For example, after you use panic-on then you can check with this:
[root@desk mythcat]# ping google.com -c 1
[root@desk mythcat]# firewall-cmd --query-panic
[root@desk mythcat]# firewall-cmd --panic-off
You can masquerade your IP address with:
[root@desk mythcat]# firewall-cmd --zone=external --query-masquerade
Another example: we can forward all tcp port 80 connections to IP 6.6.6.6 :
[root@desk mythcat]# firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toaddr=6.6.6.6
Let's see ICMP:
[root@desk mythcat]# firewall-cmd --get-icmptypes
address-unreachable bad-header beyond-scope communication-prohibited destination-unreachable 
echo-reply echo-request failed-policy fragmentation-needed host-precedence-violation 
host-prohibited host-redirect host-unknown host-unreachable ip-header-bad 
neighbour-advertisement neighbour-solicitation network-prohibited network-redirect 
network-unknown network-unreachable no-route packet-too-big parameter-problem 
port-unreachable precedence-cutoff protocol-unreachable redirect reject-route 
required-option-missing router-advertisement router-solicitation source-quench 
source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect 
tos-host-unreachable tos-network-redirect tos-network-unreachable 
ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type 
unknown-option
We can use it for block or not the echo:
[root@desk mythcat]# firewall-cmd --zone=external --query-icmp-block=echo-reply
[root@desk mythcat]# firewall-cmd --zone=external --add-icmp-block=echo-reply
[root@desk mythcat]# firewall-cmd --direct --get-rules ipv4 filter IN_public
[root@desk mythcat]# firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 
...
I cannot show you a magic rule because this depends by your network and your software. You can use this command to see all into a graphic interface.
[root@desk mythcat]# firewall-config
This will give a good image of your firewall settings.

Wednesday, May 30, 2018

Fedora 28 : The Lynis and system security .

Lynis is a lightweight and easy open source auditing tool to evaluate current system security.
The official webpage can be found here.
I tested the version 263 and now the Fedora development team test the 264 version.
This tool will show you a detailed report of each and every aspect of system :
  • Boot and services
  • Kernel
  • Memory and processes
  • Users, groups, and authentication
  • File systems
  • Home directories
  • File permissions
  • Software: Malware
  • Security frameworks
  • Logging and files
  • SSH support
# dnf install lynis 
# lynis audit system  >> lynix_out.txt
The result is a text file ( 27 Kb sized for my system ) with all infos about your current system security.

Monday, April 17, 2017

Fedora 25 : The YARA tool for Linux security - part 001.

The YARA tool is a multi-platform program running on Windows, Linux and Mac OS X.
The YARA is designed to help malware researchers identify and classify malware samples.
It’s been called for security researchers and everyone else.
Yara provides an easy and effective way to write custom rules based on strings or byte sequences and allows you to make your own detection tools.
You can create descriptions of malware families based on textual or binary patterns or whatever you want to describe.
This descriptions or rules consists of a set of strings and a boolean expression which determine its logic.
The official website can be found here.
The First you need to install the yara tool under your Linux OS.
I used Fedora 25 distro.
[root@localhost mythcat]# dnf install yara
Last metadata expiration check: 0:49:37 ago on Sun Apr 16 22:23:14 2017.
Dependencies resolved.
================================================================================
 Package      Arch           Version              Repository               Size
================================================================================
Installing:
 yara         x86_64         3.5.0-7.fc25         updates-testing         191 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 191 k
Installed size: 861 k
Is this ok [y/N]: y
Downloading Packages:
yara-3.5.0-7.fc25.x86_64.rpm                    171 kB/s | 191 kB     00:01    
--------------------------------------------------------------------------------
Total                                            92 kB/s | 191 kB     00:02     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Installing  : yara-3.5.0-7.fc25.x86_64                                    1/1 
  Verifying   : yara-3.5.0-7.fc25.x86_64                                    1/1 

Installed:
  yara.x86_64 3.5.0-7.fc25                                                      

Complete!
Let test it with the basic command:
[mythcat@localhost ~]$ yara
yara: wrong number of arguments
Usage: yara [OPTION]... RULES_FILE FILE | DIR | PID

Try `--help` for more options
[mythcat@localhost ~]$ yara --help
YARA 3.5.0, the pattern matching swiss army knife.
Usage: yara [OPTION]... RULES_FILE FILE | DIR | PID

Mandatory arguments to long options are mandatory for short options too.

  -t,  --tag=TAG                   print only rules tagged as TAG
  -i,  --identifier=IDENTIFIER     print only rules named IDENTIFIER
  -n,  --negate                    print only not satisfied rules (negate)
  -D,  --print-module-data         print module data
  -g,  --print-tags                print tags
  -m,  --print-meta                print metadata
  -s,  --print-strings             print matching strings
  -e,  --print-namespace           print rules' namespace
  -p,  --threads=NUMBER            use the specified NUMBER of threads to scan a directory
  -l,  --max-rules=NUMBER          abort scanning after matching a NUMBER of rules
  -d VAR=VALUE                     define external variable
  -x MODULE=FILE                   pass FILE's content as extra data to MODULE
  -a,  --timeout=SECONDS           abort scanning after the given number of SECONDS
  -k,  --stack-size=SLOTS          set maximum stack size (default=16384)
  -r,  --recursive                 recursively search directories
  -f,  --fast-scan                 fast matching mode
  -w,  --no-warnings               disable warnings
  -v,  --version                   show version information
  -h,  --help                      show this help and exit

Send bug reports and suggestions to: vmalvarez@virustotal.com .
When you use YARA you can use:
  • modules - like extensions to YARA’s core functionality; 
  • external variables; 
  • including files; 
The YARA use rules and this rules are: global rules, private rules, tags and metadata.
The base of the syntax of a YARA rule set is this:
rule RuleName  
{
    strings:
    $test_string1= "Testing"
    $test_string2= {C6 45 ?? ??}
    condition:
    $test_string1 or $test_string2
}
The words strings and Conditions are two important keywords: strings and condition. The rule work with strings and this strings are the unique values to search for, while condition specifies your detection criteria. Some example with con:
all of them       /* all strings in the rule */
any of them       /* any string in the rule */
all of ($a*)      /* all strings whose identifier starts by $a */
any of ($a,$b,$c) /* any of $a, $b or $c */
1 of ($*)         /* same that "any of them" */
You can include also the meta keyword, see:
rule RuleName  
{
   meta:
      author = "Catalin George Festila - rule 001 "
      description = "tell something to the computer"
   strings:
   $test_string1= "first step "
...
The metadata can be referenced using the arg –m option at the command line.
You can add comments to your YARA rules just as if it was a C source file because rules have a syntax that resembles the C language.

Saturday, April 15, 2017

Linux: tools to scan a Linux server for malware and rootkits.

This tools are: chkrootkit, rkhunter, fuser and ISPProtect. All of this tools can be install under Fedora 25 with dnf tool. First tool is chkrootkit is a classic rootkit scanner. It checks your server for suspicious rootkit processes and checks for a list of known rootkit files.
[root@localhost mythcat]# chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
...
The Rootkit Hunter named rkhunter is a Unix-based tool that scans for rootkits, backdoors and possible local exploits.
[root@localhost mythcat]# rkhunter --update
[ Rootkit Hunter version 1.4.2 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                             [ No update ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ No update ]
  Checking file i18n/cn                                      [ No update ]
  Checking file i18n/de                                      [ No update ]
  Checking file i18n/en                                      [ No update ]
  Checking file i18n/tr                                      [ No update ]
  Checking file i18n/tr.utf8                                 [ No update ]
  Checking file i18n/zh                                      [ No update ]
  Checking file i18n/zh.utf8                                 [ No update ]
[root@localhost mythcat]# rkhunter --propupd
[ Rootkit Hunter version 1.4.2 ]
File created: searched for 172 files, found 136
[root@localhost mythcat]# rkhunter -c --enable all --disable none
[ Rootkit Hunter version 1.4.2 ]

Checking system commands...

  Performing 'strings' command checks
    Checking 'strings' command                               [ OK ]

  Performing 'shared libraries' checks
    Checking for preloading variables                        [ None found ]
    Checking for preloaded libraries                         [ None found ]
    Checking LD_LIBRARY_PATH variable                        [ Not found ]

  Performing file properties checks
    Checking for prerequisites                               [ OK ]
    /usr/bin/awk                                             [ OK ]
    /usr/bin/basename                                        [ OK ]
    /usr/bin/bash                                            [ OK ]
    /usr/bin/cat                                             [ OK ]
    /usr/bin/chattr                                          [ OK ]
    /usr/bin/chmod                                           [ OK ]
    /usr/bin/chown                                           [ OK ]
    /usr/bin/cp                                              [ OK ]
...
Another tool is fuser
[root@localhost mythcat]# fuser -vn tcp 5222
...
The output of this command let you to see the recall of anything on your machine that should be listening on tcp port 5222.
[root@localhost mythcat]# fuser -vn tcp 19635
...
This output indicates that there is a process named "foo" running with PID number and listening on port 19635. The last tool is ISPProtect. ISPProtect is a malware scanner for web servers, it scans for malware in website files and CMS systems like Wordpress, Joomla, Drupal

Thursday, March 9, 2017

News: WikiLeaks begins its new series of leaks on the U.S. Central Intelligence Agency.

This is a old news and comes from WikiLeaks how to start one new series of leaks on the U.S. Central Intelligence Agency.
For me is another way to show bugs to people.
The article can be found here:
Some software come with new updates to fix bugs - like notepad, see article: Notepad++ 7.3.3 update fixe.

Monday, September 12, 2016

Linux with a irc trojan.

Accordind to this article written on Sep 9, 2016 08:40 GMT - Linux OS is vulnerable again.
The new trojan coded in Rust gathers information about the local system and sends it to its C&C server.
The Rust is a systems programming language that runs blazingly fast, prevents segfaults, and guarantees thread safety.
The syntax and semantics of Rust is similar to that of the Perl programming language.
However the security researchers have discovered Linux malware coded in languages such as Go (Rex) and Lua (LuaBot), but most of it is coded in C or C++ (Mirai).
The trojan integrates the "irc" Rust library by Aaron Weiss, in order to communicate via the IRC protocol to a remote IRC public channel.
Named "Linux.BackDoor.Irc.16 was designed to be a cross-platform Trojan ...
This tojan has recent discovery by Dr.Web, a Russian antivirus maker and published an article on their blog.

Tuesday, February 9, 2016

Google celebrate Safer Internet Day 2016 with one great gift.

All you have to do is check your secure account.
After that will see this message: To help celebrate Safer Internet Day 2016, we added 2 GB of free Drive storage to your Google account because you completed the Security Checkup.

Monday, January 4, 2016

News: OpenBSD and Nightly Mozilla Firefox security.

W^X ("Write XOR Execute"; spoken as W xor X[1]) is the name of a security feature present in the OpenBSD operating system. It is a memory protection policy whereby every page in a process' address space is either writable or executable, but not both simultaneously. from wikipedia.

The new Nightly Mozilla Firefox comes with enabled the security feature W^X.
Also will be it available to other versions of its web browser once they are upgraded to version 46.
The implementation of W^X makes all Just in Time ( named JIT) code page working with the browser.
This will need to write to pages, a function needs to be called to explicitly make the page writable. Also, that will remove the execute flag at the same time. The good thing is the permissions for memory pages which allows the compiler to patch code without performance overhead.

Wednesday, December 30, 2015

Joanna Rutkowska talk on the 32C3 streaming site.

Joanna Rutkowska covered the last few decades of security on computers.
You can see Joanna Rutkowska 32c3 streaming media.

Wednesday, November 26, 2014

News: Linux best security suite .

I found this article useful for users of the Linux operating system with the internet.
According to this website the best security suite for Linux OS, it's the ESET Antivirus and Antispyware.
This shields your Linux system against malware and keeps out cross-platform threats.
The experts tested most 24 security suites and 8 corporate security solutions. 
The article is very interesting - not only a top of the software. It includes specific test data made with details.