Hack The Sec-Leading Resource Of Linux Tutorial: Security

Setting Up a Port Forwarding Using Uncomplicated Firewall(UFW)

<p style="text-align: center;"><span style="font-family: arial; font-size: large;"><b><u><br />Setting Up a Port Forwarding Using Uncomplicated Firewall(UFW)</u></b></span></p><p><span style="font-family: georgia; font-size: medium;">The Linux kernel in Ubuntu provides a packet filtering system called netfilter, and the traditional interface for manipulating netfilter are the iptables suite of commands. iptables provide a complete firewall solution that is both highly configurable and highly flexible.</span></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnwJqO5t-cjYlTKJwDUOWpBE6hpcStrXARypGodCji4qUFUgtg2ocsVUHZGm_VaZJARKMRjmnlgIDhOUHWEO5wTG0-oclNxRCZpvAiHMjuATmAULsaXKwqEUTKSxNrB7g385tyZmzbc_ZT/s577/firewall_www.hackthesec.co.in.jpg" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="359" data-original-width="577" height="199" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnwJqO5t-cjYlTKJwDUOWpBE6hpcStrXARypGodCji4qUFUgtg2ocsVUHZGm_VaZJARKMRjmnlgIDhOUHWEO5wTG0-oclNxRCZpvAiHMjuATmAULsaXKwqEUTKSxNrB7g385tyZmzbc_ZT/s320/firewall_www.hackthesec.co.in.jpg" width="320" /></a></div><span style="font-family: georgia; font-size: medium;"><br /></span><p></p><p><span style="font-family: georgia; font-size: medium;">Becoming proficient in iptables takes time, and getting started with netfilter firewalling using only iptables can be a daunting task. As a result, many frontends for iptables have been created over the years, each trying to achieve a different result and targeting a different audience.</span></p><p></p><p><span style="font-family: georgia; font-size: medium;">The Uncomplicated Firewall (ufw) is a frontend for iptables and is particularly well-suited for host-based firewalls. ufw provides a framework for managing netfilter, as well as a command-line interface for manipulating the firewall. ufw aims to provide an easy to use interface for people unfamiliar with firewall concepts, while at the same time simplifies complicated iptables commands to help an administrator who knows what he or she is doing. ufw is an upstream for other distributions and graphical frontends.</span></p><p><span style="color: #2b00fe; font-family: georgia; font-size: medium;"><b><u>Setting Up a Port Forward</u></b></span></p><p><span style="font-family: georgia; font-size: medium;">We are going to forward incoming traffic on the port 8000 to 8081</span></p><p><span style="font-family: georgia; font-size: medium;"><b>Enabling UFW:</b> If not already enabled, start by enabling UFW. Run the following command in the terminal:</span></p><pre class="language-markup" style="background: rgb(39, 40, 34); border-radius: 0.3em; box-sizing: border-box; color: #f8f8f2; direction: ltr; font-family: Consolas, Monaco, "Andale Mono", monospace; font-size: 15.36px; hyphens: none; line-height: 1.2; margin-bottom: 20px; margin-top: 0px; max-width: 100%; overflow: auto; padding: 10px; tab-size: 4; text-shadow: rgba(0, 0, 0, 0.3) 0px 1px; word-break: normal;"><code class="language-markup" style="box-sizing: border-box; direction: ltr; font-family: Consolas, Monaco, "Andale Mono", monospace; font-size: 14.7456px; hyphens: none; line-height: 1.2; tab-size: 4; text-shadow: rgba(0, 0, 0, 0.3) 0px 1px; word-break: normal; word-spacing: normal;">[<a class="token email-link" href="https://www.hackthesec.co.in/2023/02/root@hackthesec" style="background-color: transparent; box-sizing: border-box; color: #007abe; text-decoration-line: none;">root@hackthesec</a> ~]# sudo ufw enable</code></pre><p><span style="font-family: georgia;"><span style="font-size: medium;">Open the UFW configuration file: To set up port forwarding, you must edit the UFW configuration file, <b>located at /etc/default/ufw</b>.</span><span style="font-size: large;">    </span></span></p><p><span style="font-family: georgia; font-size: medium;">We mostly proffered Nano editor  </span></p><pre class="language-markup" style="background: rgb(39, 40, 34); border-radius: 0.3em; box-sizing: border-box; color: #f8f8f2; direction: ltr; font-family: Consolas, Monaco, "Andale Mono", monospace; font-size: 15.36px; hyphens: none; line-height: 1.2; margin-bottom: 20px; margin-top: 0px; max-width: 100%; overflow: auto; padding: 10px; tab-size: 4; text-shadow: rgba(0, 0, 0, 0.3) 0px 1px; word-break: normal;"><code class="language-markup" style="box-sizing: border-box; direction: ltr; font-family: Consolas, Monaco, "Andale Mono", monospace; font-size: 14.7456px; hyphens: none; line-height: 1.2; tab-size: 4; text-shadow: rgba(0, 0, 0, 0.3) 0px 1px; word-break: normal; word-spacing: normal;">[<a class="token email-link" href="https://www.hackthesec.co.in/2023/02/root@hackthesec" style="background-color: transparent; box-sizing: border-box; color: #007abe; text-decoration-line: none;">root@hackthesec</a> ~]# sudo nano /etc/default/ufw</code></pre><p><span style="font-family: georgia; font-size: medium;">Enable packet forwarding: In the UFW configuration file, find the line that says </span></p><p><span style="font-family: georgia; font-size: medium;"><b>DEFAULT_FORWARD_POLICY="DROP" </b></span></p><p><span style="font-family: georgia; font-size: medium;">Change DROP to ACCEPT so it looks like this: </span></p><p><span style="font-family: georgia; font-size: medium;"><b>DEFAULT_FORWARD_POLICY="ACCEPT" </b></span></p><p><span style="font-family: georgia; font-size: medium;">This change allows UFW to forward packets, which is necessary for port forwarding.</span></p><pre class="language-markup" style="background: rgb(39, 40, 34); border-radius: 0.3em; box-sizing: border-box; color: #f8f8f2; direction: ltr; font-family: Consolas, Monaco, "Andale Mono", monospace; font-size: 15.36px; hyphens: none; line-height: 1.2; margin-bottom: 20px; margin-top: 0px; max-width: 100%; overflow: auto; padding: 10px; tab-size: 4; text-shadow: rgba(0, 0, 0, 0.3) 0px 1px; word-break: normal;"><code class="language-markup" style="box-sizing: border-box; direction: ltr; font-family: Consolas, Monaco, "Andale Mono", monospace; font-size: 14.7456px; hyphens: none; line-height: 1.2; tab-size: 4; text-shadow: rgba(0, 0, 0, 0.3) 0px 1px; word-break: normal; word-spacing: normal;">[<a class="token email-link" href="https://www.hackthesec.co.in/2023/02/root@hackthesec" style="background-color: transparent; box-sizing: border-box; color: #007abe; text-decoration-line: none;">root@hackthesec</a> ~]# DEFAULT_FORWARD_POLICY="ACCEPT"</code></pre><p><span style="font-family: verdana; font-size: medium;"></span></p><p><span style="color: #0a0a0a; font-family: georgia;"><span style="font-size: 17px;">Press <b>Ctrl+O</b> to save the changes, then <b>Ctrl+X </b>to exit nano.</span></span></p><p><span style="color: #0a0a0a; font-size: 17px;"><span style="font-family: georgia;"><b>Modify UFW’s before rules:</b> UFW uses a set of "<b>before rules</b>" that are executed before the standard rules. These before rules can be used to set up port forwarding. </span></span></p><pre class="language-markup" style="background: rgb(39, 40, 34); border-radius: 0.3em; box-sizing: border-box; color: #f8f8f2; direction: ltr; font-family: Consolas, Monaco, "Andale Mono", monospace; font-size: 15.36px; hyphens: none; line-height: 1.2; margin-bottom: 20px; margin-top: 0px; max-width: 100%; overflow: auto; padding: 10px; tab-size: 4; text-shadow: rgba(0, 0, 0, 0.3) 0px 1px; word-break: normal;"><code class="language-markup" style="box-sizing: border-box; direction: ltr; font-family: Consolas, Monaco, "Andale Mono", monospace; font-size: 14.7456px; hyphens: none; line-height: 1.2; tab-size: 4; text-shadow: rgba(0, 0, 0, 0.3) 0px 1px; word-break: normal; word-spacing: normal;">[<a class="token email-link" href="https://www.hackthesec.co.in/2023/02/root@hackthesec" style="background-color: transparent; box-sizing: border-box; color: #007abe; text-decoration-line: none;">root@hackthesec</a> ~]# sudo nano /etc/ufw/before.rules </code></pre><p><span style="font-family: georgia; font-size: medium;">Add the following lines at the end of the file, replacing <your-ip> with the IP address of the machine where the packets will be forwarded:</span></p><pre class="language-markup" style="background: rgb(39, 40, 34); border-radius: 0.3em; box-sizing: border-box; direction: ltr; hyphens: none; line-height: 1.2; margin-bottom: 20px; margin-top: 0px; max-width: 100%; overflow: auto; padding: 10px; tab-size: 4; text-shadow: rgba(0, 0, 0, 0.3) 0px 1px; word-break: normal;"><span style="color: #f8f8f2; font-family: Consolas, Monaco, Andale Mono, monospace;"><span style="font-size: 14.7456px;"># NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
 
# Forward traffic from port 8000 to port 8081.
-A PREROUTING -p tcp --dport 8000 -j DNAT --to-destination <your-ip>:8081
 
# Don’t masquerade local traffic.
-A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
 
COMMIT</span></span></pre><p><span style="font-family: georgia;"><span style="color: #0a0a0a; font-size: 17px;">Press </span><b style="color: #0a0a0a; font-size: 17px;">Ctrl+O</b><span style="color: #0a0a0a; font-size: 17px;"> to save the changes, then </span><b style="color: #0a0a0a; font-size: 17px;">Ctrl+X </b><span style="color: #0a0a0a; font-size: 17px;">to exit nano.</span></span></p><p><span style="font-family: georgia; font-size: medium;">Restart UFW: Finally, for the changes to take effects</span></p><pre class="language-markup" style="background: rgb(39, 40, 34); border-radius: 0.3em; box-sizing: border-box; color: #f8f8f2; direction: ltr; font-family: Consolas, Monaco, "Andale Mono", monospace; font-size: 15.36px; hyphens: none; line-height: 1.2; margin-bottom: 20px; margin-top: 0px; max-width: 100%; overflow: auto; padding: 10px; tab-size: 4; text-shadow: rgba(0, 0, 0, 0.3) 0px 1px; word-break: normal;"><code class="language-markup" style="box-sizing: border-box; direction: ltr; font-family: Consolas, Monaco, "Andale Mono", monospace; font-size: 14.7456px; hyphens: none; line-height: 1.2; tab-size: 4; text-shadow: rgba(0, 0, 0, 0.3) 0px 1px; word-break: normal; word-spacing: normal;">[<a class="token email-link" href="https://www.hackthesec.co.in/2023/02/root@hackthesec" style="background-color: transparent; box-sizing: border-box; color: #007abe; text-decoration-line: none;">root@hackthesec</a> ~]# sudo ufw disable 
[<a class="token email-link" href="https://www.hackthesec.co.in/2023/02/root@hackthesec" style="background-color: transparent; box-sizing: border-box; color: #007abe; text-decoration-line: none; word-spacing: normal;">root@hackthesec</a><span style="word-spacing: normal;"> ~]# </span>sudo ufw enable </code></pre><p><span style="font-family: verdana; font-size: medium;"><br /></span></p><p><span style="font-family: georgia; font-size: medium;">@hackthesecurity</span></p>

Setting Up a Port Forwarding Using Uncomplicated Firewall(UFW)

Setting Up a Port Forwarding Using Uncomplicated Firewall(UFW)The Linux kernel in Ubuntu provides a packet filtering system called netfilter, and the traditional interface for manipulating netfilter a…

24 May 2023

How to Install RkHunter for Rootkit/Trojan Scanning

<div dir="ltr" style="text-align: left;" trbidi="on">
<h2 style="background-color: white; box-sizing: border-box; font-family: Raleway, 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 30px; line-height: 1.1; margin-bottom: 10px; margin-top: 20px;">
<u><span style="color: #990000;">Install RkHunter for Rootkit/Trojan Scanning</span></u></h2>
<div>
<div>
<span style="color: #333333; font-family: verdana, geneva, sans-serif;"><span style="font-size: 15px; line-height: 26px;">rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. It does this by comparing SHA-1 hashes of important files with known good ones in online databases, searching for default directories (of rootkits), wrong permissions, hidden files, suspicious strings in kernel modules, and special tests for Linux and FreeBSD.</span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9WmIkraUjyiCVITCByQUNHuPlfMMaExYHynuVl4zEqXtQ0SSuSZYJ_QsThdhHC1KG6Rk6aO6CcYLxVfUTgv8n_5qjC28-d4TR1k2nwb9G9JyKtggTwi7rZEAs4zGpA5Msw9HSrAton3cL/s1600/rkhunter_hackthesec.co.in.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9WmIkraUjyiCVITCByQUNHuPlfMMaExYHynuVl4zEqXtQ0SSuSZYJ_QsThdhHC1KG6Rk6aO6CcYLxVfUTgv8n_5qjC28-d4TR1k2nwb9G9JyKtggTwi7rZEAs4zGpA5Msw9HSrAton3cL/s1600/rkhunter_hackthesec.co.in.png" /></a></div>
<div>
<span style="color: #333333; font-family: verdana, geneva, sans-serif;"><span style="font-size: 15px; line-height: 26px;"><br /></span></span></div>
<div>
<span style="color: #333333; font-family: verdana, geneva, sans-serif;"><span style="font-size: 15px; line-height: 26px;">The tool has been written in Bourne shell, to allow for portability. It can run on almost all UNIX-derived systems.</span></span></div>
</div>
<div>
<pre style="background: none 0px 0px repeat scroll rgb(60, 60, 60); border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-family: Courier New, Courier, monospace;"><span style="font-size: 12px; line-height: 15.6px;">$ wget http://space.dl.sourceforge.net/project/rkhunter/rkhunter/1.3.8/rkhunter-1.3.8.tar.gz
$ cd rkhunter-1.3.8
$ sh installer.sh</span></span></pre>
</div>
<div>
<span style="color: #333333; font-family: verdana, geneva, sans-serif;"><span style="font-size: 15px; line-height: 26px;">To see the list of commands which can be executed use: the command below:</span></span></div>
<div>
<pre style="background: none 0px 0px repeat scroll rgb(60, 60, 60); border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-family: Courier New, Courier, monospace;"><span style="font-size: 12px; line-height: 15.6px;">$ rkhunter –help</span></span></pre>
<pre style="background: none 0px 0px repeat scroll rgb(60, 60, 60); border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-family: Courier New, Courier, monospace;"><span style="font-size: 12px; line-height: 15.6px;"><a href="http://www.hackthesec.co.in/">www.hackthesec.co.in</a></span></span></pre>
</div>
</div>

How to Install RkHunter for Rootkit/Trojan Scanning

Install RkHunter for Rootkit/Trojan Scanning rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. It does this by comparing SHA-1 hashes of i…

04 May 2016

Installing BDF For Bruteforce Prevention

<div dir="ltr" style="text-align: left;" trbidi="on">
<h2 style="background-color: white; box-sizing: border-box; font-family: Raleway, 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 30px; line-height: 1.1; margin-bottom: 10px; margin-top: 20px;">
<u><span style="color: #990000;">BDF For Bruteforce Prevention</span></u></h2>
<div>
<span style="color: #333333; font-family: verdana, geneva, sans-serif;"><span style="font-size: 15px; line-height: 26px;">BFD is a modular shell script for parsing application logs and checking for authentication failures. It does this using a rules system where application specific options are stored including regular expressions for each unique auth format.</span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAmCYSAhZM7Yul1Qvhurz5fmAo-Xc9ifqGBC3KsZfEt4obNujDrERENB2qG5hSMRhEZ7prkdXP4Z8UnPWZfipqHKjPeV-_QdErStz4IFr_uU9p2Kx20IH2b74Zg0GFcGAbidYDafsyVPkD/s1600/Brute_Force_Login_Protection_hackthesec.co.in.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAmCYSAhZM7Yul1Qvhurz5fmAo-Xc9ifqGBC3KsZfEt4obNujDrERENB2qG5hSMRhEZ7prkdXP4Z8UnPWZfipqHKjPeV-_QdErStz4IFr_uU9p2Kx20IH2b74Zg0GFcGAbidYDafsyVPkD/s1600/Brute_Force_Login_Protection_hackthesec.co.in.jpg" /></a></div>
<div>
<span style="color: #333333; font-family: verdana, geneva, sans-serif;"><span style="font-size: 15px; line-height: 26px;"> The regular expressions are parsed against logs using the ‘sed’ tool (stream editor) which allows for excellent performance in all environments</span></span></div>
<div>
<pre style="background: none 0px 0px repeat scroll rgb(60, 60, 60); border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-family: Courier New, Courier, monospace;"><span style="line-height: 15.6px;">wget http://www.rfxn.com/downloads/bfd-current.tar.gz
tar zxvf bfd-current.tar.gz
cd bfd-1.4
sh install.sh</span></span></pre>
</div>
<div>
<span style="color: #333333; font-family: verdana, geneva, sans-serif;"><span style="font-size: 15px; line-height: 26px;">After installing we have to edit configuration file which can be found here:-</span></span></div>
<div>
<pre style="background: none 0px 0px repeat scroll rgb(60, 60, 60); border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-family: Courier New, Courier, monospace;"><span style="line-height: 15.6px;">/usr/local/bfd/conf.bfd</span></span></pre>
<pre style="background: none 0px 0px repeat scroll rgb(60, 60, 60); border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-family: Courier New, Courier, monospace;"><span style="line-height: 15.6px;">www.hackthesec.co.in</span></span></pre>
</div>
</div>

Installing BDF For Bruteforce Prevention

BDF For Bruteforce Prevention BFD is a modular shell script for parsing application logs and checking for authentication failures. It does this using a rules system where application specific options…

04 May 2016

How to Secure a CentOS Server SSH + Fail2ban + DDOS Deflate

<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="color: #990000; font-size: large;"><u><b>Secure a CentOS Server SSH + Fail2ban + DDOS Deflate</b></u></span><br />
<span style="color: #333333; font-family: verdana, geneva, sans-serif;"><span style="font-size: 15px; line-height: 26px;">Secure Shell (SSH) is a UNIX-based command interface and protocol for securely getting access to a remote computer. By default SSH run on port 22. The ideal solution is to change this default value to other port number from 1 to 65535.</span></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjC2UG7hlDw7h6NEQQGMw8cqPEK5fD0hMP9t4uuwh_H3SQD1Hm-N_oUu0QJlFUL5P0IVx0vT-dfNx5mUNDIv_STffytGS1RHx-D35jGzi0s-EurvbZMlIJorVsPQj5HUGyeA_E_1Zjn1pFX/s1600/Blog1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="266" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjC2UG7hlDw7h6NEQQGMw8cqPEK5fD0hMP9t4uuwh_H3SQD1Hm-N_oUu0QJlFUL5P0IVx0vT-dfNx5mUNDIv_STffytGS1RHx-D35jGzi0s-EurvbZMlIJorVsPQj5HUGyeA_E_1Zjn1pFX/s400/Blog1.jpg" width="400" /></a></div>
<span style="color: #333333; font-family: verdana, geneva, sans-serif;"><span style="font-size: 15px; line-height: 26px;"><br /></span></span>
<span style="color: #333333; font-family: verdana, geneva, sans-serif;"><span style="font-size: 15px; line-height: 26px;"><b><u>Strengthening SSH access</u></b></span></span><br />
<span style="color: #333333; font-family: verdana, geneva, sans-serif;"><span style="font-size: 15px; line-height: 26px;">login to your server via SSH</span></span><br />
<pre style="background: none 0px 0px repeat scroll rgb(60, 60, 60); border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-family: Courier New, Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;">vi /etc/ssh/sshd_config</span></span></pre>
<span style="color: #333333; font-family: verdana, geneva, sans-serif;"><span style="font-size: 15px; line-height: 26px;">Uncommented line that defines the port</span></span><br />
<pre style="background: none 0px 0px repeat scroll rgb(60, 60, 60); border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-family: Courier New, Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;">#Port 22

set this to a port that is not already in use

port 8070</span></span></pre>
<br />
<span style="color: #333333; font-family: verdana, geneva, sans-serif;"><span style="font-size: 15px; line-height: 26px;">Allow SSH port on Iptables Firewall</span></span><br />
<pre style="background: none 0px 0px repeat scroll rgb(60, 60, 60); border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-family: Courier New, Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;">vi /etc/sysconfig/iptables
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8070 -j ACCEPT
service iptables restart</span></span></pre>
<span style="background-color: white; font-size: 15px; line-height: 26px;"><span style="color: #333333; font-family: verdana, geneva, sans-serif;">Apply this setting</span></span><br />
<pre style="background: none 0px 0px repeat scroll rgb(60, 60, 60); border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-family: Courier New, Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;">/etc/init.d/sshd restart</span></span></pre>
<span style="background-color: white; font-size: 15px; line-height: 26px;"><span style="color: #333333; font-family: verdana, geneva, sans-serif;">SSH will now be listening on newly set port. - 8070</span></span><br />
<div style="text-align: center;">
<span style="background-color: white; font-size: 15px; line-height: 26px;"><span style="color: #0b5394; font-family: verdana, geneva, sans-serif;"><b><u>Prevent bruteforce using Fail2ban and DDOS Deflate</u></b></span></span></div>
<div style="text-align: left;">
<span style="background-color: white; font-size: 15px; line-height: 26px;"><span style="color: #333333; font-family: verdana, geneva, sans-serif;"><a href="http://www.fail2ban.org/wiki/index.php/Main_Page">Fail2ban </a>fails to protect against a distributed brute force attack. this is used to block selected IP addresses that may belong to hosts that are trying to breach the system's security.</span></span></div>
<span style="background-color: white; font-size: 15px; line-height: 26px;"><span style="color: #333333; font-family: verdana, geneva, sans-serif;"><b><u>Download and Install Fail2ban </u></b></span></span><br />
<pre style="background: none 0px 0px repeat scroll rgb(60, 60, 60); border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-family: Courier New, Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;">rpm -ivh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-7.noarch.rpm
yum install fail2ban
vi /etc/fail2ban/jail.conf</span></span></pre>
<pre style="background-color: whitesmoke; border-radius: 4px; border: 1px solid rgb(204, 204, 204); box-sizing: border-box; margin-bottom: 10px; overflow: auto; padding: 9.5px; word-break: break-all; word-wrap: break-word;"><span style="color: #333333; font-family: Menlo, Monaco, Consolas, Courier New, monospace; font-size: large;"><span style="line-height: 25.7143px;">ignoreip = 127.0.0.1
bantime  = 240
findtime  = 240
maxretry = 10</span></span></pre>
<span style="background-color: white; color: #333333; font-family: verdana, geneva, sans-serif; font-size: 15px; line-height: 26px;">You can change as your need.</span><br />
<span style="background-color: white; font-size: 15px; line-height: 26px;"><span style="color: #333333; font-family: verdana, geneva, sans-serif;"><b><u>Start Fail2ban service</u></b></span></span><br />
<pre style="background: none 0px 0px repeat scroll rgb(60, 60, 60); border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-family: Courier New, Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;">service fail2ban start

/etc/init.d/fail2ban start</span></span></pre>
<div style="text-align: center;">
<span style="background-color: white; font-size: 15px; line-height: 26px;"><span style="color: #0b5394; font-family: verdana, geneva, sans-serif;"><b><u> DDOS Deflate</u></b></span></span></div>
<span style="background-color: white;"><span style="color: #333333; font-family: verdana, geneva, sans-serif;"><a href="http://deflate.medialayer.com/" style="font-size: 15px; line-height: 26px;">DoS Deflate</a><span style="font-size: 15px; line-height: 26px;"> is a lightweight bash shell script designed to assist in the process of blocking a denial of service attack. It utilizes the command below to create a list of IP addresses connected to the server, along with their total number of connections. It is one of the simplest and easiest to install solutions at the software level.</span><br /><span style="font-size: 15px; line-height: 26px;"><b>How To Install (D)DoS Deflate :-</b></span></span></span><br />
<pre style="background: none 0px 0px repeat scroll rgb(60, 60, 60); border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-family: Courier New, Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;">cd /tmp
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh</span></span></pre>
<span style="background-color: white; font-size: 15px; line-height: 26px;"><span style="color: #333333; font-family: verdana, geneva, sans-serif;"><b>How To UnInstall (D)DoS Deflate :-</b></span></span><br />
<pre style="background: none 0px 0px repeat scroll rgb(60, 60, 60); border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-family: Courier New, Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;">wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
chmod 0700 uninstall.ddos
./uninstall.ddos</span></span></pre>
<span style="background-color: white; font-size: 15px; line-height: 26px;"><span style="color: #333333; font-family: verdana, geneva, sans-serif;">How To Edit Configuration File:-<br />you can set your email for email notification and many more option</span></span><br />
<pre style="background: none 0px 0px repeat scroll rgb(60, 60, 60); border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-family: Courier New, Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;">vi /usr/local/ddos/ddos.conf</span></span></pre>
<pre style="background-color: whitesmoke; border-radius: 4px; border: 1px solid rgb(204, 204, 204); box-sizing: border-box; margin-bottom: 10px; overflow: auto; padding: 9.5px; word-break: break-all; word-wrap: break-word;"><span style="color: #333333; font-family: Menlo, Monaco, Consolas, Courier New, monospace;"><span style="line-height: 25.7143px;">PROGDIR="/usr/local/ddos"
PROG="/usr/local/ddos/ddos.sh"
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list"
CRON="/etc/cron.d/ddos.cron"
APF="/etc/apf/apf"
IPT="/sbin/iptables"

##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
#####          option so that the new frequency takes effect
FREQ=1

##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=5

##### APF_BAN=1 (Make sure your APF version is atleast 0.96)
##### APF_BAN=0 (Uses iptables for banning ips instead of APF)
APF_BAN=1

##### KILL=0 (Bad IPs are'nt banned, good for interactive execution of script)
##### KILL=1 (Recommended setting)
KILL=1

##### An email is sent to the following address when an IP is banned.
##### Blank would suppress sending of mails
EMAIL_TO="info@hackthesec.co.in"

##### Number of seconds the banned ip should remain in blacklist.
BAN_PERIOD=600</span></span><span style="color: #333333; font-size: 12px; line-height: 19.2px;">
</span></pre>
<div>
<br /></div>
<span style="background-color: white; font-size: 15px; line-height: 26px;"><span style="color: #333333; font-family: verdana, geneva, sans-serif;"><b>How To Check The Number Of Connected Ips:-</b></span></span><br />
<pre style="background: none 0px 0px repeat scroll rgb(60, 60, 60); border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-family: Courier New, Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;">sh /usr/local/ddos/ddos.sh</span></span></pre>
<span style="background-color: white; font-size: 15px; line-height: 26px;"><span style="color: #333333; font-family: verdana, geneva, sans-serif;"><b>How To Restart DDos Deflate:-</b></span></span><br />
<pre style="background: none 0px 0px repeat scroll rgb(60, 60, 60); border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-family: Courier New, Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;">sh /usr/local/ddos/ddos.sh -c</span></span></pre>
<pre style="background: none 0px 0px repeat scroll rgb(60, 60, 60); border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-family: Courier New, Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;"><a href="http://www.hackthesec.co.in/">www.hackthesec.co.in</a></span></span></pre>
</div>

How to Secure a CentOS Server SSH + Fail2ban + DDOS Deflate

Secure a CentOS Server SSH + Fail2ban + DDOS Deflate Secure Shell (SSH) is a UNIX-based command interface and protocol for securely getting access to a remote computer. By default SSH run on port 22.…

04 May 2016

Find (View) Default Zone for Firewalld on CentOS 7

<div dir="ltr" style="text-align: left;" trbidi="on">
<h1 class="entry-title" style="background-color: white; border: 0px; box-sizing: inherit; font-family: proxima-nova, sans-serif; line-height: 3.4rem; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">
<span style="font-size: large;"><u>Default Zone for Firewalld on CentOS</u></span></h1>
<div>
<span style="color: #222222; font-family: Verdana, Geneva, sans-serif;"><span style="font-size: 15px; line-height: 26px;"><b>FirewallD </b>is a firewall management tool for Linux operating systems. It provides firewall features by acting as a front-end for the iptables packet filtering system provided by the Linux kernel.The name firewalld adhekres to the Unix convention of naming system daemons by appending the letter “d”.</span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidMhBSIkaFV-5V29KsSx21R5-88rjd0MpN0qexTBjjWGDo1EGwneJSYHvoMh-TyYEviYXK5AvOi9Y5bvP1whsE8Pk6Rkb9yJr6X8YWfK9aTLzEy9nKUvrNh3DxPLrhJNjGFS7ucm7DIYTN/s1600/firewall-www.hackthesec.co.in.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidMhBSIkaFV-5V29KsSx21R5-88rjd0MpN0qexTBjjWGDo1EGwneJSYHvoMh-TyYEviYXK5AvOi9Y5bvP1whsE8Pk6Rkb9yJr6X8YWfK9aTLzEy9nKUvrNh3DxPLrhJNjGFS7ucm7DIYTN/s1600/firewall-www.hackthesec.co.in.png" /></a></div>
<div>
<span style="color: #222222; font-family: Verdana, Geneva, sans-serif;"><span style="font-size: 15px; line-height: 26px;">Zones enhance an administrator’s capability to define trusts and restrict network traffic. On installation and without any configuration, the default zone for firewalld is set to the public zone.</span></span></div>
<div>
<span style="background-color: #ffff88; font-family: proxima-nova, sans-serif; font-size: 13px; line-height: 19.5px;">Note: When network interfaces added to firewalld they are assigned to the default zone.</span></div>
<div>
<pre style="background-attachment: scroll; background-clip: initial; background-color: #3c3c3c; background-image: none; background-origin: initial; background-position: 0px 0px; background-repeat: repeat; background-size: initial; border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-size: medium;"><span style="line-height: 15.6px;">firewall-cmd --get-default-zone</span></span></pre>
</div>
<div>
<pre class="xtypo_info" style="background: url("assets/shadow.png") 50% 100% repeat-x rgb(245, 245, 245); border-radius: 4px; border: 1px solid rgb(204, 204, 204); box-shadow: rgb(204, 204, 204) 0px 0px 3px; box-sizing: border-box; color: #333333; font-family: Menlo, Monaco, Consolas, 'Courier New', monospace; font-size: 13px; font-stretch: normal; line-height: 1.42857; margin-bottom: 10px; overflow: auto; padding: 9.5px; tab-size: 4; text-shadow: rgb(255, 255, 255) 0px 1px 0px; white-space: pre-wrap; word-break: break-all; word-wrap: break-word;">public</pre>
</div>
<div>
<span style="color: #222222; font-family: Verdana, Geneva, sans-serif;"><span style="font-size: 15px; line-height: 26px;">In this case the default zone is the public zone. The default trust level of this zone is to not trust the other servers on the network. Only chosen incoming connections are accepted.</span></span></div>
<div>
<a href="http://www.hackthesec.co.in/">www.hackthesec.co.in</a></div>
</div>

Find (View) Default Zone for Firewalld on CentOS 7

Default Zone for Firewalld on CentOS FirewallD is a firewall management tool for Linux operating systems. It provides firewall features by acting as a front-end for the iptables packet filtering syst…

11 Mar 2016

Five Penetration Testing Tools

<div dir="ltr" style="text-align: left;" trbidi="on">
<h1 class="entry-title" style="background-color: white; box-sizing: border-box; font-family: Roboto, sans-serif; line-height: 50px; margin: 0px 0px 7px; word-wrap: break-word;">
<span style="color: red; font-size: x-large;"><u>Five Pentest Tools for you</u></span></h1>
<div>
<div style="background-color: white; box-sizing: border-box; color: #222222; font-family: Verdana, Geneva, sans-serif; font-size: 15px; line-height: 26px; margin-bottom: 26px;">
A pentest, short-name for <strong style="box-sizing: border-box;">penetration test</strong>, is a software attack which looks for security weaknesses in a system. Penetration tests are a component of a full security audit. For example, <strong style="box-sizing: border-box;">the Payment Card Industry Data Security Standard requires penetration testing on a regular schedule, and after system changes</strong>.</div>
<div style="background-color: white; box-sizing: border-box; color: #222222; font-family: Verdana, Geneva, sans-serif; font-size: 15px; line-height: 26px; margin-bottom: 26px;">
In this article, we will talk about five open source pentest tools, but remember that their use against systems not owned by you could <strong style="box-sizing: border-box;">lead to legal troubles</strong>. Keep it in mind!</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHCMh0WeEAo-bkabVtyxDZC9TXH0YBqADtXH0OG_YQWcHzrv_m53R2GgNi9o8tL3nwdgD1Pz-ajNfWD9UvutWCWF0pPAaGA-27M92MpFuX69xahCwYPFk1nT_zhQUKdJEqBtXV8qmQsmir/s1600/penetration-testing-www.hackthesec.co.in.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHCMh0WeEAo-bkabVtyxDZC9TXH0YBqADtXH0OG_YQWcHzrv_m53R2GgNi9o8tL3nwdgD1Pz-ajNfWD9UvutWCWF0pPAaGA-27M92MpFuX69xahCwYPFk1nT_zhQUKdJEqBtXV8qmQsmir/s1600/penetration-testing-www.hackthesec.co.in.jpg" /></a></div>
<h3 style="background-color: white; box-sizing: border-box; color: #111111; font-family: Roboto, sans-serif; font-size: 22px; font-weight: 400; line-height: 30px; margin: 27px 0px 17px;">
</h3>
<h3 style="background-color: white; box-sizing: border-box; color: #111111; font-family: Roboto, sans-serif; font-size: 22px; font-weight: 400; line-height: 30px; margin: 27px 0px 17px;">
<strong style="box-sizing: border-box;">OSWAP ZAP</strong></h3>
<div style="background-color: white; box-sizing: border-box; color: #222222; font-family: Verdana, Geneva, sans-serif; font-size: 15px; line-height: 26px; margin-bottom: 26px;">
<strong style="box-sizing: border-box;"><a href="https://www.owasp.org/">OSWAP </a>ZAP</strong> can help a system administrator find malicious codes <strong style="box-sizing: border-box;">embedded in a Web application</strong>. This software lets an admin choose between automated and manual scanning. When starting the session for the first time, admin will be asked whether he wants the session to be persisted.</div>
<h3 style="background-color: white; box-sizing: border-box; color: #111111; font-family: Roboto, sans-serif; font-size: 22px; font-weight: 400; line-height: 30px; margin: 27px 0px 17px;">
</h3>
<h3 style="background-color: white; box-sizing: border-box; color: #111111; font-family: Roboto, sans-serif; font-size: 22px; font-weight: 400; line-height: 30px; margin: 27px 0px 17px;">
<strong style="box-sizing: border-box;">Zenmap</strong></h3>
<div style="background-color: white; box-sizing: border-box; color: #222222; font-family: Verdana, Geneva, sans-serif; font-size: 15px; line-height: 26px; margin-bottom: 26px;">
Maybe you already know Nmap, a security scanner used to discover hosts and services on a computer network. Commands given to this program are processed sequentially. This makes more difficult for the administrator to track which commands were erroneously entered in previous steps. <a href="https://nmap.org/zenmap/"><strong style="box-sizing: border-box;">Zenmap</strong> </a>tries to solve this problem, implementing a GUI, and an interface for saving profiles and creating sets of Nmap commands.</div>
<h3 style="background-color: white; box-sizing: border-box; color: #111111; font-family: Roboto, sans-serif; font-size: 22px; font-weight: 400; line-height: 30px; margin: 27px 0px 17px;">
</h3>
<h3 style="background-color: white; box-sizing: border-box; color: #111111; font-family: Roboto, sans-serif; font-size: 22px; font-weight: 400; line-height: 30px; margin: 27px 0px 17px;">
<strong style="box-sizing: border-box;">Scapy</strong></h3>
<div style="background-color: white; box-sizing: border-box; color: #222222; font-family: Verdana, Geneva, sans-serif; font-size: 15px; line-height: 26px; margin-bottom: 26px;">
<a href="http://www.secdev.org/projects/scapy/">Scapy </a>is a tool which permits to <strong style="box-sizing: border-box;">interactively decode and inject packets and get answers</strong>. Scapy module can also be imported inside a Python program. There are also optional packages for plotting, 3D graphics, WEP encryption and Web application fingerprinting.</div>
<h3 style="background-color: white; box-sizing: border-box; color: #111111; font-family: Roboto, sans-serif; font-size: 22px; font-weight: 400; line-height: 30px; margin: 27px 0px 17px;">
</h3>
<h3 style="background-color: white; box-sizing: border-box; color: #111111; font-family: Roboto, sans-serif; font-size: 22px; font-weight: 400; line-height: 30px; margin: 27px 0px 17px;">
<strong style="box-sizing: border-box;">BeEF</strong></h3>
</div>
<div>
<strong style="box-sizing: border-box;"><div style="background-color: white; box-sizing: border-box; color: #222222; font-family: Verdana, Geneva, sans-serif; font-size: 15px; font-weight: normal; line-height: 26px; margin-bottom: 26px;">
<a href="http://beefproject.com/">BeEF </a>(Browser Exploitation Framework) it’s a GUI-based open source tool, which<strong style="box-sizing: border-box;">examines how someone could use the Web browser to exploit vulnerabilities</strong>. It can hook one or more Web browsers and use them as beachheads for launching further attacks against the system</div>
<h3 style="background-color: white; box-sizing: border-box; color: #111111; font-family: Roboto, sans-serif; font-size: 22px; font-weight: 400; line-height: 30px; margin: 27px 0px 17px;">
</h3>
<h3 style="background-color: white; box-sizing: border-box; color: #111111; font-family: Roboto, sans-serif; font-size: 22px; font-weight: 400; line-height: 30px; margin: 27px 0px 17px;">
<strong style="box-sizing: border-box;">sqlmap</strong></h3>
<div style="background-color: white; box-sizing: border-box; color: #222222; font-family: Verdana, Geneva, sans-serif; font-size: 15px; font-weight: normal; line-height: 26px; margin-bottom: 26px;">
<a href="http://sqlmap.org/">sqlmap </a>is a CLI software designed for automating the process of detecting and exploiting SQL injection flaws and taking over of database servers. It as <strong style="box-sizing: border-box;">full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB and HSQLDB database management systems</strong>.</div>
<div style="background-color: white; box-sizing: border-box; color: #222222; font-family: Verdana, Geneva, sans-serif; font-size: 15px; font-weight: normal; line-height: 26px; margin-bottom: 26px;">
<a href="http://www.hackthesec.co.in/">HACKTHESEC.CO.IN</a></div>
</strong></div>
</div>

Five Penetration Testing Tools

Five Pentest Tools for you A pentest, short-name for penetration test, is a software attack which looks for security weaknesses in a system. Penetration tests are a component of a full security audit…

08 Mar 2016

Two-step Authentication For SSH On Centos 6

<div dir="ltr" style="text-align: left;" trbidi="on">
<h1 class="entry-title" style="border: 0px; clear: both; font-family: Lato, sans-serif; font-size: 33px; line-height: 1.09091; margin: 0px 0px 12px; outline: 0px; padding: 0px; text-transform: uppercase; vertical-align: baseline;">
<span style="color: red;"><u><i>TWO-STEP AUTHENTICATION FOR SSH ON CENTOS 6</i></u></span></h1>
<div>
<span style="color: black;"><a href="http://code.google.com/p/google-authenticator/" style="background-color: white; border: 0px; font-family: Lato, sans-serif; font-size: 16px; line-height: 24px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">Google Authenticator</a><span style="background-color: white; font-family: Lato, sans-serif; font-size: 16px; line-height: 24px;"> implements TOTP (timebased one-time-password) security tokens from RFC6238 via the Google mobile app Google Authenticator. The Authenticator provides a six digit one-time password users must provide in addition to their username and password to login, sometimes branded “two-step authentication”. Here, we install and configure a pluggable authentication module (PAM) which allows login using one-time passcodes.</span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi40xdu7C_0p2adgn-P278IjXylG1Np3bMARVFPqBxvRtTD4kPiTGPcx0B4ciBJST52hgQl4hU11YfHNBt5PN0MrCV5bfuU98qN5cd6Hr4Yb4eUB1Y1VMajsVrA-Iu86p-kS0cn8hSAkh93/s1600/TwoFactorAuthenticationWith-google_authenticator_www.hackthesec.co.in.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi40xdu7C_0p2adgn-P278IjXylG1Np3bMARVFPqBxvRtTD4kPiTGPcx0B4ciBJST52hgQl4hU11YfHNBt5PN0MrCV5bfuU98qN5cd6Hr4Yb4eUB1Y1VMajsVrA-Iu86p-kS0cn8hSAkh93/s1600/TwoFactorAuthenticationWith-google_authenticator_www.hackthesec.co.in.jpg" /></a></div>
<div>
<span style="color: black;"><span style="background-color: white; font-family: Lato, sans-serif; font-size: 16px; line-height: 24px;"><br /></span></span></div>
<div>
<ul style="background-color: white; display: block; font-family: 'Open Sans', serif, sans-serif; font-size: 18.6px; font-weight: 600; text-align: left; text-decoration: none;">
<li><span style="font-size: 18.6px;"><a href="http://www.hackthesec.co.in/2016/02/secure-ssh-with-google-authenticator.html" target="_blank"><span style="color: red;">Secure SSH with Google Authenticator Two-Factor Authentication on CentOS 7</span></a></span></li>
</ul>
</div>
<div>
<h3 style="border: 0px; clear: both; font-family: Lato, sans-serif; font-size: 22px; line-height: 24px; margin: 36px 0px 12px; outline: 0px; padding: 0px; vertical-align: baseline;">
<span style="color: #0b5394;"><u>Download and Install</u></span></h3>
<div style="border: 0px; color: #2b2b2b; font-family: Lato, sans-serif; font-size: 16px; line-height: 24px; margin-bottom: 24px; outline: 0px; padding: 0px; vertical-align: baseline;">
At the time of this writing, only an old version of <b>libpam-google-authenticator</b> is available in the <b><a href="http://www.hackthesec.co.in/2016/01/centos-rhel-scientific-linux-6-enable.html" target="_blank">EPEL package repository</a></b>. Hence, we are going to compile it from source. First, install prerequisites:</div>
<pre style="background-attachment: scroll; background-clip: initial; background-color: #3c3c3c; background-image: none; background-origin: initial; background-position: 0px 0px; background-repeat: repeat; background-size: initial; border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="font-family: Courier New, Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;"><span style="color: white;">[root@hackthesec]# yum install </span><span style="color: lime;">make gcc pam-devel</span></span></span></pre>
</div>
<div>
<span style="background-color: white; font-family: Lato, sans-serif; font-size: 16px; line-height: 24px;">TOTP (timebased one-time-password) security tokens are time sensitive. Hence, make sure that your system has ntpd running, and is configured to start the service at boot:</span></div>
<div>
<pre style="background-attachment: scroll; background-clip: initial; background-color: #3c3c3c; background-image: none; background-origin: initial; background-position: 0px 0px; background-repeat: repeat; background-size: initial; border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-family: 'Courier New', Courier, monospace; font-size: medium; line-height: 15.6px;">[root@hackthesec]#</span><span style="font-family: Courier New, Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;"><span style="color: white;"> service </span><span style="color: orange;">ntpd start</span><span style="color: white;">

</span><span style="color: orange;">Starting </span><span style="color: white;">ntpd:                [  OK  ]

</span></span></span><span style="color: white; font-family: 'Courier New', Courier, monospace; font-size: medium; line-height: 15.6px;">[root@hackthesec]#</span><span style="font-family: Courier New, Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;"><span style="color: white;"> </span><span style="color: lime;">chkconfig  </span><span style="color: white;">ntpd on</span></span></span></pre>
</div>
<div>
<span style="color: white; font-family: Courier New, Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;"><br /></span></span></div>
<div>
<span style="background-color: white;"><span style="font-family: Lato, sans-serif; font-size: large;"><span style="line-height: 24px;">Then download and install libpam-google-authenticator from source installation and compilation:</span></span></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;"><span style="color: lime;"><br /></span></span></span></div>
<div>
<pre style="background-attachment: scroll; background-clip: initial; background-color: #3c3c3c; background-image: none; background-origin: initial; background-position: 0px 0px; background-repeat: repeat; background-size: initial; border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-family: 'Courier New', Courier, monospace; font-size: medium; line-height: 15.6px;">[root@hackthesec]#</span><span style="color: white; font-family: Courier New, Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;"> cd /tmp

</span></span><span style="color: white; font-family: 'Courier New', Courier, monospace; font-size: medium; line-height: 15.6px;">[root@hackthesec]#</span><span style="font-family: Courier New, Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;"><span style="color: white;"> </span><span style="color: lime;">wget </span><span style="color: white;">http://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2</span></span></span></pre>
<pre style="background-attachment: scroll; background-clip: initial; background-color: #3c3c3c; background-image: none; background-origin: initial; background-position: 0px 0px; background-repeat: repeat; background-size: initial; border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-family: Courier New, Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;">
</span></span><span style="color: white; font-family: 'Courier New', Courier, monospace; font-size: medium; line-height: 15.6px;">[root@hackthesec]#</span><span style="font-family: Courier New, Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;"><span style="color: white;"> </span><span style="color: lime;">bunzip2</span><span style="color: white;"> libpam-google-authenticator-1.0-source.tar.bz2
</span></span></span><span style="color: white; font-family: 'Courier New', Courier, monospace; font-size: medium; line-height: 15.6px;">[root@hackthesec]#</span><span style="font-family: Courier New, Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;"><span style="color: white;"> </span><span style="color: lime;">tar xf</span><span style="color: white;"> libpam-google-authenticator-1.0-source.tar</span></span></span></pre>
<pre style="background-attachment: scroll; background-clip: initial; background-color: #3c3c3c; background-image: none; background-origin: initial; background-position: 0px 0px; background-repeat: repeat; background-size: initial; border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-family: Courier New, Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;">
</span></span><span style="color: white; font-family: 'Courier New', Courier, monospace; font-size: medium; line-height: 15.6px;">[root@hackthesec]#</span><span style="font-family: Courier New, Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;"><span style="color: white;"> cd </span><span style="color: lime;">libpam-google-authenticator-1.0</span><span style="color: white;">

gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o google-authenticator.o google-authenticator.c
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o base32.o base32.c
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o hmac.o hmac.c
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o sha1.o sha1.c
gcc -g   -o google-authenticator google-authenticator.o base32.o hmac.o sha1.o  -ldl
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o pam_google_authenticator.o pam_google_authenticator.c
gcc -shared -g   -o pam_google_authenticator.so pam_google_authenticator.o base32.o hmac.o sha1.o -lpam
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o demo.o demo.c
gcc -DDEMO --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o pam_google_authenticator_demo.o pam_google_authenticator.c
gcc -g   -rdynamic -o demo demo.o pam_google_authenticator_demo.o base32.o hmac.o sha1.o  -ldl
gcc -DTESTING --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden        \
              -o pam_google_authenticator_testing.o pam_google_authenticator.c
gcc -shared -g   -o pam_google_authenticator_testing.so pam_google_authenticator_testing.o base32.o hmac.o sha1.o -lpam
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o pam_google_authenticator_unittest.o pam_google_authenticator_unittest.c
gcc -g   -rdynamic -o pam_google_authenticator_unittest pam_google_authenticator_unittest.o base32.o hmac.o sha1.o -lc  -ldl</span></span></span></pre>
<pre style="background-attachment: scroll; background-clip: initial; background-color: #3c3c3c; background-image: none; background-origin: initial; background-position: 0px 0px; background-repeat: repeat; background-size: initial; border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-family: 'Courier New', Courier, monospace; font-size: medium; line-height: 15.6px;">[root@hackthesec]#</span><span style="font-family: Courier New, Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;"><span style="color: white;"> </span><span style="color: lime;">make install</span><span style="color: white;">

cp pam_google_authenticator.so /lib64/security
cp google-authenticator /usr/local/bin</span></span></span></pre>
</div>
<div>
<h3 style="border: 0px; clear: both; font-family: Lato, sans-serif; font-size: 22px; line-height: 24px; margin: 36px 0px 12px; outline: 0px; padding: 0px; vertical-align: baseline;">
<span style="color: #0b5394;"><u>Set Up Google Authenticator</u></span></h3>
<div style="border: 0px; font-family: Lato, sans-serif; font-size: 16px; line-height: 24px; margin-bottom: 24px; outline: 0px; padding: 0px; vertical-align: baseline;">
Before configuring SSH, first set up Google Authenticator. Run “google-authenticator” <span style="border-image-outset: initial; border-image-repeat: initial; border-image-slice: initial; border-image-source: initial; border-image-width: initial; border: 0px; font-family: inherit; font-style: inherit; font-weight: 700; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">as the user you wish to log in with via SSH</span>. You will be prompted with a few questions.</div>
</div>
<div>
<pre style="background-attachment: scroll; background-clip: initial; background-color: #3c3c3c; background-image: none; background-origin: initial; background-position: 0px 0px; background-repeat: repeat; background-size: initial; border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="font-family: Courier New, Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;"><span style="color: white;">[root@hackthesec]# </span><span style="color: orange;">google-authenticator</span><span style="color: white;">

Do you want me to update your "~/.google_authenticator" file (y/n) y
 
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/user@server%3Fsecret%3DABCD12E3FGHIJKLMN
Your new secret key is: ABCD12E3FGHIJKLMN
Your verification code is 98765432
Your emergency scratch codes are:
  01234567
  89012345
  67890123
  45678901
  23456789
 
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
 
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y
 
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y</span></span></span></pre>
</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;"><span style="color: lime;"><br /></span></span></span></div>
<div>
<div style="border: 0px; color: #2b2b2b; font-family: Lato, sans-serif; font-size: 16px; line-height: 24px; margin-bottom: 24px; outline: 0px; padding: 0px; vertical-align: baseline;">
These settings are stored in the user’s <code style="border: 0px; font-family: monospace, serif; font-size: 15px; font-style: inherit; line-height: 1.6; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><b>~/.google_authenticator</b></code> file.</div>
<div style="border: 0px; color: #2b2b2b; font-family: Lato, sans-serif; font-size: 16px; line-height: 24px; margin-bottom: 24px; outline: 0px; padding: 0px; vertical-align: baseline;">
Copy and paste the URL into your browser and scan the QR code that is displayed with the app Google Authenticator on your mobile device. If you can’t scan the QR code, then you can enter the information manually with the given secret key and verification code. A new verification code should be displayed every 30 seconds.</div>
<div style="border: 0px; color: #2b2b2b; font-family: Lato, sans-serif; font-size: 16px; line-height: 24px; margin-bottom: 24px; outline: 0px; padding: 0px; vertical-align: baseline;">
Emergency one-time use verification codes are also given for you to write down in a secure place in case you were to not have your mobile device with you.</div>
<h3 style="border: 0px; clear: both; font-family: Lato, sans-serif; font-size: 22px; line-height: 24px; margin: 36px 0px 12px; outline: 0px; padding: 0px; vertical-align: baseline;">
<u><span style="color: #0b5394;">Configure PAM</span></u></h3>
<div style="border: 0px; color: #2b2b2b; font-family: Lato, sans-serif; font-size: 16px; line-height: 24px; margin-bottom: 24px; outline: 0px; padding: 0px; vertical-align: baseline;">
Have PAM require Google Authenticator for SSH authentication. Modify<b> <code style="border: 0px; font-family: monospace, serif; font-size: 15px; font-style: inherit; line-height: 1.6; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">/etc/pam.d/sshd</code></b> and add the line “<code style="border: 0px; font-family: monospace, serif; font-size: 15px; font-style: inherit; line-height: 1.6; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><b>auth required pam_google_authenticator.so</b></code>” at the top.</div>
</div>
<div>
<pre style="background-attachment: scroll; background-clip: initial; background-color: #3c3c3c; background-image: none; background-origin: initial; background-position: 0px 0px; background-repeat: repeat; background-size: initial; border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="font-family: Courier New, Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;"><span style="color: white;">[root@hackthesec]# vi </span><span style="color: lime;">/etc/pam.d/sshd</span><span style="color: white;">

#%PAM-1.0
</span><span style="color: orange;">auth       required     pam_google_authenticator.so
</span><span style="color: white;">auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth</span></span></span></pre>
</div>
<div>
<div style="border: 0px; font-family: Lato, sans-serif; font-size: 16px; line-height: 24px; margin-bottom: 24px; outline: 0px; padding: 0px; vertical-align: baseline;">
This will require all users to use Google Authenticator for SSH authentication. To only require those users with Google Authenticator configured for their account (the <code style="border-image-outset: initial; border-image-repeat: initial; border-image-slice: initial; border-image-source: initial; border-image-width: initial; border: 0px; font-family: monospace, serif; font-size: 15px; font-style: inherit; line-height: 1.6; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><b>~/.google_authenticator</b></code> file exists), then instead enter “<code style="border-image-outset: initial; border-image-repeat: initial; border-image-slice: initial; border-image-source: initial; border-image-width: initial; border: 0px; font-family: monospace, serif; font-size: 15px; font-style: inherit; line-height: 1.6; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><b>auth required pam_google_authenticator.so</b></code><code style="border-image-outset: initial; border-image-repeat: initial; border-image-slice: initial; border-image-source: initial; border-image-width: initial; border: 0px; font-family: monospace, serif; font-size: 15px; font-style: inherit; font-weight: inherit; line-height: 1.6; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"> </code><code style="border-image-outset: initial; border-image-repeat: initial; border-image-slice: initial; border-image-source: initial; border-image-width: initial; border: 0px; font-family: monospace, serif; font-size: 15px; font-style: inherit; line-height: 1.6; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><b>nullok</b></code>“.</div>
<div style="border: 0px; font-family: Lato, sans-serif; font-size: 16px; line-height: 24px; margin-bottom: 24px; outline: 0px; padding: 0px; vertical-align: baseline;">
The order in which you place items in this file matters. Given this configuration, you will first be prompted for your Google Authenticator verification code, then for your system account password when you SSH into the system.</div>
</div>
<div>
<h3 style="border: 0px; clear: both; font-family: Lato, sans-serif; font-size: 22px; line-height: 24px; margin: 36px 0px 12px; outline: 0px; padding: 0px; vertical-align: baseline;">
<span style="color: #0b5394;"><u>Configure the SSH Service</u></span></h3>
<div style="border: 0px; color: #2b2b2b; font-family: Lato, sans-serif; font-size: 16px; line-height: 24px; margin-bottom: 24px; outline: 0px; padding: 0px; vertical-align: baseline;">
Modify <b><code style="border: 0px; font-family: monospace, serif; font-size: 15px; font-style: inherit; line-height: 1.6; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">/etc/ssh/sshd_config</code>.</b> Verify these settings:</div>
</div>
<div>
<pre style="background-attachment: scroll; background-clip: initial; background-color: #3c3c3c; background-image: none; background-origin: initial; background-position: 0px 0px; background-repeat: repeat; background-size: initial; border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="font-family: Courier New, Courier, monospace; font-size: medium;"><span style="color: lime;"><span style="line-height: 15.6px;">[root@hackthesec]# vi /etc/ssh/sshd_config

PasswordAuthentication yes
</span></span><span style="color: white; line-height: 15.6px;">ChallengeResponseAuthentication yes
</span><span style="color: lime; line-height: 15.6px;">UsePAM yes</span></span></pre>
</div>
<div>
<span style="background-color: white; font-family: Lato, sans-serif; font-size: 16px; line-height: 24px;">Restart the SSH service:</span></div>
<div>
<pre style="background-attachment: scroll; background-clip: initial; background-color: #3c3c3c; background-image: none; background-origin: initial; background-position: 0px 0px; background-repeat: repeat; background-size: initial; border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="background-color: transparent; line-height: 15.6px;"><span style="color: white; font-family: Courier New, Courier, monospace; font-size: medium;">[root@hackthesec]# </span></span><span style="font-family: Courier New, Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;"><span style="color: white;">service </span><span style="color: lime;">sshd restart</span></span></span></pre>
</div>
<div>
<span style="background-color: white; font-family: Lato, sans-serif; font-size: 16px; line-height: 24px;">When you SSH into the system as a user configured for Google Authenticator, you will have to enter the verification code that is displayed in you Google Authenticator app, and then by your system password at the next prompt:</span></div>
<div>
<pre style="background-attachment: scroll; background-clip: initial; background-color: #3c3c3c; background-image: none; background-origin: initial; background-position: 0px 0px; background-repeat: repeat; background-size: initial; border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="font-family: Courier New, Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;"><span style="color: white;">login as: root
</span><span style="color: orange;">Verification code: 002536
</span><span style="color: white;">Password: *******
[root@hackthesec]#</span></span></span></pre>
</div>
<div>
<div style="border: 0px; color: #2b2b2b; font-family: Lato, sans-serif; font-size: 16px; line-height: 24px; margin-bottom: 24px; outline: 0px; padding: 0px; vertical-align: baseline;">
If you have any problems, look in the <code style="border: 0px; font-family: monospace, serif; font-size: 15px; font-style: inherit; line-height: 1.6; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><b>/var/log/secure</b></code> system log file.</div>
<div style="border: 0px; color: #2b2b2b; font-family: Lato, sans-serif; font-size: 16px; line-height: 24px; margin-bottom: 24px; outline: 0px; padding: 0px; vertical-align: baseline;">
If you have <b>SELinux </b>enabled, you may not be able to login, and get this error in <code style="border: 0px; font-family: monospace, serif; font-size: 15px; font-style: inherit; line-height: 1.6; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><b>/var/log/secure</b></code>:</div>
</div>
<div>
<pre style="background-attachment: scroll; background-clip: initial; background-color: #3c3c3c; background-image: none; background-origin: initial; background-position: 0px 0px; background-repeat: repeat; background-size: initial; border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-family: Courier New, Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;">Feb  26 23:42:50 hostname sshd(pam_google_authenticator)[1654]: Failed to update secret file "/home/hackthesec/.google_authenticator"
Feb  26 23:42:50 hostname  sshd[1652]: error: PAM: Cannot make/remove an entry for the specified session for username from 192.168.0.5</span></span></pre>
</div>
<div>
<span style="color: white; font-family: Courier New, Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;"><br /></span></span></div>
<div>
<div style="border: 0px; font-family: Lato, sans-serif; font-size: 16px; line-height: 24px; margin-bottom: 24px; outline: 0px; padding: 0px; vertical-align: baseline;">
This is probably due /home/username/.google_authenticator not having an appropriate <a href="http://wiki.centos.org/HowTos/SELinux" style="border-image-outset: initial; border-image-repeat: initial; border-image-slice: initial; border-image-source: initial; border-image-width: initial; border: 0px; font-family: inherit; font-style: inherit; font-weight: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">Type Enforcement</a> (TE):</div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
</div>
<br />
<div style="orphans: auto; text-align: left; text-indent: 0px; widows: 1;">
<pre style="background-attachment: scroll; background-clip: initial; background-color: #3c3c3c; background-image: none; background-origin: initial; background-position: 0px 0px; background-repeat: repeat; background-size: initial; border-image-outset: initial; border-image-repeat: initial; border-image-slice: initial; border-image-source: initial; border-image-width: initial; border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin: 0px 0px 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="background-color: transparent; line-height: 15.6px;"><span style="color: white; font-family: Courier New, Courier, monospace; font-size: medium;">[root@hackthesec]#</span></span><span style="font-family: Courier New, Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;"><span style="color: white;"> </span><span style="color: lime;">ls -Z /home/hackthesec/.google_authenticator</span><span style="color: white;">
-r--------. hackthesec hackthesec unconfined_u:object_r:user_home_t:s0 /home/hackthesec/.google_authenticator</span></span></span></pre>
</div>
</div>
<div>
<h3 style="border: 0px; clear: both; font-family: Lato, sans-serif; font-size: 22px; line-height: 24px; margin: 36px 0px 12px; outline: 0px; padding: 0px; vertical-align: baseline;">
<span style="color: red;"><u>Skip Google Authenticator Authentication if Logging in from the Local Network</u></span></h3>
<div style="border: 0px; font-family: Lato, sans-serif; font-size: 16px; line-height: 24px; margin-bottom: 24px; outline: 0px; padding: 0px; vertical-align: baseline;">
You may trust systems on you local network enough not not require that SSH connections from them use <b>Google Authenticator</b>. If so, modify <code style="border-image-outset: initial; border-image-repeat: initial; border-image-slice: initial; border-image-source: initial; border-image-width: initial; border: 0px; font-family: monospace, serif; font-size: 15px; font-style: inherit; line-height: 1.6; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><b>/etc/pam.d/sshd</b></code> so that it looks like this:</div>
</div>
<div>
<pre style="background-attachment: scroll; background-clip: initial; background-color: #3c3c3c; background-image: none; background-origin: initial; background-position: 0px 0px; background-repeat: repeat; background-size: initial; border-image-outset: initial; border-image-repeat: initial; border-image-slice: initial; border-image-source: initial; border-image-width: initial; border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-family: Courier New, Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;">auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth       required     pam_google_authenticator.so</span></span></pre>
</div>
<div>
<span style="background-color: white; font-family: Lato, sans-serif; font-size: 16px; line-height: 24px;">Then add the file </span><code style="background-color: white; border: 0px; font-family: monospace, serif; font-size: 15px; line-height: 24px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><b>/etc/security/access-local.conf</b></code><span style="background-color: white; font-family: Lato, sans-serif; font-size: 16px; line-height: 24px;"> with the contents:</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;"><span style="color: lime;"><br /></span></span></span></div>
<div>
<pre style="background-attachment: scroll; background-clip: initial; background-color: #3c3c3c; background-image: none; background-origin: initial; background-position: 0px 0px; background-repeat: repeat; background-size: initial; border-image-outset: initial; border-image-repeat: initial; border-image-slice: initial; border-image-source: initial; border-image-width: initial; border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-family: Courier New, Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;"># Google Authenticator can be skipped on local network
+ : ALL : 192.168.0.0/24
+ : ALL : LOCAL
- : ALL : ALL</span></span></pre>
</div>
<div>
<span style="color: white; font-family: Courier New, Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;"><br /></span></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;"><a href="http://www.hackthesec.co.in/">www.hackthesec.co.in</a></span></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;"><span style="color: lime;"><br /></span></span></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace; font-size: medium;"><span style="line-height: 15.6px;"><span style="color: lime;"><br /></span></span></span></div>
</div>

Two-step Authentication For SSH On Centos 6

TWO-STEP AUTHENTICATION FOR SSH ON CENTOS 6 Google Authenticator implements TOTP (timebased one-time-password) security tokens from RFC6238 via the Google mobile app Google Authenticator. The Authent…

26 Feb 2016

Wireshark - vwr_read_s2_s3_W_rec Heap-Based Buffer Overflow

<div dir="ltr" style="text-align: left;" trbidi="on">
<h1 style="background-color: white; box-sizing: border-box; font-family: 'Noto Sans', sans-serif; font-size: 38px; font-stretch: normal; font-weight: 300; line-height: 1.4; margin: 0px; text-align: center;">
<span style="color: #073763;">Wireshark - vwr_read_s2_s3_W_rec Heap-Based Buffer Overflow</span></h1>
<div>
<span style="color: #073763;"><br /></span></div>
<div>
<span style="color: #073763; font-family: Georgia, Times New Roman, serif; font-size: large;"><b>Wireshark </b>is a Free and Open packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, the project was renamed Wireshark in May 2006 due to trademark issues</span></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_MAG4F1Kon2P9SxmYif94a3gt6GvVRH5vtUv22pgkSxn-t6Nz_9ruaqeTAPS9WcWT-MDboXJ26Fu_IAgpUHrjDV1ZSdPw-2222mIL4pyLSTJT3tF-62eUjafIS-iBK76aeJ49WoIhE84N/s1600/wireshark-www.hackthesec.co.in.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_MAG4F1Kon2P9SxmYif94a3gt6GvVRH5vtUv22pgkSxn-t6Nz_9ruaqeTAPS9WcWT-MDboXJ26Fu_IAgpUHrjDV1ZSdPw-2222mIL4pyLSTJT3tF-62eUjafIS-iBK76aeJ49WoIhE84N/s1600/wireshark-www.hackthesec.co.in.png" /></a></div>
<div>
<br /></div>
<div>
<table class="exploit_list" style="background-color: rgb(239, 239, 239) !important; border-radius: 3px !important; border-spacing: 1px; border: 1px solid rgb(221, 221, 221) !important; box-sizing: border-box; color: #666666; font-family: 'Open Sans', sans-serif; font-size: 14px; line-height: 24px; margin-bottom: 10px; margin-top: 10px; padding: 1px !important; width: 679px;"><tbody style="box-sizing: border-box;">
<tr style="background-color: rgb(248, 248, 248) !important; box-sizing: border-box;"><td style="box-sizing: border-box; padding: 5px 10px; text-align: center;"><span style="color: black;"><strong style="box-sizing: border-box;">Author:</strong> Google Security Research</span></td><td style="box-sizing: border-box; padding: 5px 10px; text-align: center;"><br /></td><td style="box-sizing: border-box; padding: 5px 10px; text-align: center;"><br /></td></tr>
<tr style="background-color: rgb(248, 248, 248) !important; box-sizing: border-box;"><td style="box-sizing: border-box; padding: 5px 10px;"><div style="text-align: center;">
<strong style="box-sizing: border-box; color: black;">Download Exploit:</strong><span style="color: black;"> </span><a href="https://www.exploit-db.com/download/39490" style="background-color: transparent; box-sizing: border-box; outline: 0px; text-decoration: none; transition-duration: 0.3s; transition-property: background-color, box-shadow, border, color, opacity;"><span class="fa fa-file-code-o" style="box-sizing: border-box; display: inline-block; font-family: "fontawesome"; font-size: inherit; font-stretch: normal; line-height: 1;"></span> Source</a><span style="color: black;"> </span><span class="fa fa-file-o" style="box-sizing: border-box; color: black; display: inline-block; font-family: "fontawesome"; font-size: inherit; font-stretch: normal; line-height: 1;"></span><span style="color: black;"> </span></div>
<br />
<br />
<a href="http://www.hackthesec.co.in/" target="_blank">www.hackthesec.co.in</a><br />
<span style="color: black;">hackthesec</span><br />
<a href="http://www.hackthesec.co.in/search/label/LATEST%20EXPLOIT" target="_blank">hackthesec exploit</a></td><td colspan="2" style="box-sizing: border-box; padding: 5px 10px;"><br /></td></tr>
</tbody></table>
</div>
</div>

Wireshark - vwr_read_s2_s3_W_rec Heap-Based Buffer Overflow

Wireshark - vwr_read_s2_s3_W_rec Heap-Based Buffer Overflow Wireshark is a Free and Open packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol develo…

25 Feb 2016

How to Hide Application Port Using knockd in Linux

<div dir="ltr" style="text-align: left;" trbidi="on">
<h1 class="post-title single" style="background-color: white; margin: 0px 0px 5px; padding: 0px;">
<span style="color: red; font-size: large;"><u><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="letter-spacing: -1px; line-height: 1.2em;">Hide </span><span style="letter-spacing: -1px; line-height: 38.4px;">Application</span><span style="letter-spacing: -1px; line-height: 1.2em;"> Port Using knockd in Linux</span></span></u></span></h1>
<div>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
As a system administrator, we should do everything to secure our server from attackers. As the internet grows, threats to our server is also growing. One of the popular entrances to attack our server is through the port on your server that open. If your SSH server is running on </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipoEw0Znm4kJkLvWo3mEqOj2QT8IMXelfxBtu4l68eChcU2zg0JxuRSX6HX5DyInhphW5j6Gt_TLna7VAj6kJZUUEhhGezwORQDYdtPON2FFzdQ5U3AsN1aQmEYKCSBrMR3k5HXyvk9_Qk/s1600/knock_www.hackthesec.co.in.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipoEw0Znm4kJkLvWo3mEqOj2QT8IMXelfxBtu4l68eChcU2zg0JxuRSX6HX5DyInhphW5j6Gt_TLna7VAj6kJZUUEhhGezwORQDYdtPON2FFzdQ5U3AsN1aQmEYKCSBrMR3k5HXyvk9_Qk/s1600/knock_www.hackthesec.co.in.jpg" /></a></div>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
<br /></div>
your machine, then usually the SSH port is listening. Which means it is open, waiting for the connection.<br />
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
Leaving the port open for 24 hours, is not recommended because it is vulnerable. Because we can scan the machine to see the open port. <strong>Nmap</strong> is one of the most popular port scanner that can be used by anyone to scan your machine.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDf3M4nS_qiN_gLL-2-uLTQvMz86c_K8ceCCxtdRLLJw_6Yqznfc6cT1_3jxdmZ0Ab6lOrgHFaQvtI1iE3C50YrkrFnHHGS8Z-8cwgZG6KtRZLa76vYLeBJdpsiy8wYZyeFtlZxzHeOeh5/s1600/nmap_www.hackthesec.co.in.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDf3M4nS_qiN_gLL-2-uLTQvMz86c_K8ceCCxtdRLLJw_6Yqznfc6cT1_3jxdmZ0Ab6lOrgHFaQvtI1iE3C50YrkrFnHHGS8Z-8cwgZG6KtRZLa76vYLeBJdpsiy8wYZyeFtlZxzHeOeh5/s1600/nmap_www.hackthesec.co.in.png" /></a></div>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
<br />
How if we can open the on demand and close the port when it’s not used? Sounds interesting. Now we can do it using knockd application.</div>
<h1 style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 20pt; letter-spacing: -1px; line-height: 1.2em; margin: 0px 0px 15px; padding: 0px;">
<span style="color: #0b5394;"><u>What is knockd</u></span></h1>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
Knockd is a port-knock server. It listens to all traffice on an ethernet (or PPP) interface, looking for special “knock” sequences of port-hits. (Source : <a href="http://www.zeroflux.org/projects/knock" style="outline: none; text-decoration: none;" title="knockd">http://www.zeroflux.org/projects/knock</a>)</div>
<h1 style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 20pt; letter-spacing: -1px; line-height: 1.2em; margin: 0px 0px 15px; padding: 0px;">
<u><span style="color: #0b5394;">How it works</span></u></h1>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
Every application needs a port as a “door” for “listening” requests from other clients. This port usually on open state or close state. There are a lot of ports that available on the server. But there are some ports that agreed by consensus, such as <a href="http://www.hackthesec.co.in/search/label/SSH" target="_blank">SSH </a>(22), Web (80) and <a href="http://www.hackthesec.co.in/search/label/ftp" target="_blank">FTP </a>(21).</div>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
A basic rule of server security is to open only used ports and close the rest. You may have some ports that are sometimes used and sometimes not. Leaving those ports open while is not being used is not recommended.</div>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
When you install knockd, you can let the client “knock” the server with pattern. The knocking sequence can be custom by you. So this knocking pattern will be unique to each other. If the pattern is match, then the port you need will be opened for a period of time and the request can enter your server.</div>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
Once you have done with the application, you can close the port manually or automatically.</div>
<h1 style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 20pt; letter-spacing: -1px; line-height: 1.2em; margin: 0px 0px 15px; padding: 0px;">
<span style="color: #0b5394;"><u>How to install knockd</u></span></h1>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
On this article, we are using Zorin 9 OS which based on Ubuntu 14.04 LTS. If you are using another distribution please adjust it to the installation method of your distribution.</div>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
Knockd is available on Ubuntu repository. Then we can use <b>apt-get to install knockd</b>.</div>
<pre style="background: none 0px 0px repeat scroll rgb(60, 60, 60); border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-size: small;"><span style="font-size: large; line-height: 15.6px;"><span style="color: white;">$ sudo </span><span style="color: lime;">apt-get</span><span style="color: white;"> install </span><span style="color: lime;">knockd</span></span></span></pre>
<div style="background-color: white; font-family: arial, helvetica, sans-serif; line-height: 21px; margin-bottom: 15px;">
Just wait for a few minutes, then your knockd is already setup.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhA67oGT2cT3lLU_cFpxIgca4LBVCdVr35XzzSgoIRxGdboOfQCTdcP3vYAiEZvaFnrPajh3-0WnqGFMQY4c86NPudth9QaKHs2zif51Qlo_htuKkY9SOQnXH2iBwESzXzypeYGDUSHOhum/s1600/install_knockd_hackthesec.co.in.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhA67oGT2cT3lLU_cFpxIgca4LBVCdVr35XzzSgoIRxGdboOfQCTdcP3vYAiEZvaFnrPajh3-0WnqGFMQY4c86NPudth9QaKHs2zif51Qlo_htuKkY9SOQnXH2iBwESzXzypeYGDUSHOhum/s1600/install_knockd_hackthesec.co.in.png" /></a></div>
<h1 style="background-color: white; color: #333333; font-family: Arial, Helvetica, sans-serif; font-size: 20pt; letter-spacing: -1px; line-height: 1.2em; margin: 0px 0px 15px; padding: 0px;">
</h1>
<h1 style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 20pt; letter-spacing: -1px; line-height: 1.2em; margin: 0px 0px 15px; padding: 0px;">
<span style="color: #0b5394;"><u>Configure knockd</u></span></h1>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
Knock configuration file is located in <strong>/etc/knockd.conf</strong><br />
The sample configuration is simple and easy to understand.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQSIXg_eYyfRDU_WaXIrcGU0pLzfl4tBOf3YBmLKklE4cV-rJblSvH6DpxO1B0odRgIit6TbE4hSPCnZy0el2QZqri_jvPkn86SritsHJCwGMF-FOu0Tk-MQ3pJpvs9aXLd0TsE1Nk0Qtz/s1600/conf_www.hackthesec.co.in.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="230" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQSIXg_eYyfRDU_WaXIrcGU0pLzfl4tBOf3YBmLKklE4cV-rJblSvH6DpxO1B0odRgIit6TbE4hSPCnZy0el2QZqri_jvPkn86SritsHJCwGMF-FOu0Tk-MQ3pJpvs9aXLd0TsE1Nk0Qtz/s640/conf_www.hackthesec.co.in.png" width="640" /></a></div>
<div style="background-color: white; color: #666666; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
<br /></div>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
We can see that the configuration is divided into three sections. The <strong>[options]</strong> section, <strong>[openSSH]</strong> section to open SSH port and <strong>[closeSSH]</strong> section to close SSH port.</div>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
By default <strong>[options]</strong> section contain only 1 row. It tell us that the knockd log will be recorded using the operating system log application. On Ubuntu, we will see the log in <strong>/var/log/syslog</strong>; folder.</div>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
Of course we can choose not to use SysLog. We can change it into this line, if we want to use custom log.</div>
<pre style="background: none 0px 0px repeat scroll rgb(60, 60, 60); border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-size: small;"><span style="font-size: large; line-height: 15.6px;"><span style="color: white;">logfile = /var/log/</span><span style="color: lime;">knockd.log</span></span></span></pre>
<div style="background-color: white; font-family: arial, helvetica, sans-serif; line-height: 21px; margin-bottom: 15px;">
The above line, will put knock log file in <strong>/var/log/knockd.log</strong></div>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
[openSSH] sections has identical commands with [closeSSH] section.</div>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
<strong>sequence = 1200,1300,1400</strong><br />
This is the knock pattern. It will trigger the command below in the section. The value of this parameter is fully customized. We can choose another random number.</div>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
<strong>seq_timeout = 10</strong><br />
This will tell knockd about how long the knock pattern must be completed in.</div>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
<strong>command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT</strong><br />
This parameter will open SSH port on port 22</div>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
<strong>tcpflags = syn</strong><br />
This parameter indicates that the Client will sends a TCP SYNchronize packet to the server</div>
<h1 style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 20pt; letter-spacing: -1px; line-height: 1.2em; margin: 0px 0px 15px; padding: 0px;">
<span style="color: #0b5394;"><u>Setting up the firewall</u></span></h1>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
As we know before, knockd will open particular port temporarily. So we have to make sure firewall is running on the server. Basically, we will close all ports. We are using iptables syntax to do it. Here are the steps.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiP22SstqKcmmXGUdAtWGPbAADZdLIb93deXYAOSeoJhmj_AIQF7ELkMKvr4gB0cePwYjv78nWYOcFtSD8ypVOTF8hIJciPTIUH0BdgB9iNAdhHPwhvoMAJffuQBRpe6LAyyJ5xFIX6qRG0/s1600/iptables_conf_www.hackthesec.co.in.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiP22SstqKcmmXGUdAtWGPbAADZdLIb93deXYAOSeoJhmj_AIQF7ELkMKvr4gB0cePwYjv78nWYOcFtSD8ypVOTF8hIJciPTIUH0BdgB9iNAdhHPwhvoMAJffuQBRpe6LAyyJ5xFIX6qRG0/s1600/iptables_conf_www.hackthesec.co.in.png" /></a></div>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
<br />
The 1st command, will allow the current on-going session through firewall.<br />
The 2nd command, will allow the server is able to ping by another machine.<br />
The 3rd command, will reject every requests.</div>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
To test the knockd service, we expect that our will firewall will drop all ssh connection. Then knockd will open it temporarily on demand.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjnKpk2fjUFq33I5yQZT9xAlOYCOoljrCBnLYps4L_UevHYclPvJZ4X_PHe1bCjJx4qGncTeTVRwbG7w21widalzYR-AnZkWHZ3bKv8LN3mQAt7a6x4n2dXO1Pplg2qkerE7_KBoL1PCUI/s1600/ip_tables_www.hackthesec.co.in.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjnKpk2fjUFq33I5yQZT9xAlOYCOoljrCBnLYps4L_UevHYclPvJZ4X_PHe1bCjJx4qGncTeTVRwbG7w21widalzYR-AnZkWHZ3bKv8LN3mQAt7a6x4n2dXO1Pplg2qkerE7_KBoL1PCUI/s1600/ip_tables_www.hackthesec.co.in.png" /></a></div>
<h1 style="background-color: white; color: #333333; font-family: Arial, Helvetica, sans-serif; font-size: 20pt; letter-spacing: -1px; line-height: 1.2em; margin: 0px 0px 15px; padding: 0px;">
</h1>
<h1 style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 20pt; letter-spacing: -1px; line-height: 1.2em; margin: 0px 0px 15px; padding: 0px;">
<span style="color: #0b5394;"><u>Test the knockd on server side</u></span></h1>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
Once the firewall and knockd are setup, next we can test them.<br />
To test the firewall, try remote the server via SSH from another machine. (<em>on this article, client IP is 10.1.6.14 and server IP 10.0.76.224</em>)</div>
<pre style="background: none 0px 0px repeat scroll rgb(60, 60, 60); border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-size: small;"><span style="font-size: large; line-height: 15.6px;"><span style="color: white;">$ ssh -l </span><span style="color: lime;">pungki </span><span style="color: white;">10.0.76.224</span></span></span></pre>
<div style="background-color: white; font-family: arial, helvetica, sans-serif; line-height: 21px; margin-bottom: 15px;">
With :<br />
<div style="font-size: 14px;">
<strong>-l</strong> = login name</div>
<div style="font-size: 14px;">
<strong>pungki</strong> = the user name on the destination server</div>
</div>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
If the firewall works, then we will get <strong>“Connection refused”</strong> error message.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfRafJqFuFGUE3uaD6U5pfEqKmV8CwgJAc_b6-XdxHSaAoThuavWut-Q8G8Tm590Evw3g9mQkxHS9Zer5iE6Mme7HRMnyKw9fLpuObT6APc5xAgHKO44mQERwZwVKov6nZ-9RU0t_BL04u/s1600/connection_refused_www.hackthesec.co.in.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfRafJqFuFGUE3uaD6U5pfEqKmV8CwgJAc_b6-XdxHSaAoThuavWut-Q8G8Tm590Evw3g9mQkxHS9Zer5iE6Mme7HRMnyKw9fLpuObT6APc5xAgHKO44mQERwZwVKov6nZ-9RU0t_BL04u/s1600/connection_refused_www.hackthesec.co.in.png" /></a></div>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
The reason we get the error message is the 10.1.6.14 is not allowed to enter the server. If we use this command, we will see no result.</div>
<pre style="background: none 0px 0px repeat scroll rgb(60, 60, 60); border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-size: small;"><span style="font-size: large; line-height: 15.6px;"><span style="color: white;">$ </span><span style="color: lime;">sudo /sbin/iptables -L</span><span style="color: white;"> -n |grep 10.1.6.14</span></span></span></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlW_3AQMtYbLz_q36ogYB6i0YJjh4ge86K41UwVbalkoKmgBrhnHVhob46hi21H8dr7xaHH_b1G4gc3LK4fwoWEYVtbPg6LhccN3CDsm2CxXbxQJT3HCRSYXNN36U9COiy7LuHd9-2wmmC/s1600/iptables_before_knock_www.hackthesec.co.in.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlW_3AQMtYbLz_q36ogYB6i0YJjh4ge86K41UwVbalkoKmgBrhnHVhob46hi21H8dr7xaHH_b1G4gc3LK4fwoWEYVtbPg6LhccN3CDsm2CxXbxQJT3HCRSYXNN36U9COiy7LuHd9-2wmmC/s1600/iptables_before_knock_www.hackthesec.co.in.png" /></a></div>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
Later, we will see the difference after knockd implemented.</div>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
Next step, is to test the knockd service.</div>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
To run knockd, we need to change knockd default file which located in /etc/default/knockd. Change the value of <strong>START_KNOCKD parameter from 0 to 1</strong>.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaZe0IJykHyWEfqgWsgqhoIjObun1UVhtKQaU8RUIYT6aK8Bf6Y0TVRZgvWb1oYiLvL2oMsJq0UJYuFczFGTS83J7Z-zJqdSX5VvoRNYTCfkCNoOFfVhU5m7dTzPWSKiNZij9_HvXRUjhT/s1600/default_knockd_www.hackthesec.co.in.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaZe0IJykHyWEfqgWsgqhoIjObun1UVhtKQaU8RUIYT6aK8Bf6Y0TVRZgvWb1oYiLvL2oMsJq0UJYuFczFGTS83J7Z-zJqdSX5VvoRNYTCfkCNoOFfVhU5m7dTzPWSKiNZij9_HvXRUjhT/s1600/default_knockd_www.hackthesec.co.in.png" /></a></div>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
Save the file. Then type :</div>
<pre style="background: none 0px 0px repeat scroll rgb(60, 60, 60); border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-size: small;"><span style="font-size: large; line-height: 15.6px;"><span style="color: white;">$ sudo </span><span style="color: lime;">service knockd</span><span style="color: white;"> start</span></span></span></pre>
<div style="background-color: white; font-family: arial, helvetica, sans-serif; line-height: 21px; margin-bottom: 15px;">
*<em>note : I tried to run the service using /etc/init.d/knockd start , but it always fail to start</em></div>
<h1 style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 20pt; letter-spacing: -1px; line-height: 1.2em; margin: 0px 0px 15px; padding: 0px;">
<span style="color: #0b5394;"><u>Test knockd from Client side</u></span></h1>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
On the client side, we need knock client to “knock” the server. On the client side, we use Centos 5.2. Then we install knock-client from <a href="http://pkgs.repoforge.org/knock/knock-0.5.3.el5.rf.i386.rpm" style="outline: none; text-decoration: none;" title="knock client">http://pkgs.repoforge.org/knock/knock-0.5.3.el5.rf.i386.rpm</a></div>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
Then run the command below to knock the server :</div>
<pre style="background: none 0px 0px repeat scroll rgb(60, 60, 60); border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-size: small;"><span style="font-size: large; line-height: 15.6px;">$ knock -v 10.0.76.224 1200 1300 1400</span></span></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiT-KXni4C1INDyp91QdgH7yvG91kZqKOEcYMcWhZdz5fsUlTNUldddqAee8sHvviRBFJBgYewr2odXHyNyXjcTQ_5-bCUELvpd05hsNe0CItVvTYgegGHi5rhxYso1PmqIB7Mnxcn_nBYI/s1600/knock_open_www.hackthesec.co.in.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiT-KXni4C1INDyp91QdgH7yvG91kZqKOEcYMcWhZdz5fsUlTNUldddqAee8sHvviRBFJBgYewr2odXHyNyXjcTQ_5-bCUELvpd05hsNe0CItVvTYgegGHi5rhxYso1PmqIB7Mnxcn_nBYI/s1600/knock_open_www.hackthesec.co.in.png" /></a></div>
<div style="background-color: white; color: #666666; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
<br /></div>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
<strong>-v</strong> = verbose<br />
<strong>10.0.76.224</strong> = Server IP<br />
<strong>1200 1300 1400</strong> = knock sequence which defined in the knockd configuration</div>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
After knock the server, now we will see that the client IP is now allowed to enter the server.</div>
<pre style="background: none 0px 0px repeat scroll rgb(60, 60, 60); border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-size: small;"><span style="font-size: large; line-height: 15.6px;"><span style="color: white;">$ sudo /sbin/</span><span style="color: lime;">iptables </span><span style="color: white;">-L -n |grep 10.1.6.14</span></span></span></pre>
<div style="background-color: white; font-family: arial, helvetica, sans-serif; line-height: 21px; margin-bottom: 15px;">
Then we can run SSH to remote the server.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjINYEuu7LmyDs7fvdRsVd38bC5K8Z15OTpi7ZNei7wNDzoWW4jSmV9023OiY4aI0ZfDP5XMeFreENSehDFjnRlBCHQCJjj-hoa-5vx_Bk51mmIEIJYJMT5E9phhW3X_GL67zhkaYP9UPtZ/s1600/ssh_success_after_knock_1_www.hackthesec.co.in.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjINYEuu7LmyDs7fvdRsVd38bC5K8Z15OTpi7ZNei7wNDzoWW4jSmV9023OiY4aI0ZfDP5XMeFreENSehDFjnRlBCHQCJjj-hoa-5vx_Bk51mmIEIJYJMT5E9phhW3X_GL67zhkaYP9UPtZ/s1600/ssh_success_after_knock_1_www.hackthesec.co.in.png" /></a></div>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
As we can see on the above image, the host name of are different. After SSH to the remote machine established then the host name is changed from @web01 into @dev-machine.</div>
<h1 style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 20pt; letter-spacing: -1px; line-height: 1.2em; margin: 0px 0px 15px; padding: 0px;">
<span style="color: #0b5394;"><u>Close the port</u></span></h1>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
After the client done to remote the server, the client need to close the port. To do that, we can use the command below :</div>
<pre style="background: none 0px 0px repeat scroll rgb(60, 60, 60); border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-size: small;"><span style="font-size: large; line-height: 15.6px;"><span style="color: white;">$ </span><span style="color: lime;">knock </span><span style="color: white;">-v 10.0.76.224 1400 1300 1200</span></span></span></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjseKC2KePBKaJufOpIsrsJfwjiU8L08ZMVOMFPEEGBsIcRr-pUpfbtcDurAkGDY-0XYN_hGxf1JUPlAnPg7hF4wVCI7dG1q3-nnq6sWwkUN_a8IKq3OG3nibdSX93H5a_QdfGOrQILERhP/s1600/knock_close_www.hackthesec.co.in.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjseKC2KePBKaJufOpIsrsJfwjiU8L08ZMVOMFPEEGBsIcRr-pUpfbtcDurAkGDY-0XYN_hGxf1JUPlAnPg7hF4wVCI7dG1q3-nnq6sWwkUN_a8IKq3OG3nibdSX93H5a_QdfGOrQILERhP/s1600/knock_close_www.hackthesec.co.in.png" /></a></div>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
<em><strong>Please be careful</strong>, to close the port, we put the knock sequence in the opposite order.</em></div>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
After knock the server, we will see a prompt again. To check if the knock was success, we use iptables command again. If it was success, we will see that IP 10.1.6.14 will disappeared.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg10Hwu4L6yAHomwQ2jSZ3ZCHYjJfWKC431IPW1b-qU2qyrUw3WGasrdHXFk5gvu0rfzXlobAOaA63L9_blX2lc6Dv3dztXyMRuquceOPguOa_G2UD32-rEM-a-Ltt8hKUU8oQZ7BXBB8l-/s1600/iptables_after_knock_closed_www.hackthesec.co.in.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg10Hwu4L6yAHomwQ2jSZ3ZCHYjJfWKC431IPW1b-qU2qyrUw3WGasrdHXFk5gvu0rfzXlobAOaA63L9_blX2lc6Dv3dztXyMRuquceOPguOa_G2UD32-rEM-a-Ltt8hKUU8oQZ7BXBB8l-/s1600/iptables_after_knock_closed_www.hackthesec.co.in.png" /></a></div>
<div style="background-color: white; color: #666666; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
<br /></div>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
On the previous one, after knock to open the port, we saw that the client IP Address - 10.1.6.14 - is allowed to enter the server by firewall. Now, after we knock to close the port, if we check with the same iptables command, the rule was deleted.</div>
<h1 style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 20pt; letter-spacing: -1px; line-height: 1.2em; margin: 0px 0px 15px; padding: 0px;">
<span style="color: #0b5394;"><u>Close the port Automatically</u></span></h1>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
Since the close port activity is triggered by client, we will have the possibility that the client forget to close the port. We don’t want it to happen. So we can configure knockd to close the port automatically.</div>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
In order to do that, <strong>we need to customize</strong> the knockd configuration file. Here is the sample of modified knockd configuration file.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmfGYEcrmFo1Wvrx5TEsjimq2xDLWx1inxWnY9CSCKNABB2u4tERKJ9cr1p6BbpLVrOrekaIxhr8p4WCnsiwHp-RT1JSy4T_PJMRyBL-yiAM6HQ8MlQNkX5DpP2qFBLO9MNuQjyDG1-pTq/s1600/auto_close_conf_www.hackthesec.co.in.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmfGYEcrmFo1Wvrx5TEsjimq2xDLWx1inxWnY9CSCKNABB2u4tERKJ9cr1p6BbpLVrOrekaIxhr8p4WCnsiwHp-RT1JSy4T_PJMRyBL-yiAM6HQ8MlQNkX5DpP2qFBLO9MNuQjyDG1-pTq/s1600/auto_close_conf_www.hackthesec.co.in.png" /></a></div>
<div style="background-color: white; color: #666666; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
<br /></div>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
The command still looks identical. The difference with the previous configuration is we put [openSSH] section and [closeSSH] section in the same block.</div>
<div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
Then we add <strong>cmd_timeout = 10</strong> line to tell the server <strong>to execute the stop_command 10 seconds after start_command is executed</strong>. The port will be automatically closed, but the established connection remain connected.</div>
<div style="background-color: white; color: #666666; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
<a href="http://www.hackthesec.co.in/" target="_blank">www.hackthesec.co.in</a><br />
<a href="http://www.twitter.com/hackthesecurity">www.twitter.com/hackthesecurity</a></div>
<div style="background-color: white; color: #666666; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;">
<br /></div>
</div>
</div>

How to Hide Application Port Using knockd in Linux

Hide Application Port Using knockd in Linux As a system administrator, we should do everything to secure our server from attackers. As the internet grows, threats to our server is also growing. One o…

19 Feb 2016

Load more posts