-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsecurity
89 lines (53 loc) · 3.09 KB
/
security
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
#Started from July 29, 2022. I realized maintaining secuity is REALLY important even though Linux default state is quite secure.
1. Make sure "Secure Boot" is enabled in BIOS.
sudo mokutil --sb-state
OR,
dmesg | grep secure
[both command will tell whether SecureBoot is enabled or disable. Enable it if its not already.]
------------------------------------------------------------------------------------------------------
2. In Windows, if you open doubtful or unknown document:
-> Never enable "Macros" if the document ask.
-> Disable Macros functionality if its enabled.
[Macros can contain scripts that can damage the OS security.]
[This primarly affects MS Word, PowerPoint, Excel, etc.]
------------------------------------------------------------------------------------------------------
3. In Windows, application shortcuts can be dangerous because:
-> Windows by default hide file extension.
-> Executable script/program icons can be changed to make it look like a picture or video to confuse.
-> Know what/which application/software/script is asking for administrative permission.
[Always check file type before running them]
-------------------------------------------------------------------------------------------------------
4. Know which port are open. Close the port and identify suspicious program.
netstat -tunlp //to see all open port
ps -o pid=<pid_number> //to see parant id
--------------------------------------------------------------------------------------------------------
5. List out all running process in Tree format. Easier to spot unusally activity:
ps -auxwf
----------------------------------------------------------------------------------------------------
6. After Crowdsrike incident, this can happen too to any Linux distro, so:
https://systemd.io/AUTOMATIC_BOOT_ASSESSMENT/ // Works in Linux distro only.
[Automatic Boot Assessment (ABA) counts the failed attempts of boot; and revert back to old kernel/system.]
-----------------------------------------------------------------------------------------------------------
7. Block known malicious IP, by putting its traffic into null routes
~ To apply:
route add <bad-ip> gw 127.0.0.1 lo // routing the traffic coming from bad ip into loopback address
or
route add -host <bad-ip> reject
or
ip route add blackhole <ip>/cidr // BEST command. No ICMP will be sent. No packet will be forwarded.
~ To verify:
ip route get <bad-ip> // Output: "RTNETLINK answers: Network is unreachable"
~ To block entire subnet:
route add -net <network-ID/cidr> gw 127.0.0.1 lo
~ To undo blocking:
route delete <ip>
route delete -host <ip> reject
ip route delete <ip>/cidr dev eth0
[For advance blocking, use bash script. For persistent blocking, add commands to /etc/rc.local file. Learn, "fail2ban".]
8. Antivirus for Linux!
sudo freshclam // To update "clamscan" datebase
clamscan <path> // To scan
clamscan -r <path> // To scan all files that are in all folder
clamscan -r --move=<path> // To scan and automatically move suspected file
[--remove parameter will automatically delete suspectetd file. Do it at your own risk]
9.