Home
Welcome to the Blue Linux Bastion Wiki! This wiki documents the scripts and practices in this repository for hardening Linux systems and for getting started in blue-team competitions with the tools provided. Navigate through the sections for a description of each script and how to use it effectively. Keep in mind that these scripts were designed for a specific purpose (rapid competition hardening) and may not be the best fit for your needs.
- Overview
- Installation
- Script Descriptions
- Configuration
- Usage Guidelines
- Troubleshooting
- Contributing
- Blue Team Competition Scenario
- License
- Disclaimer
Overview
The Blue Linux Bastion project provides a set of Bash scripts for hardening Linux systems, written primarily for security competitions but usable for general security hardening. Together they cover user lockdown, SSH and firewall configuration, periodic checks that the hardening is still in place, monitoring of network connections, and network scanning.
Installation
Prerequisites:
- Root access on the Linux system where the scripts will be deployed.
- Either UFW (Uncomplicated Firewall) or iptables installed; the scripts manage firewall rules through one of them.
- Nmap installed, for running the rapidenum.sh script.
Steps:
- Clone the GitHub repository:
git clone https://github.com/fulco/BlueLinuxBastion.git
- Navigate to the cloned directory and make the scripts executable:
chmod +x userkiller.sh croncheck.sh conchecker.sh rapidenum.sh
Note that croncheck.sh is generated by userkiller.sh, so if it is not present yet chmod will report it as missing; the other three scripts are still made executable.
Script Descriptions
userkiller.sh
This is the main hardening script. It performs the following tasks:
- Logs out all users (except the specified user and root) and kills their processes
- Clears cron jobs for all users (except the specified user and root)
- Changes passwords for all users (except the specified user and root)
- Updates the SSH daemon (sshd) to listen on a custom port (defined by $NEW_SSH_PORT)
- Configures firewall rules using UFW (Uncomplicated Firewall) or iptables based on a specified input file
- Creates a backup admin user with sudo access for emergency purposes
- Logs script actions to a file for future reference and troubleshooting (default log file: /var/log/userkiller.log, can be changed with an optional argument)
- Generates the croncheck.sh script and cronline.txt file for periodic system checks
- Manages system services by displaying enabled and running services and allowing the user to selectively disable non-needed services
- Logs processes and their associated executables before and after making changes
croncheck.sh
This script is generated by the userkiller.sh script and is designed to be run periodically via cron to verify that the system remains hardened. It performs the following checks:
- Verifies that the backup admin user exists and has sudo access
- Checks that the SSH configuration file is unchanged and has the immutable flag set
- Checks that the firewall rules are unchanged with respect to the defined rules (port specified by $NEW_SSH_PORT)
cronline.txt
This file is generated by the userkiller.sh script and contains a cron entry that runs the croncheck.sh script periodically and logs any failures to the /var/log/croncheck_failure.log file.
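The three croncheck.sh checks and the cronline.txt entry, written out as an added example. This is illustrative code, not the croncheck.sh that userkiller.sh generates: each check is a function that returns non-zero on drift, run_checks fails if any of them does, and the cron line records that failure. The backup admin name (bastionadmin), the install path (/opt/bastion), the five-minute period and the way sudo membership is detected (sudo or wheel group) are assumptions.

```shell
#!/bin/sh
# Added example: the checks a periodic croncheck.sh makes, as functions that
# return non-zero on drift. Not BlueLinuxBastion's generated script; the admin
# name, install path, baseline hash and cron period below are assumptions.
set -eu

NEW_SSH_PORT=${NEW_SSH_PORT:-2298}           # page default
BACKUP_ADMIN=${BACKUP_ADMIN:-bastionadmin}   # assumed name of the backup admin user
SSHD_CONFIG=/etc/ssh/sshd_config
SSHD_CONFIG_SHA256=${SSHD_CONFIG_SHA256:-}   # baseline recorded when hardening ran

# file_unchanged PATH SHA256: 0 if PATH still hashes to the recorded baseline.
file_unchanged() {
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$actual" = "$2" ]
}

# is_immutable PATH: 0 if chattr +i is set (lowercase 'i' in lsattr's flag field).
is_immutable() {
  flags=$(lsattr -d "$1" 2>/dev/null | cut -d' ' -f1) || flags=
  case "$flags" in *i*) return 0 ;; esac
  return 1
}

# sshd_port_is PORT CONFIG: 0 if an active (uncommented) "Port PORT" directive exists.
sshd_port_is() {
  awk -v want="$1" 'tolower($1) == "port" && $2 == want { found = 1 } END { exit !found }' "$2"
}

# user_has_sudo USER: 0 if USER exists and is in the sudo or wheel group
# (assumed mechanism; adjust if userkiller.sh grants sudo via a sudoers drop-in).
user_has_sudo() {
  id "$1" >/dev/null 2>&1 || return 1
  id -nG "$1" | tr ' ' '\n' | grep -qxE 'sudo|wheel'
}

# firewall_allows_port PORT RULES: 0 if RULES (iptables-save or `ufw status`
# text) still carries an accept rule for PORT/tcp.
firewall_allows_port() {
  printf '%s\n' "$2" | grep -qE -- "--dport $1 .*-j ACCEPT|^$1/tcp +ALLOW"
}

# run_checks: run every check; one failure fails the whole run, so the cron
# entry below appends a line to the failure log.
run_checks() {
  rc=0
  user_has_sudo "$BACKUP_ADMIN" || { echo "backup admin $BACKUP_ADMIN missing or without sudo"; rc=1; }
  file_unchanged "$SSHD_CONFIG" "$SSHD_CONFIG_SHA256" || { echo "$SSHD_CONFIG differs from baseline"; rc=1; }
  is_immutable "$SSHD_CONFIG" || { echo "$SSHD_CONFIG is not immutable"; rc=1; }
  sshd_port_is "$NEW_SSH_PORT" "$SSHD_CONFIG" || { echo "sshd is not configured for port $NEW_SSH_PORT"; rc=1; }
  firewall_allows_port "$NEW_SSH_PORT" "$(iptables-save 2>/dev/null || ufw status 2>/dev/null)" \
    || { echo "no firewall accept rule for $NEW_SSH_PORT/tcp"; rc=1; }
  return "$rc"
}

# cronline.txt-style entry (assumed path and period): run the checks and
# record a timestamped line in the failure log whenever they fail.
CRON_LINE='*/5 * * * * /opt/bastion/croncheck.sh --run >/dev/null || echo "$(date) croncheck failed" >> /var/log/croncheck_failure.log'

# install_cron_line: append CRON_LINE to the current crontab without clobbering it.
install_cron_line() {
  { crontab -l 2>/dev/null || true; printf '%s\n' "$CRON_LINE"; } | crontab -
}

# As run from cron (needs root for iptables-save and lsattr on sshd_config).
if [ "${1:-}" = --run ]; then run_checks; fi
```

Run it as root with --run to get the same exit status cron sees; the functions can be exercised individually on any file, which is how the baseline hash for SSHD_CONFIG_SHA256 would be produced right after userkiller.sh finishes.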
conchecker.sh
The conchecker.sh script monitors network connections on a Linux system and identifies unauthorized ones. It performs the following tasks:
- Retrieves the current user's SSH connection IP and excludes it from the checks
- Parses the output of netstat -antp to extract connection details
- Checks each connection against the allowed_ips.txt file
- If a connection is unauthorized:
  - Prompts the user to kill the associated process
  - Prompts the user to add a firewall rule to block the connection
- Logs detailed information about the script's actions with timestamps
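The decision logic behind those tasks, as an added example that is not BlueLinuxBastion's conchecker.sh: it parses netstat -antp lines, checks each established connection against allowed_ips.txt entries in the page's "IP PORT" format, skips the operator's own SSH source address, and produces the firewall rule it would offer to add. The netstat output and whitelist are constructed samples so the script runs offline without root; taking the operator's address from $SSH_CONNECTION rather than from a username argument is an assumption.

```shell
#!/bin/sh
# Added example, not BlueLinuxBastion's conchecker.sh: flag ESTABLISHED TCP
# connections that are not whitelisted, ignoring the operator's own SSH session.
set -eu

# Constructed allowed_ips.txt content in the page's "IP PORT" format.
ALLOWED_IPS_SAMPLE='192.168.0.111 80
192.168.0.201 443'

# Constructed `netstat -antp` output, header lines included.
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:2298            0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 10.0.0.5:80             192.168.0.111:51522     ESTABLISHED 1337/nginx
tcp        0      0 10.0.0.5:443            192.168.0.201:40010     ESTABLISHED 1337/nginx
tcp        0      0 10.0.0.5:4444           203.0.113.9:50000       ESTABLISHED 2045/nc
tcp        0      0 10.0.0.5:2298           198.51.100.7:61000      ESTABLISHED 2101/sshd'

# operator_ip: client address of the current SSH session (first field of
# $SSH_CONNECTION; assumed source), empty when not logged in over SSH.
operator_ip() {
  conn=${SSH_CONNECTION:-}
  printf '%s' "${conn%% *}"
}

# is_allowed IP PORT ALLOWED_TEXT: 0 when "IP PORT" appears in the whitelist.
is_allowed() {
  printf '%s\n' "$3" | awk -v ip="$1" -v port="$2" \
    '$1 == ip && $2 == port { found = 1 } END { exit !found }'
}

# unauthorized_connections NETSTAT_TEXT ALLOWED_TEXT [EXCLUDE_IP]
# Prints "REMOTE_IP LOCAL_PORT PID/PROGRAM" for every ESTABLISHED TCP connection
# that is neither whitelisted nor from EXCLUDE_IP, so the caller never offers to
# kill the operator's own session.
unauthorized_connections() {
  exclude_ip=${3:-}
  printf '%s\n' "$1" | while read -r proto recvq sendq laddr faddr state pidprog; do
    case "$proto" in tcp*) ;; *) continue ;; esac   # skips netstat's header lines too
    [ "$state" = ESTABLISHED ] || continue
    lport=${laddr##*:}
    rip=${faddr%:*}
    [ -n "$exclude_ip" ] && [ "$rip" = "$exclude_ip" ] && continue
    is_allowed "$rip" "$lport" "$2" && continue
    printf '%s %s %s\n' "$rip" "$lport" "$pidprog"
  done
}

# block_command IP BACKEND: the rule the script offers to add (ufw or iptables).
block_command() {
  case "$2" in
    ufw)      printf 'ufw insert 1 deny from %s to any\n' "$1" ;;
    iptables) printf 'iptables -I INPUT -s %s -j DROP\n' "$1" ;;
    *)        return 1 ;;
  esac
}

# Stand-alone demo on the constructed samples. On a live host replace
# "$NETSTAT_SAMPLE" with "$(netstat -antp)" and only kill "${pidprog%%/*}" or
# run block_command after the operator confirms each line.
unauthorized_connections "$NETSTAT_SAMPLE" "$ALLOWED_IPS_SAMPLE" "$(operator_ip)" |
  while read -r rip lport pidprog; do
    printf 'UNAUTHORIZED %s -> local port %s (%s); suggested: %s\n' \
      "$rip" "$lport" "$pidprog" "$(block_command "$rip" iptables)"
  done
```

Matching on the remote IP plus the local port (rather than the remote port, which is ephemeral) is what makes the "IP PORT" whitelist format usable; the exclusion of the operator's address is checked before the whitelist so a missing entry for your own session never results in a prompt to kill it.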
rapidenum.sh
The rapidenum.sh script performs network scans with Nmap to find open ports for specific TCP and UDP services across a given network range. It includes several optimizations to speed up scanning:
- Parallelizes the scans by splitting the network range into smaller subsets
- Adjusts Nmap timing and performance options for faster scanning
- Limits the scanned ports based on prior knowledge of likely open ports
- Uses Nmap's ping sweep to identify live hosts before scanning for open ports
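The four optimizations made explicit, as an added example that is not BlueLinuxBastion's rapidenum.sh: the range is split into sub-ranges that xargs scans in parallel, each worker ping-sweeps its sub-range first and then probes only a short list of likely ports on the hosts that answered, with Nmap's timing template and --min-rate raised. The sub-range size (/26), job count, port list and output directory are assumptions passed as arguments; only the subnet arithmetic runs without Nmap.

```shell
#!/bin/sh
# Added example, not BlueLinuxBastion's rapidenum.sh: parallel, ping-sweep-first,
# limited-port scanning of a range. Subnet size, jobs, ports and outdir are assumed.
set -eu

# ip2int DOTTED / int2ip N: dotted-quad <-> 32-bit integer for subnet arithmetic.
ip2int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# split_cidr NETWORK/PREFIX NEW_PREFIX: print the NEW_PREFIX subnets covering the
# range, one per line (a /24 into four /26s). Fails if NEW_PREFIX is shorter.
split_cidr() {
  net=${1%/*}; prefix=${1#*/}; new=$2
  [ "$new" -ge "$prefix" ] && [ "$new" -le 32 ] || return 1
  mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
  base=$(( $(ip2int "$net") & mask ))     # normalise host bits, e.g. 10.1.1.77/24 -> 10.1.1.0
  step=$(( 1 << (32 - new) ))
  count=$(( 1 << (new - prefix) ))
  i=0
  while [ "$i" -lt "$count" ]; do
    printf '%s/%s\n' "$(int2ip $(( base + i * step )))" "$new"
    i=$(( i + 1 ))
  done
}

# scan_parallel NETWORK/PREFIX SUBNET_PREFIX JOBS PORTS OUTDIR
# Scans JOBS sub-ranges at once. Each worker: ping sweep (-sn) to list live
# hosts, then a scan restricted to PORTS on those hosts only, saved in grepable
# format under OUTDIR. Set DRY_RUN=1 to print what would run instead.
scan_parallel() {
  mkdir -p "$5"
  split_cidr "$1" "$2" | xargs -P "$3" -I{} sh -c '
    r=$1; ports=$2; out=$3; tag=$(printf %s "$r" | tr / _)
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "[dry-run] sweep $r, then scan ports $ports on live hosts -> $out/$tag.gnmap"
      exit 0
    fi
    nmap -sn -T4 -oG - "$r" | awk "/Status: Up/ {print \$2}" > "$out/$tag.live"
    if [ -s "$out/$tag.live" ]; then
      nmap -Pn -T4 --min-rate 1000 -p "$ports" -iL "$out/$tag.live" -oG "$out/$tag.gnmap" >/dev/null
    fi
  ' _ {} "$4" "$5"
}

# Usage: sh this_script.sh 10.1.1.0/24 [subnet_prefix] [jobs] [ports] [outdir]
if [ "$#" -ge 1 ]; then
  scan_parallel "$1" "${2:-26}" "${3:-4}" "${4:-22,80,443,445,3389}" "${5:-./HostServices}"
fi
```

The --min-rate 1000 matches the page's default rate; raise the job count rather than the rate if the target network drops packets, since each worker already scans its sub-range independently.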
Configuration
- The allowed_ips.txt file lists the allowed IP addresses and ports, one "IP PORT" pair per line. userkiller.sh uses it for SSH access and conchecker.sh for deciding which connections are authorized.
- The userkiller.sh script sets the SSH port using the $NEW_SSH_PORT variable. By default it is set to 2298; modify the value of $NEW_SSH_PORT in the script to change it.
- The userkiller.sh script logs its actions to /var/log/userkiller.log by default. You can change the log file path by providing an optional argument when running the script.
- The conchecker.sh script reads allowed_ips.txt to determine allowed network connections. Ensure that this file exists and contains the appropriate IP addresses and ports. Example contents:
192.168.0.111 80
192.168.0.201 443
- The rapidenum.sh script requires a network range as a command-line argument. You can also modify the script to adjust the scanned ports and services to your requirements. Its usage text:
Usage: $0 [-d output_directory] [-s service1,service2,...] [-r rate] [-t timeout] network_range
  -d output_directory       Specify the output directory for scan results (default: ./HostServices)
  -s service1,service2,...  Specify the services to scan (default: all services)
  -r rate                   Specify the maximum packet rate (default: 1000)
  -t timeout                Specify the timeout in seconds for each host (default: 600)
  network_range             The network range to scan (e.g., 10.1.1.0/24)
- Note: The $EUID variable used in the scripts is a built-in Bash variable holding the effective user ID of the current user (0 when running as root). It does not require any configuration.
Usage Guidelines
Follow these steps to deploy and use the scripts:
1. Run userkiller.sh with the username to exclude from the hardening operations:
sudo ./userkiller.sh username_to_exclude [log_file_path]
- username_to_exclude: the user to exclude from hardening operations. This should be your own account, since every other non-root user is logged out and has their password changed.
- log_file_path (optional): the path to the log file. If not provided, the default /var/log/userkiller.log is used.
Example:
sudo ./userkiller.sh john /var/log/custom_userkiller.log
2. Enter the new password for the users when prompted.
3. The script performs the hardening tasks, generates the croncheck.sh script and cronline.txt file, and displays relevant information.
4. Review the generated cronline.txt file and add the cron entry to your system's crontab so that croncheck.sh runs periodically.
5. To monitor network connections and identify unauthorized ones, run conchecker.sh:
sudo ./conchecker.sh username_to_exclude
Replace username_to_exclude with the username of the current SSH session; that session's connection is excluded from the checks.
6. To scan the network for open ports and services, run rapidenum.sh:
sudo ./rapidenum.sh network_range
Replace network_range with the range you want to scan (e.g., 10.1.1.0/24).
Troubleshooting
If you encounter issues, verify the following:
- The scripts are being run with root privileges.
- The firewall and SSH configurations are correctly set according to the script specifications.
- Logs are being generated as expected; consult the specified log file (default: /var/log/userkiller.log), /var/log/croncheck_failure.log, /var/log/conchecker.log, and /var/log/process_executables.log for details on any errors or operations.
- For the conchecker.sh script:
  - Ensure that the allowed_ips.txt file exists and contains the correct IP addresses and ports for allowed connections.
  - Ensure that netstat is installed (it ships in the net-tools package on most distributions); the script parses the output of netstat -antp.
  - Check the /var/log/conchecker.log file for detailed logs of the script's actions and any errors encountered.
- For the rapidenum.sh script:
  - Ensure that Nmap is installed on the system.
  - Verify that the network range provided as a command-line argument is valid and reachable.
  - Check the generated output files in the HostServices directory for the scan results.
Contributing
Contributions are welcome to enhance the scripts' functionality or documentation. Please fork the repository, make your changes, and submit a pull request for review.
License
This project is released under the MIT License. Full details can be found in the LICENSE file in the repository.
Disclaimer
The provided scripts make substantial changes to system configurations. It is strongly recommended to test them thoroughly in a non-production environment before use on critical systems, so that you fully understand their impact. Use these scripts responsibly and only on systems and networks you have permission to scan and modify.