SSH Penetration Testing

Prevention against brute-force attacks

Windows has a threshold account lockout policy that locks an account after a set number of failed attempts; on UNIX the same effect can be achieved with an iptables chain rule.

Here the admin sets iptables chain rules for a certain number of login attempts; once a source crosses the defined number of new SSH connections within the window, further connections from it are dropped for the time period the admin specified. The rule tracks the source address (note "side: source" in the listing below), so every user behind that address is affected.

Type the commands below to set the iptables chain rules for the lockout policy:

sudo iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
sudo iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 120 --hitcount 3 -j DROP

[email protected]:/etc$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW recent: UPDATE seconds: 120 hit_count: 3 name: DEFAULT side: source mask: 255.255.255.255
           tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

sudo service ssh restart

Install iptables-persistent:

sudo apt-get install iptables-persistent
sudo su
iptables-save > /etc/iptables.rules
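Before putting the two rules above on a live host it helps to see exactly which attempt they drop. Both rules are added with -I, so the second command ends up first in the chain (the order the iptables -L listing shows), and the DROP decision is taken per source address. The script below is an added example, not part of the original post: a dry-run model of the xt_recent behaviour documented in iptables-extensions(8), where the --update rule matches (DROP) when the source already has at least --hitcount packets recorded inside the last --seconds and refreshes the source's stamps when it matches, and the --set rule records every packet that was not dropped. The attempt list is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: dry-run model of the two "recent" rules
# above, so --seconds/--hitcount can be tuned without locking yourself out.
# Input is a constructed attempt list: "<epoch seconds> <source ip>", one per line,
# in time order.

ATTEMPTS='1000 203.0.113.5
1010 203.0.113.5
1020 203.0.113.5
1030 203.0.113.5
1040 198.51.100.7
1100 203.0.113.5
1200 203.0.113.5
1300 203.0.113.5'

# simulate_recent <seconds> <hitcount>: reads attempts on stdin and prints
# "<epoch> <ip> ACCEPT|DROP" for each one.
simulate_recent() {
    awk -v win="$1" -v hits="$2" '
    {
        t = $1; ip = $2
        # count the stamps already recorded for this source inside the window
        n = 0
        for (i = 1; i <= cnt[ip]; i++)
            if (t - stamp[ip, i] <= win) n++
        # first rule in the chain: --update --seconds --hitcount -j DROP
        verdict = (n >= hits) ? "DROP" : "ACCEPT"
        # both paths record this packet: --update on match, --set otherwise;
        # this is why a source that keeps retrying stays blocked
        cnt[ip]++
        stamp[ip, cnt[ip]] = t
        print t, ip, verdict
    }'
}

# count_drops <seconds> <hitcount>: number of ATTEMPTS the rules would drop
count_drops() {
    printf '%s\n' "$ATTEMPTS" | simulate_recent "$1" "$2" \
        | awk '$3 == "DROP" { n++ } END { print n + 0 }'
}

# verdict_of <seconds> <hitcount> <epoch>: verdict for the attempt made at <epoch>
verdict_of() {
    printf '%s\n' "$ATTEMPTS" | simulate_recent "$1" "$2" | awk -v t="$3" '$1 == t { print $3 }'
}

# Same parameters as the rules above: 3 hits inside 120 seconds
printf '%s\n' "$ATTEMPTS" | simulate_recent 120 3
```

With the page's parameters the fourth connection from 203.0.113.5 (at 1030) is the first one dropped, the retry at 1100 is dropped as well because the earlier stamps are still inside the window, and the attempt at 1200 is accepted again once the stamps have aged out. Raising --hitcount to 5 drops nothing in this list; widening --seconds to 300 drops four attempts, which is the trade-off to weigh against admins connecting from a shared NAT address.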

How to install Oracle VirtualBox on Arch Linux

Follow the steps below to install VirtualBox on Arch Linux based systems.

[Install VirtualBox and VirtualBox Host Module on Arch Linux]
$ sudo pacman -S virtualbox virtualbox-host-modules-arch
[Load VirtualBox module to the kernel]
$ sudo modprobe vboxdrv
[Install Virtualbox Extension Pack]
$ yaourt virtualbox-ext-oracle
[Adding Your Account to the vbox User Group]
$ sudo gpasswd -a $USER vboxusers

HOWTO: ArchLinux – Intel and AMD have CPU meltdown as two major security flaws are blown open

Affected OS versions: all Arch Linux systems below version 4.14.12-1.

[[email protected] ~]$ uname -a
Linux Dell-Linux 4.14.8-1-ARCH #1 SMP PREEMPT Wed Dec 20 21:27:44 UTC 2017 x86_64 GNU/Linux
[[email protected] ~]$

Solution:
[[email protected] ~]$ sudo pacman -Sy

[[email protected] ~]$ sudo pacman -Syyu
[sudo] password for Arch: 
:: Synchronizing package databases...
 core                             26.8      KiB   204K/s  00:01 [####################################################################] 100%
 extra                            1639.8    KiB   509K/s  00:03 [####################################################################] 100%
 community                        4.3       MiB   675K/s  00:06 [####################################################################] 100%
 multilib                         168.6     KiB   214K/s  00:01 [####################################################################] 100%
 archlinuxfr                      1.5       KiB   3.74M/s 00:00 [####################################################################] 100%
:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...

Packages (52) bind-9.11.2-3  bind-tools-9.11.2-3  linux-4.14.12-1  linux-headers-4.14.12-1  mesa-17.3.1-2  

[[email protected] ~]$ uname -a
Linux Dell-Linux 4.14.12-1-ARCH #1 SMP PREEMPT Wed Jan 3 07:02:42 UTC 2018 x86_64 GNU/Linux

AVG-552

Package linux
Status Fixed
Severity High
Type multiple issues
Affected 4.14.7-1
Fixed 4.14.11-1
Current 4.14.12-1 [core]
Ticket FS#56832
Created Thu Jan 4 00:17:01 2018


To check the kernel:

[[email protected] ~]$ zgrep CONFIG_PAGE_TABLE_ISOLATION /proc/config.gz
CONFIG_PAGE_TABLE_ISOLATION=y
[[email protected] ~]$ dmesg | grep iso  
[    0.000000] Kernel/User page tables isolation: enabled

AVG-522

Linux Find Large Files

RedHat / CentOS / Fedora Linux

find {/path/to/directory/} -type f -size +{size-in-kb}k -exec ls -lh {} \; | awk '{ print $9 ": " $5 }'

To list files larger than 50 MB:
$ find . -type f -size +50000k -exec ls -lh {} \; | awk '{ print $9 ": " $5 }'

Debian / Ubuntu Linux

find {/path/to/directory/} -type f -size +{size-in-kb}k -exec ls -lh {} \; | awk '{ print $9 ": " $5 }'

To list files larger than 50 MB:
$ find . -type f -size +50000k -exec ls -lh {} \; | awk '{ print $8 ": " $5 }'
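The two variants above differ only in which ls -l column holds the file name ($9 or $8), which depends on the distribution's date format and on file names without spaces. The script below is an added example, not from the original post: it asks find for the size and path directly with GNU find's -printf, so the listing is the same on every distribution and survives paths containing spaces. It assumes GNU findutils and coreutils (truncate) and builds a constructed demo tree of sparse files to show the output.

```shell
#!/bin/sh
# Added example, not from the original post: size-threshold listing that does not
# depend on the column layout of "ls -l". Assumes GNU find (-printf) and GNU
# coreutils (truncate, mktemp).

# large_files <dir> <size-in-kb>: print "<bytes> <path>" for regular files larger
# than <size-in-kb> KiB, largest first. -size +Nk rounds up to whole KiB, exactly
# like the commands above.
large_files() {
    find "$1" -type f -size +"$2"k -printf '%s %p\n' | sort -rn
}

# count_large <dir> <kb>: number of files reported
count_large() {
    large_files "$1" "$2" | awk 'END { print NR }'
}

# first_large <dir> <kb>: path of the largest reported file (everything after the size)
first_large() {
    large_files "$1" "$2" | head -n 1 | cut -d ' ' -f 2-
}

# Constructed demo tree: sparse files of known sizes, no real data written.
make_demo_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/logs" "$dir/with space"
    truncate -s 60M "$dir/logs/big.log"          # above a 50000k threshold
    truncate -s 70M "$dir/with space/core dump"  # path containing spaces
    truncate -s 10M "$dir/logs/small.log"        # below the threshold
    printf '%s\n' "$dir"
}

DEMO=$(make_demo_tree)
# Same threshold as the page's examples: files larger than 50000 KiB
large_files "$DEMO" 50000
```

The awk '$8' / '$9' variants would print "core" for the 70M file above; with -printf the whole path comes back, which matters when the listing is fed into a cleanup script.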

Arch Linux is patched: KRACK

Verify like this (if you don't sync your package databases you will likely pull an old version):

$ sudo pacman -Q wpa_supplicant
wpa_supplicant 1:2.6-8

This should go without saying, but for anyone new to arch make sure you run:
$ sudo pacman -Syu wpa_supplicant

verify like this:
$ sudo pacman -Q wpa_supplicant
wpa_supplicant 1:2.6-11

HOWTO: Deploy script via Trend Micro OfficeScan (GPO)

How to deploy script on Trend Micro OfficeScan (GPO)

HOWTO: Change Postfix configuration for Threat Emulation MTA

How to change Postfix configuration for Threat Emulation MTA

Non-Delivery Configuration:

  1. Connect to command line on Security Gateway (over SSH, or console).
  2. Log in to Expert mode.
  3. Backup the /opt/postfix/etc/postfix/main.cf file:
     [[email protected]]# cp /opt/postfix/etc/postfix/main.cf /opt/postfix/etc/postfix/main.cf_ORG
  4. Edit the /opt/postfix/etc/postfix/main.cf file:
     [[email protected]]# vi /opt/postfix/etc/postfix/main.cf
  5. Add the desired parameters:
     notify_classes = bounce, resource, software
     Refer to the official Postfix Configuration Parameters page.
  6. Save the changes in the file and exit from Vi editor.
  7. In SmartDashboard, install the Threat Prevention policy.

Check Point Firewall – Connection Table Analysis

# fw tab -t connections -u > /var/log/connstat_Connections_Table.txt

C:\Users\Windows7\Desktop>connStat.exe -help

Usage: connStat -f [-a|-c|-s|-r|-l|-p|-d|-n]
   -a Show all flags
   -c Connection state info
   -s Top X Services used
   -r Top X Rule used
   -l Top X Least Used Rules
   -d Top Clients and Servers
   -i Interfaces connection directions
   -p Top Protocols
   -n Specify X

C:\Users\Windows7\Desktop>connStat.exe -f connstat_Connections_Table.txt -a
Total Number of connections: 2058
============================
Started:        271
Established:    951
Closed:         186
Half Closed:    650

Top 10 Services:
================
Service: 443    Hits: 1101 Rules: 19,4
Service: 80     Hits: 439 Rules: 19,4
Service: 53     Hits: 253 Rules: 17,4,18
Service: 8014   Hits: 105 Rules: 5,12
Service: 5228   Hits: 57 Rules: 19
Service: 25     Hits: 24 Rules: 4,0
Service: 49154  Hits: 12 Rules: 4,12
Service: 3389   Hits: 10 Rules: 5,12
Service: 18192  Hits: 9 Rules: 0
Service: 5223   Hits: 7 Rules: 19

Top 10 Rules:
=============
Rule: 19        Hits: 1573       --this rule should be moved higher--
Rule: 17        Hits: 148
Rule: 04        Hits: 85
Rule: 05        Hits: 74
Rule: 18        Hits: 71
Rule: 12        Hits: 60
Rule: 00        Hits: 38
Rule: 07        Hits: 3
Rule: 03        Hits: 3
Rule: 01        Hits: 3

Top 10 Least Used Rules:
========================
Rule: 01        Hits: 3
Rule: 03        Hits: 3
Rule: 07        Hits: 3
Rule: 00        Hits: 38
Rule: 12        Hits: 60
Rule: 18        Hits: 71
Rule: 05        Hits: 74
Rule: 04        Hits: 85
Rule: 17        Hits: 148
Rule: 19        Hits: 1573

Top 10 Clients:
===============
Client: x.x.x.x     Hits: 184
Client: x.x.x.x    Hits: 158
Client: x.x.x.x      Hits: 150
Client: x.x.x.x    Hits: 117
Client: x.x.x.x    Hits: 99
Client: x.x.x.x    Hits: 89
Client: x.x.x.x    Hits: 82
Client: x.x.x.x    Hits: 68
Client: x.x.x.x     Hits: 66
Client: x.x.x.x    Hits: 63

Top 10 Servers:
===============
Server: x.x.x.x   Hits: 179
Server: x.x.x.x     Hits: 105
Server: x.x.x.x  Hits: 89
Server: x.x.x.x      Hits: 44
Server: x.x.x.x   Hits: 40
Server: x.x.x.x   Hits: 38
Server: x.x.x.x   Hits: 28
Server: x.x.x.x    Hits: 24
Server: x.x.x.x  Hits: 23
Server: x.x.x.x      Hits: 23

Interface Directions (fw ctl if list):
======================================
IF direction: in 06,06 -> out 01,01     Hits: 836
IF direction: in 02,02 -> out 05,05     Hits: 792
IF direction: in 02,02 -> out 05,01     Hits: 176
IF direction: in 01,01 -> out 06,06     Hits: 77
IF direction: in 04,04 -> out 06,06     Hits: 50
IF direction: in 00,00 -> out 01,01     Hits: 36
IF direction: in 00,00 -> out 06,06     Hits: 34
IF direction: in 01,01 -> out 00,00     Hits: 23
IF direction: in 06,06 -> out 04,04     Hits: 16
IF direction: in 06,00 -> out 00,01     Hits: 7

Top Protocols:
==============
Protocol: tcp   Hits: 1793
Protocol: udp   Hits: 265

HOWTO: Check Point upgrade R77.x to R80.10

Pre-R80 Management Server Migration Tool – sk108623 (Download)

Target Version and Products:

[[email protected]:0]# ./pre_upgrade_verifier --help

This is Check Point Pre-Upgrade Verifier for version R80.

Usage: pre_upgrade_verifier -p SecurityManagementPath -c CurrentVersion -t TargetVersion [-u | -a][-f FileName] [-w]
   Or: pre_upgrade_verifier -p SecurityManagementPath -c CurrentVersion -i [-f FileName] [-w]
        -p Path of the installed Security Management Server (FWDIR).
        -c Currently installed version.
        -t Target version.
        -i Check originality of Inspect files only.
        -u Perform plug-in related checks.
        -a Skip main train version checks, perform plug-in related checks only.
        -f Output in file.
        -w Web format file.

where the Currently installed version is one of the following:
NGX_R65 (aliases: 6.0.1.0)
R70 (aliases: R70_R70, 6.0.1.6)
R71 (aliases: R71_R71, 6.0.1.7)
R75 (aliases: R75_R75, 6.0.2.0)
R75.20 (aliases: R75.20_R75.20, 6.0.2.1)
R75.40 (aliases: R75.40_R75.40, 6.0.2.5)
R75.40VS (aliases: R75.40VS_R75.40VS, 6.0.3.0)
R76 (aliases: R76_R76, 6.0.3.5)
R77 (aliases: R77_R77, 6.0.4.0)

where the Target version is one of the following:
R70 (aliases: R70_R70, 6.0.1.6)
R71 (aliases: R71_R71, 6.0.1.7)
R75 (aliases: R75_R75, 6.0.2.0)
R75.20 (aliases: R75.20_R75.20, 6.0.2.1)
R75.40 (aliases: R75.40_R75.40, 6.0.2.5)
R75.40VS (aliases: R75.40VS_R75.40VS, 6.0.3.0)
R76 (aliases: R76_R76, 6.0.3.5)
R77 (aliases: R77_R77, 6.0.4.0)
R80 (aliases: R80_R80, 6.0.4.8)

Analysis of the current configuration:
#./pre_upgrade_verifier -p $FWDIR -c R77 -t R80

[[email protected]:0]#  ./pre_upgrade_verifier -p $FWDIR -c R77 -t R80


================================
Action items before upgrade:
================================


Warnings: It is recommended to resolve the following problems.
==============================================================


Title: Application Control deprecated categories
-----
* Description: Rulebase contains Application Control categories or group of categories that were deprecated.
For deprecated categories list and recommended substitutes please refer to sk106783.


To resolve the problem, fix the following categories:

The category: "Social Plugins" in rule Num. 12 of "PoC-Standard" policy is deprecated
The category: "Tunnels" in PoC_Block_APP group is deprecated
The category: "Facebook File Sharing" in PoC_Block_APP group is deprecated
The category: "Torrent Trackers" in PoC_Block_APP group is deprecated, it is recommended to replace it with "P2P File Sharing"
The category: "MySpace Games" in PoC_Block_APP group is deprecated



Pre-upgrade verification report can also be found in /opt/CPsuite-R77/fw1/log in the following formats:
pre_upgrade_verification_report.html
pre_upgrade_verification_report.xsl
pre_upgrade_verification_report.txt (text file)
[[email protected]:0]# ./pre_upgrade_verifier -p $FWDIR -c R77 -t R80
No errors found by the Pre Upgrade Verifier.
[[email protected]:0]# ./migrate export PoC-pre-R80.tgz


You are required to close all clients to Security Management Server
or execute 'cpstop' before the Export operation begins.

Do you want to continue? (y/n) [n]? y


Copying required files...
Compressing files...

The operation completed successfully.

Location of archive with exported database: /var/log/pre_upgrade_r80/PoC-pre-R80.tgz

Check Point CheckMates

HOWTO: Delete all hidden .swp files from terminal

E325: ATTENTION
Found a swap file by the name ".swp"
owned by: subhrcho dated: Wed Dec 26 05:54:45 2012
file name: ~subhrcho/
modified: YES
user name: subhrcho host name: slc04lyo
process ID: 26176
While opening file ".vimrc"
dated: Mon Jan 28 22:45:16 2013
NEWER than swap file!

(1) Another program may be editing the same file.
If this is the case, be careful not to end up with two
different instances of the same file when making changes.
Quit, or continue with caution.

(2) An edit session for this file crashed.
If this is the case, use ":recover" or "vim -r "
to recover the changes (see ":help recovery").
If you did this already, delete the swap file ".swp"
to avoid this message.

Swap file ".swp" already exists!

find . -type f -name '.*.swp' -exec rm -f {} \;

Arch Linux – Creating BIOS and UEFI Bootable USB

When creating a bootable USB disk, some programs do not create the EFI partition. The most reliable method is to create it with the dd command. You can follow the instructions below.

Before creating the bootable USB you must unmount the USB disk.

lsblk
sdb 8:16 1 3.8G 0 disk
`-sdb1 8:17 1 3.7G 0 part /run/media/xxxx/e54c4ce0-9def-4183-a415-c0d98
sr0 11:0 1 1024M 0 rom

sudo umount /dev/sdb1

lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 223.6G 0 disk
|-sda1 8:1 0 512M 0 part /boot
|-sda2 8:2 0 215G 0 part /
`-sda3 8:3 0 8.1G 0 part [SWAP]
sdb 8:16 1 3.8G 0 disk
`-sdb1 8:17 1 3.7G 0 part
sr0 11:0 1 1024M 0 rom

Note: when writing the bootable ISO, do not use the partition (/dev/sdb1) as the target; write to the whole disk.

dd bs=4M if=/path/to/archlinux.iso of=/dev/sdx status=progress && sync &
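The two mistakes the notes above warn about (writing to /dev/sdb1 instead of /dev/sdb, and writing while the stick is still mounted) are both easy to check before running dd. The helpers below are an added example, not from the original post: a name-based partition check and a mounts-table check that together decide whether a device is a safe dd target. The mounts table defaults to /proc/mounts but can be passed in, which is what the constructed demo table does so the checks run without a real USB stick.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the dd step above.

# looks_like_partition <dev>: exit 0 if the name follows a Linux partition pattern
# (sdb1, vdb1, nvme0n1p1, mmcblk0p1), 1 if it names a whole disk. Purely name-based;
# on a live host "lsblk -ndo TYPE <dev>" is the authoritative answer.
looks_like_partition() {
    case "$1" in
        /dev/sd[a-z]*[0-9]|/dev/vd[a-z]*[0-9]) return 0 ;;
        /dev/nvme*n[0-9]*p[0-9]*|/dev/mmcblk*p[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# mounted_on <dev> [mounts-file]: exit 0 if <dev> or any partition on it appears in
# the mounts table (default /proc/mounts). A table file can be passed in for testing.
mounted_on() {
    awk -v dev="$1" 'index($1, dev) == 1 { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# dd_target_ok <dev> [mounts-file]: exit 1 with a reason on stderr if <dev> must not
# be written to, exit 0 otherwise.
dd_target_ok() {
    if looks_like_partition "$1"; then
        echo "refusing: $1 is a partition, write to the whole disk instead" >&2
        return 1
    fi
    if mounted_on "$1" "$2"; then
        echo "refusing: $1 (or a partition on it) is mounted, umount it first" >&2
        return 1
    fi
    return 0
}

# Constructed mounts table mirroring the lsblk output above: sdb1 is still mounted.
DEMO_MOUNTS=$(mktemp)
cat > "$DEMO_MOUNTS" <<'EOF'
/dev/sda1 /boot vfat rw 0 0
/dev/sda2 / ext4 rw 0 0
/dev/sdb1 /run/media/user/stick vfat rw 0 0
EOF

for dev in /dev/sdb1 /dev/sdb /dev/sdc; do
    if dd_target_ok "$dev" "$DEMO_MOUNTS"; then
        echo "ok: $dev can be used as the dd target"
    fi
done
```

With the demo table, /dev/sdb1 is refused as a partition, /dev/sdb is refused because sdb1 is mounted (the state before the umount step above), and /dev/sdc is accepted. After "sudo umount /dev/sdb1" the real /proc/mounts no longer lists sdb1 and /dev/sdb passes.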

“Load on Module failed – not enough disc space” error

Policy installation / fetch fails on Centrally Managed

The fix is included since:

As an immediate workaround, manually delete the temporary policy files on the SMB Appliance:

  1. Connect to the command line on the SMB Appliance.
  2. Log in to Expert mode.
  3. Delete the temporary policy files:
     # rm $FWDIR/state/__tmp/FW1/*
  4. To increase the size of the partition on-the-fly:
     [[email protected]]# mount tmpfs /fwtmp -t tmpfs -o size=250m,remount
  5. Install the policy again.

To increase the size of the partition permanently:

  1. Backup the current start up script /pfrm2.0/etc/userScript:
     [[email protected]]# cp /pfrm2.0/etc/userScript /pfrm2.0/etc/userScript_ORG
     Note: The userScript file does not exist by default. It should be created.
  2. Edit the current start up script /pfrm2.0/etc/userScript:
     [[email protected]]# vi /pfrm2.0/etc/userScript
  3. Add the following command in this script:
     mount tmpfs /fwtmp -t tmpfs -o size=250m,remount
  4. Save the changes and exit from Vi editor.
  5. Reboot the appliance.

error: failed to prepare transaction (could not satisfy dependencies)

[[email protected] ~]$ sudo pacman -Syyu
:: Synchronizing package databases...
 core                     123.6 KiB   155K/s 00:01 [######################] 100%
 extra                   1690.7 KiB   199K/s 00:08 [######################] 100%
 community                  3.7 MiB   392K/s 00:10 [######################] 100%
 multilib                 185.1 KiB   184K/s 00:01 [######################] 100%
 archlinuxfr               15.4 KiB   131K/s 00:00 [######################] 100%
:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...
error: failed to prepare transaction (could not satisfy dependencies)
:: sky: installing qt5-base (5.8.0-2) breaks dependency 'qt5-base<5.8.0'


Solution:
[[email protected] ~]$ sudo pacman -Rdd qt5-base
[[email protected] ~]$ sudo pacman -Syyu

HOWTO: Debug Policy Verification

Solution
Follow these steps:

  1. Connect to the command line on the Security Management Server / Multi-Domain Security Management Server.
  2. Log in to Expert mode.
  3. On a Multi-Domain Security Management Server, switch to the context of the relevant Domain Management Server:
     [[email protected]:0]# mdsenv
  4. Start the debug of the FWM daemon:
     [[email protected]:0]# fw debug fwm on TDERROR_ALL_ALL=5
     [[email protected]:0]# fw debug fwm on OPSEC_DEBUG_LEVEL=3
  5. Verify the policy under debug:
     Security Policy:
     fwm -d verify $FWDIR/conf/.W 1>> /var/log/Security_Policy_Verification_debug.txt 2>> /var/log/Security_Policy_Verification_debug.txt
     Threat Prevention Policy:
     fwm -d verify -p threatprevention $FWDIR/conf/.W 1>> /var/log/Threat_Prevention_Policy_Verification_debug.txt 2>> /var/log/Threat_Prevention_Policy_Verification_debug.txt
     Desktop Policy:
     fwm -d verify $FWDIR/conf/.S 1>> /var/log/Desktop_Policy_Verification_debug.txt 2>> /var/log/Desktop_Policy_Verification_debug.txt
     QoS Policy:
     fgate -d verify $FWDIR/conf/.F 1>> /var/log/QoS_Policy_Verification_debug.txt 2>> /var/log/QoS_Policy_Verification_debug.txt
     Notes:
     – is the name of the involved policy package as it appears in SmartDashboard R7x / SmartConsole R8x.
     – Take all the relevant outputs / screenshots.
  6. Stop the debug of the FWM daemon:
     [[email protected]:0]# fw debug fwm off TDERROR_ALL_ALL=0
     [[email protected]:0]# fw debug fwm off OPSEC_DEBUG_LEVEL=0