
Using Ubuntu as Your Primary Operating System, Part 2 (Network Attack Defense) «Null Byte :: WonderHowTo



After installing Ubuntu as your primary operating system, you should by now have protected against USB Rubber Ducky payloads, defended against hard drive forensic investigations, and reduced the total attack surface for physical attacks. To defend yourself against attacks on the network, you want to minimize hardware disclosures, prevent packet sniffing, harden firewall rules, and much more.

To be more specific, in this part of the mini-series on strengthening your primary Ubuntu installation, you will learn to spoof your MAC address to deceive passive attackers, disable unused network services such as CUPS and Avahi, create firewall rules that block data exfiltration on certain ports, and use a VPN to prevent hackers from sniffing passwords and cookies out of your packets.

If you missed the previous article, read part one to find out more about my motivations for starting this four-part guide, even if you already have Ubuntu installed and just want to lock it down.

Step 1: Defend Against Hardware Disclosure

When connecting to new Wi-Fi networks and routers, spoof the MAC address of the Wi-Fi adapter. This does not prevent a motivated attacker from learning which operating system you are using, but it can cause confusion and keep them from discovering hardware information from the vendor prefix of the address.

For example, a hacker on a coffee-shop Wi-Fi network may direct their attacks at non-Apple devices. If you appear on the network with an Apple MAC address, the attacker may ignore your device completely. Or they may try a macOS-specific attack against your device that does not work because you are not using a MacBook; you only appear on the network as Apple hardware. Combined with a fake browser user agent, this can really confuse a passive adversary.

To spoof your MAC address in Ubuntu, open Network Manager and "edit" your Wi-Fi connection. On the Identity tab, enter the MAC address you want to use in the Cloned Address box.

Step 2: Defending Against Abuse of Listening Services

A background process (or service) in a "LISTEN" state is waiting for other services and applications on the device and on the network to communicate with it. These listening services sit idle until data arrives that triggers a response. Any service with a local address of 0.0.0.0 (or :: for IPv6) in a listening state is likely accessible to everyone on the local network, and possibly to everyone on the internet.

A fresh Ubuntu installation has only a few services running, so there are few listening ports by default. But keep in mind that applications you install in the future can open listening ports without telling you.

To find out which background processes are in a listening state, we use netstat, a tool that prints network connections, open ports, and the programs behind them. Because the minimal Ubuntu installation was used, the net-tools package (which includes netstat) must be installed manually with the sudo apt-get install net-tools command.

  sudo apt-get install net-tools

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  net-tools
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 194 kB of archives.
After this operation, 803 kB of additional disk space will be used.
Selecting previously unselected package net-tools.
(Reading database ... 149085 files and directories currently installed.)
Preparing to unpack .../net-tools_1.60+git20161116.90da8a0-1ubuntu1_amd64.deb ...
Unpacking net-tools (1.60+git20161116.90da8a0-1ubuntu1) ...
Processing triggers for man-db (2.8.3-2) ...
Setting up net-tools (1.60+git20161116.90da8a0-1ubuntu1) ...

Use the netstat command below (TCP and UDP, listening sockets only, with process names and numeric addresses) to view services in a "LISTEN" state.

  sudo netstat -tulpn

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      651/systemd-resolve
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      806/cupsd
tcp6       0      0 ::1:631                 :::*                    LISTEN      806/cupsd
udp    47616      0 127.0.0.53:53           0.0.0.0:*                           651/systemd-resolve
udp        0      0 0.0.0.0:631             0.0.0.0:*                           812/cups-browsed
udp     2304      0 0.0.0.0:5353            0.0.0.0:*                           750/avahi-daemon: r
udp        0      0 0.0.0.0:38284           0.0.0.0:*                           750/avahi-daemon: r
udp6       0      0 :::37278                :::*                                750/avahi-daemon: r
udp6   25344      0 :::5353                 :::*                                750/avahi-daemon: r

systemd-resolve is used to resolve domain names and should probably not be changed or removed; note that it only listens on the loopback address 127.0.0.53. cupsd and avahi-daemon, which bind to 0.0.0.0 and :: and are therefore reachable from the network, are explained in the following sections.
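As an added example (not from the original article), the script below classifies netstat -tulpn output by exposure, so sockets bound to every interface (0.0.0.0 or ::) stand out from loopback-only ones. The embedded sample lines are constructed from the output above; pipe the real command into classify_listeners to audit a live system.

```shell
#!/bin/sh
# Added example: sort listening sockets into LOOPBACK (only this host can
# reach them), NETWORK (bound to all interfaces) and SPECIFIC (bound to one
# address). Expects the column layout of "netstat -tulpn".

# classify_listeners reads netstat -tulpn output on stdin and prints one line
# per socket: "<exposure> <proto> <local address> <pid/program>".
classify_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            proto = $1
            local = $4
            # UDP rows have no State column, so the program field shifts left.
            n = (proto ~ /^tcp/) ? 7 : 6
            prog = $n
            for (j = n + 1; j <= NF; j++) prog = prog " " $j
            addr = local
            sub(/:[0-9]+$/, "", addr)          # drop the port suffix
            if (addr == "0.0.0.0" || addr == "::")
                exposure = "NETWORK"
            else if (addr ~ /^127\./ || addr == "::1")
                exposure = "LOOPBACK"
            else
                exposure = "SPECIFIC"
            print exposure, proto, local, prog
        }'
}

# count_exposed prints how many sockets in the input are reachable from the network.
count_exposed() {
    classify_listeners | grep -c '^NETWORK' || true
}

# Constructed sample, abridged from the netstat output shown in the article.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      651/systemd-resolve
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      806/cupsd
udp        0      0 0.0.0.0:631             0.0.0.0:*                           812/cups-browsed
udp6       0      0 :::5353                 :::*                                750/avahi-daemon: r'

printf '%s\n' "$SAMPLE" | classify_listeners | sort
# Live audit: sudo netstat -tulpn | classify_listeners | sort
```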

Disable or remove CUPS

cupsd is the scheduler for CUPS, the service applications use to communicate with printers. Several Nmap NSE scripts have been written to pull information out of CUPS services, although they pose a very low security risk. Still, if you rarely need to talk to printers, CUPS can be disabled with the sudo systemctl disable cups-browsed command below. The change takes effect after a reboot.

  sudo systemctl disable cups-browsed

Synchronizing state of cups-browsed.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable cups-browsed

If you are never going to use a printer, CUPS can be removed completely with sudo apt-get autoremove cups-daemon.

  sudo apt-get autoremove cups-daemon

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  bluez-cups (5.48-0ubuntu3)
  cups (2.2.7-1ubuntu2)
  cups-browsed (1.20.2-0ubuntu3)
  cups-core-drivers (2.2.7-1ubuntu2)
  cups-daemon (2.2.7-1ubuntu2)
  hplip (3.17.10+repack0-5)
  printer-driver-gutenprint (5.2.13-2)
  printer-driver-hpcups (3.17.10+repack0-5)
  printer-driver-postscript-hp (3.17.10+repack0-5)
  printer-driver-splix (2.0.0+svn315-6fakesync1)
0 upgraded, 0 newly installed, 10 to remove and 0 not upgraded.
After this operation, 8,383 kB disk space will be freed.
Do you want to continue? [Y/n] ^C
root@nullbyte:/home/tokyoneon# apt-get purge -V cups-daemon
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  bluez-cups* (5.48-0ubuntu3)
  cups* (2.2.7-1ubuntu2)
  cups-browsed* (1.20.2-0ubuntu3)
  cups-core-drivers* (2.2.7-1ubuntu2)
  cups-daemon* (2.2.7-1ubuntu2)
  hplip* (3.17.10+repack0-5)
  printer-driver-gutenprint* (5.2.13-2)
  printer-driver-hpcups* (3.17.10+repack0-5)
  printer-driver-postscript-hp* (3.17.10+repack0-5)
  printer-driver-splix* (2.0.0+svn315-6fakesync1)
0 upgraded, 0 newly installed, 10 to remove and 0 not upgraded.
After this operation, 8,383 kB disk space will be freed.
Do you want to continue? [Y/n] y

Disable or remove Avahi

The Avahi daemon implements Apple's Zeroconf architecture (also known as "Rendezvous" or "Bonjour"). The daemon registers local IP addresses and static services using mDNS/DNS-SD.

In 2011, a denial-of-service vulnerability was discovered in avahi-daemon. Although that CVE is quite old and low in severity, it illustrates how attackers on a local network find vulnerabilities in network protocols and manipulate services running on a victim's device.

If you do not intend to communicate with Apple products or Bonjour services on other devices, avahi-daemon can be disabled with the sudo systemctl disable avahi-daemon command below.

  sudo systemctl disable avahi-daemon

Synchronizing state of avahi-daemon.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable avahi-daemon
Removed /etc/systemd/system/dbus-org.freedesktop.Avahi.service.
Removed /etc/systemd/system/sockets.target.wants/avahi-daemon.socket.

Avahi can also be removed completely with sudo apt-get purge avahi-daemon.

  sudo apt-get purge avahi-daemon

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  avahi-daemon* (0.7-3.1ubuntu1)
  avahi-utils* (0.7-3.1ubuntu1)
  libnss-mdns* (0.10-8ubuntu1)
0 upgraded, 0 newly installed, 3 to remove and 0 not upgraded.
After this operation, 541 kB disk space will be freed.
Do you want to continue? [Y/n] y

Step 3: Defending against Port Abuse

An amateur hacker may try to exfiltrate data over port 1337 or set up a reverse shell on port 4444 (literally listed on Wikipedia as Metasploit's default port). A firewall that only allows outgoing connections on a handful of ports will stop them in their tracks.

To manage port permissions, we use UFW, a program that aims to provide a user-friendly interface for configuring firewalls. UFW literally stands for Uncomplicated Firewall. It acts as a frontend to iptables (packet filtering) and is not intended to provide full firewall functionality, but rather an easy way to add or remove simple rules.

1. Deny All Incoming and Outgoing Connections

Use the sudo ufw enable command to turn UFW on.

  sudo ufw enable

Firewall is active and enabled on system startup

Deny all incoming connections with the following.

  sudo ufw default deny incoming

Then deny all forwarded (routed) connections:

  sudo ufw default deny routed

Finally, deny all outgoing connections:

  sudo ufw default deny outgoing

At this point you cannot reach the internet with Firefox or any other application; the next steps open exactly the ports that are needed.

2. Find your wireless interface

To allow outbound connections, you must first find the name of your Wi-Fi adapter using the ifconfig -a command.

  ifconfig -a

enp0s8: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.44  netmask 255.255.255.0  broadcast 192.168.1.255
        ether e8:e1:e8:c2:bc:b9  txqueuelen 1000  (Ethernet)
        RX packets 631  bytes 478024 (478.0 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 594  bytes 60517 (60.5 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16  base 0xd040

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 259  bytes 17210 (17.2 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 259  bytes 17210 (17.2 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

I am using Ubuntu in VirtualBox for this demo, so my interface name is "enp0s8". On a laptop, ifconfig will typically show the wireless interface as "wlp3s0", "wlp42s0", or something similar.

3. Create Firewall Exceptions and Configure a Secure DNS Resolver

Allow DNS, HTTP, and HTTPS traffic on the wireless interface using the following three commands, replacing <interface> with the name found in the previous step (enp0s8 in my case):

  sudo ufw allow out on <interface> to 1.1.1.1 port 53 proto udp comment 'Allow DNS on <interface>'
  sudo ufw allow out on <interface> to any port 80 proto tcp comment 'Allow HTTP on <interface>'
  sudo ufw allow out on <interface> to any port 443 proto tcp comment 'Allow HTTPS on <interface>'

The "1.1.1.1" address in the DNS command is Cloudflare's new privacy-focused DNS resolver. Many internet users do not realize that even when you view a website over an encrypted connection (the small green lock in the URL bar), ISPs can still see every domain name you visit through your DNS requests. Using the Cloudflare resolver keeps your ISP's own resolver from logging those lookups; note that plain DNS on UDP port 53 is still unencrypted on the wire, so the rule above only restricts which resolver your system talks to.

4. Update the Network Manager DNS Configuration

After setting the UFW rules, open Network Manager, "edit" your Wi-Fi connection, and change the DNS field to 1.1.1.1. Disconnect from and reconnect to the Wi-Fi network for the DNS change to take effect.

View the newly created rules with the sudo ufw status numbered command.

  sudo ufw status numbered

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 1.1.1.1 53/udp             ALLOW OUT   Anywhere on enp0s8 (out)   # Allow DNS on enp0s8
[ 2] 443/tcp                    ALLOW OUT   Anywhere on enp0s8 (out)   # Allow HTTPS on enp0s8
[ 3] 80/tcp                     ALLOW OUT   Anywhere on enp0s8 (out)   # Allow HTTP on enp0s8

Ubuntu can now make standard HTTP/HTTPS requests on ports 80 and 443 over the wireless interface you specified. If these rules are too strict for daily use, allow all outgoing packets again with the command below.

  sudo ufw default allow outgoing
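To apply the whole of Step 3 as one repeatable script, here is an added example (not from the original article). It assumes the ip command from iproute2 is available to detect the interface that carries the default route; IFACE and DNS_RESOLVER can be set in the environment to override the detected interface and the 1.1.1.1 default.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) the egress allowlist from
# Step 3. "./egress.sh --dry-run" prints the ufw commands; "./egress.sh --apply"
# runs them through sudo. Run with no argument it only defines the functions.

# default_iface prints the interface of the default route, or nothing.
default_iface() {
    ip -o route show default 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# ufw_egress_rules IFACE RESOLVER prints the ufw commands that make up the
# policy: deny everything by default, then allow only DNS to RESOLVER plus
# HTTP and HTTPS out of IFACE, and enable the firewall last so the allow
# rules are already in place when it comes up.
ufw_egress_rules() {
    iface=$1
    resolver=$2
    cat <<EOF
ufw default deny incoming
ufw default deny outgoing
ufw default deny routed
ufw allow out on $iface to $resolver port 53 proto udp comment 'Allow DNS on $iface'
ufw allow out on $iface to any port 80 proto tcp comment 'Allow HTTP on $iface'
ufw allow out on $iface to any port 443 proto tcp comment 'Allow HTTPS on $iface'
ufw --force enable
EOF
}

main() {
    iface=${IFACE:-$(default_iface)}
    if [ -z "$iface" ]; then
        echo "no default-route interface found; set IFACE=<name>" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        ufw_egress_rules "$iface" "${DNS_RESOLVER:-1.1.1.1}"
    else
        # "sh -e" stops at the first failing ufw command.
        ufw_egress_rules "$iface" "${DNS_RESOLVER:-1.1.1.1}" | sudo sh -e
    fi
}

case "${1:-}" in
    --apply) main ;;
    --dry-run) DRY_RUN=1; main ;;
esac
```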

5. Monitor the Firewall

If you are trying to debug incoming or outgoing connections, use tail with the -f argument to follow UFW's log messages and see blocked connections in real time. The command is tail -f /var/log/ufw.log.

  tail -f /var/log/ufw.log

kernel: [ 3900.250931] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=104.193.19.59 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=47090 DF PROTO=TCP SPT=35944 DPT=9999 WINDOW=29200 RES=0x00 SYN URGP=0
kernel: [ 3901.280089] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=104.193.19.59 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=47091 DF PROTO=TCP SPT=35944 DPT=9999 WINDOW=29200 RES=0x00 SYN URGP=0

In the logs above, UFW is blocking outgoing connections (OUT=enp0s8) from my local IP address (192.168.1.44) to the Null Byte server (104.193.19.59) over TCP with a destination port (DPT) of 9999. This can be allowed with the UFW command below, again substituting your interface name.

  sudo ufw allow out on <interface> from 192.168.1.44 to 104.193.19.59 port 9999 proto tcp
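Rather than watching a live tail, the added example below (not from the original article) summarises [UFW BLOCK] events per blocked flow so repeated attempts to the same destination and port stand out. The sample log lines are constructed from the two entries above plus one inbound block; the timestamps and hostname are made up.

```shell
#!/bin/sh
# Added example: aggregate UFW block log lines into "<count> <direction>
# <SRC> -> <DST>:<DPT>/<PROTO>", most frequent flow first. Lines that do not
# contain "[UFW BLOCK]" (e.g. [UFW AUDIT] entries) are ignored.

summarize_ufw_blocks() {
    awk '
        /\[UFW BLOCK\]/ {
            src = dst = dpt = proto = ""; dir = "IN"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                # An outbound block has a non-empty OUT= interface; inbound
                # blocks carry IN=<iface> and an empty OUT=.
                if (kv[1] == "OUT" && kv[2] != "") dir = "OUT"
                else if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
            }
            count[dir " " src " -> " dst ":" dpt "/" proto]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample: the two outbound blocks from the article plus one
# inbound SYN to port 22 that the default deny-incoming policy dropped.
SAMPLE='Apr 10 12:00:01 nullbyte kernel: [ 3900.250931] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=104.193.19.59 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=47090 DF PROTO=TCP SPT=35944 DPT=9999 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 10 12:00:02 nullbyte kernel: [ 3901.280089] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=104.193.19.59 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=47091 DF PROTO=TCP SPT=35944 DPT=9999 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 10 12:00:03 nullbyte kernel: [ 3902.000000] [UFW BLOCK] IN=enp0s8 OUT= SRC=192.168.1.9 DST=192.168.1.44 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0'

printf '%s\n' "$SAMPLE" | summarize_ufw_blocks
# On a real system: sudo summarize_ufw_blocks < /var/log/ufw.log
```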

For more information about UFW, use the man ufw command to view the manual and the available options.

  man ufw 

Readers interested in firewalling at a more granular level should look at the Arch Linux wiki page on iptables.

Step 4: Defend Against Packet Sniffers & Cookie Hijacking

Packet manipulation attacks on hostile networks can be prevented with a virtual private network (VPN). VPNs offer a set of technologies that:

  • Prevent hackers on Wi-Fi networks from manipulating and spying on your activity.
  • Prevent internet providers such as Verizon and AT&T from spying on your activity and selling your data to third parties.
  • Provide censorship evasion where ISPs or network firewalls prevent access to certain websites.

Most premium VPN services start at around $5 a month. Some notable VPN providers are ProtonVPN, Mullvad, VyprVPN, and Private Internet Access.


Next Up: Application Hardening & Sandboxing

That's it for hardening your presence and activity on hostile networks. In the next article we learn a bit about sandboxing applications and securing our system in the event that a malicious program is running on the device. Then we dive into auditing, using antivirus software, and monitoring system log files.

Part 2: Using Ubuntu as your primary operating system (Application Hardening & Sandboxing)

Cover image (original) by Tinh tế Photo/Flickr; screenshots by tokyoneon/Null Byte (unless otherwise stated)
