This assignment is part of linux server course ICT4TN021-7, undertaken at Haaga-Helia UAS.
A) Install SSH-daemon
sudo apt-get install ssh
B) Protect the system with firewall, but open a port for SSH first
sudo ufw allow 22/tcp
sudo ufw enable
C) Move files with ssh
I created a file called testfile with nano in user home directory:
I copied the file to the ~/Documents folder with scp:
scp /home/xubuntu/testfile xubuntu@localhost:/home/xubuntu/Documents
I checked that the file was indeed moved there:
D) Automate logging in with public key
I created a public/private RSA key pair and added it:
Then I logged in via ssh:
I was prompted to enter passphrase for the key. I tried logging in again and got in without a password.
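The report does not list the commands used for step D; the usual pair is ssh-keygen (to create the key pair) and ssh-copy-id (to append the public key to ~/.ssh/authorized_keys on the server). A detail that often breaks key-based login is permissions: sshd's StrictModes default refuses the key and silently falls back to a password prompt when ~/.ssh or its files are group/world writable. The following audit script is an added example, not part of the original report, and assumes GNU stat (Linux); the directory it checks is passed in as a parameter.

```shell
#!/bin/sh
# Added example: check that a .ssh directory has the permissions sshd expects
# under StrictModes, so that key-based login works instead of quietly falling
# back to passwords. Typical preparation on the client (not run here):
#   ssh-keygen -t rsa -b 4096
#   ssh-copy-id user@server
#
# audit_ssh_dir DIR  -> prints a WARN line per problem; returns 0 if clean, 1 otherwise
audit_ssh_dir() {
    dir="$1"
    rc=0

    # The directory itself must be private (rwx------).
    mode=$(stat -c '%a' "$dir")
    if [ "$mode" != "700" ]; then
        echo "WARN: $dir mode is $mode, expected 700"
        rc=1
    fi

    # authorized_keys must exist and must not be writable by others.
    if [ -f "$dir/authorized_keys" ]; then
        mode=$(stat -c '%a' "$dir/authorized_keys")
        case "$mode" in
            600|644) ;;
            *) echo "WARN: $dir/authorized_keys mode is $mode, expected 600"; rc=1 ;;
        esac
    else
        echo "WARN: $dir/authorized_keys is missing"
        rc=1
    fi

    # Private keys (id_* without .pub) must be readable only by the owner;
    # the ssh client refuses to use a key with looser permissions.
    for key in "$dir"/id_*; do
        [ -f "$key" ] || continue
        case "$key" in *.pub) continue ;; esac
        mode=$(stat -c '%a' "$key")
        if [ "$mode" != "600" ]; then
            echo "WARN: private key $key mode is $mode, expected 600"
            rc=1
        fi
    done
    return $rc
}

# Usage: audit_ssh_dir "$HOME/.ssh"
```

Run it on both the client and the server side account; on the server the interesting files are the directory and authorized_keys, on the client the private key.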
J) Install, configure and start the package sysstat. Check with the sar command that it is running, for example by showing the log entry “Linux reboot…”. Let sysstat run for a day or two. Examine the history of the workload with the sysstat commands sar, iostat, pidstat… Analyze the results and explain in detail what they mean.
I started working on these exercises too late to let sysstat collect 2 days' worth of data, but I still analyzed it.
sudo nano /etc/default/sysstat
I changed the value from "false" to "true". Next I restarted sysstat:
sudo systemctl start sysstat
With the commands sar and iostat I get the following results:
CPU means the number of processor threads used (in my case 16, because I ran this on a computer with 8 cores and multithreading).
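In sar's output the "(16 CPU)" in the header line is the count of logical processors, and the value "all" in the CPU column is the aggregate over them; the interesting columns for workload analysis are %user, %system, %iowait and %idle. Since the report's own sar output is only shown as a screenshot, the following is an added example that is not part of the report: it embeds a constructed sar -u sample (values invented, rows sum to 100) and two awk helpers that pull out the busy intervals and the peak user load, which is the kind of check you would run over a day or two of collected data.

```shell
#!/bin/sh
# Added example: summarise sar -u CPU history. The sample below is CONSTRUCTED
# to look like `sar -u` output; it is not data from the original report.
SAR_SAMPLE=$(mktemp)
cat > "$SAR_SAMPLE" <<'EOF'
Linux 4.15.0 (host)     02/11/2018      _x86_64_        (16 CPU)

12:00:01 AM     CPU     %user     %nice   %system   %iowait    %steal     %idle
12:10:01 AM     all      3.12      0.00      1.05      0.20      0.00     95.63
12:20:01 AM     all     61.40      0.00      8.33      0.52      0.00     29.75
12:30:01 AM     all     70.02      0.00     11.10      0.41      0.00     18.47
12:40:01 AM     all      2.55      0.00      0.91      0.10      0.00     96.44
Average:        all     34.27      0.00      5.35      0.31      0.00     60.07
EOF

# busy_intervals FILE THRESHOLD
#   Prints "TIME AM/PM idle=X" for every sample whose %idle is below THRESHOLD.
#   Only rows for CPU "all" with the full 9 columns are considered; the
#   "Average:" summary line is skipped so it is not reported as an interval.
busy_intervals() {
    awk -v thr="$2" '
        /^Average:/ { next }
        $3 == "all" && NF == 9 && $NF + 0 < thr { print $1, $2, "idle=" $NF }
    ' "$1"
}

# peak_user FILE
#   Prints the timestamp and value of the highest %user sample (column 4).
peak_user() {
    awk '
        /^Average:/ { next }
        $3 == "all" && NF == 9 && $4 + 0 > max { max = $4 + 0; when = $1 " " $2 }
        END { print when, max }
    ' "$1"
}

# Usage on real data (sysstat's daily files): busy_intervals /var/log/sysstat/saDD 50
busy_intervals "$SAR_SAMPLE" 50
peak_user "$SAR_SAMPLE"
```

On a real system replace the sample file with `sar -u -f /var/log/sysstat/saDD` output (the path and file name depend on the distribution's sysstat configuration); a high %iowait in the busy intervals points at disk rather than CPU as the bottleneck, which is what iostat is then used to confirm.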
I) Solve Scan of the Month 15. Look for tips in Forensic File Recovery with Linux – Undelete. Do not look for example solutions on the internet if you are not stuck, and write down in your report if you used them. The image file contains real malware code: do not work with it on valuable computers or in intranets, and do not run any programs found in it. All the answers can be found in the image file; in this exercise you are not supposed to examine other systems.
1. Show step by step how you identify and recover the deleted rootkit from the / partition.
I downloaded the image file, untarred and mounted it:
tar -xvf honeynet.tar.gz
I mounted the image as sdc1
sudo mount -o loop,nodev,noexec,ro honeypot.hda8.dd sdc1
I created folders for allocated and deleted files
mkdir allocated deleted
tsk_recover -a honeypot.hda8.dd allocated
tsk_recover honeypot.hda8.dd deleted
I started to examine the deleted folder.
I found suspicious entries in last/install and last/logclear mentioning “linsniffer”.
I found out that linsniffer was a Linux attack from 2001-2002.
2. What files make up the deleted rootkit?
lk.tgz, files from etc, last and $OrphanFiles
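Two things the forensic workflow above benefits from and the report does not show are an integrity record of what was recovered (so that later analysis can be shown to have worked on unmodified evidence) and a repeatable way to search the recovered tree for an indicator such as the "linsniffer" string found in last/install. The following is an added example, not part of the original report or of The Sleuth Kit; it assumes GNU coreutils (sha256sum, find) and grep, and builds its own tiny constructed evidence tree for the usage call instead of the real honeypot image.

```shell
#!/bin/sh
# Added example: evidence integrity and indicator search over a recovered tree
# such as the allocated/ and deleted/ directories produced by tsk_recover.
# Mount images read-only (as the report does with -o ro,noexec,nodev) and hash
# the image file itself before and after work: sha256sum honeypot.hda8.dd

# build_manifest DIR -> "sha256  path" lines for every regular file, sorted by path
build_manifest() {
    find "$1" -type f -exec sha256sum {} + | sort -k 2
}

# verify_manifest MANIFEST -> 0 if every file still matches, non-zero otherwise
verify_manifest() {
    sha256sum -c --status "$1"
}

# find_indicator DIR PATTERN -> paths of files containing PATTERN
#   -a treats binaries as text so strings inside recovered executables are
#   found too; -l lists matching file names only.
find_indicator() {
    grep -rla -- "$2" "$1"
}

# Usage with a CONSTRUCTED evidence tree (not the real Scan of the Month image).
demo() {
    ev=$(mktemp -d)
    mkdir -p "$ev/last"
    printf 'linsniffer\n' > "$ev/last/install"
    printf 'nothing suspicious\n' > "$ev/README"
    build_manifest "$ev" > "$ev.manifest"
    verify_manifest "$ev.manifest" && echo "manifest verified"
    find_indicator "$ev" linsniffer
}
```

In practice you would run build_manifest once over allocated/ and deleted/ right after tsk_recover, keep the manifest with your notes, and re-run verify_manifest before writing up conclusions; find_indicator then answers questions like "which recovered files mention linsniffer" without having to open each file by hand.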
Sources: http://terokarvinen.com/2017/aikataulu-%e2%80%93-linux-palvelimet-ict4tn021-7-ti-ja-6-to-alkukevat-2018-5-op , https://www.linuxquestions.org/questions/linux-networking-3/linsniffer-atttack-23969/ , http://sebastien.godard.pagesperso-orange.fr/man_sar.html