Linux-palvelimet ICT4TN021-7 linux server course assignment 5

This assignment is part of linux server course ICT4TN021-7, undertaken at Haaga-Helia UAS.


A) Install SSH-daemon

sudo apt-get install ssh



B) Protect the system with firewall, but open a port for SSH first

sudo ufw allow 22/tcp

sudo ufw enable



C) Move files with ssh

I created a file called testfile with nano in user home directory:

nano testfile

I copied the file into the ~/Documents folder with scp:

scp /home/xubuntu/testfile xubuntu@localhost:/home/xubuntu/Documents


I checked that the file was indeed moved there:



D) Automate logging in with public key

I created a public/private rsa key pair, and added it:

cd .ssh


ssh-copy-id xubuntu@localhost

Then I logged in via ssh:

ssh xubuntu@localhost

I was prompted to enter the passphrase for the key. I tried logging in again and got in without a password.
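Once key-based login works, the step a practitioner adds is to confirm that sshd actually refuses passwords, and that check is easy to get wrong: sshd_config(5) applies the first occurrence of a keyword and ignores later ones, so a "PasswordAuthentication no" appended to the end of the file is dead if an earlier line already says "yes". The script below is an added example, not part of the original post or the course material; the sshd_config text it parses is constructed for the demonstration.

```shell
# Constructed sshd_config sample for this example (not the author's real file).
# Note the two PasswordAuthentication lines: sshd honours the FIRST one.
SAMPLE_SSHD_CONFIG='# constructed example
Port 22
#PasswordAuthentication no
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin prohibit-password
Match User backup
    PasswordAuthentication yes
'

# sshd_effective KEYWORD
# Reads sshd_config text on stdin and prints the value sshd applies globally
# for KEYWORD: the first non-comment occurrence wins and later ones are
# ignored (sshd_config(5)), so a hardening line appended at the end can be
# silently dead. Keywords are case-insensitive, and "Key value" as well as
# "Key=value" are accepted. Everything from the first Match block onward is
# per-connection and deliberately not evaluated here.
sshd_effective() {
    awk -v key="$1" '
        BEGIN { key = tolower(key) }
        /^[[:space:]]*#/ || NF == 0 { next }     # comment or blank line
        tolower($1) == "match" { exit }          # conditional section begins
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            n = split(line, parts, /[[:space:]=]+/)
            if (n >= 2 && tolower(parts[1]) == key) { print parts[2]; exit }
        }
    '
}

# sshd_password_auth_disabled
# Returns 0 only when the effective global PasswordAuthentication is "no".
# An unset keyword defaults to "yes", so "not found" counts as enabled.
sshd_password_auth_disabled() {
    [ "$(sshd_effective PasswordAuthentication)" = "no" ]
}

# Demo on the constructed sample: the effective value is "yes", even though
# the file also contains "PasswordAuthentication no" further down.
printf '%s' "$SAMPLE_SSHD_CONFIG" | sshd_effective PasswordAuthentication

# On a live host, check the real file instead:
#   sshd_effective PasswordAuthentication < /etc/ssh/sshd_config
```

Keep the ufw rule from step B and your working key login in place before you set PasswordAuthentication to no and restart sshd; once passwords are off, losing the private key means losing remote access.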



J) Install, configure and start the package sysstat. Check with the sar command that it is running, for example by showing a log entry “Linux reboot…”. Let sysstat run for a day or two. Examine the history of the workload with the sysstat commands sar, iostat, pidstat… Analyze the results and explain in detail what they mean.

I started working on these exercises too late to let sysstat collect two days' worth of data, but I still analyzed it.

sudo nano /etc/default/sysstat


I changed the value from “false” to “true”. Next I restarted sysstat:

sudo systemctl start sysstat

With the commands sar and iostat I get the following results:


CPU means the number of processor threads used (in my case 16, because I ran this on a computer with 8 cores and multithreading).

%user means “Percentage of CPU utilization that occurred while executing at the user level (application). Note that this field includes time spent running virtual processors.”

%nice means “Percentage of CPU utilization that occurred while executing at the user level with nice priority.”

%system means “Percentage of CPU utilization that occurred while executing at the system level (kernel). Note that this field includes time spent servicing hardware and software interrupts.”

%iowait means “Percentage of time that the CPU or CPUs were idle during which the system had an outstanding disk I/O request.”

%steal means “Percentage of time spent in involuntary wait by the virtual CPU or CPUs while the hypervisor was servicing another virtual processor.”

%idle means “Percentage of time that the CPU or CPUs were idle and the system did not have an outstanding disk I/O request.”
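The definitions above say what each column measures; reading a day of sar output is about spotting the intervals where a column stands out. High %iowait with low %user points at a disk bottleneck, low %idle at a busy box, and any non-zero %steal means the hypervisor was holding the virtual CPU back. The function below is an added example, not the post's own output or the sysstat project's code; the sar text it reads is constructed to look like `sar -u`, including the `LINUX RESTART` marker the assignment mentions. Columns are located by header name rather than position, so it works whether the locale prints a one-field 24-hour timestamp or a two-field AM/PM one.

```shell
# Constructed `sar -u` output for this example (not the post's real data).
SAMPLE_SAR_U='Linux 5.4.0-generic (host)   03/10/2020   _x86_64_   (16 CPU)

12:00:01 AM     CPU     %user     %nice   %system   %iowait    %steal     %idle
12:10:01 AM     all      2.05      0.00      0.71      0.12      0.00     97.12
12:20:01 AM     all      1.90      0.00      0.60      8.40      0.00     89.10
12:25:43 AM       LINUX RESTART      (16 CPU)
12:30:01 AM     all     61.30      0.00     12.10      0.20      5.50     20.90
12:40:01 AM     all      2.10      0.00      0.70      0.10      0.00     97.10
Average:        all     16.84      0.00      3.53      2.21      1.38     76.06
'

# sar_cpu_flag IOWAIT_MAX IDLE_MIN
# Reads `sar -u` text on stdin and prints one line per interval where
# %iowait exceeded IOWAIT_MAX, %idle fell below IDLE_MIN, or %steal was
# non-zero. Columns are resolved from the header row, so the timestamp
# may be one field (24h locale) or two fields (AM/PM); the banner,
# blank lines, "LINUX RESTART" markers and the Average: row are skipped.
sar_cpu_flag() {
    awk -v iowait_max="$1" -v idle_min="$2" '
        /%user/ {                                   # header row: map names to indices
            for (i = 1; i <= NF; i++) col[$i] = i
            tcols = col["CPU"] - 1                  # fields before CPU form the timestamp
            next
        }
        !(col["CPU"]) || NF < col["%idle"] { next } # banner, blank and RESTART lines
        /^Average:/ { next }
        {
            ts = $1
            for (i = 2; i <= tcols; i++) ts = ts " " $i
            iow = $(col["%iowait"]); idl = $(col["%idle"]); stl = $(col["%steal"])
            why = ""
            if (iow + 0 > iowait_max + 0) why = why " iowait>" iowait_max
            if (idl + 0 < idle_min + 0)   why = why " idle<" idle_min
            if (stl + 0 > 0)              why = why " steal"
            if (why != "")
                printf "%s cpu=%s iowait=%s steal=%s idle=%s:%s\n", ts, $(col["CPU"]), iow, stl, idl, why
        }
    '
}

# Demo: flag intervals with more than 5% iowait or less than 30% idle.
printf '%s' "$SAMPLE_SAR_U" | sar_cpu_flag 5 30

# Against real history, pass a day's file from /var/log/sysstat (path may
# differ by distribution):
#   sar -u -f /var/log/sysstat/sa10 | sar_cpu_flag 5 30
```

Thresholds are a judgement call per machine; the point is to turn a wall of numbers into the handful of intervals worth cross-checking with `iostat -x` and `pidstat` for the same time window.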


I) Solve Scan of the Month 15. Look for tips in Forensic File Recovery with Linux – Undelete. Do not look for example solutions on the internet unless you are stuck, and write down in your report if you used them. The image file contains real malware code; do not work with it on valuable computers or in intranets, and do not run any programs found in it. All the answers can be found in the image file; in this exercise you are not supposed to examine other systems.

  1. Show step by step how you identify and recover the deleted rootkit from the / partition.

I downloaded the image file, untarred and mounted it:

tar -xvf honeynet.tar.gz

cd honeynet

I mounted the image as sdc1

mkdir sdc1

sudo mount -o "loop,nodev,noexec,ro" honeypot.hda8.dd sdc1

I created folders for allocated and deleted files

mkdir allocated deleted

tsk_recover -a honeypot.hda8.dd allocated

tsk_recover honeypot.hda8.dd deleted

I started to examine the deleted folder.

cd deleted

I found suspicious entries in last/install and last/logclear mentioning “linsniffer”.

I found out that linsniffer was a Linux attack from 2001-2002.

2. What files make up the deleted rootkit?

lk.tgz, files from etc, last and $OrphanFiles
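Finding "linsniffer" in last/install and last/logclear by browsing is how the first hit usually turns up; the repeatable version is to sweep the whole recovered tree for a list of indicator strings and hash every file that matches, so the report can cite each hit and anyone can re-verify it without re-mounting the image. The functions below are an added example, not part of the original post or of The Sleuth Kit; the directory they search is a constructed stand-in for the `deleted` and `allocated` trees that tsk_recover produced, and its file contents are invented.

```shell
# make_sample_tree
# Builds a small constructed stand-in for a tsk_recover output directory and
# prints its path. The file contents are invented for this example; they are
# not from the honeypot image.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/last" "$dir/etc" "$dir/home/user"
    printf '#!/bin/sh\n# constructed: fake installer that mentions the sniffer\ncp linsniffer /usr/bin/\n' > "$dir/last/install"
    printf '#!/bin/sh\n# constructed: fake log cleaner\nkillall -9 linsniffer\n' > "$dir/last/logclear"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$dir/etc/passwd"
    printf 'shopping list\n' > "$dir/home/user/notes.txt"
    printf '%s' "$dir"
}

# ioc_sweep DIR IOC_FILE
# Searches every file under DIR for the fixed strings listed one per line in
# IOC_FILE and prints "sha256  path" for each hit, sorted by path.
#  -r recurse, -l file names only, -a treat binaries as text (a rootkit's
#  ELF binaries carry strings too), -F fixed strings (no regex surprises
#  from indicators containing dots or other metacharacters).
# An empty IOC file would make grep match every file, so it is rejected.
ioc_sweep() {
    [ -s "$2" ] || { echo "ioc_sweep: IOC file is empty, refusing to match everything" >&2; return 1; }
    grep -rlaF -f "$2" -- "$1" | sort | while IFS= read -r f; do
        sha256sum -- "$f"
    done
}

# Demo: sweep the constructed tree for the indicator the post found.
IOC_LIST=$(mktemp)
printf 'linsniffer\n' > "$IOC_LIST"
TREE=$(make_sample_tree)
ioc_sweep "$TREE" "$IOC_LIST"
rm -rf "$TREE" "$IOC_LIST"

# On the real recovery, run it over both trees and keep the output:
#   ioc_sweep deleted   iocs.txt > hits-deleted.txt
#   ioc_sweep allocated iocs.txt > hits-allocated.txt
```

Grow the IOC list as you go (file names from the install script, the tarball name, log paths the cleaner touches) and re-run; the second pass over `allocated` is what shows whether the rootkit's components were still live on the system or only survived as deleted blocks.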



