Check your fortress with lsat - auditing software for servers and desktops
You may be "alive in real life", but you will be "dead in virtual life" for as long as you are not connected to the global network. Before you connect, though, you should know, and be able to prove through an audit, that your system is more secure than it was before. That is the focus of this article.
By: Mauro Risonho de Paula Assumpção A.K.A firebits on 26/02/2010
Please consider removing these packages.
bind9-host libbind9-50 libindicate-gtk1 libindicate3 libmail-sendmail-perl webmin
****************************************
Please comment out all of these from inetd.conf.
****************************************
Lines found in hosts.allow
Make sure you wish to allow the following:
****************************************
Did not find ALL:ALL in hosts.deny.
Lines found in hosts.deny:
****************************************
default init level is not set to 5. Good.
****************************************
Consider placing:
auth.* /var/log/secure
in your /etc/syslog.conf file.
****************************************
Consider placing:
authpriv.* /var/log/secure
in your /etc/syslog.conf file.
****************************************
The last 100 (or less) failed login attempts on the system
Login              Failures Maximum Latest                   On
root               0        0       12/31/69 21:00:00 -0300
daemon             0        0       12/31/69 21:00:00 -0300
bin                0        0       12/31/69 21:00:00 -0300
sys                0        0       12/31/69 21:00:00 -0300
sync               0        0       12/31/69 21:00:00 -0300
games              0        0       12/31/69 21:00:00 -0300
man                0        0       12/31/69 21:00:00 -0300
lp                 0        0       12/31/69 21:00:00 -0300
mail               0        0       12/31/69 21:00:00 -0300
news               0        0       12/31/69 21:00:00 -0300
uucp               0        0       12/31/69 21:00:00 -0300
proxy              0        0       12/31/69 21:00:00 -0300
www-data           0        0       12/31/69 21:00:00 -0300
backup             0        0       12/31/69 21:00:00 -0300
list               0        0       12/31/69 21:00:00 -0300
irc                0        0       12/31/69 21:00:00 -0300
gnats              0        0       12/31/69 21:00:00 -0300
nobody             0        0       12/31/69 21:00:00 -0300
libuuid            0        0       12/31/69 21:00:00 -0300
syslog             0        0       12/31/69 21:00:00 -0300
messagebus         0        0       12/31/69 21:00:00 -0300
hplip              0        0       12/31/69 21:00:00 -0300
haldaemon          0        0       12/31/69 21:00:00 -0300
kernoops           0        0       12/31/69 21:00:00 -0300
polkituser         0        0       12/31/69 21:00:00 -0300
saned              0        0       12/31/69 21:00:00 -0300
gdm                0        0       12/31/69 21:00:00 -0300
speech-dispatcher  0        0       12/31/69 21:00:00 -0300
supervisor         0        0       12/31/69 21:00:00 -0300
snort              0        0       12/31/69 21:00:00 -0300
havp               0        0       12/31/69 21:00:00 -0300
clamav             0        0       12/31/69 21:00:00 -0300
mysql              0        0       12/31/69 21:00:00 -0300
Debian-exim        0        0       12/31/69 21:00:00 -0300
dansguardian       0        0       12/31/69 21:00:00 -0300
festival           0        0       12/31/69 21:00:00 -0300
ntp                0        0       12/31/69 21:00:00 -0300
mrpa               0        0       12/31/69 21:00:00 -0300
logcheck           0        0       12/31/69 21:00:00 -0300
****************************************
This is a list of SUID files on the system:
/sbin/mount.ecryptfs_private
/bin/umount
/bin/su
/bin/fusermount
/bin/ping
/bin/mount
/bin/ping6
/lib/dbus-1.0/dbus-daemon-launch-helper
****************************************
This is a list of SGID files/directories on the system:
/sbin/unix_chkpwd
/etc/ppp/peers
/etc/chatscripts
/etc/logcheck/violations.d
/etc/logcheck/cracking.ignore.d
/etc/logcheck/cracking.d
/etc/logcheck/ignore.d.paranoid
/etc/logcheck/ignore.d.workstation
/etc/logcheck/ignore.d.server
/etc/logcheck/violations.ignore.d
/srv/cvs
/srv/cvs/CVSROOT
/srv/cvs/CVSROOT/Emptydir
****************************************
List of normal files in /dev. MAKEDEV is ok, but there should be no other files:
/dev/.blkid.tab
/dev/.blkid.tab.old
/dev/.udev/queue.bin
/dev/.udev/db/block:sda9
/dev/.udev/db/block:sda8
/dev/.udev/db/block:sda7
/dev/.udev/db/block:sda6
/dev/.udev/db/block:sda5
/dev/.udev/db/block:sda15
/dev/.udev/db/block:sda14
/dev/.udev/db/block:sda12
/dev/.udev/db/block:sda11
/dev/.udev/db/block:sda10
/dev/.udev/db/input:event6
/dev/.udev/db/sound:card0
/dev/.udev/db/sound:controlC0
/dev/.udev/db/sound:hwC0D0
/dev/.udev/db/sound:audio
/dev/.udev/db/sound:pcmC0D0c
/dev/.udev/db/sound:adsp
/dev/.udev/db/sound:pcmC0D1c
/dev/.udev/db/sound:pcmC0D2c
/dev/.udev/db/sound:pcmC0D1p
/dev/.udev/db/sound:dsp
/dev/.udev/db/sound:pcmC0D0p
/dev/.udev/db/sound:mixer
/dev/.udev/db/sound:card1
/dev/.udev/db/net:wlan0
/dev/.udev/db/sound:adsp1
/dev/.udev/db/sound:dsp1
/dev/.udev/db/sound:pcmC1D0c
/dev/.udev/db/sound:controlC1
/dev/.udev/db/sound:audio1
/dev/.udev/db/sound:pcmC1D1c
/dev/.udev/db/sound:mixer1
/dev/.udev/db/video4linux:video0
/dev/.udev/db/video4linux:vbi0
/dev/.udev/db/video4linux:radio0
/dev/.udev/db/input:event5
/dev/.udev/db/sound:sequencer2
/dev/.udev/db/sound:sequencer
/dev/.udev/db/block:sda1
/dev/.udev/db/block:sda13
/dev/.udev/db/block:sda2
/dev/.udev/db/block:sdd
/dev/.udev/db/block:sda
/dev/.udev/db/block:sdc
/dev/.udev/db/block:sde
/dev/.udev/db/block:sdb
/dev/.udev/db/sound:seq
/dev/.udev/db/sound:timer
/dev/.udev/db/input:mouse1
/dev/.udev/db/input:event4
/dev/.udev/db/input:event1
/dev/.udev/db/input:event3
/dev/.udev/db/input:event0
/dev/.udev/db/input:event2
/dev/.udev/db/block:sr0
/dev/.udev/db/block:ram9
/dev/.udev/db/block:loop7
/dev/.udev/db/block:ram7
/dev/.udev/db/block:ram5
/dev/.udev/db/block:ram2
/dev/.udev/db/block:loop2
/dev/.udev/db/block:ram4
/dev/.udev/db/block:ram0
/dev/.udev/db/block:ram14
/dev/.udev/db/block:ram15
/dev/.udev/db/block:ram12
/dev/.udev/db/block:ram13
/dev/.udev/db/block:ram11
/dev/.udev/db/block:loop1
/dev/.udev/db/block:ram10
/dev/.udev/db/net:eth0
/dev/.udev/db/block:loop3
/dev/.udev/db/block:ram1
/dev/.udev/db/block:loop5
/dev/.udev/db/block:loop6
/dev/.udev/db/block:ram8
/dev/.udev/db/block:loop4
/dev/.udev/db/block:ram3
/dev/.udev/db/block:ram6
/dev/.udev/db/block:loop0
/dev/.udev/db/usb:1-9
/dev/.udev/db/usb:usb2
/dev/.udev/db/usb:usb1
/dev/.initramfs/varrun/sendsigs.omit
/dev/.initramfs-tools
****************************************
This is a list of world writable files
/etc/rc.local
****************************************
This is a list of group writable files
/etc/pam.d/webmin
/etc/rc.local
/srv/cvs/CVSROOT/.#cvswrappers
/srv/cvs/CVSROOT/.#checkoutlist
/srv/cvs/CVSROOT/.#preproxy
/srv/cvs/CVSROOT/.#posttag
/srv/cvs/CVSROOT/.#rcsinfo
/srv/cvs/CVSROOT/.#verifymsg
/srv/cvs/CVSROOT/.#loginfo
/srv/cvs/CVSROOT/val-tags
/srv/cvs/CVSROOT/.#modules
/srv/cvs/CVSROOT/.#postproxy
/srv/cvs/CVSROOT/.#commitinfo
/srv/cvs/CVSROOT/.#config
/srv/cvs/CVSROOT/history
/srv/cvs/CVSROOT/.#postwatch
/srv/cvs/CVSROOT/.#notify
/srv/cvs/CVSROOT/.#postadmin
/srv/cvs/CVSROOT/.#taginfo
****************************************
List of group writable directories:
/file0001
/backup
/file0004
/tmp
/file0003
/file0002
****************************************
List of world writable directories:
/backup0001
/backup0002
/tmp
/srv/cvs
/srv/cvs/CVSROOT
/srv/cvs/CVSROOT/Emptydir
/file0002
****************************************
This is a list of .exrc files found
****************************************
This is a list of .forward files found on the system:
****************************************
This is a list of .rhosts files found on the system:
****************************************
This is a list of .netrc files found on the system
****************************************
This is a list of dotfiles found on the system
****************************************
Please consider removing these system accounts. Check to see if you need them for your system applications before removing. Also, consult the securitylinks.txt file for more information.
sync
man
lp
news
uucp
****************************************
The following accounts are SUID 0 in /etc/passwd. Remove if needed.
****************************************
Remove the following entries (if any) from the respective passwd/group file(s)
****************************************
The following accounts have no/empty passwords
****************************************
Output of pwck, note non existent directories, etc
****************************************
Output of grpck, note groups it think should be deleted.
****************************************
Checks for sticky bits on tmp files
-> is not chmod 644. Check above files for chmod 644.
Check above dirs to ensure root ownership.
****************************************
List of files with no user or group:
/home/firebits
/home/firebits/.profile
/home/firebits/.gegl-0.0
/backup/DVD1/registro/rfc/rfc3245.txt.pdf
. . . (continues)
****************************************
Checking default umask on system:
Default umask should be 022, 027 or 077. 002 is ok for RedHat.
Here are the filenames, and the umask number found in each.
Please read through the file and ensure that is what you want.
/etc/oinkmaster.conf: = 0027
/etc/profile: 022
****************************************
While checking ftpusers...
/etc/ftpusers does not exist or is not readable.
This is ok if you are not root, not running ftp or your ftp daemon does not use /etc/ftpusers.
Please triple check your configuration and ensure you do not need /etc/ftpusers.
****************************************
Checking rc startup scripts:
These services were found in /etc/rc(2/3).d
Consider removing or disabling unneeded services.
****************************************
Default limits hashed out in limits.conf.
Check /etc/security/limits.conf for the default entry.
Make sure to set hard and soft limits for default "*", or for individual users.
****************************************
Output from ulimit, check to see if these are reasonable limits.
Resource limits can help prevent DOS attacks, read up on them if you need to.
time(seconds)         unlimited
file(blocks)          unlimited
data(kbytes)          unlimited
stack(kbytes)         8192
coredump(blocks)      0
memory(kbytes)        unlimited
locked memory(kbytes) 64
process               unlimited
nofiles               1024
vmemory(kbytes)       unlimited
locks                 unlimited
****************************************
sshd config file entries
Make sure these are commented out.
****************************************
Protcol 2 not found in sshd config, or you are doing 1,2. Change to protcol 2 only.
****************************************
This is the lsof output, diff this against a previous run.
COMMAND   PID  USER       FD  TYPE DEVICE SIZE/OFF NODE NAME
firefox 23640 supervisor 58u IPv4 148387      0t0  TCP 192.168.1.2:40714->avocado.canonical.com:www (ESTABLISHED)
****************************************
/etc/issue exists. Make sure it does not have any system specific information in it.
****************************************
/etc/issue.net exists. Make sure it does not have any system specific information in it.
****************************************
/etc/motd exists. Make sure it does not have any system specific information in it.
****************************************
/etc/banners dir not found. Check securitylinks.txt for more info.
****************************************
No ExecCGIs found. Good.
****************************************
Check lsatmd5.out for output of checkmd5. If this is a subsequent run, old one is called lsatmd5.out.old
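The report above is only useful if you know what each section is testing for. As an added example (not from the article and not lsat's own code), the POSIX shell script below re-implements five of the checks lsat performed: SUID files, world-writable files, a default "ALL: ALL" rule in hosts.deny, empty password fields in a shadow-format file, and an sshd configuration pinned to "Protocol 2". It runs them against a constructed sample tree under mktemp, so every path, account name and file content it creates is invented for the demonstration and the result is deterministic.

```shell
#!/bin/sh
# Added example: a minimal re-implementation of a few lsat checks, run
# against a constructed sample tree. Every file created by
# make_sample_tree is invented for the demonstration.

# Regular files carrying the SUID bit: each is a privilege boundary to review.
find_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# World-writable regular files. Anyone can edit them, which is fatal when
# root executes the file at boot (the /etc/rc.local finding in the report).
find_world_writable_files() {
    find "$1" -type f -perm -0002 2>/dev/null | sort
}

# TCP wrappers should default-deny: hosts.deny needs an "ALL: ALL" line.
hosts_deny_has_default_deny() {
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$1"
}

# Accounts whose password field (2nd column of a shadow-format file) is empty.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1" | sort
}

# Accept sshd_config only if it pins "Protocol 2"; "1,2" or a missing
# directive is flagged, mirroring the lsat message in the report.
sshd_protocol2_only() {
    grep -Eq '^[[:space:]]*Protocol[[:space:]]+2[[:space:]]*$' "$1"
}

# Build a fake root filesystem in a temp dir and print its path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/etc/ssh"
    printf '#!/bin/sh\n' > "$root/bin/su";  chmod 4755 "$root/bin/su"   # SUID
    printf '#!/bin/sh\n' > "$root/bin/ls";  chmod 0755 "$root/bin/ls"   # clean
    printf 'exit 0\n' > "$root/etc/rc.local"; chmod 0666 "$root/etc/rc.local"
    printf 'sshd: 192.168.1.0/24\n' > "$root/etc/hosts.deny"           # no ALL: ALL
    printf 'root:$6$x:1::::::\nguest::1::::::\nsync:*:1::::::\n' > "$root/etc/shadow"
    printf 'Port 22\nProtocol 1,2\n' > "$root/etc/ssh/sshd_config"
    echo "$root"
}

# Run every check against a tree; exit status 0 only when nothing is flagged.
# SUID files are listed for review but not counted, since some are legitimate.
audit_tree() {
    root=$1; findings=0
    suid=$(find_suid "$root")
    [ -n "$suid" ] && { echo "SUID files:"; echo "$suid"; }
    ww=$(find_world_writable_files "$root")
    [ -n "$ww" ] && { echo "world writable files:"; echo "$ww"; findings=$((findings+1)); }
    hosts_deny_has_default_deny "$root/etc/hosts.deny" \
        || { echo "no ALL:ALL in hosts.deny"; findings=$((findings+1)); }
    empties=$(empty_password_accounts "$root/etc/shadow")
    [ -n "$empties" ] && { echo "empty passwords: $empties"; findings=$((findings+1)); }
    sshd_protocol2_only "$root/etc/ssh/sshd_config" \
        || { echo "sshd is not Protocol 2 only"; findings=$((findings+1)); }
    echo "findings: $findings"
    [ "$findings" -eq 0 ]
}

if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_tree)
    audit_tree "$sample"
    rm -rf "$sample"
fi
```

Run it as `sh audit_demo.sh --demo`; the sample tree produces four findings. Pointing `audit_tree` at `/` reproduces the corresponding sections of the report, but reading `/etc/shadow` requires root. Two caveats when reading the original output: the `/dev/.udev` and `/dev/.blkid.tab` entries are runtime state written by udev and blkid on distributions of that era, not planted files, whereas the world-writable `/etc/rc.local` and the group-writable `/etc/pam.d/webmin` are real findings because both are consumed by root. The "Protocol 2" check reflects lsat's age: current OpenSSH servers no longer support protocol 1 at all, so the directive is moot on a modern system.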