---
tags: ccdc, CCDC2020
---

# Scripts Linux

## Password Change (all users 1 password)

* Check whether any accounts use a shell other than bash (field 7 of `/etc/passwd`, e.g. `/bin/sh`, `/bin/dash`, `/usr/bin/zsh`) and match those shells in the commands below as well; an attacker-created account may well use another shell.
* If your `passwd` supports `-a`, `passwd -S -a | awk '$2 == "P" {print $1}'` lists every account that has a usable password regardless of shell and can replace the `awk` over `/etc/passwd` below (it lists root too, so keep excluding it). Matching on `$2` rather than `/P/` avoids picking up usernames that merely contain a `P`.
* To give users other than root their own passwords, extend the exclusion to `$1 != "root" && $1 != "user1" && $1 != "user2" ...` and add a `passwd user1` line for each of them at the end, next to `passwd root`.
* `passwd` reads the new password twice from stdin when it is not attached to a terminal. Quote `"$pass"` and use `printf` rather than `echo -e`, or a password containing spaces, `*` or a backslash will be mangled before it reaches `passwd`.

#### One line

```bash
echo -n 'Password: '; read -s pass; echo; for u in $(awk -F: '$7 == "/bin/bash" && $1 != "root" {print $1}' /etc/passwd); do echo "$u"; printf '%s\n%s\n' "$pass" "$pass" | passwd "$u"; done; unset pass; passwd root
```

#### Multiline

```bash
echo -n 'Password: '
read -s pass
echo
# Field 7 of /etc/passwd is the login shell. Matching the whole field avoids the two
# failure modes of 'grep /bin/bash | grep -v root': a nologin account whose home
# directory happens to contain "/bin/bash", and a user such as "rooter" being skipped.
for u in $(awk -F: '$7 == "/bin/bash" && $1 != "root" {print $1}' /etc/passwd); do
  echo "$u"
  # printf keeps spaces and backslashes in the password intact; 'echo -e $pass' would not
  printf '%s\n%s\n' "$pass" "$pass" | passwd "$u"
done
unset pass
passwd root   # root gets a separate password, entered interactively
```

## Firewall Initial Lockdown

### UFW

```bash
allowed="22 25 80/tcp 443/tcp"   # change to the ports you actually need
ufw --force reset                # --force answers the confirmation prompt; reset also disables ufw
ufw default deny incoming
for p in $allowed; do ufw allow $p; done
ufw --force enable               # make sure your SSH port is in $allowed before this line
ufw status numbered
```

### iptables

> Make sure you set up PERSISTENT iptables.
> Or at the very least save the rules with `iptables-save`.

#### Clear all rules and kill IPv6

```bash
# Drop all IPv6 traffic: set the policies first so nothing slips in while the chains are flushed
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
ip6tables -t nat -F
ip6tables -t mangle -F
ip6tables -F
ip6tables -X
# Keep IPv6 loopback working, or any service that binds to localhost and gets ::1 will break
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# Clear all IPv4 rules: policies to ACCEPT first, so the flush cannot lock you out of your SSH session
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
```

#### Add inbound restrictions

```bash
allowed="22 25 80 443"   # change to the ports you actually need (LOW:HIGH for a range, e.g. 1:7)
iptables -A INPUT -i lo -j ACCEPT                                # loopback: local resolver stubs, databases, etc.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
for p in $allowed; do iptables -A INPUT -p tcp --dport $p -j ACCEPT; done
# the loop only opens TCP; a scored UDP service (DNS, NTP) needs its own '-p udp --dport' rule
iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP

# Log dropped input packets, rate limited so an attacker cannot flood the log
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "iptables-dropped: " --log-level 4
iptables -A LOGGING -j DROP
iptables -L -n -v --line-numbers
```

## Firewall outbound lock down

> Both firewalls are stateful, so replies on connections the box accepted are unaffected. Anything the box itself initiates on a port not listed here (NTP, an SMTP relay, LDAP/AD, a package mirror on a non-standard port) is blocked once outbound is denied by default, so re-check the scored services afterwards.

### UFW

```bash
ufw allow out 80/tcp
ufw allow out 443/tcp
ufw allow out from 0.0.0.0/0 to 1.1.1.1 port 53 proto udp
# set the IP of the internal/competition DNS server in the following
ufw allow out from 0.0.0.0/0 to x.x.x.x port 53 proto udp
# Uncomment if sending logs to an rsyslog server and set its IP
# ufw allow out from 0.0.0.0/0 to x.x.x.x port 514 proto udp
# ufw allow out from 0.0.0.0/0 to x.x.x.x port 514 proto tcp
ufw default deny outgoing
ufw status numbered
```

### iptables

> If using iptables ensure iptables-persistent is installed.
```bash
iptables -A OUTPUT -o lo -j ACCEPT                                # loopback: without this a local stub resolver (127.0.0.53) or database breaks
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# change the following to the local DNS server IPs, where x.x.x.x is the internal/competition DNS server
iptables -A OUTPUT -p udp --dport 53 -d 1.1.1.1,x.x.x.x -j ACCEPT
# Uncomment if sending logs to an rsyslog server and set its IP
# iptables -A OUTPUT -p tcp --dport 514 -d x.x.x.x -j ACCEPT
# iptables -A OUTPUT -p udp --dport 514 -d x.x.x.x -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -L -n -v --line-numbers
```

## Persistent iptables

### BACKUP RULES

**DO THIS REGARDLESS ONCE YOU HAVE A WORKING RULESET.**

> `sudo cmd > file` runs the redirection as your own user, so it fails in a root-owned directory; pipe through `sudo tee` instead. Re-run the save after every rule change, or a reboot brings back the older set.

```bash
sudo mkdir -p /usr/share/help
sudo iptables-save | sudo tee /usr/share/help/.rules.4 > /dev/null
sudo ip6tables-save | sudo tee /usr/share/help/.rules.6 > /dev/null
```

### Manual Restore

**Do this after a reboot or a failed change.**

```bash
sudo iptables-restore < /usr/share/help/.rules.4
sudo ip6tables-restore < /usr/share/help/.rules.6
```

### Debian/Ubuntu auto restore

> Newer versions of Ubuntu and Debian have a package, iptables-persistent, that restores a saved ruleset automatically after reboot. On other distributions fall back to the manual restore above.

```bash
sudo apt install iptables-persistent
```

> Once installed it restores the rules from /etc/iptables/rules.v4 and /etc/iptables/rules.v6. Let's create those (on current releases `sudo netfilter-persistent save` writes both files for you):

```bash
sudo iptables-save | sudo tee /etc/iptables/rules.v4 > /dev/null
sudo ip6tables-save | sudo tee /etc/iptables/rules.v6 > /dev/null
```
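The password-change procedure at the top of this page, reworked as an added example that is not part of the original notes: it parses the login-shell field of passwd(5) instead of grepping whole lines, so a user such as `rooter` is not skipped by `grep -v root` and a nologin account whose home directory contains `/bin/bash` is not touched, and it feeds `user:password` lines to `chpasswd` (shadow-utils) instead of piping into `passwd`. The passwd file it parses is a constructed sample written to a temp file so the script runs offline; `sh passwords.sh run` points it at `/etc/passwd` for real use. The sample accounts and the list of non-login shells are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original notes: bulk password change that parses
# the login-shell field of passwd(5) instead of grepping whole lines, and uses
# chpasswd(8) so the password never goes through 'echo -e' or an unquoted $pass.

# Constructed sample passwd file (assumption, for running offline). Real use: pass /etc/passwd.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:110:115:MySQL Server:/nonexistent:/bin/false
svc_backup:x:998:998:Backup Service:/var/backups:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/usr/bin/zsh
rooter:x:1002:1002:Not root:/home/rooter:/bin/bash
ghost:x:1003:1003:Decoy:/opt/bin/bash:/usr/sbin/nologin
EOF

# Basenames of shells that cannot log in (assumed list; extend per distro).
# Everything else in field 7 is treated as a usable shell, and an empty field
# means /bin/sh (passwd(5)), so it counts as usable too.
NON_LOGIN_SHELLS='nologin false sync halt shutdown'

# list_shells FILE: each distinct login shell with its account count, so zsh/dash/sh
# accounts that a bash-only grep would miss stand out.
list_shells() {
  cut -d: -f7 "$1" | sort | uniq -c | sort -rn
}

# list_shell_users FILE: every account except root whose shell is usable.
# 'grep /bin/bash | grep -v root' would wrongly include ghost and exclude rooter.
list_shell_users() {
  awk -F: -v deny="$NON_LOGIN_SHELLS" '
    BEGIN { n = split(deny, d, " "); for (i = 1; i <= n; i++) bad[d[i]] = 1 }
    {
      sh = $7; sub(".*/", "", sh)          # basename of the shell path
      if (sh == "") sh = "sh"
      if ($1 != "root" && !(sh in bad)) print $1
    }' "$1"
}

# set_passwords FILE PASSWORD: feed "user:password" lines to chpasswd (needs root).
# printf/read -r keep spaces and backslashes intact; a ':' in the password is fine
# because chpasswd splits on the first colon only.
set_passwords() {
  list_shell_users "$1" | while IFS= read -r u; do
    printf '%s:%s\n' "$u" "$2"
  done | chpasswd
}

# Interactive use (as root):  sh passwords.sh run [/etc/passwd]
if [ "${1:-}" = "run" ]; then
  f=${2:-/etc/passwd}
  echo 'Login shells in use:'; list_shells "$f"
  echo 'Accounts that will be changed:'; list_shell_users "$f"
  printf 'New password: '; stty -echo; read -r pass; stty echo; echo
  printf 'Repeat: ';       stty -echo; read -r pass2; stty echo; echo
  [ "$pass" = "$pass2" ] || { echo 'passwords differ, nothing changed' >&2; exit 1; }
  set_passwords "$f" "$pass"
  unset pass pass2
  passwd root   # root gets its own password, entered interactively
fi
```

Run `list_shells` and `list_shell_users` against `/etc/passwd` first and read the list before calling `set_passwords`; the shell inventory is also a quick way to spot an account an attacker added with an unexpected shell.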
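The inbound and outbound iptables sections above, and the persistence step, all apply rules one `-A` at a time, which leaves a window where a typo or a forgotten loopback rule has already cut your SSH session. As an added example that is not from the original notes, the script below builds the whole IPv4 filter table (inbound, outbound, loopback, rate-limited logging) as one iptables-restore(8) file, checks it with `iptables-restore --test`, loads it in a single commit, and saves it both to the hidden backup path used above and to `/etc/iptables/rules.v4`. The port lists, the `1.1.1.1` placeholder resolver, the empty `SYSLOG_SERVER` and the `-m conntrack` form of the state match are assumptions to edit; `build_ruleset` runs without root so the output can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example, not from the original notes: generate the whole IPv4 ruleset as one
# iptables-restore file, validate it, load it atomically, then save it. iptables-restore
# replaces the table in a single commit, so a bad file is rejected as a whole and the
# old rules stay in place instead of half a ruleset locking you out.

# Site settings (assumptions; edit for the box). Specs: PORT, PORT/PROTO or LOW:HIGH/PROTO; proto defaults to tcp.
IN_ALLOW='22 25 80 443'
OUT_ALLOW='80 443'
DNS_SERVERS='1.1.1.1'        # placeholder; add the internal/competition resolver(s)
SYSLOG_SERVER=''             # e.g. 10.0.0.5 if shipping logs to rsyslog on 514
BACKUP_DIR=/usr/share/help   # same hidden copy the notes keep

# port_rule CHAIN SPEC [EXTRA MATCHES...]: print one -A line, or fail on a malformed spec.
port_rule() {
  chain=$1; spec=$2; shift 2
  port=${spec%%/*}
  proto=${spec#*/}; [ "$proto" = "$spec" ] && proto=tcp
  case $port in ''|*[!0-9:]*|*:*:*) echo "bad port in '$spec'" >&2; return 1 ;; esac
  case $proto in tcp|udp) ;; *) echo "bad proto in '$spec'" >&2; return 1 ;; esac
  printf '%s -p %s --dport %s%s -j ACCEPT\n' "-A $chain" "$proto" "$port" "${1:+ $*}"
}

# build_ruleset: write the complete filter table to stdout.
build_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGGING - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
  for p in $IN_ALLOW; do port_rule INPUT "$p" || return 1; done
  # Loopback out is essential: a local stub resolver (systemd-resolved on 127.0.0.53),
  # databases and web back-ends all talk over lo. Echo replies are covered by conntrack.
  cat <<'EOF'
-A INPUT -j LOGGING
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
  for d in $DNS_SERVERS; do
    port_rule OUTPUT 53/udp -d "$d" && port_rule OUTPUT 53/tcp -d "$d" || return 1
  done
  if [ -n "$SYSLOG_SERVER" ]; then
    port_rule OUTPUT 514/udp -d "$SYSLOG_SERVER" && port_rule OUTPUT 514/tcp -d "$SYSLOG_SERVER" || return 1
  fi
  for p in $OUT_ALLOW; do port_rule OUTPUT "$p" || return 1; done
  # Outbound drops go through LOGGING too: when a scored service breaks after lockdown,
  # the OUT=... DPT=... fields in the log tell you which port to open.
  cat <<'EOF'
-A OUTPUT -j LOGGING
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "iptables-dropped: " --log-level 4
-A LOGGING -j DROP
COMMIT
EOF
}

# apply_ruleset: validate, load atomically, then save copies (root only).
apply_ruleset() {
  f=$(mktemp) || return 1
  build_ruleset > "$f" || { rm -f "$f"; return 1; }
  # --test parses and builds the table without committing it, so typos are caught first
  if ! iptables-restore --test < "$f"; then echo 'ruleset rejected, nothing changed' >&2; rm -f "$f"; return 1; fi
  iptables-restore < "$f"
  mkdir -p "$BACKUP_DIR" && cp "$f" "$BACKUP_DIR/.rules.4"
  if [ -d /etc/iptables ]; then cp "$f" /etc/iptables/rules.v4; fi   # what iptables-persistent reloads at boot
  rm -f "$f"
  iptables -L -n -v --line-numbers
}

# Usage: sh lockdown.sh show   (print the ruleset for review, no root needed)
#        sh lockdown.sh apply  (as root)
case "${1:-}" in show) build_ruleset ;; apply) apply_ruleset ;; esac
```

Because the file is generated rather than typed, `show` is the review step: diff it against a previous run before `apply`, and keep the IPv6 handling from the section above alongside it, since this script only writes the IPv4 table.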