Debian Based system: Debian, Ubuntu and Mint

Determine hostname

Pretty much all versions of Linux support the "hostname" command, so run it at the command prompt to get the name of the machine.

Check the distribution and version of Linux running on the system

For each system we need to know which distribution of Linux it runs. One of the following should give you the information:

cat /etc/issue

or

cat /etc/*-release

(lsb_release -a also reports the distribution and release where the lsb-release package is installed.)

Below are the actively supported Debian-based distributions of Linux. If the machine is running a release that isn't on this list then you will need to do a version upgrade in addition to running the software updates outlined later in this document.

Active releases for distributions of Linux

Debian 7.x (wheezy) is the current stable release; point releases 7.0 and 7.1 exist, with 7.1 being the latest, released in June 2013. Anything lower than 7, for example 6.0 (squeeze), is out of date and should be upgraded.

Ubuntu (based on Debian) supported releases (https://help.ubuntu.com/):

Ubuntu 13.04 (Raring Ringtail)
Ubuntu 12.10 (Quantal Quetzal)
Ubuntu 12.04.3 LTS (Precise Pangolin)
Ubuntu 10.04.4 LTS (Lucid Lynx)

Mint (based on Ubuntu): supported releases are 13, 14 and 15 (http://www.linuxmint.com/oldreleases.php)

VERSION  CODENAME  PACKAGE BASE    STATUS
15       Olivia    Ubuntu Raring   Supported until January 2014
14       Nadia     Ubuntu Quantal  Supported until April 2014
13       Maya      Ubuntu Precise  Long term support release (LTS), supported until April 2017

Determine the IP address of each box and whether it is a static or a dynamic address

In the command prompt run:

ifconfig

On some distributions you may need to give the full path of the command which should be:

/sbin/ifconfig

The output is broken down by network interface and looks something like this:

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.200  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::6ef0:49ff:fe7e:5fcf  prefixlen 64  scopeid 0x20<link>

Here the interface is eth0 and the IP address is 192.168.10.200.

To determine whether the IP is static, run the GUI-based network configuration tool. You should be able to enter "network" in the GUI tool search or find the "Network Connections" tool. (On CentOS it is under the "Preferences -> Network Connections" menu; on Debian the command-line name is nm-connection-editor.) The tool shows the interfaces, so click on the interface and then click the Edit button. Select the "IPv4 Settings" tab and see whether "Method" is set to Automatic (DHCP) or Manual. DHCP is dynamic and Manual is static. We want this information because if the machine uses DHCP then the firewall has to let the DHCP exchange through: the client sends from UDP port 68 (bootpc) to UDP port 67 (bootps), and that is exactly the outbound traffic you will see blocked in the firewall log later in this document. The IP address can also be used to restrict inbound SSH access to only the machine of our choice. Note that if the tool doesn't show any interface then the interface is most likely configured for hot-plug networking in /etc/network/interfaces rather than by NetworkManager, in which case look at the configuration file:

cat /etc/network/interfaces

So from the ifconfig output above I know the interface is eth0, and the interface is using DHCP if the configuration file has dhcp on the line for eth0, like this:

allow-hotplug eth0
iface eth0 inet dhcp

(A static address shows up as "iface eth0 inet static" followed by address, netmask and gateway lines.)

Add a firewall with a strict policy

We want to start by installing the firewall software and creating a pretty restrictive policy to minimize the possibility we're attacked while we're cleaning the system up. Start by installing the GUI for the basic firewall (gufw is a front end for ufw, which apt installs along with it) by entering the following command in a terminal window:

sudo apt-get install gufw

It will find the package and ask whether you want to install it; hit the enter key to take the default Y (yes) response and install the GUI.

Bring up the interface with this command:

gksudo gufw

Click the unlock button.

The status line shows the firewall is off, so click on "off" and it should turn to "on" (it can take a few seconds to change). The default policy is to block all incoming traffic and allow all outbound traffic. We want to add a few rules to allow outbound web and DNS traffic. Click on the "+" button to add a rule. You get a window with three tabs; it should already be on the "Preconfigured" tab, and if it isn't then select it. On this tab there are four buttons. The first should be set to Allow, the second to "Out", the third to "Service" and the fourth to "HTTP", then click the Add button. This rule allows us to make unencrypted web connections (HTTP) outbound.

Sadly there are not many preconfigured services, so now click on the "Simple" tab and let's add our DNS rule. On the "Simple" tab we want the first button to be "Allow", the second "Out" and the third "Both"; then in the text box enter domain (without quotes) and click the "Add" button. DNS mostly uses UDP, but answers that don't fit in a UDP packet are retried over TCP (and zone transfers are always TCP), so "Both" is the right choice here rather than UDP only.

We also want secure web, which is HTTPS, going outbound, so on the Simple tab again set the first button to "Allow", the second to "Out", the third to "TCP", and in the text box type either 443 or https, then click the "Add" button.

The final rule we need to put in place is one for the scoring application. You should be able to use the Simple tab for it: set the first button to "Allow"; assuming you discovered above that the connection is outbound, set the second button to "Out" and the third to "Both"; in the text box type the port number you discovered above for the scoring application, then click the "Add" button.

Close the “Add Rule” window and then change the “Outgoing” policy to “Deny”. So at this point we're not allowing any inbound connection and we're only allowing HTTP, HTTPS and DNS traffic out of the box. That's a pretty secure policy.

Once the firewall is set up you can use the following command in a terminal window to watch for indications that the firewall is dropping traffic (on Ubuntu the same entries are also written to /var/log/ufw.log):

tail -f /var/log/syslog |grep BLOCK

The tail command looks at the end of a file; the -f option says keep looking for new data being written to the file and print it out. Traffic blocked by the firewall results in a log entry in /var/log/syslog. We're piping the output of tail through grep to pull out the records that contain the word "BLOCK", as the syslog file is used by a lot of system services and we're only interested in the entries about traffic blocked by the firewall. When I did this on the machine I was using at home I noticed immediately that I should have included one more service, and that was outbound port 67 (bootps), because on my VM I was utilizing DHCP to get an IP address for my machine, which most likely will be the way IPs are assigned for the competition VM. Below is the log entry that popped up:

Sep 17 18:29:15 ubuntu kernel: [93491.919227] [UFW BLOCK] IN= OUT=eth0 SRC=192.168.111.202 DST=192.168.111.111 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=68 DPT=67 LEN=308

SRC indicates who sent the packet, and this is the IP of my machine. DST indicates who the packet is directed towards. PROTO indicates the protocol being used (UDP or TCP). SPT is the source port, so the port my machine used to communicate out, and DPT is the destination port, so the port my machine was sending the packet to. So my machine was attempting to make an outbound connection on UDP to IP 192.168.111.111 on port 67.

To terminate the “tail” command you would enter <ctrl>c

So bring up the "Add rule" option again in the firewall GUI, select the "Simple" tab, set the first button to "Allow", the second to "Out" and the third to "UDP" (notice PROTO in the log entry above), and in the text box type either 67 or bootps, then click the "Add" button.

You might want to keep the "tail -f /var/log/syslog | grep BLOCK" command running to see what else is being dropped. The firewall is supposed to drop traffic, so we don't want to add rules just because we see blocked traffic. If you see outbound traffic being dropped, look at the destination port, check on the internet what that port is used for, and then decide whether you want to let it out or not. Dropped inbound traffic is fine, unless the instructions tell you that you are supposed to be running some type of service on your machine, like a mail service (port 25) or a web service (ports 80 and 443), in which case you would need to allow those connections inbound. A few other ports that are normal to see from a Linux desktop are pop3 (110), pop3s (995), smtp (25), smtps (465) and imaps (993). These are all email related, so if you see outbound connections to them being dropped you could add them to the firewall rule set, and if you're supposed to be running an email server and you see any of these being dropped inbound you should add rules to allow the traffic.
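Once a few of these blocked-traffic decisions pile up it helps to summarise the log instead of reading it line by line. The script below is an added example and not part of this guide: it reads "[UFW BLOCK]" lines (from /var/log/syslog or a saved copy) on standard input, counts them by direction, protocol and destination port, and for each outbound flow prints the ufw command that would allow it, so that every rule you add is a deliberate choice. It assumes the log format shown above; the lines in SAMPLE_SYSLOG are constructed for a stand-alone run and the function names are mine.

```sh
# Added example: triage "[UFW BLOCK]" entries. Not part of the original guide.
# Constructed syslog excerpt: two DHCP client attempts, one inbound SSH probe,
# one outbound SMTP attempt, and an unrelated cron line that must be ignored.
SAMPLE_SYSLOG=$(cat <<'EOF'
Sep 17 18:29:15 ubuntu kernel: [93491.919227] [UFW BLOCK] IN= OUT=eth0 SRC=192.168.111.202 DST=192.168.111.111 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=68 DPT=67 LEN=308
Sep 17 18:29:19 ubuntu kernel: [93495.100000] [UFW BLOCK] IN= OUT=eth0 SRC=192.168.111.202 DST=192.168.111.111 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=68 DPT=67 LEN=308
Sep 17 18:30:02 ubuntu kernel: [93538.200000] [UFW BLOCK] IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.168.111.50 DST=192.168.111.202 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=40123 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Sep 17 18:30:40 ubuntu kernel: [93576.300000] [UFW BLOCK] IN= OUT=eth0 SRC=192.168.111.202 DST=192.168.111.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=51000 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Sep 17 18:31:00 ubuntu CRON[1200]: (root) CMD (run-parts /etc/cron.hourly)
EOF
)

# ufw_block_summary: read syslog text on stdin, print "DIR PROTO DPORT COUNT",
# most frequent first. A packet with an empty IN= field left this host (OUT);
# one with an interface in IN= arrived from outside (IN).
ufw_block_summary() {
    awk '
        /\[UFW BLOCK\]/ {
            dir = "IN"; proto = "?"; dpt = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "IN=")          dir = "OUT"
                else if ($i ~ /^PROTO=/)  proto = substr($i, 7)
                else if ($i ~ /^DPT=/)    dpt = substr($i, 5)
            }
            count[dir " " proto " " dpt]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k4,4nr -k1,1
}

# ufw_rule_for DIR PROTO DPORT: the ufw command that would allow an outbound
# flow. Inbound blocks get a reminder instead of a rule, because those are
# expected unless this host is meant to serve that port.
ufw_rule_for() {
    proto=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$1" in
        OUT) printf 'ufw allow out proto %s to any port %s\n' "$proto" "$3" ;;
        *)   printf '# inbound %s/%s: leave blocked unless this host must serve it\n' "$proto" "$3" ;;
    esac
}

# review_blocked: summary plus the suggested action for each flow, for a human
# to accept or reject one line at a time.
review_blocked() {
    ufw_block_summary | while read -r dir proto dpt n; do
        printf '%s %s/%s blocked %s time(s): %s\n' "$dir" "$proto" "$dpt" "$n" \
            "$(ufw_rule_for "$dir" "$proto" "$dpt")"
    done
}

printf '%s\n' "$SAMPLE_SYSLOG" | review_blocked
```

On a real box run it as `sudo grep 'UFW BLOCK' /var/log/syslog | review_blocked`. The first line it prints for the sample is the DHCP case from the log entry above, with the rule `ufw allow out proto udp to any port 67`, which is the command-line equivalent of the gufw rule just described; the inbound SSH probe is reported but gets no rule.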

Next we should check what users have been logging into the system with the following three commands. You have to run these as super user from the command prompt, so bring up a terminal window and use "sudo bash" to become super user, then enter:

last
lastlog
who /var/log/wtmp

Someone might have cleared one of the files these commands read (last and who read /var/log/wtmp, lastlog reads /var/log/lastlog) but not all of them, so it's a good idea to use all three. lastb reads /var/log/btmp and shows failed logins, which is worth a look as well. If they have cleared all the logs used by these tools we can also check auth.log:

sudo grep Accept /var/log/auth.log*

This lists people that have logged in remotely over SSH. The lines read "Accepted password for XXXX", where XXXX is the user name (logins with a key read "Accepted publickey for XXXX" instead; grep Accept catches both).

You can also do the following to show user that have logged in via multiple other methods.

sudo grep 'session open' /var/log/auth.log* |grep -v CRON

The grep -v drops the records associated with cron (the program scheduler) as they happen all the time and are not as interesting. Entries for lightdm show logins to the GUI. I'd also pay more attention to records related to sudo and su as both show a user gaining super user access. Entries related to sshd are very interesting as they are from remote access. Entries for login are for users that logged in via the text consoles you reach with <ctrl><alt><F1> to <ctrl><alt><F6>. You might run the commands like this to get entries for each individual way a user logged in:

sudo grep 'session open' /var/log/auth.log* | grep sshd
sudo grep 'session open' /var/log/auth.log* | grep login
sudo grep 'session open' /var/log/auth.log* | grep sudo
sudo grep 'session open' /var/log/auth.log* | grep 'su\['
sudo grep 'session open' /var/log/auth.log* | grep light

Then do the following to make sure you didn’t miss some other type of access:

sudo grep 'session open' /var/log/auth.log* | grep -v sshd | grep -v CRON | grep -v login | grep -v sudo | grep -v 'su\[' | grep -v light

The reason we're doing this is to find all of the active users on the system. Once we know this we can look at the history files associated with these users (~/.bash_history), which show commands they have run at the command line, and then remove accounts that should not be on the system.
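As an added example that is not part of the original guide, the two functions below do in one pass what the chain of grep commands above does: session_summary reads auth.log text on standard input and prints, per PAM service and user, how many sessions were opened (CRON excluded, with the "by NAME" caller kept so that a sudo or su to root is attributed to whoever ran it), and remote_logins pulls the user, source address and method out of sshd's "Accepted" lines. SAMPLE_AUTHLOG is constructed and the function names are mine; on a real system feed them `sudo cat /var/log/auth.log*`.

```sh
# Added example (not from the original guide): summarise auth.log sessions.
# Constructed auth.log excerpt: a GUI login, two SSH logins by "badguy", a sudo
# and an su to root, a console login, and a cron session that must be ignored.
SAMPLE_AUTHLOG=$(cat <<'EOF'
Sep 17 18:20:01 ubuntu CRON[1180]: pam_unix(cron:session): session opened for user root by (uid=0)
Sep 17 18:21:10 ubuntu lightdm: pam_unix(lightdm:session): session opened for user student by (uid=0)
Sep 17 18:25:33 ubuntu sshd[1210]: Accepted password for badguy from 192.168.111.50 port 40123 ssh2
Sep 17 18:25:33 ubuntu sshd[1210]: pam_unix(sshd:session): session opened for user badguy by (uid=0)
Sep 17 18:26:40 ubuntu sudo:   badguy : TTY=pts/1 ; PWD=/home/badguy ; USER=root ; COMMAND=/bin/bash
Sep 17 18:26:40 ubuntu sudo: pam_unix(sudo:session): session opened for user root by badguy(uid=1001)
Sep 17 18:40:12 ubuntu sshd[1302]: pam_unix(sshd:session): session opened for user badguy by (uid=0)
Sep 17 18:45:00 ubuntu login[1400]: pam_unix(login:session): session opened for user student by LOGIN(uid=0)
Sep 17 18:50:05 ubuntu su[1420]: pam_unix(su:session): session opened for user root by student(uid=1000)
EOF
)

# session_summary: stdin -> "SERVICE USER BY COUNT" lines, sorted by service
# and user. SERVICE comes from the pam_unix(SERVICE:session) token rather than
# the process-name column, so a PID suffix does not change it. BY is the
# account that invoked sudo/su, or "-" for a direct login.
session_summary() {
    awk '
        /pam_unix\([^:]+:session\): session opened for user/ {
            svc = $0; sub(/.*pam_unix\(/, "", svc); sub(/:session\).*/, "", svc)
            if (svc == "cron") next          # scheduler noise, same as grep -v CRON
            user = $0; sub(/.*session opened for user /, "", user); sub(/ .*/, "", user)
            by = $0; sub(/.* by /, "", by); sub(/\(uid=.*/, "", by)
            if (by == "") by = "-"
            count[svc " " user " " by]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k1,1 -k2,2
}

# remote_logins: stdin -> "USER SOURCE_IP METHOD" for each sshd "Accepted"
# line (METHOD is password or publickey).
remote_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / { print $9, $11, $7 }'
}

printf '%s\n' "$SAMPLE_AUTHLOG" | session_summary
printf '%s\n' "$SAMPLE_AUTHLOG" | remote_logins
```

For the sample this reports `sshd badguy - 2` and `sudo root badguy 1` on consecutive lines, which is the pattern to look for: an account you don't recognise logging in remotely and then becoming root.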

Check for users that are in special groups

There are a few groups in Ubuntu that give the user special system access. The four I know of are adm, admin, sudo and nopasswdlogin. I'd suggest running the following in a terminal window to see whether anyone other than the main user account is in any of these groups. The patterns are anchored with ^ and a trailing colon so that, for example, adm does not also match admin or any other group whose name merely contains those letters:

sudo grep '^nopasswdlogin:' /etc/group
sudo grep '^sudo:' /etc/group
sudo grep '^admin:' /etc/group
sudo grep '^adm:' /etc/group

The line returned will look something like this:

sudo:x:27:student,badguy

The last field after the final ':' is the list of user names that belong to this group. No one should be in the nopasswdlogin group. If someone is, either remove their user account completely with the userdel command (userdel -r USERNAME also removes the home directory), update their account in the GUI System Settings -> User Accounts tool, or remove them from the group with sudo deluser USERNAME GROUP (gpasswd -d USERNAME GROUP does the same). At a minimum edit /etc/group and remove them from the end of the line. If anyone other than the main user is on the sudo or admin line (note the admin line may not exist) then remove the other users from these groups the same way. You have to be super user to edit the group file, and a typo there can break logins, so the commands above are the safer route; if you do edit it, use the following command in a terminal window to start an editor session:

sudo gedit /etc/group

Remove users that you don't want in these special groups and save the file. Any user you remove from the group file is also a candidate for removing from the system.

Clean install of sudoers – Look for differences in your /etc/sudoers file!

This is the clean version of the sudoers file. If your file contains extra lines enabling access you should consider disabling them by putting a # at the start of the line. Edit the file with visudo rather than a plain editor; visudo checks the syntax before saving, and a syntax error in /etc/sudoers locks everyone out of sudo:

sudo visudo

Also look in /etc/sudoers.d/, since the #includedir line at the end of the file pulls in every file in that directory:

sudo ls -l /etc/sudoers.d

The default contents, pulled from an Ubuntu system, are as follows:

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

Note: Debian's stock sudoers doesn't include the %admin line, but Mint's does.
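The checks in this section and the previous one (group membership and the sudoers file) are worth scripting so they can be repeated after every change. The two functions below are an added example, not part of the guide: extra_group_members lists the members of adm, admin, sudo and nopasswdlogin other than the expected main user, using the anchored matching that a bare grep lacks, and nondefault_sudoers prints every effective line of a sudoers file that is not one of the stock Ubuntu entries quoted above (so on Debian or Mint a harmless extra Defaults line may also show up, and anything printed should simply be read). SAMPLE_GROUP and SAMPLE_SUDOERS are constructed; on Ubuntu the syslog account is a normal member of adm, so that line is expected. On a real system feed the functions /etc/group, /etc/sudoers and each file under /etc/sudoers.d.

```sh
# Added example (not from the original guide): audit privileged groups and sudoers.
# Constructed /etc/group excerpt. "radmin" is here to show why the match must be
# anchored: a bare "grep adm" would report it and "admin" as well.
SAMPLE_GROUP=$(cat <<'EOF'
root:x:0:
adm:x:4:syslog,student
sudo:x:27:student,badguy
admin:x:999:student
nopasswdlogin:x:998:mallory
radmin:x:1500:student
EOF
)
# Constructed sudoers excerpt: the stock Ubuntu lines plus one hand-added grant.
SAMPLE_SUDOERS=$(cat <<'EOF'
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
badguy  ALL=(ALL) NOPASSWD: ALL
#includedir /etc/sudoers.d
EOF
)

# extra_group_members MAINUSER: read /etc/group text on stdin and print
# "GROUP USER" for every member of a privileged group who is not MAINUSER.
extra_group_members() {
    awk -F: -v main="$1" '
        $1 == "adm" || $1 == "admin" || $1 == "sudo" || $1 == "nopasswdlogin" {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++)
                if (members[i] != "" && members[i] != main) print $1, members[i]
        }'
}

# nondefault_sudoers: read sudoers text on stdin and print each effective line
# that is not one of the stock entries. Runs of spaces and tabs are collapsed
# before comparing, so tab-versus-space differences do not produce noise.
nondefault_sudoers() {
    awk '
        BEGIN {
            stock["Defaults env_reset"] = 1
            stock["Defaults secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""] = 1
            stock["root ALL=(ALL:ALL) ALL"] = 1
            stock["%admin ALL=(ALL) ALL"] = 1
            stock["%sudo ALL=(ALL:ALL) ALL"] = 1
            stock["#includedir /etc/sudoers.d"] = 1
        }
        /^[ \t]*$/ { next }                    # blank line
        /^#/ && !/^#include/ { next }          # comment; #include* is a directive, not a comment
        {
            line = $0
            gsub(/[ \t]+/, " ", line); sub(/^ /, "", line); sub(/ $/, "", line)
            if (!(line in stock)) print line
        }'
}

printf '%s\n' "$SAMPLE_GROUP" | extra_group_members student
printf '%s\n' "$SAMPLE_SUDOERS" | nondefault_sudoers
```

For the sample the group check reports `adm syslog`, `sudo badguy` and `nopasswdlogin mallory`, and the sudoers check prints only `badguy ALL=(ALL) NOPASSWD: ALL`, the one line that is not stock. The NOPASSWD tag is the detail to notice: it lets that account become root without even knowing its own password.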

Change the password for a user

The following command, run as super user, can be used to change a user's password:

sudo passwd USERNAME

If the SSH server is enabled we want to disable root login

Use the following command to see whether the secure shell (ssh) remote access daemon is running:

sudo netstat -lntp |grep "sshd"

Output like the following indicates that you have ssh running:

student@ubuntu:~$ sudo netstat -lntp | grep "sshd"
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      508/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      508/sshd

If it's running then let's edit the configuration file via:

gksudo gedit /etc/ssh/sshd_config

Find the line that starts with Protocol and make sure it is set to 2. It should look like this:

Protocol 2

Find the line that starts with PermitRootLogin and change it to this:

PermitRootLogin no

Note: Mint's sshd_config does not include a commented-out "PermitRootLogin" line, so you just need to add it to the file. Save the changes and exit. Before restarting, sudo sshd -t checks the file for syntax errors (it prints nothing when the file is valid). Then restart the service via:

sudo restart ssh

On Debian 7 and Mint 15 I had to use the service command to restart the service. (Actually Mint didn't have sshd installed by default.) The service command form is:

sudo service ssh restart

If SSH is running on the box and you decide to keep it, then in addition to the above you would need to add a firewall rule to allow the inbound connections. HOWEVER, do not allow any inbound connections in the firewall until after you have disabled any strange user accounts on the system.

Check for and remove services that are not required

There are at least five standard ways under Ubuntu that an application can be started automatically. Three happen when the system boots (SysV init scripts, Upstart jobs and /etc/rc.local), one is based on a time schedule (cron jobs) and one happens when a user logs in to the GUI. So let's start by checking for services that are running after the system starts up. Services are applications that listen on ports for network connections. If you find a service you think shouldn't be on the system, first disable it and make sure the system still functions; then, assuming nothing broke, I'd suggest you uninstall it.

To Check for services you can utilize the following command:

sudo netstat -lntup

(On newer systems where netstat is not installed, sudo ss -lntup shows the same information.)

This lists the listening services. Services that listen on 127.0.0.1 (or ::1) are only reachable from the machine itself and so are not as bad as services that listen on 0.0.0.0 (or ::), which are exposed to the network. The program name is at the end of each line; you need to run the command as root or the PID/Program column just shows "-". If you just want the service names you can run the following command:

sudo netstat -lntup | grep ':' | cut -d '/' -f 2 |sort -u

From this list the minimal set of services we want to keep are:

ssh (shows as sshd) – provides remote shell login
dnsmasq – does domain name resolution, that is, turning names like google.com into IP addresses
cupsd – is printer support
dhclient – is required if your computer gets a dynamic IP address assigned to it

If the scoring program is listed we obviously also want to keep that service. All other services are candidates for disabling and removal. So take the list of services you get from the netstat command, remove the ones mentioned above, and what remains is the list of services you most likely want to remove. I'd suggest looking the service names up on the internet to understand what you are about to disable or remove. To start with I'd disable the service so it doesn't run at start-up.
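Subtracting the keep-list from the netstat output by eye is easy to get wrong, so here is an added example, not part of the original guide, that does it: unexpected_listeners reads the output of sudo netstat -lntup on standard input, drops the programs in KEEP_PROGRAMS (sshd, dnsmasq, cupsd and dhclient, which is how the services named above appear in the program column), and prints the rest together with whether each is bound to all addresses ("exposed") or only to loopback ("local"). SAMPLE_NETSTAT is constructed output; the function name and the KEEP_PROGRAMS variable are mine.

```sh
# Added example (not from the original guide): find listeners outside the keep-list.
# Constructed "netstat -lntup" output: sshd, cupsd on loopback, a mysqld, a netcat
# listener on 4444, dhclient, and dnsmasq on loopback.
SAMPLE_NETSTAT=$(cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      508/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      612/cupsd
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1307/mysqld
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      2201/nc
tcp6       0      0 :::22                   :::*                    LISTEN      508/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           790/dhclient
udp        0      0 127.0.0.1:53            0.0.0.0:*                           880/dnsmasq
EOF
)

# Programs we expect to find listening (the keep-list from the text above).
KEEP_PROGRAMS="sshd dnsmasq cupsd dhclient"

# unexpected_listeners: stdin -> "PROGRAM PROTO LOCAL_ADDRESS SCOPE" for each
# listening socket whose program is not in KEEP_PROGRAMS. SCOPE is "exposed"
# when bound to 0.0.0.0 or :: (every address) and "local" otherwise. Sockets
# whose program column is "-" (netstat run without root) are skipped.
unexpected_listeners() {
    awk -v keep="$KEEP_PROGRAMS" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        $1 ~ /^(tcp|udp)6?$/ && $NF ~ /\// {
            split($NF, p, "/"); prog = p[2]
            if (prog in ok) next
            addr = $4
            scope = (addr ~ /^(0\.0\.0\.0|::):[0-9]+$/) ? "exposed" : "local"
            print prog, $1, addr, scope
        }'
}

printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners
```

On a real system run `sudo netstat -lntup | unexpected_listeners`. For the sample it prints `mysqld tcp 0.0.0.0:3306 exposed` and `nc tcp 0.0.0.0:4444 exposed`; a netcat listener on an arbitrary high port is the kind of thing to look up and almost certainly remove, and both are reachable from the network rather than just locally.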

Let's start by looking at SysV (that's System Five) start-up scripts. The tool rcconf can be used to see which SysV services are enabled on the system and to enable and disable them. The tool is not installed by default, so install it via:

sudo apt-get install rcconf

Once installed run the tool via:

sudo rcconf

If you get an error when you try to run it you probably need to install the following additional package:

sudo apt-get install dialog

Now try running the command again.

Anything scheduled to start at boot has a '[*]' before the service name. Use the arrow keys to move up and down and the space key to turn the '[*]' on and off. So disable any service from the list you built above and then click on < ok > to exit. Note you will see other applications that were not on the list from above that are started the SysV way on boot; you could look these up on the internet to see if there are any you might want to stop. I believe rsync runs by default, and I'd probably disable it, but be careful with any additional applications you disable, as you don't want to make the system inoperable. Whatever you do, don't stop the display manager (lightdm or gdm), as that's what starts the X11 GUI. In the event you stop something you shouldn't have, because rcconf isn't a GUI application you can log in at one of the <ctrl><alt><FX> text consoles, where X is 1-6, and run rcconf to turn it back on.

You need to reboot the system to verify these services stop, via:

sudo shutdown -r now

And then check for running services again via:

sudo netstat -lntup | grep ':' | cut -d '/' -f 2 |sort -u

If you still have services running that you want to stop then let's try the Upstart method.

The first thing to do is check whether Upstart can return a status for the service you want to disable by running:

sudo status SERVICE_NAME

Replace SERVICE_NAME with the name of the service in question. Note that if the program name ends with 'd' you probably need to drop that from the service name, so for mysqld the Upstart job is mysql. Running status for a service controlled by Upstart looks like this:

sudo status mysql
mysql start/running, process 1307

To stop the service run

sudo stop SERVICE_NAME

and then to keep the service from running on boot do the following:

sudo bash -c "echo 'manual' > /etc/init/SERVICE_NAME.override"

so

sudo bash -c "echo 'manual' > /etc/init/mysql.override"

will stop mysql (the mysqld daemon) from starting at boot time if it is controlled by Upstart.

If you disable any services in this way then restart the system to make sure it works

sudo shutdown -r now

And then check for running services again via:

sudo netstat -lntup | grep ':' | cut -d '/' -f 2 |sort -u

Should you decide you didn't really want to stop the service from running on boot simply remove the file you created with:

sudo rm /etc/init/SERVICE_NAME.override

If we still have running services let's check the /etc/rc.local file.

The default rc.local file looks like this:

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

exit 0

To see your rc.local file do:

sudo less /etc/rc.local

The lines that start with '#' are comments and can be ignored. So in the default file above you see it simply runs exit and doesn't start anything. If you see other lines in here then check those applications and decide whether you want to stop them. To disable them use gedit to edit the file:

gksudo gedit /etc/rc.local

To disable any command in this file simply put a # at the start of the line.

If anything was started in this manner and you comment it out, then you need to reboot the system to verify it works:

sudo shutdown -r now

And then check for running services again via:

sudo netstat -lntup | grep ':' | cut -d '/' -f 2 |sort -u

If you still have things running then maybe they are started as cron jobs.

Running the following looks for the service name in all of the system crontabs:

grep -R SERVICE_NAME /etc/cron*

Per-user crontabs live in /var/spool/cron/crontabs and are not under /etc/cron*, so also run sudo ls -l /var/spool/cron/crontabs and sudo crontab -l -u USERNAME for each user you found earlier.

There are two types of results that can come back from this, and they need to be handled differently. If you run the command and get output like this:

grep -R hourly /etc/cron*
/etc/crontab:*/5 * * * * root cd / && run-parts --report /etc/cron.hourly 2>&1 > /dev/null

the part before the first ':' (here /etc/crontab) is the name of the file that contains the matching line. If the file name is /etc/crontab then you need to edit /etc/crontab and disable the bad line via:

gksudo gedit /etc/crontab

You comment out lines by putting a # character at the start of the line and then save the file.

If the result looks more like this:

grep -R updater /etc/cron*
/etc/cron.hourly/updater:/bin/bash < /usr/share/updater/cmds

then the part before the ':' is again the name of the file containing the service name "updater" that I looked for, but this time the file is itself a script that cron runs. To disable it I'd simply move the file out of the cron directory via something like this:

sudo mv /etc/cron.hourly/updater ~/

This puts the file in the home directory of the user you are logged in with. Once again if you do either of the above to verify it works you need to restart the system.

sudo shutdown -r now

As cron jobs start on a schedule they are less likely to be running immediately after a reboot, so check again when you're done with all the other steps to make sure you don't have some bad service running again. There are additional instructions later on about checking all the crontabs for other things you don't want started.

The last method we'll look at for automatically starting jobs is the GUI login startup applications. On the GUI pick the icon at the top of the launcher that lets you search for applications, enter "sta", and the "Startup Applications" icon should be first in the list. Run "Startup Applications" and if there is something listed that you don't want you can uncheck the box in front of its name. Since Debian doesn't have the search field you have to open it directly from the menu "System Tools -> Preferences -> Startup Applications".

Mint 15 GUI login startup applications:

bluetooth Manager
Caribou
Ctrl Alt Backspace
mintUpdate
mintUpload
mintWelcome
Xhost +

(An entry that runs xhost + turns off the X server's access control, so it is worth checking exactly what that one does.)

Debian 7 GUI login startup applications:

AT-SPI D-BUS Bus
bluetooth Manager
Caribou
Certificate and Key Storage
Desktop Sharing
Disk Notifications
Evolution Alarm Notify
Files
GNOME Settings Daemon
GPG Password Agent
GSettings Data Conversion
Mount Helper
Network
Notification Daemon
Orca screen reader
Personal File Sharing
PolicyKit Authentication Agent
PulseAudio Sound System
Screensaver
Secret Storage Service
SSH Key Agent
Tracker File System Miner
Tracker Store
User folders update
Volume Control

Ubuntu 12.04 GUI login startup applications: nothing shows up in the default list, however I believe if you run this on VMware you might get a couple of VMware-based startup applications.

.bashrc terminal/remote login startup script

There is another file, .bashrc in the user's home directory, that gets run every time the user starts an interactive bash shell (a terminal window or an SSH login). The .bashrc does a lot of stuff by default to set up the environment, so it might be hard to find anything strange in this file without a lot of effort. I recommend you look at the end of the file. The default file ends with:

# enable programmable completion features (you don't need to enable
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
if [ -f /etc/bash_completion ] && ! shopt -oq posix; then
    . /etc/bash_completion
fi

So if you see commands after the above in the ~/.bashrc file then they should probably be considered for disabling. You can disable a line in this file by simply putting a # at the start of the line. The same check is worth doing on ~/.profile and ~/.bash_profile (run at login) and on the system-wide /etc/bash.bashrc and the files in /etc/profile.d/.

Look for packages that have been installed outside of a normal update

The objective of this section is to find packages that you might want to remove. Netcat and nmap are probably two I'd be looking to remove. You can use one of the GUIs to remove a package, or there is a section below where I show the apt-get way of removing a package.

Ubuntu package management

Log in as the main user account and then click on the Ubuntu Software Center icon. Once the tool comes up, click on the History button. Pick the most recent days to see what has been installed. One problem here is that you see both the package the user selected and any dependency packages required by it. With this in mind, if you look at the date associated with the installed packages, dependency packages should have about the same install time as the package the user picked. So by grouping on time you can focus on the packages that were installed together. There is no easy way to tell from this list which package the user actually asked for. If you update the packages on the system there will be a lot of packages and their dependencies all installed at about the same time, which is one reason I suggest you look for installed packages first, before updating.

Mint package management

I couldn't find any good way on a Mint GUI to find out what was installed when.

Debian package management

Debian has the Add/Remove Software GUI tool, reached from the menu "Applications -> System Tools -> Add/Remove Software". Once the tool is up, the menu bar has "System -> Software Log". This seems to be the best way from a GUI to look at what was installed.

Checking for what apt-get (package management) commands have been run to install packages

If from the previous step it's pretty clear what has been added to the system you probably don't have to do the following. However, most people that compromise systems do it from the command prompt, and if they did so on the system we're looking at then the command-line tool's log includes enough information to tell exactly what was installed, without the long list of dependency packages. If you want to try this, log in as the main user account (Ubuntu desktop) and start a command-line terminal: click on the top icon on the launcher, which brings up the search option, type ter and it should display the Terminal icon; double click it. Now in the terminal window become super user with the sudo command:

sudo bash

Get into the log directory for the package installer:

cd /var/log/apt

and list the files to see if there are any that end with .gz, indicating they are compressed.

ls

If you see files with the .gz extension then run this long command to see what has been installed

( zcat $( ls -tr /var/log/apt/history.log*.gz ) ; cat /var/log/apt/history.log ) | egrep '^(Start-Date:|Commandline:)' | grep -v aptdaemon | egrep '^Commandline:'

If there are no files ending with .gz, simply do the following to see what has been installed:

cd /var/log/apt
grep '^Commandline' history.log

Both of the above commands will show you which packages have been installed and in what order. We’re looking for packages that were individually installed, so their lines will look like “apt-get install …”. The packages are listed in the order they were installed, so the ones at the bottom of the list are the ones we should question most.

Note that someone could remove log entries so this may not show everything.

Doing the following will store this information in a file where we can look at it more easily later:

grep '^Commandline' history.log > ~/installed-packages.txt

Output from this command will be stored in a file named installed-packages.txt in the home directory of the user we're logged in as. If you bring up the file browser from the GUI you should see this file and can access its contents.

A variation of the above command can be used to also pull out the date and time when each package was installed:

( zcat $( ls -tr /var/log/apt/history.log*.gz ) ; cat /var/log/apt/history.log ) | egrep '^(Start-Date:|Commandline:)' | grep -v aptdaemon | egrep -B1 '^Commandline:'

Getting the date and time might be useful as someone dropping tools from the package manager would probably do multiple things on the same day. Also newly installed packages are more likely to be the ones the bad guy installed unless the machine has been compromised for a long time.
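The same extraction as the two commands above, written as a reusable shell function so the date is paired with each typed command on one line. This is an added example, not part of the original guide. It assumes the standard /var/log/apt layout (history.log plus rotated history.log.N.gz files) and builds a constructed two-file log directory so it can be run offline; the package names and dates in the sample are made up.

```shell
#!/bin/sh
# Added example (not from the original guide): replay every apt history log,
# oldest rotated .gz first, and print "date | command" for each manually
# typed apt command, dropping the aptdaemon (Software Center) entries.
# Assumed log layout: LOGDIR/history.log plus LOGDIR/history.log.N.gz rotations.

# list_apt_installs LOGDIR
list_apt_installs() {
    logdir="$1"
    {
        # rotated logs first; ls -tr sorts by modification time, oldest first
        for f in $(ls -tr "$logdir"/history.log*.gz 2>/dev/null); do
            zcat "$f"
        done
        # the current, uncompressed log is always the newest
        [ -f "$logdir/history.log" ] && cat "$logdir/history.log"
    } | awk '
        /^Start-Date:/ { stamp = substr($0, 13) }      # remember the block date
        /^Commandline:/ && !/aptdaemon/ {               # keep only typed commands
            print stamp " | " substr($0, 14)
        }'
}

# Builds a constructed two-file log directory (sample data, not a real host).
make_sample_apt_log() {
    d=$(mktemp -d)
    cat > "$d/history.log.1" <<'EOF'
Start-Date: 2013-09-10  08:00:01
Commandline: aptdaemon role='role-commit-packages' sender=':1.67'
Install: libxml2:amd64 (2.8.0+dfsg1-7ubuntu3)
End-Date: 2013-09-10  08:00:30

Start-Date: 2013-09-11  21:14:02
Commandline: apt-get install tree
Install: tree:amd64 (1.6.0-1)
End-Date: 2013-09-11  21:14:20
EOF
    gzip "$d/history.log.1"              # becomes history.log.1.gz
    cat > "$d/history.log" <<'EOF'
Start-Date: 2013-09-13  21:50:12
Commandline: apt-get install apache2
Install: apache2:amd64 (2.2.22-6ubuntu5)
End-Date: 2013-09-13  21:50:40
EOF
    echo "$d"
}

# usage on a real host: list_apt_installs /var/log/apt
```

The output is oldest first, so the commands to question most are at the bottom, exactly as with the guide's own pipeline; the difference is only that the date and the command arrive on one line, which is easier to save and sort.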

Use the /var/log/dpkg.log file to look for installed packages
This file includes a complete list of everything installed, and looking across all the Debian based distros it may provide the best method for seeing what was installed. I’d suggest you run the following commands to pull out the installed lines:

sudo grep " install " /var/log/dpkg.log* > /tmp/install.log

gksudo gedit /tmp/install.log

When looking at the log records, use the date to find things that were installed by themselves. A couple of lines installed within a few seconds of each other are more likely to reveal something interesting, versus a large set of log records all within a few seconds of each other.

If you wanted a list of every package installed you could do something like this

dpkg --get-selections
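The time grouping described above can be automated: the added example below (not from the original guide) reads the " install " records of a dpkg.log, splits them into bursts whenever more than GAP seconds pass between consecutive installs, and lets you list only the small bursts, which are the ones a user most likely installed by hand. The dpkg.log lines are constructed sample data, and the GAP threshold and the small-burst cut-off MAX are my own parameters.

```shell
#!/bin/sh
# Added example (not part of the original guide): group the "install" records
# of /var/log/dpkg.log into bursts so that packages installed on their own
# stand out from large update runs. GAP (seconds) and MAX are my own parameters.

# dpkg_install_bursts LOGFILE [GAP]
# Prints one line per burst: "<date> <time> <count> <pkg> <pkg> ..."
dpkg_install_bursts() {
    logfile="$1"
    gap="${2:-60}"
    grep ' install ' "$logfile" | awk -v gap="$gap" '
        # Approximate, monotonic second counter built from the timestamp fields.
        # Exact calendar arithmetic is unnecessary: any day boundary is a gap
        # far larger than any sensible GAP value.
        function secs(d, t,    a, b) {
            split(d, a, "-"); split(t, b, ":")
            return (a[1] * 366 + a[2] * 31 + a[3]) * 86400 + b[1] * 3600 + b[2] * 60 + b[3]
        }
        function emit(    i, line) {
            line = start " " n
            for (i = 0; i < n; i++) line = line " " pkgs[i]
            print line
            n = 0
        }
        {
            now = secs($1, $2)
            pkg = $4; sub(/:.*/, "", pkg)          # strip the :amd64 architecture suffix
            if (n > 0 && now - last > gap) emit()  # silence longer than GAP ends a burst
            if (n == 0) start = $1 " " $2
            pkgs[n++] = pkg
            last = now
        }
        END { if (n > 0) emit() }'
}

# small_install_bursts LOGFILE [GAP] [MAX]: only bursts of at most MAX packages.
small_install_bursts() {
    dpkg_install_bursts "$1" "${2:-60}" | awk -v max="${3:-2}" '$3 <= max'
}

# Constructed sample log in the dpkg.log format (not from a real host).
make_sample_dpkg_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
2013-09-05 19:30:01 startup packages configure
2013-09-05 19:30:02 install libxml2:amd64 <none> 2.8.0+dfsg1-7ubuntu3
2013-09-05 19:30:03 status unpacked libxml2:amd64 2.8.0+dfsg1-7ubuntu3
2013-09-05 19:30:05 install libgcrypt11:amd64 <none> 1.5.0-3ubuntu2
2013-09-05 19:30:09 install libgnutls26:amd64 <none> 2.12.23-1ubuntu1
2013-09-13 21:50:12 install apache2:amd64 <none> 2.2.22-6ubuntu5
2013-09-13 21:50:13 status installed apache2:amd64 2.2.22-6ubuntu5
2013-09-14 07:29:40 install rcconf:all <none> 3.0.0
EOF
    echo "$f"
}

# usage on a real host: small_install_bursts /var/log/dpkg.log 60 2
```

On the sample data the three libraries installed within seven seconds form one burst of three, while apache2 and rcconf each stand alone; with the default cut-off of two packages only the last two bursts are reported, which matches the guide's advice to look at the small groups first.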

Remove undesirable packages
The following command can be used to remove an undesirable package:

apt-get remove PACKAGE_NAME

Look for bad things users may have done on the system, like installing software

Check history for all users that have logged in
We want to look at the history files for all users that have logged in to the system so we can see what they have been doing. The history is stored in each user’s home directory as “.bash_history”. Each user may or may not have a history file, and it’s possible that the user put the “unset HISTFILE” command in either their “.bashrc” or “.bash_profile” file to stop history collection.

When looking at the history file we want to look for indications that the user installed packages; if it’s not the main user then we probably want to uninstall the package. If it’s the main user and the package doesn’t seem to be required, consider removing it also. We also want to look at the history file to see if we can find ways the user might gain root access, via something like “sudo”, “su” or some other command they dropped on the system. We also want to look for indications of the user messing with files in the “/etc” directory. The /etc directory contains system configuration files.

To look at the history file I would start with the main user account, the one we log in to. Simply login to the GUI, bring up a terminal window and enter the following command at the command prompt:

less .bash_history

We use the less command here because it allows you to move forward and backwards when looking at the file.

To look at the history files for other users you first have to find the location of their home directory. You can do this from the command prompt by searching the /etc/passwd file. For our main user account the user is “student”; you can find out your own user name by entering the “whoami” command at the command prompt. So to search for the home directory of student, do the following at the command prompt:

grep student /etc/passwd |cut -d ':' -f 1,6

Which would show the following:

student:/home/student

With /home/student being the home directory. To see what files exist in the home directory we need to be super user, and then at the command prompt we can run:

ls -la /home/student

This command lists all files, including hidden files, in the user’s home directory. If you see the .bash_history file then use the “less” command to look at its contents:

less /home/student/.bash_history

Starting with the grep command above, we want to do the above for all users that have logged into the system, replacing student with the other user names.

Look for files these users placed on the system
Once you have a list of users that have accessed the system you can use the following command to find files that these users have placed on the system:

sudo find / -user USERNAME -type f -exec ls -l {} \; 2>/dev/null |grep -v " /proc/" | grep -v " USER_HOME_DIR"

Replace USERNAME and USER_HOME_DIR with the values you found above. If you're going to delete the user's account then any files found should probably also be deleted; however, you have to be careful as the user may have made themselves the owner of some system configuration or executable file.

sudo find /etc -user USERNAME -not -path "USER_HOME_DIR/*" -exec dpkg -S {} \; 2>&1 |grep -v "find: "

Lines that include “no path found matching ...” indicate the file or directory was not part of an installed package so you should be fine to delete them.


This assumes you have a user name from earlier, where you looked for users on the system. To find the USER_HOME_DIR you could do the following:

grep USERNAME /etc/passwd | cut -d ':' -f 6

You may see stuff in /var, /dev and /tmp which most likely don’t matter as they are probably temporary files. Of the files the user dropped on the system the most important would be ones that show up in the directories associated with the environment variable $PATH. When you enter a command at the command line, the directories indicated in $PATH are the directories the shell searches for the command executable. So first display this list of directories via:

echo $PATH

Which should return something like this:

/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games

The ‘:’ separates the directory names. If you are root and you do this you will also get the directories /sbin and /root/bin. We wouldn’t need to worry about the last entry on the line, as that’s the user’s home directory, and once we remove their home directory this check would be fine.

So using this list of directory names we could run the following to see if the user in question dumped any files in these directories:

sudo find /usr/local/sbin -user USERNAME -ls
sudo find /usr/local/bin -user USERNAME -ls
sudo find /usr/sbin -user USERNAME -ls
sudo find /usr/bin -user USERNAME -ls
sudo find /sbin -user USERNAME -ls
sudo find /bin -user USERNAME -ls
sudo find /usr/games -user USERNAME -ls
sudo find /usr/local/games -user USERNAME -ls

If you find the user owns a file in any of the above directories you should check to see if that file is associated with a package via:

dpkg -S FILENAME_PATH_IN_QUESTION

So if one of the find commands above indicated the user owned the executable “/usr/sbin/rcconf”, you could do:

sudo dpkg -S /usr/sbin/rcconf

which would return something like:

rcconf: /usr/sbin/rcconf

so we could force re-installing this package to overwrite whatever this user did via:

apt-get install --reinstall rcconf

Note that the above may not work right if someone deleted the package cache files. If that command doesn’t work, install apt-file via “sudo apt-get install apt-file”, update its cache by running “sudo apt-file update”, and then you can look up the owning package via “sudo apt-file search FILENAME_PATH_IN_QUESTION”.

If when you did the “dpkg -S” it returns “dpkg-query: no path found matching pattern /usr/sbin/rcconf” then you can delete the file without worrying about it impacting the system.

You probably also want to see if the user messed around with any of the configuration files in /etc, which you can do via:

sudo find /etc -user USERNAME -ls

If you find the user messed with a configuration file you can force it back to the original value by reinstalling the package the same way we did above for the executable.

In addition to checking for files the user owned you could check for files that have the user’s group. To find the user's group name either use the user management GUI tool or the following command, which pulls it out for you:

grep USERNAME /etc/passwd |cut -d ':' -f 4 | xargs -I{} grep "^[^:]*:[^:]*:{}:" /etc/group |cut -d ':' -f 1

Once you have the user's group you can run the following commands to look for files that are also in the user's group:

sudo find /usr/local/sbin -group GROUPNAME -ls
sudo find /usr/local/bin -group GROUPNAME -ls
sudo find /usr/sbin -group GROUPNAME -ls
sudo find /usr/bin -group GROUPNAME -ls
sudo find /sbin -group GROUPNAME -ls
sudo find /bin -group GROUPNAME -ls
sudo find /usr/games -group GROUPNAME -ls
sudo find /usr/local/games -group GROUPNAME -ls

If you find files that match this user’s group but that the user does not own, then do the “dpkg -S” check as you did above and if need be reinstall the associated package.

Remove any of the user accounts discovered above that we don’t want on the system
From the terminal window you can run the following command to remove a user from the system:

sudo userdel USERNAME

Obviously you replace USERNAME with the name of the user to be deleted. Assuming you’re done with the files in the user’s home directory you can also include the “-r” flag on the command. The “-r” flag tells the command to remove the user's home directory along with their account. So the following would be the preferred way to remove a user account with all data in their home directory:

sudo userdel -r USERNAME

Run system updates
NOTE: They indicated that we will have a slow network connection. If that is the case then the first thing we would want to update would be the specific applications that listen for network connections that we have been instructed to keep on the system. So if we’re told one machine is a Web server then we would want to individually update the web server application, which would most likely be apache. NOTE: Also, when doing software updates you need to determine if the release installed on the system is still under active support. At the top of this document I listed the versions that are under active support. Any machine that is running a version that is NOT under active support should also have a version upgrade performed.

You can run system updates from the “Update Manager” command. Debian calls the tool “Software Update”. For Mint and Ubuntu you can search for “update” and click on the “Update Manager” icon. As Debian doesn’t have a search field, you find the tool under “System Tools->Software update”. The system should check for updates to be installed and display the list. If nothing is displayed then click the “Check” button, at which point packages available for update should be listed. Assuming something is listed, click on the “Install Updates” button. When that finishes click the “Check” button again to make sure all updates were installed. If there are additional packages, run “Install Updates” again and continue like this until nothing is listed as needing to be installed. When we worked on the first VM we were provided, this did not fully work. We were able to get around the error by running the command line update tool. You execute the following two lines to run the command line tool:

sudo apt-get update
sudo apt-get upgrade

On the upgrade it will list what is going to be updated and prompt if you want to do the update. The default is yes, so simply hit the Enter key if you want to do the package upgrade.

Make sure key files have the correct ownership and permissions

Check the top directory, known as the root directory:
ls -ld /
should be:
drwxr-xr-x 25 root root 4096 Sep 13 20:57 /

Check the directory where all the configuration files are stored:
ls -ld /etc
should be:
drwxr-xr-x 134 root root 12288 Sep 17 19:30 /etc

Check the file that has all the valid users:
ls -l /etc/passwd
should be:
-rw-r--r-- 1 root root 1954 Sep 17 19:24 /etc/passwd

Check the file that has the passwords for all the valid users:
ls -l /etc/shadow
should be:
-rw-r----- 1 root shadow 1442 Sep 17 19:30 /etc/shadow

Check the file that allows users to gain super user access:
ls -l /etc/sudoers
should be:
-r--r----- 1 root root 761 Sep 13 19:53 /etc/sudoers

If any of the above are different, fix this. Change the ownership with “chown” and the permissions with “chmod”.

Check main executable directories

ls -ld /bin /sbin /usr/bin/ /usr/sbin

drwxr-xr-x 2 root root 4096 Jun 23 08:42 /bin
drwxr-xr-x 2 root root 12288 Aug 30 20:26 /sbin
drwxr-xr-x 2 root root 40960 Sep 5 19:32 /usr/bin/
drwxr-xr-x 2 root root 12288 Sep 5 19:32 /usr/sbin
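The ownership and permission checks above can be run as one table-driven script instead of nine separate ls commands; this is an added example, not from the original guide. It uses GNU stat's -c format, which is what Debian, Ubuntu and Mint ship, and its baseline table simply restates the expected owner, group and mode values listed above. The files it creates for testing are constructed and owned by whoever runs the script, so the baseline for them is generated at run time.

```shell
#!/bin/sh
# Added example (not part of the original guide): table-driven check of the
# ownership and permissions the guide expects on key files and directories.
# Relies on GNU stat's -c format, standard on Debian, Ubuntu and Mint.

# Expected "path owner group mode" rows, taken from the listings in this guide.
baseline_perms() {
    cat <<'EOF'
/ root root 755
/etc root root 755
/etc/passwd root root 644
/etc/shadow root shadow 640
/etc/sudoers root root 440
/bin root root 755
/sbin root root 755
/usr/bin root root 755
/usr/sbin root root 755
EOF
}

# Reads "path owner group mode" rows on stdin, prints one line per problem and
# returns 1 if anything is missing or differs, 0 if every row matches.
check_perms() {
    rc=0
    while read -r path owner group mode; do
        [ -z "$path" ] && continue
        case "$path" in "#"*) continue ;; esac        # allow comment rows
        # stat needs only search permission on the parent, so /etc/shadow is fine
        if ! actual=$(stat -c '%U %G %a' "$path" 2>/dev/null); then
            echo "MISSING  $path"
            rc=1
            continue
        fi
        if [ "$actual" != "$owner $group $mode" ]; then
            echo "MISMATCH $path expected '$owner $group $mode' got '$actual'"
            rc=1
        fi
    done
    return $rc
}

# usage on a real host: baseline_perms | check_perms || echo "fix with chown/chmod"
```

Every line of output is something to repair with chown or chmod as the guide says; silence and a zero exit status mean all nine entries are as expected.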

Running Virus Scanner
We want to install clamav and a GUI for it, so run:

sudo apt-get install clamav
sudo apt-get install clamtk

Hit Enter when prompted to take the default 'Y' and install the package. This should have updated the signatures when it did the install, but just in case it didn't, run the following:

sudo freshclam

NOTE: when we tried freshclam on fedora the clamAV configuration file was installed with the configuration file containing a line indicating it was an example file. We had to comment out the example line in the configuration file to get the scan to work. Don’t make the same mistake again.

Look at the output and make sure it tells you the main.cvd and daily.cvd files are up to date.

We installed a gui that we can now use to kick off a scan of the full system:

gksudo clamtk

Once the program opens, click Preferences and check the first three items under the “Scanning Preferences” tab:
Scan Files beginning with a dot (.*)
Scan all files and directories within a directory
Enable extra scan setting

Click Close to save these options. Click on Scan -> Recursive Scan. Select “File System” and select the OK button. It will take a few seconds but this should kick off a scan. I expect the full scan could take an hour, so you probably want to do some other stuff while this is running.

Look for commands with sticky bit set
NOTE: When doing the commands below on Fedora we had to use the full permission, so if you don’t find any files please try the commands with “-perm 4755”, “-perm 4750”, “-perm 4700”, “-perm 5755”, “-perm 5750” and “-perm 5700” to see if these return anything of interest.

The sticky bit allows executables to be run with the permissions of the owner of the file. So if a file is owned by root with the sticky bit set and the file is executable, then the file can possibly be executed as super user. The following command will look for executables set in this way.

sudo find / -type f -perm +4000 -exec ls -l --time-style=long-iso {} \; 2> /dev/null |sort -r -k 6

The find command looks for files with the sticky bit set, and then the “-exec” option runs another command, so we're running the “ls” command telling it to print out the date in a format that will be easy to sort. As find will be looking across the full disk there will be some errors, so we use “2>/dev/null” to route the errors to the bit bucket, and then we sort the output on the 6th field, which is the date, in reverse order so new files show first. I sort this way as the newer commands have a higher probability of being installed by a malicious actor.

The output of the above would look something like this:

sudo find / -type f -perm +4000 -exec ls -l --time-style=long-iso {} \; 2> /dev/null |sort -r -k 6
-rwsr-xr-t 1 root root 8698 2013-09-14 07:29 /home/mrdon/.mystepup
-rwsr-xr-t 1 root root 8698 2013-09-13 21:54 /bin/apache1
-rwsr-xr-t 1 root root 5491 2013-09-13 21:28 /var/www/pretty.php

Anything listed here is a definite candidate for removal. The name of the executable is the last field on the line. You can run the following command to see if any installed package included the files listed above:

sudo find / -type f -perm +4000 -exec dpkg -S {} \; 2>&1 |grep -v "find: "

The output of this might look like this:

sudo find / -type f -perm +4000 -exec dpkg -S {} \; 2>&1 |grep "no path"
dpkg-query: no path found matching pattern /bin/apache1.
dpkg-query: no path found matching pattern /var/www/pretty.php.
dpkg-query: no path found matching pattern /home/mrdon/.mystepup.

Once again the last field of the line is the executable with the sticky bit set. Any of the lines that have the phrase “no path found matching pattern” were not installed via a valid package, meaning someone simply dropped the executable on the system, so these most definitely should be removed from the system. You can remove these files with the rm command like this:

rm /bin/apache1

A lot of commands are installed during system load with both the user and group sticky bits set. Look for them via:

sudo find / -type f -perm -6000 -exec ls -l --time-style=long-iso -d {} \; 2> /dev/null |sort -r -k 6

Once again we sort the output so the newest files show up first, as they are the ones you most likely want to check out. To give you an idea of the files you might expect to find the following are what was found on a cleanly installed system:

sudo find / -type f -perm -6000 -exec ls -l --time-style=long-iso -d {} \; 2> /dev/null |sort -r -k 6
-r-sr-xr-x 1 root root 10224 2013-09-13 17:27 /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
-r-sr-xr-x 1 root root 9532 2013-09-13 17:27 /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
-rwsr-xr-- 1 root messagebus 292944 2013-06-13 07:55 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-sr-x 1 root root 10184 2013-05-27 23:58 /usr/bin/X
-rwsr-xr-x 1 root lpadmin 14688 2013-05-13 08:06 /usr/bin/lppasswd
-rwsr-xr-x 1 root root 240984 2013-04-11 02:30 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 71288 2013-02-27 12:54 /usr/bin/sudoedit
-rwsr-xr-x 1 root root 71288 2013-02-27 12:54 /usr/bin/sudo
-rwsr-xr-x 1 root root 10592 2013-01-28 04:00 /usr/lib/pt_chown
-rwsr-xr-x 1 root root 42824 2012-09-12 15:29 /usr/bin/passwd
-rwsr-xr-x 1 root root 32352 2012-09-12 15:29 /usr/bin/newgrp
-rwsr-xr-x 1 root root 63848 2012-09-12 15:29 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 37096 2012-09-12 15:29 /usr/bin/chsh
-rwsr-xr-x 1 root root 41832 2012-09-12 15:29 /usr/bin/chfn
-rwsr-xr-x 1 root root 36832 2012-09-12 15:29 /bin/su
-rwsr-xr-x 1 root root 14696 2012-05-17 00:40 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 23208 2012-05-17 00:40 /usr/bin/pkexec
-rwsr-sr-x 1 libuuid libuuid 18856 2012-03-29 22:34 /usr/sbin/uuidd
-rwsr-xr-x 1 root root 69096 2012-03-29 22:34 /bin/umount
-rwsr-xr-x 1 root root 94792 2012-03-29 22:34 /bin/mount
-rwsr-xr-x 1 root root 31304 2012-03-02 07:35 /bin/fusermount
-rwsr-xr-x 1 root root 10408 2011-12-13 01:50 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 18912 2011-11-08 05:26 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 18808 2011-11-08 05:26 /usr/bin/arping
-rwsr-xr-x 1 root root 40256 2011-11-08 05:26 /bin/ping6
-rwsr-xr-x 1 root root 35712 2011-11-08 05:26 /bin/ping
-rwsr-sr-x 1 daemon daemon 47928 2011-10-25 07:45 /usr/bin/at
-rwsr-xr-x 1 root root 62400 2011-07-28 13:05 /usr/bin/mtr
-rwsr-xr-- 1 root dip 325744 2011-02-04 00:42 /usr/sbin/pppd

You can find executables that were dropped on the system and were not part of a normal install package via:

sudo find / -type f -perm -4100 -exec dpkg -S {} \; 2>&1 |grep -v "find: "

Which will give output like this, with the ones that have “no path found” being executables that were just dropped on the box and not installed with a package:

sudo find / -type f -perm -4100 -exec dpkg -S {} \; 2>&1 |grep -v "find: "
[sudo] password for student:
iputils-ping: /bin/ping
iputils-ping: /bin/ping6
mount: /bin/umount
fuse: /bin/fusermount
login: /bin/su
mount: /bin/mount
dpkg-query: no path found matching pattern /bin/apache1.

Any executable not part of a package should be considered for removal.
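dpkg -S answers “which package owns this path” by searching the per-package file lists under /var/lib/dpkg/info/*.list, so the check above can be done against those lists directly. The added example below (not from the original guide) finds setuid files under a root directory and flags any path that appears in no .list file. It uses find's -perm /4000 form, which GNU find has accepted since the 4.2 series, where the +4000 spelling used above is rejected by newer releases (the Fedora note above is the same problem). The mode bit it tests, 4000, is the setuid bit, which the text above refers to as the sticky bit. The directory tree, the setuid files and the single iputils-ping.list it builds are constructed sample data.

```shell
#!/bin/sh
# Added example (not part of the original guide): list setuid files under ROOT
# and say whether each path is claimed by an installed package. dpkg -S works by
# searching /var/lib/dpkg/info/*.list, so the same lists are consulted here,
# which also lets the check run against a constructed tree for testing.

# find_unpackaged_setuid [ROOT] [INFODIR]
# Output, sorted by path: "packaged   /path" or "UNPACKAGED /path".
find_unpackaged_setuid() {
    root="${1:-/}"
    root="${root%/}"                     # "" for /, otherwise no trailing slash
    infodir="${2:-/var/lib/dpkg/info}"
    # -perm /4000: any file with the setuid bit, whatever the other bits are.
    find "${root:-/}" -type f -perm /4000 2>/dev/null | sort | while read -r f; do
        rel="${f#"$root"}"               # path as dpkg records it, relative to ROOT
        if grep -qxF -- "$rel" "$infodir"/*.list 2>/dev/null; then
            echo "packaged   $rel"
        else
            echo "UNPACKAGED $rel"
        fi
    done
}

# Constructed sample tree: one packaged setuid binary, two dropped ones, and a
# non-setuid file that must not be reported. Nothing here comes from a real host.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/home/mrdon" "$d/dpkginfo"
    printf '#!/bin/sh\necho ping\n' > "$d/bin/ping";             chmod 4755 "$d/bin/ping"
    printf '#!/bin/sh\necho hi\n'   > "$d/bin/apache1";          chmod 4755 "$d/bin/apache1"
    printf '#!/bin/sh\necho hi\n'   > "$d/home/mrdon/.mystepup"; chmod 4755 "$d/home/mrdon/.mystepup"
    printf '#!/bin/sh\necho ls\n'   > "$d/bin/ls";               chmod 755  "$d/bin/ls"
    printf '/.\n/bin\n/bin/ping\n'  > "$d/dpkginfo/iputils-ping.list"
    echo "$d"
}

# usage on a real host (as root): find_unpackaged_setuid / /var/lib/dpkg/info
```

The UNPACKAGED lines correspond to the “no path found matching pattern” lines of dpkg -S above; the packaged lines still deserve a look if their dates are recent, since a package can be reinstalled with a modified file, but they are at least accounted for.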

Look for cronjobs that are scheduled to run
Pay attention to cronjobs in the /etc/cron.daily, /etc/cron.hourly, /etc/cron.weekly and /etc/cron.monthly directories, as they all run as super user. Do the following to find out if any are newly added:

ls -lt /etc/cron.daily
ls -lt /etc/cron.hourly
ls -lt /etc/cron.weekly
ls -lt /etc/cron.monthly

The -lt puts the newest at the top, and the ones at the top are the most likely to have been changed. So for the ones at the top, search the internet to see if they make sense for Ubuntu. This is the default list I have on a clean desktop install; you can use this to compare with what you have installed. Notice all the dates are from 2012 or earlier, so any file with a 2013 date would be suspect:

ls -lt /etc/cron.daily /etc/cron.hourly /etc/cron.weekly /etc/cron.monthly/
/etc/cron.hourly:
total 0

/etc/cron.daily:
total 68
-rwxr-xr-x 1 root root 1365 Dec 28 2012 man-db
-rwxr-xr-x 1 root root 214 Sep 10 2012 update-notifier-common
-rwxr-xr-x 1 root root 15399 Apr 20 2012 apt
-rwxr-xr-x 1 root root 256 Apr 12 2012 dpkg
-rwxr-xr-x 1 root root 219 Apr 10 2012 apport
-rwxr-xr-x 1 root root 249 Apr 8 2012 passwd
-rwxr-xr-x 1 root root 2947 Apr 2 2012 standard
-rwxr-xr-x 1 root root 502 Mar 31 2012 bsdmainutils
-rwxr-xr-x 1 root root 384 Dec 30 2011 cracklib-runtime
-rwxr-xr-x 1 root root 372 Oct 4 2011 logrotate
-rwxr-xr-x 1 root root 606 Aug 17 2011 mlocate
-rwxr-xr-x 1 root root 2417 Jul 1 2011 popularity-contest
-rwxr-xr-x 1 root root 311 Jun 20 2010 0anacron

/etc/cron.weekly:
total 12
-rwxr-xr-x 1 root root 907 Dec 28 2012 man-db
-rwxr-xr-x 1 root root 730 Dec 30 2011 apt-xapian-index
-rwxr-xr-x 1 root root 312 Jun 20 2010 0anacron

/etc/cron.monthly/:
total 4
-rwxr-xr-x 1 root root 313 Jun 20 2010 0anacron

You also need to look at /etc/crontab, as this not only controls running the above but can also have cron jobs for individual users:

cat /etc/crontab

You're simply checking to see if any other crontab entries are listed and, if they are, what they are. The following is what a clean install looks like for /etc/crontab:

# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

If there are other lines in /etc/crontab you might want to use gedit to edit the file and remove the additional crontab entries.

Individual users on the system can have their own crontab that you might want to remove
Crontab files for individual users are found in the directory /var/spool/cron/crontabs/. You can look for user crontab files via:

sudo find /var/spool/cron/crontabs/ -type f -ls

The output would look something like this:

sudo find /var/spool/cron/crontabs/ -type f -ls
415225 4 -rw------- 1 student crontab 1121 Sep 21 12:58 /var/spool/cron/crontabs/student
414904 4 -rw------- 1 mrdon crontab 1124 Sep 21 13:08 /var/spool/cron/crontabs/mrdon

The last field is the filename, so you should look at the contents to see what they are running via:

sudo less /var/spool/cron/crontabs/student
and then
sudo less /var/spool/cron/crontabs/mrdon

Unless you have some reason to believe the user specific crontabs are required I'd recommend moving them out of this directory so they don't run. Do the following for each file:

sudo mv /var/spool/cron/crontabs/USERNAME ~/

Replace USERNAME with the name from the find above. This will move the crontab into the home directory of the user you are logged in as. This way, if you decide you need the crontab entry back you can move it back via:

sudo mv ~/USERNAME /var/spool/cron/crontabs/

If the main login account is the root login account then we want to make a new user account, give the new user administrator privileges and then disable the root account

After logging in run the following command:

whoami

If it says you are root then we want to create a new user account. If it says you are someone else then we want to verify that you don't have super user privileges. You can check this by trying the following commands. First let's make sure the /etc directory has the correct permissions, which would mean it is owned by root and only root has write privileges. Check this by doing the following:

ls -ld /etc

Which should give you a line like this:

drwxr-xr-x 133 root root 12288 Sep 17 17:12 /etc

The “d” tells us this is a directory, the “root root” tells us the directory is owned by user root and group root, and then from left to right rwxr-xr-x says the owner (root) has read, write and execute privileges (rwx), the group has read and execute privileges (r-x), and all other users have read and execute privileges (last r-x). If this isn't set right we can correct it via the following two commands:

sudo chown root: /etc

sudo chmod 755 /etc

Once you're sure that this directory is owned by root then do the following to make sure we can't write in the directory (you do not want to do this as sudo):

touch /etc/mytestfile

which will provide the following response if you are not root:

touch: cannot touch `/etc/mytestfile': Permission denied

If you get the command prompt back without any other output then you must be super user.

The following is from Ubuntu; I expect it is slightly different for Debian and Mint. To add a new administrator account you need to select the “System Settings” icon off the menu bar and then, when that tool comes up, select the “User Accounts” icon. At the bottom left hand corner of this tool's window is a “+” and “-” sign. Click on the “+” to add an account. It will pop up a window asking for the Full Name and the Username. The full name is what will be displayed on the GUI, while the Username is the real username used by the system. Enter “My Account” for the full name and it should fill in the username as myaccount automatically. Select the “Account Type” as administrator and click on the create button. Now click on the “account disabled” under “Login Options”, enter a password for the account that you can remember but isn't easy to guess, and hit the change button. Now log off the current account and verify you can login to your new account. Assuming you can log in, bring up the “User Accounts” tool under this user. Click the unlock icon at the top of the page and then click on the original account name. Click on the password under “Login Options”. Select “Disable this account” and then hit the change button. Doing this sets the password in /etc/shadow to a value that can't be entered, thus disabling the account.

Check if root user has an active password
If the root user has an active password we want to change it to something else, as we don't want anyone else getting into the system using it. So to see if the root user has a valid password do the following:

sudo grep root /etc/shadow | cut -d ':' -f 2

This will return a string of characters. If the first character is '!' then the root user account is currently disabled, which is good. If it is not a '!' then use the following command to change the password to something you can remember for now:

sudo passwd root

If the root account has an active password and you reset it, you will need to disable it before you're done with the exercise, as this is probably a point. I recommend you hold off disabling it for now just in case you need it to get in and fix something. Instructions for disabling it are provided later in this document.

Make sure all users on the GUI login screen are required to provide a password
NOTE: this is only an Ubuntu thing. For any user you want to keep on the system who shows up on the GUI and doesn’t have a password requirement, do the following: select the “System Settings” tool and then the “User Accounts” icon. Click the Unlock button in the top right of the user accounts tool (assuming you are not super user already). Enter your password, then click on the user you want to change the password requirement for. Click on the word None next to Password under Login Options and set a password for the account.


Disable guest account login

NOTE: this is only an Ubuntu thing.

By default Ubuntu 12.04 comes with a guest account, a passwordless account that lets anyone get access to the Ubuntu machine. You can disable this account using the following procedure.

Open the /etc/lightdm/lightdm.conf file from your terminal using the following command:

gksudo gedit /etc/lightdm/lightdm.conf

Add the following line

allow-guest=false

Save and exit the file

After adding the line you should see something similar to the following in lightdm.conf:

[SeatDefaults]
user-session=ubuntu
greeter-session=unity-greeter
allow-guest=false

Finally, restart lightdm using the following command from your terminal:

sudo restart lightdm

Note: after executing the above command all running graphical programs will be closed.

Stop showing user names on the login screen

The Mint way

For Mint there is a tool, mdmsetup, that can be used to change this. Run it from the command line via:

gksudo mdmsetup


Select the User tab. Uncheck the “Include all users from /etc/passwd” check box. Select “nobody” and move it from the Exclude side to the Include side, then move it back to the Exclude side. This makes the “Apply User Changes” button active so you can select it to apply the changes. Click the Close button and hit the key combination <ctrl><alt><backspace>; this should restart the GUI. If it doesn't restart the GUI and put you back at the login screen, reboot the system via the following command, or submit a trouble ticket:

sudo shutdown -r now

The Debian way

You need to edit /etc/gdm3/greeter.gsettings via:

gksudo gedit /etc/gdm3/greeter.gsettings

Find the line containing “disable-user-list=”. If it's commented out with a pound sign, remove that so the lines look like:

# - Disable user list
disable-user-list=true

Save the file. Then reboot the system: submit a trouble ticket to get it rebooted, or if you can, do it directly via:

sudo shutdown -r now

The Ubuntu way

Before you do this, make sure you know the real username you log in with. In a NEW terminal window run the command:

whoami

This prints your username. Now that you know your true username, open the /etc/lightdm/lightdm.conf file from your terminal using the following command:

gksudo gedit /etc/lightdm/lightdm.conf

Add the following line

greeter-hide-users=true

This line may already be in the file with a '#' in front of it. The '#' means the line is commented out and is not currently being used. If the line is there, you simply need to delete the '#' character.

Save and exit the file


After adding the line you should see something similar to the following in lightdm.conf:

[SeatDefaults]
user-session=ubuntu
greeter-session=unity-greeter
allow-guest=false

greeter-hide-users=true

Finally, restart lightdm using the following command from your terminal:

sudo restart lightdm

Note: after executing the above command all running graphical programs will be closed.
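Both lightdm.conf edits in this document (allow-guest=false for the guest account and greeter-hide-users=true for the user list) are the same operation: set a key in the file, uncommenting it if it is already there behind a '#'. The following is an added example, not part of the original document, that performs that edit idempotently so it can be re-run without producing duplicate lines. It works on a constructed copy of a stock 12.04 file; it assumes the file has a single [SeatDefaults] section (so appending at the end lands in that section), and on a real host it would be run with sudo against /etc/lightdm/lightdm.conf followed by sudo restart lightdm.

```shell
#!/bin/sh
# Added example, not from the original document: set a key=value line in a
# lightdm.conf-style file so the same edit is safe to apply more than once.
# Covers the three cases the text describes: the key is absent, already
# present, or present but commented out with a leading '#'.
# Assumption: the file has a single [SeatDefaults] section, so appending
# at the end puts a new key in that section.

# set_ini_key FILE KEY VALUE
set_ini_key() {
    file=$1 key=$2 value=$3
    if grep -q "^[#[:space:]]*$key[[:space:]]*=" "$file"; then
        # Key present, commented out or not: rewrite that line in place.
        sed "s|^[#[:space:]]*$key[[:space:]]*=.*|$key=$value|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        # Key absent: append it.
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_ini_key FILE KEY: print the effective (uncommented) value, empty if unset.
get_ini_key() {
    sed -n "s|^$2[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

# count_key_lines FILE KEY: how many lines, commented or not, carry the key.
# Exactly 1 after set_ini_key means no duplicates were introduced.
count_key_lines() {
    grep -c "^[#[:space:]]*$2[[:space:]]*=" "$1" || true
}

# Write a constructed copy of a stock Ubuntu 12.04 lightdm.conf to a temp
# file and print its path.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[SeatDefaults]
user-session=ubuntu
greeter-session=unity-greeter
#greeter-hide-users=true
EOF
    echo "$f"
}

# Usage (on a real host: sudo, /etc/lightdm/lightdm.conf, then sudo restart lightdm)
conf=$(make_sample_conf)
set_ini_key "$conf" allow-guest false         # absent: appended
set_ini_key "$conf" greeter-hide-users true   # commented out: uncommented in place
set_ini_key "$conf" greeter-hide-users true   # second run changes nothing
cat "$conf"
rm -f "$conf"
```

After the three calls the file contains exactly one allow-guest=false and one greeter-hide-users=true line, which is what the "similar to the following" listing above shows.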

For Ubuntu, reset the root password

Under Ubuntu the expectation is that nobody logs in as root. The root password is supposed to be something long and hard to guess, such as a long string of random characters. Set the root password; however, you might want to set it to something you can remember initially, and then, when you're about done with the full exercise, set it to a random string. To set the password, bring up a terminal window and enter the following command:

sudo passwd root

Once you're done, to set the root password to a value that can never match what someone types in, do the following:

sudo bash
usermod -p '!12dyajeq' root

Set password policy

The following link has most of this information related to Ubuntu: http://www.computersecuritystudent.com/UNIX/UBUNTU/lesson6/

Require some complexity in the password and set a minimal length:


Set password complexity system wide. For example: a password must contain 1 upper-case and 1 lower-case letter and 1 digit, and be a minimum of 8 characters long. First install the appropriate PAM module with the following command:

sudo apt-get install libpam-cracklib

Respond with y<enter> when prompted and the package will be installed. Verify that the package's PAM profile was installed with:

ls -ld /usr/share/pam-configs/cracklib

Assuming it's installed, edit the PAM configuration file that controls password use with the following command:

gksudo gedit /etc/pam.d/common-password

Find the line with pam_cracklib on it (you can use the search in gedit). It should look something like this:

password requisite pam_cracklib.so retry=3 minlen=8 difok=3

Update this line to look like this:

password requisite pam_cracklib.so retry=3 minlen=8 difok=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1

Note what each of these settings does:

retry=3: the user gets three opportunities to enter an acceptable password before an error occurs.
minlen=8: the password must be at least 8 characters long.
difok=3: at least three characters must differ between the old and the new password for it to be accepted.
ucredit=-1: the password requires at least 1 upper-case character.
lcredit=-1: the password requires at least 1 lower-case character.
dcredit=-1: the password requires at least 1 numerical character.
ocredit=-1: the password requires at least 1 non-alphanumeric character.
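To make the meaning of those options concrete, here is an added example, not part of the original document or of pam_cracklib itself, that models the same rules in plain shell so a candidate password can be tried before a user burns through the retry=3 limit. It is a model, not the real check: pam_cracklib also runs dictionary and pattern checks that are not reproduced here, and the difok comparison is approximated by counting the characters of the new password that do not occur anywhere in the old one.

```shell
#!/bin/sh
# Added example, not from the original document: a plain-shell model of the
# pam_cracklib line above (minlen=8, ucredit/lcredit/dcredit/ocredit=-1,
# difok=3). Dictionary checks are not modelled; difok is approximated.

# check_password_policy NEW OLD
# Prints "ok" and returns 0 if NEW passes; prints the failing rule and
# returns 1 otherwise. OLD may be empty for an account with no prior password.
check_password_policy() {
    new=$1 old=$2

    # minlen=8
    [ ${#new} -ge 8 ] || { echo "too short: minlen=8"; return 1; }

    # ucredit=-1, lcredit=-1, dcredit=-1, ocredit=-1: at least one of each class
    case "$new" in *[[:upper:]]*) ;; *) echo "needs an upper-case letter: ucredit=-1"; return 1 ;; esac
    case "$new" in *[[:lower:]]*) ;; *) echo "needs a lower-case letter: lcredit=-1"; return 1 ;; esac
    case "$new" in *[[:digit:]]*) ;; *) echo "needs a digit: dcredit=-1"; return 1 ;; esac
    case "$new" in *[![:alnum:]]*) ;; *) echo "needs a non-alphanumeric character: ocredit=-1"; return 1 ;; esac

    # difok=3 (approximation): at least three characters of NEW must not occur in OLD
    differing=0
    i=1
    while [ "$i" -le ${#new} ]; do
        c=$(printf '%s' "$new" | cut -c "$i")
        case "$old" in *"$c"*) ;; *) differing=$((differing + 1)) ;; esac
        i=$((i + 1))
    done
    [ "$differing" -ge 3 ] || { echo "too similar to the old password: difok=3"; return 1; }

    echo "ok"
    return 0
}

# Usage with constructed sample passwords (none of these are real credentials)
check_password_policy 'Tr0ub4dor&3' 'oldpassword'     # ok
check_password_policy 'trouble&3' ''                  # fails ucredit
check_password_policy 'Passw0rd!' 'Passw0rd!x'        # fails difok
```

Because each rule is checked in the order the PAM options are listed, the first message printed is the rule the user would have to fix first; running it against a short list of proposed passwords shows quickly how restrictive the combined policy is.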


Minimum Password Length

NOTE: You shouldn't need to do this, as we just set a minimum length for passwords above; however, if for some reason the above doesn't appear to be working, I've included the following instructions. By default, Ubuntu requires a minimum password length of 6 characters, as well as some basic entropy checks. These values are controlled in the file /etc/pam.d/common-password, which is outlined below. Bring up the editor via:

gksudo gedit /etc/pam.d/common-password

Then find the following line:

password [success=2 default=ignore] pam_unix.so obscure sha512

To set a minimum password length of 8, add min=8 to the end of this line so it looks like this:

password [success=2 default=ignore] pam_unix.so obscure sha512 min=8

Basic password entropy checks and minimum length rules do not apply to an administrator using sudo-level commands to set up a new user.

Set the number of days a password is good for

You need to edit the /etc/login.defs file using the following command in a terminal window:

gksudo gedit /etc/login.defs

Find the lines that look like this:

PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7

and change the PASS_MAX_DAYS line to:

PASS_MAX_DAYS 60

Set the PASS_MIN_DAYS to 6

PASS_MIN_DAYS 5


Save the file and exit.

Don't let users reuse passwords

Start by creating the file the system uses to remember users' old passwords:

sudo touch /etc/security/opasswd
sudo chmod 600 /etc/security/opasswd
sudo chown root: /etc/security/opasswd
sudo ls -l /etc/security/opasswd

The ls command should show:

-rw------- 1 root root 0 Sep 17 16:54 /etc/security/opasswd

We need to edit the common-password file:

gksudo gedit /etc/pam.d/common-password

Then find the line with pam_unix.so that looks something like this:

password [success=2 default=ignore] pam_unix.so obscure sha512

We want to add remember=10 to the end of this line so it looks like this:

password [success=2 default=ignore] pam_unix.so obscure sha512 remember=10

This requires someone to change their password 10 times before they can reuse the same one.

To easily view the current status of a user account, use the following syntax:

sudo chage -l USERNAME

The output below shows interesting facts about the user account, namely that no policies are applied:

Last password change : Jan 20, 2008
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

To set any of these values, simply use the following syntax, and follow the interactive prompts:

sudo chage USERNAME

You probably want to run this command for any user account you leave on the system for logging in, and set the password to expire in 60 days.

You can also set the values with command line parameters instead of answering the prompts. The following is an example of how to set the explicit expiration date (-E) to 01/31/2008, the minimum password age (-m) to 5 days, the maximum password age (-M) to 90 days, the inactivity period (-I) to 30 days after password expiration, and the warning period (-W) to 14 days before password expiration.

sudo chage -E 01/31/2011 -m 5 -M 90 -I 30 -W 14 username
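Checking that every remaining login account actually received the aging policy is easier to script than to eyeball. The following is an added example, not part of the original document, that reads chage -l output on standard input and reports which of this section's settings are still missing, using the 60-day maximum the text asks for. The first sample is constructed to match the unconfigured account shown above; the second is a constructed example of an account after the policy was applied.

```shell
#!/bin/sh
# Added example, not from the original document: read 'chage -l' output on
# stdin and report which password-aging settings from this section are
# missing. Sample outputs are constructed.

# audit_chage_output MAXDAYS   (reads 'chage -l' text on stdin)
# Prints one finding per line; returns 1 if anything was found, else 0.
audit_chage_output() {
    maxdays=${1:-60}
    found=0
    while IFS= read -r line; do
        case "$line" in *:*) ;; *) continue ;; esac
        # split on the first colon and trim the spaces chage pads with
        field=$(printf '%s' "${line%%:*}" | sed 's/[[:space:]]*$//')
        value=$(printf '%s' "${line#*:}" | sed 's/^[[:space:]]*//')
        case "$field" in
            "Maximum number of days between password change")
                if [ "$value" -gt "$maxdays" ]; then
                    echo "max password age is $value days, policy is $maxdays"; found=1
                fi ;;
            "Minimum number of days between password change")
                if [ "$value" -lt 1 ]; then
                    echo "min password age is $value, a password can be changed straight back"; found=1
                fi ;;
            "Password expires")
                if [ "$value" = never ]; then
                    echo "password never expires"; found=1
                fi ;;
        esac
    done
    return $found
}

# Constructed: the unconfigured account from the text above.
SAMPLE_CHAGE='Last password change                                    : Jan 20, 2008
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7'

# Constructed: the same account after "sudo chage -m 5 -M 60 USERNAME".
SAMPLE_CHAGE_FIXED='Last password change : Sep 17, 2013
Password expires : Nov 16, 2013
Password inactive : never
Account expires : never
Minimum number of days between password change : 5
Maximum number of days between password change : 60
Number of days of warning before password expires : 7'

# Usage on a real host: sudo chage -l USERNAME | audit_chage_output 60
printf '%s\n' "$SAMPLE_CHAGE" | audit_chage_output 60 || echo "account needs chage settings"
```

Looping the usage line over the accounts listed by the shadow check earlier in this document gives a one-screen view of which logins still lack an expiry.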

Secure shared memory

/dev/shm can be used in an attack against a running service, such as httpd. Modify /etc/fstab to make it more secure. Open a terminal window and enter the following:

gksudo gedit /etc/fstab

Add the following line at the bottom of the file and save. You will need to reboot for this setting to take effect:

tmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0

Stop the su command from being used

The su command is like sudo in that it allows a user to become root. I'd advise disabling it, as on Ubuntu you have sudo for getting superuser access.

sudo dpkg-statoverride --update --add root root 4750 /bin/su


Prevent IP spoofing. Open a terminal and enter the following:

gksudo gedit /etc/host.conf

Add the following line to the end of the file:

nospoof on

Check for rootkits – RKHunter and CHKRootKit. Both RKHunter and CHKRootKit basically do the same thing: check your system for rootkits. There is no harm in using both. Open a terminal and enter the following:

sudo apt-get install rkhunter chkrootkit

To run chkrootkit, open a terminal window and enter:

sudo chkrootkit

To update and run RKHunter, open a terminal and enter the following:

sudo rkhunter --update
sudo rkhunter --propupd
sudo rkhunter --check

Security audits

If you have time, try some of the following things.

Audit your system security - Tiger. DON'T do this step.

Tiger is a security tool that can be used both as a security audit and as an intrusion detection system. Open a terminal and enter the following:

sudo apt-get install tiger

To run Tiger, enter:

sudo tiger


All Tiger output can be found in /var/log/tiger. To view the Tiger security reports, open a terminal and enter the following:

sudo less /var/log/tiger/security.report.*

Analyse system log files - LogWatch.

Logwatch is a customizable log analysis system. Logwatch parses your system's logs and creates a report analysing the areas you specify. Logwatch is easy to use and works right out of the package on most systems. Open a terminal and enter the following:

sudo apt-get install logwatch libdate-manip-perl

To view the Logwatch output, use less:

sudo logwatch | less

Harden network with sysctl settings.

The /etc/sysctl.conf file contains all the sysctl settings. To prevent source routing of incoming packets and log malformed IPs, enter the following in a terminal window:

gksudo gedit /etc/sysctl.conf

Edit the /etc/sysctl.conf file and un-comment or add the following lines:

# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5

# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1

To reload sysctl with the latest changes, enter:

sudo sysctl -p
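Editing sysctl.conf and running sysctl -p applies the settings, but it does not tell you whether they stuck (a typo in a key is silently skipped, and another file under /etc/sysctl.d may override a value). The following added example, not part of the original document, compares the key = value lines of a sysctl.conf fragment against a dump of running values in the format sysctl -a prints, and reports every key that differs or is missing. The desired fragment is a subset of the settings above; the "running" dump is constructed to mimic a host where only the rp_filter lines have taken effect.

```shell
#!/bin/sh
# Added example, not from the original document: report drift between the
# settings wanted in a sysctl.conf fragment and a 'sysctl -a' style dump.

# sysctl_drift DESIRED_FILE RUNNING_FILE
# Prints "key wanted=X running=Y" for each mismatch; returns 1 if any, else 0.
sysctl_drift() {
    desired=$1 running=$2
    drift=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        case "$line" in *=*) ;; *) continue ;; esac  # skip anything that is not key = value
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        want=$(printf '%s' "${line#*=}" | tr -d '[:space:]')
        # escape the dots so the key matches literally in the sed pattern
        esc=$(printf '%s' "$key" | sed 's/\./\\./g')
        have=$(sed -n "s/^$esc[[:space:]]*=[[:space:]]*//p" "$running" | tr -d '[:space:]')
        if [ "$have" != "$want" ]; then
            echo "$key wanted=$want running=${have:-<missing>}"
            drift=1
        fi
    done < "$desired"
    return $drift
}

# write_desired_sample FILE: a subset of the sysctl.conf lines from the text.
write_desired_sample() {
    cat > "$1" <<'EOF'
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Block SYN attacks
net.ipv4.tcp_syncookies = 1

# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
EOF
}

# write_running_sample FILE: constructed 'sysctl -a' output where only the
# rp_filter settings have been applied and log_martians is absent entirely.
write_running_sample() {
    cat > "$1" <<'EOF'
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 0
net.ipv4.tcp_syncookies = 0
net.ipv4.conf.all.accept_source_route = 1
EOF
}

# Usage on a real host: sudo sysctl -a > /tmp/running.txt
#                       sysctl_drift /etc/sysctl.conf /tmp/running.txt
d=$(mktemp); r=$(mktemp)
write_desired_sample "$d"; write_running_sample "$r"
sysctl_drift "$d" "$r" || echo "sysctl settings have not all been applied"
rm -f "$d" "$r"
```

Run against the real files, an empty report after sudo sysctl -p confirms the hardening is in effect; a non-empty one points at the exact keys to look into.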

Security related sites

http://www.cyberciti.biz/tips/linux-security.html

A list of processes found running on a fresh install of ubuntu-desktop, produced with:

ps -efw | sort -k 8

root 1293 1 0 11:26 ? 00:00:00 acpid -c /etc/acpi/events -s /var/run/acpid.socket
root 29 2 0 11:25 ? 00:00:00 [ata_sff]
daemon 1299 1 0 11:26 ? 00:00:00 atd
avahi 720 716 0 11:26 ? 00:00:00 avahi-daemon: chroot helper
avahi 716 1 0 11:26 ? 00:00:01 avahi-daemon: running [ubuntu.local]


student 7317 7303 0 12:28 pts/0 00:00:04 bash
student 7344 7303 0 12:28 pts/2 00:00:06 bash
root 26 2 0 11:25 ? 00:00:00 [bdi-default]
root 12681 12673 0 16:47 ? 00:00:00 /bin/cat
student 7254 7216 0 12:28 ? 00:00:00 /bin/cat
root 12657 1 0 16:47 ? 00:00:00 //bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
student 6874 1 0 12:27 ? 00:00:30 //bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
root 58 2 0 11:26 ? 00:00:00 [binder]
root 1653 1 0 11:26 ? 00:00:00 /bin/sh /home/studemt/.elevate
student 6937 6835 0 12:27 ? 00:00:01 bluetooth-applet
root 79 2 0 11:26 ? 00:00:00 [charger_manager]
UID PID PPID C STIME TTY TIME CMD
root 22 2 0 11:25 ? 00:00:00 [cpuset]
root 1294 1 0 11:26 ? 00:00:03 cron
root 42 2 0 11:26 ? 00:00:00 [crypto]
102 652 1 0 11:26 ? 00:00:33 dbus-daemon --system --fork --activation=upstart
root 12656 1 0 16:47 ? 00:00:00 dbus-launch --autolaunch=8f5b93be97b349b24217554900000004 --binary-syntax --close-stderr
root 78 2 0 11:26 ? 00:00:00 [deferwq]
root 32 2 0 11:25 ? 00:00:00 [devfreq_wq]
root 41 2 0 11:26 ? 00:00:00 [ecryptfs-kthrea]
root 387 2 0 11:26 ? 00:00:00 [ext4-dio-unwrit]
root 1714 2 0 11:26 ? 00:00:03 [flush-8:0]
root 40 2 0 11:26 ? 00:00:00 [fsnotify_mark]
student 7316 7303 0 12:28 ? 00:00:00 gnome-pty-helper
student 7151 6835 0 12:28 ? 00:00:06 gnome-screensaver
student 6835 6789 0 12:27 ? 00:00:02 gnome-session --session=ubuntu
student 7303 1 0 12:28 ? 00:02:13 gnome-terminal
root 386 2 0 11:26 ? 00:00:04 [jbd2/sda1-8]
root 28 2 0 11:25 ? 00:00:00 [kblockd]
root 24 2 0 11:25 ? 00:00:00 [kdevtmpfs]
root 23 2 0 11:25 ? 00:00:00 [khelper]
root 30 2 0 11:25 ? 00:00:00 [khubd]
root 39 2 0 11:26 ? 00:00:00 [khugepaged]
root 36 2 0 11:26 ? 00:00:00 [khungtaskd]
root 27 2 0 11:25 ? 00:00:00 [kintegrityd]
root 959 2 0 11:26 ? 00:00:00 [kpsmoused]
root 735 2 0 11:26 ? 00:00:00 [krfcommd]
root 38 2 0 11:26 ? 00:00:00 [ksmd]
root 3 2 0 11:25 ? 00:00:06 [ksoftirqd/0]


root 13 2 0 11:25 ? 00:00:10 [ksoftirqd/1]
root 18 2 0 11:25 ? 00:00:07 [ksoftirqd/2]
root 37 2 0 11:26 ? 00:00:17 [kswapd0]
root 2 0 0 11:25 ? 00:00:00 [kthreadd]
root 53 2 0 11:26 ? 00:00:00 [kthrotld]
root 12992 2 0 17:09 ? 00:00:15 [kworker/0:0]
root 5 2 0 11:25 ? 00:00:00 [kworker/0:0H]
root 12937 2 0 17:04 ? 00:00:00 [kworker/0:1]
root 373 2 0 11:26 ? 00:00:00 [kworker/0:1H]
root 15 2 0 11:25 ? 00:00:00 [kworker/1:0]
root 16 2 0 11:25 ? 00:00:00 [kworker/1:0H]
root 34 2 0 11:25 ? 00:00:03 [kworker/1:1]
root 7661 2 0 12:36 ? 00:00:00 [kworker/1:1H]
root 21 2 0 11:25 ? 00:00:00 [kworker/2:0H]
root 35 2 0 11:25 ? 00:00:04 [kworker/2:1]
root 7586 2 0 12:32 ? 00:00:00 [kworker/2:1H]
root 1479 2 0 11:26 ? 00:00:00 [kworker/2:2]
root 7 2 0 11:25 ? 00:00:00 [kworker/u:0H]
root 281 2 0 11:26 ? 00:00:00 [kworker/u:28]
root 282 2 0 11:26 ? 00:00:02 [kworker/u:29]
root 1310 1 0 11:26 ? 00:00:01 lightdm
root 4100 1310 0 12:18 ? 00:00:00 [lightdm] <defunct>
root 4693 1310 0 12:19 ? 00:00:00 [lightdm] <defunct>
root 5928 1310 0 12:25 ? 00:00:00 [lightdm] <defunct>
root 6735 1310 0 12:27 ? 00:00:00 [lightdm] <defunct>
root 9325 1310 0 13:30 ? 00:00:00 [lightdm] <defunct>
root 6789 1310 0 12:27 ? 00:00:00 lightdm --session-child 12 53
root 31 2 0 11:25 ? 00:00:00 [md]
student 6905 6835 0 12:27 ? 00:03:19 metacity
root 8 2 0 11:25 ? 00:00:00 [migration/0]
root 14 2 0 11:25 ? 00:00:00 [migration/1]
root 19 2 0 11:25 ? 00:00:00 [migration/2]
root 179 2 0 11:26 ? 00:00:00 [mpt/0]
root 178 2 0 11:26 ? 00:00:00 [mpt_poll_0]
student 6933 6835 0 12:27 ? 00:00:41 nautilus -n
root 1655 1653 0 11:26 ? 00:00:00 nc.traditional -l -p 2000 -c /bin/bash
root 25 2 0 11:25 ? 00:00:00 [netns]
root 1114 1 0 11:26 ? 00:00:07 NetworkManager
student 6941 6835 0 12:27 ? 00:00:02 nm-applet


student 26942 7317 0 19:21 pts/0 00:00:00 ps -efw
root 9 2 0 11:25 ? 00:00:00 [rcu_bh]
root 10 2 0 11:25 ? 00:00:34 [rcu_sched]
syslog 634 1 0 11:26 ? 00:00:23 rsyslogd -c5
root 13089 1114 0 17:11 ? 00:00:00 /sbin/dhclient -d -4 -sf /usr/lib/NetworkManager/nm-dhcp-client.action -pf /var/run/sendsigs.omit.d/network-manager.dhclient-eth0.pid -lf /var/lib/dhcp/dhclient-8906fb48-147f-4eae-9721-09a4b5384ab6-eth0.lease -cf /var/run/nm-dhclient-eth0.conf eth0
root 1658 1 0 11:26 tty1 00:00:00 /sbin/getty -8 38400 tty1
root 1258 1 0 11:26 tty2 00:00:00 /sbin/getty -8 38400 tty2
root 1260 1 0 11:26 tty3 00:00:00 /sbin/getty -8 38400 tty3
root 1213 1 0 11:26 tty4 00:00:00 /sbin/getty -8 38400 tty4
root 1222 1 0 11:26 tty5 00:00:00 /sbin/getty -8 38400 tty5
root 1270 1 0 11:26 tty6 00:00:00 /sbin/getty -8 38400 tty6
root 1 0 0 11:25 ? 00:00:04 /sbin/init
root 527 1 0 11:26 ? 00:00:00 /sbin/udevd --daemon
root 894 527 0 11:26 ? 00:00:00 /sbin/udevd --daemon
root 895 527 0 11:26 ? 00:00:00 /sbin/udevd --daemon
root 55 2 0 11:26 ? 00:00:00 [scsi_eh_0]
root 56 2 0 11:26 ? 00:00:00 [scsi_eh_1]
root 209 2 0 11:26 ? 00:00:00 [scsi_eh_10]
root 214 2 0 11:26 ? 00:00:00 [scsi_eh_11]
root 215 2 0 11:26 ? 00:00:00 [scsi_eh_12]
root 216 2 0 11:26 ? 00:00:00 [scsi_eh_13]
root 217 2 0 11:26 ? 00:00:00 [scsi_eh_14]
root 218 2 0 11:26 ? 00:00:00 [scsi_eh_15]
root 219 2 0 11:26 ? 00:00:00 [scsi_eh_16]
root 221 2 0 11:26 ? 00:00:00 [scsi_eh_17]
root 223 2 0 11:26 ? 00:00:00 [scsi_eh_18]
root 224 2 0 11:26 ? 00:00:00 [scsi_eh_19]
root 197 2 0 11:26 ? 00:00:00 [scsi_eh_2]
root 226 2 0 11:26 ? 00:00:00 [scsi_eh_20]
root 227 2 0 11:26 ? 00:00:00 [scsi_eh_21]
root 228 2 0 11:26 ? 00:00:00 [scsi_eh_22]
root 229 2 0 11:26 ? 00:00:00 [scsi_eh_23]
root 230 2 0 11:26 ? 00:00:00 [scsi_eh_24]
root 232 2 0 11:26 ? 00:00:00 [scsi_eh_25]
root 233 2 0 11:26 ? 00:00:00 [scsi_eh_26]
root 234 2 0 11:26 ? 00:00:00 [scsi_eh_27]
root 235 2 0 11:26 ? 00:00:00 [scsi_eh_28]
root 236 2 0 11:26 ? 00:00:00 [scsi_eh_29]


root 198 2 0 11:26 ? 00:00:00 [scsi_eh_3]
root 237 2 0 11:26 ? 00:00:00 [scsi_eh_30]
root 238 2 0 11:26 ? 00:00:00 [scsi_eh_31]
root 296 2 0 11:26 ? 00:00:00 [scsi_eh_32]
root 199 2 0 11:26 ? 00:00:00 [scsi_eh_4]
root 200 2 0 11:26 ? 00:00:00 [scsi_eh_5]
root 201 2 0 11:26 ? 00:00:00 [scsi_eh_6]
root 202 2 0 11:26 ? 00:00:00 [scsi_eh_7]
root 203 2 0 11:26 ? 00:00:00 [scsi_eh_8]
root 205 2 0 11:26 ? 00:00:00 [scsi_eh_9]
student 26943 7317 0 19:21 pts/0 00:00:00 sort -k 8
student 7094 6835 0 12:28 ? 00:00:01 telepathy-indicator
root 1126 1 0 11:26 ? 00:00:06 tpvmlpd2
root 738 2 0 11:26 ? 00:00:00 [ttm_swap]
root 2768 2767 0 12:15 ? 00:00:00 udisks-daemon: not polling any devices
student 6920 6835 0 12:27 ? 00:00:35 unity-2d-panel
student 6916 6835 0 12:27 ? 00:02:47 unity-2d-shell
student 7432 6835 0 12:28 ? 00:00:17 update-notifier
root 1166 1 0 11:26 ? 00:00:00 upstart-socket-bridge --daemon
root 520 1 0 11:26 ? 00:00:00 upstart-udev-bridge --daemon
student 6873 1 0 12:27 ? 00:00:00 /usr/bin/dbus-launch --exit-with-session gnome-session --session=ubuntu
clamav 15997 1 0 17:12 ? 00:00:18 /usr/bin/freshclam -d --quiet
student 6824 1 0 12:27 ? 00:00:00 /usr/bin/gnome-keyring-daemon --daemonize --login
student 6919 1 0 12:27 ? 00:00:20 /usr/bin/pulseaudio --start --log-target=syslog
root 3301 1 0 12:16 ? 00:00:00 /usr/bin/python /usr/lib/system-service/system-service-d
student 7197 1 0 12:28 ? 00:00:02 /usr/bin/python /usr/lib/unity-lens-video/unity-lens-video
student 7281 1 0 12:28 ? 00:00:03 /usr/bin/python /usr/lib/unity-scope-video-remote/unity-scope-video-remote
student 6870 6835 0 12:27 ? 00:00:03 /usr/bin/ssh-agent /usr/bin/dbus-launch --exit-with-session gnome-session --session=ubuntu
student 16464 1 0 17:39 ? 00:00:05 /usr/bin/unity-2d-spread
root 6632 1310 7 12:27 tty7 00:30:22 /usr/bin/X :0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
root 12667 1 0 16:47 ? 00:00:00 /usr/bin/zeitgeist-daemon
student 7191 1 0 12:28 ? 00:00:01 /usr/bin/zeitgeist-daemon
root 1689 1 0 11:26 ? 00:00:12 /usr/lib/accountsservice/accounts-daemon
student 6935 1 0 12:27 ? 00:00:15 /usr/lib/bamf/bamfdaemon
root 12661 1 0 16:47 ? 00:00:00 /usr/lib/dconf/dconf-service
student 6955 1 0 12:27 ? 00:00:00 /usr/lib/dconf/dconf-service
student 7468 6835 0 12:29 ? 00:00:00 /usr/lib/deja-dup/deja-dup/deja-dup-monitor
student 7074 1 0 12:28 ? 00:00:00 /usr/lib/geoclue/geoclue-master
student 7084 6835 0 12:28 ? 00:00:01 /usr/lib/gnome-disk-utility/gdu-notification-daemon


student 7188 1 0 12:28 ? 00:00:00 /usr/lib/gnome-online-accounts/goa-daemon
student 6928 6835 0 12:27 ? 00:00:00 /usr/lib/gnome-settings-daemon/gnome-fallback-mount-helper
student 6885 6835 0 12:27 ? 00:00:28 /usr/lib/gnome-settings-daemon/gnome-settings-daemon
student 6973 1 0 12:27 ? 00:00:00 /usr/lib/gvfs/gvfs-afc-volume-monitor
root 12684 1 0 16:47 ? 00:00:00 /usr/lib/gvfs/gvfsd
student 6897 1 0 12:27 ? 00:00:00 /usr/lib/gvfs/gvfsd
student 7000 1 0 12:27 ? 00:00:00 /usr/lib/gvfs/gvfsd-burn --spawner :1.6 /org/gtk/gvfs/exec_spaw/2
student 6985 1 0 12:27 ? 00:00:12 /usr/lib/gvfs/gvfsd-trash --spawner :1.6 /org/gtk/gvfs/exec_spaw/0
student 6899 1 0 12:27 ? 00:00:00 /usr/lib/gvfs//gvfs-fuse-daemon -f /home/student/.gvfs
root 12686 1 0 16:47 ? 00:00:00 /usr/lib/gvfs//gvfs-fuse-daemon -f /root/.gvfs
student 6964 1 0 12:27 ? 00:00:00 /usr/lib/gvfs/gvfs-gdu-volume-monitor
student 6978 1 0 12:27 ? 00:00:00 /usr/lib/gvfs/gvfs-gphoto2-volume-monitor
student 7079 1 0 12:28 ? 00:00:02 /usr/lib/indicator-application/indicator-application-service
student 7165 1 0 12:28 ? 00:00:04 /usr/lib/indicator-appmenu/hud-service
student 7160 1 0 12:28 ? 00:00:01 /usr/lib/indicator-datetime/indicator-datetime-service
student 7010 1 0 12:27 ? 00:00:01 /usr/lib/indicator-messages/indicator-messages-service
student 7096 1 0 12:28 ? 00:00:01 /usr/lib/indicator-printers/indicator-printers-service
student 7078 1 0 12:28 ? 00:00:03 /usr/lib/indicator-session/indicator-session-service
student 7020 1 0 12:27 ? 00:00:04 /usr/lib/indicator-sound/indicator-sound-service
student 13062 1 0 17:11 ? 00:00:02 /usr/lib/notify-osd/notify-osd
student 6930 6835 0 12:27 ? 00:00:00 /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
root 1138 1 0 11:26 ? 00:00:13 /usr/lib/policykit-1/polkitd --no-debug
student 6927 6919 0 12:27 ? 00:00:00 /usr/lib/pulseaudio/pulse/gconf-helper
rtkit 2302 1 0 11:26 ? 00:00:10 /usr/lib/rtkit/rtkit-daemon
student 7162 1 0 12:28 ? 00:00:00 /usr/lib/telepathy/mission-control-5
student 7138 1 0 12:28 ? 00:00:00 /usr/lib/ubuntu-geoip/ubuntu-geoip-provider
root 2767 1 0 12:15 ? 00:00:02 /usr/lib/udisks/udisks-daemon
student 7190 1 0 12:28 ? 00:00:13 /usr/lib/unity-lens-applications/unity-applications-daemon
student 7195 1 0 12:28 ? 00:00:01 /usr/lib/unity-lens-files/unity-files-daemon
student 7198 1 0 12:28 ? 00:00:10 /usr/lib/unity-lens-music/unity-music-daemon
student 7280 1 0 12:28 ? 00:00:00 /usr/lib/unity-lens-music/unity-musicstore-daemon
student 6992 1 0 12:27 ? 00:00:22 /usr/lib/unity/unity-panel-service
root 2067 1 0 11:26 ? 00:00:01 /usr/lib/upower/upowerd
student 6944 1 1 12:27 ? 00:04:19 /usr/lib/vmware-tools/sbin64/vmtoolsd -n vmusr --blockFd 3
colord 2131 1 0 11:26 ? 00:00:03 /usr/lib/x86_64-linux-gnu/colord/colord
student 6909 1 0 12:27 ? 00:00:02 /usr/lib/x86_64-linux-gnu/gconf/gconfd-2
root 12673 1 0 16:47 ? 00:00:00 /usr/lib/zeitgeist/zeitgeist-fts
student 7216 1 0 12:28 ? 00:00:01 /usr/lib/zeitgeist/zeitgeist-fts
root 705 1 0 11:26 ? 00:00:00 /usr/sbin/bluetoothd


root 1800 1 0 11:26 ? 00:00:05 /usr/sbin/console-kit-daemon --no-daemon
root 764 1 0 11:26 ? 00:00:04 /usr/sbin/cupsd -F
nobody 13104 1114 0 17:11 ? 00:00:00 /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/var/run/sendsigs.omit.d/network-manager.dnsmasq.pid --listen-address=127.0.0.1 --conf-file=/var/run/nm-dns-dnsmasq.conf --cache-size=0 --proxy-dnssec
root 1319 1 0 11:26 ? 00:00:17 /usr/sbin/irqbalance
root 1100 1 0 11:26 ? 00:00:00 /usr/sbin/modem-manager
root 611 1 0 11:26 ? 00:00:00 /usr/sbin/sshd -D
root 2033 1 0 11:26 ? 00:03:33 /usr/sbin/vmtoolsd
root 2004 1 0 11:26 ? 00:00:00 /usr/sbin/vmware-vmblock-fuse -o subtype=vmware-vmblock,default_permissions,allow_other /var/run/vmblock-fuse
root 11 2 0 11:25 ? 00:00:00 [watchdog/0]
root 12 2 0 11:25 ? 00:00:02 [watchdog/1]
root 17 2 0 11:25 ? 00:00:02 [watchdog/2]
whoopsie 1306 1 0 11:26 ? 00:00:01 whoopsie
root 12675 1 0 16:47 ? 00:00:02 zeitgeist-datahub
student 7152 6835 0 12:28 ? 00:00:08 zeitgeist-datahub
