First, backup using `mkdir /.backup` and `rsync -av /etc "/.backup"` and `rsync -av /home "/.backup"`
- Change passwords for our user and root except for scored users
- Change ssh keys by running `ssh.sh`
- Have local backups by running `backup.sh`
- Remove unnecessary users from `/etc/shadow` and `/etc/passwd`: `sudo userdel -r {user name}`
- Use `cat /etc/group | grep 'adm\|root\|sudo'` to check groups. Remove any users that shouldn't be there with `deluser {user name} {group name}`
- Use `sudo visudo` to change sudoers!!!
- Configure firewall!!!
  - Default deny
  - Configure firewall port and service specific
  - Configure required IPs
- At this point we should have services up and running
- Threat hunting:
  - Remove malicious services by running `killALL.sh`
  - Manually check `/etc/crontab` to be safe!
  - Look for redteam/malicious files by running `hunt.sh`
  - Check for any aliases by running `al.sh`
  - Look for suid (privilege escalation) by running `suid.sh`
  - Use winpeas/linpeas for a more thorough check
  - Look for rootkits by using `rkhunter`
  - Update packages by running `pkgUpdate.sh`. NOTE: this script takes a while, so you want to use tmux and have this running in the background as you check for other threats
  - Reinstall any packages that have been compromised: `apt install --reinstall {package name}`
  - Look for payloads (Go/Sliver) by running `payload.sh`
- Service hardening (tbh I'm not sure what this means)
- Backup to backup server. Andrey will be handling this, let him know whenever you want to backup!
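Added example for the "check groups" and "look for suid" steps above; this is not one of the team's scripts (suid.sh etc.), just helper functions that take the group file and search root as arguments so they run against the constructed sample here and against /etc/group and / on a real box. It assumes you save a SUID listing right after the initial backup and diff later hunting passes against it.

```shell
#!/bin/sh
# Audit helpers for the group-membership and SUID checks (added example).

# Print "group:member" for each supplementary member of adm, root or sudo in
# a group(5)-format file. Primary-group membership from /etc/passwd is not
# covered, so the checklist's manual review of /etc/passwd still applies.
priv_group_members() {
    awk -F: '$1 ~ /^(adm|root|sudo)$/ && $4 != "" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) print $1 ":" m[i]
    }' "$1"
}

# List SUID or SGID regular files under a directory, sorted, without crossing
# into other filesystems (so /proc, /sys and mounted media are skipped).
find_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Print every line of the current listing ($2) that is absent from the saved
# baseline ($1). Save find_setuid output once after the initial backup and
# compare against it on each hunting pass; grep exits 1 when nothing is new.
new_since_baseline() {
    grep -vxFf "$1" "$2" || true
}

# Demo on constructed data in a temp dir (not a real host), so it runs anywhere.
demo() {
    d=$(mktemp -d)
    printf 'root:x:0:\nsudo:x:27:alice,bob\nadm:x:4:alice\nusers:x:100:carol\n' > "$d/group"
    mkdir "$d/bin"; touch "$d/bin/ping" "$d/bin/ls" "$d/bin/.sh"
    chmod 4755 "$d/bin/ping" "$d/bin/.sh"; chmod 755 "$d/bin/ls"
    printf '%s\n' "$d/bin/ping" > "$d/suid.baseline"   # saved at setup time
    echo "privileged group members:"; priv_group_members "$d/group"
    find_setuid "$d/bin" > "$d/suid.now"
    echo "setuid files new since baseline:"; new_since_baseline "$d/suid.baseline" "$d/suid.now"
    rm -rf "$d"
}
[ "$#" -eq 0 ] && demo
```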