DISCLAIMER: This is developed as a personal cheat-sheet; it is not guaranteed to be 100% correct and up to date, and you are expected to do your own research if needed. This document serves as a starting guide for newcomers to CCDC and Blue teaming. More useful resources can be found at Blue team Cheat Sheet
- Run the following command (`passwd`, for changing another user's password):

```bash
sudo passwd <username>
```

Replace `<username>` with your desired user.
- The presence of a `/etc/nologin` file prevents all non-root users from logging in:

```bash
echo "Access is restricted" | sudo tee /etc/nologin
```

Alternatively, write your message directly into the file. If you want to revoke access for a specific user:

```bash
sudo usermod -s /sbin/nologin <username>
```

To restrict SSH access to the root user only, edit the SSH daemon configuration file:

```bash
sudo nano /etc/ssh/sshd_config
```

Add or modify the following lines:

```
PermitRootLogin yes
AllowUsers root
```

(Note that the SSH hardening list further down sets `PermitRootLogin` to `no`; pick one policy and apply it consistently.) Then restart the SSH service:

```bash
sudo systemctl restart sshd
```

If you cannot disconnect certain SSH sessions, reset the daemon, or block an IP address, someone is already inside: SHUT DOWN THE INTERNET ASAP.
Depends on what package management tool your machine is using:

```bash
# CentOS
sudo yum update -y
# Fedora
sudo dnf update -y
```

As we cannot afford downtime due to OS updates, we have to work with what we have. However, we are able to update the services running on the machines. The steps below detail how you can update Apache and install Git. Repeat this approach for other services.
```bash
sudo yum groupinstall "Development Tools"
# Apache dependencies (apr-devel and apr-util-devel added: httpd's configure stops with "APR not found" without them)
sudo yum install pcre-devel openssl-devel expat-devel apr-devel apr-util-devel
# git dependencies
sudo yum install curl-devel expat-devel gettext-devel openssl-devel perl-CPAN perl-devel zlib-devel

# === Apache ===
wget https://downloads.apache.org/httpd/httpd-2.4.54.tar.gz
tar -xzf httpd-2.4.54.tar.gz
cd httpd-2.4.54
./configure --enable-so --enable-ssl --with-mpm=event
make
sudo make install
cd ..    # back to the download directory before fetching git

# === Git ===
wget https://mirrors.edge.kernel.org/pub/software/scm/git/git-2.37.1.tar.gz
tar -xzf git-2.37.1.tar.gz
cd git-2.37.1
make configure
./configure --prefix=/usr/local
make all
sudo make install
```

Replace `2.4.54` with the latest version number available from the Apache HTTP Server project. For Git, visit the Git SCM website.
Verify the installed versions:

```bash
# Apache
/usr/local/apache2/bin/httpd -v
# git
git --version
```

Firewall rules with iptables, allowing only the services you run and dropping everything else:

```bash
# The two rules below were added: without them the final DROP also discards replies to
# connections the box itself opens (yum, DNS) and local loopback traffic.
sudo iptables -A INPUT -i lo -j ACCEPT                                        # loopback
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT   # replies to our own connections (use -m state --state on very old kernels)
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT   # http
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT  # http over ssl
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT   # ssh (optional cause we do not use)
sudo iptables -A INPUT -p tcp --dport 995 -j ACCEPT  # pop3 over ssl
sudo iptables -A INPUT -p tcp --dport 110 -j ACCEPT  # pop3
sudo iptables -A INPUT -j DROP                       # everything else
```

Fancy operations like port-scan countermeasures are doable with iptables, but might not be possible if your current OS is not supported.
- Disable Root Login: Prevent direct root access via SSH by editing `/etc/ssh/sshd_config` and setting `PermitRootLogin` to `no`.
- Change Default SSH Port: Modify the default SSH port (22) to a non-standard port to reduce exposure to automated attacks.
- Use SSH Key Authentication: Implement key-based authentication for enhanced security.
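An added example (not part of the original cheat-sheet) that audits whether the three bullets above actually took effect. The catch it demonstrates: sshd uses the first uncommented occurrence of each keyword, so appending `PermitRootLogin no` to a file that already contains `PermitRootLogin yes` changes nothing. The sample config is constructed; the function names and the "Keyword value" form are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the original cheat-sheet: report the EFFECTIVE
# sshd_config settings. sshd takes the FIRST uncommented occurrence of a
# keyword; lines below a "Match" block are conditional and ignored here.
# Assumes the "Keyword value" form (not "Keyword=value").
set -u

# sshd_effective FILE KEYWORD -> prints the first uncommented value, or "default"
sshd_effective() {
    local file="$1" keyword="$2" value
    value=$(awk -v kw="$keyword" '
        /^[[:space:]]*#/ { next }                        # comment line
        /^[[:space:]]*$/ { next }                        # blank line
        tolower($1) == "match" { exit }                  # conditional section starts: stop
        tolower($1) == tolower(kw) { print $2; exit }    # first match wins
    ' "$file")
    printf '%s\n' "${value:-default}"
}

# sshd_audit FILE -> prints one FINDING line per weak setting; returns 1 if any
sshd_audit() {
    local file="$1" findings=0 root port pass
    root=$(sshd_effective "$file" PermitRootLogin | tr '[:upper:]' '[:lower:]')
    port=$(sshd_effective "$file" Port)
    pass=$(sshd_effective "$file" PasswordAuthentication | tr '[:upper:]' '[:lower:]')
    if [ "$root" != "no" ]; then
        echo "FINDING: PermitRootLogin is '$root' (expected no)"; findings=1
    fi
    if [ "$port" = "default" ] || [ "$port" = "22" ]; then
        echo "FINDING: sshd listens on the default port 22"; findings=1
    fi
    if [ "$pass" != "no" ]; then
        echo "FINDING: PasswordAuthentication is '$pass' (expected no, use keys)"; findings=1
    fi
    return "$findings"
}

# Demo on a constructed config (not a real host file). The trailing
# "PermitRootLogin no" is ignored because an earlier line already says yes.
demo=$(mktemp)
cat > "$demo" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF
sshd_audit "$demo" || true
rm -f "$demo"
```

Run it against the real file with `sshd_audit /etc/ssh/sshd_config` after each edit, and remember that `sshd -t` (config syntax check) says nothing about which of two conflicting lines wins.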
Alternatively, on CentOS:

```bash
sudo systemctl start firewalld
sudo systemctl enable firewalld
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
```

Use `ps aux` to monitor connections to your machine. For example:

```bash
ps aux | grep sshd
```

This command will list all SSH sessions on your machine. Additionally:

```bash
ps aux --forest
```

will organize the output into a tree structure.

To kill a malicious process by PID:

```bash
kill -9 [PID]
```

Useful if there is a persistent actor on your machine.
To take all interfaces down:

```bash
sudo ifdown -a
```

To restore:

```bash
sudo ifup -a
```

If that does not work, try NetworkManager:

```bash
nmcli networking off
nmcli networking on
# system services
sudo systemctl stop NetworkManager
sudo systemctl start NetworkManager
```

Backing up service files is crucial since attackers will try to bring your services down by targeting them.
Use the `tar` command to archive your website files, commonly located in `/var/www/html/`:

```bash
sudo tar -czvf /path/to/backup/web_backup_$(date +%F).tar.gz /var/www/html/
```

To restore (tar strips the leading `/` when archiving, so the archive holds `var/www/html/...`; extract at `/`, otherwise the files land in `/var/www/html/var/www/html/`):

```bash
sudo tar -xzvf /path/to/backup/web_backup_[date].tar.gz -C /
```

If you have git working, imap-backup is a useful tool if you are using an IMAP server like Dovecot (see its GitHub repo).

For configurations:

Mail server configurations are usually stored in `/etc/`. Archive these configurations using:

```bash
sudo tar -czvf /path/to/backup/mail_config_backup_$(date +%F).tar.gz /etc/[mail_server_directory]/
```

To restore (same reasoning: extract at `/`):

```bash
sudo tar -xzvf /path/to/backup/mail_config_backup_[date].tar.gz -C /
```
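An added example (not part of the original cheat-sheet) that pairs each tar backup with a sha256 manifest of the tree, so that instead of blindly restoring you can see which files were defaced, added or deleted since the backup was taken. It covers both the web-root and the config backups above. The demo site is constructed in a temporary directory; `backup_tree`, `check_tree` and the paths are assumptions, and it relies on GNU `sha256sum` and paths without spaces.

```bash
#!/usr/bin/env bash
# Added example, not part of the original cheat-sheet: tar backup + sha256
# manifest, and a checker that diffs the live tree against the manifest.
# Assumes GNU coreutils (sha256sum) and file paths without spaces/newlines.
set -u

# make_manifest DIR OUT : one "sha256  ./relative/path" line per regular file
make_manifest() {
    local dir="$1" out="$2"
    (cd "$dir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2) > "$out"
}

# backup_tree DIR DEST : writes DEST.tar.gz (restore with: tar -xzf DEST.tar.gz -C DIR)
# plus DEST.sha256, the manifest of DIR at backup time
backup_tree() {
    local dir="$1" dest="$2"
    tar -czf "$dest.tar.gz" -C "$dir" .
    make_manifest "$dir" "$dest.sha256"
}

# check_tree DIR MANIFEST : prints MODIFIED/ADDED/DELETED lines; returns 1 if any
check_tree() {
    local dir="$1" manifest="$2" now report
    now=$(mktemp)
    make_manifest "$dir" "$now"
    report=$(awk '
        FILENAME == ARGV[1] { baseline[$2] = $1; next }    # first file: stored manifest
        {
            seen[$2] = 1
            if (!($2 in baseline))        printf "ADDED    %s\n", $2
            else if (baseline[$2] != $1)  printf "MODIFIED %s\n", $2
        }
        END { for (p in baseline) if (!(p in seen)) printf "DELETED  %s\n", p }
    ' "$manifest" "$now")
    rm -f "$now"
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    echo "OK: tree matches manifest"
}

# Demo with a constructed site in a throwaway directory
site=$(mktemp -d)
mkdir -p "$site/css"
echo "<h1>Welcome</h1>" > "$site/index.html"
echo "body { color: black; }" > "$site/css/style.css"
backup_tree "$site" "$site.backup"          # writes $site.backup.tar.gz and $site.backup.sha256
check_tree "$site" "$site.backup.sha256"    # OK: tree matches manifest
echo "<h1>Defaced</h1>" > "$site/index.html"
check_tree "$site" "$site.backup.sha256" || echo "restore from $site.backup.tar.gz"
rm -rf "$site" "$site.backup.tar.gz" "$site.backup.sha256"
```

Keep the manifest somewhere the web server cannot write (with the tarball, not under `/var/www/html`); a manifest an attacker can rewrite proves nothing. Because the archive is created with `-C DIR .`, it restores with `-C /var/www/html` directly, unlike the absolute-path archives above which must be extracted at `/`.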
Consider the following:

If it is a different flavor of SQL, look up the corresponding documentation regarding security and hardening.

If the machine is running MySQL, run the `mysql_secure_installation` script to perform essential security configurations:

```bash
sudo mysql_secure_installation
```

This interactive script will prompt you to:

- Set a strong root password.
- Remove anonymous users.
- Disallow remote root login.
- Remove the test database.

To prevent unauthorized remote access, configure MySQL to listen only on the local interface. Edit the MySQL configuration file (typically located at `/etc/my.cnf` or `/etc/mysql/my.cnf`) and set the `bind-address` directive:

```ini
[mysqld]
bind-address = 127.0.0.1
```

Restart the service after the change:

```bash
sudo systemctl restart mysqld
```

Note: This change will interfere with the grader script; be sure to notify the White team about your security changes and send them the appropriate certificates (more details in step 4).
1. Generate certificates. You will need OpenSSL installed on your machine:

```bash
# Generate CA private key
openssl genpkey -algorithm RSA -out ca-key.pem
# Create CA certificate
openssl req -new -x509 -key ca-key.pem -out ca-cert.pem -days 3650
# Generate server private key
openssl genpkey -algorithm RSA -out server-key.pem
# Create server certificate signing request (CSR)
openssl req -new -key server-key.pem -out server-req.pem
# Sign server CSR with CA certificate to get server certificate
openssl x509 -req -in server-req.pem -CA ca-cert.pem -CAkey ca-key.pem -out server-cert.pem -days 3650 -CAcreateserial
```

2. Configure MySQL to use SSL/TLS

Copy the generated certificates and keys to a secure directory, such as `/etc/mysql/ssl/`, and set appropriate permissions:

```bash
sudo mkdir -p /etc/mysql/ssl
sudo cp ca-cert.pem server-cert.pem server-key.pem /etc/mysql/ssl/
sudo chmod 600 /etc/mysql/ssl/server-key.pem
sudo chown -R mysql:mysql /etc/mysql/ssl/
```

Edit the MySQL configuration file (e.g., `/etc/my.cnf` or `/etc/mysql/my.cnf`) to include the following lines under the `[mysqld]` section:

```ini
[mysqld]
ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-key=/etc/mysql/ssl/server-key.pem
```

To enforce secure connections, add:

```ini
require_secure_transport=ON
```

3. Restart the service

```bash
sudo systemctl restart mysqld
```

4. Configure MySQL clients to use SSL/TLS

Clients need access to the CA certificate to verify the server's certificate. Copy the `ca-cert.pem` file to the client machine securely. To connect on the client side:

```bash
mysql --ssl-ca=ca-cert.pem -u username -p
```

To enforce SSL/TLS usage for a specific user, execute the following query:

```sql
ALTER USER 'username'@'host' REQUIRE SSL;
```

To verify SSL status:

```sql
SHOW STATUS LIKE 'Ssl_cipher';
```

When you update certificates or keys:

```sql
ALTER INSTANCE RELOAD TLS;
```

This command applies the new certificates to new connections while keeping existing connections intact.
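An added example (not part of the original cheat-sheet) that runs step 1 non-interactively and then performs the checks worth doing before pointing mysqld at the files: the server certificate chains to the CA, the CA and server subjects differ (MySQL rejects a server certificate whose Common Name equals the CA's), and the private key is not readable by other users. The directory and the CN values are assumptions; `make_mysql_certs` and `verify_mysql_certs` are names chosen here.

```bash
#!/usr/bin/env bash
# Added example, not part of the original cheat-sheet: non-interactive CA +
# server certificate generation for MySQL, followed by pre-deployment checks.
# Directory and CN values are assumptions for the demo.
set -u

# make_mysql_certs DIR [CA_CN] [SERVER_CN] : writes ca-key.pem, ca-cert.pem,
# server-key.pem, server-cert.pem into DIR; private keys end up mode 0600
make_mysql_certs() {
    local dir="$1" ca_cn="${2:-Example CCDC CA}" server_cn="${3:-db.example.internal}"
    mkdir -p "$dir"
    (
        cd "$dir" &&
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ca-key.pem 2>/dev/null &&
        openssl req -new -x509 -key ca-key.pem -out ca-cert.pem -days 3650 -subj "/CN=$ca_cn" 2>/dev/null &&
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out server-key.pem 2>/dev/null &&
        openssl req -new -key server-key.pem -out server-req.pem -subj "/CN=$server_cn" 2>/dev/null &&
        openssl x509 -req -in server-req.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial \
            -out server-cert.pem -days 3650 2>/dev/null &&
        chmod 600 ca-key.pem server-key.pem
    )
}

# verify_mysql_certs DIR : prints OK and returns 0 only if the server cert chains
# to the CA, the two subjects differ, and server-key.pem is mode 600
verify_mysql_certs() {
    local dir="$1" ca_subj srv_subj mode
    if ! openssl verify -CAfile "$dir/ca-cert.pem" "$dir/server-cert.pem" >/dev/null 2>&1; then
        echo "FAIL: server-cert.pem does not chain to ca-cert.pem (signed by another CA?)"; return 1
    fi
    ca_subj=$(openssl x509 -in "$dir/ca-cert.pem" -noout -subject)
    srv_subj=$(openssl x509 -in "$dir/server-cert.pem" -noout -subject)
    if [ "$ca_subj" = "$srv_subj" ]; then
        echo "FAIL: CA and server certificates share a subject; MySQL will reject them"; return 1
    fi
    mode=$(stat -c %a "$dir/server-key.pem" 2>/dev/null || stat -f %Lp "$dir/server-key.pem")
    if [ "$mode" != "600" ]; then
        echo "FAIL: server-key.pem mode is $mode, expected 600"; return 1
    fi
    echo "OK"
}

# Demo in a throwaway directory; on a real host write to /etc/mysql/ssl and
# chown the files to mysql:mysql as in step 2.
demo=$(mktemp -d)
make_mysql_certs "$demo" && verify_mysql_certs "$demo"
rm -rf "$demo"
```

On the client side, `--ssl-ca` alone only supplies the CA file; with the default `--ssl-mode=PREFERRED` the connection is encrypted but the server certificate is not checked against it. Add `--ssl-mode=VERIFY_CA` to the `mysql` command from step 4 if you want the client to refuse a server that does not present a certificate signed by this CA.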