1 00:00:00,500 --> 00:00:06,080 Hello and welcome back to the official Start Cop series, the certified Carry On s pentester.
2 00:00:07,490 --> 00:00:12,140 This module will be on monitoring and managing Linux processes.
3 00:00:15,870 --> 00:00:18,510 And we'll talk about Linux process management.
4 00:00:23,650 --> 00:00:29,890 So it's generally important to think about security in the terms of the scope of all the
5 00:00:31,370 --> 00:00:33,070 different methodologies that are out there.
6 00:00:33,080 --> 00:00:39,620 There are so many different types of tools, and picking the right balance of security can be difficult.
7 00:00:39,620 --> 00:00:44,840 And it also largely depends a lot on your organization's objectives.
8 00:00:46,090 --> 00:00:51,260 It's about providing security to a system; it has to be built in from the ground up.
9 00:00:55,290 --> 00:00:56,280 So this is the outline.
10 00:00:56,640 --> 00:00:58,290 We're going to talk about security policies.
11 00:00:58,290 --> 00:00:59,580 We're going to look at risks.
12 00:00:59,910 --> 00:01:03,270 We're going to look at different security measures to minimize risk.
13 00:01:03,780 --> 00:01:07,680 We'll look at the different types of attacks that we're going to mitigate.
14 00:01:08,100 --> 00:01:11,310 We'll talk about network firewalls.
15 00:01:12,030 --> 00:01:13,130 Network services.
16 00:01:13,290 --> 00:01:23,490 Look at Linux's iptables, as well as the different rules and other monitoring and logging resources.
17 00:01:28,020 --> 00:01:29,190 This is our chapter flow.
18 00:01:29,190 --> 00:01:35,430 So we're going to start out with security policy and our policy around work, all the way up to dpkg
19 00:01:35,430 --> 00:01:37,800 and host intrusion detection system.
20 00:01:41,330 --> 00:01:47,030 So the security policy of Linux, the definition that outlines the rules and practices that are going
21 00:01:47,030 --> 00:01:47,840 to be followed
22 00:01:49,040 --> 00:01:56,000 with respect to security in an organization. How can an organization protect their sensitive data?
23 00:01:57,750 --> 00:02:03,900 This is typically driven by a security policy, or potentially by a compliance framework that might dictate
24 00:02:03,900 --> 00:02:04,860 security policy.
25 00:02:05,220 --> 00:02:11,040 So in creating a security policy, you want to make sure that it's simple and easy for everyone to understand.
26 00:02:12,800 --> 00:02:19,670 And the objective of the policy is to be able to protect data while keeping the privacy of users intact.
27 00:02:30,680 --> 00:02:35,810 So for these three points on the screen here, think about: what are you trying to protect?
28 00:02:37,250 --> 00:02:42,680 What are you trying to protect against, or what types of attacks, and who are you trying to protect from?
29 00:02:42,680 --> 00:02:44,600 So whether it's advanced persistent threats,
30 00:02:44,990 --> 00:02:46,910 script kiddies, nation states,
31 00:02:47,240 --> 00:02:48,290 insider threats.
32 00:02:50,440 --> 00:02:51,940 All of these things go into
33 00:02:53,710 --> 00:02:55,660 your overall security policy.
34 00:02:58,510 --> 00:03:02,020 So how do we do security measures? Well, we can do
35 00:03:04,320 --> 00:03:06,000 services like fail2ban.
36 00:03:06,000 --> 00:03:12,750 That'll make it a lot harder to be able to brute force passwords on servers. We can install fail2ban.
37 00:03:14,310 --> 00:03:23,580 If you're running Apache or Nginx, you want to always run in HTTPS mode, or port 443.
38 00:03:23,950 --> 00:03:26,160 You always want to be running securely.
39 00:03:30,020 --> 00:03:35,720 You can also use full disk encryption for devices like laptops, and especially if they're going to
40 00:03:35,720 --> 00:03:37,940 be portable or that people are going to be traveling.
41 00:03:38,270 --> 00:03:44,120 You want to think about this from a perspective of your data in use and your data at rest.
42 00:03:46,090 --> 00:03:49,420 So data just sitting on the system not being used,
43 00:03:49,420 --> 00:03:50,650 that's generally data at rest.
44 00:03:50,650 --> 00:03:53,890 If you're talking about data that's on a system, it's in use.
45 00:03:54,670 --> 00:03:56,080 That means data in use.
46 00:03:56,080 --> 00:04:01,570 And then you have data in transit, which is data that's traversing over some type of network.
47 00:04:03,540 --> 00:04:06,090 So let's go ahead and open up our Kali Linux VM.
48 00:04:11,460 --> 00:04:16,260 I'm going to go ahead and run the netstat command to see what services we actually have running.
49 00:04:16,770 --> 00:04:24,660 And we can see we only have port 22 open right now, listening.
50 00:04:25,830 --> 00:04:29,190 So let's go ahead and do, let's clear the screen.
51 00:04:29,550 --> 00:04:35,130 Let's do an apt-get install fail2ban so you can see what that looks like.
52 00:04:35,520 --> 00:04:37,080 Now we have to make sure we're root.
53 00:04:38,670 --> 00:04:44,850 In this case, we're using the Kali Linux account, or the kali/kali account,
54 00:04:51,750 --> 00:04:55,500 and it's going to take a little bit of time to download. While it's downloading,
55 00:05:01,670 --> 00:05:05,850 Kali Linux has some other things that are available.
56 00:05:05,870 --> 00:05:14,360 There are no firewalls by default in Kali, but there are programs like the Uncomplicated
57 00:05:14,360 --> 00:05:20,780 Firewall, and there's even a graphical version for it as well.
58 00:05:21,500 --> 00:05:29,120 So the new version of your Uncomplicated Firewall is usually UFW, so it's not installed by default.
59 00:05:29,900 --> 00:05:33,350 So we'll do an apt-get install
60 00:05:34,760 --> 00:05:37,400 the Uncomplicated Firewall, or ufw.
61 00:05:38,720 --> 00:05:43,940 So the main thing to think about when you're talking about weddings, there are certain
62 00:05:45,910 --> 00:05:49,840 choices you have to make, and really for any Linux distro for that matter.
63 00:05:49,840 --> 00:05:55,690 But notice it created a config file in the /etc/ufw directory, so that'd be important for later.
64 00:05:56,350 --> 00:05:58,870 But let's also install the GUI
65 00:06:01,960 --> 00:06:05,560 for the Uncomplicated Firewall too, so you can have some contrast.
66 00:06:13,400 --> 00:06:20,270 Kali Linux also has a nuke password function which can be used to essentially destroy all the keys
67 00:06:20,270 --> 00:06:22,460 on an encrypted partition.
68 00:06:24,810 --> 00:06:27,030 We're not, of course, going to do that through our virtual machine.
69 00:06:33,240 --> 00:06:37,620 But this is the program if you're managing encrypted volumes.
70 00:06:40,930 --> 00:06:48,340 And it supports various algorithms like TrueCrypt, which has since been replaced by VeraCrypt, and
71 00:06:48,340 --> 00:06:50,770 even the Windows BitLocker solution.
72 00:06:51,690 --> 00:06:51,890 Okay.
73 00:06:52,890 --> 00:06:54,510 So let's go ahead and get out of here.
74 00:06:57,470 --> 00:07:03,050 So what we want to do is we want to set packet filtering rules on the firewall to stop people from being
75 00:07:03,050 --> 00:07:05,030 able to scan the network.
76 00:07:06,800 --> 00:07:08,330 But how do we do that?
77 00:07:11,990 --> 00:07:13,580 So we have to lock down services.
78 00:07:13,580 --> 00:07:21,260 So there are rules, or basic security rules, and these are things you should definitely take with you,
79 00:07:22,310 --> 00:07:27,290 whether you're on an ethical hacking perspective or maybe you're on the defensive team at one point,
80 00:07:27,560 --> 00:07:32,930 but if you don't need a service, turn it off, because every service and every port that is open
81 00:07:34,370 --> 00:07:39,500 gives an attacker even more room to maneuver and potentially
82 00:07:40,570 --> 00:07:41,740 find another way in.
83 00:07:43,720 --> 00:07:46,630 It adds to what we call the attack surface.
84 00:07:47,170 --> 00:07:53,470 So some services that might be on by default, they don't have any credentials, or they only allow the
85 00:07:53,470 --> 00:07:55,890 set credentials on the first use.
86 00:07:55,930 --> 00:08:01,460 And also, many services will run as root with full administrator privileges.
87 00:08:01,470 --> 00:08:02,800 So you want to be careful with that.
88 00:08:04,120 --> 00:08:09,910 For example, the Browser Exploitation Framework, which is built into Kali, has the default password
89 00:08:09,910 --> 00:08:14,050 of beef and beef, which are hardcoded into the source code.
90 00:08:14,170 --> 00:08:15,070 So if we look at
91 00:08:18,110 --> 00:08:19,490 some of the exploit frameworks
92 00:08:22,800 --> 00:08:23,790 in the new version,
93 00:08:23,790 --> 00:08:24,300 they've
94 00:08:26,640 --> 00:08:27,950 moved things around a little bit.
95 00:08:27,960 --> 00:08:31,170 So depending on the version you install, you may see
96 00:08:32,510 --> 00:08:34,250 things in different locations.
97 00:08:36,110 --> 00:08:36,800 You can also
98 00:08:38,090 --> 00:08:40,100 type at the search box.
99 00:08:41,030 --> 00:08:46,610 But BeEF is the Browser Exploitation Framework, which has been removed in the newer versions because
100 00:08:46,610 --> 00:08:48,140 of security considerations.
101 00:08:48,440 --> 00:08:50,030 But you can always install it.
102 00:08:54,660 --> 00:08:57,080 So let's look at firewalls.
103 00:08:57,130 --> 00:08:58,200 So what is a firewall?
104 00:08:58,230 --> 00:09:01,770 A firewall is really just a piece of software or hardware
105 00:09:03,310 --> 00:09:05,680 that checks the incoming and outgoing packets
106 00:09:06,430 --> 00:09:08,190 based on a certain set of rules.
107 00:09:08,200 --> 00:09:13,570 So the point of the firewall is that there are a couple of different kinds,
108 00:09:14,500 --> 00:09:16,000 and we'll talk about those in a minute.
109 00:09:16,000 --> 00:09:21,640 But you have to think about traffic from both directions, incoming and outgoing.
110 00:09:22,100 --> 00:09:26,980 There's, you know, firewalls on many systems, like, for example, the Windows Defender Firewall
111 00:09:27,760 --> 00:09:30,160 or the Uncomplicated Firewall, which is in Kali.
112 00:09:30,760 --> 00:09:32,050 So let's go ahead and,
113 00:09:37,620 --> 00:09:42,450 let's go ahead and check on the status of the Uncomplicated Firewall.
114 00:09:45,360 --> 00:09:46,950 That's currently not running.
115 00:09:48,900 --> 00:09:50,580 So we're going to go ahead and start it.
116 00:09:58,550 --> 00:09:59,040 I see.
117 00:09:59,080 --> 00:10:01,420 It's now active, and it's excellent.
118 00:10:02,540 --> 00:10:03,920 So it started and finished.
119 00:10:03,920 --> 00:10:08,060 So there's not currently any rules set.
120 00:10:08,060 --> 00:10:12,360 But you can see this is the program for managing the Linux firewall.
121 00:10:12,380 --> 00:10:17,150 The other option you have, it's also called netfilter, or network filter.
122 00:10:17,870 --> 00:10:18,920 But you have the
123 00:10:20,610 --> 00:10:22,020 iptables component.
124 00:10:22,020 --> 00:10:29,030 You have arptables, you have many different options with respect to packet filtering inside of Kali
125 00:10:29,040 --> 00:10:29,520 Linux.
126 00:10:33,750 --> 00:10:40,080 So the Linux kernel essentially uses the netfilter firewall, which can be controlled from the user
127 00:10:40,080 --> 00:10:44,310 space with the iptables and ip6tables.
128 00:10:44,310 --> 00:10:48,100 So it's IP SIG or iptables, that's for IP version four.
129 00:10:48,870 --> 00:10:51,840 If it's ip6tables, that's for IP version six.
130 00:10:54,490 --> 00:11:00,690 And there's also another tool called Firewall Builder, or fwbuilder, if you want a GUI based tool
131 00:11:03,590 --> 00:11:04,910 to be able to put rules in.
132 00:11:04,910 --> 00:11:06,110 So let's go ahead and
133 00:11:08,540 --> 00:11:12,740 take a look at the GUI Uncomplicated Firewall.
134 00:11:14,010 --> 00:11:15,480 And this is pretty much what it looks like.
135 00:11:15,480 --> 00:11:18,210 You can set different profiles for different networks.
136 00:11:18,780 --> 00:11:21,210 You can pick whether it's incoming or outgoing.
137 00:11:22,320 --> 00:11:24,390 And you can set different rules based on
138 00:11:26,280 --> 00:11:26,940 certain programs.
139 00:11:26,940 --> 00:11:31,110 Of course, it's off right now, so we had to turn it on to be able to set rules.
140 00:11:31,680 --> 00:11:37,050 You can do simple allow or deny, or just even limiting particular traffic.
141 00:11:37,470 --> 00:11:39,720 You can limit certain applications
142 00:11:41,290 --> 00:11:45,520 based on categories, and you can pick a direction, incoming or outgoing or both.
143 00:11:47,780 --> 00:11:49,550 So let's say I want to block
144 00:11:53,670 --> 00:11:55,350 games traffic from,
145 00:11:57,140 --> 00:11:59,240 Battlefield 1942.
146 00:12:01,110 --> 00:12:01,890 And we'd say
147 00:12:03,860 --> 00:12:07,340 deny both directions, and we could add.
148 00:12:10,040 --> 00:12:15,620 And we now have a rule, and that's it, it added the support for that particular application.
149 00:12:16,640 --> 00:12:19,460 And then whenever we try to run that application, we'll get an entry in the log.
150 00:12:20,960 --> 00:12:22,490 Let's go ahead and open up a
151 00:12:26,480 --> 00:12:27,170 new tab.
152 00:12:30,650 --> 00:12:39,050 Let's do a sudo apt-get install fwbuilder and put our password in.
153 00:12:40,540 --> 00:12:41,860 So it's 40 megabytes.
154 00:12:41,860 --> 00:12:44,710 It's a little bit bigger than the Uncomplicated Firewall, but,
155 00:12:47,320 --> 00:12:49,900 and this will work on both Linux, Unix and Windows,
156 00:12:52,280 --> 00:12:53,810 I believe macOS as well.
157 00:13:07,530 --> 00:13:10,290 So the Firewall Builder is also on
158 00:13:12,000 --> 00:13:14,640 SourceForge as well as GitHub.
159 00:13:14,700 --> 00:13:18,330 If you want to download it, you click download and pick your
160 00:13:18,990 --> 00:13:21,240 It's under the GNU GPL license.
161 00:13:21,600 --> 00:13:23,640 You go and download the version that you want,
162 00:13:24,790 --> 00:13:30,430 whether it's Windows or whether it's Ubuntu, you've got Debian packages. Of course, you can
163 00:13:30,430 --> 00:13:33,010 just install it from the Kali repository.
164 00:13:42,600 --> 00:13:47,970 Now that it's installed, we can look at the multi-platform firewall configuration tool.
165 00:13:48,090 --> 00:13:56,730 So it's a GUI, and it supports firewalls based on iptables for the kernel, ipfilter, pf and Cisco
166 00:13:56,730 --> 00:13:59,190 PIX and many other different types of firewalls.
167 00:14:03,870 --> 00:14:09,540 So how do we configure firewalls? Well, we have netfilter, which does four distinct tables.
168 00:14:10,110 --> 00:14:13,350 So it has, of course, the filter itself, which are the rules.
169 00:14:16,610 --> 00:14:22,520 And netfilter is a mechanism provided by the kernel that enables you to customize handlers
170 00:14:22,880 --> 00:14:25,400 to implement various network related operations.
171 00:14:26,570 --> 00:14:34,430 Packet filtering, NAT, network address translation, where you're translating source and destination addresses
172 00:14:34,880 --> 00:14:36,170 to particular ports.
173 00:14:37,600 --> 00:14:38,470 And then you have
174 00:14:41,390 --> 00:14:47,900 That filter can be controlled with the help of the terminal and iptables and ip6tables.
175 00:14:49,670 --> 00:14:59,330 Mangle will actually change the IP packet itself, and then the raw table
176 00:15:00,200 --> 00:15:07,520 allows other modifications before the packet reaches the connection tracking, and each table contains
177 00:15:07,520 --> 00:15:09,260 a list of rules called chains.
178 00:15:09,680 --> 00:15:15,500 The firewall uses the standard chains to handle packets based on predefined circumstances.
179 00:15:18,840 --> 00:15:22,150 With respect to the different chains and the tables we have,
180 00:15:22,630 --> 00:15:24,370 let's now take a look at the different
181 00:15:25,930 --> 00:15:28,300 standard chains on the netfilter table.
182 00:15:34,460 --> 00:15:38,120 So there are three standard chains, essentially INPUT,
183 00:15:42,130 --> 00:15:43,600 which are packets that
184 00:15:45,350 --> 00:15:47,450 are destined for the firewall itself.
185 00:15:48,020 --> 00:15:53,870 Then you have the OUTPUT, which are packets that are going to be emitted by the firewall, are going
186 00:15:53,870 --> 00:15:54,590 to be sent out.
187 00:16:00,440 --> 00:16:05,250 Then you have FORWARD packets, which means packets that pass through the firewall, which is not their
188 00:16:05,250 --> 00:16:06,570 source nor their destination.
189 00:16:07,230 --> 00:16:14,760 So with the NAT table, there's also three standard chains, one for PREROUTING, which modifies packets
190 00:16:14,760 --> 00:16:19,980 as soon as they arrive, one for POSTROUTING, which modifies them when they're ready to go on their
191 00:16:19,980 --> 00:16:20,340 way.
192 00:16:25,380 --> 00:16:29,700 Then lastly, the OUTPUT, to modify packets generated by the firewall itself.
193 00:16:32,310 --> 00:16:35,820 So let's look at the different syntax table,
194 00:16:37,100 --> 00:16:39,300 or syntax of iptables.
195 00:16:40,020 --> 00:16:41,220 ip6tables for
196 00:16:41,220 --> 00:16:42,330 IP version six.
197 00:16:51,210 --> 00:16:51,840 So there's that.
198 00:16:52,290 --> 00:16:57,540 The three major options are -L, which lists the rules in the chain.
199 00:17:01,100 --> 00:17:03,200 So let's go back over to our Kali box.
200 00:17:05,240 --> 00:17:06,860 Go ahead and make it full screen.
201 00:17:19,780 --> 00:17:24,160 So we can see iptables -t for the table, and then
202 00:17:26,090 --> 00:17:26,570 -A,
203 00:17:27,660 --> 00:17:30,300 -C or -D for the chain, and then the rule.
204 00:17:37,980 --> 00:17:39,120 So we'll go ahead and do
205 00:17:45,760 --> 00:17:48,400 So iptables is not currently in use in this case,
206 00:17:51,250 --> 00:17:53,590 because it's using the Uncomplicated Firewall.
207 00:17:55,180 --> 00:18:01,180 So one of the things I was saying about, you have to enable it for the system, so you can either use iptables
208 00:18:01,180 --> 00:18:04,780 or you can use the Uncomplicated Firewall.
209 00:18:17,440 --> 00:18:29,470 So if we do iptables -n -L for INPUT, well, it's not showing up because
210 00:18:30,100 --> 00:18:30,940 we're not sudo.
211 00:18:30,940 --> 00:18:31,960 So we have to be root.
212 00:18:39,040 --> 00:18:43,630 So there's all of the IP chains, or the iptables
213 00:18:43,630 --> 00:18:44,140 chains.
214 00:18:46,070 --> 00:18:51,980 Some of these were added in by the Uncomplicated Firewall, as we have, except we have a DROP.
215 00:18:54,880 --> 00:18:55,930 So we can pick our
216 00:18:58,690 --> 00:19:00,250 Let's clear the screen again.
217 00:19:12,760 --> 00:19:14,590 So these are all the INPUT rules.
218 00:19:14,920 --> 00:19:20,180 So our Uncomplicated Firewall before logging, before input, after input.
219 00:19:20,200 --> 00:19:26,620 So this is how you essentially manipulate the rules. If we're going to do a -N, that will actually
220 00:19:26,620 --> 00:19:27,760 create a new chain.
221 00:19:30,560 --> 00:19:32,090 If you want to test a new service
222 00:19:34,870 --> 00:19:35,800 or something like that,
223 00:19:36,130 --> 00:19:39,010 that might be a reason why you would create a new chain.
224 00:19:54,770 --> 00:19:56,810 So we just created a new chain.
225 00:20:18,050 --> 00:20:19,910 And there we can see our new chain at the bottom.
226 00:20:20,950 --> 00:20:22,570 So we need to create new chains.
227 00:20:22,570 --> 00:20:23,500 That's definitely
228 00:20:24,900 --> 00:20:25,680 the way you do it.
229 00:20:25,680 --> 00:20:31,500 If you're doing a chain that is empty and you say, do you want to delete it later?
230 00:20:31,920 --> 00:20:33,930 You can do that with the following command,
231 00:20:40,680 --> 00:20:43,680 iptables -X and then the name of the chain.
232 00:20:44,940 --> 00:20:47,430 And now notice when we do the iptables
233 00:20:49,110 --> 00:20:53,160 -L command that the chain is no longer there.
234 00:20:56,700 --> 00:21:01,200 So that's how you add and remove chains within iptables.
235 00:21:05,970 --> 00:21:09,540 We can also add rules at the end of given chains.
236 00:21:10,020 --> 00:21:13,260 We can delete individual rules inside of the chain.
237 00:21:17,240 --> 00:21:19,880 You can use the -F for flushing a chain as well.
238 00:21:22,020 --> 00:21:26,880 And the syntax is pretty much the same for ip6tables.
239 00:21:30,060 --> 00:21:31,710 You just put a six in front of the,
240 00:21:33,650 --> 00:21:35,330 or in between ip and tables.
241 00:21:46,180 --> 00:21:49,330 And there's all the ip6tables chains.
242 00:22:09,150 --> 00:22:14,010 So if you wanted to, once you have your chains, then you can start working with things like rules.
243 00:22:14,520 --> 00:22:21,240 For example, if you wanted to deny all incoming traffic, you could do iptables
244 00:22:22,140 --> 00:22:25,560 -P and you could say INPUT DROP.
245 00:22:27,370 --> 00:22:28,210 Essentially
246 00:22:30,120 --> 00:22:31,770 all of the traffic
247 00:22:37,640 --> 00:22:40,370 would now not be permitted to come through, based on the rule.
248 00:22:49,000 --> 00:22:50,500 So we do have iptables.
249 00:22:52,390 --> 00:22:58,060 You can also do --list as well, which does the same thing as the upper case L.
250 00:23:02,500 --> 00:23:03,880 And there's the INPUT,
251 00:23:05,680 --> 00:23:06,640 policy DROP.
252 00:23:16,430 --> 00:23:18,350 So let's change that back to ACCEPT.
253 00:23:22,000 --> 00:23:23,020 So clear the screen here,
254 00:23:27,400 --> 00:23:28,100 and there we go.
255 00:23:28,120 --> 00:23:29,770 So we can now accept traffic again.
256 00:23:30,550 --> 00:23:32,290 You can do that in many different ways.
257 00:23:32,920 --> 00:23:40,150 IPv4 tables, or iptables, applies to IP version four. ip6tables, of course, applies to IP version six.
258 00:23:40,870 --> 00:23:42,670 So now let's look at the different rules.
259 00:23:43,060 --> 00:23:50,140 So each rule creates essentially one invocation of iptables or ip6tables, and rules are stored in
260 00:23:50,140 --> 00:23:50,740 a script.
261 00:23:51,490 --> 00:23:55,420 So the system is automatically configured the same way every time it boots.
262 00:23:56,620 --> 00:23:59,860 So we already installed fwbuilder.
263 00:23:59,950 --> 00:24:01,510 So let's go ahead and run that.
264 00:24:09,160 --> 00:24:10,720 And we now have our GUI here.
265 00:24:10,960 --> 00:24:12,160 We see our quick start.
266 00:24:12,910 --> 00:24:17,920 You can watch the guide or you can hit close, and you can go ahead and start looking at your different
267 00:24:18,820 --> 00:24:19,450 rules.
268 00:24:21,030 --> 00:24:23,340 You can look at standard filters,
269 00:24:24,150 --> 00:24:25,020 standard rules.
270 00:24:29,010 --> 00:24:29,870 You can do a user.
271 00:24:29,880 --> 00:24:33,300 We can create a new firewall, or call it a new object.
272 00:24:37,160 --> 00:24:42,260 New firewall, and we'll pick what software it's running on so we can add in.
273 00:24:42,260 --> 00:24:44,570 We can essentially build out our network with this tool.
274 00:24:45,170 --> 00:24:46,280 It's very useful.
275 00:24:47,030 --> 00:24:51,920 Let's say this one's an ASA, and we'll say next, and then you'll have to give it
276 00:24:51,920 --> 00:24:55,100 the SNMP read and write community string.
277 00:24:56,810 --> 00:24:59,180 Or you can configure the interfaces manually.
278 00:25:01,180 --> 00:25:04,600 Then you have to actually add the physical interface and the IP address.
279 00:25:15,460 --> 00:25:20,950 The main thing to think about when you're building an actual firewall, you want to think about your
280 00:25:23,060 --> 00:25:27,710 interfaces, you know, networks, your servers, and then what ports you want to allow.
281 00:25:27,710 --> 00:25:33,080 So the services are based on IP, ICMP, TCP, UDP.
282 00:25:33,560 --> 00:25:34,370 It could even
283 00:25:37,900 --> 00:25:39,910 be done based on policies.
284 00:25:39,910 --> 00:25:44,530 You can actually add new firewalls and services from this menu as well.
285 00:25:46,680 --> 00:25:48,450 I'll say this one's iptables.
286 00:25:52,220 --> 00:25:58,190 Call it the Kali firewall, and we'll say boom and finish.
287 00:26:12,780 --> 00:26:14,520 Now let's talk about monitoring and logging.
288 00:26:14,520 --> 00:26:21,330 Monitoring and logging are pretty important with security, especially from a defensive side, but also
289 00:26:21,540 --> 00:26:25,320 from an offensive side, because you can get a lot of information from logs.
290 00:26:25,320 --> 00:26:28,470 So they need to be monitored securely.
291 00:26:28,800 --> 00:26:34,290 There's a program called logcheck, which will monitor logs every hour by default
292 00:26:34,290 --> 00:26:37,920 and it'll send unusual messages to administrators.
293 00:26:39,240 --> 00:26:39,810 And so
294 00:26:41,110 --> 00:26:44,980 let's go ahead and switch over to our Kali box and we'll
295 00:26:55,570 --> 00:27:00,520 So we'll go do an apt-get install logcheck, because it's not installed.
296 00:27:00,700 --> 00:27:05,320 So you have to do a little bit of work there to get it installed first.
297 00:27:06,190 --> 00:27:12,040 You can have it report different values, whether it's a paranoid level, server level and even a workstation
298 00:27:12,040 --> 00:27:12,430 level.
299 00:27:12,790 --> 00:27:18,280 So paranoid is very verbose and should probably be restricted to servers that are
300 00:27:20,780 --> 00:27:25,790 your highest, high importance servers, and things like firewalls and so on and so forth.
301 00:27:26,330 --> 00:27:30,710 So server is the default mode that's recommended for most servers.
302 00:27:32,750 --> 00:27:34,580 So it's good to look at logcheck.
303 00:27:35,510 --> 00:27:38,150 So this will scan your logs for interesting lines.
304 00:27:44,120 --> 00:27:47,990 So the list of monitored files is in the
305 00:27:49,720 --> 00:27:52,690 /etc/logcheck subfolder.
306 00:27:59,480 --> 00:28:03,500 And it also will look at the rsyslog directory as well.
307 00:28:08,210 --> 00:28:15,770 So there's logcheck, and we can see the different log files and also the config file,
308 00:28:18,800 --> 00:28:22,880 as the config file for, based on what you want to monitor.
309 00:28:45,620 --> 00:28:47,690 So this is the rsyslog config.
310 00:28:47,690 --> 00:28:53,270 So this is what is kind of getting run by standard on Linux.
311 00:28:53,270 --> 00:29:00,080 So it's keeping track of the cron job, the authorization log, the privileged authorization log,
312 00:29:00,080 --> 00:29:01,070 the user log.
313 00:29:01,700 --> 00:29:04,700 These are all going to be in your /var/log directory.
314 00:29:06,620 --> 00:29:10,190 So you could have logcheck monitor some of these as well.
315 00:29:12,950 --> 00:29:20,000 Generally you want to customize logcheck to include some extra messaging depending on services,
316 00:29:20,300 --> 00:29:23,660 unless you want to get a lot of just non-useful information.
317 00:29:35,680 --> 00:29:45,070 So again, we saw the logcheck log files, and now let's talk about top. top is a very flexible
318 00:29:45,070 --> 00:29:47,620 tool, comes with most Linux distributions.
319 00:29:48,460 --> 00:29:53,860 Let's go back to our Kali distro and let's look at top.
320 00:29:54,250 --> 00:30:01,420 So this displays Linux processes, and essentially you can look at things like your command line, you
321 00:30:01,420 --> 00:30:06,940 can look at CPU, memory, all that kind of stuff.
322 00:30:06,940 --> 00:30:07,240 So,
323 00:30:09,530 --> 00:30:11,990 unlike other commands, like ps, it's interactive.
324 00:30:11,990 --> 00:30:15,500 So you can browse through the list or you can kill processes.
325 00:30:16,430 --> 00:30:19,520 So let's just go ahead and open it up.
326 00:30:19,520 --> 00:30:20,360 So there's top.
327 00:30:20,780 --> 00:30:27,320 You can see that it has the uptime, currently one user, what kind of load it has, you can see things
328 00:30:27,320 --> 00:30:35,870 like memory, and then notice there's a process ID, the user, and then a priority, and it also keeps track
329 00:30:35,870 --> 00:30:38,270 of the percentages of your CPU and your memory.
330 00:30:44,310 --> 00:30:49,440 So the upper half has the output with resources while the lower half has the processes.
331 00:30:49,440 --> 00:30:55,560 So you can actually use the arrow keys to scroll down through it, or the page up and page down keys.
332 00:30:57,760 --> 00:30:59,740 And if you want to quit, just press q.
333 00:31:00,520 --> 00:31:06,880 There's one more logging tool that I want to show you, because I do like variety and I like color in
334 00:31:06,880 --> 00:31:07,720 my slides.
335 00:31:08,290 --> 00:31:10,900 So let's go ahead and look at htop.
336 00:31:13,720 --> 00:31:16,270 You're not going to have it by default in most cases.
337 00:31:16,600 --> 00:31:18,190 It's very much like top.
338 00:31:18,760 --> 00:31:21,160 And it also has a
339 00:31:23,750 --> 00:31:28,190 little fancier interface, for lack of a better word.
340 00:31:28,610 --> 00:31:30,380 So let's go ahead and look at htop.
341 00:31:31,010 --> 00:31:33,830 Notice that you have a color coded scheme.
342 00:31:34,340 --> 00:31:41,690 You actually get kind of a bar graph chart showing how much memory, out of how much swap space as
343 00:31:41,690 --> 00:31:44,960 well, and what the average load is.
344 00:31:46,010 --> 00:31:49,880 And it has, at the bottom, notice it has some different commands.
345 00:31:49,880 --> 00:31:53,330 You can change the nice values, which we'll get into a little bit later.
346 00:31:53,870 --> 00:31:56,180 You can search for specific processes.
347 00:31:57,160 --> 00:32:00,430 Like, for example, I wanted to search for Firefox.
348 00:32:00,440 --> 00:32:03,740 It's not currently running, but maybe I want to search for
349 00:32:07,880 --> 00:32:10,520 the current job so I can jump right to it.
350 00:32:11,270 --> 00:32:13,260 So it's a nice way to be able to
351 00:32:15,710 --> 00:32:16,460 work with it.
352 00:32:16,460 --> 00:32:22,430 You can actually look at the tree structure as well and see where the processes have spawned from.
353 00:32:24,010 --> 00:32:30,460 So if you scroll up to the top, you can see what folder the file is coming out of and where
354 00:32:30,460 --> 00:32:31,060 it's running from.
355 00:32:31,060 --> 00:32:33,580 So it's a very useful monitoring tool.
356 00:32:33,880 --> 00:32:36,880 You can also filter out based on certain criteria.
357 00:32:38,030 --> 00:32:40,100 So maybe I want to filter based on just
358 00:32:40,100 --> 00:32:40,460 /usr.
359 00:32:42,160 --> 00:32:43,780 So it's very, very useful.
360 00:32:43,880 --> 00:32:45,820 And once you're done, you can hit enter.
361 00:32:46,150 --> 00:32:49,660 If you want to collapse everything, you can press F6.
362 00:32:50,590 --> 00:32:53,410 Maybe you want to customize it to what you want it to show.
363 00:32:53,920 --> 00:32:58,240 So even though it's a command line utility, it's a very useful tool.
364 00:32:59,020 --> 00:33:00,430 Let's go ahead and get out of here.
365 00:33:00,850 --> 00:33:02,110 Let's look at one more.
366 00:33:03,160 --> 00:33:06,780 There is GNOME System Monitor,
367 00:33:09,280 --> 00:33:16,480 and it is very much like top and provides a lot of the same features.
368 00:33:16,900 --> 00:33:20,440 But it may not be installed by default depending on what
369 00:33:24,040 --> 00:33:27,630 flavor or what desktop environment of Kali you installed.
370 00:33:27,640 --> 00:33:29,620 So you will have to install it.
371 00:33:29,650 --> 00:33:31,630 And this is the actual package.
372 00:33:32,020 --> 00:33:35,830 But there's a couple other dependencies, the libraries that go with it.
373 00:33:36,490 --> 00:33:38,140 So we can go ahead and let that install.
374 00:33:53,580 --> 00:33:54,780 Go and clear the screen.
375 00:34:09,890 --> 00:34:11,780 And there's the GNOME System Monitor.
376 00:34:11,780 --> 00:34:18,260 So it's roughly the same features as top, but it's in a more graphical interface, and click between
377 00:34:18,800 --> 00:34:21,350 resources, processes.
378 00:34:21,830 --> 00:34:26,150 It's also very similar to the Windows Task Manager.
379 00:34:26,750 --> 00:34:31,730 You can click on processes, or you have a little menu down here at the bottom right where you 380 00:34:31,730 --> 00:34:32,960 can get some more information. 381 00:34:33,350 --> 00:34:34,760 How much CPU time? 382 00:34:34,970 --> 00:34:35,350 What the 383 00:34:35,510 --> 00:34:40,550 priority is, the nice value, and the other information about it. 384 00:34:43,170 --> 00:34:45,660 So it's a very, very useful utility to have. 385 00:34:45,660 --> 00:34:52,600 You can see your CPU kind of in real time, see what file systems you have loaded, of course, on a single 386 00:34:52,620 --> 00:34:52,850 disk. 387 00:34:52,860 --> 00:34:55,470 So you may have more disks here if you run this, but no. 388 00:34:56,010 --> 00:35:00,840 So we looked at top, htop, and also GNOME System Monitor. 389 00:35:02,070 --> 00:35:07,820 So if you want to kill an application that you're in, you can hit Control-C. We can go back to top 390 00:35:08,460 --> 00:35:08,560 it. 391 00:35:08,590 --> 00:35:10,740 Just make sure that it's not still actually running. 392 00:35:15,360 --> 00:35:23,350 So it's very important to be able to search for things and monitor things within Kali Linux, or for 393 00:35:23,520 --> 00:35:25,170 any Linux, for that matter. 394 00:35:25,770 --> 00:35:29,460 Let's go ahead and get out of this menu. 395 00:35:30,600 --> 00:35:31,530 F10 to quit. 396 00:35:32,010 --> 00:35:32,790 Clear the screen. 397 00:35:38,010 --> 00:35:42,360 So we looked at top, we looked at htop, and we looked at GNOME System Monitor. 398 00:35:42,870 --> 00:35:43,830 There's also 399 00:35:45,430 --> 00:35:47,110 one more we can look at. 400 00:35:47,110 --> 00:35:54,010 There's ps, and if you type the ps aux command, you kind of get a similar view to what you 401 00:35:54,010 --> 00:35:54,760 get in top. 402 00:35:55,030 --> 00:35:59,770 You just don't get as much information and it's not formatted as nicely.
403 00:35:59,800 --> 00:36:05,760 So some people like the ps command, but essentially it's just a snapshot of the current processes. 404 00:36:05,770 --> 00:36:11,830 So if you want a more up-to-date, real-time monitoring solution, that's when you want top. 405 00:36:22,300 --> 00:36:26,080 So let's talk about the Advanced Intrusion Detection Environment. 406 00:36:27,430 --> 00:36:29,470 The Advanced Intrusion Detection Environment. 407 00:36:47,110 --> 00:36:48,640 This may not be installed. 408 00:36:49,630 --> 00:36:53,050 Essentially what this does is it looks at things like file integrity. 409 00:36:53,380 --> 00:37:01,000 So if any files were modified and you have any previous images of the system, this will help 410 00:37:01,330 --> 00:37:02,230 guard against that. 411 00:37:02,710 --> 00:37:04,900 Let's go ahead and clear the screen, 412 00:37:08,290 --> 00:37:11,270 do an apt-get install aide. 413 00:37:11,530 --> 00:37:13,210 And of course, it is case sensitive. 414 00:37:14,200 --> 00:37:21,700 So it's roughly 2500 kilobytes and it takes a little bit to set up the config files. 415 00:37:31,390 --> 00:37:40,900 So AIDE stores its configuration in two places: the /etc/aide/aide.conf file and the 416 00:37:40,900 --> 00:37:47,260 /etc/aide/aide.conf.d file. 417 00:38:02,660 --> 00:38:04,310 So AIDE went ahead and installed. 418 00:38:08,950 --> 00:38:11,110 So the Advanced Intrusion Detection Environment. 419 00:38:11,110 --> 00:38:14,630 So you can do a check for inconsistencies. 420 00:38:14,650 --> 00:38:17,590 Of course, you have to initialize the database to do this. 421 00:38:18,990 --> 00:38:19,350 And 422 00:38:20,830 --> 00:38:24,130 you can start based on regular expressions. 423 00:38:30,410 --> 00:38:31,850 So it's going to be aide. 424 00:38:32,150 --> 00:38:35,090 I mean, we have to, 425 00:38:40,800 --> 00:38:41,070 first,
426 00:38:41,070 --> 00:38:43,050 let's go look at the config file, actually. 427 00:38:50,120 --> 00:38:57,920 So there's the config file, and it's going to say this is an example of a log that's being set. 428 00:38:59,360 --> 00:39:00,470 And that, as you can see, 429 00:39:01,600 --> 00:39:05,170 runs as a daily cron job based on a database. 430 00:39:11,370 --> 00:39:14,060 There are lots more useful things you can do with this program. 431 00:39:18,180 --> 00:39:19,920 So that's the config file there. 432 00:39:21,090 --> 00:39:26,250 Some people have called AIDE the free Tripwire, which is the 433 00:39:27,710 --> 00:39:28,790 professional version. 434 00:39:30,080 --> 00:39:35,450 So essentially, if you're going to do some additional hardening on a system, this is a good option. 435 00:39:35,840 --> 00:39:38,720 It is a small, yet powerful, open source IDS tool. 436 00:39:40,370 --> 00:39:42,620 And it has many different features. 437 00:39:42,920 --> 00:39:46,880 So you can install it on almost every flavor of Linux. 438 00:39:51,190 --> 00:39:55,690 So we can do an aide -v to see what version we're running. 439 00:39:55,690 --> 00:39:56,200 So that matters. 440 00:39:56,200 --> 00:40:01,330 We have SELinux, we have different hash files. 441 00:40:01,330 --> 00:40:03,280 So these are some of the different options that come with it. 442 00:40:03,760 --> 00:40:10,420 If we want to edit the AIDE config file, we can open it with our favorite text editor. 443 00:40:26,740 --> 00:40:29,080 And sometimes instructions do change for this. 444 00:40:29,110 --> 00:40:35,260 Be aware that just because something is in one place the first time you do it, it may not necessarily 445 00:40:35,260 --> 00:40:37,180 be there the next time. 446 00:40:37,210 --> 00:40:45,940 So in the /etc/aide directory now, we're going to have to actually change to the directory, or putting in 447 00:40:46,210 --> 00:40:47,950 the full path would have actually helped.
448 00:40:48,490 --> 00:40:50,380 So now we have the AIDE 449 00:40:52,160 --> 00:40:53,060 config file. 450 00:40:54,020 --> 00:40:58,730 So there are some default permissions, the default rules that it looks at. 451 00:40:59,510 --> 00:41:03,410 You can actually define new custom rules. 452 00:41:03,950 --> 00:41:04,460 So, 453 00:41:11,330 --> 00:41:18,740 for example, if you wanted to look for things like access control, you could put in a rule. 454 00:41:22,180 --> 00:41:24,280 And it has a pretty well documented 455 00:41:28,100 --> 00:41:30,230 file, as far as config files go. 456 00:41:39,200 --> 00:41:41,810 So of course you want to make sure these paths are good. 457 00:41:42,890 --> 00:41:44,720 You can change the verbose level. 458 00:41:48,850 --> 00:41:51,010 Maybe we want to go ahead and add a rule. 459 00:41:52,070 --> 00:41:54,520 And what we'll do is we'll go ahead and comment here. 460 00:41:56,500 --> 00:42:10,780 This rule is going to check access control list changes and file/directory permissions. 461 00:42:16,370 --> 00:42:19,040 So then we'll make the rule, call 462 00:42:19,040 --> 00:42:20,960 it perms = p 463 00:42:22,720 --> 00:42:29,410 + u + g + acl + selinux +. 464 00:42:30,130 --> 00:42:34,210 So essentially we can almost use regular expression type syntax. 465 00:42:34,690 --> 00:42:37,750 So there's our rule that we've just added. 466 00:42:39,210 --> 00:42:43,980 And we're going to go ahead and escape from insert mode, because we're going to 467 00:42:43,980 --> 00:42:44,200 write, 468 00:42:44,220 --> 00:42:47,910 quit, and there we go. 469 00:42:48,720 --> 00:42:53,220 Maybe we might want to check file and content type. 470 00:42:55,420 --> 00:42:58,240 There are all kinds of rules you can put in. 471 00:43:01,510 --> 00:43:06,370 So let's look at one more command. Since we have AIDE
taken care of, let's go and change back to 472 00:43:06,370 --> 00:43:07,270 the home directory. 473 00:43:08,290 --> 00:43:15,670 And we're going to go ahead and look at the dpkg command, another useful command, 474 00:43:15,670 --> 00:43:19,660 which is essentially the Debian package manager, as it's aptly named. 475 00:43:20,110 --> 00:43:27,910 So if we want to understand the different options that dpkg can do, it actually maintains 476 00:43:27,910 --> 00:43:31,390 a certain amount of information on installed packages. 477 00:43:33,580 --> 00:43:40,060 So if you want to get a whole lot of information, you can do dpkg -l and see all the different 478 00:43:40,060 --> 00:43:45,940 packages that are there, what version they are, and a little bit about them. 479 00:43:46,810 --> 00:43:48,700 So maybe this is not so useful. 480 00:43:48,700 --> 00:43:50,710 So let's not look at the whole thing. 481 00:43:51,670 --> 00:43:53,290 Let's do a dpkg 482 00:43:55,830 --> 00:44:01,620 -l and let's grep for apache2. 483 00:44:02,310 --> 00:44:06,570 Maybe we only want to see the things that are with respect to our web server. 484 00:44:08,960 --> 00:44:14,480 Maybe you want to look at the list of the packages that apply to the Uncomplicated Firewall. 485 00:44:17,030 --> 00:44:17,800 And there we go. 486 00:44:17,810 --> 00:44:18,830 So there are all the different 487 00:44:22,690 --> 00:44:25,330 files that were installed by a particular package. 488 00:44:32,320 --> 00:44:36,550 You can also install a package with it as well. 489 00:44:36,560 --> 00:44:39,460 If you're sudo to root, you can do dpkg 490 00:44:41,920 --> 00:44:44,110 -i and then the name of the file, 491 00:44:47,530 --> 00:44:52,540 so that if for some reason a package won't install with apt, you might be able to do it 492 00:44:52,540 --> 00:44:53,980 with the dpkg command.
493 00:45:00,140 --> 00:45:05,000 You can also uninstall certain packages as well with the -r option. 494 00:45:17,390 --> 00:45:20,360 And you can also verify a package as well. 495 00:45:29,970 --> 00:45:32,970 These are all the different checksums that 496 00:45:35,720 --> 00:45:38,660 the package is going to be concerned with. 497 00:45:48,540 --> 00:45:49,950 So it will take some time. 498 00:45:56,620 --> 00:46:04,540 So this command should print out a line for every package that fails verification. 499 00:46:05,650 --> 00:46:09,760 Let's go ahead and do dpkg -V. 500 00:46:11,980 --> 00:46:14,380 And so sometimes these commands do change. 501 00:46:16,630 --> 00:46:18,040 See, that's still in there. 502 00:46:21,910 --> 00:46:23,140 -V for all. 503 00:46:23,140 --> 00:46:24,190 I've got to put the package name. 504 00:46:24,340 --> 00:46:24,910 Silly me. 505 00:46:28,210 --> 00:46:31,600 So let's go ahead and do, let's say, tcpdump. 506 00:46:35,830 --> 00:46:36,610 All right, how about. 507 00:46:50,280 --> 00:46:52,980 Now let's go ahead and get into some practice questions. 508 00:46:53,760 --> 00:46:56,730 So the network layer firewall works as a 509 00:46:59,060 --> 00:47:06,860 frame filter, packet filter, or both a frame as well as packet filter, or none of the above. 510 00:47:13,380 --> 00:47:19,360 Correct answer is B: network layer firewall works as a packet filter. 511 00:47:19,380 --> 00:47:24,600 It can also filter against certain ports and protocols as well. 512 00:47:25,500 --> 00:47:29,580 But this is one of the most basic types of firewalls that we talked about. 513 00:47:31,300 --> 00:47:39,160 Question two: Network layer firewalls have two subcategories known as stateful and stateless firewalls, 514 00:47:40,360 --> 00:47:48,880 bit-oriented firewalls and byte-oriented firewalls, or frame firewalls and packet firewalls, or none 515 00:47:48,880 --> 00:47:49,480 of the above. 516 00:48:04,440 --> 00:48:05,490 The answer is
517 00:48:06,710 --> 00:48:09,590 A, stateful and stateless firewalls. 518 00:48:10,010 --> 00:48:15,080 Again, many of the firewalls of today are considered what are known as Next-Gen firewalls. 519 00:48:15,350 --> 00:48:19,880 They combine elements of both stateful and stateless filtering. 520 00:48:20,660 --> 00:48:26,210 So a stateful firewall means that it can keep track of the state of the TCP connection. 521 00:48:26,600 --> 00:48:29,480 Stateless firewalls are typically just packet filters. 522 00:48:32,420 --> 00:48:38,090 So a firewall is installed at the point where the secure internal network and untrusted external network 523 00:48:38,090 --> 00:48:41,150 meet, which is also known as what? 524 00:48:42,680 --> 00:48:43,520 A choke point, 525 00:48:45,810 --> 00:48:46,690 a meeting point, 526 00:48:48,710 --> 00:48:52,040 firewall point, or a secure point. 527 00:48:59,380 --> 00:49:01,030 The answer is a choke point. 528 00:49:01,060 --> 00:49:05,920 This is also another word for DMZ, or demilitarized zone. 529 00:49:06,460 --> 00:49:13,930 A DMZ typically has two firewalls, one facing the public Internet and one facing the internal network. 530 00:49:14,290 --> 00:49:18,730 And then in the DMZ, or the demilitarized zone, is the last bastion of 531 00:49:21,440 --> 00:49:23,540 servers and security that 532 00:49:26,330 --> 00:49:31,580 users and also administrators can go through before they're allowed to get access to the trusted network. 533 00:49:32,120 --> 00:49:38,120 You might have things like an email server at the choke point or some web server that needs to be accessible 534 00:49:38,120 --> 00:49:38,510 from 535 00:49:40,210 --> 00:49:41,530 external systems. 536 00:49:43,660 --> 00:49:43,960 All right. 537 00:49:43,960 --> 00:49:45,370 Let's get on to number four. 538 00:49:45,730 --> 00:49:50,080 Which of the following are the types of firewalls? 539 00:49:52,370 --> 00:49:53,690 We just went over this briefly.
540 00:49:53,690 --> 00:49:57,950 We have packet filtering firewalls, dual-homed gateway firewalls, 541 00:49:58,940 --> 00:50:00,650 screened host firewalls, 542 00:50:02,700 --> 00:50:03,930 or D, all of the above. 543 00:50:11,210 --> 00:50:13,880 Answer is A, packet filtering firewall. 544 00:50:21,800 --> 00:50:24,860 So a proxy firewall filters at what layer? 545 00:50:26,090 --> 00:50:28,520 And we're referencing the OSI model, 546 00:50:32,230 --> 00:50:34,540 which is prerequisite knowledge for this course, but: 547 00:50:38,360 --> 00:50:44,270 the physical layer, the data link layer, the network layer, or the application layer. 548 00:50:55,020 --> 00:50:57,120 And the answer is D, the application layer. 549 00:51:03,730 --> 00:51:05,350 So let's recap what we talked about. 550 00:51:05,350 --> 00:51:09,650 So we talked about running Kali on publicly accessible servers. 551 00:51:09,650 --> 00:51:13,780 You want to change any default passwords for services that might be configured. 552 00:51:14,140 --> 00:51:16,060 If you don't need the service, turn it off. 553 00:51:16,540 --> 00:51:21,220 You can also use fail2ban to detect and block password guessing attacks. 554 00:51:21,670 --> 00:51:28,960 If you do run web services like Apache, run them over HTTPS to keep attackers from sniffing your traffic. 555 00:51:29,800 --> 00:51:33,790 You can implement firewall rules to forbid all the outbound traffic. 556 00:51:36,080 --> 00:51:42,710 Remember, we talked about firewalls filtering both ingress traffic and egress traffic, or inbound and 557 00:51:42,710 --> 00:51:43,250 outbound. 558 00:51:44,190 --> 00:51:52,470 We looked at the logcheck program, how it monitors log files every hour by default, and also sends 559 00:51:52,470 --> 00:51:56,400 unusual log messages in emails to the administrator for further analysis.
560 00:51:57,270 --> 00:52:05,040 And we looked at top and htop, as well as the GNOME System Monitor, for an interactive tool to display 561 00:52:05,370 --> 00:52:06,810 currently running processes. 562 00:52:06,810 --> 00:52:13,850 So you want to have log checks and monitoring of your processes as part of your continuous monitoring program. 563 00:52:13,860 --> 00:52:19,560 Ideally, you want to have those logs being generated and sent somewhere that's centrally managed. 564 00:52:20,730 --> 00:52:24,060 And then we looked at the Advanced Intrusion Detection Environment tool. 565 00:52:24,720 --> 00:52:30,930 This tool checks for file integrity and will detect any changes against a previously recorded image 566 00:52:30,930 --> 00:52:31,950 of the valid system. 567 00:52:31,950 --> 00:52:37,290 So it has to have a baseline first, and it must have a database that's been initialized. 568 00:52:48,790 --> 00:52:51,970 So as a summary, to recap, we talked about security policies. 569 00:52:52,330 --> 00:52:54,670 We looked at different security measures that are out there. 570 00:52:54,700 --> 00:52:56,890 We looked at securing network services. 571 00:52:57,850 --> 00:53:03,580 We looked at using firewalls for network security and the different types of firewalls, stateless and 572 00:53:03,580 --> 00:53:04,150 stateful. 573 00:53:04,150 --> 00:53:06,910 We talked about the Uncomplicated Firewall. 574 00:53:07,580 --> 00:53:10,020 We talked about the graphical Uncomplicated Firewall. 575 00:53:10,030 --> 00:53:13,120 We also looked at the Firewall Builder program.
576 00:53:14,180 --> 00:53:19,100 If you want to build out your network and your firewalls from a graphical perspective, we looked at 577 00:53:19,490 --> 00:53:25,220 iptables and the various chains that are part of that, and we looked at the different rule sets that 578 00:53:25,220 --> 00:53:31,040 can be applied to them, and then how to add and remove different chains as well as adding and removing 579 00:53:31,040 --> 00:53:31,670 rules. 580 00:53:32,420 --> 00:53:39,410 We also talked about monitoring and logging with top and htop and monitoring systems in real time. 581 00:53:40,470 --> 00:53:45,690 And we also looked at the Advanced Intrusion Detection Environment, or AIDE, program. 582 00:53:48,410 --> 00:53:51,200 I thank you for your attention in this module. 583 00:53:52,870 --> 00:53:54,250 And we'll see you in the next one.