diff --git a/Event-Notes/CCDC2024/CCDC-Qualifier-2024/README.md b/Event-Notes/CCDC2024/CCDC-Qualifier-2024/README.md index 378bf1c0..870c1c3f 100644 --- a/Event-Notes/CCDC2024/CCDC-Qualifier-2024/README.md +++ b/Event-Notes/CCDC2024/CCDC-Qualifier-2024/README.md @@ -1 +1 @@ -Big Empty \ No newline at end of file +No Read ME currently written. \ No newline at end of file diff --git a/Event-Notes/Service-First-15/DNS/Linux/README.md b/Event-Notes/Service-First-15/DNS/Linux/README.md index 37b7c9fc..84318b1f 100644 --- a/Event-Notes/Service-First-15/DNS/Linux/README.md +++ b/Event-Notes/Service-First-15/DNS/Linux/README.md @@ -16,6 +16,6 @@ The only service that this may rely on is the a proxy if we are exposing a DNS s ## First 30 * Audit the DNS Server each machine is configured to use (/etc/resolv.conf, nmtui) * Can Wazuh do this? What about Zabbix -* Is DNSSec something that is good +* Question(Need to look into): Is DNSSec something that is good? ## Stretch Goals Enable DNSSec. \ No newline at end of file diff --git a/OperatingSystem-Services/Platform-Linux/3-Terraform/graph.png b/OperatingSystem-Services/Platform-Linux/3-Terraform/graph.png new file mode 100644 index 00000000..dfd48dd5 Binary files /dev/null and b/OperatingSystem-Services/Platform-Linux/3-Terraform/graph.png differ diff --git a/OperatingSystem-Services/Platform-Linux/3-Terraform/help/terraform-help-commands b/OperatingSystem-Services/Platform-Linux/3-Terraform/help/terraform-help-commands new file mode 100644 index 00000000..f6ff4ce6 --- /dev/null +++ b/OperatingSystem-Services/Platform-Linux/3-Terraform/help/terraform-help-commands 
@@ -0,0 +1,93 @@ +# About +This a helpfile listing the components used in the creation of a teraform based infrastructure. This uses aws-provider based examples, but are general to any terraform provider. This is organized into 2 groups, components & files. + +*Of course, this is not every single aspect of terraform, but should be a decent start to creating a full terraform-based infrastructure* + + +## Components +### Providers: +Providers are like toolboxes for your infrastructure. They define which cloud service or infrastructure you're working with (e.g., AWS, Azure, Google Cloud). If you're building on AWS, for example, you need the AWS provider. +```hcl +provider "aws" { + region = "us-west-2" +} +``` +```hcl +provider "" { + +} +``` + +### Resources: +Resources are the actual components you are building, like EC2 instances or S3 buckets. +A resource is like telling the worker to build a single unit in your skyscraper — an EC2 instance in AWS. +```hcl +resource "aws-instance" "example" { + ami = "ami-####" # Specific to AWS EC2 instance + instance_type = "t2.micro" # Specific to AWS EC2 instance +} +``` +```hcl +resource "" "" { + +} +``` +#### keyword vs key +keys are configuration attributes/fields (usually specific to the provider) +keywords are reserved words specific to the programming language (ITC. Terraform) +- resource = keyword +- ami = key +- instance_type = key + +### Modules: +Reusable chunks of code. +Sub-blueprint. +Instead of writing the same set of instructions over and over again, you create a module that you can reuse across your projects. +If you need multiple identical floors in your skyscraper, a module is a reusable floor plan. + +```hcl +module "web_server" { + source = "./modules/web_server" + instance_count = 3 # a custom variable defined within the web_server module +} +``` +```hcl +module "web_server" { + source = "" + +} +``` + +### State +Terraform keeps track of the infrastructure using a statefile. 
+ +### Output +Outputs are like a report card after the construction is done. They tell you useful things like where the main door is (the public IP of the instance), so you know where to go or connect to after your infrastructure is built. +```yaml +output "instance_ip" { + value = aws_instance.example.public_ip +} + +``` + + +### Data +data keyword like a scout who goes out to gather information about things that already exist. **You’re not creating anything new**; you’re just finding what’s already there (like discovering where roads or pipelines already exist before you build). +```yaml +data "aws_vpc" "default" { + default = true +} +``` + + +# Files & Directories +Note: All the entire terraform component can be written in 1 main.tf file. Convention is to split up these components into logical component files. +## main.tf +- used to declare resources + +## variables.tf +- a file to hold resuables variable names that you may use through out the terraform creation + + +## modules +A higher level Directory used to section off, organize and/or seperate often general components, for example, subnets, & a vpc files/details. \ No newline at end of file diff --git a/OperatingSystem-Services/Platform-Linux/3-Terraform/help/workflow.md b/OperatingSystem-Services/Platform-Linux/3-Terraform/help/workflow.md new file mode 100644 index 00000000..cd571093 --- /dev/null +++ b/OperatingSystem-Services/Platform-Linux/3-Terraform/help/workflow.md 
@@ -0,0 +1,156 @@ +# Table of Contents +- [About](#about) +- [Workflow](#workflow) + - [Install Terraform on linux](#install-terraform-on-linux) + - [Configure the Terraform provider](#configure-the-terraform-provider) + - [Write configuration files](#write-configuration-files) + - [Initialize Terraform](#initialize-terraform) + - [Run terraform plan](#run-terraform-plan) + - [Create resources with terraform apply](#create-resources-with-terraform-apply) + - [Delete resources using terraform destroy](#delete-resources-using-terraform-destroy) +- [Notes:](#notes) + +# About +This file describes the general flow I use for starting and creating a aws-based teraform infrastructure + +Author: Chisom Ukaegbu + +# Workflow +## Install Terraform on linux +1. Install Terraform (ubuntu debian ver.) + + - ` wget -O - https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings hashicorp-archive-keyring.gpg` + + - `echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list` + + - `sudo apt update && sudo apt install terraform ` + + + +## Configure the Terraform provider +For our example we will focus on using aws as the cloud provider aka the place where out machines will be created & hosted + +AWS will be our cloud provider and set up an account on aws cloud provider + +0. You will need AWS Access KEY ID & AWS Secret Key ID + This is gathered from the aws web console. Create a user or use a preexisting user. + + ![aws-create-user.png](/images/aws-create-user.png) + + + Grab there access and secret key ids. + + ![alt text](/imageS/aws-secret-key.png) + +1. Run `Aws Configure` in your terminal. 
+ Input your keys +```sh +blueteam@cyber-range tf-tuts % aws configure +AWS Access Key ID [****************PYVK]: ****PYVK +AWS Secret Access Key [****************duMt]: ****duMt +Default region name [eu-central-1]: +Default output format [None]: +blueteam@cyber-range tf-tuts % +``` + +## Write configuration files +1. Setup Cloud Provider + + Convention says to place this config in a file name provider.tf. It does not matter aslong as the file has the .tf extension and is unique in name. + +```yaml + terraform { +    required_providers { +        aws = { +            source = hashicorp/aws +            version = " ~> 4.19.0" +    } + } +    } +``` +2. Create instances + + Create a main.tf file. Convention is to name the file "main.tf" + + This is where the block of the cofiguration for the virtual machines will be deployed + +```yaml +# creating the code to create an EC2 instance in AWS using Terraform. +resource "aws_instance" "my_vm" { + + ami                       = "ami-065deacbcaac64cf2" //Ubuntu AMI + instance_type             = "t2.micro" + + tags = { +   Name = "My EC2 instance", + } + +########### +# declared a resource block of type “aws_instance”. +### This instructs Terraform that we want to create an EC2 instance resource in AWS with the given attributes + +# second parameter is “`my_vm`”, an internal identifier that refers to this ##particular EC2 instance elsewhere in the code. We can assign any name to this identifier + + +# assigned a `tag` “Name” with the value “My EC2 Instance”. +``` + +## Initialize Terraform +1. Intialize terraform + + Run this command in your terminal of the same directory your provider is. + ```sh + terraform init + ``` + You should see these hidden files. when running + ```sh + ls -l + . .. .terraform .terraform.lock.hcl provider.tf + ``` + +2. 
Format the code + This command will auto fixed syntax and indentation of your configuration code + ```sh + terraform fmt + ``` + + +## Run terraform plan + This command will output 2 scenarios + output: identify and highlight resources that will be created, updated, or deleted if we choose to execute the current version of the code + + or + + Show issues regarding your terraform file + + ```sh + terraform plan` + ``` + ![t-fmt-1]() + ![t-fmt-2]() + + + +## Create resources with terraform apply + +Running the command `terraform apply` will begin to create +```sh +terraform apply +``` + +Now if you navigate to aws, you will see the instances created. + +Make sure you are in the same region as the provider you selected. + +## Delete resources using terraform destroy + +```sh +terraform destory +``` + +Will delete any resources provisioned by your terraform script. +Virtual machines, vpcs, subnets etc are considered resources + + +# Notes: +There is more you can do with terraform but this is a quick start guide for creating an instance or network for the first time. \ No newline at end of file diff --git a/OperatingSystem-Services/Platform-Linux/3-Terraform/images/aws-create-user.png b/OperatingSystem-Services/Platform-Linux/3-Terraform/images/aws-create-user.png new file mode 100644 index 00000000..bea3e336 Binary files /dev/null and b/OperatingSystem-Services/Platform-Linux/3-Terraform/images/aws-create-user.png differ diff --git a/OperatingSystem-Services/Platform-Linux/3-Terraform/images/aws-secret-key.png b/OperatingSystem-Services/Platform-Linux/3-Terraform/images/aws-secret-key.png new file mode 100644 index 00000000..afdb9c3d Binary files /dev/null and b/OperatingSystem-Services/Platform-Linux/3-Terraform/images/aws-secret-key.png differ 
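Review bot: in workflow.md the first install command under "Install Terraform on linux" writes the keyring to the wrong place: `-o /usr/share/keyrings hashicorp-archive-keyring.gpg` has a space where the slash should be, so gpg receives two arguments and the `signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg` path used by the next command is never created; it should read `-o /usr/share/keyrings/hashicorp-archive-keyring.gpg`. Other points in the same hunk that will trip a reader copying the steps: `Aws Configure` should be `aws configure`; the provider.tf snippet needs quotes around `hashicorp/aws` (the project's own provider.tf in this patch has the correct form) and its fence is tagged `yaml` for HCL; the main.tf snippet never closes the `resource "aws_instance" "my_vm" {` block before the trailing comments; the `terraform plan` block has a stray backtick inside the fence; `terraform destory` should be `terraform destroy`; and the two `![t-fmt-1]()` / `![t-fmt-2]()` image links have empty targets although the png files are added in this patch. The pasted `aws configure` transcript also echoes fragments of a real key pair; showing the prompts with placeholders only would be safer.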
diff --git a/OperatingSystem-Services/Platform-Linux/3-Terraform/images/t-fmt-1.png b/OperatingSystem-Services/Platform-Linux/3-Terraform/images/t-fmt-1.png new file mode 100644 index 00000000..ac7a359d Binary files /dev/null and b/OperatingSystem-Services/Platform-Linux/3-Terraform/images/t-fmt-1.png differ diff --git a/OperatingSystem-Services/Platform-Linux/3-Terraform/images/t-fmt-2.png b/OperatingSystem-Services/Platform-Linux/3-Terraform/images/t-fmt-2.png new file mode 100644 index 00000000..bbb34fae Binary files /dev/null and b/OperatingSystem-Services/Platform-Linux/3-Terraform/images/t-fmt-2.png differ diff --git a/OperatingSystem-Services/Platform-Linux/3-Terraform/main.tf b/OperatingSystem-Services/Platform-Linux/3-Terraform/main.tf new file mode 100644 index 00000000..78ca88d1 --- /dev/null +++ b/OperatingSystem-Services/Platform-Linux/3-Terraform/main.tf 
@@ -0,0 +1,200 @@ +resource "aws_instance" "my_vm" { + count = 4 + ami = "ami-0866a3c8686eaeeba" //Ubuntu AMI + instance_type = var.instance_type + tags = { + Name = "Ubuntu-Machine-${count.index}", + } + subnet_id = aws_subnet.practice_priv_subnet.id +} + +resource "aws_instance" "rh_linux" { + count = 3 + ami = "ami-0583d8c7a9c35822c" + instance_type = var.instance_type + + tags = { + Name = "Red-hat-linux-Machine-${count.index}" + } + subnet_id = aws_subnet.practice_priv_subnet.id +} + +resource "aws_instance" "windows-machine" { + count = 6 + ami = "ami-073e3b46f8802d31b" + instance_type = var.instance_type + tags = { + Name = "windows-machine-${count.index}" + } + subnet_id = aws_subnet.practice_priv_subnet.id +} + + + +resource "aws_vpc" "practice_vpc" { + cidr_block = var.vpc_cidr #"10.0.0.0/16" + tags = { + Name = "Blueteam practice VPC" + } +} +# VPC auto creates a +# - default route table(which has no internet) +# allows communitcation internally + + + +resource "aws_subnet" "practice_pub_subnet" { + vpc_id = aws_vpc.practice_vpc.id + cidr_block = var.public_subnet_cidr + map_public_ip_on_launch = true +} + +resource "aws_subnet" "practice_priv_subnet" { + vpc_id = aws_vpc.practice_vpc.id + cidr_block = var.private_subnet_cidr +} + +# set up internet gateway for public subnets +resource "aws_internet_gateway" "igw" { + vpc_id = aws_vpc.practice_vpc.id + tags = { + Name = "practice_pub_igw" + } +} + +# To make the subnets named “Public” public, we have to create routes using IGW which will enable the traffic from the Internet to access these subnets. 
+# Subnets are private by default +# We need to create a second route table for the public subnet to reacht the internet +# route table for public subnet +resource "aws_route_table" "practice_second_rt" { + vpc_id = aws_vpc.practice_vpc.id + + route { + cidr_block = "0.0.0.0/0" + gateway_id = aws_internet_gateway.igw.id + } + + tags = { + Name = "2nd route table" + } +} + +# Associate public subnets w/ the 2nd route table +resource "aws_route_table_association" "practice_public_subnet_assoc" { + count = 1 + subnet_id = aws_subnet.practice_pub_subnet.id + route_table_id = aws_route_table.practice_second_rt.id +} + + +# Nat gateway +resource "aws_eip" "nat_eip" { + vpc = true +} + +# creates the nat gateway +resource "aws_nat_gateway" "practice_nat_gateway" { + allocation_id = aws_eip.nat_eip.id + subnet_id = aws_subnet.practice_pub_subnet.id +} + +# route table for nat gateway +resource "aws_route_table" "practice_private_route_table" { + vpc_id = aws_vpc.practice_vpc.id + + route { + cidr_block = "0.0.0.0/0" + nat_gateway_id = aws_nat_gateway.practice_nat_gateway.id + } +} + +# Associate the nat gateway with the private subnet +resource "aws_route_table_association" "practice_private_subnet_association" { + subnet_id = aws_subnet.practice_priv_subnet.id + route_table_id = aws_route_table.practice_private_route_table.id + +} + + +###### +## Wireguard Configs +###### + +# Security Group for VPN to allow traffic +resource "aws_security_group" "practice_wireguard_sg" { + vpc_id = aws_vpc.practice_vpc.id + ingress { + from_port = 51820 + to_port = 51820 + protocol = "udp" + cidr_blocks = ["0.0.0.0/0"] # Allow traffic to WireGuard on the public internet + } + # SSH itself doesn’t operate over port 51820. Instead, port 51820 is set up to handle WireGuard VPN traffic. The idea is to use WireGuard as a secure VPN tunnel to access the private network, including the EC2 instance, as if you were on the same internal network. 
+ # Here’s how it works: + # Connect to WireGuard: You connect to your EC2 instance using the WireGuard client on your machine. This creates a secure tunnel to the EC2 instance via port 51820. + # SSH over the VPN: Once connected through WireGuard, your machine will have an internal IP within the VPN network, allowing you to SSH to the instance using its private IP over port 22. The SSH traffic will be routed securely over the VPN. + + ingress { + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + + # outbound traffic + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } +} + +resource "aws_instance" "practice_wireguard_server" { + ami = "ami-0866a3c8686eaeeba" + instance_type = "t2.micro" + subnet_id = aws_subnet.practice_pub_subnet.id + security_groups = [aws_security_group.practice_wireguard_sg.id] + # Install WireGuard and set up server configuration + # we use anisible to install wireguard docker easy + key_name = aws_key_pair.chisom_keypair.key_name + tags = { + Name = "WireGuard Server" + } +} +### ssh key +# aws prefers rsa keys, personal experience +# ecdsa was prompted w/ errors +resource "aws_key_pair" "chisom_keypair" { + key_name = var.pub_key_name + public_key = var.pub_key_pair +} + + +output "ec2_ip" { + value = aws_instance.practice_wireguard_server.public_ip + +} + +output "rh_linux_priv_ip" { + value = [for i in aws_instance.rh_linux : i.private_ip] +} + +output "rh_linux_public_ip" { + value = [for i in aws_instance.rh_linux : i.public_ip] +} +output "windows_private_ips" { + value = [for i in aws_instance.windows-machine : i.private_ip] +} + +output "windows_pub_ips" { + value = [for i in aws_instance.windows-machine : i.public_ip] +} + +resource "aws_eip" "wireguard_eip" { + vpc = true + instance = aws_instance.practice_wireguard_server.id +} + + + 
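Review bot: in main.tf the `practice_wireguard_sg` ingress rule for port 22 with `cidr_blocks = ["0.0.0.0/0"]` contradicts the comment directly above it, which says SSH is only reached over the WireGuard tunnel; with that rule the server's SSH port is reachable from the whole internet regardless of the VPN. Remove the rule, or restrict `cidr_blocks` to the VPN address range or the operator's management address. Two further issues in this hunk: `aws_instance.practice_wireguard_server` sets `security_groups = [aws_security_group.practice_wireguard_sg.id]`, but the AWS provider documents `security_groups` as a list of group names for EC2-Classic and the default VPC only, and `vpc_security_group_ids` as the argument for instances in a VPC like `practice_vpc`, so this should be `vpc_security_group_ids = [aws_security_group.practice_wireguard_sg.id]`; and the `rh_linux_public_ip` and `windows_pub_ips` outputs will always be empty because those instances are placed in `practice_priv_subnet`, which has no public IP mapping. Minor: the comment "Associate the nat gateway with the private subnet" describes a route table association, not a NAT gateway association, and `count = 1` on `practice_public_subnet_assoc` is redundant.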
diff --git a/OperatingSystem-Services/Platform-Linux/3-Terraform/modules/subnet/subnet.tf b/OperatingSystem-Services/Platform-Linux/3-Terraform/modules/subnet/subnet.tf new file mode 100644 index 00000000..af28f9c5 --- /dev/null +++ b/OperatingSystem-Services/Platform-Linux/3-Terraform/modules/subnet/subnet.tf @@ -0,0 +1,13 @@ +#Public subnet +resource "aws_subnet" "practice_pub_subnet" { + vpc_id = var.vpc_id +} + +variable "vpc_id" { + # place holder for vpc id output + # required for output +} + +output "practice_pub_subnet_id" { + value = aws_subnet.practice_pub_subnet +} \ No newline at end of file diff --git a/OperatingSystem-Services/Platform-Linux/3-Terraform/modules/vpc/variables.tf b/OperatingSystem-Services/Platform-Linux/3-Terraform/modules/vpc/variables.tf new file mode 100644 index 00000000..c1c77ac8 --- /dev/null +++ b/OperatingSystem-Services/Platform-Linux/3-Terraform/modules/vpc/variables.tf @@ -0,0 +1,18 @@ +variable "vpc_cidr_block" { + description = "cidr block for vpc" + type = string + default = "10.0.0.0/16" +} + +variable "pub_sub_cidr" { + description = "cidr block for pub subnet" + type = string + default = "10.0.1.0/8" +} + +variable "priv_sub_cidr" { + description = "cidr block for pub subnet" + type = string + default = "10.0.2.0/8" +} + diff --git a/OperatingSystem-Services/Platform-Linux/3-Terraform/modules/vpc/vpc.tf b/OperatingSystem-Services/Platform-Linux/3-Terraform/modules/vpc/vpc.tf new file mode 100644 index 00000000..49a249a2 --- /dev/null +++ b/OperatingSystem-Services/Platform-Linux/3-Terraform/modules/vpc/vpc.tf @@ -0,0 +1,14 @@ +resource "aws_vpc" "practice_pub_vpc" { + cidr_block = var.vpc_cidr_block + tags = { + name = "practice_vpc" + } +} + +output "vpc_id" { + value = aws_vpc.practice_pub_vpc + +} +output "vpc_cidr" { + value = var.vpc_cidr_block +} \ No newline at end of file 
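Review bot: in modules/subnet/subnet.tf the output `practice_pub_subnet_id` returns the whole `aws_subnet.practice_pub_subnet` object rather than its id, although its name promises an id; it should be `value = aws_subnet.practice_pub_subnet.id`. The subnet resource is also missing the required `cidr_block` argument, so `terraform plan` fails on this module, and `variable "vpc_id"` should declare `type = string` and a `description` instead of an empty body with comments.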
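Review bot: in modules/vpc/variables.tf the subnet defaults `10.0.1.0/8` and `10.0.2.0/8` are not valid subnets of the `10.0.0.0/16` VPC: a /8 prefix is larger than the VPC itself, and both values normalise to the same `10.0.0.0/8` block, so AWS will reject them. The intent is presumably `/24`, matching the top-level variables.tf in this same patch (`10.0.1.0/24`, `10.0.2.0/24`). The `description` of `priv_sub_cidr` also still reads "cidr block for pub subnet".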
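Review bot: in modules/vpc/vpc.tf the `vpc_id` output returns the whole `aws_vpc.practice_pub_vpc` object instead of `.id`, so a consumer writing `vpc_id = module.vpc.vpc_id` gets a type error; use `value = aws_vpc.practice_pub_vpc.id`. The tag key is lowercase `name`; AWS tag keys are case-sensitive and the console's Name column reads the `Name` key, so this VPC will display without a name.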
diff --git a/OperatingSystem-Services/Platform-Linux/3-Terraform/outputs.tf b/OperatingSystem-Services/Platform-Linux/3-Terraform/outputs.tf new file mode 100644 index 00000000..3d071550 --- /dev/null +++ b/OperatingSystem-Services/Platform-Linux/3-Terraform/outputs.tf @@ -0,0 +1,4 @@ +output "ec2_machines" { + # Here * indicates that there are more than one arn because count is 4 + value = aws_instance.my_vm.*.arn +} \ No newline at end of file diff --git a/OperatingSystem-Services/Platform-Linux/3-Terraform/provider.tf b/OperatingSystem-Services/Platform-Linux/3-Terraform/provider.tf new file mode 100644 index 00000000..9cbd1807 --- /dev/null +++ b/OperatingSystem-Services/Platform-Linux/3-Terraform/provider.tf @@ -0,0 +1,9 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 4.19.0" + } + } +} + diff --git a/OperatingSystem-Services/Platform-Linux/3-Terraform/secrets/client_private.key b/OperatingSystem-Services/Platform-Linux/3-Terraform/secrets/client_private.key new file mode 100644 index 00000000..f1d244a5 --- /dev/null +++ b/OperatingSystem-Services/Platform-Linux/3-Terraform/secrets/client_private.key @@ -0,0 +1 @@ +sGn+25TVmvdAre8pfTreILfvvGkm5cCBpCMIoyonjVI= diff --git a/OperatingSystem-Services/Platform-Linux/3-Terraform/secrets/client_public.key b/OperatingSystem-Services/Platform-Linux/3-Terraform/secrets/client_public.key new file mode 100644 index 00000000..fed7bdec --- /dev/null +++ b/OperatingSystem-Services/Platform-Linux/3-Terraform/secrets/client_public.key @@ -0,0 +1 @@ +JSjRvBJB0rP6BDO5eP4wGGPXt9R16T56O8tygLx1FBk= diff --git a/OperatingSystem-Services/Platform-Linux/3-Terraform/variables.tf b/OperatingSystem-Services/Platform-Linux/3-Terraform/variables.tf new file mode 100644 index 00000000..0af1f96f --- /dev/null +++ b/OperatingSystem-Services/Platform-Linux/3-Terraform/variables.tf 
@@ -0,0 +1,32 @@ +variable "public_subnet_cidr" { + type = string + description = "Public Subnet CIDR values" + default = "10.0.1.0/24" +} + +variable "private_subnet_cidr" { + type = string + description = "Private subnet CIDR values for proxy and gateway" + default = "10.0.2.0/24" +} + +variable "vpc_cidr" { + type = string + default = "10.0.0.0/16" +} + + +variable "instance_type" { + type = string + default = "t2.micro" +} + +variable "pub_key_pair" { + type = string + default = "ssh-rsa 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 omnil@DESKTOP-HJ31GBB" +} + +variable "pub_key_name" { + type = string + default = "chisom-key" +} \ No newline at end of file diff --git a/OperatingSystem-Services/Platform-Windows/First15/WindowsFirst15.md b/OperatingSystem-Services/Platform-Windows/First15/WindowsFirst15.md new file mode 100644 index 00000000..852ad942 --- /dev/null +++ b/OperatingSystem-Services/Platform-Windows/First15/WindowsFirst15.md 
@@ -0,0 +1,157 @@ +# Windows First 15 + +## Part 1: Initial Network and System Analysis + +### 1. Nmap Scan for Network Reconnaissance + +**Identify Active Machines:** +``` sh + + fping -a -g -r 1 -q > live_hosts.txt +``` +**Perform Nmap Scan:** +```sh + nmap -sV -O -T4 -p- -iL live_hosts.txt +``` +**Document Findings:** + +- Add discovered IPs and services to a shared document or whiteboard. +- Inform the team about active IPs and services. + +## Part 2: Securing the Compromised Server + +### 2. Create/Alter Admin(s) Account + +**Create an Admin Account:** +```sh + net user admin /add + net localgroup administrators admin /add +``` +***Using GUI +You(blueteam) can also `ctrl+alt+delete` > `change password`, to alter the password of the current account you are on. + +### 3. Turn on Windows Defender + +**Enable Windows Defender Firewall:** + +- Use Windows Search to find "Windows Defender Firewall". +- Turn it on (may be located on the left side of the screen/window). + +**Initiate a Scan:** + +- Use Windows Security to run a scan. +- Search "Windows Security" using Window's Search bar and turn it on. + +## Part 3: Secure Remote Access and Configuration + +### 1. Generate and Change Machine Keys + +**Generate SSH Keys:** + +Run this command on the host machine: +```sh + # On a Windows machine + ssh-keygen -t rsa -b 4096 -f C:\Users\YourUsername\.ssh\ssh_key_name + ssh-keygen -t -f + + # On a Linux machine + ssh-keygen -t rsa -b 4096 -f /home//.ssh/custom_key_name + ssh-keygen -t -f +``` +- **Windows**: Keys are located in C:\Users\YourUsername\.ssh\ directory. +- **Linux**: Keys are located in /home/yourusername/.ssh/ directory. 
+ +**Copy Public Key to Remote Computer:** +```sh + # From a Linux machine + ssh-copy-id -i ~/.ssh/your_public_key.pub username@windows_machine_ip +``` +```sh + # Manually copying from Linux to Windows(target) machine (to be done on Windows(target) machine) + mkdir C:\Users\YourUsername\.ssh\ + notepad C:\Users\YourUsername\.ssh\authorized_keys +``` +```sh + # Note: Remember to change permissions on Windows(target) machine: + icacls "C:\Users\YourUsername\.ssh" /inheritance:r /grant:r :F /t /c + icacls "C:\Users\\.ssh\authorized_keys" /inheritance:r /grant:r :F /t /c +``` +```sh + # From a Windows machine + $key = Get-Content C:\Users\YourUsername\.ssh\my_ssh_key.pub + ssh username@windows_machine_ip "mkdir C:\Users\YourUsername\.ssh\ -Force; + echo $key >> C:\Users\YourUsername\.ssh\authorized_keys" +``` +### 5. Test SSH Key Access + +- Use another terminal to SSH into the server and ensure key-based authentication works. + +### 6. Disable Password Authentication + +**Edit SSHD Config:** +```sh + ## Back up files (cmd) + Copy-Item -Path "C:\Source\Path\file.txt" -Destination "C:\Backup\Path\file.txt" -Force + + ## Modify sshd configuration + notepad C:\ProgramData\ssh\sshd_config +``` +- Set PasswordAuthentication to no. +- Set PermitRootLogin to no. + +**Restart SSHD Service:** +```sh + Restart-Service sshd +``` +## Removing Programs & Malware + +### 7. Keylog Prevention and Service Checks + +**Check for Suspicious Scheduled Tasks and Services:** + + # List running & scheduled tasks/services + + # Tasks + schtasks /query /fo LIST /v + + # Services + Get-Service | Where-Object { $_.Status -eq 'Running' } + +### 8. Process Explorer + +- Download Process Explorer. +- Remove malicious/suspicious processes. +- Pay particular attention to svchost processes, which are often linked to malware. + +### 9. Change Passwords for Critical Accounts & Services + +**Change Passwords:** +```sh + net user +``` +### 10. 
Disable Unknown Users + +**Identify and Disable Suspicious Accounts:** +```sh + net user + net user /active:no +``` +### 11. Kill Malicious Processes and Sessions + +**Check Open SSH Sessions and Processes:** +```sh + query user # To see logged-in users + tasklist /v # To list detailed processes + taskkill /F /PID # To kill a specific process +``` +Reminder: Look at the task scheduler + +## Extra + +### 12. Run Audit Scripts + +**Install and Run Lynis:** + + powershell -Command "Invoke-WebRequest -Uri https://cisofy.com/files/lynis-3.0.8.zip -OutFile lynis.zip" + powershell -Command "Expand-Archive -Path lynis.zip -DestinationPath ." + cd lynis && powershell -ExecutionPolicy Bypass -File lynis.ps1 diff --git a/OperatingSystem-Services/Service-Containers/Kubernetes/Resources/Inject-Writeups/inject01.md b/OperatingSystem-Services/Service-Containers/Kubernetes/Resources/Inject-Writeups/inject01.md index f775a997..36776a2b 100644 --- a/OperatingSystem-Services/Service-Containers/Kubernetes/Resources/Inject-Writeups/inject01.md +++ b/OperatingSystem-Services/Service-Containers/Kubernetes/Resources/Inject-Writeups/inject01.md @@ -15,7 +15,7 @@ Simple Static Web server hosted on Kubernetes [Easy] ## Dependencies -- You could delete one of the following peices and see if they notice, +- You could delete one of the following pieces and see if they notice, - Deployment itself - kubectl get deployments - kubectl delete deployment
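Review bot: in help/terraform-help-commands the Resources example declares `resource "aws-instance" "example"`, which is not a valid type name (Terraform resource types use underscores: `aws_instance`), so a reader copying the reference gets an invalid resource type error; since this file is meant as a lookup table, that should be corrected. Also in that hunk: the Output and Data examples are fenced as `yaml` while the earlier examples use `hcl`, "ITC. Terraform" should read "i.e. Terraform", and the State section is a single sentence with no example, unlike every other component section; at minimum it should name the default `terraform.tfstate` file.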
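Review bot: secrets/client_private.key commits a private key to the repository and must not be merged; deleting the file in a follow-up commit does not help because the value stays in history, so the key should be treated as compromised, a new client key pair generated, and `secrets/` added to .gitignore (or the keys supplied from a secrets store or a tfvars file excluded from version control). The companion client_public.key is not sensitive, but belongs under the same mechanism rather than in the tree.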
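Review bot: in variables.tf the `pub_key_pair` variable hard-codes one person's full SSH public key, comment `omnil@DESKTOP-HJ31GBB` included, as its default. A public key is not secret, but baking it into the shared defaults means every colleague who applies this configuration provisions instances that trust that key; give the variable no default and a `description`, and supply the value through `terraform.tfvars` (git-ignored) or `-var`. `vpc_cidr` and `instance_type` also lack descriptions.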
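Review bot: in WindowsFirst15.md the "Run Audit Scripts" step cannot work: Lynis is a shell script for Unix-like systems and the release archive it downloads contains no `lynis.ps1`, so `powershell -ExecutionPolicy Bypass -File lynis.ps1` has nothing to run; drop the step or replace it with a Windows-native check. Several commands in this hunk have also lost their placeholder arguments and error as written: `fping -a -g -r 1 -q` has no target range, `ssh-keygen -t -f` has no key type or path, `/home//.ssh/custom_key_name` is missing the username, `icacls ... /grant:r :F` is missing the account, `net user /active:no` is missing the account, and `taskkill /F /PID` is missing the PID; restoring `<...>` placeholders would fix this. Smaller points: the heading "Back up files (cmd)" sits above a PowerShell `Copy-Item` command, and the command blocks under "Keylog Prevention and Service Checks" and "Run Audit Scripts" are not fenced like the rest.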