feat: update dns section

+488 -326
+1 -33
05-dns-rsync-cron.md 06-rsync-cron.md
··· 1 - # DNS, Rsync, and Cron Services 2 - 3 - ## DNS Service (BIND) 4 - 5 - ### Service Name 6 - - `named` (most distributions) 7 - 8 - ### Configuration Location 9 - - Ubuntu: `/etc/bind/` 10 - - CentOS: May be in different location 11 - 12 - ### Check Service 13 - ```bash 14 - systemctl status named 15 - ``` 16 - 17 - ### Basic Concept 18 - DNS translates domain names to IP addresses (forward lookup) and IP addresses to domain names (reverse lookup). 19 - 20 - **Forward lookup**: `example.com` → `192.168.1.100` 21 - **Reverse lookup**: `192.168.1.100` → `example.com` 22 - 23 - ### Key Files (Bind) 24 - - `named.conf` - Main configuration 25 - - Zone files - Define DNS records for domains 26 - 27 - **This is a complex service** - requires understanding of: 28 - - Zone files 29 - - DNS record types (A, PTR, CNAME, MX, etc.) 30 - - Forward vs reverse zones 31 - - DNS hierarchy 32 - 33 - --- 1 + # Rsync and Cron Services 34 2 35 3 ## Rsync - File Synchronization/Backup 36 4
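Review bot: the renumbering in this commit (05-dns-rsync-cron.md to 06-rsync-cron.md, 06-ufw-firewall.md to 07-ufw-firewall.md, 08-mikrotik-router.md to 09-mikrotik-router.md, plus the new 05 and 08 files) changes every filename in the series, so if an index or README links to these guides by name it needs the same update in this commit, otherwise the links go stale. The shortened title `# Rsync and Cron Services` matches what remains in the file, and the DNS material removed here reappears in 05-dns-service.md, so no content is lost by this hunk itself.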
+281
05-dns-service.md
··· 1 + # DNS Service (BIND) 2 + 3 + ## Overview 4 + 5 + DNS translates domain names to IP addresses (forward lookup) and IP addresses to domain names (reverse lookup). 6 + 7 + - **Forward lookup**: `ncaecybergames.org` → `192.168.8.2` 8 + - **Reverse lookup**: `192.168.8.2` → `ncaecybergames.org` 9 + 10 + --- 11 + 12 + ## Service Name 13 + 14 + - `named` (not `bind`) 15 + 16 + ```bash 17 + systemctl status named 18 + sudo systemctl start named 19 + sudo systemctl enable named 20 + ``` 21 + 22 + --- 23 + 24 + ## Configuration Locations 25 + 26 + ### Ubuntu 27 + ``` 28 + /etc/bind/ 29 + ├── named.conf # Main config (includes other files) 30 + ├── named.conf.options # Server options 31 + ├── named.conf.local # Local zone definitions 32 + ├── named.conf.default-zones # Default zones (localhost, etc.) 33 + ├── db.empty # Template file to copy for new zones 34 + ├── db.local # Localhost zone file 35 + ├── db.127 # Localhost reverse zone 36 + └── zones/ # Your custom zone files (create this) 37 + ``` 38 + 39 + ### CentOS/RHEL 40 + Configuration may be in a different location - check `/etc/named/` or `/var/named/` 41 + 42 + --- 43 + 44 + ## Key Concepts 45 + 46 + ### Zone Files 47 + - **Forward zone**: Maps domain names → IP addresses (A records) 48 + - **Reverse zone**: Maps IP addresses → domain names (PTR records) 49 + 50 + ### Include Structure 51 + The main `named.conf` typically includes other config files: 52 + ``` 53 + include "/etc/bind/named.conf.options"; 54 + include "/etc/bind/named.conf.local"; 55 + include "/etc/bind/named.conf.default-zones"; 56 + ``` 57 + 58 + ### allow-update Directive 59 + 60 + Controls whether dynamic DNS updates are permitted for a zone: 61 + 62 + ``` 63 + zone "example.org" IN { 64 + type master; 65 + file "/etc/bind/zones/forward.example.org"; 66 + allow-update { none; }; # No dynamic updates allowed 67 + }; 68 + ``` 69 + 70 + | Value | Meaning | 71 + |-------|---------| 72 + | `{ none; }` | No updates allowed (static zone, manual 
edits only) | 73 + | `{ key mykey; }` | Allow updates signed with a specific TSIG key | 74 + | `{ 192.168.8.5; }` | Allow updates from a specific IP address | 75 + 76 + **For competition: Always use `{ none; };`** - prevents attackers from remotely modifying your DNS records. 77 + 78 + --- 79 + 80 + ## Setting Up DNS Zones 81 + 82 + ### Step 1: Add Zone Definitions 83 + 84 + Edit the zones config file (Ubuntu: `named.conf.default-zones`): 85 + ```bash 86 + sudo nano /etc/bind/named.conf.default-zones 87 + ``` 88 + 89 + Add a **forward lookup zone**: 90 + ``` 91 + zone "ncaecybergames.org" IN { 92 + type master; 93 + file "/etc/bind/zones/forward.ncaecybergames.org"; 94 + allow-update { none; }; 95 + }; 96 + ``` 97 + 98 + Add a **reverse lookup zone**: 99 + ``` 100 + zone "8.168.192.in-addr.arpa" IN { 101 + type master; 102 + file "/etc/bind/zones/reverse.ncaecybergames.org"; 103 + allow-update { none; }; 104 + }; 105 + ``` 106 + 107 + **Important**: For reverse zones, write the network portion of the IP **backwards**: 108 + - IP: `192.168.8.x` → Zone: `8.168.192.in-addr.arpa` 109 + 110 + --- 111 + 112 + ### Step 2: Create Zone Files Directory 113 + 114 + ```bash 115 + sudo mkdir /etc/bind/zones 116 + ``` 117 + 118 + --- 119 + 120 + ### Step 3: Copy Template Files 121 + 122 + Copy the empty template (preserves correct ownership and permissions): 123 + ```bash 124 + sudo cp /etc/bind/db.empty /etc/bind/zones/forward.ncaecybergames.org 125 + sudo cp /etc/bind/db.empty /etc/bind/zones/reverse.ncaecybergames.org 126 + ``` 127 + 128 + **Why copy instead of create from scratch?** 129 + - Preserves correct ownership (`root:bind`) 130 + - Preserves correct permissions (`644`) 131 + - If permissions/ownership are wrong, bind can't read the files 132 + 133 + Check permissions: 134 + ```bash 135 + ls -l /etc/bind/zones/ 136 + ``` 137 + 138 + --- 139 + 140 + ### Step 4: Configure Forward Zone File 141 + 142 + ```bash 143 + sudo nano /etc/bind/zones/forward.ncaecybergames.org 
144 + ``` 145 + 146 + Example forward zone file: 147 + ``` 148 + $TTL 604800 149 + @ IN SOA ncaecybergames.org. root. ( 150 + 2 ; Serial (INCREMENT THIS ON EVERY CHANGE!) 151 + 604800 ; Refresh 152 + 86400 ; Retry 153 + 2419200 ; Expire 154 + 604800 ) ; Negative Cache TTL 155 + 156 + @ IN NS sandbox-ubuntu. 157 + sandbox-ubuntu IN A 192.168.8.2 158 + www IN A 192.168.8.2 159 + ``` 160 + 161 + **Key points:** 162 + - Replace `localhost` with your domain (`ncaecybergames.org.`) 163 + - Replace `localhost` after `NS` with your server hostname (`sandbox-ubuntu.`) 164 + - **Always increment the serial number** when making changes (1→2→3...) 165 + - Add A records for each subdomain 166 + 167 + --- 168 + 169 + ### Step 5: Configure Reverse Zone File 170 + 171 + ```bash 172 + sudo nano /etc/bind/zones/reverse.ncaecybergames.org 173 + ``` 174 + 175 + Example reverse zone file: 176 + ``` 177 + $TTL 604800 178 + @ IN SOA ncaecybergames.org. root.ncaecybergames.org. ( 179 + 2 ; Serial (INCREMENT THIS ON EVERY CHANGE!) 180 + 604800 ; Refresh 181 + 86400 ; Retry 182 + 2419200 ; Expire 183 + 604800 ) ; Negative Cache TTL 184 + 185 + @ IN NS sandbox-ubuntu. 186 + 2 IN PTR www.ncaecybergames.org. 187 + 2 IN PTR sandbox-ubuntu.ncaecybergames.org. 188 + ``` 189 + 190 + **Key points:** 191 + - For reverse zones, domain names end with a **period** (`.`) 192 + - PTR record uses only the **host portion** of IP (for `192.168.8.2`, just use `2`) 193 + - Multiple PTR records can point to the same IP 194 + 195 + --- 196 + 197 + ## Start and Test DNS 198 + 199 + ### Start the Service 200 + ```bash 201 + sudo systemctl start named 202 + systemctl status named 203 + ``` 204 + 205 + If it fails to start, check for typos in your config files (missing semicolons, periods, spaces). 
206 + 207 + --- 208 + 209 + ### Configure Client to Use Your DNS Server 210 + 211 + Edit `/etc/resolv.conf`: 212 + ```bash 213 + sudo nano /etc/resolv.conf 214 + ``` 215 + 216 + Add your DNS server: 217 + ``` 218 + nameserver 192.168.8.2 219 + ``` 220 + 221 + Or add to netplan (`/etc/netplan/*.yaml`): 222 + ```yaml 223 + nameservers: 224 + addresses: 225 + - 192.168.8.2 226 + ``` 227 + 228 + --- 229 + 230 + ## Testing DNS 231 + 232 + ### Using nslookup 233 + 234 + Forward lookup: 235 + ```bash 236 + nslookup www.ncaecybergames.org 237 + ``` 238 + 239 + Reverse lookup: 240 + ```bash 241 + nslookup 192.168.8.2 242 + ``` 243 + 244 + ### Using Browser 245 + Navigate to `http://www.ncaecybergames.org` - should load your web server. 246 + 247 + --- 248 + 249 + ## Troubleshooting 250 + 251 + ### Service Won't Start 252 + - Check for typos in zone files (missing semicolons, periods) 253 + - Check file permissions (`644`) and ownership (`root:bind`) 254 + - Check config syntax: `named-checkconf` 255 + - Check zone file syntax: `named-checkzone ncaecybergames.org /etc/bind/zones/forward.ncaecybergames.org` 256 + 257 + ### DNS Not Resolving 258 + - Verify service is running: `systemctl status named` 259 + - Check `/etc/resolv.conf` has your DNS server listed 260 + - Test with `nslookup` to isolate DNS vs other issues 261 + 262 + ### Common Mistakes 263 + - Forgetting to increment serial number after changes 264 + - Missing periods at end of domain names in reverse zone files 265 + - Wrong file permissions/ownership 266 + - Typos in IP addresses or domain names 267 + - Missing semicolons in config files 268 + 269 + --- 270 + 271 + ## Quick Reference 272 + 273 + | Task | Command | 274 + |------|---------| 275 + | Check service status | `systemctl status named` | 276 + | Start service | `sudo systemctl start named` | 277 + | Restart after config change | `sudo systemctl restart named` | 278 + | Check config syntax | `named-checkconf` | 279 + | Check zone syntax | 
`named-checkzone DOMAIN ZONEFILE` | 280 + | Forward lookup | `nslookup DOMAIN` | 281 + | Reverse lookup | `nslookup IP` |
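Review bot: the NS records in both example zone files (`@ IN NS sandbox-ubuntu.` in Step 4 and again in Step 5) carry a trailing dot, so they name the absolute host `sandbox-ubuntu.`, while the only A record (`sandbox-ubuntu IN A 192.168.8.2`) is relative and defines `sandbox-ubuntu.ncaecybergames.org`; the nameserver named in NS therefore has no address record, `named-checkzone` will warn about it, and delegation from this zone does not work for anyone following the guide. Write the target as `sandbox-ubuntu.ncaecybergames.org.`, or as `sandbox-ubuntu` without the dot, and fix the key point in Step 4 that tells the reader to use `sandbox-ubuntu.` after NS. Three smaller points in the same file: Step 1 tells the reader to put custom zones into `named.conf.default-zones`, but the directory listing in Configuration Locations describes `named.conf.local` as the file for local zone definitions, so the two sections disagree and `named.conf.local` is the conventional choice; the SOA RNAME is `root.` in the forward file and `root.ncaecybergames.org.` in the reverse file, so pick one form for both; and under Configure Client, editing `/etc/resolv.conf` by hand is undone on Ubuntu hosts where systemd-resolved manages that file, which is worth saying next to the netplan alternative that actually persists.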
06-ufw-firewall.md 07-ufw-firewall.md
-293
07-active-connection-defense.md
··· 1 - # Active Connection Defense 2 - 3 - ## Overview 4 - Monitoring and managing active network connections is critical during competitions. This guide covers tools for identifying who's connected to your system and how to terminate malicious connections. 5 - 6 - ## Core Monitoring Tools 7 - 8 - ### netstat - Network Statistics 9 - 10 - **Most useful form**: 11 - ```bash 12 - sudo netstat -tunap 13 - ``` 14 - 15 - **Breakdown**: 16 - - `-t` = TCP connections 17 - - `-u` = UDP connections 18 - - `-n` = Show numeric ports (22 instead of "ssh") 19 - - `-a` = Show listening and established connections 20 - - `-p` = Show process IDs (requires sudo) 21 - 22 - **Output columns**: 23 - ``` 24 - Proto Local Address Foreign Address State PID/Program 25 - tcp 192.168.195.100:22 192.168.195.2:51736 ESTABLISHED 265408/sshd 26 - ``` 27 - 28 - **Common filters**: 29 - ```bash 30 - netstat -tunap | grep ESTABLISHED # Only active connections 31 - netstat -tunap | grep :22 # Only SSH connections 32 - netstat -tunap | less # Scroll through output 33 - ``` 34 - 35 - ### ss - Socket Statistics 36 - 37 - Modern replacement for netstat. Similar syntax: 38 - 39 - ```bash 40 - ss # Basic output (lots of info) 41 - ss | grep ESTAB # Only established connections 42 - ss -tunap # Same flags as netstat 43 - ``` 44 - 45 - **Advantage**: ss is installed on more modern systems by default. 46 - 47 - ### w - Who is logged in 48 - 49 - ```bash 50 - w 51 - ``` 52 - 53 - **Shows**: 54 - - Username 55 - - From where (IP address or `:0` for local console) 56 - - Login time 57 - - What they're doing 58 - 59 - **Example output**: 60 - ``` 61 - USER FROM WHAT 62 - sandbox :0 -bash 63 - bob 192.168.195.2 -bash 64 - jenny 192.168.195.2 -bash 65 - ``` 66 - 67 - **Key indicator**: 68 - - `:0` = Local console (physically at the machine) 69 - - IP address = Remote connection (SSH, etc.) 
70 - 71 - ## Finding Process Information 72 - 73 - ### top - Interactive Process Viewer 74 - 75 - ```bash 76 - top 77 - ``` 78 - 79 - - Shows CPU/memory usage 80 - - Lists running processes 81 - - Press `q` to quit 82 - 83 - ### htop - Enhanced Process Viewer 84 - 85 - ```bash 86 - htop # If installed (not always available) 87 - ``` 88 - 89 - More colorful and interactive than `top`. 90 - 91 - ### ps - Process Status 92 - 93 - ```bash 94 - ps aux # All processes, all users 95 - ps aux | grep ssh # Find SSH processes 96 - ``` 97 - 98 - ## Killing Connections 99 - 100 - ### Kill by Process ID (PID) 101 - 102 - 1. **Find the PID**: 103 - ```bash 104 - sudo netstat -tunap 105 - # Example output shows PID 265465 for jenny's SSH connection 106 - ``` 107 - 108 - 2. **Kill the process**: 109 - ```bash 110 - sudo kill 265465 111 - ``` 112 - 113 - **From the user's perspective**: Connection closes immediately 114 - ``` 115 - Connection to 192.168.195.100 closed by remote host. 116 - ``` 117 - 118 - ### Kill by Username (pkill) 119 - 120 - ```bash 121 - sudo pkill -kill -u jenny # Kill all processes for user jenny 122 - sudo pkill -kill -u bob # Kill all processes for user bob 123 - ``` 124 - 125 - **Warning**: This kills ALL processes for that user, including: 126 - - Active SSH sessions 127 - - Running programs 128 - - Background jobs 129 - 130 - ### Kill Signal Types 131 - 132 - ```bash 133 - sudo kill PID # SIGTERM (graceful shutdown, default) 134 - sudo kill -9 PID # SIGKILL (force kill immediately) 135 - sudo pkill -kill -u user # -kill = SIGKILL 136 - ``` 137 - 138 - ## Competition Workflow 139 - 140 - ### Active Defense Pattern 141 - 142 - 1. **Someone monitors connections**: 143 - ```bash 144 - # Run periodically or in a loop 145 - sudo netstat -tunap 146 - ``` 147 - 148 - 2. **Identify suspicious connections**: 149 - - Unknown IP addresses 150 - - Unexpected users logged in 151 - - Unusual ports 152 - 153 - 3. 
**Kill immediately**: 154 - ```bash 155 - sudo pkill -kill -u <suspicious_user> 156 - # or 157 - sudo kill <PID> 158 - ``` 159 - 160 - 4. **Someone else hardens the system**: 161 - - Change passwords 162 - - Disable accounts 163 - - Configure firewall 164 - - Close unnecessary services 165 - 166 - ### Example Monitoring Script 167 - 168 - ```bash 169 - #!/bin/bash 170 - # Quick connection checker 171 - while true; do 172 - clear 173 - echo "=== Active SSH Connections ===" 174 - sudo netstat -tunap | grep :22 | grep ESTABLISHED 175 - sleep 5 176 - done 177 - ``` 178 - 179 - ## Common Scenarios 180 - 181 - ### Scenario 1: Unknown SSH Connection 182 - 183 - ```bash 184 - # See who's connected 185 - w 186 - 187 - # Find their process ID 188 - sudo netstat -tunap | grep ESTABLISHED 189 - 190 - # Kill by PID 191 - sudo kill 265465 192 - ``` 193 - 194 - ### Scenario 2: Brute Force Attempts 195 - 196 - ```bash 197 - # See all connection attempts 198 - sudo netstat -tunap | grep :22 199 - 200 - # Check auth logs 201 - sudo tail -f /var/log/auth.log 202 - 203 - # Block the source IP with firewall 204 - sudo ufw deny from <attacker_ip> 205 - ``` 206 - 207 - ### Scenario 3: Multiple Sessions from Same User 208 - 209 - ```bash 210 - # Kill all sessions for a user 211 - sudo pkill -kill -u jenny 212 - 213 - # Disable the account 214 - sudo passwd -l jenny # Lock password 215 - sudo usermod -s /bin/false jenny # Disable shell 216 - ``` 217 - 218 - ## Warnings and Gotchas 219 - 220 - ### Don't Kill Yourself 221 - 222 - ```bash 223 - # BAD - if you're logged in as sandbox: 224 - sudo pkill -kill -u sandbox 225 - # This kills YOUR session too! 226 - ``` 227 - 228 - **Better approach**: Kill by specific PID if you're using the same username. 
229 - 230 - ### Don't Kill Teammates 231 - 232 - - Check with team before killing connections 233 - - Look at FROM addresses to identify internal vs external 234 - - Local (`:0`) connections are usually teammates at the console 235 - 236 - ### Shared Accounts 237 - 238 - If red team is using the same account as you: 239 - - Kill by PID (specific to their connection) 240 - - Don't kill by username (you'll disconnect yourself) 241 - 242 - ## Process Information Fields 243 - 244 - **Understanding PID in netstat**: 245 - ```bash 246 - sudo netstat -tunap 247 - ``` 248 - 249 - Output: 250 - ``` 251 - PID/Program name 252 - 265408/sshd: sandbox 253 - 265465/sshd: jenny 254 - ``` 255 - 256 - - PID: Process ID (unique number) 257 - - Program: Which service (sshd, apache2, etc.) 258 - - User context: Which user owns the process 259 - 260 - ## Monitoring vs. Hardening 261 - 262 - **Active monitoring** (short-term): 263 - - Running netstat/ss repeatedly 264 - - Killing suspicious connections as they appear 265 - - Playing "whack-a-mole" 266 - 267 - **Hardening** (long-term): 268 - - Change passwords 269 - - Disable unused accounts 270 - - Configure firewall rules 271 - - Close unnecessary services 272 - - Update vulnerable software 273 - 274 - **Best practice**: Use monitoring to buy time while someone else hardens the system. You can't watch connections for 6 hours straight. 275 - 276 - ## Tool Availability 277 - 278 - | Tool | Typical Availability | 279 - |------|---------------------| 280 - | netstat | Most systems (may need `net-tools` package) | 281 - | ss | Modern systems (usually pre-installed) | 282 - | w | All Unix/Linux systems | 283 - | top | All Unix/Linux systems | 284 - | htop | Optional (install with apt/yum) | 285 - | ps | All Unix/Linux systems | 286 - 287 - **If netstat is missing**: 288 - ```bash 289 - sudo apt install net-tools # Debian/Ubuntu 290 - sudo yum install net-tools # CentOS/RHEL 291 - ``` 292 - 293 - Or just use `ss` instead.
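Review bot: deleting this file drops guidance that the replacement 08-active-connection-defense.md does not carry over, and the commit message does not say the cuts are intentional. Missing from the new file: the brute-force scenario (`sudo tail -f /var/log/auth.log` and `sudo ufw deny from <attacker_ip>`), the account lockdown commands (`sudo passwd -l jenny` and `sudo usermod -s /bin/false jenny`), the kill signal explanation (`kill PID` is SIGTERM, `kill -9 PID` is SIGKILL), the Monitoring vs. Hardening section with its point that monitoring only buys time, and the Tool Availability table with the `net-tools` install hint for hosts without netstat. The new file keeps the kill-by-PID advice for shared accounts and the friendly-fire warning, so those are fine; either move the rest into the new file or state in the commit message that they were cut on purpose.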
+206
08-active-connection-defense.md
··· 1 + # Active Connection Defense 2 + 3 + Techniques for monitoring and terminating suspicious connections during competition. 4 + 5 + --- 6 + 7 + ## View Active Connections 8 + 9 + ### netstat Command 10 + 11 + Basic usage (too much output): 12 + ```bash 13 + netstat 14 + ``` 15 + 16 + **Useful filtered version:** 17 + ```bash 18 + netstat -tu # TCP and UDP connections only 19 + netstat -tun # + resolve port numbers (shows 22 instead of "ssh") 20 + netstat -tuna # + show listening ports too 21 + sudo netstat -tunap # + show process IDs (requires sudo) 22 + ``` 23 + 24 + **Remember: `netstat -tunap`** (tuna + p) 25 + 26 + | Flag | Meaning | 27 + |------|---------| 28 + | `-t` | TCP connections | 29 + | `-u` | UDP connections | 30 + | `-n` | Show port numbers (not names) | 31 + | `-a` | Show all (including listening) | 32 + | `-p` | Show process IDs (requires sudo) | 33 + 34 + Example output: 35 + ``` 36 + Proto Local Address Foreign Address State PID/Program 37 + tcp 192.168.8.2:22 192.168.8.100:51736 ESTABLISHED 26546/sshd: jenny 38 + tcp 192.168.8.2:22 192.168.8.100:51732 ESTABLISHED 26540/sshd: bob 39 + ``` 40 + 41 + ### Filter with grep 42 + ```bash 43 + sudo netstat -tunap | grep ESTABLISHED 44 + sudo netstat -tunap | grep ssh 45 + ``` 46 + 47 + ### ss Command (alternative to netstat) 48 + 49 + Some systems don't have netstat - use `ss` instead: 50 + ```bash 51 + ss 52 + ss -t # TCP only 53 + ss | grep ESTABLISHED 54 + ``` 55 + 56 + --- 57 + 58 + ## View Logged-In Users 59 + 60 + ### w Command 61 + ```bash 62 + w 63 + ``` 64 + 65 + Shows: 66 + - Username 67 + - TTY (terminal) 68 + - From (IP address for remote, `:0` for local GUI) 69 + - Login time 70 + - What they're running 71 + 72 + Example output: 73 + ``` 74 + USER TTY FROM LOGIN@ WHAT 75 + sandbox :0 :0 09:00 /usr/bin/gnome-shell <- Local GUI 76 + bob pts/1 192.168.8.100 10:15 -bash <- Remote SSH 77 + jenny pts/2 192.168.8.100 10:16 -bash <- Remote SSH 78 + ``` 79 + 80 + **Note:** `:0` means local GUI 
session (probably your teammate), IP address means remote connection (possibly attacker). 81 + 82 + --- 83 + 84 + ## Kill Connections 85 + 86 + ### Kill by Process ID 87 + 88 + 1. Find the PID with `netstat -tunap` 89 + 2. Kill it: 90 + ```bash 91 + sudo kill <PID> 92 + ``` 93 + 94 + Example: 95 + ```bash 96 + sudo netstat -tunap | grep ESTABLISHED 97 + # See jenny's connection has PID 26546 98 + sudo kill 26546 99 + ``` 100 + 101 + ### Kill by Username 102 + 103 + Log out all sessions for a specific user: 104 + ```bash 105 + sudo pkill -kill -u jenny 106 + sudo pkill -kill -u bob 107 + ``` 108 + 109 + **⚠️ WARNING: Don't kill yourself!** 110 + ```bash 111 + sudo pkill -kill -u sandbox # This kills YOUR session too! 112 + ``` 113 + 114 + If attacker is using the same account as you, kill by PID instead. 115 + 116 + --- 117 + 118 + ## Monitor Processes 119 + 120 + ### top Command 121 + ```bash 122 + top # Live view of running processes 123 + htop # Fancier version (may need to install) 124 + ``` 125 + 126 + Press `q` to quit. 127 + 128 + ### ps Command 129 + ```bash 130 + ps -aux # Show all processes with details 131 + ps -aux | grep python # Find Python scripts 132 + ps -aux | grep bash # Find bash scripts 133 + ``` 134 + 135 + Look for suspicious scripts running in background (attackers may leave these). 136 + 137 + --- 138 + 139 + ## Send Messages to Users 140 + 141 + ### Broadcast to All Users 142 + ```bash 143 + wall "Server shutting down in 5 minutes. Please save your work." 144 + ``` 145 + 146 + All logged-in users see the message in their terminal. 147 + 148 + ### Message Specific User 149 + ```bash 150 + w # Find their TTY (e.g., pts/2) 151 + sudo write bob pts/2 # Opens interactive message 152 + # Type your message, Ctrl+C to end 153 + ``` 154 + 155 + --- 156 + 157 + ## Competition Strategy 158 + 159 + ### Active Defense Workflow 160 + 161 + 1. 
**Monitor continuously:** 162 + ```bash 163 + sudo netstat -tunap | grep ESTABLISHED 164 + w 165 + ``` 166 + 167 + 2. **Identify suspicious connections:** 168 + - Unknown usernames 169 + - Connections from unexpected IPs 170 + - Multiple sessions from same IP 171 + 172 + 3. **Kill suspicious connections:** 173 + ```bash 174 + sudo kill <PID> # By process ID 175 + sudo pkill -kill -u <user> # By username 176 + ``` 177 + 178 + 4. **Meanwhile, teammate secures server:** 179 + - Change passwords 180 + - Lock down user accounts 181 + - Enable firewall 182 + - Remove unnecessary services 183 + 184 + ### Watch Out For 185 + 186 + - **Background scripts**: Attackers may leave Python/bash scripts running 187 + ```bash 188 + ps -aux | grep python 189 + ps -aux | grep bash 190 + ``` 191 + - **Cron jobs**: Check `crontab -l` and `/etc/cron.*` 192 + - **Friendly fire**: Don't kill your own sessions or teammates! 193 + 194 + --- 195 + 196 + ## Quick Reference 197 + 198 + | Task | Command | 199 + |------|---------| 200 + | View connections | `sudo netstat -tunap` | 201 + | View logged-in users | `w` | 202 + | Kill by PID | `sudo kill <PID>` | 203 + | Kill by username | `sudo pkill -kill -u <user>` | 204 + | View processes | `ps -aux` or `top` | 205 + | Broadcast message | `wall "message"` | 206 + | Message specific user | `sudo write <user> <tty>` |
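Review bot: the comment on `netstat -tun # + resolve port numbers (shows 22 instead of "ssh")` says the opposite of what `-n` does; `-n` disables name resolution so numeric ports are printed, which the flag table just below gets right (`Show port numbers (not names)`), so change the comment to something like `# + numeric ports (22 instead of "ssh")`. Two more in this file: `ps -aux` (ps Command section and Watch Out For) mixes the BSD-style `aux` with a POSIX dash; per the ps man page, `ps -aux` asks for processes owned by a user named `x` and only falls back to `ps aux`, possibly with a warning, when no such user exists, and the deleted file used `ps aux`, so keep that form. And `crontab -l` under Cron jobs lists only the invoking user's crontab, so to find jobs left under another account the check needs `sudo crontab -u <user> -l` per user or a look at the crontab spool directory (`/var/spool/cron/crontabs/` on Ubuntu) alongside `/etc/cron.*`.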
08-mikrotik-router.md 09-mikrotik-router.md