Broker Check


03: the only ports I should need are 53, 80, 443, and whatever port we decide on for Splunk. In case 03 has a scoring service, I would also need port 21.

My plan is to change passwords, then remove unnecessary users and services.

I would then apply updates as necessary.

Then I will add an AV and set up the firewall.


For Windows 7: ports 80, 443, 123

remove superfluous users; change/remove the local admin and guest accounts

disable ssh

change passwords

turn off unneeded services and ports

get an AV or set up Defender, turn on the firewall

if time permits, a security update

monitor services and the network; check privileges

create a Win 7 registry backup
apps needed





Micha's PowerShell script

08 plan 

Secure Windows Password 

net user <username> <newpassword> 

Disable Admin account (make sure another local admin account exists first, or you lock yourself out) 

net user administrator /active:no 

Disable guest 

net user guest /active:no 

(implement LAPS?) 

"Store passwords using reversible encryption" disabled 

Account lockout threshold 3 

net accounts /lockoutthreshold:3 

(net accounts /lockoutduration:30 /lockoutwindow:30 set the lockout duration and the observation window, in minutes) 

Windows audit policies 

Turn on Windows Firewall 

Install Firefox 

Install updates 

Disable unnecessary services 



Remote Desktop Services UserMode Port Redirector 

Remote Registry  

Remote Desktop Configuration  

SSDP Discovery 

UPnP Device Host 

Remote Desktop Services 

World Wide Web Publishing Service 

Deny ports  







Install Service packs 

Look into SCW (Security Configuration Wizard) to add/remove Windows components 

Install Process Monitor from Sysinternals (Regmon and Filemon are retired; Procmon replaced both) 

Disable shares 

Needed Services 

Install Splunk and Configure 

Install .NET Framework 4.5 (prerequisite for the PowerShell/WMF update) 

Start NTP 

  1. Select Start > Run, type regedit, and then select OK. 
  2. Locate and then select the following registry subkey: 


  3. In the right pane, right-click AnnounceFlags, and then select Modify. 
  4. In Edit DWORD Value, type A (hex) in the Value data box, and then select OK. This flags the machine as an authoritative time source. 
  5. Close Registry Editor. 
  6. At the command prompt, restart the Windows Time service so the change takes effect: 

net stop w32time && net start w32time 



Debian Need ports

  • 80, http
  • 22, ssh
  • 110, pop3
  • 143, imap
  • 220, imap3
  • 389, ldap
  • 443, https
  • 465, smtps
  • 587, submission (smtp)




  1. Change all passwords 
  • Could use a script 
  • Take networking down during the password change as an extra precaution 
  2. Change passwords on the database (MySQL?) 
  3. Make a user account 
  4. Disable root 
  5. Check /etc/passwd for accounts that shouldn't be there (also on the database) 
  6. Lock accounts, don't delete, just in case (passwd -l to lock, passwd -u to unlock) 
  7. Update apt repositories 
  8. Updates!!! 
  • apt-get update 
  • apt-get upgrade 
  • apt-get dist-upgrade 
  9. Install antivirus 
  • apt-get install clamav 
  10. Run antivirus 
  • freshclam 
  • clamscan -r -i / 
  11. Install AIDE 
  • apt-get install aide 
  • aide --init (or Debian's aideinit wrapper), then copy the new database into place before running aide --check 
  12. Re-enable network if taken down 
  13. Monitor network with netstat -tulpna (or ss -tulpna) 
  14. ps aux 
  15. Check iptables / set up firewall 
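The needed-ports list above and the netstat step in the plan become a repeatable check once the output is parsed instead of eyeballed. The script below is an added example, not a script from these notes: it runs a constructed `netstat -tulpn` sample (embedded and labelled as constructed; the program names and PIDs are made up) through an awk parser and reports every listening socket whose port is not on the Debian needed-ports list, marking loopback-only sockets separately from network-exposed ones. The port list is the one above; everything else is an assumption for the example.

```shell
#!/usr/bin/env bash
# Added example (not part of the original notes): compare listening sockets against
# the Debian needed-ports list. Parses `netstat -tulpn` output; a constructed sample
# is embedded so it runs offline. On a live box: unexpected_listeners "$(sudo netstat -tulpn)"

# Ports the Debian box is expected to serve (the list above: http, ssh, pop3, imap,
# imap3, ldap, https, smtps, submission).
NEEDED_PORTS="80 22 110 143 220 389 443 465 587"

# Constructed sample of `netstat -tulpn` output (program names and PIDs are made up).
# The inetd telnet listener and the netcat listener on 4444 are the kind of thing to catch.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      901/apache2
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      744/mysqld
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      820/dovecot
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      1333/inetd
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      2170/nc
tcp6       0      0 :::443                  :::*                    LISTEN      901/apache2
udp        0      0 127.0.0.1:123           0.0.0.0:*                           660/ntpd'

# Reduce each socket line to "proto port scope pid/program". udp lines have no
# State column, so the program name sits one field earlier than for tcp.
listening_sockets() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
        n = split($4, a, ":"); port = a[n]
        scope = ($4 ~ /^127\./ || $4 ~ /^::1:/) ? "local" : "exposed"
        prog = ($1 ~ /^tcp/) ? $7 : $6
        print $1, port, scope, prog
    }'
}

# Print every listening socket whose port is not in NEEDED_PORTS, one per line,
# and return 1 if any were found (0 if the box only listens where it should).
unexpected_listeners() {
    local out
    out=$(printf '%s\n' "$1" | listening_sockets |
          awk -v needed=" $NEEDED_PORTS " 'index(needed, " " $2 " ") == 0')
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Stand-alone run against the constructed sample.
unexpected_listeners "$SAMPLE_NETSTAT" || echo "review the listeners above"
```

A "local" hit (the MySQL socket on 127.0.0.1 here) is not reachable from the network, but it still tells you the service is installed and running; the "exposed" hits are what the scoring engine and the red team both see. The parser is written for netstat's column layout; `ss -tulpn` prints different columns and would need its own awk.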

2012 / Palo Alto, first copy 

  1. Change the Administrator password on Windows 2012 
  2. Look at users and make sure Administrator is the only admin account. 
  3. Run the script to lock down the firewall on Win2012 

#### Windows 2012 script #### 

# Reset the firewall to defaults, turn it on for all profiles, and default-deny in both directions 

netsh advfirewall reset 

netsh advfirewall set allprofiles state on 

netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound 

# Log allowed and dropped connections so the rules below can be verified 

netsh advfirewall set allprofiles logging allowedconnections enable 

netsh advfirewall set allprofiles logging droppedconnections enable 

netsh advfirewall set allprofiles logging filename C:\pfirewall.log 

Get-Content -Path 'C:\pfirewall.log' 

# Do not add a catch-all outbound block rule: the default policy above already blocks everything outbound, 
# and an explicit block rule takes precedence over allow rules, so it would also defeat out-custom below 
# netsh advfirewall firewall add rule name="IP Block" dir=out interfacetype=any action=block 



# Sets up outbound: only the ports we need 

netsh advfirewall firewall add rule name="out-custom" dir=out action=allow remoteport=80,443,22 protocol=tcp enable=yes 

# The downloads at the end need DNS; without this they fail under blockoutbound 

netsh advfirewall firewall add rule name="out-dns" dir=out action=allow remoteport=53 protocol=udp enable=yes 


# Set inbound rule but do not enable it yet 

netsh advfirewall firewall add rule name="in-custom" dir=in action=allow protocol=tcp localport=23 enable=no 


# This will enable it (23 is telnet; only open what the scoring service actually needs) 

netsh advfirewall firewall set rule name="in-custom" new localport=23 protocol=tcp enable=yes 


# Download PuTTY and Chrome 

Invoke-WebRequest -Uri -OutFile C:\putty.exe 

Invoke-WebRequest -Uri -OutFile C:\chrome.exe 




  1. Log in to the Palo Alto through SSH 
  2. Change the password for the Palo Alto (from configure mode, then commit) 


set mgt-config users admin password 



  3. Show basic info for the interfaces and record it 

show interface management 

show interface all 

  4. Perform WAN settings based on this information ##NEED TO WORK ON## 
  5. Paste in the rules downloaded on Win2012 
  6. Show management services 

Disable unnecessary things 

  7. Only allow HTTPS on the management interface (configure mode, then commit) 

> set deviceconfig system service disable-http yes 
> set deviceconfig system service disable-telnet yes 
> commit 


  1. set NTP 

Go to Device > Setup > Services and select the NTP tab. 

In the NTP Server Address field, enter the IP address or hostname of a NTP server. 

In the Authentication Type field, select one of the following: 

None (default). This option disables NTP authentication. 

Symmetric Key. This option uses a symmetric key, i.e. a shared secret. Enter the key ID, algorithm, authentication key, and confirm the authentication key. 

Autokey. This option uses Autokey, i.e. public key cryptography. 


  1. Watch traffic 







The Gist: 

  • update 
  • passwords 
  • users 
  • services 




The Meat and Potatoes in no particular order: 

  1. Change password 
  • passwd username 
  2. Update system 
  • repositories... 
  • sudo apt-get update 
  • !! sudo apt-get upgrade 
  3. Create new user 
  • sudo useradd -d /home/beater -s /bin/bash -m beater 
  • sudo adduser <username> sudo (looks way easier!) 
  • sudo usermod -a -G sudo beater 
  4. Disable root account 
  • sudo passwd -l root 
  • -u will re-enable the above 
  5. Disable an account 
  • usermod -s /usr/sbin/nologin "username" 
  6. Which active accounts exist 
  • cat /etc/passwd | egrep -v '\/false|\/nologin|\/shutdown|\/halt' | cut -d':' -f 1,7 
  • should be: 
  • root:/bin/bash 
  • sync:/bin/sync 
  • libuuid: 
  • speech-dispatcher:/bin/sh 
  • beater:/bin/bash 
  7. Limit logins (focus on what is in the passwd file (/etc/passwd); if you delete/disable accounts there, you don't have to worry about them having login rights. You also take care of services in step 6, so I wouldn't worry about step 7) 
  • sudo vi /etc/securetty 
  • # out the terminals that we don't want 
  8. Only allow root to modify securetty (If you have disabled root, this shouldn't be a problem, and can be ignored) 
  • sudo chown root:root /etc/securetty 
  • sudo chmod 0600 /etc/securetty 
  9. Secure /tmp folder 
  • Create a 1GB file and put a filesystem on it 
  • sudo dd if=/dev/zero of=/usr/tmpDSK bs=1024 count=1024000 
  • sudo mkfs.ext4 /usr/tmpDSK 
  • Create backup of /tmp 
  • sudo cp -Rpf /tmp /tmpbackup 
  • Mount the new /tmp partition and set permissions (a loop-mounted file is not tmpfs; give mount the real filesystem type) 
  • sudo mount -t ext4 -o loop,noexec,nosuid,nodev,rw /usr/tmpDSK /tmp 
  • sudo chmod 1777 /tmp 
  • Copy back and then remove the backup folder 
  • sudo cp -Rpf /tmpbackup/* /tmp/ 
  • sudo rm -rf /tmpbackup 
  • Set /tmp in /etc/fstab 
  • /usr/tmpDSK /tmp ext4 loop,nosuid,noexec,nodev,rw 0 0 
  • Test it 
  • sudo mount -o remount /tmp 
  • try executing a script or running a binary from /tmp; it should fail with "Permission denied" 
  10. Secure /var/tmp 
  • sudo mv /var/tmp /var/tmpold 
    sudo ln -s /tmp /var/tmp 
    sudo cp -prf /var/tmpold/* /tmp/ 
  • Restart services that use /tmp (anything with files open in the old directory keeps using them until restarted) 
  11. Set process limits for users (entries in /etc/security/limits.conf) 
  • user1 hard nproc 100 
  • @group1 hard nproc 20 
  12. Find out what services are running 
  • sudo initctl list | grep running   (Upstart; on a systemd box: systemctl list-units --type=service --state=running) 
  • what is normal? Sample output (on a hardened mail/web server the desktop services here, cups, bluetooth, modemmanager, avahi, lightdm, should not be running): 
  • avahi-daemon start/running, process 793 
  • rsyslog start/running, process 796 
  • tty4 start/running, process 1196 
  • udev start/running, process 649 
  • upstart-udev-bridge start/running, process 644 
  • whoopsie start/running, process 1309 
  • apport start/running 
  • systemd-logind start/running, process 784 
  • tty5 start/running, process 1201 
  • modemmanager start/running, process 957 
  • dbus start/running, process 738 
  • resolvconf start/running 
  • network-manager start/running, process 1006 
  • cups-browsed start/running, process 1399 
  • vmware-tools-thinprint start/running 
  • cron start/running, process 1274 
  • lightdm start/running, process 1465 
  • acpid start/running, process 1314 
  • bluetooth start/running, process 768 
  • ufw start/running 
  • cups start/running, process 2351 
  • upstart-socket-bridge start/running, process 927 
  • anacron start/running, process 1272 
  • tty2 start/running, process 1209 
  • upstart-file-bridge start/running, process 813 
  • tty3 start/running, process 1210 
  • network-interface (lo) start/running 
  • network-interface (eth0) start/running 
  • tty1 start/running, process 1513 
  • network-interface-security (network-manager) start/running 
  • network-interface-security (network-interface/eth0) start/running 
  • network-interface-security (network-interface/lo) start/running 
  • network-interface-security (networking) start/running 
  • networking start/running 
  • tty6 start/running, process 1213 
  13. Disable a service 
  • echo "manual" > /etc/init/service.override   (Upstart jobs) 
  • update-rc.d -f service_name remove   (SysV init scripts; on systemd: systemctl disable --now service_name) 
  14. Remove service (I think disabling them is the best idea) 
  • sudo apt-get purge service_name 
  15. Remove Telnet (Disable is good enough. You can disable ssh too) 
  • sudo apt-get purge telnetd inetutils-telnetd telnetd-ssl 
  16. Scan open ports 
  • sudo apt-get install nmap 
  • nmap -v -sT localhost 
  • SYN scanning 
  • sudo nmap -v -sS localhost 
  • a localhost scan also shows services bound only to 127.0.0.1; scan from another box to see what the network sees 
  17. Review logs (you can forward all logs to the log server) 
  • /var/log/messages - The main system log; on Debian/Ubuntu this is /var/log/syslog 
  • /var/log/auth.log - Authentication logs 
  • /var/log/kern.log - Kernel logs 
  • /var/log/cron.log - Crond logs (cron jobs) 
  • /var/log/maillog - Mail server logs (/var/log/mail.log on Debian) 
  • /var/log/boot.log - System boot log 
  • /var/log/mysqld.log - MySQL database server log file. I assume that SQL is not on my workstation 
  • /var/log/secure - Authentication log (the Red Hat name for auth.log) 
  • /var/log/ufw.log - Firewall log 
  • /var/run/utmp or /var/log/wtmp - Login records (binary; read them with who and last) 
  18. Mitigating DOS 
  • netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n 
  • shows how many connections each IP has 
  19. Disable Shell Accounts - to see which active accounts are on your server, run: 
  • cat /etc/passwd | egrep -v '\/false|\/nologin|\/shutdown|\/halt' | cut -d':' -f 1,7 
  20. You can disable an account using this command: (You can use sudo userdel <username> if you want to delete the account instead) 
  • usermod -s /usr/sbin/nologin "username" 
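The egrep one-liner in the account steps above, the "check /etc/passwd for accounts that shouldn't be there" step in the Debian plan and its "lock, don't delete" advice combine into one account audit. The script below is an added example, not a script from these notes: it applies the same login-shell filter to a constructed /etc/passwd and /etc/shadow (embedded and labelled as constructed, with placeholder hashes), additionally flags extra UID 0 accounts (the classic second root, which the shell filter alone does not single out) and accounts whose shadow entry still holds a usable password hash, and emits the lock commands for anything not on an approved list. The approved list and the sample accounts are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example (not part of the original notes): audit /etc/passwd and /etc/shadow
# for accounts that should not be able to log in, and emit the lock commands.
# Constructed sample files are embedded so it runs offline; on a live box use
#   suspicious_accounts "$(cat /etc/passwd)"   and   password_enabled_accounts "$(sudo cat /etc/shadow)"

# Accounts allowed to keep a login shell (assumption for the example; the notes'
# "should be" list names root, sync and beater).
APPROVED_LOGIN_ACCOUNTS="root sync beater"

# Constructed /etc/passwd: "support" and "toor" are the planted intruder accounts.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
mysql:x:105:113:MySQL Server,,,:/nonexistent:/bin/false
beater:x:1000:1000:beater,,,:/home/beater:/bin/bash
support:x:1001:1001:,,,:/home/support:/bin/bash
toor:x:0:0::/root:/bin/bash'

# Constructed /etc/shadow with placeholder hashes ("*" and "!" mean locked / no password set).
SAMPLE_SHADOW='root:$6$constructed$placeholderhash:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
sync:*:18000:0:99999:7:::
www-data:*:18000:0:99999:7:::
backup:*:18000:0:99999:7:::
mysql:!:18000:0:99999:7:::
beater:$6$constructed$placeholderhash:18000:0:99999:7:::
support:$6$constructed$placeholderhash:18000:0:99999:7:::
toor:$6$constructed$placeholderhash:18000:0:99999:7:::'

# Same filter as the egrep one-liner above: accounts whose shell is not
# false/nologin/shutdown/halt, printed as name:shell.
login_shell_accounts() {
    printf '%s\n' "$1" | awk -F: '$7 !~ /\/(false|nologin|shutdown|halt)$/ { print $1 ":" $7 }'
}

# Any account with UID 0 other than root is a second root, whatever its shell says.
extra_uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Accounts that can still authenticate with a password: hash field not locked
# ("!" or "*" prefix). An empty field is worse: login with no password at all.
password_enabled_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 == "" || $2 !~ /^[!*]/ { print $1 }'
}

# Login-capable or UID-0 accounts that are not on the approved list, sorted, unique.
suspicious_accounts() {
    {
        login_shell_accounts "$1" | cut -d: -f1
        extra_uid0_accounts "$1"
    } | awk -v ok=" $APPROVED_LOGIN_ACCOUNTS " 'index(ok, " " $1 " ") == 0' | sort -u
}

# Emit (do not run) the lock commands, following the "lock, don't delete" advice.
# passwd -l only disables password auth; an SSH key in authorized_keys still works,
# hence the nologin shell as well.
lock_commands() {
    suspicious_accounts "$1" | while read -r user; do
        printf 'passwd -l %s; usermod -s /usr/sbin/nologin %s\n' "$user" "$user"
    done
}

# Stand-alone run against the constructed files.
echo "== login-shell accounts ==";      login_shell_accounts "$SAMPLE_PASSWD"
echo "== extra UID 0 accounts ==";      extra_uid0_accounts "$SAMPLE_PASSWD"
echo "== password-enabled accounts =="; password_enabled_accounts "$SAMPLE_SHADOW"
echo "== lock commands ==";             lock_commands "$SAMPLE_PASSWD"
```

Review the lock commands before piping them to a root shell: a service account that legitimately needs a shell (a backup runner, for instance) should be added to the approved list rather than locked mid-competition. The UID 0 check matters because `egrep -v nologin` would happily pass a second root that was given /usr/sbin/nologin and then used via su or cron.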



  • rwho -a - List users logged in on machines on the local network (needs rwhod running) 
  • finger user_name - System info about a user. Try: finger root 
  • last - Lists the users last logged in on your system 
  • history | more - Show the last (1000 or so) commands executed from the command line on the current account. The | more causes the display to stop after each screen fill 
  • pwd - Print working directory, i.e. display the name of your current directory on the screen 
  • hostname - Print the name of the local host (the machine on which you are working) 
  • whoami - Print your login name 
  • id username - Print user id (uid) and group id (gid), effective id (if different from the real id) and the supplementary groups 
  • ps - List the processes started from the current terminal 
  • ps aux | more - List all the processes currently running, even those without a controlling terminal, together with the name of the user that owns each process 
  • top - Keep listing the currently running processes, sorted by CPU usage (top users first) 
  • uname -a - Info on your server (kernel version, hostname, architecture) 


Memory info (in kilobytes). (free -h makes it easier to read) 

free 

Print disk info about all the file systems in a human-readable form. 

df -h 

Print detailed disk usage for each subdirectory starting at root (in a human-readable form). 

du / -bh | more 

Show the kernel modules currently loaded (as root; use /sbin/lsmod when you are a non-root user and /sbin is not on your PATH). 

lsmod 


Show the current user environment. 


Show the content of the environment variable PATH. This command can be used to show other environment variables as well. Use set to see the full environment. 

echo $PATH 

Print kernel messages (the current content of the so-called kernel ring buffer). Press q to quit less. Use less /var/log/dmesg to see what dmesg dumped into the file right after bootup. Only works on dedicated systems (containers sharing the host kernel usually cannot read it). 

dmesg | less 

Commands for Process control 

fg PID - Bring a background or stopped process to the foreground. 


bg PID - Resume a stopped process in the background. This is the opposite of fg. Ctrl-Z stops the foreground job; bg then resumes it in the background. 


Run any command in the background (the symbol & means run the command in the background). 

any_command & 

Force a process shutdown. First determine the PID of the process to kill using ps. 

kill PID 

Kill program(s) by name. 

killall -9 program_name 

Run program_name adjusting its priority. Since the priority is not specified in this example, it will be adjusted by 10 (the process will run slower) from the default value (usually 0). The lower the niceness number, the higher the priority. The niceness value may be in the range -20 to 19. Only root may specify negative values. Use top to display the priorities of the running processes. 

nice program_name 

(as root) Change the priority of a running process to -1. Normal users can only adjust processes they own, and only upwards from the current value (make them run slower). 

renice -1 PID 



To set the hardware clock from the system clock, use (as root) hwclock --systohc (older Red Hat systems wrapped this as setclock). 

date 123123572000 sets the system clock, in MMDDhhmmYYYY form (this example is Dec 31 23:57 2000). Run apt-get install ntp if the NTP daemon isn't already installed. If installed, run dpkg-reconfigure tzdata to set the correct time zone. The NTP servers to synchronize with are configured in /etc/ntp.conf. 


Link(s) I should look at 


Show version: lsb_release -a 



uname -r 


cd /etc/apt/ 


cat sources.list 






sudo do-release-upgrade (Ubuntu only; on Debian a release upgrade is done by editing /etc/apt/sources.list and running apt-get dist-upgrade) 



sudo /etc/init.d/networking restart 



*.* @ 

@ is UDP 

@@ is TCP 

(rsyslog forwarding syntax, in /etc/rsyslog.conf or /etc/rsyslog.d/: the log server's host follows the @ or @@, optionally with :port; the default port is 514. Use @@ for TCP so log lines sent to the log server are not silently dropped.) 


school: pickles 

home: collegeboy