Posted: January 13, 2012 in LINUX, Ubuntu Command ref

## How to view installed packages on Ubuntu



# dpkg --list

# dpkg --info packageName   (dpkg --info reads a .deb archive file; for a package that is already installed use dpkg -s packageName)

# apt-get remove packageName


#4: Keep Linux Kernel and Software Up to Date

# apt-get update && apt-get upgrade


#6.3: Locking User Accounts After Login Failures

To see failed login attempts, enter:

faillog

To unlock an account after login failures, run:

faillog -r -u userName


Note that you can use the passwd command to lock and unlock accounts:

# lock account

passwd -l userName

# unlock account

passwd -u userName

#6.4: How Do I Verify No Accounts Have Empty Passwords?


Type the following command:

# awk -F: '($2 == "") {print}' /etc/shadow

Lock all empty password accounts:

# passwd -l accountName


#6.5: Make Sure No Non-Root Accounts Have UID Set To 0


Only the root account should have UID 0, which grants full permissions on the system. Type the following command to display all accounts with UID set to 0:

# awk -F: '($3 == "0") {print}' /etc/passwd
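As an added example (not code from the original post), the checks from 6.4 and 6.5 as shell functions that take the file to inspect, run here against a constructed passwd/shadow sample so the logic can be tried without root:

```shell
#!/bin/sh
# Added example, not part of the original post: account audit helpers for
# sections 6.4 and 6.5. Each function takes the file to inspect so it can be
# exercised on a constructed sample; on a live host pass /etc/passwd and
# /etc/shadow (reading /etc/shadow needs root).

# Accounts whose shadow password field (field 2) is empty. A locked ("!") or
# disabled ("*") field is not empty, so only truly passwordless logins match.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts other than root whose UID (field 3 of passwd) is 0.
non_root_uid0_accounts() {
    awk -F: '$3 == "0" && $1 != "root" { print $1 }' "$1"
}

# Run both checks; print findings and return 1 if anything was found.
audit_accounts() {   # $1 = passwd file, $2 = shadow file
    status=0
    for u in $(empty_password_accounts "$2"); do
        echo "EMPTY PASSWORD: $u (lock it with: passwd -l $u)"; status=1
    done
    for u in $(non_root_uid0_accounts "$1"); do
        echo "UID 0 BUT NOT root: $u (investigate before changing)"; status=1
    done
    return $status
}

# Constructed sample data (fake entries, not real account records).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svc2:x:0:0::/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$fakesalt$fakehash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
svc2::19000:0:99999:7:::
alice:!:19000:0:99999:7:::
EOF

audit_accounts "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow" || echo "audit found problems"
```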


Q. How Do I Secure the Grub Boot Loader?

#1: Create A Password For Grub


Type the grub-md5-crypt command to create a password hash in MD5 format:

# grub-md5-crypt

Output:

Retype password: <ENTER-YOUR-PASSWORD>
$1$NYoR71$Sgv6pxQ6LG4GXpfihIJyL0

Please note that you need to copy and paste the MD5 password hash ($1$NYoR71$Sgv6pxQ6LG4GXpfihIJyL0) into your configuration file. Use the mouse to copy it.

#2: Add MD5 Password To Grub Configuration File


Under Debian GNU/Linux the Grub configuration file is located at /boot/grub/menu.lst. (Red Hat / Fedora users use the /boot/grub/grub.conf file.)

# vi /boot/grub/menu.lst


Edit file and add a password line as follows:

password --md5 $1$NYoR71$Sgv6pxQ6LG4GXpfihIJyL0


To require use of the password for entering single user mode, change the value of the lockalternative variable in the file /boot/grub/menu.lst to true, as shown in the following example.


# lockalternative=true



To disable the reboot action taken by pressing the Ctrl+Alt+Delete key combination, comment out the following line in the file /etc/event.d/control-alt-delete.


#exec /sbin/shutdown -r now "Control-Alt-Delete pressed"



#9.1: Find Listening Network Ports


Use the following command to list all open ports and the associated programs:

netstat -tulpn

Or scan the host with nmap:

nmap -sT -O localhost

nmap -sT -O server.example.com


#15: Disable Unwanted SUID and SGID Binaries

# See all set-user-id files (the older "-perm +4000" spelling is rejected by current findutils; -4000 works everywhere):

find / -perm -4000

# See all set-group-id files:

find / -perm -2000

# Or combine both in a single command:

find / \( -perm -4000 -o -perm -2000 \) -print

# List setuid/setgid regular files without descending into /proc (the directory to prune was missing on the original page; /proc is an assumed, typical choice; "/6000" matches either bit):

find / -path /proc -prune -o -type f -perm /6000 -ls


#15.1: World-Writable Files


Anyone can modify a world-writable file, which can become a security issue. Use the following command to find world-writable directories under /dir that do not have the sticky bit set (without the sticky bit, any user can delete or rename other users' files in them):

find /dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print


#15.2: No-owner Files

Files not owned by any valid user or group can pose a security problem. Find them with the following command, which lists entries under /dir that do not belong to a valid user or a valid group:

find /dir -xdev \( -nouser -o -nogroup \) -print
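An added example, not from the original post, that wraps the checks of sections 15, 15.1 and 15.2 as functions over a directory and exercises them on a constructed tree; it uses the "-perm /MODE" syntax that replaced the "+MODE" form in newer findutils:

```shell
#!/bin/sh
# Added example, not from the original post: the filesystem checks of sections
# 15, 15.1 and 15.2 as functions over a directory argument, so they can be
# tried on a constructed tree before being run as root on /. Current findutils
# rejects the old "-perm +6000" spelling; "-perm /6000" (any of the bits) and
# "-perm -0002" (all of the bits) are used instead.

# Regular files with the setuid or setgid bit, staying on one filesystem.
setuid_setgid_files() {
    find "$1" -xdev -type f -perm /6000 -print
}

# World-writable directories without the sticky bit: anyone can delete or
# rename other users' entries there.
world_writable_dirs_no_sticky() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print
}

# World-writable regular files (the section's prose concern; its own command
# only covers directories).
world_writable_files() {
    find "$1" -xdev -type f -perm -0002 -print
}

# Entries whose owner or group no longer exists in /etc/passwd or /etc/group.
unowned_files() {
    find "$1" -xdev \( -nouser -o -nogroup \) -print
}

# Constructed sample tree (created by this script, not real system state).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir "$SAMPLE_DIR/shared" "$SAMPLE_DIR/tmpdir" "$SAMPLE_DIR/bin"
chmod 0777 "$SAMPLE_DIR/shared"   # world-writable, no sticky bit: flagged
chmod 1777 "$SAMPLE_DIR/tmpdir"   # world-writable with sticky bit: fine
: > "$SAMPLE_DIR/bin/helper" && chmod 4755 "$SAMPLE_DIR/bin/helper"  # setuid
: > "$SAMPLE_DIR/bin/report" && chmod 2755 "$SAMPLE_DIR/bin/report"  # setgid
: > "$SAMPLE_DIR/bin/tool"   && chmod 0755 "$SAMPLE_DIR/bin/tool"    # plain
: > "$SAMPLE_DIR/notes.txt"  && chmod 0666 "$SAMPLE_DIR/notes.txt"   # w-w file

for check in setuid_setgid_files world_writable_dirs_no_sticky \
             world_writable_files unowned_files; do
    echo "== $check"; "$check" "$SAMPLE_DIR"
done
```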


ArpON – Protect yourself from MITM attacks.

ArpON (ARP handler inspectiON) is a portable handler daemon that makes ARP secure in order to avoid Man In The Middle attacks through ARP Spoofing/Poisoning. It also detects and blocks Man In The Middle attacks through ARP Spoofing/Poisoning used for DHCP Spoofing, DNS Spoofing, WEB Spoofing, Session Hijacking, SSL/TLS Hijacking and similar attacks.

This is possible using two kinds of anti ARP Poisoning techniques: the first is based on SARPI or "Static ARP Inspection", the second on the DARPI or "Dynamic ARP Inspection" approach. SARPI and DARPI protect against unidirectional, bidirectional and distributed attacks.

Here's a very quick example of its usage; we will use SARPI.


arpon -n 10 -g -u 1 -s -i eth0


ArpON "Arp handler inspection" version 1.90 (http://arpon.sourceforge.net)

[00/02/2011 – 08:32:04 PST] Device: (eth0) MAC: 0:24:21:66:9:5a Inet4: Netmask:

[00/02/2011 – 08:32:04 PST] SARPI Start…

[00/02/2011 – 08:32:04 PST] SARPI protects these Arp Cache's entries:

[00/02/2011 – 08:32:04 PST] 1) ->  0:66:78:d6:92:c8

[00/02/2011 – 08:32:04 PST] SARPI Arp Cache refresh timeout: 1 minute.

[00/02/2011 – 08:32:04 PST] SARPI Realtime Protect actived!




-n 10 ~ Sets the process priority

-g ~ Works in logging mode

-u 1 ~ Sets the SARPI timeout to 1 minute

-s ~ Manages the ARP cache statically (SARPI)


You can get ArpON with the apt-get command or from its website (http://arpon.sourceforge.net).



Multiple network interfaces and ARP flux


$ sysctl -a | grep 'net.ipv4.conf.*.arp'

A Simple Fix That May Work


If all three network interfaces are on different IP networks (such as 10.x.x.x, 172.16.x.x, 192.168.x.x) then executing the following will work:


sysctl -w net.ipv4.conf.all.arp_filter=1


However, if they are all on the same IP network, which is the case here, then this won’t achieve the desired results.

A More Effective Solution


The following can be added to your /etc/sysctl.conf file once you've tested it.


sysctl -w net.ipv4.conf.all.arp_ignore=1

sysctl -w net.ipv4.conf.all.arp_announce=2
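An added example (not from the original post) that shows why setting the "all" sysctls is sufficient: for arp_ignore and arp_announce the kernel applies the larger of conf/all and conf/<interface>, and the script below computes that effective value per interface from "sysctl -a"-style output (a constructed sample here) and reports interfaces that still deviate:

```shell
#!/bin/sh
# Added example, not from the original post: report the effective ARP flux
# settings per interface. The kernel combines conf/all and conf/<iface>: for
# arp_ignore and arp_announce the larger of the two values applies, which is
# why setting net.ipv4.conf.all.* is enough even if each interface still
# shows 0. Input is "sysctl -a"-style "key = value" text; interface names
# are assumed not to contain dots. A constructed sample is used below.

# Effective value of KEY (arp_ignore or arp_announce) for IFACE.
effective_arp_setting() {   # $1 = sysctl output file, $2 = iface, $3 = key
    awk -v iface="$2" -v key="$3" -F'[ =]+' '
        $1 == ("net.ipv4.conf.all." key)         { all = $2 }
        $1 == ("net.ipv4.conf." iface "." key)   { own = $2 }
        END { print (all + 0 > own + 0 ? all + 0 : own + 0) }' "$1"
}

# Print interfaces (other than all, default and lo) whose effective values
# differ from the recommended arp_ignore=1 / arp_announce=2; return 1 if any.
arp_flux_report() {   # $1 = sysctl output file
    status=0
    for iface in $(awk -F'[ =.]+' '/^net\.ipv4\.conf\./ { print $4 }' "$1" | sort -u); do
        case $iface in all|default|lo) continue ;; esac
        ign=$(effective_arp_setting "$1" "$iface" arp_ignore)
        ann=$(effective_arp_setting "$1" "$iface" arp_announce)
        if [ "$ign" -ne 1 ] || [ "$ann" -ne 2 ]; then
            echo "$iface: arp_ignore=$ign arp_announce=$ann (want 1 and 2)"
            status=1
        fi
    done
    return $status
}

# Constructed sample: "all" fixes arp_ignore only; eth0 was also set per interface.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 0
net.ipv4.conf.default.arp_ignore = 0
net.ipv4.conf.default.arp_announce = 0
net.ipv4.conf.eth0.arp_ignore = 0
net.ipv4.conf.eth0.arp_announce = 2
net.ipv4.conf.eth1.arp_ignore = 0
net.ipv4.conf.eth1.arp_announce = 0
net.ipv4.conf.lo.arp_ignore = 0
net.ipv4.conf.lo.arp_announce = 0
EOF

arp_flux_report "$SAMPLE" || echo "fix: sysctl -w net.ipv4.conf.all.arp_announce=2"
```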



1/ Clearing ARP cache and table.

You need the "arp -d hostname" repeatedly to accomplish this.

You could make a script. Is there an easier way?


2/ Clearing the routing table

"route del ROUTEDESCRIPTOR" repeatedly.


3/changing the mac of my eth0 card and also changing it back to the original

See "man ethtool", the -e -E options change the firmware setting. The

"ethtool ethN -s phyad 01:22:33:44:55" will temporarily change (till reboot or re-command).


4/ restarting the network and taking it down.

For a fixed config the RedHat "ifup ethN" and "ifdown ethN" will do. But also see the

"ip" command and the older deprecated (but very common) "ifconfig" command.


5/ assigning static IP’s and masks and then restarting the network to make sure it worked

I'd use "ip", but "ifconfig" is good too.

ip addr add dev eth0

ip link set eth0 up

ip link set eth0 down


ifconfig eth0 up

ifconfig eth0 down


6/Firewall stuff

"man iptables" stuff. Search google.com/linux for "iptables howto".


7/ ACL's

see "man acl" and "man COMMAND" for the above. Totally POSIX AFAIK.

If you don't have these then "su -; yum -y install acl", but I think they are in the default distro.



1/ "ip neighbor flush all" - clears the arp table(s).

2/ "ip route flush all" - clears the entire route table.


The lesson is that the "ip" command subsumes nearly all of the arp/route/ifconfig commands and should be used instead.

The following output is from executing this command on the HN.


$ sysctl -a | grep 'net.ipv4.conf.*.arp'

$ cat /proc/net/arp

$ ip route ls

