
Wednesday 19 November 2014

decode@india.com ransomware


If you see a ransom note like this one:

Attention! Your computer was attacked by virus-encoder.

All your files are encrypted cryptographically strong, without the original key recovery is impossible!
To get the decoder and the original key, you need to to write us at the email decode@india.com with the subject "encryption" stating your id.
Write in the case, do not waste your and our time on empty threats. 

Responses to letters only appropriate people are not adequate ignore.

You probably already know that you are infected with the decode@india.com ransomware, and you will most probably search all the blogs and install all the tools they advertise, which do not remove anything, because, as far as I can tell, this ransomware deletes itself once the encryption is done.


Some antivirus vendors already detect the ransomware; you can look the sample up by its hash (5fab6fbdff1a72cd5eafdd27b5ee11a9):


What else can we say about this ransomware? First, about the infection and what it leaves behind. These registry entries are written (they point the desktop wallpaper at the dropped bitmap, which carries the ransom note):

HKEY_CURRENT_USER\CONTROL PANEL\DESKTOP\TILEWALLPAPER = 48
HKEY_CURRENT_USER\CONTROL PANEL\DESKTOP\WALLPAPER = %APPDATA%\bytor.bmp

I noticed the files in different locations, depending on the Windows version:

C:\Documents and Settings\<User>\Start Menu\Programs\Startup\Autostart\bytor.bmp
but also:
C:\Users\<User>\AppData\Roaming\bytor.bmp
C:\Documents and Settings\<User>\Start Menu\Programs\Startup\msiexec.exe
or something like this:
C:\Users\<User>\appdata\local\temp\vup.exe
C:\Windows\system32\isobwdev.exe
C:\Windows\SysWOW64\cleen.bat
C:\Users\rado\AppData\Local\Temp\oQ3jKRk.exe

The following files were temporarily written to disk then later removed:
C:\cleen.bat


The only other thing we can say is that it closely resembles the behaviour of Cryptolocker, so trying to restore the files from shadow copies (Shadow Explorer) is pointless. Read the following, which I found about Cryptolocker:


In addition to encrypting the files, the malware also executes several commands to make recovery of files even more difficult. The following command is executed to delete the volume's shadow copies, which removes Windows automatic volume backups:

vssadmin.exe Delete Shadows /All /Quiet
The following commands are also executed to disable the Windows Error Recovery screen at startup:
bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures

The malware also attempts to disable the following services to reduce security, disable Windows updates, and disable error reporting in order to avoid detection:
wscsvc
WinDefend
wuauserv
BITS
ERSvc
WerSvc
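As an added example (not from the original post), here is a small Python triage script that looks for the recovery-sabotage steps described above, plus the dropped file names listed earlier in the post, in process-creation log lines; the sample events, their field layout and the rule names are assumptions made for this example.

```python
"""Triage process-creation events for the recovery-sabotage steps described above."""
import re
from typing import Dict, List

# Constructed sample, not a capture from an infected host.
# Format: timestamp|parent process|image|command line
SAMPLE_EVENTS = """\
2014-11-19 10:01:02|explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt
2014-11-19 10:03:11|C:\\Users\\rado\\AppData\\Local\\Temp\\oQ3jKRk.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet
2014-11-19 10:03:12|C:\\Users\\rado\\AppData\\Local\\Temp\\oQ3jKRk.exe|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled No
2014-11-19 10:03:12|C:\\Users\\rado\\AppData\\Local\\Temp\\oQ3jKRk.exe|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures
2014-11-19 10:03:13|C:\\Windows\\SysWOW64\\cleen.bat|C:\\Windows\\System32\\net.exe|net stop WinDefend
2014-11-19 10:03:13|C:\\Windows\\SysWOW64\\cleen.bat|C:\\Windows\\System32\\sc.exe|sc config wuauserv start= disabled
2014-11-19 10:05:00|services.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows
"""

# Services the post says the malware disables.
SECURITY_SERVICES = r"(?:wscsvc|windefend|wuauserv|bits|ersvc|wersvc)"

# Command-line patterns, all matched against the lower-cased command line.
COMMAND_RULES = {
    # vssadmin.exe Delete Shadows /All /Quiet
    "shadow_copy_deletion": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b"),
    # bcdedit /set {default} recoveryenabled No  /  bootstatuspolicy ignoreallfailures
    "boot_recovery_tamper": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"),
    # net stop / sc stop|config|delete aimed at one of the listed services
    "security_service_stop": re.compile(
        r"\b(?:net|sc)(?:\.exe)?\s+(?:stop|config|delete)\s+" + SECURITY_SERVICES + r"\b"),
}

# Dropped file names from the post; a genuine msiexec.exe never lives in a Startup folder.
DROPPER_PATH = re.compile(
    r"\\(?:(?:vup|isobwdev|oq3jkrk)\.exe|cleen\.bat|bytor\.bmp|startup\\msiexec\.exe)$")


def parse_event(line: str) -> Dict[str, str]:
    """Split one pipe-separated event line into its four fields."""
    time, parent, image, command = line.split("|", 3)
    return {"time": time, "parent": parent, "image": image, "command": command}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event triggers (empty list if benign)."""
    hits = []
    command = event["command"].lower()
    for name, pattern in COMMAND_RULES.items():
        if pattern.search(command):
            hits.append(name)
    # Either the parent or the image being one of the dropped files is enough.
    for field in ("parent", "image"):
        if DROPPER_PATH.search(event[field].lower()):
            hits.append("known_dropper_path")
            break
    return hits


def scan(text: str) -> List[Dict[str, str]]:
    """Run every non-empty line through classify() and collect the findings."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        for rule in classify(event):
            findings.append({"time": event["time"], "rule": rule,
                             "image": event["image"], "command": event["command"]})
    return findings


def ransomware_suspected(findings: List[Dict[str, str]]) -> bool:
    """Shadow copy deletion plus at least one other indicator is the trigger used here."""
    rules = {f["rule"] for f in findings}
    return "shadow_copy_deletion" in rules and len(rules) > 1


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['time']}  {f['rule']:<22} {f['command']}")
    print("ransomware suspected:", ransomware_suspected(found))
```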

This is the reply you get if you write to decode@india.com:
Hello. The cost of obtaining a decoder and a unique key is 1 Bitcoin.
_________________________________________________________________________________

Send us an example of an encrypted file, upload the file to sendspace.com and send us the link, we decrypt it and send it,

After payment we will send  decoder and unique password for your id. 
_______________________________________________________________________________

Payment can be made by exchanging e-currency you comfortable in your country on Bitcoin,
In exchange, you must specify our Bitcoin wallet, our Bitcoin Wallet is _____________________  repeat our Bitcoin Wallet is ________________________
After payment email us quoting the number Bitcoin wallet on which the payment was made and your id.

What can be done?
- Make regular backups.
- Patch your Windows.
- If an e-mail has a strange attachment, don't open it. If it is from someone you know, first verify with them that they really sent it.

Disinfecting (based on the information we have), supposing anything is left on the system at all:

You will need AVZ4 (get it from http://www.z-oleg.com/secur/avz/download.php) and load a custom script (File > Custom scripts). Before loading, fill in the user profile (replace <User> with the account name you use). This script might or might not work; use it at your own risk!

begin
// Update the AVZ databases, then take the network down while the clean-up runs.
ExecuteAVUpdate;
ShowMessage('AVZ automatically will close all network connections.'+#13#10+'After restarting networks will be up.');
ExecuteFile('net.exe', 'stop tcpip /y', 0, 15000, true);
if not IsWOW64
  then
   begin
    SearchRootkit(true, true);
    SetAVZGuardStatus(true);
   end;
ClearQuarantine;

// Kill the dropped executables (replace <User> with the real profile name).
TerminateProcessByName('C:\Documents and Settings\<User>\Start Menu\Programs\Startup\msiexec.exe');
TerminateProcessByName('C:\Users\<User>\appdata\local\temp\vup.exe');
TerminateProcessByName('C:\Windows\system32\isobwdev.exe');
TerminateProcessByName('C:\Windows\SysWOW64\cleen.bat');
TerminateProcessByName('C:\Users\<User>\AppData\Local\Temp\oQ3jKRk.exe');
// Quarantine copies first, so a sample survives for analysis or for the AV vendor.
QuarantineFile('C:\Documents and Settings\<User>\Start Menu\Programs\Startup\msiexec.exe', '');
QuarantineFile('C:\Users\<User>\appdata\local\temp\vup.exe', '');
QuarantineFile('C:\Windows\system32\isobwdev.exe', '');
QuarantineFile('C:\Windows\SysWOW64\cleen.bat', '');
QuarantineFile('C:\Users\<User>\AppData\Local\Temp\oQ3jKRk.exe', '');
QuarantineFile('C:\Users\<User>\AppData\Roaming\bytor.bmp', '');
// Remove the files and their autorun entries.
DeleteFile('C:\Documents and Settings\<User>\Start Menu\Programs\Startup\msiexec.exe');
DeleteFile('C:\Users\<User>\appdata\local\temp\vup.exe');
DeleteFile('C:\Windows\system32\isobwdev.exe');
DeleteFile('C:\Windows\SysWOW64\cleen.bat');
DeleteFile('C:\Users\<User>\AppData\Local\Temp\oQ3jKRk.exe');
DeleteFile('C:\Users\<User>\AppData\Roaming\bytor.bmp');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','vup');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','isobwdev');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','cleen');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','oQ3jKRk');
// The ransom note wallpaper: the value the malware sets is Wallpaper (see the registry entries above).
RegKeyParamDel('HKEY_CURRENT_USER','Control Panel\Desktop','Wallpaper');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(false);
end.

After the restart you can collect a sample that you can send (the misspelling in CreateQurantineArchive is AVZ's own function name):
begin
CreateQurantineArchive(GetAVZDirectory+'sample.zip');
end.

Thursday 6 November 2014

Dell Inspiron 1545 Goes into Sleep mode randomly

I recently had a case where a Dell Inspiron 1545 went into sleep mode randomly, for no apparent reason, so I had to isolate the problem:

- I checked the power settings
- Tested the memory
- Tested the hard drive

In the end it turned out to be the wristband on our colleague's hand, which had a magnet in it. We also found a spot where, if you hold the magnet there long enough, it puts the laptop into sleep. It also seems that this is not an exception for any Dell Inspiron 1545.

References:
http://en.community.dell.com/support-forums/laptop/f/3518/t/19506101

PHP Project - system information on linux

This is a project I wrote a while ago, in 2012. The system is written in PHP and C++ and has a login and several sections: summary (overall summary), graphs (network graphs), log search, routes and traffic information, disk usage etc. The C++ part contains a wrapper that collects all the logs. The project is intended to be used as a console for Linux server monitoring. If you find this product interesting or would like to purchase it, please contact me here and we will discuss it further.

Screenshots: Login, Summary, Graphs, Search, Network Status, Process Tree, Disk Usage, Processes, Routes.

Thursday 9 October 2014

.htaccess on UbuntuServer 14.04

I had to set up a web server pretty quickly. Unfortunately I lost time typing these commands instead of just copy-pasting them into the SSH session, so here they are.

sudo apt-get update
sudo apt-get install apache2 mysql-server php5 php-pear php5-mysql

With this we are done with Apache. Now let us configure .htaccess:

In /etc/apache2/apache2.conf the <Directory> block for /var/www/ must allow overrides, otherwise the .htaccess file is ignored (Indexes turns on directory listings; drop it if you don't want unprotected directories to be browsable):
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Require all granted
</Directory>

Now let's generate an htpasswd file (-c creates the file and overwrites it if it already exists; leave -c out when adding further users):
sudo htpasswd -c /var/.htpasswd-all <username>

Create the .htaccess file. Here we filter which files require a login; the regex is anchored at the start of the file name, so you can also use just part of a name.

<FilesMatch "^(file1|file2|something3|something5|some7).*$">
# AuthName is the realm shown in the browser's login prompt, not a user name
AuthName "<username>"
AuthUserFile /var/.htpasswd-all
AuthType Basic
Require valid-user
</FilesMatch>
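Added example (not from the post): a Python check that applies the FilesMatch regex above the way Apache does, to a constructed list of files, so you can see what is and is not protected before reloading; the file list and the stricter EXACT_PATTERN are assumptions made for this example.

```python
"""Pre-deployment check: which files does the FilesMatch pattern actually protect?"""
import posixpath
import re
from typing import Dict, List

# Pattern copied from the .htaccess above. It is a prefix match: anything whose
# name starts with one of the listed names is covered, whatever the extension.
PREFIX_PATTERN = r"^(file1|file2|something3|something5|some7).*$"
# Stricter alternative (an assumption for this example): exact script names only.
EXACT_PATTERN = r"^(file1|file2|something3|something5|some7)\.php$"

# Constructed document-root listing, not taken from the post.
DOCROOT_FILES = [
    "index.php",
    "file1.php",
    "file10.php",
    "file1.php.bak",
    "admin/file2.php",
    "something3.html",
    "notsomething3.php",
    "some7-report.csv",
    "config.php",
]


def split_by_pattern(pattern: str, paths: List[str]) -> Dict[str, List[str]]:
    """Return which paths a <FilesMatch> regex covers and which stay open.

    Apache matches <FilesMatch> against the file name only (the last path
    component), so files in subdirectories are covered as well.
    """
    regex = re.compile(pattern)
    protected, open_files = [], []
    for path in paths:
        if regex.search(posixpath.basename(path)):
            protected.append(path)
        else:
            open_files.append(path)
    return {"protected": protected, "open": open_files}


if __name__ == "__main__":
    for label, pattern in (("prefix", PREFIX_PATTERN), ("exact", EXACT_PATTERN)):
        result = split_by_pattern(pattern, DOCROOT_FILES)
        print(f"{label}: protected = {result['protected']}")
        print(f"{label}: open      = {result['open']}")
```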

Reload apache:
sudo /etc/init.d/apache2 reload

References:
http://www.askapache.com/htaccess/htaccess.html#Password_Protect_wp-login-php
https://help.ubuntu.com/community/EnablingUseOfApacheHtaccessFiles
http://httpd.apache.org/docs/2.2/programs/htpasswd.html

Tuesday 30 September 2014

iPad mini and iOS 8.0.2

Yesterday I tried upgrading iOS to 8.0.2 through iTunes. After this my device was bricked. The good thing is that recovering the device was quite simple. You can read the full instructions in the references, or read my short version here:

1. Get the firmware for the specific device. If in doubt, and if you still have the box, have a look there: I retrieved the exact model from it. Otherwise there is a Device ID you can probably look up.

2. Press the "home" and "power" buttons together for 10 seconds at which point you must release "power" but continue to hold "home". After about 15 seconds, the device will enter recovery mode.

If anything else is showing on the screen, such as the "connect to iTunes" logo, you got it wrong.

If I have to compare, it is much easier than flashing any Android device.

3. Stop all other running services that you won't need (virtualization software etc.).

4. Hold down the Shift key (on Windows) or the Option key (on OS X) while clicking the "Restore" button in iTunes. If you do this correctly, an Explorer or Finder window will pop up and let you navigate to the firmware.

References:
http://www.ipadforums.net/threads/official-apple-ios-firmware-download-links-for-ipad.24939/
http://www.ipadforums.net/threads/tutorial-failsafe-method-to-restore-the-current-version-of-ios.52863/
http://www.ipadforums.net/threads/ipad-4-update-error-4005.121699/

Monday 8 September 2014

Backing up to FreeNAS with SSH, CIFS share

I wanted to have a backup of some files in our infrastructure on a CIFS share accessible from both Windows and Linux.

However I had some issues: "cannot chmod target file", because I used mc on my mounted share. So I used SSH for my first copy, where I had another issue on FreeNAS: the service did not start from the web GUI, so I started investigating:

[root@itsoft ~]# /usr/sbin/sshd
Could not load host key: /etc/ssh/ssh_host_rsa_key
Could not load host key: /etc/ssh/ssh_host_dsa_key
Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Disabling protocol version 2. Could not load host key
sshd: no hostkeys available -- exiting.

Well, that's not that bad. Let's generate the host keys and then turn on the service (ssh-keygen writes to ~/.ssh unless you give it the host key path with -f, and an empty -N keeps the host keys passphrase-less so sshd can load them):

ssh-keygen -t rsa -N '' -f /etc/ssh/ssh_host_rsa_key
ssh-keygen -t dsa -N '' -f /etc/ssh/ssh_host_dsa_key
ssh-keygen -t ecdsa -N '' -f /etc/ssh/ssh_host_ecdsa_key

On the host you want to copy from you can execute something similar:

scp -r /some/local/path user1@destination:/some/remote/path


And that's it for SSH.

Now back to the share on FreeNAS. I had my share configured as shown in the screenshot:

On the host you want to copy from (in my case an Ubuntu server) you will need this:
sudo apt-get install cifs-utils

In fstab add:
//<ip>/directory /mount/point cifs defaults,user=,password= 0 0

Notice the user and password: I have left them blank so the share is written to as nobody. So where did the problem with mc come from? Well, it is quite simple actually: when you press F5, untick the option "Preserve attributes".

References:

http://technology.mattrude.com/2010/01/enable-ssh-no-password-authorization-with-freenas/
http://knowledgelayer.softlayer.com/procedure/mount-nas-storage-linux
http://stackoverflow.com/questions/13451974/how-to-execute-a-scp-command-with-the-user-name-and-password-in-one-line
http://askubuntu.com/questions/313093/how-do-i-mount-a-cifs-share-via-fstab-and-give-full-rw-to-guest

Friday 29 August 2014

Vili's Blog

I just want to take my time to congratulate a friend of mine - Velislav Krastev on his new blog: http://vkrastev1blog.com/

He is working on a Bitcoin program; you can find his project here:

And as far as I can see he has started to cover some pretty interesting subjects about Java in general :). Let us wish him luck with his new beginning.


Thursday 14 August 2014

NetSecL Legacy, GrSecurity, Linux Security, IPTables.

When I began with NetSecL Linux as a Linux distribution my main concern was the security of that system, so I decided to write this article explaining some of the approaches that were used in the distribution. I am open to help if you would like a server or any other system hardened (NAS, mail, secure virtual environments etc.); please contact me.

So let's begin with the vulnerabilities: one of the things NetSecL protected against was the different methods of exploitation, and GrSecurity was the natural solution to this problem. Apart from the patch that grsecurity supplies, I also needed to recompile gcc and binutils; you will probably need to check https://pax.grsecurity.net/ for this. I now see that the binutils there is out of date. You can check the result with paxtest, which tests the protections you actually have:

bash-3.1# paxtest blackhat
Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Executable stack (mprotect) : Killed
Anonymous mapping randomisation test : 16 bits (guessed)
Heap randomisation test (ET_EXEC) : 13 bits (guessed)
Heap randomisation test (ET_DYN) : 25 bits (guessed)
Main executable randomisation (ET_EXEC) : 16 bits (guessed)
Main executable randomisation (ET_DYN) : 16 bits (guessed)
Shared library randomisation test : 16 bits (guessed)
Stack randomisation test (SEGMEXEC) : 23 bits (guessed)
Stack randomisation test (PAGEEXEC) : 24 bits (guessed)
Return to function (strcpy) : Vulnerable
Return to function (strcpy, RANDEXEC) : Vulnerable
Return to function (memcpy) : Vulnerable
Return to function (memcpy, RANDEXEC) : Vulnerable
Executable shared library bss : Killed
Executable shared library data : Killed
Writable text segments : Killed
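To turn that output into something a build or hardening check can act on, here is an added Python parser (not part of the post, and not a paxtest tool) that reads the paxtest results above; the 16-bit entropy threshold and treating the return-to-function tests as expected failures are assumptions of this example.

```python
"""Parse paxtest output and flag the tests that did not end up protected."""
import re
from typing import Dict, List, Optional

# Sample input: the paxtest blackhat output shown above (copied from the post).
PAXTEST_OUTPUT = """\
Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Executable stack (mprotect) : Killed
Anonymous mapping randomisation test : 16 bits (guessed)
Heap randomisation test (ET_EXEC) : 13 bits (guessed)
Heap randomisation test (ET_DYN) : 25 bits (guessed)
Main executable randomisation (ET_EXEC) : 16 bits (guessed)
Main executable randomisation (ET_DYN) : 16 bits (guessed)
Shared library randomisation test : 16 bits (guessed)
Stack randomisation test (SEGMEXEC) : 23 bits (guessed)
Stack randomisation test (PAGEEXEC) : 24 bits (guessed)
Return to function (strcpy) : Vulnerable
Return to function (strcpy, RANDEXEC) : Vulnerable
Return to function (memcpy) : Vulnerable
Return to function (memcpy, RANDEXEC) : Vulnerable
Executable shared library bss : Killed
Executable shared library data : Killed
Writable text segments : Killed
"""

RESULT_LINE = re.compile(r"^(?P<name>[^:]+?)\s*:\s*(?P<result>.+?)\s*$")
BITS = re.compile(r"^(?P<bits>\d+) bits")
# The return-to-function tests return into code that already exists (ret2libc style),
# which non-executable pages cannot stop by design, so "Vulnerable" there is expected.
EXPECTED_VULNERABLE_PREFIX = "Return to function"


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Turn one 'name : result' line into a record; None for any other line."""
    match = RESULT_LINE.match(line.strip())
    if not match:
        return None
    name, result = match.group("name"), match.group("result")
    bits_match = BITS.match(result)
    if bits_match:
        return {"name": name, "result": result, "kind": "randomisation",
                "bits": int(bits_match.group("bits")), "protected": None}
    if result == "Killed":
        return {"name": name, "result": result, "kind": "exec", "bits": None, "protected": True}
    if result == "Vulnerable":
        return {"name": name, "result": result, "kind": "exec", "bits": None, "protected": False}
    return {"name": name, "result": result, "kind": "other", "bits": None, "protected": None}


def summarize(output: str, min_bits: int = 16) -> Dict[str, object]:
    """Count protected tests and collect the ones worth a second look.

    min_bits is an assumed threshold: randomisation below it is reported as weak.
    """
    killed = 0
    vulnerable: List[str] = []
    randomisation: Dict[str, int] = {}
    for line in output.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        if record["kind"] == "randomisation":
            randomisation[record["name"]] = record["bits"]
        elif record["protected"] is True:
            killed += 1
        elif record["protected"] is False:
            vulnerable.append(record["name"])
    unexpected = [n for n in vulnerable if not n.startswith(EXPECTED_VULNERABLE_PREFIX)]
    low_entropy = [n for n, b in randomisation.items() if b < min_bits]
    return {"killed": killed, "vulnerable": vulnerable, "unexpected_vulnerable": unexpected,
            "randomisation": randomisation, "low_entropy": low_entropy}


def hardening_ok(summary: Dict[str, object]) -> bool:
    """True when nothing unexpected is vulnerable and every randomisation meets the threshold."""
    return not summary["unexpected_vulnerable"] and not summary["low_entropy"]


if __name__ == "__main__":
    report = summarize(PAXTEST_OUTPUT)
    print(f"killed: {report['killed']}, vulnerable: {len(report['vulnerable'])}")
    print("unexpected vulnerable:", report["unexpected_vulnerable"])
    print("low entropy:", report["low_entropy"])
    print("hardening ok:", hardening_ok(report))
```

On the output above the only flag is the 13-bit heap randomisation for ET_EXEC binaries, which is what you get for non-PIE executables; everything else is protected or expected.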

Let's begin with the patch from https://grsecurity.net/. Choose the appropriate kernel version and apply the patch to it. If you are using it on openSUSE you might want to recompile gcc itself to get the needed plugins; otherwise you will get a warning (as far as I remember) and you will miss some of the important features.

patch -p1 < 
make menuconfig

Let's begin with the kernel configuration; this is one of my config files, after applying the GrSecurity patch:

#
# Security options
#

#
# Grsecurity
#
CONFIG_TASK_SIZE_MAX_SHIFT=47
CONFIG_PAX_USERCOPY_SLABS=y
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_CONFIG_AUTO is not set
CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
CONFIG_GRKERNSEC_PROC_GID=10

#
# Customize Configuration
#

#
# PaX
#
CONFIG_PAX=y

#
# PaX Control
#
CONFIG_PAX_SOFTMODE=y
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_XATTR_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
# CONFIG_PAX_EMUTRAMP is not set
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_MPROTECT_COMPAT is not set
# CONFIG_PAX_ELFRELOCS is not set
# CONFIG_PAX_KERNEXEC is not set
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD=""

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
# CONFIG_PAX_RANDKSTACK is not set
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y

#
# Miscellaneous hardening features
#
# CONFIG_PAX_MEMORY_STACKLEAK is not set
# CONFIG_PAX_MEMORY_UDEREF is not set
CONFIG_PAX_REFCOUNT=y
# CONFIG_PAX_USERCOPY is not set
# CONFIG_PAX_SIZE_OVERFLOW is not set
# CONFIG_PAX_LATENT_ENTROPY is not set

#
# Memory Protections
#
CONFIG_GRKERNSEC_KMEM=y
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODHARDEN=y
CONFIG_GRKERNSEC_HIDESYM=y
# CONFIG_GRKERNSEC_KERN_LOCKOUT is not set

#
# Role Based Access Control Options
#
# CONFIG_GRKERNSEC_NO_RBAC is not set
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
# CONFIG_GRKERNSEC_PROC_ADD is not set
CONFIG_GRKERNSEC_LINK=y
# CONFIG_GRKERNSEC_SYMLINKOWN is not set
CONFIG_GRKERNSEC_FIFO=y
# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
# CONFIG_GRKERNSEC_ROFS is not set
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
CONFIG_GRKERNSEC_AUDIT_PTRACE=y
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_RWXMAP_LOG=y
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set

#
# Executable Protections
#
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
CONFIG_GRKERNSEC_PTRACE_READEXEC=y
CONFIG_GRKERNSEC_SETXID=y
# CONFIG_GRKERNSEC_TPE is not set

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_BLACKHOLE=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Sysctl Support
#
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y

#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
CONFIG_KEYS=y
CONFIG_TRUSTED_KEYS=m
CONFIG_ENCRYPTED_KEYS=m
CONFIG_KEYS_DEBUG_PROC_KEYS=y
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_PATH=y
CONFIG_INTEL_TXT=y
CONFIG_LSM_MMAP_MIN_ADDR=65536
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
# CONFIG_SECURITY_SMACK is not set
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
CONFIG_INTEGRITY=y
CONFIG_IMA=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_AUDIT=y
CONFIG_IMA_LSM_RULES=y
CONFIG_DEFAULT_SECURITY_SELINUX=y
# CONFIG_DEFAULT_SECURITY_DAC is not set
CONFIG_DEFAULT_SECURITY="selinux"
CONFIG_XOR_BLOCKS=m
CONFIG_ASYNC_CORE=m
CONFIG_ASYNC_MEMCPY=m
CONFIG_ASYNC_XOR=m
CONFIG_ASYNC_PQ=m
CONFIG_ASYNC_RAID6_RECOV=m
CONFIG_ASYNC_TX_DISABLE_PQ_VAL_DMA=y
CONFIG_ASYNC_TX_DISABLE_XOR_VAL_DMA=y
CONFIG_CRYPTO=y



This is a script that adds the PT_PAX_FLAGS header and applies the paxctl permissions to a normally working system: MPROTECT "breaks" some software, so per-binary exceptions have to be applied:

#!/bin/sh
#These are permissions for PaX and the paranoid kernels
#Don't edit unless you know what you are doing!
#This script is run once and then "chmod -x"-ed; if you change it you must make it executable again (chmod +x) and re-run it.
#Please report any problems on i_stanchev@ml1.net
#paxctl -C creates the PT_PAX_FLAGS program header in each ELF file (-q: quiet) so per-binary flags can be stored in it
echo "Converting /sbin/ adding PT_PAX_FLAGS"
paxctl -Cq /sbin/*
echo "Converting /usr/sbin/ adding PT_PAX_FLAGS"
paxctl -Cq /usr/sbin/*
echo "Converting /usr/bin/ adding PT_PAX_FLAGS"
paxctl -Cq /usr/bin/*
echo "Converting /usr/lib/ adding PT_PAX_FLAGS"
paxctl -Cq /usr/lib64/gimp/2.0/plug-ins/*
paxctl -Cq /usr/lib64/gnome-vfs-2.0/*
paxctl -Cq /usr/lib/gnome-vfs-2.0/*
paxctl -Cq /usr/lib/YaST2/bin/*
paxctl -Cq /usr/lib64/YaST2/plugin/*
echo "Converting /usr/libexec/ adding PT_PAX_FLAGS"
paxctl -Cq /usr/libexec/*
echo "Converting /usr/libexec/xfce4/panel-plugins/ adding PT_PAX_FLAGS"
paxctl -Cq /usr/libexec/xfce4/panel-plugins/*
echo "Converting /usr/lib/qt/bin/ adding PT_PAX_FLAGS"
paxctl -Cq /usr/lib/qt/bin/*
#paxctl -m disables MPROTECT for these binaries (software that needs writable and executable mappings)
echo "Applying paxctl permissions"
paxctl -mq /usr/lib/gnome-vfs-2.0/*
paxctl -mq /usr/lib64/gnome-vfs-2.0/*
paxctl -mq /usr/lib/YaST2/bin/*
paxctl -mq /usr/lib64/YaST2/plugin/*
paxctl -mq /usr/lib64/gimp/2.0/plug-ins/*
paxctl -mq /usr/bin/*
#wine needs PAGEEXEC, EMUTRAMP, RANDMMAP, MPROTECT, SEGMEXEC and RANDEXEC all disabled (-p -e -r -m -s -x)
paxctl -permsx /usr/bin/wine-preloader
paxctl -permsx /usr/bin/wine
paxctl -permsx /usr/bin/wine64-preloader
paxctl -permsx /usr/bin/wine64
paxctl -Cq /usr/lib64/firefox/firefox-bin
paxctl -mq /usr/lib64/firefox/firefox-bin
paxctl -mq /usr/sbin/*
paxctl -mq /sbin/*
paxctl -mq /usr/libexec/*
echo "Done applying paxctl permissions"

Compiling the kernel:

make bzImage
make modules
make INSTALL_MOD_STRIP=1 modules_install
make install
mkinitrd



Another component is the NetSecL firewall, which takes care of the network security of the OS. Here you should also consider stopping the services you don't need and commenting them out in inetd. This is the firewall script:

#!/bin/bash
#This program is free software; you can redistribute it and/or
#modify it under the terms of the GNU General Public License
#as published by the Free Software Foundation; either version 2
#of the License, or (at your option) any later version.
#
#This program is distributed in the hope that it will be useful,
#but WITHOUT ANY WARRANTY; without even the implied warranty of
#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#GNU General Public License for more details.
#
#You should have received a copy of the GNU General Public License
#along with this program; if not, write to the Free Software
#Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
#
# This firewall was developed for the NetSecL Linux Distribution and was put together by:
# Yuriy Stanchev - NetSecL Maintainer
#
#The nesecl-firewall is being discussed in the NetSecL forum
#http://netsecl.com/forum/index.php?PHPSESSID=030b98b33c1707cfa364e792b17bfbfe&board=2.0

if [ "$1" = "start" ]; then

IPTABLES="/usr/sbin/iptables"

#Probe internet interfaces
if [ "$(/sbin/ifconfig | /bin/grep eth0)" ]; then
INTERNET="eth0"

elif [ "$(/sbin/ifconfig | /bin/grep eth1)" ]; then
INTERNET="eth1"

else INTERNET="ppp0"

fi

#Get the DNS Server
NAMESERVER=`grep nameserver /etc/resolv.conf |head -1|awk '{print $2}'`
#NAMESERVER="" #Manually set this variable if the DNS is not recognized
if [ "$NAMESERVER" = "" ]; then
 echo "You must manually set the DNS Server. Please edit /etc/rc.d/rc.firewall or use netconfig to configure your network and set a DNS Server."
fi

CLASS_A="127.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
BROADCAST_DEST="255.255.255.255"

# FTP (20, 21) SSH (22) SMTP (25) WHOIS (43) WWW (80) POP (110) IDENT (113) USENET (119)  IMAP (143) SSL (443) PROXY (8008, 8080)
PORTS="20 21 25 80 110 113 443 8080" #
PASSIVEFTP="Y"
PINGDEATH="Y" 
LOGGING="N" 
BEHINDROUTER="Y" #These rules allow connections from your router to you (assumes that the DNS is the IP of your router/gateway)
SSHDREQ="N" #ALLOW INCOMING SSHD REQUESTS
SSHSRV="N" #ALLOW SSH server

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# Firewall initialization, remove everything, start with clean tables
$IPTABLES -F # flush all rules in the filter table
$IPTABLES -t nat -F # flush all rules in the nat table
$IPTABLES -t mangle -F # flush all rules in the mangle table
$IPTABLES -X # delete all user-defined chains in the filter table
$IPTABLES -t nat -X # delete all user-defined chains in the nat table
$IPTABLES -t mangle -X # delete all user-defined chains in the mangle table

#enable broadcast echo protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

#Disable Source Routed packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done

#Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Reduce SYN Floods
echo 4096 >/proc/sys/net/ipv4/tcp_max_syn_backlog 

#IP Forward
echo 0 > /proc/sys/net/ipv4/ip_forward

#Disable ICMP redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done

# Don't send Redirect Messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done

echo 0 > /proc/sys/net/ipv4/conf/all/secure_redirects

# Drop Spoofed Packets coming in on an interface, which, if replied to,
# would result in the reply going out a different interface.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done

# Log packets with impossible addresses
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $f
done

# Set up our logging and packet 'executing' chains
$IPTABLES -N LOG_DROP
$IPTABLES -N logaborted2
$IPTABLES -A logaborted2 -j LOG --log-prefix "ABORTED " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence
$IPTABLES -A logaborted2 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -N logaborted
$IPTABLES -A logaborted -m limit --limit 1/second --limit-burst 10 -j logaborted2
$IPTABLES -A logaborted -m limit --limit 2/minute --limit-burst 1 -j LOG --log-prefix "LIMITED " --log-level 4 

# allow everything for loop device
$IPTABLES -A INPUT -i lo -j ACCEPT

$IPTABLES -A OUTPUT -j ACCEPT

if [ "$BEHINDROUTER" = "Y" ]; then
$IPTABLES -A INPUT -i $INTERNET -s $NAMESERVER -j ACCEPT
fi

#portscan detector
$IPTABLES -N PORTSCAN
#portscan detection module
# NMAP FIN/URG/PSH
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -m recent --set -j PORTSCAN
$IPTABLES -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -m recent --set -j PORTSCAN
# SYN/RST
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -m recent --set -j PORTSCAN
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -m recent --set -j PORTSCAN
# SYN/FIN -- Scan(probably)
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m recent --set -j PORTSCAN
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -m recent --set -j PORTSCAN
# NMAP FIN Stealth
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN -m recent --set -j PORTSCAN
$IPTABLES -A FORWARD -p tcp --tcp-flags ALL FIN -m recent --set -j PORTSCAN
# ALL/ALL Scan
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -m recent --set -j PORTSCAN
$IPTABLES -A FORWARD -p tcp --tcp-flags ALL ALL -m recent --set -j PORTSCAN
# NMAP Null Scan
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -m recent --set -j PORTSCAN
$IPTABLES -A FORWARD -p tcp --tcp-flags ALL NONE -m recent --set -j PORTSCAN
#XMAS
$IPTABLES -A INPUT -p tcp --tcp-flags ALL URG,ACK,PSH,RST,SYN,FIN -m recent --set -j PORTSCAN
$IPTABLES -A FORWARD -p tcp --tcp-flags ALL URG,ACK,PSH,RST,SYN,FIN -m recent --set -j PORTSCAN

if [ "$LOGGING" = "Y" ]; then
$IPTABLES -A LOG_DROP -m limit --limit 6/minute --limit-burst 1 -j LOG --log-prefix "PORTSCAN SHUN " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence
$IPTABLES -A LOG_DROP -j DROP 
fi

$IPTABLES -A PORTSCAN -j DROP


# Drop packets with bad tcp flags
$IPTABLES -N BAD_FLAGS
$IPTABLES -A INPUT -p tcp --tcp-option 64 -m recent --set -j BAD_FLAGS
$IPTABLES -A INPUT -p tcp --tcp-option 128 -m recent --set -j BAD_FLAGS

if [ "$LOGGING" = "Y" ]; then
$IPTABLES -A LOG_DROP -m limit --limit 6/minute --limit-burst 1 -j LOG --log-prefix "BADFLAGS SHUN " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence
$IPTABLES -A LOG_DROP -j DROP 
fi

$IPTABLES -A BAD_FLAGS -j DROP

# Drop packets that are too small to be valid for their protocol
$IPTABLES -N SMALL
$IPTABLES -A INPUT -p udp -m length --length 0:27 -m recent --set -j SMALL
$IPTABLES -A INPUT -p tcp -m length --length 0:39 -m recent --set -j SMALL
$IPTABLES -A INPUT -p icmp -m length --length 0:27 -m recent --set -j SMALL
$IPTABLES -A INPUT -p 30 -m length --length 0:31 -m recent --set -j SMALL
$IPTABLES -A INPUT -p 47 -m length --length 0:39 -m recent --set -j SMALL
$IPTABLES -A INPUT -p 50 -m length --length 0:49 -m recent --set -j SMALL
$IPTABLES -A INPUT -p 51 -m length --length 0:35 -m recent --set -j SMALL
$IPTABLES -A INPUT -m length --length 0:19 -m recent --set -j SMALL

if [ "$LOGGING" = "Y" ]; then
$IPTABLES -A LOG_DROP -m limit --limit 6/minute --limit-burst 1 -j LOG --log-prefix "SMALL SHUN " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence
$IPTABLES -A LOG_DROP -j DROP 
fi 

$IPTABLES -A SMALL -j DROP

# Reject all BOGUS packets
$IPTABLES -N BOGUS
$IPTABLES -t filter -p all -A INPUT -m conntrack --ctstate INVALID -j BOGUS
$IPTABLES -t filter -p all -A OUTPUT -m conntrack --ctstate INVALID -j BOGUS
$IPTABLES -t filter -p all -A FORWARD -m conntrack --ctstate INVALID -j BOGUS

if [ "$LOGGING" = "Y" ]; then
$IPTABLES -A LOG_DROP -m limit --limit 6/minute --limit-burst 1 -j LOG --log-prefix "BOGUS SHUN " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence
$IPTABLES -A LOG_DROP -j DROP 
fi 

$IPTABLES -A BOGUS -j REJECT

#Enforce SYN only connections on NEW connections
$IPTABLES -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
$IPTABLES -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

# Drop packets to "odd" ports
$IPTABLES -N ODDPORTS
$IPTABLES -A INPUT -p udp --sport 2:21 -m recent --set -j ODDPORTS
$IPTABLES -A INPUT -p udp --dport 2:21 -m recent --set -j ODDPORTS
$IPTABLES -A INPUT -p tcp --dport 0 -m recent --set -j ODDPORTS
$IPTABLES -A INPUT -p tcp --sport 0 -m recent --set -j ODDPORTS
$IPTABLES -A FORWARD -i $INTERNET -p udp --dport 2:21 -m recent --set -j ODDPORTS
$IPTABLES -A FORWARD -i $INTERNET -p tcp --dport 0 -m recent --set -j ODDPORTS
$IPTABLES -A FORWARD -i $INTERNET -p tcp --sport 0 -m recent --set -j ODDPORTS

if [ "$LOGGING" = "Y" ]; then
$IPTABLES -A LOG_DROP -m limit --limit 6/minute --limit-burst 1 -j LOG --log-prefix "ODDPORTS SHUN " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence
$IPTABLES -A LOG_DROP -j DROP 
fi 

$IPTABLES -A ODDPORTS -j DROP

#BLOCK OS Fingerprint Detection
$IPTABLES -N os-fingerprint
$IPTABLES -F os-fingerprint
$IPTABLES -A os-fingerprint -p tcp --dport 0 -j DROP
$IPTABLES -A os-fingerprint -p udp --dport 0 -j DROP
$IPTABLES -A os-fingerprint -p tcp --sport 0 -j DROP
$IPTABLES -A os-fingerprint -p udp --sport 0 -j DROP
$IPTABLES -A os-fingerprint -p icmp --icmp-type address-mask-request -j DROP
$IPTABLES -A os-fingerprint -p icmp --icmp-type address-mask-reply -j DROP

#
#refuse packets claiming to be from a Class_A private network.
$IPTABLES -A INPUT -i $INTERNET -s $CLASS_A -j DROP

#refuse packets claiming to be from a Class_B private network.
$IPTABLES -A INPUT -i $INTERNET -s $CLASS_B -j DROP

#refuse packets claiming to be from a Class_C private network.
$IPTABLES -A INPUT -i $INTERNET -s $CLASS_C -j DROP

#Refuse Class D multicast addresses as a source
$IPTABLES -A INPUT -i $INTERNET -s $CLASS_D_MULTICAST -j DROP

#Refuse Class E reserved addresses as a source
$IPTABLES -A INPUT -s $CLASS_E_RESERVED_NET -j DROP

#refuse malformed broadcast packets
$IPTABLES -A INPUT -i $INTERNET -s $BROADCAST_DEST -j LOG
$IPTABLES -A INPUT -i $INTERNET -s $BROADCAST_DEST -j DROP

$IPTABLES -A INPUT -i $INTERNET -d $BROADCAST_DEST -j LOG
$IPTABLES -A INPUT -i $INTERNET -d $BROADCAST_DEST -j DROP

#Refuse addresses defined as reserved by the IANA
$IPTABLES -A INPUT -i $INTERNET -s 0.0.0.0/8 -j DROP
$IPTABLES -A INPUT -i $INTERNET -s 169.254.0.0/16 -j DROP
$IPTABLES -A INPUT -i $INTERNET -s 192.0.2.0/24 -j DROP

COMBLOCK="0:1 2 8 13 98 111 137:139 161:162 445 901 1214 1524 1999 2049 3049 4329 6346 3128 8000 12345 27444 27665 31335 31337 65535"
TCPBLOCK="$COMBLOCK 512:515 1080 2000 3128 6000:6063"
UDPBLOCK="$COMBLOCK 520 123 517:518 1427 4045 9000"

$IPTABLES -N bad-ports
$IPTABLES -F bad-ports

echo -n "FW: Blocking attacks to TCP port "
for i in $TCPBLOCK;
do
echo -n "$i "
$IPTABLES -A INPUT -p tcp --dport $i -j DROP
$IPTABLES -A OUTPUT -p tcp --dport $i -j DROP
$IPTABLES -A FORWARD -p tcp --dport $i -j DROP
$IPTABLES -A bad-ports -p tcp --dport $i -j DROP
done
echo ""

echo -n "FW: Blocking attacks to UDP port "
for i in $UDPBLOCK;
do
echo -n "$i "
$IPTABLES -A INPUT -p udp --dport $i -j DROP
$IPTABLES -A OUTPUT -p udp --dport $i -j DROP
$IPTABLES -A FORWARD -p udp --dport $i -j DROP
$IPTABLES -A bad-ports -p udp --dport $i -j DROP
done
echo ""

# allow DNS in all directions
if [ "$NAMESERVER" != "" ]; then
$IPTABLES -A OUTPUT -p tcp --sport 0:65535 -d $NAMESERVER --dport 53:53 -j ACCEPT
$IPTABLES -A INPUT -p tcp ! --syn -s $NAMESERVER --sport 53:53 --dport 0:65535 -j ACCEPT
fi



#ALLOW INCOMING SSHD REQUESTS.

if [ "$SSHDREQ" = "Y" ]; then
$IPTABLES -N allow-ssh-input
$IPTABLES -F allow-ssh-input
$IPTABLES -A allow-ssh-input -m limit --limit 1/second -p tcp --tcp-flags ALL RST --dport 22 -j ACCEPT
$IPTABLES -A allow-ssh-input -m limit --limit 1/second -p tcp --tcp-flags ALL FIN --dport 22 -j ACCEPT
$IPTABLES -A allow-ssh-input -m limit --limit 1/second -p tcp --tcp-flags ALL SYN --dport 22 -j ACCEPT
$IPTABLES -A allow-ssh-input -m state --state ESTABLISHED,RELATED -p tcp --dport 22 -j ACCEPT
fi

if [ "$SSHSRV" = "Y" ]; then
$IPTABLES -A INPUT -j allow-ssh-input
fi

# Detect aborted TCP connections.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -p tcp --tcp-flags RST RST -j logaborted

# Allow previously established connections
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID input: "
$IPTABLES -A INPUT -m state --state INVALID -j DROP

$IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "INVALID output: "
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP

#Ping of death
if [ "$PINGDEATH" = "Y" ]; then
$IPTABLES -N ping-death
$IPTABLES -A ping-death -m limit --limit 1/s --limit-burst 4 -j ACCEPT
$IPTABLES -A ping-death -j LOG --log-prefix "iptables ping-death: "
$IPTABLES -A ping-death -j DROP
$IPTABLES -A INPUT -i $INTERNET -p icmp --icmp-type echo-request -j ping-death
$IPTABLES -A FORWARD -i $INTERNET -p icmp --icmp-type echo-request -j ping-death
fi

#Stealth scan
$IPTABLES -N stealth-scan
$IPTABLES -A stealth-scan -j LOG --log-prefix "iptables stealth-scan: "
$IPTABLES -A stealth-scan -j DROP
$IPTABLES -A INPUT -i $INTERNET -p tcp ! --syn -m state --state NEW -j stealth-scan
$IPTABLES -A FORWARD -i $INTERNET -p tcp ! --syn -m state --state NEW -j stealth-scan

# Allow certain critical ICMP types
$IPTABLES -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT # Dest unreachable
$IPTABLES -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT # Dest unreachable
$IPTABLES -A FORWARD -p icmp --icmp-type destination-unreachable -j ACCEPT &> /dev/null # Dest unreachable
$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT # Time exceeded
$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -j ACCEPT # Time exceeded
$IPTABLES -A FORWARD -p icmp --icmp-type time-exceeded -j ACCEPT &> /dev/null # Time exceeded
$IPTABLES -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT # Parameter Problem
$IPTABLES -A OUTPUT -p icmp --icmp-type parameter-problem -j ACCEPT # Parameter Problem
$IPTABLES -A FORWARD -p icmp --icmp-type parameter-problem -j ACCEPT &> /dev/null # Parameter Problem

$IPTABLES -A INPUT --fragment -p icmp -j LOG --log-prefix "Fragmented ICMP: "
$IPTABLES -A INPUT --fragment -p icmp -j DROP

# PORTS
if [ "$NAMESERVER" != "" ]; then

for i in $PORTS;
do
$IPTABLES -A OUTPUT -p tcp --sport 1024:65535 -d $NAMESERVER --dport $i:$i -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 1024:65535 -d $NAMESERVER --dport $i:$i -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p tcp ! --syn -s $NAMESERVER --sport $i --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
done

# Passive ftp
if [ "$PASSIVEFTP" = "Y" ]; then
$IPTABLES -A OUTPUT -p tcp --sport 1024:65535 -d $NAMESERVER --dport 1024:65535 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 1024:65535 -d $NAMESERVER --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p tcp ! --syn -s $NAMESERVER --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
fi

fi

if [ "$LOGGING" = "Y" ]; then
$IPTABLES -A LOG_DROP -j LOG --log-prefix "Attack log: "
$IPTABLES -A LOG_DROP -j DROP
$IPTABLES -A INPUT -j LOG_DROP # drop all incoming
$IPTABLES -A FORWARD -j LOG_DROP # drop all forwarded
fi 

elif [ "$1" = "stop" ]; then
iptables -F
iptables -X
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P INPUT ACCEPT


elif [ "$1" = "status" ]; then
iptables -L -v

else
echo "usage: $0 start|stop|status"
fi

exit $RETVAL
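
Before loading the port block lists above, it is worth checking that none of the services you rely on (SSH, DNS, HTTP) is caught by them, since those DROP rules are appended before the ACCEPT rules for DNS and SSH. The following is an added example, not part of the original script: it copies the COMBLOCK/TCPBLOCK/UDPBLOCK lists from the page, expands the "lo:hi" ranges, reports whether a port would be blocked, and flags duplicate entries (3128 appears in both COMBLOCK and TCPBLOCK). The list of "needed" ports is an assumption you should adjust to your host.

```shell
#!/bin/sh
# Added example (not from the original script): sanity-check the block lists
# before they are turned into iptables rules. Lists copied from the page.
COMBLOCK="0:1 2 8 13 98 111 137:139 161:162 445 901 1214 1524 1999 2049 3049 4329 6346 3128 8000 12345 27444 27665 31335 31337 65535"
TCPBLOCK="$COMBLOCK 512:515 1080 2000 3128 6000:6063"
UDPBLOCK="$COMBLOCK 520 123 517:518 1427 4045 9000"

# port_blocked PORT LIST -> exit 0 if PORT falls inside any entry of LIST,
# where an entry is either a single port or an iptables-style "lo:hi" range.
port_blocked() {
    port=$1
    for entry in $2; do
        case $entry in
            *:*) lo=${entry%%:*}; hi=${entry##*:} ;;
            *)   lo=$entry; hi=$entry ;;
        esac
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            return 0
        fi
    done
    return 1
}

# duplicate_entries LIST -> prints each entry that occurs more than once
# (a duplicate means the same DROP rule is inserted twice per chain).
duplicate_entries() {
    printf '%s\n' $1 | sort | uniq -d
}

# check_needed_ports "PORT..." LIST -> warns for every needed port that the
# list would block; exit status 1 if any needed port is blocked.
check_needed_ports() {
    rc=0
    for p in $1; do
        if port_blocked "$p" "$2"; then
            echo "WARNING: needed port $p is in the block list"
            rc=1
        fi
    done
    return $rc
}

# Assumed set of services this host needs; adjust to your environment.
NEEDED_TCP="22 53 80 443"
NEEDED_UDP="53 123"
check_needed_ports "$NEEDED_TCP" "$TCPBLOCK" || echo "TCP block list conflicts with needed services"
check_needed_ports "$NEEDED_UDP" "$UDPBLOCK" || echo "UDP block list conflicts with needed services"
echo "Duplicate TCP entries: $(duplicate_entries "$TCPBLOCK")"
```

Running it as written shows that UDP 123 (NTP) is in UDPBLOCK, so a host that needs to sync time has to remove it from the list or accept the break.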

I will stop here; there is much more to it, but if you are interested in any way, please contact me. I hope you liked the article and that it helps you harden your system.

References: