
Unix/Linux Security

Course 3
Osman SALEM
Associate Professor - HDR
Permission levels

◼ “r” means “read only” permission
◼ “w” means “write” permission
◼ “x” means “execute” permission
◼ In the case of a directory, “x” grants permission to list directory contents
Introduction to Linux

Access Permissions

◼ Each of the three permissions is assigned to three defined categories of users.
◼ The categories are:
◼ owner — The owner of the file or application.
◼ group — The group that owns the file or application.
◼ others — All users with access to the system.
File Permissions

[Figure: the three permission triplets of an ls -l listing, labelled User (you), Group and “The World” (other)]
Command: chmod

◼ If you own the file, you can change its permissions with “chmod”
◼ Syntax: chmod [user/group/others/all]+[permission] [file(s)]
◼ Below we grant execute permission to all:
Permissions
◼ u: user or file creator
◼ g: group of users
◼ o: others
◼ a: all
◼ Permissions
◼ r, read, 4 in octal
◼ w, write, 2 in octal
◼ x, execute, 1 in octal
◼ ...|...|... (the three triplets are u | g | o)
◼ rwx r-x r-x or 755
◼ chmod permissions fichiers
◼ u, g and o for user, group, other; a for all
◼ a (=all) all users
◼ + - = add / remove / set exactly
◼ chmod g+w,o+r a.png
◼ chmod g-x,o-x share
◼ chmod a+x filename.sh
Access Permission of File

◼ The #'s can be:


0 = Nothing
1 = Execute
2 = Write
3 = Execute & Write (2 + 1)
4 = Read
5 = Execute & Read (4 + 1)
6 = Read & Write (4 + 2)
7 = Execute & Read & Write (4 + 2 + 1)
Permissions

◼ Examples of modifying permissions:
◼ chmod ug+w fichier
◼ chmod go-rwx fichier
◼ chmod u=rwx,g=rw,o=r fichiers
◼ chmod u=rwx,g=r fichiers
◼ chmod u=rwx,g=r,o= fichiers
◼ chmod 700 /home/rep-a-moi
◼ chmod 764 test
Permissions

chmod 751 myfile
changes the file permissions to rwx for the owner, rx for the group and x for others

chmod go+r myfile
adds read permission for the group and others
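The octal and symbolic notations above are two spellings of the same nine permission bits. The following script, an added example that is not part of the course slides, converts between the two forms and then applies the slide's modes (751, 764, 700, u=rwx,g=r,o=) to a scratch file with chmod and reads the result back from ls -l, so each conversion can be checked against what the kernel actually stored. Function names are my own.

```shell
#!/bin/sh
# Added example, not part of the course slides: convert between the symbolic
# (rwxr-xr-x) and octal (755) permission notations, then apply a mode to a
# scratch file with chmod and read it back from ls -l.
set -eu

# perm_to_octal rwxr-xr-x -> 755   (r=4, w=2, x=1, summed per u/g/o triplet)
perm_to_octal() {
    sym=$1
    result=""
    for triplet in "$(printf '%s' "$sym" | cut -c1-3)" \
                   "$(printf '%s' "$sym" | cut -c4-6)" \
                   "$(printf '%s' "$sym" | cut -c7-9)"; do
        digit=0
        case $triplet in r??) digit=$((digit + 4)) ;; esac
        case $triplet in ?w?) digit=$((digit + 2)) ;; esac
        case $triplet in ??x) digit=$((digit + 1)) ;; esac
        result="$result$digit"
    done
    printf '%s\n' "$result"
}

# octal_to_perm 751 -> rwxr-x--x   (each octal digit is a bit set 4|2|1)
octal_to_perm() {
    result=""
    for digit in $(printf '%s' "$1" | sed 's/./& /g'); do
        [ $((digit & 4)) -ne 0 ] && result="${result}r" || result="${result}-"
        [ $((digit & 2)) -ne 0 ] && result="${result}w" || result="${result}-"
        [ $((digit & 1)) -ne 0 ] && result="${result}x" || result="${result}-"
    done
    printf '%s\n' "$result"
}

# apply_and_read MODE -> the nine permission characters ls -l shows after
# "chmod MODE" on a scratch file. MODE may be octal (751) or symbolic
# (u=rwx,g=r,o=), exactly as written on the slides.
apply_and_read() {
    scratch=$(mktemp)
    chmod "$1" "$scratch"
    perms=$(ls -ld "$scratch" | cut -c2-10)
    rm -f "$scratch"
    printf '%s\n' "$perms"
}

# Stand-alone demo: apply each slide mode and show the round trip
for mode in 751 764 700; do
    applied=$(apply_and_read "$mode")
    printf 'chmod %s -> %s (back to octal: %s)\n' "$mode" "$applied" "$(perm_to_octal "$applied")"
done
printf 'chmod u=rwx,g=r,o= -> %s\n' "$(apply_and_read u=rwx,g=r,o=)"
```

The demo needs nothing but a writable temporary directory; the scratch file is removed immediately after its mode has been read.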

Access Permission of File/Directory

◼ The ownership of the file or directory can be changed using the command
chown <owner> <file/directory name>
◼ The group of the file or directory can be changed using the command
chgrp <group> <file/directory name>
Change the File Ownership with chown and chgrp

◼ User root can use chown and chgrp as follows:
◼ chown new_user.new_group file
◼ chown new_user file
◼ chown .new_group file
◼ chgrp new_group file
Introduction

◼ Secure remote access to a computer
◼ Login and password are encrypted
◼ Principle
◼ A server (sshd) listens on port 22 and uses the TCP protocol
◼ A client (ssh) requests a connection on port 22
◼ Data are encrypted
◼ The client authenticates to the server (login and password)
◼ The server returns a shell to the client
◼ All commands are encrypted before being transmitted
◼ Commands typed on the client are executed on the server
◼ Similar to telnet, rlogin, rsh . . .
◼ BUT in SSH, all data are encrypted
Firewalls

firewall: isolates the organization’s internal net from the larger Internet, allowing some packets to pass, blocking others.

[Figure: privately administered network 222.22/16, firewall, public Internet]
Firewall goals

◼ All traffic from outside to inside and vice-versa passes through the firewall
◼ Only authorized traffic, as defined by the local security policy, will be allowed to pass
Access control lists

Apply rules from top to bottom:

action  source address        dest address          protocol  source port  dest port  flag bit
allow   222.22/16             outside of 222.22/16  TCP       > 1023       80         Any
allow   outside of 222.22/16  222.22/16             TCP       80           > 1023     ACK
allow   222.22/16             outside of 222.22/16  UDP       > 1023       53         ---
allow   outside of 222.22/16  222.22/16             UDP       53           > 1023     ---
deny    all                   all                   all       all          all        all
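The table is evaluated top to bottom and the first matching rule decides, which is why the ACK bit in the second rule matters: a reply packet from a web server carries ACK, whereas an inbound connection attempt (SYN only) does not and therefore falls through to the final deny. The script below is an added example, not from the course, that transcribes the five rules and evaluates sample packets with first-match semantics; the rule encoding ("in" for 222.22/16, "out" for outside of it, "high" for a port > 1023) and the sample addresses (198.51.100.7 is a documentation address) are my own.

```shell
#!/bin/sh
# Added example, not from the course: first-match evaluation of the
# access-control list above for a stateless packet filter.
# Rule encoding (mine): in = 222.22/16, out = outside of 222.22/16,
# high = port > 1023, "-" = field does not apply (UDP has no flags).
set -eu

# Rules: action src dst proto sport dport flag   (one per line, slide order)
RULES='allow in  out TCP high 80   any
allow out in  TCP 80   high ACK
allow in  out UDP high 53   -
allow out in  UDP 53   high -
deny  any any any any  any  any'

# in_site ADDR -> true when ADDR belongs to 222.22/16
in_site() {
    case $1 in 222.22.*) return 0 ;; *) return 1 ;; esac
}

# side_matches SPEC ADDR   SPEC is in | out | any
side_matches() {
    case $1 in
        any) return 0 ;;
        in)  in_site "$2" ;;
        out) ! in_site "$2" ;;
    esac
}

# port_matches SPEC PORT   SPEC is any | high | a port number
port_matches() {
    case $1 in
        any)  return 0 ;;
        high) [ "$2" -gt 1023 ] ;;
        *)    [ "$1" -eq "$2" ] ;;
    esac
}

# flag_matches SPEC FLAG   the packet FLAG is ACK, SYN or - (none / UDP)
flag_matches() {
    [ "$1" = any ] || [ "$1" = - ] || [ "$1" = "$2" ]
}

# filter SRC DST PROTO SPORT DPORT FLAG -> action of the first matching rule
filter() {
    printf '%s\n' "$RULES" | while read -r action src dst proto sport dport flag; do
        if side_matches "$src" "$1" && side_matches "$dst" "$2" \
           && { [ "$proto" = any ] || [ "$proto" = "$3" ]; } \
           && port_matches "$sport" "$4" && port_matches "$dport" "$5" \
           && flag_matches "$flag" "$6"; then
            printf '%s\n' "$action"
            break
        fi
    done
}

# Stand-alone demo: an outbound web request, its reply, and two inbound
# connection attempts (SYN without ACK) that reach the final deny.
printf 'inside -> web server (SYN):     %s\n' "$(filter 222.22.1.5 198.51.100.7 TCP 4567 80 SYN)"
printf 'web server -> inside (ACK):     %s\n' "$(filter 198.51.100.7 222.22.1.5 TCP 80 4567 ACK)"
printf 'outside -> inside port 80 (SYN): %s\n' "$(filter 198.51.100.7 222.22.1.5 TCP 4567 80 SYN)"
printf 'outside -> inside port 22 (SYN): %s\n' "$(filter 198.51.100.7 222.22.1.5 TCP 4567 22 SYN)"
printf 'inside -> DNS (UDP):            %s\n' "$(filter 222.22.1.5 198.51.100.7 UDP 5353 53 -)"
```

Note what the third case shows: a packet from outside with source port 80 but only SYN set is not a reply, so the ACK rule does not match it and the deny applies. A stateless filter can only approximate "is this a reply" from the ACK bit; the conntrack rules later in the course replace that approximation with real connection state.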


Firewall Lab: iptables

◼ Converts a linux box into a packet filter
◼ Included in most linux distributions today

[Figure: linux hosts behind a linux host running iptables, which connects to the external network; your job: configure that host]
Firewall lab: iptables

◼ iptables
◼ Provides firewall capability to a linux host
◼ Comes installed with most linux distributions
◼ Three types of tables: FILTER, NAT, MANGLE
◼ Let’s only consider FILTER table as the starting point
IPTables

◼ Three tables, each consisting of one or more chains
◼ filter
◼ nat
◼ mangle
Filter Table

◼ Consists of three chains
◼ FORWARD
◼ For packets forwarded from one network interface to another network interface
◼ INPUT
◼ For packets sent to the firewall host
◼ OUTPUT
◼ For packets sent by the firewall host
Network or host firewall?

Network firewall: linux host with 2 interfaces:
[Figure: protected network, linux host with iptables (filter table), Internet]

Host firewall: linux host with 1 interface:
[Figure: linux host with iptables (filter table), network]
Chain types for host firewall

◼ INPUT: to control packets entering the interface
◼ OUTPUT: to control packets leaving the interface
◼ FORWARD: to control packets being masqueraded, or sent to remote hosts

[Figure: linux host with iptables: the INPUT chain sees packets arriving from the network, the OUTPUT chain sees packets leaving towards the network]
INPUT, OUTPUT, FORWARD CHAINS

◼ INPUT chain applies for all packets destined to firewall


◼ OUTPUT chain applies for all packets originating from
firewall
◼ FORWARD chain applies for all packets passing through
firewall.
Chain types for network firewall

[Figure: protected network, linux host with iptables, Internet: the INPUT chain for packets addressed to the firewall, the OUTPUT chain for packets it sends, the FORWARD chain for packets passing between the two interfaces]
iptables: Example command

sudo iptables -A INPUT -s 232.16.4.0/24 -j ACCEPT

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 53 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT

◼ Sets a rule
◼ Accepts packets that enter with a source address in 232.16.4.0/24
◼ The kernel applies the rules in order
◼ The first rule that matches a packet determines the action for that packet
◼ Append: -A
◼ Adds the rule to the bottom of the list of existing rules
iptables: Example command

iptables -A INPUT -j DROP

◼ Sets a rule
◼ Drops all packets that enter from interface eth0 (except for those accepted by previous rules)

sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 53 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT

sudo iptables -A INPUT -j DROP

sudo iptables -P INPUT DROP
iptables: More examples

iptables -L
◼ list current rules
iptables -F
◼ flush all rules
iptables -D INPUT 2
◼ deletes the 2nd rule in the INPUT chain
iptables -I INPUT 1 -p tcp --syn -s 232.16.4.0/24 -d 0/0 --dport 22 -j ACCEPT
◼ -I INPUT 1: insert the rule at the top of the INPUT chain
◼ Accept TCP SYNs from 232.16.4.0/24 to firewall port 22 (ssh)
Syntax of the iptables command

◼ iptables -t TABLE -A CHAIN -[i|o] IFACE -s w.x.y.z -d a.b.c.d -p PROT


-m state --state STATE -j ACTION

◼ TABLE = nat | filter | mangle


◼ CHAIN = INPUT | OUTPUT | FORWARD | PREROUTING|
POSTROUTING
◼ IFACE = eth0 | eth1 | ppp0 | ...
◼ PROT = tcp | icmp | udp
◼ STATE = NEW | ESTABLISHED | RELATED | …
◼ ACTION = DROP | ACCEPT | REJECT | DNAT | SNAT |…
iptables Options

-p protocol type (tcp, udp, icmp)


-s source IP address & port number
-d dest IP address & port number
-i interface name (lo, ppp0, eth0)
-j target (ACCEPT, DENY)
-l log this packet
--sport source port
--dport dest port
--icmp-type
iptables syntax

▪ -t <table>: If you don't specify a table, the filter table is assumed. As discussed before, the possible built-in tables are: filter, nat, mangle
▪ -j <target>: Jump to the specified target when the packet matches the current rule.
▪ -A: Append a rule to the end of a chain
▪ -F: Flush. Deletes all the rules in the selected table
Iptables: 3 tables

◼ FILTER
◼ Used to filter the traffic
◼ 3 chain types: INPUT, OUTPUT and FORWARD
◼ NAT
◼ Hide internal network hosts from outside world. Outside world
only sees the gateway’s external IP address, and no other
internal IP addresses
◼ PREROUTING, POSTROUTING, INPUT and OUTPUT
◼ MANGLE
◼ Used to modify the some fields in the packet header
◼ Not widely used
◼ Don’t worry about it
Tables, Chains & Rules

◼ Three types of tables: FILTER, NAT, MANGLE


◼ A table consists of chains:
◼ For example, a filter table can have an INPUT chain, OUTPUT
chain, and a FORWARD chain
◼ A chain consists of a set of rules
◼ Why are they called chains?
Rule Operations

◼ -I Inserts a rule at the head of a chain


◼ -A Appends a rule to the tail of a chain
◼ -D Deletes a rule that matches the specifiers
◼ -R Replaces a rule in a chain

Syntax
iptables -t table -OP chain specifiers
iptables -t table -OP chain line# specifiers
iptables -OP chain specifiers
sudo iptables -I INPUT 1 -i lo -j ACCEPT
Tables, Chains & Rules

◼ First fit: the first matching rule applies
◼ Examples:
iptables -A INPUT -s 192.168.100.0/24 -p tcp -j ACCEPT (A: Append)
◼ Permit SSH & deny TELNET
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport telnet -j DROP
◼ Delete rule (D: Delete)
iptables -D INPUT 2 or
iptables -D INPUT -p tcp --dport telnet -j DROP
◼ Action: Targets/Jumps:
◼ ACCEPT, REJECT, DROP, MASQUERADE, RETURN
Chain Operations

◼ Listing a chain
iptables -t table -L chain
iptables -L chain
iptables -L

◼ Flags
-n addr/port numbers rather than names
-v verbose
--line-numbers include line numbers in the listing
Chain Operations

◼ Flushing a chain
Deletes all rules associated with a chain
iptables -t table -F chain
iptables -F chain
iptables -F

◼ Setting the default policy of a chain (filter)


iptables -P chain policy
policy – DROP, ACCEPT
Chain Operations

◼ Creating a user chain


iptables -t table -N chain
iptables -N chain

◼ Deleting a user chain


iptables -t table -X chain
iptables -X chain
iptables -X

◼ Renaming a user chain


iptables -t table -E old new
iptables -E old new
Filtering

◼ Erase the whole content of the table:


◼ iptables –F
◼ Listing :
◼ iptables -L -t filter
◼ iptables -L -t mangle
◼ iptables -L -t nat
◼ Protocol based filter:
◼ iptables -A INPUT -p udp --dport 514 -j ACCEPT
◼ Create new chain:
◼ iptables -N name (e.g. iptables -N INTRANET)
◼ Rename a chain:
◼ iptables -E old_name new_name
Port specs

◼ --sport Source port
◼ --dport Destination port
◼ -p tcp --sport 80
◼ -p udp --dport 53
◼ -p tcp,udp --sport 0:1023
◼ -p tcp,udp --sport 1024
◼ -p tcp,udp --dport 1024:
icmp Type and Code RFC 792

◼ -p icmp --icmp-type echo-request

◼ Examples
◼ echo-request
◼ echo-reply
◼ destination-unreachable
◼ time-exceeded
Filtering

◼ Redirection to a user created chain:


◼ iptables -A INPUT -s 10.10.10.0/24 -j INTRANET
◼ ICMP:
◼ iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP

◼ iptables -p icmp --help : for more details about icmp


◼ Many ports :
◼ iptables -A INPUT -p tcp -m multiport --dport 23,80 -j DROP

◼ MAC address:
◼ iptables -A INPUT -p tcp -m mac --mac-source 00:bb:aa:cc:ed:08 -j DROP
◼ iptables -A INPUT -p tcp -m mac --mac-destination 00:bb:aa:cc:ed:08 -j DROP

◼ Port redirection:
◼ iptables -t nat -A PREROUTING -p tcp --dport 2323 -j REDIRECT --to-port 23
Filter: Default action

◼ Default policy

◼ iptables -P INPUT DROP


◼ iptables -P OUTPUT ACCEPT

◼ There is no policy REJECT


◼ sudo iptables -A INPUT -j DROP
◼ sudo iptables -P INPUT DROP
Operations on chains

◼ Operations to manage whole chains


◼ N: create a new chain
◼ X: delete a chain
◼ E: rename a chain
◼ P: change the policy of built-in chain
◼ L:list the rules in a chain
◼ F: flush the rules out of a chain
◼ Manipulate rules inside a chain
◼ A: append a new rule to a chain
◼ I: insert a new rule at some position in a chain
◼ R: Replace a rule at some position in a chain
◼ D: delete a rule in a chain
TCP Flags

◼ -p tcp --tcp-flags SYN,ACK,FIN SYN
◼ Tests the SYN, ACK and FIN flags to see if SYN is the only one of them set
◼ Possible flags
◼ ACK
◼ FIN
◼ RST
◼ PSH
◼ SYN
◼ URG
SYN

◼ -p tcp --tcp-flags SYN,ACK,RST SYN
◼ Tests tcp packets for SYN to be set (with ACK and RST clear)
◼ -p tcp --syn
Matches all packets requesting a tcp connection
◼ !: negates the match, for example all packets that are not connection requests:
◼ -p tcp ! --syn
DoS, DDoS: SYN Flooding

• SYN FLOOD:
• SYN request held for 75 sec

[Figure: SYN, SYN+ACK and ACK exchanges between a source (192.168.0.7) and the victim (182.108.0.7), for the DoS and the DDoS case]
Rate Limits

-m limit --limit rate/unit

◼ rate/unit
◼ rate
◼ Packets per unit time
◼ unit
◼ Second, minute, hour, day

-m limit --limit-burst number --limit rate/unit

◼ number: max permitted burst before the rate limit is applied
Filtering

◼ ICMP rate limiting (echo-request or ping): 1 per second
◼ iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

◼ To protect against « SYN flooding », limit the SYN requests to 5 packets per second
◼ iptables -A INPUT -p tcp --syn -m limit --limit 5/s -j ACCEPT
◼ Packets above the limit simply do not match this rule and fall through to the rules that follow (or to the chain policy), so a DROP must come after it
User chain

◼ Create new user chain:


◼ iptables -N tcppaquets

◼ Redirect the TCP traffic to your newly created chain


◼ iptables -A INPUT -p tcp -j tcppaquets
Connection State

◼ -m state --state state-specifier


◼ State-specifiers

◼ NEW

◼ Associated with a connection request


◼ ESTABLISHED
◼ Associated with an established connection
◼ RELATED
◼ Associated with a new connection request related to an
established connection (ftp-data, icmp error)
◼ INVALID
◼ Associated with a bad connection or is malformed
Stateful firewall

◼ Stateful firewall – the state match is deprecated
◼ 4 possible states for a connection:
1. NEW: new request for a connection
2. ESTABLISHED: connection is already established
3. RELATED: connection is related to another connection
4. INVALID: received packets do not belong to any existing connection
◼ Examples:
◼ Allow the input packets of established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -j REJECT
◼ Relay all packets concerning new connections on port 22
iptables -A OUTPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Stateful firewall

◼ conntrack
◼ Newest version
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Targets/Actions

◼ Target types

◼ Firewall actions – filter table chains & user defined


◼ ACCEPT, DROP, REJECT, LOG, RETURN
◼ NAT support
◼ DNAT, MASQUERADE, REDIRECT, SNAT
Firewall Actions

◼ -j ACCEPT
◼ Lets the packet satisfying the specification pass to the next chain in
the packet path
◼ -j DROP
◼ The packet satisfying the specification is dropped with no error
packet sent to the sender
◼ Stealth mode – used for packet blocking on sensitive hosts
Firewall Actions

◼ -j REJECT
◼ The packet satisfying the specification is dropped with an error packet sent
to the sender
◼ -j REJECT default error is port unreachable
◼ -j REJECT --reject-with flag
◼ icmp-net-unreachable
◼ icmp-host-unreachable
◼ icmp-port-unreachable
◼ icmp-proto-unreachable
◼ icmp-net-prohibited
◼ icmp-host-prohibited
◼ tcp-reset
◼ Sends a tcp packet with the RST bit set
Firewall Actions

◼ -j LOG
◼ Causes the packet satisfying the specification to be logged using the
Syslog facility
◼ --log-prefix “IPT description of entry”
◼ IPT identifies the source of the log entry, i.e. iptables
◼ Description within quotes is limited to 29 characters
◼ --log-ip-options
◼ --log-level
◼ --log-tcp-options
◼ --log-tcp-sequence
◼ To log a dropped packet a log rule must precede the dropping rule
Log files

◼ Example:
◼ iptables -A OUTPUT -j LOG (nano /etc/syslog.conf)
◼ iptables -A INPUT -j LOG
◼ iptables -A FORWARD -j LOG
◼ Log rejected packets inside /var/log/messages
◼ iptables -N LOG_DROP
◼ iptables -A LOG_DROP -p tcp --dport 22 -j LOG --log-prefix "ssh access attempt"
◼ iptables -A LOG_DROP -p tcp --dport 22 -j DROP
◼ iptables -I INPUT 1 -j LOG_DROP
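The pieces shown one slide at a time (default policy, loopback, conntrack, SSH, rate-limited ping and SYNs, a LOG rule placed before its DROP) only protect a host when they are assembled in the right order. The script below is an added example, not the course's own, that builds a complete host firewall from those commands. By default it is a dry run: IPT is set to echo and the commands are printed, so it can be read and tested without root; run it as root with IPT=iptables to apply them. SSH_NET is a constructed admin network and the function name is my own.

```shell
#!/bin/sh
# Added example, not the course's own script: a host firewall assembled from
# the iptables commands in the slides. Dry run by default (IPT=echo prints the
# commands); IPT=iptables ./host-fw.sh applies them as root.
set -eu

IPT="${IPT:-echo}"
SSH_NET="${SSH_NET:-192.0.2.0/24}"   # constructed: network admins connect from

host_firewall() {
    # Start permissive and flush, so that re-running this over an ssh session
    # does not lock us out between the flush and the new rules.
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    $IPT -X

    # User chain: log (rate-limited so a flood cannot fill syslog), then drop.
    # The LOG rule must precede the DROP rule or nothing is ever logged.
    $IPT -N LOG_DROP
    $IPT -A LOG_DROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPT INPUT drop: "
    $IPT -A LOG_DROP -j DROP

    # Loopback, replies to connections this host opened, and nothing invalid
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

    # New ssh connections only from the admin network, SYNs limited to 5/s;
    # SYNs above the limit fall through to LOG_DROP below.
    $IPT -A INPUT -p tcp --dport 22 --syn -s "$SSH_NET" -m limit --limit 5/s --limit-burst 10 -j ACCEPT

    # Answer ping, but no more than one echo-request per second
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

    # Everything else: log, then drop
    $IPT -A INPUT -j LOG_DROP

    # Default policies last, now that the accept rules are in place.
    # This host does not route, so FORWARD is dropped too.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
}

host_firewall
```

After applying the rules as root, iptables-save > /etc/iptables/rules.v4 keeps them across a reboot, as the backup slide describes. The order inside the function is the whole point: the permissive policies come first and the DROP policies last, the conntrack rule sits above the service rules so replies are accepted without re-matching them, and the LOG rule sits above its DROP.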
Backup your configuration

◼ sudo apt install iptables-persistent
◼ iptables-save > file.txt
◼ iptables -F
◼ iptables -L
◼ iptables-restore < file.txt
◼ iptables -L
◼ apt-get install iptables-persistent ==> /etc/iptables/rules.v4
◼ /etc/init.d/iptables-persistent save
◼ /etc/init.d/iptables-persistent reload
◼ sudo systemctl restart netfilter-persistent
Knockd: port knocking server

◼ Listen for special sequences of port hits


◼ apt-get install knockd
◼ cat /etc/knockd.conf
[options]
logfile = /var/log/knockd.log
[openSSH]
sequence = 7000,8000,9000
seq_timeout = 10
tcpflags = syn
command = /usr/sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 10
tcpflags = syn
command = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
Knockd: port knocking server
Details: https://www.digitalocean.com/community/tutorials/how-to-use-port-knocking-to-hide-your-ssh-daemon-from-attackers-on-ubuntu

nano /etc/default/knockd
START_KNOCKD=1
KNOCKD_OPTS="-i eth0"

sudo /etc/init.d/knockd start
or
service knockd start

On the client

knock -v 192.168.1.250 7000 8000 9000

hitting tcp 192.168.1.250:7000
hitting tcp 192.168.1.250:8000
hitting tcp 192.168.1.250:9000

knock -v 192.168.1.100 3333:tcp 9999:udp 1010:udp 8675:tcp


Firewall: port knocking
apt-get install -y nmap

#!/bin/bash
for i in 100 200 300 400
do
nmap -Pn --max-retries 0 -p $i 10.102.178.168
done

./knockknock.sh
Port knocking

◼ GATE 1: labelled with auth1
◼ GATE 2: if label=auth1 then change the label to auth2, otherwise back to the initial state
◼ GATE 3: if label=auth2 then change the label to auth3, otherwise back to the initial state
Port knocking

#!/bin/bash
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F

iptables -N KNOCKING
iptables -N GATE1
iptables -N GATE2
iptables -N GATE3
iptables -N PASSED

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


iptables -A INPUT -j KNOCKING

iptables -A PASSED -m recent --name AUTH3 --remove


iptables -A PASSED -p tcp --dport 22 -j ACCEPT
iptables -A PASSED -j GATE1
Port knocking

iptables -A KNOCKING -m recent --rcheck --seconds 30 --name AUTH3 -j PASSED


iptables -A KNOCKING -m recent --rcheck --seconds 30 --name AUTH2 -j GATE3
iptables -A KNOCKING -m recent --rcheck --seconds 30 --name AUTH1 -j GATE2
iptables -A KNOCKING -j GATE1

iptables -A GATE1 -p tcp --dport 1111 -m recent --name AUTH1 --set -j DROP
iptables -A GATE1 -j DROP

iptables -A GATE2 -m recent --name AUTH1 --remove


iptables -A GATE2 -p tcp --dport 2222 -m recent --name AUTH2 --set -j DROP
iptables -A GATE2 -j GATE1

iptables -A GATE3 -m recent --name AUTH2 --remove


iptables -A GATE3 -p tcp --dport 3333 -m recent --name AUTH3 --set -j DROP
iptables -A GATE3 -j GATE1
Port knocking

#!/bin/bash
# knock the three gates in order, then open the ssh session
[ $# -ne 1 ] && echo "usage: $0 server" && exit 128
your_server=$1
for x in 1111 2222 3333;
do
nmap -Pn --host-timeout 201 --max-retries 0 -p $x "$your_server" && sleep 1;
done && ssh amir@${your_server}

hping3 --syn -p 1111 -c 1 DIP
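The KNOCKING/GATE rules above are a small state machine driven by the "-m recent" lists AUTH1, AUTH2 and AUTH3, and the easiest way to understand them is to trace a few packet sequences through it. The script below is an added example, not from the course: a pure shell model of those chains (no root, no kernel) that reports the verdict for each inbound packet, so the correct sequence, a wrong knock, and a restart mid-way can be compared. It models only the KNOCKING path, not the ESTABLISHED rule that accepts the rest of an opened ssh session, and the 30-second expiry of the lists is not modelled. Function names are my own.

```shell
#!/bin/sh
# Added example, not from the course: a shell model of the KNOCKING, GATE1-3
# and PASSED chains above. It tracks which "-m recent" list (AUTH1, AUTH2,
# AUTH3) a client is on and prints the verdict for each inbound packet.
set -eu

K1=1111; K2=2222; K3=3333   # knock ports, as in the iptables script above
SERVICE=22                  # port opened by a correct sequence

# gate1 DPORT -> the list the client is on after the GATE1 chain:
# a hit on the first knock port sets AUTH1, anything else leaves no state.
gate1() {
    if [ "$1" -eq "$K1" ]; then printf 'AUTH1\n'; else printf '\n'; fi
}

# knock_walk DPORT [DPORT ...] -> "DPORT:VERDICT ..." for each packet,
# e.g. "1111:DROP 2222:DROP 3333:DROP 22:ACCEPT"
knock_walk() {
    auth=""      # current recent-list entry of the client: "", AUTH1, AUTH2 or AUTH3
    trace=""
    for dport in "$@"; do
        verdict=DROP
        case $auth in
            AUTH3)  # PASSED: AUTH3 is removed first; only the service port is
                    # accepted, anything else is treated as a fresh first knock
                if [ "$dport" -eq "$SERVICE" ]; then
                    verdict=ACCEPT; auth=""
                else
                    auth=$(gate1 "$dport")
                fi ;;
            AUTH2)  # GATE3: AUTH2 removed; the right knock advances to AUTH3
                if [ "$dport" -eq "$K3" ]; then auth=AUTH3; else auth=$(gate1 "$dport"); fi ;;
            AUTH1)  # GATE2: AUTH1 removed; the right knock advances to AUTH2
                if [ "$dport" -eq "$K2" ]; then auth=AUTH2; else auth=$(gate1 "$dport"); fi ;;
            *)      # no state yet: GATE1
                auth=$(gate1 "$dport") ;;
        esac
        trace="${trace}${trace:+ }${dport}:${verdict}"
    done
    printf '%s\n' "$trace"
}

# Stand-alone demo
printf 'correct sequence:   %s\n' "$(knock_walk 1111 2222 3333 22)"
printf 'wrong second knock: %s\n' "$(knock_walk 1111 3333 22)"
printf 'restart mid-way:    %s\n' "$(knock_walk 1111 2222 1111 2222 3333 22)"
printf 'no knock at all:    %s\n' "$(knock_walk 22)"
```

Two details of the real rules are visible in the trace. Every knock packet is itself dropped (the knocker gets no answer, which is the point), and a wrong port does not merely fail: it removes the current list entry and re-enters GATE1, so a 1111 sent in the wrong place immediately starts a new sequence rather than being ignored.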


Private Network

◼ A private IP network is an IP network with private IP addresses (can it be connected directly to the Internet?)
◼ Generally, private networks use addresses from the following private, non-routable address ranges:
◼ 10.0.0.0 – 10.255.255.255
◼ 172.16.0.0 – 172.31.255.255
◼ 192.168.0.0 – 192.168.255.255
Uncomplicated firewall: ufw

◼ Installed by default since ubuntu 18.04


◼ apt install ufw
◼ sudo systemctl enable --now ufw
◼ sudo ufw default deny incoming
◼ sudo ufw default allow outgoing
◼ sudo ufw allow 22/tcp
◼ sudo ufw allow 53 => both tcp and udp
◼ sudo ufw deny 23
◼ ufw allow http
◼ ufw allow https
◼ ufw allow ssh
◼ sudo ufw allow 6000:6007/tcp
◼ sudo ufw deny 6000:6007/udp
◼ sudo ufw allow from 203.0.113.4/24
◼ sudo ufw allow from 203.0.113.4/24 to any port 22
◼ sudo ufw allow from 104.22.11.213 to any port 25 proto tcp
◼ sudo ufw enable
◼ sudo ufw status
◼ ls -l /etc/ufw => users.rules
◼ Log => /var/log/kern.log


Uncomplicated firewall: ufw
◼ sudo ufw deny http
◼ sudo ufw deny from 203.0.113.4
◼ sudo ufw deny out 25
◼ sudo ufw allow proto tcp from 202.54.2.5 to 172.24.13.45 port 22
◼ sudo systemctl status ufw.service
◼ sudo ufw status
◼ sudo ufw enable
◼ sudo ufw status => list rules
◼ sudo ufw reload
◼ ufw status numbered
◼ ufw delete 1
◼ sudo ufw delete allow http or ufw delete allow 8080
◼ sudo ufw disable
◼ sudo ufw reset
Uncomplicated firewall: ufw

◼ ufw limit ssh # (6 attempts / 30 sec)


◼ ufw status verbose
◼ ufw status numbered
◼ ufw delete 2
◼ sudo ufw delete allow 80/tcp
◼ sudo ufw delete deny from 192.168.1.100
◼ cat /etc/ufw/user.rules
◼ ufw show raw
◼ ufw app list
◼ ufw app info OpenSSH
◼ ufw allow OpenSSH
◼ ufw status > backup.txt
◼ ufw reset
◼ ufw < backup.txt
◼ ufw enable
Encryption Technologies
◼ GNU Privacy Guard (GPG)
◼ Implementation of Phil Zimmermann's Pretty Good Privacy
◼ Used to encrypt or sign files or messages
◼ Hard to crack
◼ Use public/private key
◼ Encrypt your files
◼ Encrypt email messages
◼ Key distribution
◼ Recipients must use gpg
◼ gpg --gen-key or gpg --full-generate-key
◼ gpg --list-keys
◼ Symmetric encryption
◼ gpg -c file.txt
◼ gpg -d file.txt.gpg
◼ shred -u -z file.txt (-u option to delete the file, and the -z option to overwrite the deleted file with zeros)
◼ less file.txt.gpg
◼ sudo mkdir /shared
◼ sudo chown oscar:oscar /shared
◼ sudo chmod 755 /shared
◼ mv file.txt.gpg /shared
◼ su - user1
◼ cd /shared
◼ gpg -d file.txt.gpg
Encryption Technologies
◼ Public keys encryption
◼ gpg --export -a -o oscar_public_key.txt
◼ Change to account of user1
◼ gpg --import oscar_public_key.txt
◼ gpg -s -e file.txt ➔ asymmetrically encrypt it (-e), and sign it (-s)
◼ gpg -d file.txt.gpg
◼ gpg --edit-key Oscar ➔ trust and 5 and y
◼ sudo apt install gnupg-agent
◼ gpg -s file.txt => signing a file without encryption
◼ gpg --verify file.txt.gpg
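The two slides above are an interactive session across two accounts (oscar and user1). The script below is an added example, not from the course, that runs the same workflow non-interactively in two throwaway keyrings: gpg -c / gpg -d with a passphrase, key generation and the export/import of public keys, gpg -s -e to a recipient followed by gpg -d, and gpg -s followed by gpg --verify. The names, passphrase and file contents are constructed, --trust-model always stands in for the slide's "gpg --edit-key ... trust 5" step, and the keys are created without a passphrase for the demo only. It assumes a GnuPG 2.2 or later gpg with --pinentry-mode loopback.

```shell
#!/bin/sh
# Added example, not from the course: the slides' GPG workflow run without
# prompts in two throwaway keyrings (oscar and user1). Constructed names,
# passphrase and contents; assumes gpg 2.2+ (pinentry loopback).
set -eu

WORK=$(mktemp -d)
OSCAR_HOME="$WORK/oscar"; USER1_HOME="$WORK/user1"
mkdir -m 700 "$OSCAR_HOME" "$USER1_HOME"
PASS='constructed-passphrase'
# Remove the temporary keyrings (and their agents) when the script exits
cleanup() {
    for h in "$OSCAR_HOME" "$USER1_HOME"; do
        GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# gpg_as HOME args... : run gpg against one keyring with no prompts
gpg_as() {
    home=$1; shift
    GNUPGHOME="$home" gpg --batch --yes --quiet --pinentry-mode loopback "$@"
}

# symmetric_roundtrip -> the decrypted text (gpg -c, then gpg -d, with a passphrase)
symmetric_roundtrip() {
    printf 'secret data\n' > "$WORK/file.txt"
    gpg_as "$OSCAR_HOME" --passphrase "$PASS" -c -o "$WORK/file.txt.gpg" "$WORK/file.txt"
    rm -f "$WORK/file.txt"                               # keep only the ciphertext
    gpg_as "$OSCAR_HOME" --passphrase "$PASS" -d -o "$WORK/file.txt.dec" "$WORK/file.txt.gpg"
    cat "$WORK/file.txt.dec"
}

# make_keys: a key pair per user, then each public key is exported
# (gpg --export -a -o) and imported into the other keyring (gpg --import)
make_keys() {
    gpg_as "$OSCAR_HOME" --passphrase '' --quick-generate-key 'Oscar <oscar@example.invalid>' default default never
    gpg_as "$USER1_HOME" --passphrase '' --quick-generate-key 'User1 <user1@example.invalid>' default default never
    gpg_as "$OSCAR_HOME" --export -a -o "$WORK/oscar_public_key.txt" oscar@example.invalid
    gpg_as "$USER1_HOME" --export -a -o "$WORK/user1_public_key.txt" user1@example.invalid
    gpg_as "$USER1_HOME" --import "$WORK/oscar_public_key.txt"
    gpg_as "$OSCAR_HOME" --import "$WORK/user1_public_key.txt"
}

# encrypt_and_sign_roundtrip -> "GOODSIG <plaintext>": user1 encrypts to oscar
# and signs (gpg -s -e), oscar decrypts (gpg -d) and gpg reports the signature.
encrypt_and_sign_roundtrip() {
    printf 'for oscar only\n' > "$WORK/msg.txt"
    gpg_as "$USER1_HOME" --passphrase '' --trust-model always \
        -r oscar@example.invalid -s -e -o "$WORK/msg.txt.gpg" "$WORK/msg.txt"
    status=$(gpg_as "$OSCAR_HOME" --passphrase '' --status-fd 1 -d -o "$WORK/msg.txt.dec" "$WORK/msg.txt.gpg")
    sig=BADSIG
    case $status in *GOODSIG*) sig=GOODSIG ;; esac
    printf '%s %s\n' "$sig" "$(cat "$WORK/msg.txt.dec")"
}

# sign_only_roundtrip -> "verified" or "not verified": oscar signs without
# encrypting (gpg -s), user1 checks the signature (gpg --verify)
sign_only_roundtrip() {
    printf 'public notice\n' > "$WORK/notice.txt"
    gpg_as "$OSCAR_HOME" --passphrase '' -s -o "$WORK/notice.txt.gpg" "$WORK/notice.txt"
    if gpg_as "$USER1_HOME" --verify "$WORK/notice.txt.gpg" 2>/dev/null; then
        printf 'verified\n'
    else
        printf 'not verified\n'
    fi
}

# Stand-alone demo (skipped when gpg is not installed)
if command -v gpg >/dev/null 2>&1; then
    make_keys
    printf 'symmetric:    %s\n' "$(symmetric_roundtrip)"
    printf 'sign+encrypt: %s\n' "$(encrypt_and_sign_roundtrip)"
    printf 'sign only:    %s\n' "$(sign_only_roundtrip)"
fi
```

The cross-import in make_keys is what the slides do by hand with gpg --export and gpg --import: user1 needs oscar's public key to encrypt to him, and oscar needs user1's public key for the decrypted message to come back with GOODSIG rather than "can't check signature".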
