Linux basics (theory)
Table of contents
- What is Linux?
- Why is Linux superior to other systems?
- SOCs
- Nano and other editors
- The importance of configuration text files
- Server services and most used ports
- Using a port scanner
- Linux distributions
- Virtual Machines
- Basic commands
- Daemons
- SSH: Secure Remote Access
- Device hardening
- Popular log files
- Common file systems
- Hard links
- Staying up-to-date
- Processes
- Forks
What is Linux?
Linux is an open-source, Unix-like operating system. It is widely used for servers, desktops, and mobile devices. It was created by Linus Torvalds in 1991. Unlike proprietary systems like Windows or macOS, Linux allows us to freely modify and distribute its source code. On Windows, the terminal is called CMD, while on Linux, it's referred to as CLI (Command Line Interface).
Why is Linux superior to other systems?
Linux is considered superior to other operating systems for several reasons:
- Open-source: Anyone can modify and contribute to its development.
- Stability: Linux is known for its reliability and uptime, making it ideal for servers and critical applications.
- Security: Linux has strong built-in security features, making it less susceptible to viruses and malware.
- Customizability: We can customize nearly every aspect of the system, from the kernel to the user interface.
- Performance: Linux runs efficiently even on older hardware, providing faster performance compared to many other OSes.
SOCs
One of its advantages is its flexibility, especially when configured for use in a Security Operations Center (SOC). Linux allows administrators to customize the operating system by installing only the necessary packages, making it a lean and efficient platform. By carefully selecting and configuring software tools, administrators can create a system that is perfectly suited to the unique needs of a SOC.
Network packet capture software is an essential tool for SOC analysts, enabling them to capture and thoroughly examine network transactions. Wireshark is one of the most widely used packet capture tools for network analysis. In addition to packet capture tools, other commonly used tools in SOC environments include:
- Malware analysis tools: Used to safely analyze and observe malware behavior without compromising the underlying system.
- Intrusion detection systems (IDS): These monitor network traffic and alert administrators to suspicious activity in real-time.
- Firewalls: Used to control traffic flow into and out of a network, protecting it from unauthorized access.
- Log managers: Help in managing, collecting, and analyzing large amounts of log data generated by network devices.
- Security information and event management (SIEM): Provides real-time analysis and management of security alerts and events.
- Ticketing systems: Used for tracking and managing security incidents and task assignments within the SOC.
Here are some examples of these tools:
Sguil
Sguil is an open-source security console that provides real-time access to intrusion detection system (IDS) alerts. It is often used in combination with other tools in Security Onion, a specialized Linux distribution, to help analysts manage and investigate security events.
Bro/Zeek
Zeek (formerly known as Bro) is a powerful network monitoring platform that captures and analyzes network traffic. It is commonly used in SOC environments for real-time traffic analysis and alert generation based on traffic patterns.
Snort
Snort is a widely used network intrusion detection system (NIDS) that logs network packets and analyzes traffic in real-time. It uses signature-based detection to identify potential threats and is commonly deployed in SOCs to detect early signs of intrusion.
Elastic Stack (ELK)
The Elastic Stack (consisting of Elasticsearch, Logstash, and Kibana) is a set of tools often used in SOCs for searching, analyzing, and visualizing large volumes of log data. The Elastic Stack helps analysts quickly access and process data, which is crucial for effective incident response.
Nano and other editors
In Linux, text editors are essential for editing configuration files, writing scripts, and more. Some popular text editors include:
- Nano: A simple, user-friendly command-line text editor suitable for beginners.
- Vim: A highly configurable, powerful text editor designed for efficient text editing.
- Emacs: A powerful, extensible, customizable text editor known for its vast set of features.
The importance of configuration text files
Linux stores configuration settings in plain-text files. These files allow us to customize the behavior of the system, services, and applications. Common examples of configuration files include:
- /etc/fstab: Defines how disk drives and partitions are mounted.
- /etc/passwd: Contains user account information.
- /etc/ssh/sshd_config: Configuration for the SSH server.
- /etc/network/interfaces: Defines network interface configurations.
- /etc/hosts: Maps hostnames to IP addresses, allowing for local hostname resolution.
Text-based configuration files make Linux flexible, as they can be easily edited, version-controlled, and scripted for automation tasks.
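To make the last point concrete, here is an added example (not from the original text) of the kind of review that plain-text configuration makes trivial to script: two small POSIX shell functions that read /etc/passwd and report accounts that have UID 0 and accounts that still have an interactive login shell. The passwd content below is constructed for the example; on a real host pass /etc/passwd as the argument.

```shell
#!/bin/sh
# Added example: /etc/passwd is colon-separated plain text with the fields
# name:password:UID:GID:comment:home:shell, so awk can audit it directly.
# Constructed sample file (not a real system's passwd).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/sh'

# passwd_source [FILE]: emit the given file, or the sample when none is given
passwd_source() {
    if [ -n "$1" ]; then cat -- "$1"; else printf '%s\n' "$SAMPLE_PASSWD"; fi
}

# uid0_accounts [FILE]: every account whose UID is 0 (full superuser).
# Any name other than root here needs an explanation.
uid0_accounts() {
    passwd_source "$1" | awk -F: '$3 == 0 { print $1 }'
}

# login_shell_accounts [FILE]: accounts whose shell allows interactive login
# (anything not ending in nologin or false).
login_shell_accounts() {
    passwd_source "$1" | awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# On a real system: uid0_accounts /etc/passwd
echo "UID 0 accounts:";      uid0_accounts
echo "Interactive accounts:"; login_shell_accounts
```

The same pattern (a fixed field separator plus one awk condition) applies to /etc/group, /etc/fstab and most other files in /etc, which is why configuration review on Linux is usually a shell one-liner rather than a GUI task.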
Server services and most used ports
A port in computer networking refers to a logical endpoint for communication in a network. It is a 16-bit number (ranging from 0 to 65535) used by the Transport Layer protocols, such as TCP (Transmission Control Protocol) and UDP (User Datagram Protocol), to distinguish different services or applications running on a device. Ports allow multiple applications or services to run on the same machine without interfering with each other by assigning unique numbers for each service.
Here are key points about ports:
- Well-known Ports: Ports 0-1023 are typically reserved for system or widely used services (e.g., HTTP uses port 80, HTTPS uses port 443).
- Registered Ports: Ports 1024-49151 are used by applications that are not as widely standardized as well-known ports but are still registered for specific services.
- Dynamic or Private Ports: Ports 49152-65535 are used for temporary connections by client applications and are often assigned dynamically by the operating system.
Ports play a crucial role in network communication, ensuring that data is routed to the correct service or application on a device. Linux is widely used for hosting server applications. Some of the most common server services and their associated ports include:
Service | Port
HTTP (Web Server) | 80
HTTPS (Secure Web Server) | 443
SSH (Secure Shell) | 22
FTP (File Transfer Protocol) | 21
SMTP (Email Sending) | 25
IMAP (Email Receiving) | 143
MySQL (Database Server) | 3306
DNS (Domain Name System) | 53
Using a port scanner
A port scanner is a tool used to check which ports are open on a given server or network device. Commonly used port scanners include:
- Nmap: A powerful and widely used network scanning tool that can detect open ports, services, and vulnerabilities.
- Netcat: A simple tool for reading and writing data across network connections using TCP (Transmission Control Protocol) or UDP (User Datagram Protocol).
- Telnet: A simple command-line tool for testing connectivity to remote servers over specific ports.
By using a port scanner like Nmap, network administrators can check the security and configuration of their systems, identify open ports, and detect unauthorized services.
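Before scanning a host from the outside, an administrator can ask the kernel directly which TCP ports are in the LISTEN state. The following is an added example (not from the original text) that parses the /proc/net/tcp table with POSIX sh and awk: the kernel stores each local address as hexadecimal IP:PORT with the IPv4 bytes in little-endian order, and state 0A means LISTEN. The table content embedded below is constructed so the example runs anywhere; pass /proc/net/tcp to read the live system.

```shell
#!/bin/sh
# Added example: list listening TCP ports by reading the kernel's own table.
# /proc/net/tcp columns: sl local_address rem_address st ... (st 0A = LISTEN).
# Constructed sample in the same format (not captured from a real host).
SAMPLE_TCP_TABLE='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   105        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0050 0100007F:D431 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
   3: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 100 0 0 10 0'

# listening_ports [FILE]
# Prints "PORT BIND_ADDRESS" for each LISTEN socket, sorted by port number.
listening_ports() {
    if [ -n "$1" ]; then cat -- "$1"; else printf '%s\n' "$SAMPLE_TCP_TABLE"; fi |
    awk '
        # hex2dec: portable hex-to-decimal conversion (no gawk strtonum needed)
        function hex2dec(h,    i, v) {
            v = 0
            h = toupper(h)
            for (i = 1; i <= length(h); i++)
                v = v * 16 + index("0123456789ABCDEF", substr(h, i, 1)) - 1
            return v
        }
        # hex2ip: the kernel writes IPv4 addresses little-endian, so the
        # dotted form is built from the bytes in reverse order.
        function hex2ip(h,    s) {
            s = hex2dec(substr(h, 7, 2)) "." hex2dec(substr(h, 5, 2))
            s = s "." hex2dec(substr(h, 3, 2)) "." hex2dec(substr(h, 1, 2))
            return s
        }
        NR > 1 && $4 == "0A" {
            split($2, a, ":")
            printf "%d %s\n", hex2dec(a[2]), hex2ip(a[1])
        }' | sort -n
}

# listening_count [FILE]: number of LISTEN sockets, useful as a baseline
# to compare against after a change or during an investigation.
listening_count() {
    listening_ports "$1" | wc -l | tr -d ' '
}

# Live system: listening_ports /proc/net/tcp
listening_ports
```

On the sample table this prints SSH (22) and HTTPS (443) bound to all interfaces and MySQL (3306) bound only to 127.0.0.1, while the ESTABLISHED row for port 80 is skipped. A service listening on 0.0.0.0 that should only be reachable locally is exactly the kind of finding the section above describes.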
Linux distributions
Linux distributions refer to the various flavors of Linux operating systems that are packaged with different sets of software, tools, and configurations to meet specific needs. Popular Linux distributions like Ubuntu, CentOS, and Debian are commonly used in SOCs. Security-focused distributions like Kali Linux and Security Onion are tailored for penetration testing and security monitoring. Each distribution has its own package management system, software repositories, and intended use cases, making it essential to choose the right one based on the specific requirements of the SOC or organization. Raspbian is a Debian derivative used on Raspberry Pi boards.
Virtual Machines
Virtual machines (VMs) provide a convenient way to run Linux on a Windows machine without needing to dual-boot or modify the underlying hardware. By using software like VMware or VirtualBox, we can create a virtualized environment to install and run a Linux distribution alongside our existing Windows operating system. This allows developers, administrators, and security analysts to test, configure, or run Linux tools within a controlled and isolated environment. It is an efficient solution for running Linux-specific applications or conducting security analysis, all while keeping the host Windows system intact.
Basic commands
Command | Purpose
ls | Listing the contents of a directory.
cd | Changing the current directory.
pwd | Displaying the current working directory.
mkdir | Creating a new directory.
rmdir | Removing an empty directory.
rm | Removing files or directories.
cp | Copying files or directories.
mv | Moving or renaming files or directories.
touch | Creating an empty file or updating the timestamp of an existing file.
cat | Displaying the contents of a file.
echo | Displaying text or variables in the terminal.
chmod | Changing file permissions.
chown | Changing file ownership.
ps | Displaying a list of currently running processes.
top | Displaying real-time information about system processes and resource usage.
grep | Searching for a pattern in files or output.
find | Searching for files and directories in a directory hierarchy.
df | Displaying information about disk space usage.
du | Displaying disk space usage for files and directories.
man | Displaying the manual for a command.
sudo | Executing a command with superuser (admin) privileges.
ifconfig | Displaying or configuring network interfaces. (Deprecated; use ip instead.)
apt-get | Package management tool for installing, upgrading, and removing software packages on all Debian derivatives (e.g., Raspbian).
shutdown | Shutting down the system.
passwd | Changing the password of a user account.
crontab | Scheduling and managing recurring tasks or jobs to run automatically at specified times and intervals.
Daemons
Daemons are background processes that run continuously on a Linux system, often starting automatically during the system boot. They are responsible for handling specific system or application tasks, such as scheduling, logging, or managing services. Common examples of daemons include:
- cron: Manages scheduled tasks and automates repetitive jobs.
- sshd: Handles incoming SSH connections for secure remote access.
- httpd: Powers web servers, such as Apache or Nginx.
Daemons usually have names ending in d, indicating their function as a service process. They enhance Linux's multitasking capabilities by enabling smooth background operations and service management without user intervention.
SSH: Secure Remote Access
Secure Shell (SSH) is a protocol that allows us to securely access and manage remote systems over an encrypted connection. SSH is an essential tool for system administrators and SOC analysts, enabling secure communication with servers, transferring files, and executing commands remotely. SSH provides robust authentication methods, including password-based and key-based authentication, ensuring safe access to sensitive systems.
The SSH service on Linux is managed by the sshd daemon, which listens for incoming SSH connections on port 22 by default. Administrators can configure SSH by editing the /etc/ssh/sshd_config file, where options such as allowed authentication methods, permitted IPs, and port numbers can be customized to enhance security.
SSH is not only vital for routine server management but also serves as a secure foundation for tools like secure file transfer (SCP) and remote command execution, making it indispensable in Linux environments.
Device hardening
Device hardening involves securing a Linux system by minimizing vulnerabilities and configuring it to resist potential attacks. It is a crucial practice for protecting servers, endpoints, and other devices. Key steps in hardening a Linux system include:
- Disabling unnecessary services: Turn off services and daemons that are not required to minimize the attack surface.
- Configuring a firewall: Use tools like iptables or ufw to manage network traffic and block unauthorized access.
- Setting strong passwords: Enforce complex password policies and consider multi-factor authentication.
- Applying updates: Regularly update the operating system and installed software to patch security vulnerabilities.
- File and directory permissions: Restrict access to critical files using proper ownership and permission settings.
- Configuring SELinux or AppArmor: Use security modules to enforce strict access controls for applications and services.
- Using secure SSH settings: Limit SSH access by disabling root login and using key-based authentication.
- Monitoring system logs: Regularly review logs to detect suspicious activity or potential security incidents.
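The SSH items in this list (and the /etc/ssh/sshd_config description in the previous section) can be checked mechanically. Below is an added example, not from the original text, of a small POSIX shell audit that reads an sshd_config, resolves each keyword the way sshd does (first uncommented occurrence wins, keywords are case-insensitive), and reports a weak PermitRootLogin, PasswordAuthentication or PubkeyAuthentication setting. Both configuration texts are constructed; the defaults assumed when a keyword is absent are OpenSSH's documented defaults. The check deliberately ignores Match blocks and Include directives, so treat it as a first pass, not a full parser.

```shell
#!/bin/sh
# Added example: audit the SSH hardening points from the list above.
# Constructed "before" configuration with the weak settings.
WEAK_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes'

# Constructed "after" configuration with the hardened settings.
HARDENED_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers alice bob'

# sshd_setting CONFIG_TEXT KEYWORD
# Prints the effective value of KEYWORD: comments are skipped, keyword
# matching is case-insensitive, and the first match wins (as in sshd).
sshd_setting() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }'
}

# audit_sshd CONFIG_TEXT
# Prints one line per finding; returns 1 if any finding was raised, else 0.
audit_sshd() {
    cfg=$1
    findings=0
    # OpenSSH defaults when a keyword is absent: PermitRootLogin
    # prohibit-password, PasswordAuthentication yes, PubkeyAuthentication yes
    root=$(sshd_setting "$cfg" PermitRootLogin)
    pw=$(sshd_setting "$cfg" PasswordAuthentication)
    pk=$(sshd_setting "$cfg" PubkeyAuthentication)
    allow=$(sshd_setting "$cfg" AllowUsers)
    if [ "${root:-prohibit-password}" = "yes" ]; then
        echo "FINDING: PermitRootLogin yes (root can log in directly; set it to no)"
        findings=1
    fi
    if [ "${pw:-yes}" = "yes" ]; then
        echo "FINDING: PasswordAuthentication yes (set it to no and use key-based auth)"
        findings=1
    fi
    if [ "${pk:-yes}" != "yes" ]; then
        echo "FINDING: PubkeyAuthentication disabled"
        findings=1
    fi
    if [ -z "$allow" ]; then
        echo "NOTE: no AllowUsers restriction; every account with a shell may log in"
    fi
    return $findings
}

# Real host: audit_sshd "$(cat /etc/ssh/sshd_config)"
echo "== weak config ==";     audit_sshd "$WEAK_CONFIG" || echo "(audit failed, as expected)"
echo "== hardened config =="; audit_sshd "$HARDENED_CONFIG" && echo "(no findings)"
```

Running the audit before and after editing sshd_config is a quick regression check; remember that sshd only picks up the new file after a reload, so confirm with a second SSH session before closing the one you are editing from.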
Popular log files
Linux maintains a variety of log files to record system, service, and application events. These logs are critical for monitoring, troubleshooting, and auditing purposes. Below is a table of commonly used Linux log files and their purposes:
Log file | Purpose
/var/log/messages | General system messages and logs from various daemons.
/var/log/syslog | System log file for general logging and troubleshooting.
/var/log/auth.log | Authentication logs, including successful and failed login attempts.
/var/log/kern.log | Kernel logs for diagnosing kernel-level issues.
/var/log/dmesg | Boot and kernel ring buffer logs for hardware and system initialization.
/var/log/secure | Security-related logs, such as authentication attempts and sudo usage.
/var/log/boot.log | Logs related to the boot process.
/var/log/httpd/access_log | Logs for web server (Apache) access requests.
/var/log/httpd/error_log | Logs for web server (Apache) errors and issues.
/var/log/faillog | Failed login attempts for the system.
/var/log/cron | Logs for scheduled tasks and cron job execution details.
These log files are typically stored in the /var/log directory and can be analyzed using tools like grep, tail, or log management solutions to monitor system activity and identify potential threats.
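As an added example (not from the original text) of analysing /var/log/auth.log with nothing but grep-style matching in awk, the POSIX shell functions below count failed SSH password attempts per source address and flag any source at or above a threshold, which is the simplest useful brute-force detector. The log lines are constructed in the usual sshd syslog format; pass the real file as the second argument on a live host.

```shell
#!/bin/sh
# Added example: failed-login detection over auth.log lines.
# Constructed sample log (addresses are documentation ranges, not real hosts).
SAMPLE_AUTH_LOG='Mar  3 10:01:12 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51422 ssh2
Mar  3 10:01:15 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51423 ssh2
Mar  3 10:01:19 host sshd[2103]: Failed password for root from 203.0.113.7 port 51430 ssh2
Mar  3 10:02:02 host sshd[2110]: Accepted publickey for alice from 198.51.100.20 port 40022 ssh2: ED25519 SHA256:constructedfingerprint
Mar  3 10:02:40 host sshd[2115]: Failed password for alice from 198.51.100.20 port 40031 ssh2
Mar  3 10:03:01 host CRON[2120]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  3 10:03:55 host sshd[2131]: Failed password for invalid user test from 203.0.113.7 port 51500 ssh2'

# failed_logins_by_source [FILE]
# Prints "COUNT IP" for every source that produced a failed password, most
# frequent first. The "from" token is located by position so the line
# layout (with or without "invalid user") does not matter.
failed_logins_by_source() {
    if [ -n "$1" ]; then cat -- "$1"; else printf '%s\n' "$SAMPLE_AUTH_LOG"; fi |
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i+1)]++; break }
         }
         END { for (ip in count) print count[ip], ip }' |
    sort -rn
}

# brute_force_sources THRESHOLD [FILE]
# Prints only the sources with at least THRESHOLD failures and returns 1
# when there is at least one, so it can drive an alert or a cron job.
brute_force_sources() {
    threshold=$1
    hits=$(failed_logins_by_source "$2" | awk -v t="$threshold" '$1 >= t { print $2 }')
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Live host: brute_force_sources 5 /var/log/auth.log
failed_logins_by_source
brute_force_sources 3 || echo "(sources above threshold found)"
```

On the sample, 203.0.113.7 is reported with four failures and 198.51.100.20 with one; at a threshold of 3 only the first is flagged. On a busy server the same pipeline is usually run on a rotated file or with tail -n, and the thresholds tuned to the host's normal failure rate.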
Common file systems
Linux supports a variety of file systems, each with its own features and use cases. Below is a table of common Linux file systems and their characteristics:
File system | Description
ext2 | An older version of the ext file system, ext2 is a non-journaling file system that was popular before ext3 and ext4. It is still used in some situations where journaling is not necessary.
ext3 | An extension of ext2 with journaling support, providing increased reliability and recovery in case of system crashes. It was widely used before ext4 became more popular.
ext4 | The most widely used file system in Linux, offering high performance, reliability, and support for large volumes. It's an evolution of the ext3 file system.
BTRFS | A modern copy-on-write file system designed for scalability and data integrity, providing features like snapshots, compression, and built-in RAID functionality.
XFS | A high-performance file system known for handling large files and high-capacity storage. Often used in enterprise environments.
NFS | Network File System, a protocol that allows files to be shared between Linux systems over a network. NFS is commonly used in distributed systems.
NTFS | The file system used by Windows. Linux can read and write to NTFS partitions using the ntfs-3g driver.
exFAT | A file system optimized for flash drives and external drives, offering compatibility between Windows and Linux systems for removable media.
FAT32 | An older file system used primarily for removable storage like USB drives and SD cards. It has a 4GB file size limit and lacks advanced features like journaling.
ZFS | A high-performance file system developed by Sun Microsystems, known for its advanced features like data integrity, snapshots, and pooling of storage devices.
ReiserFS | A journaling file system designed for small files, offering high performance and space efficiency. It is less commonly used today but has historically been popular in some distributions.
CDFS | Compact Disc File System, used to access the contents of CD and DVD media. Linux supports CDFS for reading and writing to optical discs.
APFS | Apple File System, primarily used by macOS devices. Linux supports APFS through third-party tools for read-only access.
MBS | Multilevel Block Storage, used primarily for enterprise storage systems to manage large amounts of data with hierarchical and distributed storage blocks.
Hard links
A hard link in Linux refers to an inode, which is the data structure that stores metadata and pointers to the actual data blocks of a file. Hard links enable multiple directory entries to refer to the same inode. Essentially, a hard link is another name or alias for an existing file.
Characteristics of hard links
- Indistinguishable from the original file: Hard links and the original file are treated equally by the system. There’s no "original" or "copy" in the case of hard links.
- Independent deletion: Deleting one hard link does not affect the others. The file's data is only removed from the disk when the last hard link pointing to the inode is deleted.
- Shared inode number: Files created as hard links to each other share the same inode number, as they refer to the same inode and, consequently, the same data blocks on the disk.
- File system limitations: Hard links cannot span across different file systems because the inode reference is unique to each file system.
- Directory restrictions: Hard links cannot be created for directories (except for . and .., which are system-generated hard links).
Hard links provide an efficient way to create multiple references to the same file without duplicating the file's content, which saves disk space.
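The properties listed above can be verified in a few lines of POSIX shell. The following is an added example (not from the original text) that creates a file and a hard link to it in a temporary directory, then checks the shared inode number, the link count reported by ls -l, write-through visibility, and survival of the data after one name is removed.

```shell
#!/bin/sh
# Added example: observe hard-link behaviour with ls, ln and rm only.

# inode_of FILE: first column of ls -i is the inode number
inode_of() { ls -i "$1" | awk '{ print $1 }'; }

# link_count_of FILE: second column of ls -l is the number of hard links
link_count_of() { ls -l "$1" | awk '{ print $2 }'; }

# hardlink_demo: prints "ok" and returns 0 if every documented property holds.
hardlink_demo() {
    dir=$(mktemp -d) || return 1
    printf 'original content\n' > "$dir/a.txt"
    ln "$dir/a.txt" "$dir/b.txt"          # second directory entry, same inode

    # 1. both names share one inode number, hence the same data blocks
    [ "$(inode_of "$dir/a.txt")" = "$(inode_of "$dir/b.txt")" ] || { rm -rf "$dir"; return 1; }
    # 2. the inode's link count is now 2
    [ "$(link_count_of "$dir/a.txt")" = "2" ] || { rm -rf "$dir"; return 1; }
    # 3. a write through one name is immediately visible through the other
    printf 'appended\n' >> "$dir/b.txt"
    [ "$(tail -n 1 "$dir/a.txt")" = "appended" ] || { rm -rf "$dir"; return 1; }
    # 4. removing one name only decrements the count; the data stays
    rm "$dir/a.txt"
    [ "$(link_count_of "$dir/b.txt")" = "1" ] || { rm -rf "$dir"; return 1; }
    [ "$(head -n 1 "$dir/b.txt")" = "original content" ] || { rm -rf "$dir"; return 1; }

    rm -rf "$dir"
    echo ok
}

hardlink_demo
```

Because a hard link is just another name for the inode, a second link to a sensitive file (for example under a user's home) keeps the content alive after the "original" is deleted; find -links +1 lists files with more than one name, which is worth knowing when cleaning up or investigating a host.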
Staying up-to-date
Regular updates are essential for ensuring security, performance, and stability. Below is a table of commonly used commands to keep an Ubuntu system up-to-date:
Command | Purpose
sudo apt update | Fetching the list of available updates from the repositories. It updates the local package database.
sudo apt upgrade | Upgrading all installed packages to the latest available versions based on the information from apt update.
sudo apt dist-upgrade | Performing an upgrade of the system, including changing dependencies between packages, removing obsolete packages, and installing new ones if needed.
sudo apt full-upgrade | Similar to apt dist-upgrade, but also removes any packages that are no longer needed.
sudo apt remove | Removing an installed package from the system while keeping its configuration files.
sudo apt autoremove | Removing unnecessary packages that were automatically installed to satisfy dependencies for other packages and are no longer needed.
sudo apt clean | Clearing out the local repository of downloaded package files, freeing up space on your system.
sudo do-release-upgrade | Upgrading the Ubuntu system to the next release. This command should be used to upgrade between different Ubuntu versions.
sudo snap refresh | Updating all installed snap packages to their latest versions.
sudo apt list --upgradable | Listing all installed packages that have updates available.
sudo apt-get update && sudo apt-get upgrade | A combined command that updates the package list and then upgrades all packages in a single step.
Processes
In Linux, processes are instances of running programs. Each process is assigned a unique Process ID (PID) and is managed by the kernel. When a program is executed, a new process is created, often through a mechanism called forking, where the current process creates a copy of itself.
Several commands help manage and monitor processes in Linux:
Command | Purpose
ps | Displaying a snapshot of the currently running processes, including the PID, terminal, and resource usage. It's commonly used with options like aux to see all running processes.
top | Showing real-time information about system processes, including CPU and memory usage. It's often used to monitor resource-hogging processes.
kill | Terminating processes by sending signals. The most common signal is SIGKILL (usually sent with the PID) to forcefully stop a process.
killall | Terminating all processes with a specific name. For example, killall firefox would stop all Firefox processes.
htop | An interactive process viewer, similar to top, but with a more user-friendly interface and additional features like sorting by resource usage.
nohup | Running a command in the background, even after the user has logged out. It prevents the process from being terminated when the session ends.
| (pipe) | The pipe operator allows you to send the output of one command as the input to another. For example, ps aux | grep firefox will filter the list of processes to show only those related to Firefox.
Forks
Forking is a key concept in Linux, where a running process creates a new process by duplicating itself. The new process is called the child process, and it gets its own unique Process ID (PID). This is typically used in multitasking systems, where the operating system enables the concurrent execution of multiple processes. Forking allows a parent process to create child processes, which can run independently or cooperate with the parent.
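Forking, PIDs and signals can all be observed from the shell itself, since every command a shell runs is a forked child. The following is an added example (not from the original text) in POSIX sh: it compares the shell's own PID ($$) with that of a child shell, starts a background child with &, records its PID from $!, sends it SIGTERM with kill, and reads the wait status, which is 128 plus the signal number when a child is terminated by a signal.

```shell
#!/bin/sh
# Added example: fork, background jobs and signals from the shell.

# parent_pid: the PID of this shell
parent_pid() { echo "$$"; }

# child_pid: the PID of a fresh child shell; the shell forks a copy of
# itself, and the copy then runs sh, so $$ inside it is a new PID
child_pid() { sh -c 'echo $$'; }

# terminated_status: start a background child, terminate it with SIGTERM
# and return its wait status (128 + 15 = 143 for SIGTERM).
terminated_status() {
    sleep 30 &                      # fork: child inherits environment and fds
    kill -TERM "$!"                 # $! is the PID of the last background job
    status=0
    wait "$!" || status=$?          # collect the child's exit status
    echo "$status"
}

# fork_demo: show the parent/child relationship end to end
fork_demo() {
    sleep 30 &
    child=$!
    echo "parent=$$ child=$child"
    kill -TERM "$child"             # SIGTERM asks politely; SIGKILL cannot be caught
    status=0
    wait "$child" || status=$?
    echo "child exit status: $status"
}

fork_demo
```

Prefer SIGTERM (the default for kill) over SIGKILL when you can: a process that receives SIGTERM gets the chance to flush files and clean up, whereas SIGKILL ends it immediately. The wait status above 128 is also how scripts and supervisors distinguish "exited with an error" from "was killed by a signal".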