# Active Connection Defense

## Overview
Monitoring and managing active network connections is critical during competitions. This guide covers tools for identifying who's connected to your system and how to terminate malicious connections.

## Core Monitoring Tools

### netstat - Network Statistics

**Most useful form**:
```bash
sudo netstat -tunap
```

**Breakdown**:
- `-t` = TCP connections
- `-u` = UDP connections
- `-n` = Show numeric ports (22 instead of "ssh")
- `-a` = Show listening and established connections
- `-p` = Show process IDs (requires sudo)

**Output columns**:
```
Proto Local Address Foreign Address State PID/Program
tcp 192.168.195.100:22 192.168.195.2:51736 ESTABLISHED 265408/sshd
```

**Common filters**:
```bash
netstat -tunap | grep ESTABLISHED   # Only active connections
netstat -tunap | grep ':22 '        # Only SSH connections (trailing space so :2222 etc. don't match)
netstat -tunap | less               # Scroll through output
```
34
### ss - Socket Statistics

Modern replacement for netstat. Similar syntax:

```bash
ss                # Basic output (lots of info)
ss | grep ESTAB   # Only established connections
ss -tunap         # Same flags as netstat
```

**Advantage**: `ss` (part of iproute2) is installed by default on modern systems, where `netstat` often is not.

### w - Who is logged in

```bash
w
```

**Shows**:
- Username
- From where (IP address or `:0` for local console)
- Login time
- What they're doing

**Example output**:
```
USER FROM WHAT
sandbox :0 -bash
bob 192.168.195.2 -bash
jenny 192.168.195.2 -bash
```

**Key indicator**:
- `:0` = Local console (physically at the machine)
- IP address = Remote connection (SSH, etc.)

## Finding Process Information

### top - Interactive Process Viewer

```bash
top
```

- Shows CPU/memory usage
- Lists running processes
- Press `q` to quit

### htop - Enhanced Process Viewer

```bash
htop   # If installed (not always available)
```

More colorful and interactive than `top`.

### ps - Process Status

```bash
ps aux              # All processes, all users
ps aux | grep ssh   # Find SSH processes
```

## Killing Connections

### Kill by Process ID (PID)

1. **Find the PID**:
```bash
sudo netstat -tunap
# Example output shows PID 265465 for jenny's SSH connection
```

2. **Kill the process**:
```bash
sudo kill 265465
```

**From the user's perspective**: the connection closes immediately:
```
Connection to 192.168.195.100 closed by remote host.
```

### Kill by Username (pkill)

```bash
sudo pkill -kill -u jenny   # Kill all processes for user jenny
sudo pkill -kill -u bob     # Kill all processes for user bob
```

**Warning**: This kills ALL processes for that user, including:
- Active SSH sessions
- Running programs
- Background jobs

### Kill Signal Types

```bash
sudo kill PID              # SIGTERM (graceful shutdown, default)
sudo kill -9 PID           # SIGKILL (force kill immediately)
sudo pkill -kill -u user   # -kill = SIGKILL
```

## Competition Workflow

### Active Defense Pattern

1. **Someone monitors connections**:
```bash
# Run periodically or in a loop
sudo netstat -tunap
```

2. **Identify suspicious connections**:
- Unknown IP addresses
- Unexpected users logged in
- Unusual ports

3. **Kill immediately**:
```bash
sudo pkill -kill -u <suspicious_user>
# or
sudo kill <PID>
```

4. **Someone else hardens the system**:
- Change passwords
- Disable accounts
- Configure firewall
- Close unnecessary services

### Example Monitoring Script

```bash
#!/bin/bash
# Quick connection checker: redraw the list of established SSH sessions every 5 seconds
while true; do
    clear
    echo "=== Active SSH Connections ==="
    sudo netstat -tunap | grep ':22 ' | grep ESTABLISHED
    sleep 5
done
```

## Common Scenarios

### Scenario 1: Unknown SSH Connection

```bash
# See who's connected
w

# Find their process ID
sudo netstat -tunap | grep ESTABLISHED

# Kill by PID
sudo kill 265465
```

### Scenario 2: Brute Force Attempts

```bash
# See all connection attempts
sudo netstat -tunap | grep ':22 '

# Check auth logs
sudo tail -f /var/log/auth.log

# Block the source IP with firewall
sudo ufw deny from <attacker_ip>
```
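Scenario 2 has you read `auth.log` by eye. The script below is an added example, not code from the original guide: it counts failed SSH password attempts per source address from auth.log-style lines and reports only sources over a threshold, so the decision to block rests on a count rather than a glance at `tail -f`. The log lines are constructed samples, and the function names and threshold are my own. One caveat on the `ufw deny from <attacker_ip>` step: ufw evaluates rules in order, so a deny appended after an existing `allow 22` rule never matches; `sudo ufw insert 1 deny from <attacker_ip>` places it first.

```shell
#!/bin/bash
# Added example (not from the original guide): count failed SSH logins per
# source IP and list sources at or above a threshold. Log lines below are a
# constructed sample; live input is /var/log/auth.log (Debian/Ubuntu) or
# /var/log/secure (CentOS/RHEL).

# Constructed sample: three failures from one host, one from a teammate's
# host, and an accepted login that must not be counted.
SAMPLE_AUTH_LOG='Mar  3 10:01:12 web01 sshd[4121]: Failed password for invalid user admin from 203.0.113.45 port 51822 ssh2
Mar  3 10:01:15 web01 sshd[4123]: Failed password for root from 203.0.113.45 port 51830 ssh2
Mar  3 10:01:19 web01 sshd[4125]: Failed password for jenny from 203.0.113.45 port 51841 ssh2
Mar  3 10:02:02 web01 sshd[4130]: Failed password for bob from 192.168.195.2 port 40112 ssh2
Mar  3 10:02:40 web01 sshd[4133]: Accepted password for bob from 192.168.195.2 port 40118 ssh2'

# failed_by_ip: read log lines on stdin, print "<count> <ip>" per source,
# most failures first. Only sshd "Failed password" lines are counted.
failed_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# brute_force_sources THRESHOLD: print only the IPs with at least
# THRESHOLD failures, one per line, ready to feed to a firewall rule.
brute_force_sources() {
    failed_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Stand-alone run against the constructed sample with a threshold of 3.
printf '%s\n' "$SAMPLE_AUTH_LOG" | brute_force_sources 3
# Live use: sudo brute_force_sources 3 < /var/log/auth.log
```

The threshold keeps a teammate who mistyped a password once off the list; on a live box, review the output before adding a firewall rule for each address.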

### Scenario 3: Multiple Sessions from Same User

```bash
# Kill all sessions for a user
sudo pkill -kill -u jenny

# Disable the account
sudo passwd -l jenny               # Lock password
sudo usermod -s /bin/false jenny   # Disable shell
```

## Warnings and Gotchas

### Don't Kill Yourself

```bash
# BAD - if you're logged in as sandbox:
sudo pkill -kill -u sandbox
# This kills YOUR session too!
```

**Better approach**: Kill by specific PID if you're using the same username.

### Don't Kill Teammates

- Check with team before killing connections
- Look at FROM addresses to identify internal vs external
- Local (`:0`) connections are usually teammates at the console

### Shared Accounts

If red team is using the same account as you:
- Kill by PID (specific to their connection)
- Don't kill by username (you'll disconnect yourself)
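Workflow step 2 ("identify suspicious connections") and the two warnings above come down to one question: which established sessions belong to a peer the team does not recognise, and which one is mine? The block below is an added example, not code from the original guide. It parses `netstat -tunap`-style rows (a constructed sample here, including the Recv-Q/Send-Q columns real netstat prints), keeps established sessions to local port 22, drops peers on a team allowlist, and then drops the operator's own session before printing candidate PIDs. The sample addresses, the allowlist, the function names and the hard-coded "own peer" argument are assumptions; on a live box you pipe `sudo netstat -tunap` in and pass the first field of `$SSH_CONNECTION` as your own peer. It only prints candidates; the `sudo kill <PID>` stays a deliberate step by a person.

```shell
#!/bin/bash
# Added example (not from the original guide): list PIDs of established sshd
# sessions whose peer is not on the team allowlist, minus the operator's own
# session. Sample rows, addresses and names below are constructed.

# Constructed sample of `sudo netstat -tunap` rows (header lines omitted).
# Columns: Proto Recv-Q Send-Q Local Foreign State PID/Program
SAMPLE_NETSTAT='tcp   0  0 0.0.0.0:22           0.0.0.0:*            LISTEN      1021/sshd: /usr/sbin
tcp   0  0 192.168.195.100:22   192.168.195.2:51736  ESTABLISHED 265408/sshd: sandbox
tcp   0  0 192.168.195.100:22   192.168.195.7:40201  ESTABLISHED 265465/sshd: jenny
tcp   0  0 192.168.195.100:22   203.0.113.45:55010   ESTABLISHED 265490/sshd: sandbox
udp   0  0 0.0.0.0:68           0.0.0.0:*                        812/dhclient'

# established_ssh: from netstat rows on stdin, print "<pid> <peer_ip>" for
# every ESTABLISHED IPv4 TCP session on local port 22. tcp6 rows are skipped
# on purpose: splitting an IPv6 address on ":" would give the wrong field.
established_ssh() {
    awk '$1 == "tcp" && $6 == "ESTABLISHED" && $4 ~ /:22$/ {
             split($5, peer, ":"); split($7, prog, "/")
             print prog[1], peer[1]
         }'
}

# unknown_peers "ip ip ...": drop rows whose peer is on the space-separated
# team allowlist (teammates' workstations, the scoring engine, and so on).
unknown_peers() {
    awk -v list="$1" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($2 in ok) { print $1, $2 }'
}

# not_me OWN_PEER_IP: drop the operator's own session so the PIDs printed can
# never be your own connection, even when the allowlist is incomplete.
not_me() {
    awk -v me="$1" '$2 != me { print $1, $2 }'
}

# candidate_pids ALLOWLIST OWN_PEER_IP: the whole pipeline over stdin.
candidate_pids() {
    established_ssh | unknown_peers "$1" | not_me "$2"
}

# Stand-alone run: only jenny's host is allowlisted and the operator is the
# sandbox session from 192.168.195.2, so the single candidate is the second
# sandbox session coming from 203.0.113.45 (same account, different peer).
printf '%s\n' "$SAMPLE_NETSTAT" | candidate_pids "192.168.195.7" "192.168.195.2"
# Live use: sudo netstat -tunap | candidate_pids "$TEAM_ALLOWLIST" "${SSH_CONNECTION%% *}"
```

Because the output is keyed by PID rather than username, the shared-account case is handled the same way as any other: the red team session on `sandbox` is listed, your own `sandbox` session is not.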

## Process Information Fields

**Understanding PID in netstat**:
```bash
sudo netstat -tunap
```

Output:
```
PID/Program name
265408/sshd: sandbox
265465/sshd: jenny
```

- PID: Process ID (unique number)
- Program: Which service (sshd, apache2, etc.)
- User context: Which user owns the process

## Monitoring vs. Hardening

**Active monitoring** (short-term):
- Running netstat/ss repeatedly
- Killing suspicious connections as they appear
- Playing "whack-a-mole"

**Hardening** (long-term):
- Change passwords
- Disable unused accounts
- Configure firewall rules
- Close unnecessary services
- Update vulnerable software

**Best practice**: Use monitoring to buy time while someone else hardens the system. You can't watch connections for 6 hours straight.

## Tool Availability

| Tool | Typical Availability |
|------|---------------------|
| netstat | Most systems (may need `net-tools` package) |
| ss | Modern systems (usually pre-installed) |
| w | All Unix/Linux systems |
| top | All Unix/Linux systems |
| htop | Optional (install with apt/yum) |
| ps | All Unix/Linux systems |

**If netstat is missing**:
```bash
sudo apt install net-tools   # Debian/Ubuntu
sudo yum install net-tools   # CentOS/RHEL
```

Or just use `ss` instead.