LSAT output page
default init level is not set to 5. Good.
Consider placing: auth.* /var/log/secure
in your /etc/syslog.conf file.
Consider placing: authpriv.* /var/log/secure
in your /etc/syslog.conf file.
The last 100 (or less) failed login attempts on the system
Login       Failures Maximum Latest                    On
root        0        0       12/31/69 18:00:00 -0600
daemon      0        0       12/31/69 18:00:00 -0600
bin         0        0       12/31/69 18:00:00 -0600
sys         0        0       12/31/69 18:00:00 -0600
sync        0        0       12/31/69 18:00:00 -0600
games       0        0       12/31/69 18:00:00 -0600
man         0        0       12/31/69 18:00:00 -0600
lp          0        0       12/31/69 18:00:00 -0600
mail        0        0       12/31/69 18:00:00 -0600
news        0        0       12/31/69 18:00:00 -0600
uucp        0        0       12/31/69 18:00:00 -0600
proxy       0        0       12/31/69 18:00:00 -0600
www-data    0        0       12/31/69 18:00:00 -0600
gnats       0        0       12/31/69 18:00:00 -0600
nobody      0        0       12/31/69 18:00:00 -0600
libuuid     0        0       12/31/69 18:00:00 -0600
syslog      0        0       12/31/69 18:00:00 -0600
messagebus  0        0       12/31/69 18:00:00 -0600
whoopsie    0        0       12/31/69 18:00:00 -0600
postfix     0        0       12/31/69 18:00:00 -0600
landscape   0        0       12/31/69 18:00:00 -0600
sshd        0        0       12/31/69 18:00:00 -0600
ntp         0        0       12/31/69 18:00:00 -0600
This is a list of .exrc files found
This is a list of .forward files found on the system:
This is a list of .rhosts files found on the system:
This is a list of .netrc files found on the system
This is a list of dotfiles found on the system
Please consider removing these system accounts.
Check to see if you need them for your system applications before removing.
Also, consult the securitylinks.txt file for more information.
sync
man
lp
news
uucp
The following accounts are UID 0 in /etc/passwd. Only root should be UID 0.
Remove if needed.
Remove the following entries (if any) from the
respective passwd/group file(s)
The following accounts have no/empty passwords
Output of pwck, note non existent directories, etc
user 'lp': directory '/var/spool/lpd' does not exist
user 'news': directory '/var/spool/news' does not exist
user 'uucp': directory '/var/spool/uucp' does not exist
user 'nobody': directory '/nonexistent' does not exist
user 'whoopsie': directory '/nonexistent' does not exist
user 'ntp': directory '/home/ntp' does not exist
Output of grpck, note groups it thinks should be deleted.
Checking default umask on system:
Default umask should be 022, 027 or 077. 002 is ok for RedHat.
Here are the filenames, and the umask number
found in each. Please read through the file and ensure that is what you want.
****************************************
While checking ftpusers...
/etc/ftpusers does not exist or is not readable.
This is ok if you are not root, not
running ftp or your ftp daemon
does not use /etc/ftpusers.
Please triple check your configuration
and ensure you do not need /etc/ftpusers.
*****************************************
Checking rc startup scripts:
These services were found in /etc/rc.d/init.d
Consider removing or disabling unneeded services.
****************************************
Default limits hashed out in limits.conf.
Check /etc/security/limits.conf for the default entry.
Make sure to set hard and soft limits for default "*",
or for individual users.
Output from ulimit, check to see if these are reasonable limits.
Resource limits can help prevent DOS attacks,
read up on them if you need to.
time(seconds)         unlimited
file(blocks)          unlimited
data(kbytes)          unlimited
stack(kbytes)         8192
coredump(blocks)      0
memory(kbytes)        unlimited
locked memory(kbytes) 64
process               47616
nofiles               1024
vmemory(kbytes)       unlimited
locks                 unlimited
sshd config file entries
Make sure these are commented out.
Protocol 2 not found in sshd config, or you are doing 1,2.
Change to protocol 2 only.
This is the lsof output, diff this against a previous run.
COMMAND PID   USER     FD  TYPE DEVICE  SIZE/OFF NODE NAME
ntpd    1300  ntp      16u IPv4 9529    0t0      UDP  *:ntp
ntpd    1300  ntp      17u IPv6 9530    0t0      UDP  *:ntp
ntpd    1300  ntp      18u IPv4 9536    0t0      UDP  localhost.localdomain:ntp
apache2 8662  www-data 3u  IPv4 4202205 0t0      TCP  *:http (LISTEN)
apache2 8662  www-data 4u  IPv4 4202208 0t0      TCP  *:https (LISTEN)
sshd    11033 root     3r  IPv4 4202184 0t0      TCP  *:22 (LISTEN)
sshd    11033 root     4u  IPv6 4202186 0t0      TCP  *:22 (LISTEN)
/etc/issue exists. Make sure it does not have any
system specific information in it.
/etc/issue.net exists. Make sure it does not have any
system specific information in it.
/etc/motd exists. Make sure it does not have any
system specific information in it.
/etc/banners dir not found.
Check securitylinks.txt for more info.
No ExecCGIs found. Good.
These are the kernel modules that are loaded on the system
as given by the output of modprobe -c -l
Check to see if they are really needed.
kernel/arch/x86/kernel/cpu/mcheck/mce-xeon75xx.ko
kernel/arch/x86/kernel/cpu/mcheck/mce-inject.ko
kernel/arch/x86/kernel/msr.ko
kernel/arch/x86/kernel/cpuid.ko
kernel/arch/x86/kernel/microcode.ko
kernel/arch/x86/crypto/aes-x86_64.ko
kernel/arch/x86/crypto/blowfish-x86_64.ko
kernel/arch/x86/crypto/twofish-x86_64.ko
kernel/arch/x86/crypto/twofish-x86_64-3way.ko
kernel/arch/x86/crypto/salsa20-x86_64.ko
kernel/arch/x86/crypto/aesni-intel.ko
kernel/arch/x86/crypto/ghash-clmulni-intel.ko
kernel/arch/x86/crypto/sha1-ssse3.ko
kernel/arch/x86/kvm/kvm.ko
kernel/arch/x86/kvm/kvm-intel.ko
kernel/arch/x86/kvm/kvm-amd.ko
kernel/fs/nfs_common/nfs_acl.ko
kernel/fs/quota/quota_v1.ko
kernel/fs/quota/quota_v2.ko
kernel/fs/quota/quota_tree.ko
kernel/drivers/pci/hotplug/cpcihp_zt5550.ko
kernel/drivers/pci/hotplug/cpcihp_generic.ko
kernel/drivers/pci/hotplug/shpchp.ko
kernel/drivers/pci/hotplug/acpiphp.ko
kernel/drivers/pci/hotplug/acpiphp_ibm.ko
kernel/drivers/pci/hotplug/fakephp.ko
kernel/drivers/pci/pci-stub.ko
-- deleted for brevity --
/etc/securetty has tty's over 6.
Consider disabling all ttys over tty6 (console).
/etc/securetty has ttys other than the console.
Consider removing any lines in /etc/securetty other than tty[1-6].
This is a list of files in /etc/init.d whose permissions are not set to 700.
We recommend that you change the permissions of these files to 700.
/etc/init.d/apache2
/etc/init.d/bootlogd
/etc/init.d/skeleton
/etc/init.d/README
/etc/init.d/ntp
/etc/init.d/killprocs
/etc/init.d/reboot
/etc/init.d/umountfs
/etc/init.d/rc
/etc/init.d/single
/etc/init.d/halt
/etc/init.d/umountnfs.sh
Check these ports in /etc/services to see what they are.
Close all ports you do not need.
Ports listening on this system:
Protocol Port
tcp 22
tcp 80
tcp 25
tcp 443
Output from nmap run on local IP(s)
Check these services to see if they are critical.
Disable services you do not need.
Starting Nmap 5.21 ( http://nmap.org ) at 2014-04-26 20:52 CDT
Initiating Parallel DNS resolution of 1 host. at 20:52
Completed Parallel DNS resolution of 1 host. at 20:52, 0.04s elapsed
Initiating SYN Stealth Scan at 20:52
Scanning 192.168.169.69 [1000 ports]
Discovered open port 25/tcp on 192.168.169.69
Discovered open port 80/tcp on 192.168.169.69
Discovered open port 22/tcp on 192.168.169.69
Completed SYN Stealth Scan at 20:52, 0.01s elapsed (1000 total ports)
Nmap scan report for 192.168.169.69
Host is up (0.0000040s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
443/tcp open https
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
Raw packets sent: 1000 (44.000KB) | Rcvd: 2007 (84.308KB)
Output from arp -a.
If you have arp poisoning, it should show up here.
? (192.168.169.1) at FF:FF:FF:FF:FF:FF [ether] on eth0
Output from netstat -i showing Kernel interface statistics
Kernel Interface table
Iface MTU   Met RX-OK   RX-ERR RX-DRP RX-OVR TX-OK   TX-ERR TX-DRP TX-OVR Flg
eth0  1500  0   7643542 0      71186  0      4631577 0      0      0      BMRU
lo    16436 0   203149  0      0      0      203149  0      0      0      LRU
Output from netstat -rn showing current routing
Kernel IP routing table
Destination   Gateway       Genmask       Flags MSS Window irtt Iface
0.0.0.0       192.168.169.1 0.0.0.0       UG    0   0      0    eth0
192.168.169.0 0.0.0.0       255.255.255.0 U     0   0      0    eth0
These network interfaces found to be in promisc mode using /sbin/ip.
Password keyword is not in grub configuration file, please check.
/proc/sys/net/ipv4/icmp_echo_ignore_all exists, but is off.
Consider placing a one in it to turn on.
You ignore all ICMP Echo broadcasts, good.
You are denying source routed packets. Good.
/proc/sys/net/ipv4/conf/all/accept_redirects exists, but it's off.
You are ignoring bad err msgs in ipv4. Good.
Logging of spoofed, etc packets is off.
Consider turning on.
X seems to be listening for tcp connections.
Consider turning this off with
-nolisten tcp in your X startup file.
readlink is not installed on this system,
or it is not in the path,
or I just can not find it.
checklistening was not run.
This is a list of mount points currently mounted.
Make sure the permissions are reasonable (rw, ro, etc).
/dev/sda1 on / type ext4 (rw,errors=remount-ro)
proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
none on /sys/fs/fuse/connections type fusectl (rw)
none on /sys/kernel/debug type debugfs (rw)
none on /sys/kernel/security type securityfs (rw)
udev on /dev type devtmpfs (rw,mode=0755)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=0620)
tmpfs on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755)
none on /run/lock type tmpfs (rw,noexec,nosuid,nodev,size=5242880)
none on /run/shm type tmpfs (rw,nosuid,nodev)
This is a list of disk utilizations on the system, in kilobytes.
Check to see that filesystems are not near capacity, etc.
Filesystem 1K-blocks Used     Available Use% Mounted on
/dev/sda1  477999656 79109628 374964320 18%  /
udev       3047456   4        3047452   1%   /dev
tmpfs      1222496   300      1222196   1%   /run
none       5120      0        5120      0%   /run/lock
none       3056236   0        3056236   0%   /run/shm
Checking services that start at boot.
object path "/com/ubuntu/Upstart/jobs/mountall_2dnet"
object path "/com/ubuntu/Upstart/jobs/rc"
object path "/com/ubuntu/Upstart/jobs/rsyslog"
object path "/com/ubuntu/Upstart/jobs/screen_2dcleanup"
object path "/com/ubuntu/Upstart/jobs/tty4"
object path "/com/ubuntu/Upstart/jobs/udev"
object path "/com/ubuntu/Upstart/jobs/upstart_2dudev_2dbridge"
object path "/com/ubuntu/Upstart/jobs/ureadahead_2dother"
object path "/com/ubuntu/Upstart/jobs/whoopsie"
object path "/com/ubuntu/Upstart/jobs/passwd"
object path "/com/ubuntu/Upstart/jobs/console_2dsetup"
object path "/com/ubuntu/Upstart/jobs/hwclock_2dsave"
object path "/com/ubuntu/Upstart/jobs/irqbalance"
object path "/com/ubuntu/Upstart/jobs/plymouth_2dlog"
object path "/com/ubuntu/Upstart/jobs/rpcbind_2dboot"
object path "/com/ubuntu/Upstart/jobs/tty5"
object path "/com/ubuntu/Upstart/jobs/apport"
object path "/com/ubuntu/Upstart/jobs/failsafe"
object path "/com/ubuntu/Upstart/jobs/atd"
object path "/com/ubuntu/Upstart/jobs/dbus"
object path "/com/ubuntu/Upstart/jobs/mounted_2dvar"
object path "/com/ubuntu/Upstart/jobs/plymouth"
object path "/com/ubuntu/Upstart/jobs/portmap"
object path "/com/ubuntu/Upstart/jobs/resolvconf"
object path "/com/ubuntu/Upstart/jobs/ssh"
object path "/com/ubuntu/Upstart/jobs/udev_2dfallback_2dgraphics"
object path "/com/ubuntu/Upstart/jobs/control_2dalt_2ddelete"
object path "/com/ubuntu/Upstart/jobs/hwclock"
object path "/com/ubuntu/Upstart/jobs/mounted_2dproc"
object path "/com/ubuntu/Upstart/jobs/module_2dinit_2dtools"
object path "/com/ubuntu/Upstart/jobs/setvtrgb"
object path "/com/ubuntu/Upstart/jobs/shutdown"
object path "/com/ubuntu/Upstart/jobs/cron"
object path "/com/ubuntu/Upstart/jobs/mountall"
object path "/com/ubuntu/Upstart/jobs/mounted_2ddebugfs"
object path "/com/ubuntu/Upstart/jobs/console"
object path "/com/ubuntu/Upstart/jobs/mounted_2drun"
object path "/com/ubuntu/Upstart/jobs/acpid"
object path "/com/ubuntu/Upstart/jobs/plymouth_2dstop"
object path "/com/ubuntu/Upstart/jobs/rcS"
object path "/com/ubuntu/Upstart/jobs/ufw"
object path "/com/ubuntu/Upstart/jobs/wait_2dfor_2dstate"
object path "/com/ubuntu/Upstart/jobs/flush_2dearly_2djob_2dlog"
object path "/com/ubuntu/Upstart/jobs/friendly_2drecovery"
object path "/com/ubuntu/Upstart/jobs/rc_2dsysinit"
object path "/com/ubuntu/Upstart/jobs/upstart_2dsocket_2dbridge"
object path "/com/ubuntu/Upstart/jobs/tty2"
object path "/com/ubuntu/Upstart/jobs/udevtrigger"
object path "/com/ubuntu/Upstart/jobs/container_2ddetect"
object path "/com/ubuntu/Upstart/jobs/mounted_2ddev"
object path "/com/ubuntu/Upstart/jobs/tty3"
object path "/com/ubuntu/Upstart/jobs/udev_2dfinish"
object path "/com/ubuntu/Upstart/jobs/dovecot"
object path "/com/ubuntu/Upstart/jobs/hostname"
object path "/com/ubuntu/Upstart/jobs/mountall_2dreboot"
object path "/com/ubuntu/Upstart/jobs/mysql"
object path "/com/ubuntu/Upstart/jobs/mountall_2dshell"
object path "/com/ubuntu/Upstart/jobs/mounted_2dtmp"
object path "/com/ubuntu/Upstart/jobs/network_2dinterface"
object path "/com/ubuntu/Upstart/jobs/plymouth_2dsplash"
object path "/com/ubuntu/Upstart/jobs/plymouth_2dupstart_2dbridge"
object path "/com/ubuntu/Upstart/jobs/tty1"
object path "/com/ubuntu/Upstart/jobs/udevmonitor"
object path "/com/ubuntu/Upstart/jobs/plymouth_2dready"
object path "/com/ubuntu/Upstart/jobs/portmap_2dwait"
object path "/com/ubuntu/Upstart/jobs/dmesg"
object path "/com/ubuntu/Upstart/jobs/network_2dinterface_2dsecurity"
object path "/com/ubuntu/Upstart/jobs/networking"
object path "/com/ubuntu/Upstart/jobs/procps"
object path "/com/ubuntu/Upstart/jobs/tty6"
object path "/com/ubuntu/Upstart/jobs/network_2dinterface_2dcontainer"
object path "/com/ubuntu/Upstart/jobs/ureadahead"