Linux Threat Mitigation and Incident Remediation (Hardened Edition)

This skill provides a structured, forensically-aware framework for analyzing and securing a Linux host during or after a security event.

It emphasizes:

• Non-destructive evidence collection
• Accurate threat detection
• Firewall-aware containment
• Integrity verification
• Controlled, reversible remediation
• Distribution-aware command usage

Environment Context

Supported Systems

• Debian / Ubuntu
• RHEL / CentOS / Rocky / Alma
• Fedora
• Arch Linux (limited package guidance)

Execution Assumptions

• Shell: bash or POSIX sh
• Privilege: Root or sudo
• Host-level access (NOT container-restricted environments)
• systemd-based systems preferred

⚠️ If running inside Docker, Kubernetes, LXC, or other containers, firewall, audit, and service commands may not reflect the host system.

Firewall Architecture Awareness

Modern Linux systems may use:

• iptables-legacy
• iptables-nft (compatibility wrapper)
• Native nftables
• firewalld (RHEL-family default)

Identify Firewall Backend

iptables --version
which nft
systemctl status firewalld

If nftables is active:

nft list ruleset

Do NOT assume iptables -L represents the full firewall state.

Logging Differences by Distribution

journalctl -xe

Operational Toolkit (Hardened)

1. Network Inspection

Listening Services

ss -tulpn

Active Connections

ss -antp | grep ESTABLISHED

Firewall State

#### iptables

iptables -L -n -v --line-numbers
iptables -S

#### nftables

nft list ruleset

Local Service Enumeration (Low Noise)

ss -lntup

Avoid unnecessary full scans of localhost unless required.

Conservative Network Scan

nmap -sV -T3 -p- localhost

Packet Capture (Short Snapshot)

tcpdump -i any -nn -c 100

2. Process & Runtime Analysis

Process Tree

ps auxww --forest

High CPU / Memory

top

Open File Handles

lsof -p <PID>

System Call Trace (Caution: Alters Timing)

strace -p <PID>

⚠️ strace may change process behavior. Use carefully during live compromise.

Kernel Modules

lsmod

Kernel Messages

dmesg | tail -50

3. Rootkit & Malware Scanning

Rootkit Scanners

rkhunter --check
chkrootkit

May produce false positives. Validate findings manually.

Antivirus Scan (Targeted)

clamscan -r /home

Use selectively; large scans increase I/O and may alter access timestamps.

Lynis System Audit

lynis audit system

4. File Integrity & Package Verification

AIDE (After Initialization)

Install:

apt install aide
# or
dnf install aide

Initialize:

aideinit
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Run Check:

aide --check

RHEL Package Verification

rpm -Va

Debian Package Verification

apt install debsums
debsums -s

5. Forensic Analysis (Didier Stevens Suite)

Install:

sudo mkdir -p /opt/forensics
sudo wget -P /opt/forensics https://raw.githubusercontent.com/DidierStevens/DidierStevensSuite/master/base64dump.py
sudo wget -P /opt/forensics https://raw.githubusercontent.com/DidierStevens/DidierStevensSuite/master/re-search.py
sudo wget -P /opt/forensics https://raw.githubusercontent.com/DidierStevens/DidierStevensSuite/master/zipdump.py
sudo wget -P /opt/forensics https://raw.githubusercontent.com/DidierStevens/DidierStevensSuite/master/1768.py
sudo wget -P /opt/forensics https://raw.githubusercontent.com/DidierStevens/DidierStevensSuite/master/pdf-parser.py
sudo wget -P /opt/forensics https://raw.githubusercontent.com/DidierStevens/DidierStevensSuite/master/oledump.py
sudo chmod +x /opt/forensics/*.py

Decode Base64

python3 /opt/forensics/base64dump.py file.txt

IOC Search

python3 /opt/forensics/re-search.py -n ipv4 logfile

Inspect ZIP (No Extraction)

python3 /opt/forensics/zipdump.py suspicious.zip

Extract Cobalt Strike Beacon Config

python3 /opt/forensics/1768.py payload.bin

Inspect Office/PDF Documents

python3 /opt/forensics/pdf-parser.py file.pdf
python3 /opt/forensics/oledump.py file.doc

Static inspection only. Never execute suspicious files.

6. Authentication & User Activity

Current Sessions

who -a

Login History

last -a

Failed SSH Logins

Ubuntu/Debian:

journalctl -u ssh.service | grep "Failed password"

RHEL/Fedora:

journalctl -u sshd.service | grep "Failed password"

Sudo Activity

journalctl _COMM=sudo

Audit Logs

ausearch -m USER_AUTH,USER_LOGIN,USER_CHAUTHTOK

Controlled Remediation

Blocking an IP

iptables (Immediate)

iptables -I INPUT 1 -s <IP> -j DROP

nftables

nft add rule inet filter input ip saddr <IP> drop

If firewalld is active:

firewall-cmd --add-rich-rule='rule family="ipv4" source address="<IP>" drop'

Persisting Firewall Rules

iptables (Debian):

netfilter-persistent save

iptables (manual save):

iptables-save > /etc/iptables/rules.v4

firewalld:

firewall-cmd --runtime-to-permanent

nftables:

nft list ruleset > /etc/nftables.conf

Process Containment Strategy

Preferred escalation:

• Observe
• kill -TERM
• If required: kill -STOP for analysis
• Use kill -KILL only if necessary

Service Isolation

systemctl stop <service>
systemctl disable <service>
systemctl mask <service>

Persistence & Backdoor Checks

Cron Jobs

crontab -l
ls -lah /etc/cron*

Systemd Persistence

ls -lah /etc/systemd/system/

Startup Scripts

cat /etc/rc.local

SELinux Awareness (RHEL/Fedora)

Check status:

getenforce

Review denials:

ausearch -m AVC

Forensic Hygiene

• Never execute suspicious binaries.
• Preserve evidence before deletion:

sha256sum file
mkdir -p /root/quarantine
mv file /root/quarantine/file.vir

• Log every remediation step:

date -u

Document:

• Timestamp
• Command executed
• Observed outcome

Usage Examples

Routine Audit

• Run lynis audit system
• Verify no unknown listening services
• Check for modified system binaries

Active Threat

• Identify high CPU process
• Capture short tcpdump
• Extract file hash
• Contain IP via firewall
• Preserve malicious artifact

Suspicious File

• Use zipdump
• Extract hash
• Move to quarantine
• Search logs for execution attempts

Safety Guardrails

These guardrails are mandatory and apply to all remediation activity. Their purpose is to prevent self-inflicted outages, preserve forensic integrity, and ensure reversible, controlled incident response.

1. State Verification (Pre- and Post-Change Validation)

Before executing any remediation command:

• Record timestamp (UTC):

date -u

• Run a discovery command to capture current state:
• Network: ss -tulpn
• Active connections: ss -antp
• Firewall (iptables): iptables -L -n -v
• Firewall (nftables): nft list ruleset
• firewalld: firewall-cmd --list-all

• Re-run the same discovery command.
• Compare state change and confirm:
• Intended effect achieved
• No unintended service disruption
• No management lockout (e.g., SSH access intact)

2. No Wildcards or Broad Termination

To prevent catastrophic system damage:

• NEVER use:
• rm -rf *
• rm -rf /
• killall
• Broad pkill patterns
• Unbounded globbing in sensitive directories
• Always:
• Use absolute file paths (e.g., /tmp/malware.bin)
• Target explicit PIDs (kill -TERM )
• Confirm file existence with ls -lah
• Hash suspicious files before modification:

sha256sum <file>

Wildcard deletions and pattern-based termination are prohibited during incident response.

3. Persistence & Re-Spawn Inspection

After containment of a malicious process or service, immediately inspect for persistence mechanisms.

Check:

#### Cron Jobs

crontab -l
ls -lah /etc/cron*

#### systemd Services & Timers

systemctl list-unit-files --type=service
systemctl list-timers --all
ls -lah /etc/systemd/system/

#### Init Scripts

ls -lah /etc/init.d/
cat /etc/rc.local

#### User-Level Persistence

ls -lah ~/.config/systemd/user/

#### SSH Backdoors

cat ~/.ssh/authorized_keys

After removal of malicious artifacts:

• Run integrity verification:

aide --check

• On RHEL-based systems:

rpm -Va

• On Debian-based systems:

debsums -s

Do not consider a threat eradicated until persistence mechanisms are eliminated.

4. Firewall Rule Safety & Persistence

A. Anti-Lockout Requirement

Before modifying firewall rules:

• Confirm SSH listening port:

ss -tulpn | grep ssh

• Confirm an explicit ACCEPT rule exists for:
• Current management IP
• SSH port

iptables -F

NEVER set a default DROP policy without verifying SSH access rule exists.

B. Immediate vs Persistent Rules

Firewall rule changes are runtime by default and may not survive reboot.

#### iptables (Debian/Ubuntu) Runtime only until saved:

iptables-save > /etc/iptables/rules.v4

If using netfilter-persistent:

netfilter-persistent save

#### RHEL (legacy iptables service)

service iptables save

#### firewalld Runtime-to-permanent:

firewall-cmd --runtime-to-permanent

#### nftables Persist ruleset:

nft list ruleset > /etc/nftables.conf

Document:

• Whether rule is temporary or permanent
• Location of saved configuration
• Verification after reboot (if applicable)

5. Forensic Preservation Before Destruction

Before deleting or killing:

• Hash the artifact:

sha256sum <file>

• Move to quarantine:

mkdir -p /root/quarantine
   mv <file> /root/quarantine/<file>.vir

• Record:
• Timestamp (UTC)
• Original path
• Hash value
• Reason for containment

• kill -TERM
• kill -STOP (if forensic inspection needed)
• kill -KILL only as last resort

6. Change Logging Requirement

Every remediation action must include:

• date -u
• Command executed
• Justification
• Observed outcome
• Updated risk level (if applicable)

7. Minimal-Impact Principle

All actions must follow:

• Smallest necessary change
• Reversible where possible
• No broad configuration resets
• No service restarts without justification
• No system-wide scans during active compromise unless scoped