Defensive Security (Blue Team)

Reverse Shell: Detection + Protection + Lab Setup & Monitoring (from scratch)

This page does not teach attacking. The goal is to detect, prevent and monitor the risk in an authorised lab environment.

⚠️ Important: Run any network check only on systems that are yours or that you have permission to test. Unauthorised testing on real networks may be a criminal offence.

1) Detection

A reverse shell is usually spotted as a combination of a suspicious outbound connection to an external IP plus a suspicious process. Your job: (a) see the connection, (b) find out which process owns it, (c) check whether it left traces in the logs.

Quick checks on Linux

Connections:

ss -tunap   # or: netstat -plant

Which process is connected?

lsof -i -n -P   # if the port is known: lsof -i :4444 -n -P

Suspicious processes:

ps aux --sort=-%cpu | head
ps aux --sort=-%mem | head
top    # interactive
htop   # more convenient

SSH / authentication logs:

sudo tail -n 200 /var/log/auth.log
sudo journalctl -u ssh -n 200 --no-pager

Quick checks on Windows

Connections + PID:

netstat -ano

PID → which program?

tasklist /FI "PID eq 1234"

Via PowerShell:

Get-NetTCPConnection | Sort-Object -Property State,LocalPort

Event Log (Security):

eventvwr   # Windows Logs → Security

Suspicious signs (red flags)

  • Regular outbound connections to an unknown IP
  • Unusual ports (not the usual 80/443/22) and long-lived "ESTABLISHED" sessions
  • A file running from a location such as /tmp or /dev/shm (Linux)
  • Odd PowerShell command lines, unknown process parent-child chains
  • Many failed login attempts (traces of brute force)
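The red flags above can be checked mechanically against `ss -tunap` output. The following is an added example (not part of the original page): it parses constructed sample rows in the shape of `ss -tunap`, pairs each PID with a constructed executable path (what `readlink /proc/<pid>/exe` would report), and flags established sessions on unusual ports or from executables living under /tmp or /dev/shm. The port list, directories and sample values are assumptions for illustration.

```python
import re

# Ports the page treats as usual for outbound traffic; anything else is a red flag.
USUAL_PORTS = {22, 80, 443}
# Directories the page names as suspicious homes for a running executable (Linux).
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/")
# Constructed sample in the shape of `ss -tunap` output (not captured from a real host).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
tcp   ESTAB  0      0      10.0.0.5:51234      203.0.113.10:4444  users:(("bash",pid=1337,fd=3))
tcp   ESTAB  0      0      10.0.0.5:51235      93.184.216.34:443  users:(("firefox",pid=2201,fd=55))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=811,fd=3))
tcp   ESTAB  0      0      10.0.0.5:51240      198.51.100.7:8080  users:(("python3",pid=1402,fd=4))
"""
# Constructed pid -> executable path map, as `readlink /proc/<pid>/exe` would report.
SAMPLE_EXE = {1337: "/usr/bin/bash", 2201: "/usr/lib/firefox/firefox",
              811: "/usr/sbin/sshd", 1402: "/dev/shm/.x/python3"}

# One ss row: proto state recv-q send-q local peer [process]
ROW_RE = re.compile(r"^(\S+)\s+(?P<state>\S+)\s+\d+\s+\d+\s+\S+\s+(?P<peer>\S+)\s*(?P<proc>.*)$")
PROC_RE = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')

def parse_ss(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:            # the header row fails the regex (Recv-Q is not a number)
            continue
        port = m.group("peer").rpartition(":")[2]
        proc = PROC_RE.search(m.group("proc"))
        rows.append({"state": m.group("state"), "peer": m.group("peer"),
                     "peer_port": int(port) if port.isdigit() else None,  # '*' on LISTEN rows
                     "name": proc.group("name") if proc else None,
                     "pid": int(proc.group("pid")) if proc else None})
    return rows

def find_red_flags(rows, exe_by_pid):
    """Return (pid, name, peer, reasons) for established sessions that match a red flag."""
    flags = []
    for r in rows:
        if r["state"] != "ESTAB":
            continue
        reasons = []
        if r["peer_port"] not in USUAL_PORTS:
            reasons.append(f"unusual outbound port {r['peer_port']}")
        exe = exe_by_pid.get(r["pid"], "")
        if exe.startswith(SUSPICIOUS_DIRS):
            reasons.append(f"executable runs from {exe}")
        if reasons:
            flags.append((r["pid"], r["name"], r["peer"], reasons))
    return flags
```

On a live host you would feed `parse_ss` the real `ss -tunap` output and build the PID map from /proc; each flagged PID is then a candidate for the `lsof`, `ps` and log checks above.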

2) Hardening

Defence always has three layers: the network (firewall), accounts (permissions) and oversight (logs/monitoring).

Linux: basic hardening

  • Disable unnecessary services: systemctl
  • Secure SSH: disable root login, use a strong password or keys
  • Enable the firewall (UFW)
  • Fail2ban (against brute force)

# List of running services
sudo systemctl list-units --type=service --state=running
# Basic UFW: allow SSH before enabling so an existing SSH session is not cut off
sudo ufw default deny incoming
sudo ufw allow OpenSSH
sudo ufw enable

Windows: basic hardening

  • Keep the firewall enabled
  • Restrict unnecessary "Remote" features
  • Defender real-time protection
  • Minimise admin rights

# Firewall status
netsh advfirewall show allprofiles
# Check Defender status (PowerShell)
Get-MpComputerStatus

The biggest mistake: allowing everything. Least privilege and only the ports that are actually needed (an allow-list) are the strongest protection.

3) Lab setup (a safe learning environment)

A lab is the best way to learn. But it must be isolated.

  1. Two VMs: (1) Kali Linux, (2) a Windows or Ubuntu "Victim"
  2. Network: Internal Network or Host-only in VirtualBox
  3. Snapshots: take a snapshot before every major change
  4. Logs: make sure journald on Linux and the Event Log on Windows are enabled

Tip: Disconnect the lab from the internet. If internet access is needed, give only Kali a separate "NAT" adapter and keep the Victim on Internal/Host-only.

4) Monitoring

Linux monitoring

# Network
ss -tunap
# Traffic (may need to be installed)
sudo apt install iftop -y
sudo iftop
# Processes
htop
# Follow the log in real time
sudo tail -f /var/log/auth.log

Windows monitoring

  • Task Manager → Details (PIDs)
  • Resource Monitor → Network
  • Event Viewer → Security/System

# Connections
netstat -ano
# PID → program
tasklist /FI "PID eq 1234"

5) Incident Response (if an attack happens)

When an attack has happened, do not panic; work through it in order:

  1. Isolation: disconnect from the network (if necessary)
  2. Evidence: preserve information about logs, connections and processes
  3. Clean-up: identify the suspicious process/file, check the services
  4. Recovery: change passwords, apply patches, harden the configuration

Quick "evidence" collection on Linux (minimal)

date
whoami
uname -a
ss -tunap
ps auxf
sudo tail -n 200 /var/log/auth.log

Note: this is a minimal check. In larger incidents, forensics is a separate process.

Contact

📞 +998 90 459 94 09   |   💬 t.me/otabekie