SEC520/labs/Lab 6

21,006 bytes added, 09:07, 1 February 2018
<h1> <span class="mw-headline">Linux System Hardening (Part 1)</span></h1>
<a name="Introduction" id="Introduction"></a><h2> <span class="mw-headline">Introduction</span></h2>
<dl><dd><ul><li>In this lab, students will learn how to make their Linux servers less vulnerable to attacks (i.e. <b>hardening</b> the Linux system). First, students will prevent users from booting into <b>run level 1 (single-user mode)</b>, which hands out a root shell without a password, by creating a <b>grub boot password</b>.
</li></ul>
</dd></dl>
<dl><dd><ul><li>Students will also identify and <b>close unnecessary ports</b> (running services) on their Linux and Windows Virtual Machines in order to reduce the attack surface of those servers.
</li></ul>
</dd></dl>
<dl><dd><ul><li>Students will then <b>configure SSH</b> to provide an encrypted "tunnel" that protects data in transit from eavesdropping, and to listen on a non-default port number to cut down the noise from automated scanners (a change that discourages casual attackers, but is not a substitute for strong authentication).
</li></ul>
</dd></dl>
<dl><dd><ul><li>Finally, students will use <b>PAM</b> (Pluggable Authentication Modules) to further control how the applications running in their VMs authenticate users.
</li></ul>
</dd></dl>
<br><br>
<a name="Objectives" id="Objectives"></a><h2> <span class="mw-headline">Objectives</span></h2>
<ol><li>Set up a <b>grub boot</b> password to prevent users from gaining root access (single-user mode) during Linux system bootup.
</li><li><b>Close unnecessary running ports</b> (services) to make server(s) less vulnerable to attack.
</li><li>Use <b>SSH tunnelling</b> to protect data from being intercepted on the network.
</li><li>Use <b>PAM</b> to control how applications and services authenticate users.
</li></ol>
<p><br>
</p>
<a name="Required_Materials_.28Bring_to_All_Labs.29" id="Required_Materials_.28Bring_to_All_Labs.29"></a><h2> <span class="mw-headline">Required Materials (Bring to All Labs)</span></h2>
<ul>
<li> <b>SATA Hard Disk</b> (in removable disk tray).
</li><li> <b>Lab Logbook (Lab4 Reference Sheet)</b> (to make notes and observations).
</li></ul>
<p><br>
</p>
<a name="Prerequisites" id="Prerequisites"></a><h2> <span class="mw-headline">Prerequisites</span></h2>
<ul><li> <a href="https://scs.senecac.on.ca/%7Efac/sec520/labs/SEC520_Lab_5.html">SEC520 Lab 5</a>
</li></ul>
<p><br>
</p>
<a name="Linux_Command_Online_Reference" id="Linux_Command_Online_Reference"></a><h2> <span class="mw-headline">Online Tools and References</span></h2>

<ul>
<li><a href="http://www.linuxhowtos.org/Network/netstat.htm" target="_new">netstat</a></li>
<li><a href="http://www.hscripts.com/tutorials/linux-services/index.php">service</a> <b>or</b> <a href="http://www.linux.com/learn/tutorials/527639-managing-services-on-linux-with-systemd">systemctl</a> (on <u>newer</u> Linux distributions)</li>
<li><a href="http://www.ibm.com/developerworks/linux/library/l-pam/index.html" target="_new">PAM</a></li>
<li><a href="http://tommi.org/2008/08/automaticly-blacklisting-password-attempts/" target="_blank">Automatically Blacklist Password Attempts</a></li>
<li><a href="http://www.techcuriosity.com/resources/linux/advanced_file_permissions_in_linux.php" target="_blank">Advanced File Permissions</a></li>
<li><a href="http://www.cyberciti.biz/tips/howot-install-ubuntu-linux-ssh-server.html" target="_new">SSH</a></li>
<li><a href="http://linuxmanpages.com/" target="_new">Online Linux Manpages</a></li>
</ul>

<p><br>
</p>
<a name="Resources_on_the_web" id="Resources_on_the_web"></a><h2> <span class="mw-headline">Course Notes</span></h2>
<ul>
<li><a href="http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w3_l1.odp">odp</a> | <a href="http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w3_l1.pdf">pdf</a> | <a href="http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w3_l1.ppt">ppt</a> (Slides: Linux Hardening - part 1)</li>
<li><a href="http://www.linuxdoc.org/HOWTO/User-Authentication-HOWTO/x115.html" target="_new">Why Use PAM?</a></li>
<li><a href="http://www.ibm.com/developerworks/linux/library/l-pam/index.html" target="_new">Understanding and Configuring PAM</a></li>
<li><a href="http://lcweb.senecac.on.ca:2063/0596003919" target="_new">Linux Security Cookbook (E-book)</a> (Chapter 4)</li>
</ul>

<a name="Performing_Lab_2" id="Performing_Lab_2"></a><h1> <span class="mw-headline">Performing Lab 6</span></h1>
<p><br>
</p>
<a name="Task1" id="Investigation_1:_How_to_Perform_a_Fedora_DVD_Install_on_Your_Removable_Hard_Drive"></a><h2> <span class="mw-headline">Task #1: Locking Down Bootup / Performing System Updates</span></h2>
<br />
<div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;">
<div style="float: left; margin-left: -40px;"><a href="/wiki/index.php/File:Important.png" class="image" title="Important.png"><img alt="" src="35px-Idea.png" width="35" height="35" border="0" /></a></div>
<div><b>Locking Down the Server's BIOS</b><br />The system administrator should prevent the server's BIOS from booting from removable drives, and set up a BIOS password to limit access to editing the server's BIOS. Since you are using the college's computers, you are not able to lock down the BIOS, but it is worth mentioning when you are securing computers in the future.
</div>
</div>
<br>
This section will demonstrate how easy it is for a regular user to gain
<b>root</b> access to a newly-booted Linux system. As a safeguard,
the student will learn how to set a <b>grub password</b> to make the computer
system less vulnerable.
<br /><br />
<div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;">
<div style="float: left; margin-left: -40px;"><a href="https://scs.senecac.on.ca/wiki/index.php/File:Important.png" class="image" title="Important.png"><img alt="" src="SEC520_Lab_1_files/35px-Important.png" height="35" border="0" width="35"></a></div>
<div><b>Vulnerabilities During Boot-up: Single User Mode</b><br>Although great attention is paid to securing a Linux system in terms of running services, upgrades, and setting passwords, very little attention is often paid to the boot-up process.<br /><br />The system administrator should configure the BIOS of their Linux servers to <b>prevent booting from removable media</b>, and assign a <b>BIOS password</b> to limit access to the Linux server's BIOS settings.<br /><br />In addition, by default the <b>Grub Boot Loader</b> allows anyone with access to the computer at boot time to set the <b>runlevel, or change the boot parameters</b>, which lets them influence the <b><i>init</i></b> process and which kernel image is loaded. Anyone with access to the boot prompt can therefore bypass security controls and control which software is loaded. For example, rebooting to <b>runlevel 1</b> (known as <b>single user mode</b>) gives the user root privileges without the need for a password! Even on systems where single-user mode prompts for the root password, appending <b>init=/bin/bash</b> to the kernel command line yields the same unauthenticated root shell, which is why the boot loader itself must be protected.
</div>
</div>
<br>
INSTRUCTIONS:

<ol>
<li>Boot your BackTrack (host) system.</li>
<li>Open the VirtualBox manager window.</li>
<li>Prior to running your Vulnerable Linux VM, read the following link on how to enter into <b>single-user</b> mode:<br /><br /><a href="http://docs.fedoraproject.org/en-US/Fedora/13/html/Installation_Guide/s1-rescuemode-booting-single.html" target="_new">How to Enter Single User Mode (Fedora17 - also applies to Fedora Core 5)</a>.<br /><br /></li>
<li>Boot the Vulnerable Linux VM, press any key, then press the key <b>a</b> to append the word <b>single</b> at the end of the boot command.</li>
<li>After boot-up is complete, you should notice you are logged in as <b>root</b> (you can issue <b>whoami</b> to confirm).</li>
<li>Navigate throughout the file system. Check the unprivileged users' home directories under <b>/home</b>.</li>
<li>What are the consequences of NOT setting a grub password? Record your observations in your lab log-book.</li>
<li>Issue the <b>shutdown -h now</b> or <b>halt</b> command to shut down your Vulnerable Linux VM.</li>
</ol>
<br />
<div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;">
<div style="float: left; margin-left: -40px;"><a href="/wiki/index.php/File:Important.png" class="image" title="Important.png"><img alt="" src="35px-Important.png" width="35" height="35" border="0" /></a></div>
<div><b>Installing a More Recent Linux Distribution</b><br />
One disadvantage of using <b>Fedora Core 5</b> is that this version is very old, and is no longer supported in terms of its software repositories (software, security patches, etc.). <br /><br />
Therefore, we will be creating another Linux VM (called <b>Hardened Linux</b>) using the Fedora17 install image file that you should have downloaded to your Kali Linux (host) at the end of lab3.
</div>
</div>
<br />
<ol>
<li value="9">Launch the <b>Oracle VM VirtualBox</b> application, click on the <b>New</b> button, and click on <b>Next</b> to proceed.</li>
<li>Enter the name <b>Hardened Linux </b>for your VM name. Make certain that the OS Type is <b>Linux</b>, and the Version is <b>Fedora</b>, and then click on <b>Next</b> to proceed.</li>
<li>Accept the defaults (like you did in lab1, including <b>768 MB</b> RAM and set <b>10GB</b> for the VM's Hard Disk Size), and eventually click <b>Finish</b> to complete the VM setup.<br /><br /></li>
<li>Prior to starting your <b>Hardened Linux</b> VM, you will setup a <b>virtual disk</b> in order to boot from your saved <i>Fedora17 install image</i>.<br />Complete the following steps to prepare for installation:<br /><br /><ol type="a">
<li>Right-click on the VM called <b>Hardened Linux</b> in the VirtualBox application window, and select <b>Settings</b>.</li>
<li>Select <b>Network</b> and set the adapter to <b>Host-Only</b>.</li>
<li>Select <b>Storage</b> tab on the left-side of the application window.</li>
<li>Click on <b>IDE Controller</b> near the top of the <b>Storage Tree</b> window, then click on the green plus sign to <b>add a new CD/DVD drive</b>. You will be required to specify the location of that Fedora install image (i.e. <b>Choose Disk</b>). When completed, save your settings.</li>
<li>After you have changed your settings, double-click on <b>Hardened Linux</b> to start the installation process (you may need to wait and ignore system errors). Make default install selections as you did with the previous Linux installation.<br /><br /></li>
<li>Make the following selections during the installation process:
<ul>
<li>In addition to the defaults, add the <b>Fedora F17</b> and <b>Fedora F17 - Updates</b> repository.</li>
<li>Select <b>Create a Grub Boot Password</b> near the end of the installation in the Grub Boot section; Otherwise, accept similar defaults like you did in lab1.<br /><br /><b>NOTE:</b> If you were unable to set the Grub password during the installation procedure, then as an option, you may search the Internet for a method to manually set the password after the installation process...<br /><br /></li>
</ul>
</li>
<li>After the installation is complete, shutdown the system, go into <b>Settings</b> and remove the virtual CD/DVD drive that links to your <b>Fedora17 image file</b>. Boot your <b>Hardened Linux</b> VM and try to enter <b>single-user</b> mode. Were you successful?<br />Record your findings in your lab log-book.</li>
<li>When booting your Hardened Linux system for the first time, fill out a regular user account, and <b>add to administrator's group</b>.</li>
<li>Finally, perform an update on your system by issuing: <b>yum update</b>.</li>
</ol>
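<p>The note above leaves "set the password after the installation" to a web search. Fedora 17 boots with GRUB 2, so the added script below (written for this page, not part of the lab or of any Fedora tooling) shows the post-install route: generate a PBKDF2 hash with <b>grub2-mkpasswd-pbkdf2</b>, append a <b>superusers</b>/<b>password_pbkdf2</b> stanza to <b>/etc/grub.d/40_custom</b>, regenerate <b>/boot/grub2/grub.cfg</b>, and then audit that both directives really landed in the generated file. The paths and tool names are the Fedora defaults and are assumed; the function names are the script's own.</p>

```shell
#!/bin/sh
# Added example for this lab (not part of the original page): password-protect the
# GRUB 2 menu on the Fedora 17 "Hardened Linux" VM and audit the result.
# Assumptions: GRUB 2 (grub2-mkpasswd-pbkdf2, grub2-mkconfig) with the Fedora paths
# /etc/grub.d/40_custom and /boot/grub2/grub.cfg.

# Print the two GRUB directives that define a superuser with a PBKDF2 password hash.
#   $1 = GRUB superuser name   $2 = hash as printed by grub2-mkpasswd-pbkdf2
grub_password_stanza() {
    printf 'set superusers="%s"\npassword_pbkdf2 %s %s\n' "$1" "$1" "$2"
}

# Return 0 only when a grub.cfg both declares superusers and carries a PBKDF2 hash;
# one directive without the other either leaves the menu editable or locks everyone out.
#   $1 = path to grub.cfg
grub_cfg_has_password() {
    grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$1" &&
        grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]+[^[:space:]]+[[:space:]]+grub\.pbkdf2\.' "$1"
}

# Run as root on the VM (interactive: the password is prompted for twice). The stanza
# goes into 40_custom so that every future grub2-mkconfig run carries it into grub.cfg.
harden_grub() {
    hash=$(grub2-mkpasswd-pbkdf2 | sed -n 's/.*\(grub\.pbkdf2\.sha512\.[^ ]*\).*/\1/p')
    [ -n "$hash" ] || { echo "no hash produced" >&2; return 1; }
    grub_password_stanza root "$hash" >> /etc/grub.d/40_custom
    grub2-mkconfig -o /boot/grub2/grub.cfg
    grub_cfg_has_password /boot/grub2/grub.cfg
}

# Usage: sh grub-password.sh harden            (on the VM, as root)
#        sh grub-password.sh audit [grub.cfg]  (exit status 0 = protected)
case "${1:-}" in
    harden) harden_grub ;;
    audit)  grub_cfg_has_password "${2:-/boot/grub2/grub.cfg}" &&
                echo "grub.cfg is password-protected" ;;
esac
```

<p>Two caveats a practitioner should weigh. Once <b>superusers</b> is set, GRUB 2 asks for the password not only to edit an entry or reach the command line but also to boot a normal entry, unless that entry is declared <b>--unrestricted</b> (GRUB 2.00 and later); on an unattended server that trade-off matters. The old Fedora Core 5 VM uses GRUB Legacy instead, where the equivalent is a <b>password --md5</b> line (hash from <b>grub-md5-crypt</b>) in <b>/boot/grub/grub.conf</b>, which only guards editing and the <b>a</b>/<b>e</b> keys used in the first part of this task.</p>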
<br />

<div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;">
<div style="float: left; margin-left: -40px;"><a href="/wiki/index.php/File:Important.png" class="image" title="Important.png"><img alt="" src="35px-Important.png" width="35" height="35" border="0" /></a></div>
<div><b>Periodic Updates &amp; Upgrades</b><br />
It is important as a system administrator to periodically and consistently <b>update/upgrade the operating system and applications</b> to help harden the operating system from vulnerabilities.
<br /><br />
It is also important to perform <b>operating system upgrades</b> when officially released (stable) editions become available. Failing to perform upgrades to an operating system can eventually make operating systems obsolete and unsupported by the development community. Usually a Linux distribution provides time-lines regarding support (eg. <b>LTS: Long Term Support</b>).
</div>
</div>

<br />
<ol>
<li value="15">Record your observations in your lab log-book.</li>
<li>Proceed to Task #2.</li>
</ol>

<p><b>Answer the Task #1 observations / questions in your lab log book.</b>
</p>
<p><br>
</p>



<a name="Task2" id="Investigation_1:_How_to_Perform_a_Fedora_DVD_Install_on_Your_Removable_Hard_Drive"></a><h2> <span class="mw-headline">Task #2: Closing Unnecessary Ports / Using SSH</span></h2>
<br>
In this section, you will either close or prevent unnecessary ports (services) from running, and harden the services that must remain running (such as SSH), in order to make your Linux system less vulnerable.
<br><br>
INSTRUCTIONS:

<ol>
<li>Tighten up your Hardened Linux VM to expose the <b>smallest possible number of services</b> running on your Linux system.</li>
<li>Verify that the minimum number of (essential) services are running on your Linux system.</li>
<li>Use the <b>Nessus</b> application and <b>Metasploit</b> framework to confirm that there are no vulnerable services running on your Hardened Linux VM.</li>
<li>Discuss with another classmate which software is <u>not</u> required to be installed. What is the minimum software configuration that
will work? Try to list at least 10 applications in your lab log-book. </li>
<li>With a classmate, discuss the information visible to users logged in to your system and whether the disclosure of that information presents any real security risk. For example, is it ok for users to view the information in <b>/proc</b>? or in <b>/etc</b>?<br /><br /></li>
<li>Refer to the following link to OPS235 Lab 7 (SSH): <a href="http://zenit.senecac.on.ca/wiki/index.php/OPS235_Lab_7#Investigation_1:_How_do_you_enable_the_sshd_service." target="_new">SSH Configuration</a><br />(Note: newer versions of Fedora Linux use <b>systemctl</b> instead of the <b>service</b> command).</li>
<li>Configure SSH to listen on a different port number. (On Fedora, SELinux only lets sshd bind to ports labelled <b>ssh_port_t</b>, so label the new port and open it in the firewall before restarting sshd, or the restart will succeed and nobody will be able to connect.)</li>
<li>Use SSH (with X11 forwarding) to run the <b>gedit</b> command on your Linux VM, but have its window displayed on your host.</li>
<li>Have your group members view the open ports on your VM, and see if they can access this running port.</li>
<li>How does this technique make your Linux server less vulnerable?</li>
<li>Proceed to Task #3.</li>
</ol>
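<p>The steps above say "expose the smallest possible number of services" and "configure SSH to listen on a different port" without showing how to check either. The added script below (written for this page; it is not lab material or part of any Fedora package) turns <b>netstat -tlnp</b> output into a port-to-program inventory, reads an <b>sshd_config</b> option the way sshd does (the <i>first</i> occurrence of a keyword wins, which is a common source of "my change had no effect"), rewrites an option unambiguously, and collects the SELinux and firewall steps that a non-default port needs. The netstat column layout, the <b>/etc/ssh/sshd_config</b> path, the <b>ssh_port_t</b> label, <b>semanage</b> (from <b>policycoreutils-python</b>) and an iptables firewall saved to <b>/etc/sysconfig/iptables</b> are assumptions about the Fedora 17 VM; the function names are the script's own.</p>

```shell
#!/bin/sh
# Added example for Task #2 (not part of the original page): list listening TCP
# services from netstat output, read and set sshd_config options with sshd's own
# first-match rule, and the extra steps a non-default SSH port needs on Fedora 17.
# Assumptions: net-tools "netstat -tlnp" column layout; sshd config at /etc/ssh/sshd_config;
# SELinux enforcing (semanage from policycoreutils-python); iptables.service firewall.

# Print "port PID/program" for every listening TCP socket in netstat -tlnp output on stdin.
listening_services() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" { sub(/.*:/, "", $4); print $4, $7 }' | sort -n | uniq
}

# Print the effective value of an sshd keyword. sshd applies the FIRST value it reads
# for a keyword (keywords are case-insensitive); later duplicates are silently ignored.
# Match blocks are not modelled.   $1 = sshd_config   $2 = keyword   $3 = default if unset
sshd_effective() {
    v=$(awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
            '$1 !~ /^#/ && tolower($1) == k { print $2; exit }' "$1")
    printf '%s\n' "${v:-$3}"
}

# Set a keyword unambiguously: drop every existing line for it (live or commented out)
# and place the new value first, so first-match semantics cannot surprise you.
#   $1 = sshd_config   $2 = keyword   $3 = value
set_sshd_option() {
    tmp=$(mktemp)
    { printf '%s %s\n' "$2" "$3"
      awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
          '{ l = $1; sub(/^#/, "", l); if (tolower(l) != k) print }' "$1"
    } > "$tmp"
    cat "$tmp" > "$1" && rm -f "$tmp"
}

# Run as root on the VM. Changing Port alone is not enough: SELinux confines sshd to
# ports labelled ssh_port_t and the firewall must admit the new port.   $1 = new port
move_ssh_port() {
    set_sshd_option /etc/ssh/sshd_config Port "$1"
    set_sshd_option /etc/ssh/sshd_config PermitRootLogin no
    set_sshd_option /etc/ssh/sshd_config X11Forwarding yes     # needed for the gedit step
    semanage port -a -t ssh_port_t -p tcp "$1"                  # use -m if the port already has a label
    iptables -I INPUT -p tcp --dport "$1" -j ACCEPT && iptables-save > /etc/sysconfig/iptables
    systemctl restart sshd.service
    netstat -tlnp | listening_services | grep "^$1 "            # prove sshd is really on the new port
}

# Usage: sh ssh-harden.sh ports | sshd | move 2222
case "${1:-}" in
    ports) netstat -tlnp | listening_services ;;
    sshd)  for k in Port PermitRootLogin PasswordAuthentication X11Forwarding; do
               printf '%-22s %s\n' "$k" "$(sshd_effective /etc/ssh/sshd_config "$k" '(sshd default)')"
           done ;;
    move)  move_ssh_port "${2:?port required}" ;;
esac
```

<p>Use the <b>ports</b> listing before and after stopping services: on Fedora 17 a service is silenced with <b>systemctl stop</b> plus <b>systemctl disable</b>, and <b>systemctl mask</b> prevents anything from starting it again; confirm with this listing and with <b>systemctl status</b> (the two independent checks the quiz asks for). For the gedit step, connect from the host with <b>ssh -X -p 2222 user@vm gedit</b>; the VM needs <b>xorg-x11-xauth</b> installed for X11 forwarding to work. Remember that moving the port hides sshd from scanners that only probe 22; it does nothing against a scan of all ports, so <b>PermitRootLogin no</b> and key-based authentication are what actually reduce risk.</p>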
<p><b>Answer the Task #2 observations / questions in your lab log book.</b>
</p>
<br><br>
<a name="Task3" d="Investigation_2:_How_many_file_packages_and_files_are_installed_on_the_system.3F"></a><h2> <span class="mw-headline">Task #3: Using PAM</span></h2>
<br>
Fedora uses the Linux <b>Pluggable Authentication Modules (PAM)</b> system to perform <b>authentication (and some related activities, such as account environment initialization)</b>. As the name suggests, PAM is modular and permits various modules to be plugged in or removed at the system administrator's discretion.
<br><br>
INSTRUCTIONS:
<ol>
<li>Ensure that your Hardened Linux VM (i.e. Fedora17) system is running, and log in as a user with administration privileges.</li>
<li>Open a shell terminal in your Hardened Linux VM, and change to the directory <b>/etc/pam.d</b> and review the names of the existing files. What do you think these represent in terms of hardening this system? Record your answer in your lab log-book. Locate the file that contains the PAM configuration for <b>system-config-network</b>.</li>
<li>Access the <b>PAM System Administrator's Guide</b> in a web-browser (file pathname: <b>/usr/share/doc/pam-1.1.5/html/Linux-PAM_SAG.html</b>).</li>
<li>Make a brief list of line options for the <b>system-config-network</b> PAM configuration file, and record in your lab log-book.</li>
<li>How could you change this PAM configuration file so that a user logged in on the console would not need to enter the root password? (read the manual or perform a web search to get the answer). Record your answer in your lab log-book.<br><br></li>
</ol>
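<p>Reading a file in <b>/etc/pam.d</b> on its own is misleading, because most Fedora service files defer to <b>system-auth</b> through <b>include</b> lines, and an <b>include</b> pulls in only the lines of the same management type (auth, account, password, session) from the named file. The added script below (written for this page, not part of the lab or of Linux-PAM) resolves a service's stack the way PAM does, so the "list of line options" the task asks for reflects what actually runs. It assumes the service file and everything it includes live in one directory (normally <b>/etc/pam.d</b>); the function names are the script's own.</p>

```shell
#!/bin/sh
# Added example for Task #3 (not part of the original page): print the PAM stack a
# service actually gets, following "include"/"substack" lines the way PAM does (an
# include pulls in only the lines of the same management type from the named file).
# Assumption: service files live in one directory (normally /etc/pam.d) and the
# included files are in that same directory.

# Print "type control module [args]" for a service, fully resolved.
#   $1 = pam.d directory   $2 = service name
pam_stack() {
    awk -v dir="$1" -v svc="$2" '
        # want = "" prints every line; otherwise only lines of that type (PAM include rule)
        function walk(file, depth, want,   line, f, n, i, t, ctrl, mod, args) {
            if (depth > 8) return                    # guard against include loops
            while ((getline line < file) > 0) {
                sub(/#.*/, "", line)                 # drop comments, incl. the #%PAM-1.0 header
                gsub(/^[ \t]+|[ \t]+$/, "", line)
                if (line == "") continue
                n = split(line, f, /[ \t]+/)
                t = f[1]; sub(/^-/, "", t)           # "-session" marks a module that may be missing
                if (want != "" && t != want) continue
                i = 2; ctrl = f[2]                   # control may be bracketed: [success=1 default=ignore]
                while (ctrl ~ /^\[/ && ctrl !~ /\]$/ && i < n) { i++; ctrl = ctrl " " f[i] }
                mod = f[i + 1]; args = ""
                for (i = i + 2; i <= n; i++) args = args " " f[i]
                if (ctrl == "include" || ctrl == "substack") walk(dir "/" mod, depth + 1, t)
                else printf "%s %s %s%s\n", f[1], ctrl, mod, args
            }
            close(file)
        }
        BEGIN { walk(dir "/" svc, 0, "") }'
}

# Return 0 when the resolved stack for a service loads the given module.
#   $1 = pam.d directory   $2 = service name   $3 = module file name, e.g. pam_abl.so
pam_has_module() {
    pam_stack "$1" "$2" | awk -v m="$3" '$3 == m { found = 1 } END { exit !found }'
}

# Usage: sh pam-stack.sh sshd             (resolved stack of /etc/pam.d/sshd)
#        sh pam-stack.sh sshd pam_abl.so  (exit status 0 = module is active for sshd)
if [ $# -eq 1 ]; then pam_stack /etc/pam.d "$1"
elif [ $# -eq 2 ]; then pam_has_module /etc/pam.d "$1" "$2"
fi
```

<p>Run it against <b>system-config-network</b> and against <b>sshd</b> and compare: the resolved output makes it obvious which <b>auth</b> line grants access without a password (look for <b>sufficient</b> controls such as <b>pam_rootok.so</b>) and where a new line such as <b>pam_abl.so</b> has to sit to run before the password check. Order matters in PAM: a <b>sufficient</b> module that succeeds ends the stack, so anything placed after it never runs.</p>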
<div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;">
<div style="float: left; margin-left: -40px;"><a href="https://scs.senecac.on.ca/wiki/index.php/File:Important.png" class="image" title="Important.png"><img alt="" src="SEC520_Lab_1_files/35px-Idea.png" height="35" border="0" width="35"></a></div>
<div><b>Pam ABL</b><br><b>Pam ABL</b> stands for <b>Pam Auto Blacklist Module</b>. This module blacklists hosts (and user names) that repeatedly fail to authenticate with your server.<br><br></div>
</div>

<br>



<ol>
<li value="15">Install the <b>pam_abl</b> package by issuing the following command: <b>yum install pam_abl</b>.</li>
<li>Research on the Internet how to edit the pam_abl configuration file. Documentation for pam_abl (web-browser) is available by using the file pathname:<br /><b>/usr/share/doc/pam_abl-0.2.3/pam_abl.html</b></li>
<li>Configure the <b>pam_time</b> module (its rules live in <b>/etc/security/time.conf</b>, and the module is enabled by an <b>account</b> line in the PAM service file for <b>sshd</b>) to permit remote ssh access only during the daytime.</li>
<li>Configure your system <b>to deny access for 1 day</b> to any user or host who has <u><b>5</b> invalid password attempts in an hour</u>, or <u><b>12</b> invalid password attempts in a day</u> using the <b>pam_abl</b> module (its rules live in <b>/etc/security/pam_abl.conf</b>).<br /><br />Here is an approximate example: <a href="http://tommi.org/2008/08/automaticly-blacklisting-password-attempts/" target="_blank">Automatically Blacklist Password Attempts</a><br /><br /></li>
<li>Create a group named <b>development</b>.</li>
<li>Create the directory <b>/var/devel1</b> and <b>/var/devel2</b> and make them accessible to all users. Set the SGID permission bit on <b>/var/devel2</b> and make that directory owned by the group called <i>development</i>.<br /><br />Here is a link to setting SGID permissions: <a href="http://www.techcuriosity.com/resources/linux/advanced_file_permissions_in_linux.php" target="_blank">Advanced File Permissions</a><br /><br /></li>
<li>Create <b>three regular users</b>. Ensure that two users are in the <i>development</i> group and that the third user is not.</li>
<li>Have each user create a file in <b>/var/devel1</b> and <b>/var/devel2</b>.</li>
<li>Record the user and group permission for each file.</li>
<li>Attempt to access each of the six files using each user's account
by reading and then appending (two separate operations). What succeeds
and what fails? Why?</li>
<li>What would the development users have to do to make their files in <b>/var/devel1</b> accessible to each other?</li>
<li>Why is Fedora set up so that each user has their own group and the default umask is <b>0002</b>?</li>
<li>Record your findings in your lab log-book.</li>
<li>Proceed to "Completing The Lab".</li>
</ol>
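<p>The pam_time, pam_abl and shared-directory steps above are one procedure, so the added script below (written for this page; not lab material, and not taken from pam_abl's or Fedora's documentation) carries it through in one place: it writes the <b>time.conf</b> and <b>pam_abl.conf</b> the steps describe into a directory you choose (use <b>/etc/security</b> on the VM), prints the two lines to add to <b>/etc/pam.d/sshd</b>, and creates a setgid group directory like <b>/var/devel2</b> and verifies its mode and group. The <b>services;ttys;users;times</b> format of time.conf, the pam_abl 0.2.x <b>count/period</b> rule syntax and the <b>/var/lib/abl</b> database paths are the documented defaults and are assumed here; the function names are the script's own.</p>

```shell
#!/bin/sh
# Added example for the pam_time / pam_abl / shared-directory steps of Task #3 (not
# part of the original page). Writes the two configuration files the steps ask for
# into a directory you choose, prints the PAM lines to add to /etc/pam.d/sshd, and
# builds a setgid shared directory and verifies it.
# Assumptions: pam_time rules in time.conf ("services;ttys;users;times"); pam_abl 0.2.x
# rule syntax "count/period"; Fedora's /var/lib/abl database paths.

# pam_time: allow sshd logins on all days (Al) between 08:00 and 18:00 only.   $1 = dir
write_time_conf() {
    cat > "$1/time.conf" <<'EOF'
# services;ttys;users;times   (see pam_time(8); "Al" = all days)
sshd;*;*;Al0800-1800
EOF
}

# pam_abl: block a host (or any user except root) after 5 failures in 1h or 12 in 1d.
# purge keeps the attempt records; it must cover the longest window (1d) or the
# day-long count is discarded before it can trigger.   $1 = dir
write_pam_abl_conf() {
    cat > "$1/pam_abl.conf" <<'EOF'
host_db=/var/lib/abl/hosts.db
host_purge=2d
host_rule=*:5/1h,12/1d
user_db=/var/lib/abl/users.db
user_purge=2d
user_rule=!root:5/1h,12/1d
EOF
}

# Lines to insert into /etc/pam.d/sshd: pam_abl in the auth stack BEFORE the
# password check (it must see failures), pam_time in the account stack.
pam_sshd_lines() {
    printf '%s\n' \
        'auth     required  pam_abl.so config=/etc/security/pam_abl.conf' \
        'account  required  pam_time.so'
}

# Shared project directory: group-owned, setgid so new files inherit the group,
# readable by all but writable only by owner and group.   $1 = path   $2 = group
make_shared_dir() {
    mkdir -p "$1" && chgrp "$2" "$1" && chmod 2775 "$1"
}

# Return 0 when the directory shows mode drwxrwsr-x and the expected group
# (works with the trailing "." that ls prints on SELinux-labelled files).
check_shared_dir() {
    info=$(ls -ld "$1")
    [ "$(printf '%s\n' "$info" | cut -c1-10)" = "drwxrwsr-x" ] &&
        [ "$(printf '%s\n' "$info" | awk '{ print $4 }')" = "$2" ]
}

# Usage (as root on the VM):  sh task3.sh /etc/security /var/devel2 development
if [ $# -eq 3 ]; then
    write_time_conf "$1" && write_pam_abl_conf "$1" && pam_sshd_lines
    make_shared_dir "$2" "$3" && check_shared_dir "$2" "$3" && echo "$2 ready for group $3"
fi
```

<p>Keep a root shell open on the VM (or console access) while testing: a mistake in the <b>sshd</b> PAM stack, or a time window that excludes "now", locks you out of SSH until it is fixed. For the file-permission questions, note that the setgid bit only sets the <i>group</i> of new files; whether another developer can write them is still decided by each user's umask, which is why Fedora pairs user-private groups with a 002 umask for ordinary users (group-writable defaults are safe when the private group contains only the owner, and become useful inside a shared setgid directory such as <b>/var/devel2</b>).</p>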

<p><b>Answer Task #3 observations / questions in your lab log book.</b>
</p><p><br>
</p>



<a name="Completing_the_Lab" id="Completing_the_Lab"></a><h1> <span class="mw-headline"> Completing the Lab </span></h1>
<p><b>Arrange evidence for each of these items on your screen, then ask
your instructor to review them and sign off on the lab's completion:</b>
</p>
<ol>
<li>All unnecessary services <b>turned off</b>.</li>
<li>SSH run on a <b>different port</b>.</li>
<li>Proof of <b>PAM</b> used to control access to directories. </li>
<li>Completed Lab 6 notes.</li>
</ol>
<p><br>
</p>
<a name="Preparing_for_Quizzes" id="Preparing_for_Quizzes"></a><h1> <span class="mw-headline"> Preparing for Quizzes </span></h1>

<ol>
<li>Briefly explain how to access the root account (in run-level 1) from an unprotected Linux system upon boot-up.</li>
<li>List the steps to setup a <b>grub password</b> to protect a Linux system upon boot-up.</li>
<li>Explain the consequences of running unnecessary services on a server.</li>
<li>List the steps to stop a running service, and describe 2 distinct methods of confirming that a service is no longer running on the server.</li>
<li>What is the purpose of using SSH for tunnelling while using a different port number?</li>
<li>What does <b>PAM</b> stand for? What is the purpose of the <i>PAM</i> modules?</li>
<li>What is the purpose of the <b>pam_abl</b> modules?</li>
</ol>