SEC520/labs/Lab 6

3,045 bytes removed, 09:37, 1 February 2018
<h1> <span class="mw-headline">Linux System Hardening (Part 1)</span></h1>
<a name="Introduction" id="Introduction"></a><h2> <span class="mw-headline">Introduction</span></h2>
<dl><dd><ul><li>In this lab, students will learn how to make their Linux servers less vulnerable to attacks (i.e. <b>hardening</b> the Linux system). First, students will prevent users from booting into <b>run level 1 (super-user mode)</b> by creating a <b>grub boot password</b>.
</li></ul>
</dd></dl>
<dl><dd><ul><li>Students will then <b>configure SSH</b> to provide a safe "tunnel" that protects data from hacking, and change the port number to help confuse (discourage) hackers.
</li></ul>
</dd></dl>
<dl><dd><ul><li>Finally, students will use <b>PAM</b> (Pluggable Authentication Modules) to further protect running applications in their VMs.
</li></ul>
</dd></dl>
<br><br>
<a name="Objectives" id="Objectives"></a><h2> <span class="mw-headline">Objectives</span></h2>
<ol><li>Set up a <b>grub boot</b> password to prevent users from gaining access to super-user mode during Linux system bootup.
</li><li><b>Close unnecessary running ports</b> (services) to make server(s) less vulnerable to attack. </li><li>Use <b>SSH tunnelling</b> to protect data from being picked up by hackers. </li><li>Use <b>PAM</b> to provide authentication for APIs (application programming interfaces).
</li></ol>
<p><br>
</p>
<a name="Required_Materials_.28Bring_to_All_Labs.29" id="Required_Materials_.28Bring_to_All_Labs.29"></a><h2> <span class="mw-headline">Required Materials (Bring to All Labs)</span></h2>
<ul>
<li> <b>SATA Hard Disk</b> (in removable disk tray).
</li><li> <b>Lab Logbook (Lab4 Reference Sheet)</b> (to make notes and observations).
</li></ul>
<p><br>
</p>
<a name="Prerequisites" id="Prerequisites"></a><h2> <span class="mw-headline">Prerequisites</span></h2>
<ul><li> <a href="https://wiki.cdot.senecacollege.ca/wiki/SEC520/labs/Lab_5">SEC520 Lab 5</a>
</li></ul>
<p><br>
</p>
<a name="Linux_Command_Online_Reference" id="Linux_Command_Online_Reference"></a><h2> <span class="mw-headline">Online Tools and References</span></h2>
<ul>
<li><a href="http://www.linuxhowtos.org/Network/netstat.htm" target="_new">netstat</a></li>
<li><a href="http://www.hscripts.com/tutorials/linux-services/index.php">service</a> <b>or</b> <a href="http://www.linux.com/learn/tutorials/527639-managing-services-on-linux-with-systemd">systemctl</a> (on <u>newer</u> Linux distributions)</li>
<li><a href="http://www.ibm.com/developerworks/linux/library/l-pam/index.html" target="_new">PAM</a></li>
<li><a href="http://tommi.org/2008/08/automaticly-blacklisting-password-attempts/" target="_blank">Automatically Blacklist Password Attempts</a></li>
<li><a href="http://www.techcuriosity.com/resources/linux/advanced_file_permissions_in_linux.php" target="_blank">Advanced File Permissions</a></li>
<li><a href="http://www.cyberciti.biz/tips/howot-install-ubuntu-linux-ssh-server.html" target="_new">SSH</a></li>
<li><a href="http://linuxmanpages.com/" target="_new">Online Linux Manpages</a></li>
</ul>
<p><br>
</p>
<a name="Resources_on_the_web" id="Resources_on_the_web"></a><h2> <span class="mw-headline">Course Notes</span></h2>
<ul>
<li><a href="http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w3_l1.odp">odp</a> | <a href="http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w3_l1.pdf">pdf</a> | <a href="http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w3_l1.ppt">ppt</a> (Slides: Linux Hardening - part 1)</li>
<li><a href="http://www.linuxdoc.org/HOWTO/User-Authentication-HOWTO/x115.html" target="_new">Why Use PAM?</a></li>
<li><a href="http://www.ibm.com/developerworks/linux/library/l-pam/index.html" target="_new">Understanding and Configuring PAM</a></li>
<li><a href="http://lcweb.senecac.on.ca:2063/0596003919" target="_new">Linux Security Cookbook (E-book)</a> (Chapter 4)</li>
</ul>
<a name="Performing_Lab_2" id="Performing_Lab_2"></a><h1> <span class="mw-headline">Performing Lab 6</span></h1>
<p><br>
</p>
<a name="Task1" id="Investigation_1:_How_to_Perform_a_Fedora_DVD_Install_on_Your_Removable_Hard_Drive"></a><h2> <span class="mw-headline">Task #1: Locking Down Bootup / Performing System Updates</span></h2>
<br />
<div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;"><div><b>Locking Down the Server's BIOS</b><br />The system administrator should prevent the server's BIOS from booting from removable drives, and set up a BIOS password to limit access to editing the server's BIOS. Since you are using the college's computers, you are not able to lock down the BIOS, but it is worth mentioning when you are securing computers in the future.</div></div>
<br />This section will demonstrate how easy it is for regular users to gain <b>root</b> user access to a newly-booted Linux system. As a safe-guard, the student will learn how to set a <b>grub password</b> to make the computer system less vulnerable.<br /><br />
<div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;"><div><b>Vulnerabilities During Boot-up: Single User Mode</b><br />Although great attention is paid to securing a Linux system in terms of running services, upgrades, and setting passwords, very little attention may be paid to the boot-up process.<br /><br />The system administrator should configure the BIOS of their Linux servers to <b>prevent booting from removable media</b>, and assign a <b>boot password</b> to limit access to edit the Linux server's BIOS settings.<br /><br />In addition (by default) the <b>Grub Boot Loader</b> allows anyone with access to the computer at boot time to set the <b>runlevel, or change the boot parameters</b>, which can allow them to influence the <b><i>init</i></b> process and which kernel image is loaded. Anyone with access to the boot prompt can therefore bypass security controls and control which software is loaded. For example, rebooting to <b>runlevel 1</b> (known as <b>single user mode</b>), gives the user root privileges without the need for a password!</div></div>
<br />INSTRUCTIONS:
<ol>
<li>Boot your BackTrack (host) system.</li>
<li>Open the VirtualBox manager window.</li>
<li>Prior to running your Vulnerable Linux VM, read the following link on how to enter into <b>single-user</b> mode:<br /><br /><a href="http://docs.fedoraproject.org/en-US/Fedora/13/html/Installation_Guide/s1-rescuemode-booting-single.html" target="_new">How to Enter Single User Mode (Fedora17 - also applies to Fedora Core 5)</a>.<br /><br /></li>
<li>Boot the Vulnerable Linux VM, press any key, then press the key <b>a</b> to append the word <b>single</b> at the end of the boot command.</li>
<li>After boot-up is complete, you should notice you are logged in as <b>root</b> (you can issue <b>whoami</b> to confirm).</li>
<li>Navigate throughout the file system. Check the unprivileged users in the <b>/home</b> directory.</li>
<li>What are the consequences of NOT locking down the grub password? Record your observations in your lab log-book.</li>
<li>Issue the <b>shutdown -h</b> or <b>halt</b> command to shut down your Vulnerable Linux VM.<br /><br /></li>
</ol>
<div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;"><div><b>Installing a More Recent Linux Distribution</b><br />One disadvantage of using <b>Fedora Core 5</b> is that this version is very old, and is no longer supported in terms of its software repositories (software, security patches, etc.).<br /><br />Therefore, we will be creating another Linux VM (called <b>Hardened Linux</b>) using the Fedora17 install image file that you should have downloaded to your Kali Linux (host) at the end of lab3.</div></div>
<br />
<ol>
<li value="9">Launch the <b>Oracle VM VirtualBox</b> application, click on the <b>New</b> button, and click on <b>Next</b> to proceed.</li>
<li>Enter the name <b>Hardened Linux</b> for your VM name. Make certain that the OS Type is <b>Linux</b>, and the Version is <b>Fedora</b>, and then click on <b>Next</b> to proceed.</li>
<li>Accept the defaults (like you did in lab1, including <b>768 MB</b> RAM and set <b>10GB</b> for the VM's Hard Disk Size), and eventually click <b>Finish</b> to complete the VM setup.<br /><br /></li>
<li>Prior to starting your <b>Hardened Linux</b> VM, you will set up a <b>virtual disk</b> in order to boot from your saved <i>Fedora17 install image</i>.<br />Complete the following steps to prepare for installation:<br /><br />
<ol type="a">
<li>Right-click on the VM called <b>Hardened Linux</b> in the VirtualBox application window, and select <b>Settings</b>.</li>
<li>Select <b>Network</b> and set to <b>Host-Only</b> adaptor.</li>
<li>Select the <b>Storage</b> tab on the left-side of the application window.</li>
<li>Click on <b>IDE Controller</b> near the top of the <b>Storage Tree</b> window, click on the green plus sign to <b>add a new CD/DVD drive</b>. You will be required to specify the location of that Fedora install image (i.e. <b>Choose Disk</b>). The installation process should start (you may need to wait and ignore system errors). Make default install selections as you did with the previous Linux installation. When completed, save your settings.</li>
<li>After you have changed your settings, double-click on <b>Hardened Linux</b> to start the installation process.<br /><br /></li>
<li>Make the following selections during the installation process:
<ul>
<li>In addition to the defaults, add the <b>Fedora F17</b> and <b>Fedora F17 - Updates</b> repository.</li>
<li>Select <b>Create a Grub Boot Password</b> near the end of the installation in the Grub Boot section; otherwise, accept similar defaults like you did in lab1.<br /><br /><b>NOTE:</b> If you were unable to set the Grub password during the installation procedure, then as an option, you may search the Internet for a method to manually set the password after the installation process...<br /><br /></li>
</ul>
</li>
<li>After the installation is complete, shut down the system, go into <b>Settings</b> and remove the virtual CD/DVD drive that links to your <b>Fedora17 image file</b>. Boot your <b>Hardened Linux</b> VM and try to enter <b>single-user</b> mode. Were you successful?<br />Record your findings in your lab log-book.</li>
</ol>
</li>
<li>When booting your Hardened Linux system for the first time, fill out a regular user account, and <b>add to administrator's group</b>.</li>
<li>Finally, perform an update on your system by issuing: <b>yum update</b>.</li>
</ol>
<br />
<div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;"><div><b>Periodic Updates &amp; Upgrades</b><br />It is important as a system administrator to periodically and consistently <b>update/upgrade the operating system and applications</b> to help harden the operating system from vulnerabilities.<br /><br />It is also important to perform <b>operating system upgrades</b> when officially released (stable) editions become available. Failing to perform upgrades to an operating system can eventually make operating systems obsolete and unsupported by the development community. Usually a Linux distribution provides time-lines regarding support (eg. <b>LTS: Long Term Support</b>).</div></div>
<br />
<ol>
<li value="15">Record your observations in your lab log-book.</li>
<li>Proceed to Task #2.</li>
</ol>
<p><b>Answer the Task #1 observations / questions in your lab log book.</b>
</p>
<p><br>
</p>
<a name="Task2" id="Investigation_1:_How_to_Perform_a_Fedora_DVD_Install_on_Your_Removable_Hard_Drive"></a><h2> <span class="mw-headline">Task #2: Closing Unnecessary Ports / Using SSH</span></h2>
<br>In this section, you will either close or prevent unnecessary ports (services) from running and <b>mask some running services</b> (such as SSH) in order to make your Linux system less vulnerable.<br><br>
INSTRUCTIONS:
<ol>
<li>Tighten up your Hardened Linux VM to expose the <b>smallest possible number of services</b> running on your Linux system.</li>
<li>Verify that the minimum number of (essential) services are running on your Linux system.</li>
<li>Use the <b>Nessus</b> application and <b>Metasploit</b> framework to confirm that there are no vulnerable services running on your Hardened Linux VM.</li>
<li>Discuss with another classmate which software is <u>not</u> required to be installed. What is the minimum software configuration that will work? Try to list at least 10 applications in your lab log-book.</li>
<li>With a classmate, discuss the information visible to users logged in to your system and whether the disclosure of that information presents any real security risk. For example, is it ok for users to view the information in <b>/proc</b>? or in <b>/etc</b>?<br /><br /></li>
<li>Refer to the following link to OPS235 Lab 7 (SSH): <a href="http://zenit.senecac.on.ca/wiki/index.php/OPS235_Lab_7#Investigation_1:_How_do_you_enable_the_sshd_service." target="_new">SSH Configuration</a><br />(Note: newer versions of Fedora Linux use <b>systemctl</b> instead of the <b>service</b> command).</li>
<li>Configure SSH to run on a different port number.</li>
<li>Use SSH to run the <b>gedit</b> command from your Linux VM, but displayed on your host.</li>
<li>Have your group members view the open ports on your VM, and see if they can access this running port.</li>
<li>How does this technique make your Linux server less vulnerable?</li>
<li>Proceed to Task #3.</li>
</ol>
<p><b>Answer the Task #2 observations / questions in your lab log book.</b>
</p>
<br><br>
<a name="Task3" id="Investigation_2:_How_many_file_packages_and_files_are_installed_on_the_system.3F"></a><h2> <span class="mw-headline">Task #3: Using PAM</span></h2>
<br>Fedora uses the Linux <b>Pluggable Authentication Modules (PAM)</b> system to perform <b>authentication (and some related activities, such as account environment initialization)</b>. As the name suggests, PAM is modular and permits various modules to be plugged in or removed at the system administrator's discretion.<br><br>
INSTRUCTIONS:
<ol>
<li>Ensure that your Hardened Linux VM (i.e. Fedora17) system is running, and log in as a user with administration privileges.</li>
<li>Open a shell terminal in your Hardened Linux VM, change to the directory <b>/etc/pam.d</b> and review the names of the existing files. What do you think these represent in terms of hardening this system? Record your answer in your lab log-book. Locate the file that contains the PAM configuration for <b>system-config-network</b>.</li>
<li>Access the <b>PAM System Administrator's Guide</b> in a web-browser (file pathname: <b>/usr/share/doc/pam-1.1.5/html/Linux-PAM_SAG.html</b>).</li>
<li>Make a brief list of line options for the <b>system-config-network</b> PAM configuration file, and record in your lab log-book.</li>
<li>How could you change this PAM configuration file so that a user logged in on the console would not need to enter the root password? (read the manual or perform a NetSearch to get the answer). Record your answer in your lab log-book.<br><br></li>
</ol>
<div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;"><div><b>Pam ABL</b><br><b>Pam ABL stands</b> for <b>Pam Auto Blacklist Module</b>. This module allows for the blacklisting of hosts (users) that repeatedly attempt to connect / authenticate with your server.<br><br></div></div>
<br>
<ol>
<li value="6">Install the <b>pam_abl</b> package by issuing the following command: <b>yum install pam_abl</b>.</li>
<li>Research on the Internet how to edit the pam_abl configuration file.
Documentation for pam_abl (web-browser) is available by using the file pathname:<br /><b>/usr/share/doc/pam_abl-0.2.3/pam_abl.html</b></li> <li>Configure the file <b>/etc/security/pam_abl.conf</b> to use the <b>pam_time</b> module to permit remote ssh access only during the daytime.</li> <li>Configure your system <b>to deny access for 1 day</b> to any user or host who has <u><b>5</b> invalid password attempts in an hour</u>, or <u><b>12</b> invalid password attempts in a day</u> using the <b>pam_abl</b> module.<br /><br />Here is an approximate example: <a href="http://tommi.org/2008/08/automaticly-blacklisting-password-attempts/" target="_blank">Automatically Blacklist Password Attempts</a><br /><br /></li> <li>Create a group named <b>development</b>.</li> <li>Create the directories <b>/var/devel1</b> and <b>/var/devel2</b> and make them accessible to all users. Set the SGID permission bit on <b>/var/devel2</b> and make that directory owned by the group called <i>development</i>.<br /><br />Here is a link to setting SGID permissions: <a href="http://www.techcuriosity.com/resources/linux/advanced_file_permissions_in_linux.php" target="_blank">Advanced File Permissions</a><br /><br /></li> <li>Create <b>three regular users</b>. Ensure that two users are in the <i>development</i> group and that the third user is not.</li> <li>Have each user create a file in <b>/var/devel1</b> and <b>/var/devel2</b>.</li> <li>Record the user and group permission for each file.</li> <li>Attempt to access each of the six files using each user's account by reading and then appending (two separate operations). What succeeds and what fails? 
Why?</li> <li>What would the development users have to do to make their files in <b>/var/devel1</b> accessible to each other?</li> <li>Why is Fedora set up so that each user has their own group and the default umask is <b>0002</b>?</li> <li>Record your findings in your lab log-book.</li> <li>Proceed to "Completing The Lab".</li> </ol> <p><b>Answer Task #3 observations / questions in your lab log book.</b> </p><p><br> </p> <a name="Completing_the_Lab" id="Completing_the_Lab"></a> <h1> <span class="mw-headline"> Completing the Lab </span></h1> <p><b>Arrange evidence for each of these items on your screen, then ask your instructor to review them and sign off on the lab's completion:</b> </p> <ol> <li>All unnecessary services <b>turned off</b>.</li> <li>SSH run on a <b>different port</b>.</li> <li>Proof of <b>PAM</b> used to control access to directories. </li> <li>Completed Lab 6 notes.</li> </ol> <p><br> </p><a name="Preparing_for_Quizzes" id="Preparing_for_Quizzes"></a> <h1> <span class="mw-headline"> Preparing for Quizzes </span></h1> <ol> <li>Briefly explain how to access the root account (in run-level 1) from an unprotected Linux system upon boot-up.</li> <li>List the steps to set up a <b>grub password</b> to protect a Linux system upon boot-up.</li> <li>Explain the consequences of running unnecessary services on a server.</li> <li>List the steps to stop a running service, and describe 2 unique methods of confirming that a service is no longer running on the server.</li> <li>What is the purpose of using SSH for tunnelling while using a different port number?</li> <li>What does <b>PAM</b> stand for? What is the purpose of the <i>PAM</i> modules?</li> <li>What is the purpose of the <b>pam_abl</b> modules?</li> </ol>
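<p>For the Task #2 step "Configure SSH to run on a different port number", a check that the change actually took effect (an added example, not part of the original lab). The function names and the three sample configuration files are constructed for illustration; the logic relies on sshd listening on port 22 when no <b>Port</b> line is active and on every <b>Port</b> line when several are present.</p>

```shell
#!/bin/sh
# Added example: report which ports an sshd_config makes sshd listen on.
# ssh_ports and ssh_default_port_exposed are hypothetical helper names, and
# the sample files below are constructed, not taken from a real system.

# Print every active Port value. Commented lines (#Port 22) do not count,
# and sshd falls back to port 22 when no Port line is active.
ssh_ports() {
    awk 'tolower($1) == "port" { printf "%s%s", sep, $2; sep = " "; found = 1 }
         END { if (!found) printf "22"; printf "\n" }' "$1"
}

# Exit 0 if the default port 22 is still one of the listening ports.
ssh_default_port_exposed() {
    for p in $(ssh_ports "$1"); do
        if [ "$p" = "22" ]; then
            return 0
        fi
    done
    return 1
}

# Constructed sample configurations, written to a throwaway directory.
SSH_DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$SSH_DEMO_DIR"' EXIT

# 1. Stock file: the Port line is only a comment, so the default applies.
cat > "$SSH_DEMO_DIR/stock" <<'EOF'
#Port 22
X11Forwarding yes
EOF

# 2. Common mistake: a new port was added but the old Port line stayed
#    active. sshd accepts several Port lines and listens on all of them.
cat > "$SSH_DEMO_DIR/both" <<'EOF'
Port 22
Port 2222
X11Forwarding yes
EOF

# 3. Intended result: sshd listens only on the new port. X11Forwarding is
#    what lets gedit run on the VM and display on the host.
cat > "$SSH_DEMO_DIR/moved" <<'EOF'
#Port 22
Port 2222
X11Forwarding yes
EOF

for name in stock both moved; do
    if ssh_default_port_exposed "$SSH_DEMO_DIR/$name"; then
        state="port 22 still open"
    else
        state="port 22 closed"
    fi
    echo "$name: listening on $(ssh_ports "$SSH_DEMO_DIR/$name") ($state)"
done
```

<p>On the VM, point <b>ssh_ports</b> at <b>/etc/ssh/sshd_config</b> and compare the result with what <b>netstat</b> shows after restarting the service.</p>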
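<p>For the Task #3 requirement of <b>5</b> invalid attempts in an hour or <b>12</b> in a day, a simplified model of how such a threshold rule is evaluated (an added example, not pam_abl's own code and not part of the original lab). It assumes a rule written as <b>5/1h,12/1d</b> trips when any clause sees that many failures inside its window; the function names and the timestamps are constructed.</p>

```shell
#!/bin/sh
# Added example: simplified model of a threshold rule "5/1h,12/1d".
# Assumption: a clause N/PERIOD trips when N or more failed attempts fall
# inside the last PERIOD, and the rule blocks if any clause trips.
# period_seconds, abl_blocked, failures and report are hypothetical names.

# Convert a period such as 1h or 1d to seconds.
period_seconds() {
    num=${1%[smhd]}
    case $1 in
        *s) echo "$num" ;;
        *m) echo $((num * 60)) ;;
        *h) echo $((num * 3600)) ;;
        *d) echo $((num * 86400)) ;;
        *)  return 1 ;;
    esac
}

# abl_blocked RULE NOW TS...  exits 0 if the rule blocks, 1 if it allows.
# TS values are epoch seconds of earlier failed attempts.
abl_blocked() {
    rule=$1
    now=$2
    shift 2
    for clause in $(printf '%s' "$rule" | tr ',' ' '); do
        limit=${clause%%/*}
        window=$(period_seconds "${clause#*/}") || return 2
        count=0
        for ts in "$@"; do
            age=$((now - ts))
            if [ "$age" -ge 0 ] && [ "$age" -lt "$window" ]; then
                count=$((count + 1))
            fi
        done
        if [ "$count" -ge "$limit" ]; then
            return 0
        fi
    done
    return 1
}

# Constructed data: NOW is an arbitrary epoch time.
NOW=1500000000
RULE="5/1h,12/1d"

# failures COUNT FIRST_AGE STEP prints COUNT timestamps, the newest
# FIRST_AGE seconds before NOW and each earlier one STEP seconds older.
failures() {
    i=0
    out=""
    while [ "$i" -lt "$1" ]; do
        out="$out $((NOW - $2 - i * $3))"
        i=$((i + 1))
    done
    echo $out
}

report() {
    label=$1
    shift
    if abl_blocked "$RULE" "$NOW" "$@"; then
        echo "$label: blocked"
    else
        echo "$label: allowed"
    fi
}

report "5 failures in the last 5 minutes" $(failures 5 60 60)
report "4 failures in the last 4 minutes" $(failures 4 60 60)
report "12 failures spread over 23 hours" $(failures 12 7000 7000)
report "11 failures spread over 21 hours" $(failures 11 7000 7000)
report "5 failures from two days ago"     $(failures 5 172800 60)
```

<p>The third case is the one the hourly clause alone would miss: a slow guesser who never makes five attempts in any hour is still caught by the daily clause.</p>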