SEC520/labs/Lab 6

2,974 bytes removed, 16:00, 21 July 2023
Protected "SEC520/labs/Lab 6": OER transfer ([Edit=Allow only administrators] (indefinite) [Move=Allow only administrators] (indefinite))
<h1> <span class="mw-headline">Linux System Hardening (Part 1)</span></h1>
<a name="Introduction" id="Introduction"></a><h2> <span class="mw-headline">Introduction</span></h2>
<dl><dd><ul><li>In this lab, students will learn how to make their Linux servers less vulnerable to attacks (i.e. <b>hardening</b> the Linux system). First, students will prevent users from booting into <b>run level 1 (super-user mode)</b> by creating a <b>grub boot password</b>.
</li></ul>
</dd></dl>
<dl><dd><ul><li>Students will then <b>configure SSH</b> to provide a safe "tunnel" that protects data from interception, and change the port number to help confuse (discourage) hackers.
</li></ul>
</dd></dl>
<dl><dd><ul><li>Finally, students will use <b>PAM</b> (Pluggable Authentication Modules) to further protect running applications in their VMs.
</li></ul>
</dd></dl>
<br><br>
<a name="Objectives" id="Objectives"></a><h2> <span class="mw-headline">Objectives</span></h2>
<ol><li>Set up a <b>grub boot</b> password to prevent users from gaining access to super-user mode during Linux system bootup.
</li><li><b>Close unnecessary running ports</b> (services) to make server(s) less vulnerable to attack. </li><li>Use <b>SSH tunnelling</b> to protect data from being picked up by hackers. </li><li>Use <b>PAM</b> to provide authentication for APIs (application programming interfaces).
</li></ol>
<p><br>
</p>
<a name="Required_Materials_.28Bring_to_All_Labs.29" id="Required_Materials_.28Bring_to_All_Labs.29"></a><h2> <span class="mw-headline">Required Materials (Bring to All Labs)</span></h2>
<ul>
<li> <b>SATA Hard Disk</b> (in removable disk tray).
</li><li> <b>Lab Logbook (Lab4 Reference Sheet)</b> (to make notes and observations).
</li></ul>
<p><br>
</p>
<a name="Prerequisites" id="Prerequisites"></a><h2> <span class="mw-headline">Prerequisites</span></h2>
<ul><li> <a href="https://scs.senecac.on.ca/%7Efac/sec520/labs/SEC520_Lab_5.html">SEC520 Lab 5</a>
</li></ul>
<p><br>
</p>
<a name="Linux_Command_Online_Reference" id="Linux_Command_Online_Reference"></a><h2> <span class="mw-headline">Online Tools and References</span></h2>
<ul>
<li><a href="http://www.linuxhowtos.org/Network/netstat.htm" target="_new">netstat</a></li>
<li><a href="http://www.hscripts.com/tutorials/linux-services/index.php">service</a> <b>or</b> <a href="http://www.linux.com/learn/tutorials/527639-managing-services-on-linux-with-systemd">systemctl</a> (on <u>newer</u> Linux distributions)</li>
<li><a href="http://www.ibm.com/developerworks/linux/library/l-pam/index.html" target="_new">PAM</a></li>
<!-- DEAD LINK: <li><a href="http://tommi.org/2008/08/automaticly-blacklisting-password-attempts/" target="_blank">Automatically Blacklist Password Attempts</a></li> -->
<li><a href="http://www.techcuriosity.com/resources/linux/advanced_file_permissions_in_linux.php" target="_blank">Advanced File Permissions</a></li>
<li><a href="http://www.cyberciti.biz/tips/howot-install-ubuntu-linux-ssh-server.html" target="_new">SSH</a></li>
<!-- DEAD LINK: <li><a href="http://linuxmanpages.com/" target="_new">Online Linux Manpages</a></li> -->
</ul>
<p><br>
</p>
<a name="Resources_on_the_web" id="Resources_on_the_web"></a><h2> <span class="mw-headline">Course Notes</span></h2>
<ul>
<li><a href="http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w3_l1.odp">odp</a> | <a href="http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w3_l1.pdf">pdf</a> | <a href="http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w3_l1.ppt">ppt</a> (Slides: Linux Hardening - part 1)</li>
<!-- DEAD LINK: <li><a href="http://www.linuxdoc.org/HOWTO/User-Authentication-HOWTO/x115.html" target="_new">Why Use PAM?</a></li> -->
<li><a href="http://www.ibm.com/developerworks/linux/library/l-pam/index.html" target="_new">Understanding and Configuring PAM</a></li>
</ul>
<a name="Performing_Lab_2" id="Performing_Lab_2"></a><h1> <span class="mw-headline">Performing Lab 6</span></h1>
<p><br>
</p>
<a name="Task1" id="Investigation_1:_How_to_Perform_a_Fedora_DVD_Install_on_Your_Removable_Hard_Drive"></a><h2> <span class="mw-headline">Task #1: Locking Down Bootup / Performing System Updates</span></h2>
<br />
<div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;"><div><b>Locking Down the Server's BIOS</b><br />The system administrator should prevent the server's BIOS from booting from removable drives, and set up a BIOS password to limit access to editing the server's BIOS. Since you are using the college's computers, you are not able to lock down the BIOS, but it is worth mentioning when you are securing computers in the future.</div></div>
<br />
This section will demonstrate how easy it is for a regular user to gain <b>root</b> user access to a newly-booted Linux system. As a safeguard, the student will learn how to set a <b>grub password</b> to make the computer system less vulnerable.
<br /><br />
<div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;"><div><b>Vulnerabilities During Boot-up: Single User Mode</b><br />Although great attention is paid to securing a Linux system in terms of running services, upgrades, and setting passwords, very little attention can be paid to the boot-up process.<br /><br />The system administrator should configure the BIOS of their Linux servers to <b>prevent booting from removable media</b>, and assign a <b>boot password</b> to limit access to edit the Linux server's BIOS settings.<br /><br />In addition (by default) the <b>Grub Boot Loader</b> allows anyone with access to the computer at boot time to set the <b>runlevel, or change the boot parameters</b>, which can allow them to influence the <b><i>init</i></b> process and which kernel image is loaded. Anyone with access to the boot prompt can therefore bypass security controls and control which software is loaded. For example, rebooting to <b>runlevel</b> (known as <b>single user mode</b>) gives the user root privileges without the need for a password!</div></div>
<br />
INSTRUCTIONS:
<ol>
<li>Boot your BackTrack (host) system.</li>
<li>Open the VirtualBox manager window.</li>
<li>Prior to running your Vulnerable Linux VM, read the following link on how to enter into <b>single-user</b> mode:<br /><br /><a href="http://docs.fedoraproject.org/en-US/Fedora/13/html/Installation_Guide/s1-rescuemode-booting-single.html" target="_new">How to Enter Single User Mode (Fedora17 - also applies to Fedora Core 5)</a>.<br /><br /></li>
<li>Boot the Vulnerable Linux VM, press any key, then press the key <b>a</b> to append the word <b>single</b> at the end of the boot command.</li>
<li>After boot-up is complete, you should notice you are logged in as <b>root</b> (you can issue <b>whoami</b> to confirm).</li>
<li>Navigate throughout the file system. Check the unprivileged users in the <b>/home</b> directory.</li>
<li>What are the consequences of NOT locking down the grub password? Record your observations in your lab log-book.</li>
<li>Issue the <b>shutdown -h</b> or <b>halt</b> command to shut down your Vulnerable Linux VM.</li>
</ol>
<br />
<div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;"><div><b>Installing a More Recent Linux Distribution</b><br />One disadvantage of using <b>Fedora Core 5</b> is that this version is very old, and is no longer supported in terms of its software repositories (software, security patches, etc.).<br /><br />Therefore, we will be creating another Linux VM (called <b>Hardened Linux</b>) using the Fedora17 install image file that you should have downloaded to your Kali Linux (host) at the end of lab3.</div></div>
<br />
<ol>
<li value="9">Launch the <b>Oracle VM VirtualBox</b> application, click on the <b>New</b> button, and click on <b>Next</b> to proceed.</li>
<li>Enter the name <b>Hardened Linux</b> for your VM name. Make certain that the OS Type is <b>Linux</b>, and the Version is <b>Fedora</b>, and then click on <b>Next</b> to proceed.</li>
<li>Accept the defaults (like you did in lab1, including <b>768 MB</b> RAM and set <b>10GB</b> for the VM's Hard Disk Size), and eventually click <b>Finish</b> to complete the VM setup.<br /><br /></li>
<li>Prior to starting your <b>Hardened Linux</b> VM, you will set up a <b>virtual disk</b> in order to boot from your saved <i>Fedora17 install image</i>.<br />Complete the following steps to prepare for installation:<br /><br />
<ol type="a">
<li>Right-click on the VM called <b>Hardened Linux</b> in the VirtualBox application window, and select <b>Settings</b>.</li>
<li>Select <b>Network</b> and set to <b>Host-Only</b> adaptor.</li>
<li>Select the <b>Storage</b> tab on the left side of the application window.</li>
<li>Click on <b>IDE Controller</b> near the top of the <b>Storage Tree</b> window, then click on the green plus sign to <b>add a new CD/DVD drive</b>. You will be required to specify the location of that Fedora install image (i.e. <b>Choose Disk</b>). The installation process should start (you may need to wait and ignore system errors). Make default install selections as you did with the previous Linux installation. When completed, save your settings.</li>
<li>After you have changed your settings, double-click on <b>Hardened Linux</b> to start the installation process.<br /><br /></li>
<li>Make the following selections during the installation process:
<ul>
<li>In addition to the defaults, add the <b>Fedora F17</b> and <b>Fedora F17 - Updates</b> repository.</li>
<li>Select <b>Create a Grub Boot Password</b> near the end of the installation in the Grub Boot section; otherwise, accept similar defaults like you did in lab1.<br /><br /><b>NOTE:</b> If you were unable to set the Grub password during the installation procedure, then as an option, you may search the Internet for a method to manually set the password after the installation process...<br /><br /></li>
</ul>
</li>
<li>After the installation is complete, shut down the system, go into <b>Settings</b> and remove the virtual CD/DVD drive that links to your <b>Fedora17 image file</b>. Boot your <b>Hardened Linux</b> VM and try to enter <b>single-user</b> mode. Were you successful?<br />Record your findings in your lab log-book.</li>
</ol>
</li>
<li>When booting your Hardened Linux system for the first time, fill out a regular user account, and <b>add to administrator's group</b>.</li>
<li>Finally, perform an update on your system by issuing: <b>yum update</b>.</li>
</ol>
<br />
<div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;"><div><b>Periodic Updates &amp; Upgrades</b><br />It is important as a system administrator to periodically and consistently <b>update/upgrade the operating system and applications</b> to help harden the operating system from vulnerabilities.<br /><br />It is also important to perform <b>operating system upgrades</b> when officially released (stable) editions become available. Failing to perform upgrades to an operating system can eventually make operating systems obsolete and unsupported by the development community. Usually a Linux distribution provides time-lines regarding support (e.g. <b>LTS: Long Term Support</b>).</div></div>
<br />
<ol>
<li value="15">Record your observations in your lab log-book.</li>
<li>Proceed to Task #2.</li>
</ol>
<p><b>Answer the Task #1 observations / questions in your lab log book.</b>
</p>
<p><br>
</p>
<a name="Task2" id="Investigation_1:_How_to_Perform_a_Fedora_DVD_Install_on_Your_Removable_Hard_Drive"></a><h2> <span class="mw-headline">Task #2: Closing Unnecessary Ports / Using SSH</span></h2>
<br><br>
In this section, you will either close or prevent unnecessary ports (services) from running and <b>mask some running services</b> (such as SSH) in order to make your Linux system less vulnerable.
<br><br>
INSTRUCTIONS:
<ol>
<li>Tighten up your Hardened Linux VM to expose the <b>smallest possible number of services</b> running on your Linux system.</li>
<li>Verify that the minimum number of (essential) services are running on your Linux system.</li>
<li>Use the <b>Nessus</b> application and <b>Metasploit</b> framework to confirm that there are no vulnerable services running on your Hardened Linux VM.</li>
<li>Discuss with another classmate which software is <u>not</u> required to be installed. What is the minimum software configuration that will work? Try to list at least 10 applications in your lab log-book.</li>
<li>With a classmate, discuss the information visible to users logged in to your system and whether the disclosure of that information presents any real security risk. For example, is it ok for users to view the information in <b>/proc</b>? or in <b>/etc</b>?<br /><br /></li>
<li>Refer to the following link to OPS235 Lab 7 (SSH): <a href="http://zenit.senecac.on.ca/wiki/index.php/OPS235_Lab_7#Investigation_1:_How_do_you_enable_the_sshd_service." target="_new">SSH Configuration</a><br />(Note: newer versions of Fedora Linux use <b>systemctl</b> instead of the <b>service</b> command).</li>
<li>Configure SSH to run on a different port number.</li>
<li>Use SSH to run the <b>gedit</b> command from your Linux VM, but displayed on your host.</li>
<li>Have your group members view the open ports on your VM, and see if they can access this running port.</li>
<li>How does this technique make your Linux server less vulnerable?</li>
<li>Proceed to Task #3.</li>
</ol>
<p><b>Answer the Task #2 observations / questions in your lab log book.</b>
</p>
<br><br>
<a name="Task3" id="Investigation_2:_How_many_file_packages_and_files_are_installed_on_the_system.3F"></a><h2> <span class="mw-headline">Task #3: Using PAM</span></h2>
<br>
Fedora uses the Linux <b>Pluggable Authentication Modules (PAM)</b> system to perform <b>authentication (and some related activities, such as account environment initialization)</b>. As the name suggests, PAM is modular and permits various modules to be plugged in or removed at the system administrator's discretion.
<br><br>
INSTRUCTIONS:
<ol>
<li>Ensure that your Hardened Linux VM (i.e. Fedora17) system is running, and log in as a user with administration privileges.</li>
<li>Open a shell terminal in your Hardened Linux VM, and change to the directory <b>/etc/pam.d</b> and review the names of the existing files. What do you think these represent in terms of hardening this system? Record your answer in your lab log-book. Locate the file that contains the PAM configuration for <b>system-config-network</b>.</li>
<li>Access the <b>PAM System Administrator's Guide</b> in a web-browser (file pathname: <b>/usr/share/doc/pam-1.1.5/html/Linux-PAM_SAG.html</b>).</li>
<li>Make a brief list of line options for the <b>system-config-network</b> PAM configuration file, and record in your lab log-book.</li>
<li>How could you change this PAM configuration file so that a user logged in on the console would not need to enter the root password? (read the manual or perform a NetSearch to get the answer). Record your answer in your lab log-book.<br><br></li>
</ol>
<div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;"><div><b>Pam ABL</b><br><b>Pam ABL stands</b> for <b>Pam Auto Blacklist Module</b>. This module allows for the blacklisting of hosts (users) that repeatedly attempt to connect / authenticate with your server.<br><br></div></div>
<br>
<ol>
<li value="15">Install the <b>pam_abl</b> package by issuing the following command: <b>yum install pam_abl</b>.</li>
<li>Research on the Internet how to edit the pam_abl configuration file. Documentation for pam_abl (web-browser) is available by using the file pathname:<br /><b>/usr/share/doc/pam_abl-0.2.3/pam_abl.html</b></li>
<li>Configure the file <b>/etc/security/pam_abl.conf</b> to use the <b>pam_time</b> module to permit remote ssh access only during the daytime.</li>
<li>Configure your system <b>to deny access for 1 day</b> to any user or host who has <u><b>5</b> invalid password attempts in an hour</u>, or <u><b>12</b> invalid password attempts in a day</u> using the <b>pam_abl</b> module.<br />
<!-- DEAD LINK: Here is an approximate example: <a href="http://tommi.org/2008/08/automaticly-blacklisting-password-attempts/" target="_blank">Automatically Blacklist Password Attempts</a> -->
<br /></li>
<li>Create a group named <b>development</b>.</li>
<li>Create the directory <b>/var/devel1</b> and <b>/var/devel2</b> and make them accessible to all users. Set the SGID permission bit on <b>/var/devel2</b> and make that directory owned by the group called <i>development</i>.<br /><br />Here is a link to setting SGID permissions: <a href="http://www.techcuriosity.com/resources/linux/advanced_file_permissions_in_linux.php" target="_blank">Advanced File Permissions</a><br /><br /></li>
<li>Create <b>three regular users</b>. Ensure that two users are in the <i>development</i> group and that the third user is not.</li>
<li>Have each user create a file in <b>/var/devel1</b> and <b>/var/devel2</b>.</li>
<li>Record the user and group permission for each file.</li>
<li>Attempt to access each of the six files using each user's account by reading and then appending (two separate operations). What succeeds and what fails? Why?</li>
<li>What would the development users have to do to make their files in <b>/var/devel1</b> accessible to each other?</li>
<li>Why is Fedora set up so that each user has their own group and the default umask is <b>0002</b>?</li>
<li>Record your findings in your lab log-book.</li>
<li>Proceed to "Completing The Lab".</li>
</ol>
<p><b>Answer Task #3 observations / questions in your lab log book.</b>
</p>
<p><br>
</p>
<a name="Completing_the_Lab" id="Completing_the_Lab"></a><h1> <span class="mw-headline"> Completing the Lab </span></h1>
<p><b>Arrange evidence for each of these items on your screen, then ask your instructor to review them and sign off on the lab's completion:</b>
</p>
<ol>
<li>All unnecessary services <b>turned-off</b>.</li>
<li>SSH run on a <b>different port</b>.</li>
<li>Proof of <b>PAM</b> used to control access to directories.</li>
<li>Completed Lab 6 notes.</li>
</ol>
<p><br>
</p>
<a name="Preparing_for_Quizzes" id="Preparing_for_Quizzes"></a><h1> <span class="mw-headline"> Preparing for Quizzes </span></h1>
<ol>
<li>Briefly explain how to access the root account (in run-level 1) from an unprotected Linux system upon boot-up.</li>
<li>List the steps to set up a <b>grub password</b> to protect a Linux system upon boot-up.</li>
<li>Explain the consequences of running unnecessary services on a server.</li>
<li>List the steps to stop a running service, and describe 2 unique methods of confirming that a service is no longer running on the server.</li>
<li>What is the purpose of using SSH for tunnelling while using a different port number?</li>
<li>What does <b>PAM</b> stand for? What is the purpose of the <i>PAM</i> modules?</li>
<li>What is the purpose of the <b>pam_abl</b> modules?</li>
</ol>
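<p>For the Task #2 steps on verifying the minimum set of running services and moving SSH to a different port, the following is an added example and not part of the original lab. It reads the configured SSH port(s) and lists every non-loopback TCP listener that is not on the allow-list; the sample <b>sshd_config</b> and <b>netstat -tln</b> text, the port 2222 and the function names are constructed for illustration.</p>

```shell
#!/bin/sh
# Added example, not part of the lab. All sample data below is constructed.

# Constructed sshd_config fragment: the default port is commented out
# and SSH has been moved to 2222.
sample_sshd_config() {
    cat <<'EOF'
#Port 22
Port 2222
Protocol 2
PermitRootLogin no
EOF
}

# Constructed `netstat -tln` output from a VM that still runs extra services.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN
tcp        0      0 :::2222                 :::*                    LISTEN
EOF
}

# Read an sshd_config on stdin and print every active Port value.
# Keywords are case-insensitive, commented lines do not count, and
# sshd falls back to 22 when no Port line is present.
sshd_ports() {
    awk 'tolower($1) == "port" { print $2; n++ }
         END { if (n == 0) print 22 }'
}

# Read `netstat -tln` output on stdin; arguments are the allowed ports.
# Prints each remotely reachable listening port that is not allowed.
# Loopback-only listeners are skipped: other hosts cannot reach them.
unexpected_listeners() {
    awk -v allowed=" $* " '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            host = $4; sub(/:[0-9]+$/, "", host)   # text before the port
            if (host == "127.0.0.1" || host == "::1") next
            if (index(allowed, " " port " ") == 0) print port
        }' | sort -nu
}

ports=$(sample_sshd_config | sshd_ports)
echo "sshd configured on port(s): $ports"
echo "listeners to investigate or turn off:"
# $ports is left unquoted on purpose so that several ports become several arguments.
sample_netstat | unexpected_listeners $ports
```

<p>On a real VM, feed the functions <b>/etc/ssh/sshd_config</b> and the live <b>netstat -tln</b> output instead of the samples; an empty list is the evidence the "Completing the Lab" checklist asks for.</p>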
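<p>For the Task #3 step that sets the <b>pam_abl</b> thresholds (5 invalid password attempts in an hour, or 12 in a day), the following added example, which is not part of the original lab and is not pam_abl's own code, evaluates those two thresholds as sliding windows over sshd log lines. The log lines, host name and addresses are constructed, and the parser assumes all lines fall in the same month; how long a block then lasts is a separate setting that is not modelled here.</p>

```shell
#!/bin/sh
# Added example, not part of the lab. Log lines and addresses are constructed.
# Thresholds from Task #3: 5 failures in an hour, or 12 failures in a day
# (pam_abl's rule notation writes such a pair as 5/1h,12/1d).

sample_auth_log() {
    for m in 01 03 05 07 09; do        # 5 failures inside ten minutes
        echo "Jul 21 10:$m:00 hardened sshd[1200]: Failed password for root from 192.0.2.10 port 40000 ssh2"
    done
    for h in 12 14 16 18 20 22; do     # slow guessing: one try every two hours ...
        echo "Jul 20 $h:00:00 hardened sshd[1300]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2"
    done
    for h in 00 02 04 06 08 10; do     # ... which adds up to 12 tries in 24 hours
        echo "Jul 21 $h:00:00 hardened sshd[1300]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2"
    done
    for m in 20 25 30 35; do           # 4 failures: below both thresholds
        echo "Jul 21 10:$m:00 hardened sshd[1400]: Failed password for alice from 203.0.113.5 port 40002 ssh2"
    done
    # A successful login is not a failure and must not be counted.
    echo "Jul 21 10:40:00 hardened sshd[1400]: Accepted password for alice from 203.0.113.5 port 40002 ssh2"
}

# Read sshd log lines on stdin and print the hosts that meet either
# threshold at the given moment.
#   $1 = day of month, $2 = HH:MM:SS at which the rule is evaluated
blacklisted_hosts() {
    awk -v nd="$1" -v nt="$2" '
        # Seconds since the start of the month (same-month assumption).
        function secs(d, t,    p) {
            split(t, p, ":")
            return d * 86400 + p[1] * 3600 + p[2] * 60 + p[3]
        }
        BEGIN { now = secs(nd, nt) }
        /sshd\[[0-9]+\]: Failed password for / {
            host = $(NF - 3)                 # line ends: from HOST port N ssh2
            age = now - secs($2, $3)
            if (age < 0) next                # ignore entries after "now"
            if (age <= 3600)  in_hour[host]++
            if (age <= 86400) in_day[host]++
            seen[host] = 1
        }
        END {
            for (h in seen)
                if (in_hour[h] >= 5 || in_day[h] >= 12) print h
        }' | sort
}

echo "over threshold at Jul 21 11:00:00:"
sample_auth_log | blacklisted_hosts 21 11:00:00
echo "over threshold at Jul 21 11:30:00:"
sample_auth_log | blacklisted_hosts 21 11:30:00
```

<p>The second evaluation shows why both windows matter: the burst from 192.0.2.10 has aged out of the one-hour window by 11:30, while the slow guesser at 198.51.100.7 never trips the hourly rule and is only caught by the daily one.</p>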