You can find the abstract below
Please Prepare for the Workshop
We will base our workshop on an Ubuntu image, which I will link below. I recommend using a VirtualBox VM, which is what I use.
This VM will have a basic OS, a web server and some files we would like to protect.
I am also using Ubuntu as my host, with ZSH - but will explain anything that looks funny :-)
I have included instructions to help you:
- Manually create a VM
- Use Vagrant to create the VM
- Download a prepared VM (lazy option, don't do this)
- I will post updates through email or Twitter (@barnhartguy)
- feel free to DM if you have any questions or issues
If you are not sure how to do the above, use the resources below.
If you need to install VirtualBox, use the following
sudo apt install virtualbox
Manual
- Download the Ubuntu 18.04.2 ISO
- validate the SHA256 checksum
ea6ccb5b57813908c006f42f7ac8eaa4fc603883a2d07876cf9ed74610ba2f53 *ubuntu-18.04.2-live-server-amd64.iso
- Create a new VirtualBox VM based on Ubuntu 18.04.2
- Test that you have an internet connection from the VM
- update your repositories
- upgrade packages
- install NGINX
- copy index.html to
/var/www/html
- browse to your VM (over port 80) and make sure you see the workshop webpage
# run these commands with root privileges
sudo apt install nginx
curl https://productsecurity.info/files/bsideslv-workshop.index.html > /var/www/html/index.html
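The checksum step in the list above, as an added example that is not part of the original workshop material: a fail-closed SHA256 check using the ISO name and digest given there. The helper name verify_sha256 is an assumption made for this example.

```shell
#!/bin/sh
# Added example: refuse to use the ISO unless its SHA256 matches the published digest.
# verify_sha256 is a hypothetical helper name, not part of the workshop files.

# File name and digest exactly as listed in the manual steps above.
ISO_FILE="ubuntu-18.04.2-live-server-amd64.iso"
ISO_SHA256="ea6ccb5b57813908c006f42f7ac8eaa4fc603883a2d07876cf9ed74610ba2f53"

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 when the input cannot be checked.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    # A truncated or mangled copy-paste must never be compared.
    case $expected in
        *[!0-9a-f]*) echo "expected digest is not hex" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "expected digest must be 64 hex characters" >&2
        return 2
    fi
    if [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 2
    fi

    actual=$(sha256sum -- "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Check the ISO only when it has been downloaded to the current directory.
if [ -f "$ISO_FILE" ]; then
    verify_sha256 "$ISO_FILE" "$ISO_SHA256" || echo "Do not boot this image." >&2
fi
```
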
Vagrant
- install vagrant and virtualbox
- save the script below as “Vagrantfile”
- run
vagrant validate
- run
vagrant up
Vagrant.configure("2") do |config|
  config.vm.box = "ubuntu/bionic64"
  config.vm.box_check_update = false
  config.vm.network "forwarded_port", guest: 80, host: 10080
  config.vm.network "private_network", ip: "192.168.33.10"
  config.vm.provider "virtualbox" do |vb|
    vb.gui = false
    vb.name = "bsideslv-workshop"
    vb.linked_clone = true
    vb.customize ["modifyvm", :id, "--cpuexecutioncap", "25"]
    vb.memory = 1024
    vb.cpus = 1
  end
  config.vm.provision "shell", inline: <<-SHELL
    apt-get update
    apt-get upgrade -y --no-install-recommends
    ifconfig
    # sed -i -e "s/#PasswordAuthentication yes/PasswordAuthentication yes\nAuthenticationMethods publickey,password publickey,keyboard-interactive/g" /etc/ssh/sshd_config
  SHELL
end
Prepared VM
wget https://www.dropbox.com/s/1abmcu15bip8t31/workshop.ova
wget https://www.dropbox.com/s/e5p1rij2glnz682/workshop.ova.sha512sum
sha512sum -c workshop.ova.sha512sum
Import the VM
“bsideslv-workshop” is the workshop VM name, replace it with whatever you have as needed
vboxmanage import workshop.ova
vboxmanage list vms | cut -d" " -f1 | sed 's/"//g'
export VM=bsideslv-workshop_1
vboxmanage modifyvm $VM --nic1 bridged --bridgeadapter1 eno1
vboxmanage startvm $VM --type headless
vboxmanage guestproperty get $VM "/VirtualBox/GuestInfo/Net/0/V4/IP"
#vboxmanage controlvm $VM natpf1 "SSH,tcp,,2222,,22"
#vboxmanage controlvm $VM natpf1 "NGINX,tcp,,2222,,22"
SSH into your VM
The VM has port-forwarding from the host on port 2222 to the guest on port 22. It is configured with a static address of: 192.168.33.10
Use the following credentials:
username: ubuntu
password: ubuntu
ssh -p 22 ubuntu@192.168.33.10
Test Internet
ping 8.8.8.8
Update your repositories
sudo apt-get update
sudo apt-get upgrade -y --no-install-recommends
Abstract
You often hear that one of the first steps is to harden your servers and services – but how exactly do you do that?
In this workshop, we will go through the various stages of hardening a Linux environment (Ubuntu) against attackers. During this workshop, we will consider common attack vectors and their mitigations, deploying security “feelers” and properly configuring the operating system and services against attacks.
This is an introductory level workshop (2-6 hours), hands-on, that allows participants to practice basic security hardening steps and customize their journey from that launch point.
Outline
- setting up the VM and the application
- determining the threat model
- taking inventory of the system
- updates
- packages
- versions
- users
- access
- prioritizing effort - what to harden first
- hardening the system, minding issues that can come up during the process
- assessing the hardening effort, did we accomplish our goals?
- assessing usability of the system, did we f*uck something up?
- summary and possible next steps
Resources