Linux Hardening - Made Easy

Guy Barnhart-Magen

August 8, 2019

You can find the abstract below

Please Prepare for the Workshop

We wIll base our workshop on an ubuntu image, which I will link below. I recommend using VirtualBox VM - which is what I use.

This VM will have a basic OS, a web server and some files we would like to protect.

I am also using Ubuntu as my host, with ZSH - but will explain anything that looks funny :-)

I have included instruction to assist you with:

If you are not sure how to do the above, use the resources below.

If you need to install VirtualBox, use the following

sudo apt install virtualbox

Manual

  1. Download the Ubuntu 18.04.2 ISO
  2. validate the SHA256 checksum ea6ccb5b57813908c006f42f7ac8eaa4fc603883a2d07876cf9ed74610ba2f53 *ubuntu-18.04.2-live-server-amd64.iso
  3. Create a new VirtualBox VM based on Ubuntu 18.04.2
  4. Test that you have an internet connection from the VM
  5. update your repositories
  6. upgrade packages
  7. install NGINX
  8. copy index.html to /var/www/html
  9. browse to your VM (over port 80) and make sure you see the workshop webpage
# run commands under root prievleges
sudo apt install nginx
curl https://productsecurity.info/files/bsideslv-workshop.index.html > /var/www/html/index.html

Vagrant

  1. install vagrant and virtualbox
  2. save the script below as “Vagrantfile”
  3. run vagrant validate
  4. run vagrant up
Vagrant.configure("2") do |config|
  config.vm.box = "ubuntu/bionic64"
  config.vm.box_check_update = false
  config.vm.network "forwarded_port", guest: 80, host: 10080
  config.vm.network "private_network", ip: "192.168.33.10"
  config.vm.provider "virtualbox" do |vb|
    vb.gui = false
    vb.name = "bsideslv-workshop"
    vb.linked_clone = true
    vb.customize ["modifyvm", :id, "--cpuexecutioncap", "25"]
    vb.memory = 1024
    vb.cpus = 1
  end

  config.vm.provision "shell", inline: <<-SHELL
    apt-get update
    apt-get upgrade -y --no-install-recommends
    ifconfig
    # sed -i -e "s/#PasswordAuthentication yes/PasswordAuthentication yes\nAuthenticationMethods publickey,password publickey,keyboard-interactive/g" /etc/ssh/sshd_config
  SHELL
end

Prepared VM

wget https://www.dropbox.com/s/1abmcu15bip8t31/workshop.ova
wget https://www.dropbox.com/s/e5p1rij2glnz682/workshop.ova.sha512sum
sha512sum -c workshop.ova.sha512sum

Import the VM

“bsideslv-workshop” is the workshop VM name, replace it with whatever you have as needed

vboxmanage import workshop.ova
vboxmanage list vms | cut -d" " -f1 | sed 's/"//g'

export VM=bsideslv-workshop_1
vboxmanage modifyvm $VM --nic1 bridged --bridgeadapter1 eno1

vboxmanage startvm $VM --type headless

vboxmanage guestproperty get $VM "/VirtualBox/GuestInfo/Net/0/V4/IP"

#vboxmanage controlvm $VM natpf1 "SSH,tcp,,2222,,22"
#vboxmanage controlvm $VM natpf1 "NGINX,tcp,,2222,,22"

SSH into your VM

The VM has port-forwarding from the host on port 2222 to the guest on port 22. It is configured with a static address of: 192.168.33.10

Use the following credentials:

username: ubuntu

password: ubuntu

ssh -p 22 [email protected]

Test Internet

ping 8.8.8.8

Update your repositories

sudo apt-get update
sudo apt-upgrade -y --no-install-recommends

Abstract

You often hear that one of the first steps is to harden your servers and services – buy how exactly do you do that?

In this workshop, we will go through the various stages of hardening a Linux environment (Ubuntu) against attackers. During this workshop, we will consider common attack vectors and their mitigations, deploying security “feelers” and properly configuring the operating system and services against attacks.

This is an introductory level workshop (2-6 hours), hands-on, that allows participants to practice basic security hardening steps and customize their journey from that launch point.

Outline

Resources

slides