You can find the abstract below
Please Prepare for the Workshop
We wIll base our workshop on an ubuntu image, which I will link below. I recommend using VirtualBox VM - which is what I use.
This VM will have a basic OS, a web server and some files we would like to protect.
I am also using Ubuntu as my host, with ZSH - but will explain anything that looks funny :-)
I have included instruction to assist you with:
- Manually create a VM
- Use Vagrant to create the VM
- Download a prepared VM (lazy option, dont do this)
- I will post updates through email or twitter
- feel free to DM if you have any questions or issues
If you are not sure how to do the above, use the resources below.
If you need to install VirtualBox, use the following
sudo apt install virtualbox
- Download the Ubuntu 18.04.2 ISO
- validate the SHA256 checksum
- Create a new VirtualBox VM based on Ubuntu 18.04.2
- Test that you have an internet connection from the VM
- update your repositories
- upgrade packages
- install NGINX
- copy index.html to
browse to your VM (over port 80) and make sure you see the workshop webpage
# run commands under root prievleges sudo apt install nginx curl https://productsecurity.info/files/bsideslv-workshop.index.html > /var/www/html/index.html
- install vagrant and virtualbox
- save the script below as “Vagrantfile”
Vagrant.configure("2") do |config| config.vm.box = "ubuntu/bionic64" config.vm.box_check_update = false config.vm.network "forwarded_port", guest: 80, host: 10080 config.vm.network "private_network", ip: "192.168.33.10" config.vm.provider "virtualbox" do |vb| vb.gui = false vb.name = "bsideslv-workshop" vb.linked_clone = true vb.customize ["modifyvm", :id, "--cpuexecutioncap", "25"] vb.memory = 1024 vb.cpus = 1 end config.vm.provision "shell", inline: <<-SHELL apt-get update apt-get upgrade -y --no-install-recommends ifconfig # sed -i -e "s/#PasswordAuthentication yes/PasswordAuthentication yes\nAuthenticationMethods publickey,password publickey,keyboard-interactive/g" /etc/ssh/sshd_config SHELL end
- Workshop VM (v1) VirtualBox OVA file
wget https://www.dropbox.com/s/1abmcu15bip8t31/workshop.ova wget https://www.dropbox.com/s/e5p1rij2glnz682/workshop.ova.sha512sum sha512sum -c workshop.ova.sha512sum
Import the VM
“bsideslv-workshop” is the workshop VM name, replace it with whatever you have as needed
vboxmanage import workshop.ova vboxmanage list vms | cut -d" " -f1 | sed 's/"//g' export VM=bsideslv-workshop_1 vboxmanage modifyvm $VM --nic1 bridged --bridgeadapter1 eno1 vboxmanage startvm $VM --type headless vboxmanage guestproperty get $VM "/VirtualBox/GuestInfo/Net/0/V4/IP" #vboxmanage controlvm $VM natpf1 "SSH,tcp,,2222,,22" #vboxmanage controlvm $VM natpf1 "NGINX,tcp,,2222,,22"
SSH into your VM
The VM has port-forwarding from the host on port 2222 to the guest on port 22. It is configured with a static address of: 192.168.33.10
Use the following credentials:
ssh -p 22 [email protected]
Update your repositories
sudo apt-get update sudo apt-upgrade -y --no-install-recommends
You often hear that one of the first steps is to harden your servers and services – buy how exactly do you do that?
In this workshop, we will go through the various stages of hardening a Linux environment (Ubuntu) against attackers. During this workshop, we will consider common attack vectors and their mitigations, deploying security “feelers” and properly configuring the operating system and services against attacks.
This is an introductory level workshop (2-6 hours), hands-on, that allows participants to practice basic security hardening steps and customize their journey from that launch point.
- setting up the VM and the application
- determining the threat model
- taking inventory of the system
- prioritizing effort - what to harden first
- hardening the system, minding issues that can come up during the process
- assessing the hardening effort, did we accomplish our goals?
- assessing usability of the system, did we f*uck something up?
- summary and possible next steps