
Linux+ Objective 2.1 Labs

The document describes tasks for hardening a Linux server and configuring authentication. It includes: 1. Hardening a server by disabling unused services, enabling a firewall, updating the system, and configuring logging and secure user accounts. 2. Configuring authentication on another server by installing packages, configuring PAM for password and multifactor authentication using Google Authenticator, and configuring LDAP authentication. 3. The tasks provide step-by-step instructions to improve security of Linux servers by reducing exposed services, restricting network access, applying patches, monitoring activity, and ensuring only authorized users can access systems.

Uploaded by

awmartinez
Copyright
© All Rights Reserved

OBJECTIVE 2.1 LABS

Lab 1: Hardening a Linux system: (Do this on an Ubuntu system)

Scenario: You work as a system administrator for a small IT company that provides web hosting
services to clients. Your company uses a Linux server to host client websites and you've been
tasked with hardening the server to improve security.

Activities:

1. Disable unused services: Review the running services and disable any that are not
necessary. This will help reduce the attack surface of the server.
2. Enable a firewall: Set up a firewall to restrict incoming and outgoing traffic based on your
company's network security policies.
3. Update the system: Install any available security updates to ensure the latest patches are
applied and vulnerabilities are mitigated.
4. Configure logging: Set up logging to track system activity, including authentication and
authorization attempts, as well as any potential security incidents.
5. Secure user accounts: Create strong passwords for all user accounts, disable any
unnecessary accounts, and configure password policies to enforce password complexity
and expiration.
Lab:

Task 1: Disable Unused Services

1. Open a terminal and run the command systemctl list-unit-files --state=enabled
to list all enabled services.
2. Review the list of enabled services and determine which services are necessary for the
server to function.
3. Disable any unnecessary services using the command sudo systemctl disable
<service name>.
Task 2: Enable a Firewall

1. Install the ufw firewall using the command sudo apt-get install ufw.
2. Run the command sudo ufw default deny incoming to deny all incoming
traffic by default.
3. Allow incoming traffic on port 80 for HTTP using the command sudo ufw allow
80/tcp.
4. Allow incoming traffic on port 443 for HTTPS using the command sudo ufw
allow 443/tcp.
5. Run the command sudo ufw enable to enable the firewall.
Task 3: Update the System
1. Run the command sudo apt-get update to update the package lists.
2. Run the command sudo apt-get upgrade to install available updates.
3. Run the command sudo apt-get autoremove to remove any unused packages.
Task 4: Configure Logging

1. Open the file /etc/rsyslog.conf in a text editor.
2. Uncomment the line that starts with #module(load="imudp") to enable UDP
syslog reception.
3. Uncomment the line that starts with #input(type="imudp" port="514") to
listen for syslog messages on port 514.
4. Uncomment the line that starts with #module(load="imtcp") to enable TCP
syslog reception.
5. Uncomment the line that starts with #input(type="imtcp" port="514") to
listen for syslog messages on port 514.
6. Save and close the file.
7. Restart the syslog service using the command sudo systemctl restart
rsyslog.

Task 5: Secure User Accounts

1. Create a strong password for all user accounts using the command sudo passwd
<username>. Replace <username> with the username of the user account you
want to update. For example, to update the password for user "john", you would run the
command sudo passwd john. Follow the prompts to set a strong and secure
password.

2. Disable any unnecessary accounts using the command sudo usermod --expiredate 1
<username>. Replace <username> with the username of the
account you want to disable. For example, to disable the user account "jane", you would
run the command sudo usermod --expiredate 1 jane. This will set the
account to expire one day after the current date, effectively disabling it.

3. Configure password policies by editing the file /etc/pam.d/common-password
and adding the line password requisite pam_cracklib.so minlen=8
ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 to enforce
password complexity. You can use any text editor to edit the file, for example, nano or
vi. For example, to edit the file using nano, run the command
sudo nano /etc/pam.d/common-password. Add the line password requisite
pam_cracklib.so minlen=8 ucredit=-1 lcredit=-1
dcredit=-1 ocredit=-1 to the end of the file and save the changes. This will
enforce a password length of at least 8 characters and require at least one uppercase letter,
one lowercase letter, one digit, and one special character in the password.
Lab 2: Authentication (You can do this on Amazon Linux)

Scenario: You are working as a system administrator for a company that is implementing stricter
security measures for its Linux servers. You have been tasked with configuring the authentication
system to ensure only authorized users can access the servers. You will also set up multifactor
authentication and implement single sign-on (SSO) for easier user management.

Task 1: Install Required Packages

1. Launch a Linux server instance (e.g. Amazon Linux 2) on your preferred cloud provider
(e.g. AWS).
2. Connect to the instance using SSH.
3. Update the system packages by running the command: sudo yum update -y.
4. Install the required packages for authentication by running the command: sudo yum
install -y pam pam-devel pam_pkcs11 opensc.
Task 2: Configure PAM for Password Authentication

1. Open the PAM configuration file for password authentication by running the command:
sudo vi /etc/pam.d/password-auth.
2. Add the following line to the top of the file: auth required pam_env.so.
3. Add the following line to the end of the file: auth sufficient pam_unix.so nullok
try_first_pass.
4. Save and exit the file.
5. Open the PAM configuration file for system authentication by running the command:
sudo vi /etc/pam.d/system-auth.
6. Add the following line to the top of the file: auth required pam_env.so.
7. Add the following line to the end of the file: auth sufficient pam_unix.so nullok
try_first_pass.
8. Save and exit the file.
Task 3: Configure PAM for Multifactor Authentication

1. Install the Google Authenticator package by running the command: sudo yum install -y
google-authenticator.
2. Run the Google Authenticator setup wizard by running the command:
google-authenticator.
3. Answer "y" to all of the wizard's questions to enable multifactor authentication.
4. Configure PAM to use Google Authenticator for authentication by running the command:
sudo vi /etc/pam.d/sshd.
5. Add the following line to the top of the file: auth required pam_google_authenticator.so.
6. Save and exit the file.
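
The auth lines from Tasks 2 and 3 depend on PAM's ordering rules: a sufficient module that succeeds ends the stack, and nullok lets pam_unix.so accept an account with an empty password. The following audit is an added example, not part of the original lab; the function name and both sample stacks are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the lab: audit the auth lines of one PAM file.
# On the server: audit_pam_auth < /etc/pam.d/sshd
# Files pulled in by include/substack lines are not followed; audit each file.
audit_pam_auth() {
    awk '
        BEGIN { bad = 0 }
        $1 != "auth" { next }    # comments, blank lines, other module types
        $3 ~ /pam_google_authenticator\.so$/ {
            if ($2 != "required" && $2 != "requisite") {
                print "line " NR ": OTP module is " $2 ", a failed code does not deny login"
                bad = 1
            }
            if (sufficient_seen) {
                print "line " NR ": OTP module follows a sufficient module on line " sufficient_seen " and can be skipped"
                bad = 1
            }
        }
        $3 ~ /pam_unix\.so$/ && /[ \t]nullok([ \t]|$)/ {
            print "line " NR ": pam_unix.so nullok accepts accounts with an empty password"
            bad = 1
        }
        $2 == "sufficient" && !sufficient_seen { sufficient_seen = NR }
        END { exit bad }'
}

# Constructed sample: the lines Tasks 2 and 3 add, shown as one stack.
sample_lab_stack() {
    cat <<'EOF'
#%PAM-1.0
auth       required     pam_google_authenticator.so
auth       required     pam_env.so
auth       sufficient   pam_unix.so nullok try_first_pass
account    required     pam_unix.so
EOF
}

# Constructed sample: the OTP line appended at the end instead of the top.
sample_misordered_stack() {
    cat <<'EOF'
auth       required     pam_env.so
auth       sufficient   pam_unix.so try_first_pass
auth       required     pam_google_authenticator.so
EOF
}

sample_misordered_stack | audit_pam_auth || echo "findings above"
```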
Task 4: Configure LDAP Authentication

1. Install the OpenLDAP package by running the command: sudo yum install -y openldap
openldap-clients nss-pam-ldapd.
2. Configure the LDAP client by running the command: sudo authconfig-tui.
3. Select "Use LDAP" and enter the LDAP server details.
4. Select "Use LDAP Authentication" and enter the LDAP authentication details.
5. Save the configuration and exit the tool.
6. Test the LDAP authentication by running the command: getent passwd <ldap_username>.

Task 5: Configure SSSD for LDAP Authentication

Install the SSSD package by running the command:

sudo yum install -y sssd sssd-client sssd-ldap

Configure SSSD for LDAP authentication by running the command:

sudo vi /etc/sssd/sssd.conf

Add the following lines to the [sssd] section of the file:

config_file_version = 2
services = nss, pam
domains = LDAP

Add the following lines to the [domain/LDAP] section of the file:

id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://<ldap_server_address>
ldap_search_base = <ldap_search_base>
ldap_tls_reqcert = allow

Add the LDAP administrator's username and password to the SSSD configuration file by adding
the following lines to the [domain/LDAP] section of the file:

ldap_default_bind_dn = <ldap_admin_username>
ldap_default_authtok_type = password
ldap_default_authtok = <ldap_admin_password>

Note: Replace <ldap_admin_username> and <ldap_admin_password> with the
actual LDAP administrator's username and password.
Set the appropriate ownership and permissions on the SSSD configuration file by running the
command:

sudo chown root:root /etc/sssd/sssd.conf && sudo chmod 600 /etc/sssd/sssd.conf

Test the SSSD configuration by running the command:

sudo authconfig --test | grep -i ldap

The output should include the LDAP server address, search base, and other configuration details.

Restart the SSSD service by running the command:

sudo systemctl restart sssd


Test LDAP authentication by running the command:

getent passwd <ldap_user_username>


This should return the LDAP user's information.

Note: Replace <ldap_user_username> with the actual LDAP user's username.
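
The [domain/LDAP] settings in this task decide whether the directory connection is encrypted and whether the server's certificate is checked: with ldap_tls_reqcert = allow a bad certificate is ignored, and an ldap:// URI without StartTLS leaves lookups unencrypted. The following audit is an added example, not part of the original lab; the function names are hypothetical and the sample file uses placeholder values.

```shell
#!/bin/sh
# Added example, not part of the lab: flag weak settings in an sssd.conf.
# On the server (as root): audit_sssd_conf /etc/sssd/sssd.conf
# All [domain/...] sections are read as one. Returns 1 if anything is found.
audit_sssd_conf() {
    findings=$(
        awk '
            /^[ \t]*\[/ { in_dom = ($0 ~ /^[ \t]*\[domain\//); next }
            !in_dom || /^[ \t]*[#;]/ || !index($0, "=") { next }
            {
                key = substr($0, 1, index($0, "=") - 1)
                val = substr($0, index($0, "=") + 1)
                gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
                v[key] = val
            }
            END {
                r = v["ldap_tls_reqcert"]
                if (v["ldap_uri"] ~ /^ldap:\/\// && tolower(v["ldap_id_use_start_tls"]) != "true")
                    print "ldap_uri is plain ldap:// and ldap_id_use_start_tls is not true"
                if (r != "" && r != "demand" && r != "hard")
                    print "ldap_tls_reqcert = " r " does not strictly verify the server certificate"
                if (v["ldap_default_authtok_type"] == "password")
                    print "ldap_default_authtok holds the bind password in clear text"
            }' "$1"
        mode=$(ls -ld "$1" | cut -c1-10)
        [ "$mode" = "-rw-------" ] || echo "file mode is $mode, expected -rw-------"
    )
    if [ -n "$findings" ]; then printf '%s\n' "$findings"; return 1; fi
}

# Constructed sample with the lab's layout; all values are placeholders.
write_sample_conf() {  # args: path ldap_uri reqcert authtok_type
    cat > "$1" <<EOF
[sssd]
domains = LDAP
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = $2
ldap_search_base = dc=example,dc=test
ldap_tls_reqcert = $3
ldap_default_authtok_type = $4
ldap_default_authtok = placeholder
EOF
    chmod 600 "$1"
}

f=$(mktemp) && write_sample_conf "$f" ldap://ldap.example.test allow password
audit_sssd_conf "$f" || echo "(findings for the settings used in this task)"; rm -f "$f"
```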

Lab 3: Certificates Use Cases and Managing Public Key Infrastructure Certificates

***You will need a static Public IP to use. Create an Amazon Elastic IP and assign it to your
AWS instance. This is an IP that will always be associated with your server even if you turn
the server off and back on. If you do not use an elastic IP, if you ever have to turn off your
server, it will get a different public IP when you turn it on again.

Assign the elastic IP and tell me what the public IP address is so I can associate that IP to a
domain name you can use for this lab.****

Scenario: You work as a system administrator for a company that provides online services. The
company has a web server that requires HTTPS communication to secure its clients' confidential
information. The server requires a valid SSL/TLS certificate issued by a trusted Certificate
Authority (CA).

NOTE: There should be two certificates in this lab. One is a “self-signed” certificate that anyone
can make but is not as trusted for a website. Then there is a “third party signed” certificate you
get from an outside company that you can apply to your web server. By the time you finish this
lab you should have experience applying and then testing both.
Task 1: Create a Web Server on Amazon Linux

1. Launch an Amazon EC2 instance running Amazon Linux.


2. SSH into the instance using your key pair.
3. Update the instance with the latest packages using the command: sudo yum
update -y.
4. Install Apache web server using the command: sudo yum install -y httpd.
5. Start the Apache web server using the command: sudo service httpd start.
6. Verify that the web server is running by entering the public IP address of your instance
into a web browser. You should see the default Apache page.

Task 2: Generate a Self-Signed SSL/TLS Certificate

1. Install OpenSSL using the command: sudo yum install -y openssl.
2. Generate a private key using the command: sudo openssl genrsa -out
/etc/pki/tls/private/myserver.key 2048.
3. Generate a certificate signing request (CSR) using the command: sudo openssl
req -new -key /etc/pki/tls/private/myserver.key -out
/etc/pki/tls/certs/myserver.csr.
4. Generate a self-signed certificate using the command: sudo openssl x509
-req -days 365 -in /etc/pki/tls/certs/myserver.csr
-signkey /etc/pki/tls/private/myserver.key -out
/etc/pki/tls/certs/myserver.crt.

Task 3: Configure Apache to Use SSL/TLS

1. Edit the Apache SSL/TLS configuration file using the command:
sudo vi /etc/httpd/conf.d/ssl.conf.
2. Update the SSLCertificateFile directive to point to the path of the self-signed certificate
generated in Task 2: SSLCertificateFile /etc/pki/tls/certs/myserver.crt.
3. Update the SSLCertificateKeyFile directive to point to the path of the private key
generated in Task 2: SSLCertificateKeyFile /etc/pki/tls/private/myserver.key.
4. Save and exit the file.
5. Restart the Apache web server using the command: sudo service httpd
restart.

Task 4: Create a Web Page

1. Create a new file called index.html in the /var/www/html directory using the command:
sudo vi /var/www/html/index.html.
2. Add the text "Hello, world!" to the file.
3. Save and exit the file.

Task 5: Test SSL/TLS Encryption

1. Open a web browser and enter your website's URL with "https://" at the beginning.
2. Ensure that the website loads correctly and that the SSL/TLS certificate is valid and
issued by a trusted CA.
3. Verify that the "Hello, world!" text appears on the page.

Task 6:

1. Open a terminal window on your local machine.


2. If OpenSSL is not already installed, install it using the appropriate package manager for
your system. For example, on Ubuntu, you can use the command: sudo apt-get
install openssl.
3. Use the scp command to copy the self-signed certificate from the EC2 instance to your
local machine. Replace <EC2 instance public IP> with the public IP address
of your EC2 instance. Enter the following command:

scp ec2-user@<EC2 instance public IP>:/etc/pki/tls/certs/myserver.crt ~/Downloads/myserver.crt

4. Verify the authenticity of the certificate using the openssl verify command. In the
terminal, navigate to the directory where you copied the certificate (~/Downloads in
this example). Then enter the following command:

openssl verify -CAfile myserver.crt myserver.crt

5. Verify that the output shows "myserver.crt: OK". This indicates that the certificate is valid
and has been issued by a trusted CA.
6. Open a web browser and enter the URL of your website with "https://" at the beginning.
7. Ensure that the website loads correctly and that the SSL/TLS certificate is valid and
issued by a trusted CA.
8. Verify that the "Hello, world!" text appears on the page.

Task 7: Configure Apache to use the valid certificate and enable HTTPS

1. Copy the SSL/TLS certificate files from the trusted CA to the Amazon Linux instance.
You will typically receive these files in an email or through the CA's website.
2. Move the certificate files to the appropriate directory using the following commands:

sudo mkdir -p /etc/pki/tls/certs
sudo mkdir -p /etc/pki/tls/private
sudo chmod 700 /etc/pki/tls/private
sudo cp <path_to_certificate_file> /etc/pki/tls/certs/
sudo cp <path_to_private_key_file> /etc/pki/tls/private/

3. Configure Apache to use the valid certificate by editing the SSL configuration file with
the command:

sudo vi /etc/httpd/conf.d/ssl.conf

4. In the SSL configuration file, locate the SSLCertificateFile and SSLCertificateKeyFile
directives, and update their values with the paths to the certificate and private key files,
respectively.

SSLCertificateFile /etc/pki/tls/certs/<certificate_file>
SSLCertificateKeyFile /etc/pki/tls/private/<private_key_file>

5. Save and exit the file.

6. Restart the Apache service with the command:

sudo systemctl restart httpd

Task 8: Test the website to ensure that it loads correctly and that the SSL/TLS certificate is valid
and issued by a trusted CA.

1. Open a web browser and enter your website's URL with "https://" at the beginning.

2. Ensure that the website loads correctly and that the SSL/TLS certificate is valid and
issued by a trusted CA.

3. Verify the certificate's authenticity using the command:

openssl s_client -showcerts -connect <website_domain_name>:443

4. Look for the "Verify return code" section in the output. If the code is "0 (ok)", then the
certificate is valid and issued by a trusted CA.

5. Verify that the "Hello, world!" text appears on the page.
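
The "Verify return code" check from step 4 can be scripted, and the same output also separates the lab's two certificates: a self-signed certificate has identical subject and issuer and fails with code 18, while a CA-issued one returns 0. This is an added example, not part of the original lab; the function names are hypothetical and both s_client excerpts are constructed.

```shell
#!/bin/sh
# Added example, not part of the lab: classify `openssl s_client` output.
# Prints trusted, self-signed, untrusted:<code> or no-handshake;
# returns 0 only for trusted.
classify_s_client() {
    awk '
        /^ *0 s:/               { subj = $0; sub(/^ *0 s:/, "", subj) }
        /^ *i:/ && issuer == "" { issuer = $0; sub(/^ *i:/, "", issuer) }
        /Verify return code:/ && code == "" { code = $4 }
        END {
            if (code == "")  { print "no-handshake"; exit 2 }
            if (code == "0") { print "trusted"; exit 0 }
            # Code 18 is a self-signed leaf; subject equal to issuer confirms it.
            if (code == "18" || (subj != "" && subj == issuer)) { print "self-signed"; exit 1 }
            print "untrusted:" code; exit 1
        }'
}

# Live check of the server from this task; the host name is the only argument.
check_host() {
    openssl s_client -showcerts -connect "$1:443" -servername "$1" \
        </dev/null 2>/dev/null | classify_s_client
}

# Constructed excerpt: what the Task 2 self-signed certificate produces.
sample_self_signed() {
    cat <<'EOF'
Certificate chain
 0 s:CN = www.example.test
   i:CN = www.example.test
---
    Verify return code: 18 (self-signed certificate)
EOF
}

# Constructed excerpt: a certificate issued by a CA the client trusts.
sample_ca_signed() {
    cat <<'EOF'
Certificate chain
 0 s:CN = www.example.test
   i:C = XX, O = Example CA, CN = Example Issuing CA
---
    Verify return code: 0 (ok)
EOF
}

sample_self_signed | classify_s_client || true
```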

