
LAB4

The document provides instructions for hardening SSH security on Linux systems. It includes steps to generate and transfer SSH keys, disable root and password login for SSH, set up two-factor authentication with Google Authenticator, and configure SSH logging and encryption settings.

Uploaded by

minhtdsa170195
Copyright
© © All Rights Reserved

### Fill-in-the-Blank Questions

1. To generate a new SSH key pair, the command used is `_ssh-keygen_______`.
2. The public key file generated by `ssh-keygen` is typically stored in `__~/.ssh/id_rsa.pub______`.
3. To copy your public key to a remote server, you can use the command `____ssh-copy-id user@hostname.____`.
4. Disabling root login can be done by editing the `____/etc/ssh/sshd_config____` file.
5. In the `sshd_config` file, the directive to disable root login is `__PermitRootLogin______`.
6. Password authentication can be disabled by setting `PasswordAuthentication` to `__PasswordAuthentication______` in the `sshd_config` file.
7. To apply changes made in the `sshd_config` file, you need to restart the SSH service using the command `_____sudo systemctl restart ssh or sudo systemctl restart sshd.___`.
8. Two-factor authentication on Ubuntu can be implemented using the `___libpam-google-authenticator_____` package.
9. The configuration file for Google Authenticator is located at `_~/.google_authenticator_______`.
10. To enable Google Authenticator for SSH login, you need to add `auth required ____auth required pam_google_authenticator.so____` in the PAM configuration.
11. The command to install the Google Authenticator PAM module is `___sudo apt-get install libpam-google-authenticator_____`.
12. To check the status of the SSH service, you can use `sudo systemctl status ssh or sudo systemctl status sshd_______`.
13. SSH keys are used primarily to enhance the security of `_____SSH___` connections.
14. The `PermitRootLogin` directive can have values such as `no`, `yes`, and `_prohibit-password___`.
15. Two-factor authentication adds an extra layer of security by requiring something you know (password) and something you ____have____ (token).
16. Weak SSH encryption algorithms can be disabled by modifying the `____/etc/ssh/sshd_config____` file.
17. To disable weak ciphers, you can set the `___Ciphers_____` directive in the `sshd_config` file.
18. The command to list supported ciphers for SSH on a server is `__ssh -Q cipher______`.
19. Verbose SSH logging can be enabled by setting the `LogLevel` directive to `___VERBOSE_____` in `sshd_config`.
20. To apply changes in `sshd_config`, you need to restart the SSH service using the command `___sudo systemctl restart ssh or sudo systemctl restart sshd_____`.
21. Whitelists in `sshd_config` are configured using the `___AllowUsers or AllowGroups_____` directive.
22. The command to find all SUID files on a system is `__find / -perm -4000 -type f______`.
23. SUID stands for `___Set User ID_____`.
24. The command to find all SGID files on a system is `__find / -perm -2000 -type f______`.
25. SGID stands for `___Set Group ID_____`.
26. To set extended file attributes, you can use the `______chattr__` command.
27. The extended attribute to make a file immutable is `_____i___`.
28. To view extended file attributes, you can use the `____lsattr____` command.
29. The configuration file for SSH server settings is `___/etc/ssh/sshd_config_____`.
30. To check the current SSH logging level, you can inspect the `____LogLevel____` directive in `sshd_config`.
31. The command to view the current status of the SSH service is `___sudo systemctl status sshd_____`.
32. To disable a specific encryption algorithm, you can add it to the `__Ciphers______` directive in `sshd_config`.

The `AllowGroups` directive in `sshd_config` restricts SSH access to specific ___groups_____.

33. The command to list all SGID files in the `/usr` directory is `___find /usr -perm -2000 -type f_____`.
34. The extended attribute to prevent a file from being deleted is `___u_____`.

### Multiple-Choice Questions

1. Which command is used to generate a new SSH key pair?

a) `ssh-copy-id`

b) `ssh-keygen`

c) `scp`

d) `ssh-add`

2. Where is the private key file stored by default when generating SSH keys?

a) `~/.ssh/id_rsa`

b) `~/.ssh/id_rsa.pub`

c) `/etc/ssh/ssh_config`

d) `/var/ssh/private`

3. To copy your public key to a remote server, you use:

a) `ssh-copy-id`

b) `scp`

c) `rsync`

d) `ssh-agent`

4. In which file would you disable root login for SSH?

a) `/etc/ssh/ssh_config`

b) `/etc/ssh/sshd_config`

c) `/etc/hosts`

d) `/etc/passwd`

5. To disable root login, you would set the `PermitRootLogin` directive to:

a) `yes`

b) `no`

c) `prohibit-password`

d) `without-password`

6. Which command is used to restart the SSH service on Ubuntu?

a) `systemctl start ssh`

b) `systemctl stop ssh`

c) `systemctl restart ssh`

d) `systemctl enable ssh`

7. What package is used to set up two-factor authentication on Ubuntu?

a) `authy`

b) `google-authenticator`

c) `pam-google-authenticator`

d) `duo`

8. The configuration file for Google Authenticator on Ubuntu is:

a) `~/.google_authenticator`

b) `/etc/google_authenticator`

c) `/var/google_authenticator`

d) `/etc/pam.d/google_authenticator`

9. To disable password authentication, you set `PasswordAuthentication` to:

a) `yes`

b) `no`

c) `optional`

d) `enabled`

10. In the PAM configuration file, to enable Google Authenticator, you add:

a) `auth required pam_google_authenticator.so`

b) `auth sufficient pam_google_authenticator.so`

c) `auth optional pam_google_authenticator.so`

d) `auth include pam_google_authenticator.so`


11. Which command would you use to view the SSH configuration file?

a) `nano /etc/ssh/ssh_config`

b) `nano /etc/ssh/sshd_config`

c) `vim /etc/ssh/ssh_config`

d) `vim /etc/ssh/sshd_config`

12. Which of the following is a common method for two-factor authentication?

a) Password and CAPTCHA

b) Password and SMS code

c) Password and security questions

d) Password and email verification

13. The `sshd_config` file is used to configure:

a) SSH client settings

b) SSH server settings

c) Firewall rules

d) Network interfaces

14. To restrict SSH access to a specific user, you can use the directive:

a) `AllowUsers`

b) `DenyUsers`

c) `PermitUsers`

d) `BlockUsers`

15. The command `ssh-add` is used to:

a) Generate a new SSH key

b) Copy the SSH key to a remote server

c) Add an SSH private key to the SSH agent

d) Restart the SSH service

16. Which directive in `sshd_config` is used to disable weak ciphers?

a) `DisableCiphers`

b) `WeakCiphers`

c) `Ciphers`

d) `AllowedCiphers`

17. To restart the SSH service on Ubuntu, you use the command:

a) `systemctl restart sshd`

b) `systemctl restart ssh`

c) `service sshd restart`

d) `service ssh restart`

18. The `LogLevel` directive can be set to which of the following for more verbose logging?

a) `QUIET`

b) `FATAL`

c) `INFO`

d) `DEBUG3`

The `AllowUsers` directive in `sshd_config` is used to:

a) Allow specific IP addresses

b) Allow specific users to log in via SSH

c) Deny specific users from logging in via SSH

d) Set the maximum number of users

19. Which command will find all files with the SUID bit set?

a) `find / -perm /4000`

b) `find / -perm /2000`

c) `find / -perm /1000`

d) `find / -perm /3000`

20. SUID stands for:

a) Set User Interactive Directory

b) Set User ID

c) Secure User ID

d) Super User ID

21. The SGID bit allows:

a) Users to execute a file with the group permissions of the file owner

b) Groups to execute a file with the user permissions of the file owner

c) Files to be read-only

d) Directories to be immutable

22. Which command sets the immutable attribute on a file?

a) `chattr +i filename`

b) `lsattr +i filename`

c) `chmod +i filename`

d) `setattr +i filename`

23. To view extended file attributes, you use the command:

a) `lsattr`

b) `chattr`

c) `getattr`

d) `setattr`

24. The `sshd_config` file is typically located in:

a) `/etc/ssh/sshd_config`

b) `/usr/local/ssh/sshd_config`

c) `/etc/sshd/sshd_config`

d) `/var/ssh/sshd_config`

Lab 4: Applying Hardened Linux File System Security Controls


6.1 - Creating and transferring SSH keys
6.2 - Disabling root login and password authentication
6.3 - Setting up two-factor authentication on Ubuntu 22.04
6.4 - Using Google Authenticator with key exchange on Ubuntu

6.6 - Disabling weak SSH encryption algorithms – Ubuntu 22.04
6.9 - Configuring more verbose SSH logging
6.10 - Configuring whitelists within sshd_config
7.1 - Searching for SUID and SGID files
7.2 - Setting security-related extended file attributes

### Lab 4: Applying Hardened Linux File System Security Controls

#### 6.1 - Creating and transferring SSH keys

1. **Generate SSH Key Pair**

- Run the command to generate an SSH key pair:


- Follow the prompts to save the key to the default location and provide a passphrase.

2. **Copy Public Key to Remote Server**

- Use the following command to copy your public key to a remote server:

#### 6.2 - Disabling root login and password authentication

1. **Edit sshd_config File**

- Open the SSH daemon configuration file:


2. **Disable Root Login**

- Find the line with `PermitRootLogin` and change it to:

3. **Disable Password Authentication**

- Find the line with `PasswordAuthentication` and change it to:

4. **Restart SSH Service**


- Apply changes by restarting the SSH service:

#### 6.3 - Setting up two-factor authentication on Ubuntu 22.04

1. **Install Google Authenticator**

- Install the Google Authenticator PAM module:

2. **Configure Google Authenticator**

- Run the following command and follow the prompts:

3. **Update PAM Configuration**

#### 6.4 - Using Google Authenticator with key exchange on Ubuntu


1. **Combine SSH Key and Google Authenticator**

- Ensure the following line exists in `/etc/ssh/sshd_config`:

#### 6.6 - Disabling weak SSH encryption algorithms – Ubuntu 22.04

1. **Edit sshd_config File**

- Open the SSH daemon configuration file:

2. **Disable Weak Ciphers**

- Add or modify the `Ciphers` line to disable weak ciphers:

3. **Restart SSH Service**

- Apply changes by restarting the SSH service:

#### 6.9 - Configuring more verbose SSH logging

1. **Edit sshd_config File**

- Open the SSH daemon configuration file:


2. **Set LogLevel to DEBUG3**

- Find the `LogLevel` line and change it to:

3. **Restart SSH Service**

- Apply changes by restarting the SSH service:

#### 6.10 - Configuring whitelists within sshd_config

1. **Edit sshd_config File**

- Open the SSH daemon configuration file:

2. **Configure AllowUsers or AllowGroups**


3. **Restart SSH Service**

- Apply changes by restarting the SSH service:
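
An added example, not part of the original lab: a shell audit of the `sshd_config` settings that sections 6.2 to 6.10 apply. The function names are hypothetical, and the `AuthenticationMethods` value it looks for is an assumption, because the line section 6.4 refers to is missing from the page.

```shell
#!/bin/sh
# Added example (not from the lab): audit an sshd_config against the lab's settings.
# Assumes a flat file: no Match blocks, no Include, no "Keyword=value" syntax.

# sshd keeps the first value it reads for a keyword; keywords are case-insensitive.
effective() {  # usage: effective FILE KEYWORD
  awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# Prints one FAIL line per finding; returns 0 only when there are none.
audit_sshd_config() {
  f=$1; fails=0
  fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

  # 6.2: no root login, no password login
  [ "$(effective "$f" PermitRootLogin)" = "no" ] || fail "PermitRootLogin is not 'no'"
  [ "$(effective "$f" PasswordAuthentication)" = "no" ] || fail "PasswordAuthentication is not 'no'"

  # 6.4 (assumed line): key and one-time code together, as one comma-joined list
  case "$(effective "$f" AuthenticationMethods)" in
    *publickey,keyboard-interactive*) ;;
    *) fail "AuthenticationMethods does not require publickey,keyboard-interactive" ;;
  esac

  # 6.6: explicit Ciphers line; a leading "-" removes the listed ciphers from the defaults
  ciphers=$(effective "$f" Ciphers)
  case "$ciphers" in
    "") fail "no explicit Ciphers line" ;;
    -*) ;;
    *cbc*|*3des*|*arcfour*) fail "weak cipher enabled: $ciphers" ;;
  esac

  # 6.9: VERBOSE or a DEBUG level (sshd_config(5) advises against DEBUG for routine use)
  case "$(effective "$f" LogLevel)" in
    VERBOSE|DEBUG*) ;;
    *) fail "LogLevel is not VERBOSE or DEBUG*" ;;
  esac

  # 6.10: at least one allowlist directive
  [ -n "$(effective "$f" AllowUsers)$(effective "$f" AllowGroups)" ] ||
    fail "neither AllowUsers nor AllowGroups is set"

  [ "$fails" -eq 0 ]
}
```

Call it as `audit_sshd_config /etc/ssh/sshd_config`. On a live host, the output of `sudo sshd -T` (the effective configuration, with `Match` and `Include` resolved) can be saved to a file and checked the same way.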

#### 7.1 - Searching for SUID and SGID files

1. **Find SUID Files**

- Run the command to find all SUID files:

2. **Find SGID Files**

- Run the command to find all SGID files:
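
An added example, not part of the original lab: the two `find` searches from this section combined and compared against a reviewed baseline, so that only newly appeared SUID/SGID files are reported. The function names and the baseline file (one path per line) are hypothetical.

```shell
#!/bin/sh
# Added example (not from the lab): report SUID/SGID files missing from a reviewed baseline.

# List regular files under ROOT with the SUID (4000) or SGID (2000) bit set, sorted.
# -xdev keeps find on one filesystem, so /proc and network mounts are not walked.
list_setid() {  # usage: list_setid ROOT
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Print files found now that are absent from BASELINE.
# Returns 0 when nothing new turned up, 1 when something did, 2 on setup failure.
new_setid() {  # usage: new_setid ROOT BASELINE
  current=$(mktemp) && sorted=$(mktemp) || return 2
  list_setid "$1" > "$current"
  sort "$2" > "$sorted"
  # comm -23 keeps lines that appear only in the first (current) list
  new=$(comm -23 "$current" "$sorted")
  rm -f "$current" "$sorted"
  [ -z "$new" ] && return 0
  printf '%s\n' "$new"
  return 1
}
```

Create the baseline once with `list_setid / > baseline.txt` after reviewing its contents, then run `new_setid / baseline.txt` on a schedule and investigate anything it prints.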

#### 7.2 - Setting security-related extended file attributes

1. **Set Immutable Attribute**

- Use `chattr` to set the immutable attribute:


2. **Remove Immutable Attribute**

- Use `chattr` to remove the immutable attribute:

3. **View Extended Attributes**

- Use `lsattr` to view the attributes of a file:
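
An added example, not part of the original lab: a check that files meant to stay immutable still carry the `i` attribute, working from `lsattr` output. The function name is hypothetical.

```shell
#!/bin/sh
# Added example (not from the lab): confirm that files meant to be immutable still are.

# Reads `lsattr` output on stdin; the arguments are the paths that must carry "i".
# Prints each path that lacks the flag or that lsattr did not report; returns 1 if any.
check_immutable() {  # usage: lsattr FILE... | check_immutable FILE...
  report=$(cat)
  rc=0
  for path in "$@"; do
    # Field 1 of an lsattr line is the flag string; the rest of the line is the path.
    flags=$(printf '%s\n' "$report" |
      awk -v p="$path" '{ f = $1; sub(/^[^ ]+ /, "") } $0 == p { print f; exit }')
    # Match lowercase "i" only: uppercase "I" is the unrelated indexed-directory flag.
    case "$flags" in
      *i*) ;;
      *) echo "NOT immutable: $path"; rc=1 ;;
    esac
  done
  return "$rc"
}
```

For example, `lsattr /etc/ssh/sshd_config | check_immutable /etc/ssh/sshd_config` exits non-zero if the attribute has been removed since it was set.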
