Lesson Plans/Ubuntu/Lesson 1

From Vista Ridge Cyberpatriot
  1. When connecting to a system's command line interface (CLI) remotely, you will need an SSH client. I recommend installing PuTTY for Windows and using the native Terminal app (which ships with the “ssh” command) for Mac. Josh will spin up an AWS EC2 host for you. These hosts are spun up exclusively for practice and shut down once practice has concluded, and the IP address will change with each practice. The default username is “cyberpatriot” with password “UAXj3a4vcFwGLTYpupF3”.
  2. The best way to generate and remember complex passwords is to use a password vault. I highly recommend KeePass for Windows and KeePassX for Mac (KeePassX is no longer maintained; its fork KeePassXC runs on Windows, Mac, and Linux). The first time you log in to a new instance, you should always set a proper password. The NIST guidelines (SP 800-63B) set a minimum length of 8 characters for user-chosen passwords and actually advise against forcing a mix of character classes, because length and unpredictability matter more than composition rules. That said, we are CyberPatriots so we'll do better: use your password vault to generate a 20 character password with upper, lower, numeric, and special characters, and save it so that you'll have it for next time. Since this instance is uniquely generated for you, go ahead and set a new password for the “cyberpatriot” user with the “passwd” command.
  3. When an operating system is first installed on a system, the image is usually a base image from whatever point in time it was created. This means that any software and security updates rolled out since the image was created have not been applied. You will need to run the package updates to ensure that there are no lingering security issues before bringing any services online. On Ubuntu we use the “apt” package manager: “apt update” refreshes the list of available packages and “apt upgrade” installs the newer versions. You can't run these as your regular user account because it doesn't have enough permissions, so you'll need to prefix them with the “sudo” command, which runs a command as the root user. Go ahead and download and install the most recent updates onto this system.
  4. Security researchers are constantly finding new vulnerabilities in different systems, so while you just installed all of the updates available today, how do we ensure that the system stays up to date? Ubuntu handles this with the “unattended-upgrades” package, which runs apt on a schedule and installs updates from the package origins it is configured to trust (on Ubuntu the security pocket is trusted by default). Installing the package is not enough on its own: you also have to turn on the periodic run, which is what “dpkg-reconfigure unattended-upgrades” or the file /etc/apt/apt.conf.d/20auto-upgrades does. Go ahead and install the unattended-upgrades package and make sure to turn on unattended security updates.
  5. Often there is a large gap between when a vulnerability is discovered and when a patch is developed and released for it. In the meantime, if the vulnerability is in an Internet-facing service, an attacker could exploit it to compromise your system. This is why we want to limit what is referred to as the “attack surface”: how much of our system is exposed to a potential attacker. Firewalls are one way to do this, and they can be applied at either the network level or the host level. Because these systems are running in the AWS cloud, I've already applied a default security group that allows only inbound SSH to them. Security groups are a form of network firewall, but what would happen if somebody accidentally changed the security group to allow additional traffic? Perhaps they were troubleshooting a connectivity issue and forgot to turn it off. That could expose a vulnerable service to an attacker. This is why security experts borrow a military concept called “defense in depth”: where a single layer of security could fail you, having multiple layers means you are no longer exposed should one layer fail. Let's practice defense in depth on our new system by installing a host-based firewall. There are many to choose from, but my personal favorite is the Uncomplicated Firewall, aka UFW, a simple front end to the kernel's netfilter (iptables) rules. Go ahead and download and install ufw. Before you enable it, add a rule allowing SSH (port 22/tcp) so that you don't lock yourself out of the system; UFW's default policy denies all other inbound traffic, so you shouldn't need to allow anything else at this time. Locking yourself out of a remote host is painful to recover from, so list the rules (“ufw show added”) and confirm the SSH rule is there. Once you've got the rules right, you are ready to enable the firewall.
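Steps 2 through 5 above, collected into one script as an added example (this is not part of the original lesson and not the CyberPatriot team's own tooling). It assumes an Ubuntu host where your account can use sudo, OpenSSH listening on port 22, and Ubuntu's stock /etc/apt/apt.conf.d/50unattended-upgrades, which already trusts the security pocket. The function names (check_password_policy, generate_password, harden_host), the special-character set used for generated passwords, and the “--apply” switch are my own choices.

```shell
#!/bin/sh
# Added example for Lesson 1: first-login hardening of a fresh Ubuntu host.
# Assumptions (mine, not the lesson's): Ubuntu with sudo rights, OpenSSH on
# port 22, and the special-character set below is an arbitrary choice.
set -eu
LC_ALL=C; export LC_ALL   # make [A-Z]-style ranges byte-based and predictable

# Returns 0 if $1 meets the lesson's policy: at least 20 characters with
# upper, lower, numeric and special characters all present.
check_password_policy() {
  pw=$1
  [ "${#pw}" -ge 20 ] || return 1
  case $pw in *[A-Z]*) ;; *) return 1 ;; esac
  case $pw in *[a-z]*) ;; *) return 1 ;; esac
  case $pw in *[0-9]*) ;; *) return 1 ;; esac
  case $pw in *[!A-Za-z0-9]*) ;; *) return 1 ;; esac
  return 0
}

# Prints a 20-character password drawn from the kernel CSPRNG, retrying until
# it satisfies the policy (a purely random draw can miss a character class).
generate_password() {
  while :; do
    candidate=$(tr -dc 'A-Za-z0-9!@#$%^&*_+=' < /dev/urandom | head -c 20)
    if check_password_policy "$candidate"; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
}

# Steps 3-5 of the lesson: patch now, keep patching automatically, then add a
# host firewall that only admits SSH. Needs sudo; run this on the EC2 host.
harden_host() {
  sudo apt-get update                # refresh package lists
  sudo apt-get -y upgrade            # install everything pending
  sudo apt-get -y install unattended-upgrades ufw

  # Turn on the daily unattended run. Which origins are trusted lives in
  # 50unattended-upgrades; on Ubuntu the -security pocket is enabled there.
  printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' \
                'APT::Periodic::Unattended-Upgrade "1";' \
    | sudo tee /etc/apt/apt.conf.d/20auto-upgrades >/dev/null

  # Firewall: deny inbound by default, let SSH in, verify, and only then enable.
  sudo ufw default deny incoming
  sudo ufw default allow outgoing
  sudo ufw allow 22/tcp
  sudo ufw show added | grep -q 'ufw allow 22/tcp' \
    || { echo 'refusing to enable ufw without an SSH rule' >&2; return 1; }
  sudo ufw --force enable            # --force skips the interactive prompt
  sudo ufw status verbose
}

# Only touch the system when explicitly asked; otherwise just print a password
# for step 2 (store it in your vault, then set it with: passwd).
if [ "${1:-}" = "--apply" ]; then
  harden_host
else
  echo "New password for the cyberpatriot user (save it to your vault, then run 'passwd'):"
  generate_password
fi
```

Run it once without arguments to get a policy-compliant password, set it with “passwd”, then run it again with “--apply” to patch, enable unattended upgrades, and bring up the firewall. The grep against “ufw show added” is the defense-in-depth check for your own session: it refuses to enable UFW unless the SSH rule really exists.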