Lesson Plans/Ubuntu/Lesson 2

From Vista Ridge Cyberpatriot
Jump to navigation Jump to search

REVIEW

  1. When connecting to a system command line interface (CLI) remotely, you will need to use a SSH client. I recommend installing PuTTY for Windows and using the native Terminal client for Mac. Josh will spin up an AWS EC2 host for you. These hosts will be spun up exclusively for practice and shut down once practice has concluded. The IP address will change with each practice. The default username is “cyberpatriot” with password “UAXj3a4vcFwGLTYpupF3”.
  2. The best way to generate and remember complex passwords is to use a password vault. I highly recommend using KeePass for Windows and KeePassX for Mac. The first time you log in to a new instance, you should always set a proper password. NIST guidelines for passwords is a minimum length of 8 characters, with passwords consisting of upper case letters, lower case letters, numbers, and special characters. That said, we are CyberPatriots so we’ll do better. Use your password vault to generate a 20 character password with upper, lower, numeric, and special characters. Save it so that you’ll remember it for next time. Since this instance is uniquely generated for you, go ahead and set a new password for the “cyberpatriot” user.
  3. When an operating system is first installed on a system, the image is usually a base image from whatever point in time it was created. What this means is that any software and security updates rolled out since the image was created have not been applied. You will need to run the package updates to ensure that there are no lingering security issues before bringing any services online. On Ubuntu, we use the “apt” package manager to update the packages, but you can’t run these as your regular user account as it doesn’t have enough permissions. You’ll need to use the “sudo” command to run any other commands as the root user. Go ahead and download and install the most recent updates onto this system.
  4. Security researchers are constantly finding new vulnerabilities on different systems so while you just installed all of the updates available currently, how do we ensure that the system stays up-to-date? Ubuntu has a concept called unattended upgrades to handle this. Go ahead and install the unattended upgrades package and make sure to turn on unattended security updates.
  5. Often times there are large gaps of time between when a vulnerability is discovered and when a patch gets developed and released for it. In the meantime, if the vulnerability is in a web-facing service, an attacker on the Internet could exploit it to compromise your system. This is why we want to limit what is referred to as the “attack surface”. In other words, we want to restrict how much of our system is exposed to a potential attacker. Firewalls are one way that we can do this and they can be applied at either the network level or the system level. Because these systems are running in the AWS cloud, I’ve already applied a default security group that provides only inbound SSH connectivity to them. These security groups are a form of a network firewall, but what would happen if somebody accidentally changed the security group to allow additional traffic. Perhaps they were troubleshooting a connectivity issue and forgot to turn it off? That could expose a vulnerable service to an attacker. This is why security experts like to utilize a military concept called “defense in depth”. The idea is that where having a single layer of security could fail you, having multiple layers of defenses means that you are no longer exposed should one layer fail. Let’s practice defense in depth on our new system by installing a host-based firewall. There are many to choose from, but my personal favorite is the Uncomplicated Firewall aka UFW. Go ahead and download and install ufw. You’ll need to configure rules to allow SSH access (port 22) so that you don’t lock yourself out of the system. You shouldn’t need to allow anything else at this time. Once you’ve got the rules right, you are ready to enable the firewall.

NEW'

  1. The default password policy on an Ubuntu 18.04 LTS system is not very good at all. Passwords are good for 99,999 day. As Cyberpatriots, we can do much better. Change the maximum number of days a password can be used (PASS_MAX_DAYS) from 99999 to something more reasonable like 90 days.
  2. The minimum number of days for a password is also important as it prevents a user from bypassing restrictions on ensuring that the same password isn’t re-used by simply iterating through enough passwords that the system forgets about the original password that was set. Just underneath where you set the maximum number of days a password can be used, you can also set the minimum number of days (PASS_MIN_DAYS).
  3. The number of characters used for a password will significantly affect how easily it is guessed. Imagine how easy it would be to guess a password if I told you it could only be 4 numeric characters. There would literally be only 10,000 (10^4) possible combinations of numbers. Computers are super fast and if there aren’t proper controls in place, it would only take a few seconds to guess every possible combination. If we increase it to 12 characters, we now have 10,000,000,000,000 (10^12) possible combinations. The Linux system for handling authentication is called the “Pluggable Authentication Modules” or “PAM” for short. Update the PAM password configuration to ensure passwords have a minimum length (minlen) of 12 characters.
  4. The size of the set of characters used for a password also has a huge impact on how easily they can be brute force guessed. If instead of just numbers we were to also add in the 26 upper case characters, 26 lower case characters, and just the 16 special characters in the top row on your keyboard and you have 78^12 possible combinations. That’s an awful lot of guessing for an attacker to do. There is a PAM module called pam_pwquality, that you will need to install, which can help us to enforce complex passwords on our system. Use this module to set the minimum number of required classes of characters (minclass) to 3 of the 4 possible. You should also set the minimum acceptable size for the new password (minlen) in the pam_pwquality configuration.
  5. The final biggest control in preventing password brute force attacks is limiting the speed at which someone can guess our passwords. The PAM module called common-auth can help us with this. Here we can use the “deny” parameter to specify the number of allowed failed login attempts before locking a user out as well as the “unlock_time” parameter to set the account lockout duration. Set the number of failed login attempts to 5 and the lockout duration to 10 minutes. This will limit them to at most 30 guesses of a password each hour.
Retrieved from "https://cypat.rainbowunicorn.org/index.php?title=Lesson_Plans/Ubuntu/Lesson_2&oldid=93"