
Lab 4

This document outlines a lab exercise focused on implementing hardened Linux file system security controls, including creating and transferring SSH keys, disabling root login, and setting up two-factor authentication. It provides step-by-step instructions for configuring SSH settings, managing user access, and enhancing security through various methods such as disabling weak encryption algorithms and setting security-related extended file attributes. Additionally, it emphasizes the importance of logging and monitoring SSH activities for improved security management.

Uploaded by

cunanhayunpa

LAB 4 – Applying Hardened Linux File System Security Controls

6.1 – Creating and transferring SSH keys


1. On the client machine, create a pair of 384-bit elliptic curve keys. Accept the
default filename and location and create a passphrase:
2. Add your private key to your session keyring. Enter your passphrase when prompted:
3. Transfer the public key to the server VM. When prompted, enter the password for
your user account on the server VM.

4. Observe the authorized_keys file that was created on the server VM.


5. Open another terminal window and try to log in to the server again. This time,
you should be prompted to enter the passphrase for your private key.

6.2 – Disabling root login and password authentication


1. On either an Ubuntu, CentOS, or AlmaLinux 8 server VM, look for this line in
the sshd_config file:
2. Remove the comment symbol, change the parameter value to no, and reload the SSH
daemon. The line should now look like this:

4. Look for either of these two lines, depending on whether the server is an Ubuntu or
a CentOS 7/AlmaLinux VM:
Uncomment the line and change it to the following:
5. Reload the SSH daemon so that it will read in the new changes.

7. Attempt to log in to the server VM from the client that you used in the previous lab.

6.3 – Setting up two-factor authentication on Ubuntu 22.04


1. Install Google Authenticator on your smart phone.
2. On your Ubuntu VM, install the libpam-google-authenticator package.
3. Now, from this GUI-type terminal, run the google-authenticator app.
4. Next, you’ll be asked a series of questions. Just enter y for everything.

In this step, you’ll set up two-factor authentication for logging in at the local terminal
and for using sudo. Open the /etc/pam.d/common-auth file in your favorite text editor.
At the local terminal of the Ubuntu VM, log out and then log back in. When
prompted, enter the verification code from your smart phone app.

7. Open the /etc/pam.d/sshd file in your text editor, and add that line just under the
@include common-auth line at the top of the file. The top portion of the file should
now look like this:
You should now be able to log in to the local terminal and perform sudo actions
without having to enter a verification code. Instead, you should only have to enter a
verification code when logging in remotely.

6.4 – Using Google Authenticator with key exchange on Ubuntu

2. On the Ubuntu VM, open the /etc/ssh/sshd_config file in your text editor. This
time, instead of changing the #PasswordAuthentication yes line, add this line below
the KbdInteractiveAuthentication yes line:

6.6 – Disabling weak SSH encryption algorithms – Ubuntu 22.04

1. If you haven’t done so already, scan the Ubuntu 22.04 VM and save the output to
a file:
2. Count the number of lines in the file by doing:

3. On the target Ubuntu 22.04 VM, open the /etc/ssh/sshd_config file in your
preferred text editor. Toward the top of the file, find these two lines:
# Ciphers and keying
#RekeyLimit default none
4. Beneath those two lines, insert these three lines:
6. Save the file and restart the SSH daemon. Verify that it started correctly:

7. Scan the Ubuntu 22.04 VM again, saving the output to a different file:


8. Count the number of lines in the new file:

9. On the scanner VM, use diff to compare the two files. You should see fewer
algorithms than you saw previously:

6.9 – Configuring more verbose SSH logging

1. Open the main log file and scroll down to where you see the entry that was made due
to your login and observe what it says. For Ubuntu, do:
sudo less /var/log/auth.log

6.10 – Configuring whitelists within sshd_config

1. On the VM that you wish to configure, create user accounts for Frank, Charlie, and
Maggie. (password: 123456)

3. Create the webadmins group and add Frank to it:

4. From either your host machine or from another VM, have the three users log in.
Then, log them back out
5. Open the /etc/ssh/sshd_config file in your favorite text editor. At the bottom of the
file, add an AllowUsers line with your own username, like so:
6. Then, restart or reload the SSH service and verify that it has started correctly:

7. Open another command prompt and SSH in as the user frank. This time, the user shouldn’t be able to log in.
Add an AllowGroups line to the bottom of the file for the webadmins group, like so:
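
One way to check the outcome of labs 6.2 and 6.10 from the configuration file itself, as an added example that is not part of the original lab. The function names and the sample configuration are constructed for illustration; the script applies sshd's rule that the first value read for a keyword wins, so an edit placed below an earlier setting has no effect.

```bash
#!/usr/bin/env bash
# Added example, not part of the lab handout.
# Print the global value sshd would use for KEYWORD in FILE, else DEFAULT.
# sshd keeps the FIRST value it reads for a keyword, keyword names are
# case-insensitive, and lines after a "Match" line are conditional.
# Include files are not followed; on a live host `sshd -T` is authoritative.
sshd_effective() {   # usage: sshd_effective FILE KEYWORD DEFAULT
  awk -v kw="$2" -v def="$3" '
    BEGIN { kw = tolower(kw) }
    /^[ \t]*(#|$)/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == kw { $1 = ""; sub(/^[ \t]+/, ""); print; found = 1; exit }
    END { if (!found) print def }
  ' "$1"
}

# Print one PASS/FAIL line per check; return 1 if any check fails.
audit_sshd_config() {
  local file="$1" rc=0 kw want default got
  while read -r kw want default; do
    got=$(sshd_effective "$file" "$kw" "$default")
    if [ "$got" = "$want" ]; then echo "PASS $kw $got"
    else echo "FAIL $kw $got (want $want)"; rc=1; fi
  done <<'EOF'
PermitRootLogin no prohibit-password
PasswordAuthentication no yes
EOF
  # Lab 6.10: at least one whitelist directive must be set.
  got="$(sshd_effective "$file" AllowUsers "")$(sshd_effective "$file" AllowGroups "")"
  if [ -n "$got" ]; then echo "PASS whitelist present"
  else echo "FAIL no AllowUsers or AllowGroups"; rc=1; fi
  return "$rc"
}

# Constructed sample: the second PasswordAuthentication line is ignored
# because an earlier line already set the keyword.
sample_config() {
  cat <<'EOF'
permitrootlogin no
PasswordAuthentication yes
PasswordAuthentication no
AllowUsers alice
Match User backup
    PasswordAuthentication yes
EOF
}
cfg=$(mktemp) && sample_config > "$cfg"
audit_sshd_config "$cfg" || echo "config needs fixing"
rm -f "$cfg"
```

On Ubuntu 22.04 the stock sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf, so a value set in one of those files is read first and takes precedence over the same keyword in the main file.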

7.1 – Searching for SUID and SGID files

1. Search through the entire filesystem for all the files that have either SUID or SGID
set before saving the output to a text file:

2. Log into any other user account that you have on the system and create a dummy shell
script file.

3. Run the find command again, saving the output to a different text file:
4. View the difference between the two files:
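
The baseline-and-compare procedure in steps 1 to 4, as an added example that is not part of the original lab. It runs in a scratch directory instead of / so that it needs no root access; the function names and file names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not part of the lab handout.

# List every regular file under ROOT that has SUID or SGID set, sorted in
# the C locale so that two scans can be compared with comm.
suid_sgid_scan() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    LC_ALL=C sort
}

# Print paths that are in the CURRENT scan but were not in the BASELINE scan.
new_privileged_files() {   # usage: new_privileged_files BASELINE CURRENT
  LC_ALL=C comm -13 "$1" "$2"
}

# Constructed demo in a scratch directory DIR: take a baseline, add a dummy
# SUID script as in step 2, rescan, and report what is new.
# Linux ignores SUID when executing scripts, but the bit is still stored
# on the file and the scan still reports it.
demo() {
  local dir="$1"
  printf 'plain text\n' > "$dir/plain.txt"
  suid_sgid_scan "$dir" > "$dir/baseline.txt"
  printf '#!/bin/sh\necho hello\n' > "$dir/dummy.sh"
  chmod 4755 "$dir/dummy.sh"
  suid_sgid_scan "$dir" > "$dir/current.txt"
  new_privileged_files "$dir/baseline.txt" "$dir/current.txt"
}

scratch=$(mktemp -d)
demo "$scratch"      # prints the path of dummy.sh only
rm -rf "$scratch"
```

Unlike diff, comm -13 prints only the entries that are new in the second scan, which is the list to review after a package install or a suspected compromise.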

7.2 – Setting security-related extended file attributes


You’ll need to create a perm_demo.txt file with some text of your choice.

1. Using your preferred text editor, create the perm_demo.txt file with a line of text.

2. View the extended attributes of the file:


3. Add the a attribute:

4. Try to overwrite and delete the file:

5. Now, append something to the file:

6. Remove the a attribute and add the i attribute:
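
To confirm which files carry the a or i attribute after steps 3 and 6, the following added example (not part of the original lab) filters lsattr output. The function name and the sample lsattr lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not part of the lab handout.

# Read `lsattr` (or `lsattr -R`) output on stdin and report files that carry
# the append-only (a) or immutable (i) attribute, one "<state> <path>" per line.
# A file line is "<flags> <path>"; the flags field holds only letters and
# dashes. Directory headers ("./dir:") and blank lines from -R are skipped.
# The match is case-sensitive: A (no atime updates) and I (indexed directory)
# are different attributes from a and i.
protected_files() {
  awk '
    NF >= 2 && $1 ~ /^[-A-Za-z]+$/ && $1 ~ /-/ {
      flags = $1
      path = substr($0, index($0, " ") + 1)   # keep spaces inside the path
      if (flags ~ /i/) print "immutable " path
      if (flags ~ /a/) print "append-only " path
    }'
}

# Constructed sample of lsattr -R output.
sample_lsattr() {
  cat <<'EOF'
-----a--------e------- ./perm_demo.txt
--------------e------- ./notes.txt
-------A------e------- ./cache file.db
----i---------e------- ./locked.conf

./sub:
-----------I--e------- ./sub/htree_dir
EOF
}

# On a real system: sudo lsattr -R /etc 2>/dev/null | protected_files
sample_lsattr | protected_files
```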
