Lab VM description and purpose

For this course, we will use a prebuilt and configured Ubuntu Linux server running on a Virtual Machine. It is a machine built as part of another college course and was not set up with security in mind. It has several services running, a firewall enabled, and lives on multiple networks. Treat this as if it were an existing server running in the business of your new employer. It is supposed to be providing:

• custom internal DNS service only to the internal network
• web pages on hostname www in the private domain
• pages and webapps on hostname secure in the private domain
• various web apps for administrative purposes
• personal web pages for staff who have accounts on the machine
• database services to local applications
• SSH access to clients on the internal network
• VPN access to the internal network from the outside world
• email services to the internal network
• file sharing services to Windows machines on the internal networks
• PDF file printing services for the internal networks

Obtaining and configuring your lab VM

Follow these steps to download a suitable VM for our course and customize it so that your VM is specific to you for the purpose of grading.

1. In your Virtualization software (VMware or VirtualBox) create two virtual networks
   1. NAT network (provides access to the Internet through your host PC)
   2. A host-only network (DHCP service is optional), is used to simulate a private network
2. Download the course VM OVA File and import it into your virtualisation software as a VM.
   1. Download NETS1028_LabVM_v2.ova
   2. There are 2 network interfaces in the VM:
      1. The first should be connected to NAT
      2. The second should be connected to the host-only virtual network.
3. Boot the VM, and log in as student with the password Password123. The student user has sudo privileges.
4. Create a user account for your use during the semester:
   1. Use your first name for the username and give it a password you can remember.
   2. Add it to the sudo group so that you can use sudo from that account.
   3. Log out of the student account and log into your own personal account
5. Test that sudo works properly, and only use your own personal account on the lab VM for the rest of the semester unless explicitly instructed otherwise in the lab instructions.
6. Take note of your LAN address for the VM. You will need to know it for remote access from your laptop. The VM has an SSH server enabled and using SSH (Putty, Bitvise, terminal or any other ssh client) is the recommended method to access the machine for command line use.
7. Run apt-get update and apt-get upgrade to bring the base system up to current software versions.

This video is an old session recording guiding you through the instructions provided above.

NETS1028 - 2022-05-011-03 - Lab 1 - Preparing the VM environment using VirtualBoxNETS1028 - 2022-05-011-03 - Lab 1 - Preparing the VM environment using VirtualBoxScreencast-O-Matic

Security Design Exercises

These exercises will help you to become familiar with some of the security features and limitations of your installation. All of these are to be investigated for the previously downloaded pre-built VM running Ubuntu 20.04.

Physical Security

1. Describe command(s) or configuration file(s) which may be used to disable ctrl-alt-del reboot.
2. Describe how to prevent removable media filesystems from being automatically mounted.

Boot Security

1. Identify how to add a password to your boot loader so that it is required before a user can alter the boot parameters.
2. Identify the utility and configuration that will automatically remove old kernel versions from your lab VM periodically or after an automatic update.

Service Availability

1. What command(s) are used to start, stop, and check the status of installed services? Give examples of starting stopping, and status-checking at least 2 services that are running on your VM.
2. Other than service control commands as you used in the previous step (not using systemctl and service utilities), describe at least one other way to determine what services your server may be providing.

User Access

1. What Linux user accounts are on your server now? For each account you found, describe its purpose. (for example, you can list them in a table and group them if you like)
2. Which accounts can be used to log in by end users (i.e. they have a user-oriented general-purpose shell and are not locked)? (list all of such accounts)

Grading

Visit Blackboard for the latest instructions.

Links and Resources

• Grab a copy of Ubuntu Server Docs, Make sure to grab the correct version for your OS (use hostnamectl to find out what version of the OS is running in your VM)
• Documentation on udisks2 package:
  • https://manpages.ubuntu.com/manpages/xenial/man8/udisks.8.html
  • https://github.com/storaged-project/udisks
• GRUB Bootloader Documentation,
  • For Lab 1 pay special attention to the chapter on “Security” and look for tools under "User Space utilities".
• Ubuntu documentation on Removing Old Kernels
• The Linux Document Project (TLDP.org)
  • Linux HOWTO-INDEX
  • Security Quick-Start HOWTO for Linux
    • For Lab 1: read “3. Step 1: Which services do we really need?”
• Man pages for the /etc/passwd and /etc/shadow files (included in your Linux system, use man 5 passwd and man 5 shadow commands
• Debian documentation on system groups and their description: wiki.debian.org/SystemGroups