# L4. Configuration Services. Answers
## Exercise 1 – System Services
1. Check the status of the current active services
2. Check the system log (journalctl)
:::spoiler
```bash=
service --status-all
journalctl --system
```
:::
---
## Exercise 2 – SSH
1. Start the SSH service, then check the service status
2. From a different Linux machine, try to SSH in as the root user
3. Edit the SSH configuration file to change the option that controls SSH logins as root
4. Try to SSH in as root once again
:::spoiler
```bash=
service ssh status
service ssh start
# allow password logins for root in sshd_config (lab setting only)
nano /etc/ssh/sshd_config
```
>PermitRootLogin yes
```bash=
service ssh restart
ssh root@ip
```
:::
---
## Exercise 3 – Security SSH Config*
1. Disable Root Logins
2. Use Another Port
3. Configure Idle Timeout Interval
4. Limit Users’ SSH Access (user1, user2)
5. Disable Empty Passwords
6. Only Use SSH Protocol 2
:::spoiler
```bash=
nano /etc/ssh/sshd_config
```
>PermitRootLogin no
>ClientAliveInterval 360
>ClientAliveCountMax 0
>AllowUsers user1 user2
>Protocol 2
>Port 2025
```bash=
service ssh restart
```
:::
7. Allow Only Specific Clients (IP + iptables)
:::spoiler
```bash=
# Management host first; if Port was changed to 2025 above, use --dport 2025 in every rule below
iptables -A INPUT -p tcp -s YourIP --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name ssh --rsource
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent ! --rcheck --seconds 90 --hitcount 3 --name ssh --rsource -j ACCEPT
# Without a final DROP the two rules above only keep score: new attempts over the limit must be refused
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j DROP
```
:::
---
## Exercise 4 – Security SSH Config 2*
1. Tasks 1-6 from "Exercise 3 – Security SSH Config*", but using only the "sed" command
:::spoiler
```bash=
# GNU sed: match the keyword, commented out or not, keep the keyword (\1) and replace the value
sed -i 's/^#\?\(PermitRootLogin\s*\).*$/\1 no/' /etc/ssh/sshd_config
sed -i 's/^#\?\(ClientAliveInterval\s*\).*$/\1 360/' /etc/ssh/sshd_config
sed -i 's/^#\?\(ClientAliveCountMax\s*\).*$/\1 0/' /etc/ssh/sshd_config
sed -i 's/^#\?\(Port\s*\).*$/\1 2025/' /etc/ssh/sshd_config
sed -i 's/^#\?\(Protocol\s*\).*$/\1 2/' /etc/ssh/sshd_config
# AllowUsers is absent from the stock file, so there is nothing to substitute: append it first
grep -q '^#\?AllowUsers' /etc/ssh/sshd_config || sed -i '$a AllowUsers user1 user2' /etc/ssh/sshd_config
sed -i 's/^#\?\(AllowUsers\s*\).*$/\1 user1 user2/' /etc/ssh/sshd_config
# Validate before restarting: a broken config locks you out
sshd -t && service ssh restart
```
:::
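The two answer keys above edit `/etc/ssh/sshd_config` by hand or with one `sed` per keyword. As an added example (not part of this answer sheet), the function below does the same job for Exercises 3 and 4 in a form that survives being run twice and that knows about `Match` blocks: a keyword substituted or appended below a `Match` line silently becomes part of that block instead of a global setting. It assumes GNU sed and grep; `make_sample_config` writes a constructed stand-in for the real file so the script runs without touching a live server, and `harden_sshd` also sets `PermitEmptyPasswords no`, the keyword task 5 asks for.

```shell
#!/bin/sh
# Added example, not from the lab sheet. Assumes GNU sed/grep (the -i, \? and \s
# forms used on the sheet are GNU extensions as well).

# set_sshd_option FILE KEY VALUE
# Rewrites the global KEY line (commented or not) or inserts one. A "Match"
# block scopes every keyword after it, so a new global line is placed above
# the first Match line rather than at the end of the file.
set_sshd_option() {
    file=$1 key=$2 value=$3
    # line number of the first Match block, empty when the file has none
    match_line=$(sed -n '/^[[:space:]]*Match[[:space:]]/{=;q;}' "$file")
    if [ -n "$match_line" ]; then last_global=$((match_line - 1)); else last_global='$'; fi
    if [ "$last_global" != 0 ] && sed -n "1,${last_global}p" "$file" | grep -Eq "^#?[[:space:]]*${key}[[:space:]]"; then
        # keyword already present in the global section: uncomment and set the value
        sed -i -E "1,${last_global}s/^#?[[:space:]]*(${key})[[:space:]].*/\1 ${value}/" "$file"
    elif [ -n "$match_line" ]; then
        sed -i "${match_line}i ${key} ${value}" "$file"   # insert just above the Match block
    else
        sed -i "\$a ${key} ${value}" "$file"               # no Match block: append
    fi
}

# harden_sshd FILE: the settings from Exercise 3, then a syntax check when
# sshd is installed (a typo here locks you out on restart).
harden_sshd() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" Port 2025
    set_sshd_option "$1" ClientAliveInterval 360
    # The sheet uses 0; since OpenSSH 8.2 a count of 0 disables the idle
    # disconnect entirely, so 1 gives the intended "kick after one missed probe".
    set_sshd_option "$1" ClientAliveCountMax 1
    set_sshd_option "$1" AllowUsers "user1 user2"
    set_sshd_option "$1" PermitEmptyPasswords no
    set_sshd_option "$1" Protocol 2
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1" || echo "warning: sshd -t rejected $1" >&2
    fi
}

# make_sample_config FILE: a constructed stand-in for /etc/ssh/sshd_config
make_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real distribution file
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#PermitRootLogin prohibit-password
#ClientAliveInterval 0
#ClientAliveCountMax 3
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
Match User backup
    PasswordAuthentication no
EOF
}

# Demonstration on a temporary copy; never point this at the live file untested.
tmp=$(mktemp)
make_sample_config "$tmp"
harden_sshd "$tmp"
cat "$tmp"
rm -f "$tmp"
```

Two caveats when applying this to a real host: Ubuntu's stock file starts with `Include /etc/ssh/sshd_config.d/*.conf` and sshd keeps the first value it reads for a keyword, so an override dropped into that directory wins over anything written further down; and run `sshd -t` before `service ssh restart` from a session you can afford to lose.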
---
## Exercise 5 – Public/Private Keys for Authentication*
1. Use Public/Private Keys for SSH Authentication
:::spoiler
```bash=
# on the client: create the key pair (type given explicitly so id_rsa.pub is the file read next)
ssh-keygen -t rsa -b 4096
cat ~/.ssh/id_rsa.pub
# on the server (log in with the password one last time), then install the public key
ssh user@ip
mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys
echo public_key_string >> ~/.ssh/authorized_keys   # paste the line printed by cat above
chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys
# back on the client: this login must succeed without a password before going further
ssh user@ip
sudo nano /etc/ssh/sshd_config
```
>PasswordAuthentication no
```bash=
sudo service ssh restart
```
:::
:::spoiler
>For Windows: https://system.cs.kuleuven.be/cs/system/security/ssh/setupkeys/putty-with-key.html
:::
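An added example, not from the sheet: the `mkdir`/`touch`/`echo`/`chmod` steps of the key above as a single function that refuses a line which is not a public key (a pasted private key or a partial paste is the usual accident), does not add the same key twice even when the trailing comment differs, and sets the modes that sshd's `StrictModes` check requires. The public key string below is constructed for the demonstration and is not a real key.

```shell
#!/bin/sh
# Added example, not from the lab sheet.

# install_pubkey HOMEDIR PUBKEY_LINE
# Appends one OpenSSH public key line to HOMEDIR/.ssh/authorized_keys.
install_pubkey() {
    home=$1 key=$2
    # only accept lines that start with a key type sshd understands
    case $key in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp256 "*|"sk-ssh-ed25519@openssh.com "*) ;;
        *) echo "install_pubkey: not an OpenSSH public key line, refusing" >&2; return 1 ;;
    esac
    # create the directory and file with private modes from the start
    ( umask 077; mkdir -p "$home/.ssh" && touch "$home/.ssh/authorized_keys" ) || return 1
    # compare on type + base64 blob only, so a different comment is not a "new" key
    blob=$(printf '%s\n' "$key" | awk '{print $1 " " $2}')
    if awk -v b="$blob" '($1 " " $2) == b { found = 1 } END { exit !found }' "$home/.ssh/authorized_keys"; then
        echo "install_pubkey: key already present, nothing to do"
    else
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    fi
    # StrictModes (the default) rejects the file if these are looser
    chmod 700 "$home/.ssh" && chmod 600 "$home/.ssh/authorized_keys"
}

# key_count HOMEDIR: number of lines in authorized_keys
key_count() { wc -l < "$1/.ssh/authorized_keys" | tr -d ' '; }

# Constructed demonstration key: the blob is not a real key.
DEMO_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleConstructedBlobNotARealKey000000000= user1@laptop'

demo_home=$(mktemp -d)
install_pubkey "$demo_home" "$DEMO_KEY"
install_pubkey "$demo_home" "$DEMO_KEY"      # second call is a no-op
echo "keys installed: $(key_count "$demo_home")"
ls -ld "$demo_home/.ssh" "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```

The duplicate check compares key type and blob rather than the whole line because `ssh-keygen` lets you re-label a key freely; two lines that differ only in the comment would otherwise accumulate with every re-run of a provisioning script.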
---
## Exercise 6 – FTP
1. Install the VSFTPD service
1. From a different machine, try to connect to the FTP service via CLI with a username and password, and capture the network traffic with Wireshark to observe the non-encrypted credentials
:::spoiler
```bash=
apt install vsftpd
service vsftpd start
ftp ip
```
:::
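What Wireshark shows in this exercise can also be turned into a detection. As an added example (not part of the answer sheet), the script below reads the kind of field output `tshark` produces for FTP requests (the sample is constructed by hand in that shape; the `tshark` invocation it assumes is in the comment) and reports each login whose password crossed the wire in the clear, printing only the password length, since the finding is that it was exposed, not what it was.

```shell
#!/bin/sh
# Added example, not from the lab sheet.
# Input format assumed: one request per line, comma separated, as produced by
#   tshark -r ftp.pcap -Y ftp.request -T fields -E separator=, \
#          -e ip.src -e ip.dst -e ftp.request.command -e ftp.request.arg
# SAMPLE is constructed by hand in that shape.
SAMPLE='10.0.0.5,10.0.0.9,USER,alice
10.0.0.5,10.0.0.9,PASS,hunter2
10.0.0.7,10.0.0.9,USER,anonymous
10.0.0.7,10.0.0.9,PASS,guest@example.org
10.0.0.5,10.0.0.9,LIST,'

# cleartext_logins: read field lines on stdin and print one line per USER/PASS
# pair, keyed by source address. The password value is never echoed.
cleartext_logins() {
    awk -F',' '
        $3 == "USER" { user[$1] = $4 }
        $3 == "PASS" {
            name = ($1 in user) ? user[$1] : "?"
            printf "%s -> %s user=%s password=<%d chars in cleartext>\n", $1, $2, name, length($4)
            delete user[$1]
        }'
}

# count_cleartext_logins: number of exposed logins, for scripting and checks
count_cleartext_logins() { cleartext_logins | wc -l | tr -d ' '; }

printf '%s\n' "$SAMPLE" | cleartext_logins
echo "exposed logins: $(printf '%s\n' "$SAMPLE" | count_cleartext_logins)"
```

The same capture of an sFTP session (Exercise 9) yields no such lines: after the key exchange everything, including the authentication, is inside the SSH transport, which is the point of the comparison the two exercises set up.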
---
## Exercise 7 – tFTP
1. Start the "tftp" service with atftpd package
:::spoiler
```bash=
service atftpd start
```
:::
---
## Exercise 8 – Samba
1. Install the Samba service
1. Create a folder and assign it every permission possible
1. Edit the Samba configuration file, and add the shared folder location and settings
1. Start the “smbd” service
1. Connect from a Windows machine to the shared folder with credentials
:::spoiler
```bash=
apt install samba
mkdir dir               # created in /home/user1, the path used in smb.conf below
chmod -R 777 dir
nano /etc/samba/smb.conf
```
>[test]
>path = /home/user1/dir
>browsable = yes
>read only = no
```bash=
adduser user1           # skip if user1 already exists
smbpasswd -a user1      # Samba keeps its own password database
service smbd start
# from Windows: open \\ip\test in Explorer and log in as user1
```
:::
---
## Exercise 9 – sFTP*
1. Make sure the SSH and FTP services are both installed and active
1. Navigate to SSH config file
1. Add the necessary configuration to allow an sFTP connection
1. Create a group to match the configuration and add a user to that group
1. Open the Wireshark listener
1. Connect with the user in sFTP group to sFTP service from another machine, and try to fetch the credentials via Wireshark
:::spoiler
```bash=
service --status-all | grep -E 'ssh|vsftpd'
nano /etc/ssh/sshd_config
```
>Match group sftp
>X11Forwarding no
>AllowTCPForwarding no
>ForceCommand internal-sftp
>ChrootDirectory /home
```bash=
addgroup sftp
adduser user sftp
service ssh restart     # the new Match block is only read on restart
sftp user@ip
```
:::
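Two things decide whether the `Match` block above works in practice: it has to be the last thing in the file, because every keyword after a `Match` line belongs to it, and the `ChrootDirectory` (and every component of its path) must be owned by root and writable by nobody else, or sshd refuses the login with "bad ownership or modes for chroot directory". As an added example, not code from the sheet, the functions below append the block once and check a directory the way sshd does; group name and chroot path are parameters, and the mode check parses `ls -ld` output so it does not depend on a GNU-only `stat`.

```shell
#!/bin/sh
# Added example, not from the lab sheet.

# add_sftp_match FILE GROUP CHROOT
# Appends the SFTP-only Match block at the end of FILE, once. Because a Match
# block captures every keyword below it, global settings must never be added
# after this call.
add_sftp_match() {
    file=$1 group=$2 chroot=$3
    if grep -Eq "^[[:space:]]*Match[[:space:]]+Group[[:space:]]+${group}\$" "$file"; then
        return 0   # already configured
    fi
    printf '\nMatch Group %s\n    ChrootDirectory %s\n    ForceCommand internal-sftp\n    AllowTcpForwarding no\n    X11Forwarding no\n' \
        "$group" "$chroot" >> "$file"
}

# chroot_mode_ok DIR: 0 when DIR is not writable by group or others.
# Positions 6 and 9 of the ls mode string are the group and other write bits.
chroot_mode_ok() {
    [ -d "$1" ] || return 2
    case $(ls -ld "$1" | cut -c1-10) in
        ?????w????|????????w?) return 1 ;;
    esac
    return 0
}

# chroot_owner_ok DIR: 0 when DIR is owned by uid 0. sshd applies both checks
# to every component of the path, not only the final directory.
chroot_owner_ok() {
    [ "$(ls -ldn "$1" | awk '{print $3}')" = 0 ]
}

# check_chroot DIR: combined verdict, printed for the operator
check_chroot() {
    if chroot_mode_ok "$1" && chroot_owner_ok "$1"; then
        echo "$1: acceptable as ChrootDirectory"
    else
        echo "$1: sshd would refuse this as ChrootDirectory (needs root ownership and no group/other write)"
        return 1
    fi
}

# Demonstration on a temporary config and directory.
tmp=$(mktemp)
printf 'Port 22\nPasswordAuthentication yes\n' > "$tmp"
add_sftp_match "$tmp" sftp /home
add_sftp_match "$tmp" sftp /home      # no duplicate block
cat "$tmp"
d=$(mktemp -d)
chmod 777 "$d"; check_chroot "$d" || true
chmod 755 "$d"; check_chroot "$d" || true   # still fails unless run as root: ownership
rm -rf "$tmp" "$d"
```

With `ChrootDirectory /home` as on the sheet, the check normally passes because `/home` is root-owned and mode 755 on a stock install; it is the per-user variants (`ChrootDirectory /home/%u`, where the user owns the directory) that hit the ownership rule, which is why the common layout is a root-owned `/home/user` with a user-writable subdirectory inside it.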
---