Securing SSH Lab - kerryallen89/SYS-255-01 GitHub Wiki
Securing SSH Lab Walkthrough
STEP 1
I SSH'd into my DHCP02-kerry from PowerShell on my WKS02-kerry VM. After doing this, I elevated from my default user to root with sudo -i. Once I was root, I ran the command "nano /etc/ssh/sshd_config".
This opens the main SSH daemon configuration file, which controls how sshd handles incoming SSH logins to that machine.
STEP 2
After opening the configuration file you will see a list of directives that can be modified. The directive we want is "PermitRootLogin yes". We change the "yes" to a "no", which prevents logging in directly as root over SSH.
For the change to take effect we must also remove the leading "#" from that line. If we don't, the line is just a comment inside the file and sshd ignores it. MAKE SURE TO WRITE OUT THE FILE, OR THE CHANGE WON'T BE SAVED!
STEP 3
Next, we must restart the SSH daemon by running the command "systemctl restart sshd".
Until sshd is restarted it keeps running with the old configuration, so the change we made will not take effect.
STEP 4
Finally, when I try to log in as root to my DHCP server, I get a "Permission Denied" error.
To become root now, you MUST first log in as your normal user account, which in my case is "kerry". This adds extra security and limits who can access the system in the first place, because anyone connecting now has to know a valid username rather than just "root".
If you do not want to keep this change after you're done with the lab, all you have to do is go back into the ssh config file, change the "no" back to "yes" on the "PermitRootLogin" line, and then restart the sshd service.
DELIVERABLES
Deliverable 1. Once you are convinced that root can no longer log in, provide a screenshot that shows how this failure was captured in the logs:
This screenshot shows my single attempt at SSH-ing into my DHCP server as root. Running the command cat /var/log/secure | grep "not met" displays the log entries for the attempted root login. It shows my one login attempt as root and that the requirement was not met.
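As an added example (not part of this lab or the course), the following shell script does two things the steps above rely on: it reports which PermitRootLogin value sshd would actually use, since sshd honours the first uncommented occurrence of a directive and a "no" added below a live "yes" changes nothing, and it counts the "not met" root-login entries in log lines like the ones grepped from /var/log/secure. The config fragments, host name, addresses and log lines are constructed samples; on a real host, sshd -T prints the effective configuration.

```shell
#!/bin/sh
# Added example (not part of the original lab): check which PermitRootLogin
# value sshd will actually use, and count refused root logins in log lines.
# The config fragments and log lines below are constructed samples.

# sshd uses the FIRST uncommented occurrence of a keyword, so a "no" appended
# below an earlier uncommented "yes" changes nothing. Match blocks are not
# handled here; "sshd -T" prints the real effective configuration.
effective_permit_root_login() {
  awk '
    /^[[:space:]]*#/ { next }                       # skip comment lines
    tolower($1) == "match" { exit }                 # stop at first Match block
    tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
    END { if (!found) print "default" }             # compiled-in default applies
  ' "$1"
}

# Count lines recording a refused root login, like the "not met" entries the
# lab greps for in /var/log/secure. grep -c prints 0 but exits 1 on no match.
count_refused_root_logins() {
  grep -c 'not met by user "root"' "$1" || :
}

# Constructed config: the lab's edit, with the default left commented out.
write_good_config() {
  printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin no' \
    'PasswordAuthentication yes' > "$1"
}
# Constructed config with a common mistake: "no" added below a live "yes".
write_bad_config() {
  printf '%s\n' 'PermitRootLogin yes' 'PasswordAuthentication yes' \
    'PermitRootLogin no' > "$1"
}
# Constructed log lines in the style of /var/log/secure (host, pid and
# address are made up). Only the first line is a refused root login.
write_sample_log() {
  printf '%s\n' \
    'Mar  1 10:00:01 dhcp02 sshd[1201]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"' \
    'Mar  1 10:00:01 dhcp02 sshd[1201]: Failed password for root from 192.0.2.10 port 50122 ssh2' \
    'Mar  1 10:00:20 dhcp02 sshd[1208]: Accepted password for kerry from 192.0.2.10 port 50130 ssh2' > "$1"
}

tmp=$(mktemp -d)
write_good_config "$tmp/good"; write_bad_config "$tmp/bad"; write_sample_log "$tmp/secure"
echo "good config -> PermitRootLogin $(effective_permit_root_login "$tmp/good")"   # no
echo "bad config  -> PermitRootLogin $(effective_permit_root_login "$tmp/bad")"    # yes
echo "refused root logins in log: $(count_refused_root_logins "$tmp/secure")"     # 1
rm -rf "$tmp"
```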
Deliverable 2. Figure out how to determine what root's uid (user id) is. What is it, and based on the logs, what logic is used to prevent root's login?
I presume root's user ID is below the number "1000", as the log displays it with "requirement "uid >=". An account with a user ID of 1000 or above is a non-administrative (non-root) account. The first created root user account would have a user ID below 1000. This parameter of requiring a UID of 1000 or greater prevents an immediate login with the root account, which also increases the system's security.