TC407-001
Test Case ID | TC407-001 |
Author/Designer | Niko Satejeff & Noora Kuikka |
Date of creation | 08.03.2024 |
Class | Acceptance |
Test description / objective
This test case verifies that only authorized users have access to the frontend/backend servers. Additionally, a Lynis scan will check for internal configuration vulnerabilities.
Links to requirements or other sources
Test pre-state
- The servers are up and running and have been pre-configured with the recommended settings.
- Server updates have been downloaded and installed.
Test steps
# | Action | Expected Result |
---|---|---|
1 | Open a terminal or PuTTY connection and SSH into the frontend server as username@server-ip | The frontend server prompts for the user's password |
2 | Try to do the same as root and as the image's default account (e.g. ubuntu) | Authentication fails, as root login is denied in sshd_config and the default account is not on the whitelist |
3 | As a regular (non-sudo) user, try to run sudo su on the servers, or modify root-owned files/directories | Permission denied: the account is not in sudoers and has no write access to root-owned files |
4 | As a regular user, cd into the project directory and make a change inside it (e.g. touch newfile.txt) | The change takes effect, as authorized users have full access to files within the project directory |
5 | As an administrator account, create a new user, then try to SSH into the server as that user | SSH access is denied, as the new account is not on the whitelist (AllowUsers/AllowGroups) in sshd_config |
6 | As an administrator account, create a new user with an empty password and add them to the SSH whitelist | Authentication fails, as sshd rejects empty passwords |
7 | Using the pentesting tool Hydra, try to brute-force a user account login via SSH | Fail2Ban detects the repeated failed login attempts and bans the source IP address |
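Steps 2, 5, 6 and 7 depend on a handful of sshd_config directives and on Fail2Ban counting failed logins in the auth log. The script below is an added example, not part of TC407-001 or the project's own tooling: it checks a copy of sshd_config for the settings the steps assume (PermitRootLogin no, PermitEmptyPasswords no, a non-empty AllowUsers whitelist) and lists the source IPs in an auth log that reach Fail2Ban's default maxretry of 5. The two config files and the auth.log lines are constructed for illustration; the usernames and IP addresses in them are placeholders.

```shell
#!/bin/sh
# Added example (not from TC407-001): offline pre-checks for the sshd_config
# settings behind steps 2, 5 and 6, and for the failed-login counting behind step 7.

# Print the effective value of a global sshd_config keyword.
# sshd uses the FIRST occurrence of a keyword, and directives under a
# "Match" block apply conditionally, so parsing stops at the first Match line.
sshd_get() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    tolower($1) == "match" { exit }
    $1 !~ /^#/ && tolower($1) == key { sub(/^[^ \t]+[ \t]+/, ""); print; exit }
  ' "$1"
}

# Audit the settings the test relies on. Prints PASS/FAIL per check; exit 1 on any FAIL.
check_sshd_config() {
  cfg="$1"; status=0
  for pair in "PermitRootLogin=no" "PermitEmptyPasswords=no"; do
    key="${pair%%=*}"; want="${pair#*=}"
    got="$(sshd_get "$cfg" "$key")"
    if [ "$got" = "$want" ]; then echo "PASS $key $got"
    else echo "FAIL $key is '${got:-<unset>}', expected $want"; status=1; fi
  done
  # Step 5: only whitelisted accounts may log in, so AllowUsers must exist and be non-empty
  allow="$(sshd_get "$cfg" AllowUsers)"
  if [ -n "$allow" ]; then echo "PASS AllowUsers $allow"
  else echo "FAIL AllowUsers not set: every valid account could log in"; status=1; fi
  return $status
}

# Step 7: list source IPs with at least $2 "Failed password" events in auth log $1,
# roughly what Fail2Ban's sshd jail counts before banning (default maxretry is 5).
failed_login_sources() {
  awk -v thr="$2" '
    /sshd\[[0-9]+\]: Failed password for/ {
      for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
    }
    END { for (ip in n) if (n[ip] >= thr) print ip }
  ' "$1" | sort
}

# Constructed sample inputs (placeholder users and documentation IP ranges).
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp); AUTH_LOG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG" "$AUTH_LOG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# Default-style config: root login allowed, empty-password setting commented out, no whitelist
PermitRootLogin yes
#PermitEmptyPasswords no
EOF
cat > "$HARD_CFG" <<'EOF'
PermitRootLogin no
PermitEmptyPasswords no
AllowUsers deploy admin
PasswordAuthentication yes
Match Address 192.0.2.0/24
    PasswordAuthentication no
EOF
cat > "$AUTH_LOG" <<'EOF'
Mar  8 10:01:02 frontend sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  8 10:01:04 frontend sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar  8 10:01:05 frontend sshd[2212]: Failed password for deploy from 203.0.113.7 port 51240 ssh2
Mar  8 10:01:06 frontend sshd[2213]: Failed password for deploy from 203.0.113.7 port 51241 ssh2
Mar  8 10:01:07 frontend sshd[2214]: Failed password for root from 203.0.113.7 port 51242 ssh2
Mar  8 10:02:10 frontend sshd[2220]: Failed password for deploy from 198.51.100.4 port 50011 ssh2
Mar  8 10:02:15 frontend sshd[2221]: Accepted password for deploy from 198.51.100.4 port 50012 ssh2
EOF

echo "== weak config =="; check_sshd_config "$WEAK_CFG" || echo "(failures expected)"
echo "== hardened config =="; check_sshd_config "$HARD_CFG"
echo "== sources at Fail2Ban maxretry=5 =="; failed_login_sources "$AUTH_LOG" 5
```

Run it against a copy of the real files (`sshd_get /etc/ssh/sshd_config PermitRootLogin`, `failed_login_sources /var/log/auth.log 5`) before executing steps 2, 5, 6 and 7; a FAIL line points at the directive to fix, and an IP listed at threshold 5 is one Fail2Ban would have banned with its default jail settings.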
Additional tests:
- Scan the server IP addresses using Nikto and Nessus
- Perform an internal scan on the servers using Lynis
- Document all vulnerabilities found via the scans
Test end-state
- Based on test results, fix all issues and re-run the tests until no serious vulnerabilities are found
To be taken into account during test
- Fail2Ban bans any IP address it detects attempting a brute-force attack, so do not run the tests from your regular network IP. Otherwise you will have to unban it from within the server (e.g. fail2ban-client set sshd unbanip <ip>).
Test result (Pass/Fail Criteria)
CATEGORY | PASS | FAIL |
---|---|---|
Authorization | All unauthorized user accounts are denied access via SSH, authorized accounts gain access | Unauthorized accounts (e.g. root login) manage to access the servers |
Vulnerabilities | Vulnerability scanners show no serious warnings or errors | Multiple warnings and errors are detected via vulnerability scanners |