FEA407: Control Access to the server
| Test Result ID | TC407-001 |
| Author/Designer | Ali Muneeb, Markus Suonio, Andreas Kjersheim |
| Date of creation | 15.03.2024 |
| Class | Testing & Acceptance |
Login
Could log in from user as intended. Could not log in or ssh as root or ubuntu users.
As a regular user I tried to run the sudo su command within the server and as a result my permission was denied since I didn't have the permits for that.
Navigation restrictions
Could not cd into ubuntu directory
Could cd into other root directories
Could view all the conf files in the root directories
As a regular user account, I tried to cd into the project directory folder and make changes within and as a result I was able to cd into the project directory folder but wasn't allowed to make changes to a txt file.
Changing files
Could not change the files
Could not create a new file
Could view /etc/passwd
Could not change contents of /etc/passwd
Could not change permissions of passwd using chmod
Could create new file in project dir
Created new user as root and set passwd
Tried ssh from new user
Permission denied
I was able to create a user with no password by interrupting the process when it asked me for a password by using Ctrl+D.
Could create a file from test user
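A way to re-check the account and SSH results recorded above, as an added example that is not part of the original test report: it classifies the password field of shadow(5)-format lines, to see whether an account such as the one created by interrupting the password prompt ended up with an empty or a locked field, and flags risky values in `sshd -T` output. The function names and all sample data are constructed for illustration; reading `/etc/shadow` and running `sshd -T` require root.

```shell
#!/usr/bin/env bash
# Added example (not part of the original report).

# Classify the password field of shadow(5)-format lines read from stdin.
# On a real host, as root: classify_shadow < /etc/shadow
classify_shadow() {
  awk -F: '
    NF < 2 { next }                                # skip blank/malformed lines
    {
      pw = $2
      if (pw == "")              state = "EMPTY"   # no password needed at all
      else if (pw ~ /^[!*]/)     state = "LOCKED"  # password login disabled
      else if (pw ~ /^\$/)       state = "HASHED"  # crypt(3) hash present
      else                       state = "UNKNOWN"
      printf "%s\t%s\n", $1, state
    }'
}

# Flag risky values in effective sshd settings ("sshd -T" format) on stdin.
# On a real host, as root: sshd -T | check_sshd
# Returns non-zero when at least one finding is printed.
check_sshd() {
  awk '
    $1 == "permitrootlogin"      && $2 != "no" { print "FINDING " $1 "=" $2; bad = 1 }
    $1 == "permitemptypasswords" && $2 != "no" { print "FINDING " $1 "=" $2; bad = 1 }
    END { exit bad + 0 }'
}

# Constructed sample data (not taken from the tested server).
SAMPLE_SHADOW='root:*:19797:0:99999:7:::
alice:$6$constructedsalt$constructedhash:19797:0:99999:7:::
newuser:!:19797:0:99999:7:::
testuser::19797:0:99999:7:::'

SAMPLE_SSHD='port 22
permitrootlogin no
permitemptypasswords yes
passwordauthentication yes'

printf '%s\n' "$SAMPLE_SHADOW" | classify_shadow
printf '%s\n' "$SAMPLE_SSHD" | check_sshd || echo "sshd settings need review"
```

An `EMPTY` result is the case to fix first: it combines with `permitemptypasswords yes` to allow a password-less SSH login, while a `LOCKED` field means no password login is possible for that account.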
Using Hydra to attempt to brute-force login
I used the pentesting tool Hydra to try and brute-force user account login via SSH and after multiple failed login attempts, I got my IP address banned and couldn't attempt logging in anymore.
Censored IP addresses for privacy reasons
Used Lynis auditing tool to audit front end server
The hardening index was 66
We need to harden a lot of stuff and use a malware scanner as well
Ali did another scan with Lynis 15.03.2024. The output file can be found here: link
Acceptance Criteria:
- Unwanted user tries to access the server
- Unwanted user puts the username and password
- Gets a notification that username or the password is wrong, and all the activity is logged
- Unwanted user tries to brute force logging in as root
- Unwanted user gets IP banned
Working as intended. PASSED
- User wants to log in to the server
- User puts username and password
- User gets a notification that login was successful
- Inactivity of 3 hours
- The user receives a notification of session timeout
Working as intended. PASSED
- User logs into the server
- User tries to create a new directory in root folder
- User receives permission denied error
- User tries to create a file in the development directory they have group permission for
- The file is successfully created
Working as intended. PASSED