FEA407: Control Access to the server

| Test Result ID | TC407-001 |
| --- | --- |
| Author/Designer | Ali Muneeb, Markus Suonio, Andreas Kjersheim |
| Date of creation | 15.03.2024 |
| Class | Testing & Acceptance |

Login

Could log in from user as intended. Could not log in or ssh as root or ubuntu users.

As a regular user I tried to run the sudo su command within the server and as a result my permission was denied since I didn't have the permits for that.

Could not cd into ubuntu directory

Could cd into other root directories

Could view all the conf files in the root directories

As a regular user account, I tried to cd into the project directory folder and make changes within and as a result I was able to cd into the project directory folder but wasn't allowed to make changes to a txt file.

Changing files

Could not change the files.

Could not create a new file.

Could view /etc/passwd

Could not change contents of /etc/passwd.

Could not change permissions of passwd using chmod.

Could create new file in project dir

Created new user as root and set passwd

Tried ssh from new user

Permission denied

I was able to create a user with no password by interrupting the process when it asked me for a password by using Ctrl+D.

Could create a file from test user
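
To check what state an account is left in when its password prompt is interrupted, the following added example (not part of the original test report) classifies the password field of shadow(5)-format entries as empty, locked or hashed. The account names and hashes in the sample are constructed, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: audit shadow(5)-format lines for accounts without a usable password.
# Field 2 of each line is the password field:
#   ""            -> EMPTY  (no password is required to authenticate)
#   starts ! or * -> LOCKED (no valid hash, password login cannot succeed)
#   $id$...       -> HASHED (crypt(3) hash such as $6$ or $y$)

# Constructed sample input; none of these entries come from the tested server.
sample_shadow() {
  cat <<'EOF'
svc:*:19797:0:99999:7:::
alice:$y$j9T$constructedsalt$constructedhash:19797:0:99999:7:::
bob:!$6$constructedsalt$constructedhash:19797:0:99999:7:::
interrupted:!:19797:0:99999:7:::
nopass::19797:0:99999:7:::
EOF
}

# Read shadow-format lines on stdin, print "user STATE" per account.
classify_shadow() {
  awk -F: '
    NF == 0 { next }                                  # skip blank lines
    {
      pw = $2
      if (pw == "")                    state = "EMPTY"
      else if (pw ~ /^[!*]/)           state = "LOCKED"
      else if (pw ~ /^\$[0-9a-z]+\$/)  state = "HASHED"
      else                             state = "UNKNOWN"
      print $1, state
    }'
}

# Print the classification and return non-zero if any account is EMPTY.
# EMPTY accounts matter even when sshd keeps PermitEmptyPasswords at "no",
# because local logins and su may still accept them.
audit_shadow() {
  classify_shadow | awk '{ print } $2 == "EMPTY" { bad = 1 } END { exit bad + 0 }'
}

# Demo on the constructed sample. On a real host the input would be
# the contents of /etc/shadow, read with root privileges.
sample_shadow | audit_shadow || echo "finding: account(s) with an empty password field"
```
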

Using hydra to attempt to bruteforce login

I used the pentesting tool Hydra to try and brute-force user account login via SSH and after multiple failed login attempts, I got my IP address banned and couldn't attempt logging in anymore.

Image

Censored IP addresses for privacy reasons

Used lynis auditing tool to audit front end server

The hardening index was 66

We need to harden a lot of stuff and use a malware scanner as well

Ali did another scan with Lynis 15.03.2024. The output file can be found here: link

Acceptance Criteria:

  1. Unwanted user tries to access the server
  2. Unwanted user puts the username and password
  3. Gets a notification that username or the password is wrong, and all the activity is logged
  4. Unwanted user tries to brute force logging in as root
  5. Unwanted user gets IP banned

Working as intended. PASSED

  1. User wants to log in to the server
  2. User puts username and password
  3. User gets a notification that login was successful
  4. Inactivity of 3 hours
  5. The user receives a notification of session timeout

Working as intended. PASSED

  1. User logs into the server
  2. User tries to create a new directory in root folder
  3. User receives permission denied error
  4. User tries to create a file in the development directory they have group permission for
  5. The file is successfully created

Working as intended. PASSED