Building a Pentest Server
In this 5-part series from our blog, I will be running through how to go about building a pentest server. This is one of the modules I cover with students and interns, and I often find myself surprised at how uneasy people feel when they have no GUI. So, why would you be building a pentest server? The most obvious answer is when you want something on the internet, possibly hosted in a cloud environment, to help you with engagements.
First things first. It does not matter which provider you use. Some are better, some are cheaper. I use Digital Ocean. Find one you like. In this series, we are using Ubuntu 20.04 LTS. It is our base operating system and we join this series with a fresh install.
Building a Pentest Server – The Steps
Step 1 – Get up to date
When building a pentest server we want everything up to date. So the very first thing we want to do is bring the server up to date. We can do this very simply, by running the update function:
apt update
apt upgrade
Next we set the hostname. This is because we like to keep things logical. For our server, it is called bumblebee.
hostname bumblebee
echo "bumblebee" > /etc/hostname
Step 2 – Adding user groups
We are going to have some users who can use sudo to run with root permissions and some users who cannot. All users will need to be able to SSH onto the server, so the easy way to facilitate this is to have an SSH group. We shall create that group very easily with the addgroup command:
addgroup sshusers
Of course, you can use whatever group name you like.
Step 3 – Add the users
This is really important. You do not want to be connecting with the root user, as we will be effectively disabling root in a moment. So, we add our users. Add yours as you wish, just change thing to the right name.
adduser thing
You will be prompted through the user setup and will be asked to enter the password twice. Be darn sure to add a very strong password.
With the user set up, we need to give that user sudo rights. On Ubuntu, the sudoers file grants sudo to members of the sudo group, so we can do this very easily with usermod. While we do this we can add the user to the SSH users group too:
usermod -a -G sudo thing
usermod -a -G sshusers thing
Now would be a great time to SSH to your server with your new user, use sudo -s to gain root permissions and then continue with this Building a Pentest Server guide.
Step 4 – Adding a webserver
The next step is to add a web server. We won't be using the web server all the time, but it can be helpful for people you are testing to know that the server belongs to you. We install apache2 on our systems. This is simple; use the following command to install it:
apt install apache2
And that is it. When building a pentest server, we will always add an explanatory splash page. This is ours:
[Image: Building a Pentest Server splash page]
Building a Pentest Server – Adding Security
Our server will be exposed on the internet. This means that it will certainly be probed by automated scripts and curious people. So let's make it nice and secure.
Security Step 1 – Secure SSH
To secure SSH, first backup the sshd_config that is within the /etc/ssh directory:
cp sshd_config sshd_config.orig
Now you can replace the sshd_config file with the following:
Port 22
KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers aes256-ctr
# The first two MAC entries were lost to e-mail obfuscation ("[email protected]");
# replace them with valid MAC names or sshd will reject this line.
MACs [email protected],[email protected],hmac-sha2-512,hmac-sha2-256
# The SSH protocol 1 era options in this file (Protocol, KeyRegenerationInterval,
# ServerKeyBits, RSAAuthentication, RhostsRSAAuthentication) have no effect on
# the OpenSSH version in Ubuntu 20.04.
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_rsa_key
UsePrivilegeSeparation sandbox
KeyRegenerationInterval 3600
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 60
# Root cannot log in over SSH at all.
PermitRootLogin no
# Only members of this group may log in; use the group you created in Step 2.
AllowGroups sshusers
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
Now, make very sure that you update the line AllowGroups sshusers with the name of the user group you created for all your SSH users. If you do not, then when you come to log back in you will find you can't. Following this, it is a very good idea to restart ssh and then log in using a different terminal, keeping your current session open. If it works, you are good to continue.
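The lockout described above can be checked before ssh is restarted. The script below is an added example, not part of the original guide: it reads the AllowGroups line from a config file and confirms that a user is a listed member of one of those groups. The function names and the sample files are assumptions made for the illustration; on a real server you would pass /etc/ssh/sshd_config and /etc/group.

```bash
#!/bin/sh
# Pre-flight lockout check for AllowGroups (added example, hypothetical helper names).
# Syntax errors in the file itself can be caught separately with: sshd -t

# Print the group names listed on AllowGroups lines (keyword is case-insensitive).
allowed_groups() {
    awk 'tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Succeed if user $1 is a listed member of group $2 in the /etc/group-format file $3.
in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }' "$3"
}

# user_may_login USER CONFIG GROUPFILE
# Only supplementary membership (what usermod -a -G sets) is checked, and
# wildcard patterns in AllowGroups are not expanded.
user_may_login() {
    _allowed=$(allowed_groups "$2")
    [ -n "$_allowed" ] || return 0   # no AllowGroups line: no group restriction
    for _g in $_allowed; do
        in_group "$1" "$_g" "$3" && return 0
    done
    return 1
}

# Constructed sample data (not taken from a real host).
demo_dir=$(mktemp -d)
printf 'PermitRootLogin no\nAllowGroups sshusers\n' > "$demo_dir/sshd_config"
printf 'sudo:x:27:thing\nsshusers:x:1001:thing\nwww-data:x:33:\n' > "$demo_dir/group"

for u in thing intern; do
    if user_may_login "$u" "$demo_dir/sshd_config" "$demo_dir/group"; then
        echo "$u: admitted by AllowGroups"
    else
        echo "$u: would be locked out"
    fi
done
```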
Security Step 2 – Kill root
We don't like root. Root is evil. Let's disable root. The best way to do this is to reset the root password. While we are at it, let's have the root password change every day. That sounds difficult to do but it is in fact very simple.
To do this, simply run the following commands:
RPASSWD=`openssl rand -base64 32`
echo "root:$RPASSWD"|chpasswd
To make the root password update every day, we need to add this to root's crontab. We do this by using the crontab command when we are root or using sudo. As with the last time, use your favourite editor when prompted.
0 2 * * * RPASSWD=`openssl rand -base64 32` && echo "root:$RPASSWD"|chpasswd > /dev/null 2>&1
What we have done above is set the root password to change to a 32 character password at 2am every day.
Security Step 3 – Add a firewall
You all know that someone at some point will try and break in, so let's use UFW. UFW is the Uncomplicated Firewall.
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw allow http
ufw enable
When it comes to test time, all you need to do is open the inbound ports you want. It is very easy:
ufw allow 2222
Replace 2222 with the port you want to allow inbound.
Finish
There we go, a server all set up on the internet ready for you to test from. Our next article will be on installing Metasploit. Enjoy.