Building a Pentest Server

Posted by Peter Bassill on 05/10/2020


In this five-part series, I will run through how to go about building a pentest server. This is one of the modules I cover with students and interns, and I often find myself surprised at how uneasy people feel when they have no GUI.



So, why would you build a pentest server? The most obvious answer is that you want something on the internet, possibly hosted in a cloud environment, to help you with engagements.



First things first: it does not matter which provider you use. Some are better, some are cheaper. I use Digital Ocean. Find one you like. In this series we are using Ubuntu 20.04 LTS as our base operating system, and we join this series with a fresh install.



Building a Pentest Server - The Steps



Step 1 - Get up to date



When building a pentest server we want everything up to date, so the very first thing we do is bring the server up to date. We can do this very simply by running the apt update and upgrade commands:



apt update
apt upgrade



Next we set the hostname. This is because we like to keep things logical. For our server, it is called bumblebee.



hostname bumblebee
echo "bumblebee" > /etc/hostname



Step 2 - Adding user groups



We are going to have some users who can use sudo to run with root permissions and some users who cannot. All users will need to be able to SSH onto the server, so the easy way to facilitate this is to have an SSH group. We create that group very easily with the addgroup command:



addgroup sshusers



Of course, you can use whatever group name you like.



Step 3 - Add the users



This is really important. You do not want to be connecting with the root user, as we will be effectively disabling root in a moment. So, we add our users. Add yours as you wish, just change thing to the username you want.



adduser thing



You will be prompted through the user setup and will be asked to enter the password twice. Be darn sure to add a very strong password.



With the user set up, we need to give that user sudo rights by adding them to the sudo group (the group the sudoers file grants root rights to). We can do this very easily with usermod. While we do this we can add the user to the SSH users group too:



usermod -a -G sudo thing
usermod -a -G sshusers thing



Now would be a great time to SSH to your server with your new user, use sudo -s to gain root permissions and then continue with this Building a Pentest Server guide.



Step 4 - Adding a webserver



The next step is to add a web server. We won't be using the web server all the time, but it can be helpful for the people you are testing to be able to see that the server belongs to you. We install apache2 on our systems. Installing it is simplicity itself; just use the following command:



apt install apache2



And that is it. When building a pentest server, we will always add an explanatory splash page. This is ours:

[Image: our splash page, "Building a Pentest Server"]



Building a Pentest Server - Adding Security



Our server will be exposed on the internet. This means that it will certainly be probed by automated scripts and curious people. So let's make it nice and secure.



Security Step 1 - Secure SSH



To secure SSH, first back up the sshd_config file that lives in the /etc/ssh directory:



cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig



Now you can replace the sshd_config file with the following:



Port 22
KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_rsa_key
UsePrivilegeSeparation sandbox
KeyRegenerationInterval 3600
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 60
PermitRootLogin no
AllowGroups sshusers
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server



Now, make very sure that you update the line AllowGroups sshusers with the name of the group you created for your SSH users. If you do not, then when you come to log back in you will find you can't. Following this, restart ssh, then log in using a different terminal while keeping your current session open. If it works, you are good to continue.
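Before that restart it is worth checking the new file for the two lockout traps above. The script below is an added example, not from the original post: it confirms every group in AllowGroups exists in the group file, that PermitRootLogin is no, and lists the directives in the config above (Protocol, KeyRegenerationInterval, ServerKeyBits, UsePrivilegeSeparation, RSAAuthentication, RhostsRSAAuthentication) that the OpenSSH 8.2 shipped with Ubuntu 20.04 accepts but no longer acts on. The config and group file paths are arguments; demo runs it on a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original post): checks to run on a new sshd_config
# BEFORE restarting ssh. $1 = sshd_config to check, $2 = group file (/etc/group).

# Print the value of a directive (first uncommented match; keys are case-insensitive).
sshd_get() {
    awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Every group named in AllowGroups must exist, or nobody at all can log in.
check_allowgroups() {
    groups=$(sshd_get "$1" AllowGroups)
    [ -n "$groups" ] || { echo "FAIL: AllowGroups not set, any account could log in"; return 1; }
    for g in $groups; do
        grep -q "^$g:" "$2" || { echo "FAIL: AllowGroups names a missing group: $g"; return 1; }
    done
    echo "ok: AllowGroups $groups"
}

# Root must not log in over SSH (its password gets randomised in the next step anyway).
check_root_login() {
    [ "$(sshd_get "$1" PermitRootLogin)" = "no" ] || { echo "FAIL: PermitRootLogin is not 'no'"; return 1; }
    echo "ok: PermitRootLogin no"
}

# Directives from older OpenSSH releases that the OpenSSH 8.2 in Ubuntu 20.04 still
# accepts but no longer acts on. Harmless, but these lines are dead.
list_deprecated() {
    awk 'tolower($1) ~ /^(protocol|keyregenerationinterval|serverkeybits|useprivilegeseparation|rsaauthentication|rhostsrsaauthentication)$/ { print $1 }' "$1"
}

preflight() {
    check_allowgroups "$1" "$2" && check_root_login "$1" || return 1
    list_deprecated "$1" | sed 's/^/note: ignored by this sshd: /'
    # Only sshd itself knows every keyword it accepts, so finish with its own syntax check.
    if command -v sshd >/dev/null 2>&1; then sshd -t -f "$1" || return 1; fi
}

# Constructed sample input so the checks can be tried without touching /etc.
demo() {
    d=$(mktemp -d)
    printf 'Port 22\nPermitRootLogin no\nAllowGroups sshusers\nProtocol 2\n' > "$d/sshd_config"
    printf 'sshusers:x:1001:thing\nsudo:x:27:thing\n' > "$d/group"
    check_allowgroups "$d/sshd_config" "$d/group" && check_root_login "$d/sshd_config"
    list_deprecated "$d/sshd_config"
    rm -rf "$d"
}
case "${1:-}" in demo) demo ;; esac   # ./sshd-preflight.sh demo
```

On the server, run preflight /etc/ssh/sshd_config /etc/group as root and only restart ssh when it prints no FAIL line.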



Security Step 2 - Kill root



We don't like root. Root is evil. Let's disable root. The best way to do this is to reset the root password to a random value. While we are at it, let's have the root password change every day. That sounds difficult to do, but it is in fact very simple.



To do this, simply run the following commands:



RPASSWD=$(openssl rand -base64 32)
echo "root:$RPASSWD" | chpasswd



To make the root password update every day, we need to add this to root's crontab. We do this with the crontab -e command, either as root or via sudo. As before, use your favourite editor when prompted:



0 2 * * * RPASSWD=$(openssl rand -base64 32) && echo "root:$RPASSWD" | chpasswd > /dev/null 2>&1



What we have done above is set the root password, at 2am every day, to a fresh random password built from 32 bytes of randomness (base64 encoded).



Security Step 3 - Add a firewall



You all know that someone at some point will try and break in, so let's use UFW, the Uncomplicated Firewall.



ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw allow http
ufw enable



When it comes to test time, all you need to do is open the inbound ports you want. It is very easy:



ufw allow 2222



Replace 2222 with the port you want to allow inbound.



Finish



There we go, a server all set up on the internet ready for you to test from. Our next article will be on installing Metasploit. Enjoy.



Remember, for all your Penetration Testing requirements, Hedgehog Security is here to help.
