Building a Pentest Server

In this 5 part series, I will be running through how to go about building a pentest server. This is one of the modules I cover with students and interns and I often find myself surprised at how uneasy people feel when they have no GUI.

So, why would you be building a pentest server? The most obvious answer is when you want something on the internet. Possibly hosted in a cloud environment, to help you with engagements.

First things first. It does not matter which provider you use. Some are better, some are cheaper. I user Digital Ocean. Find one you like. In this series, we are using Ubuntu 20.04 LTS. It isour base operating system and we join this series with a fresh install.

Building a Pentest Server – The Steps

Step 1 – Get up to date

When building a pentest server we want everything up to date. So the very first thing we want to do is bring the server up to date. We can do this very simply, by running the update function:

apt update
apt upgrade

Next we set the hostname. This is because we like to keep things logical. For our server, it is called bumblebee.

hostname bumblebee
echo "bumblebee" > /etc/hostname

Step 2 – Adding user groups

We are going to have some users who can use sudo to run with root permissions and we are going to have some users who can not. All users will need to be able to SSH onto the server, so the easy way to facilite this is to have a SSH group. We shall create that group very easily with the addgroup command:

addgroup sshusers

Of course, you can use whatever group name you like.

Step 3 – Add the users

This is really important. You do not want to be connecting with the root user, as we will be effectively disabling root in a moment. So, we add our users. Add yours as you wish, just change thing to the right name.

adduser thing

You will be prompted through the user setup and will be asked to enter the password twice. Be darn sure to add a very strong password.

With the user set up, we need to add that user to the sudoers file. We can do this very easily with usermod. While we do this we can add the user to the ssh users group too:

usermod -a -G sudo thing
usermod -a -G sshusers thing

Now would be a great time to SSH to your server with your new user, use sudo -s to gain root permissions and then continue with this Building a Pentest Server guide.

Step 4 – Adding a webserver

Next step is to add a web server. We wont be using the webserver all the time but it can be helpful for people you are testing to know that the server belongs to you. We install apache2 on our systems. To do this is simplicity. Simply use the following command to install it:

apt install apache2

And that is it. When building a pentest server, we will always add an explanatory splash page. This is ours:

Building a Pentest Server
Building a Pentest Server

Building a Pentest Server – Adding Security

Our server will be exposed on the internet. This means that it will certainly be probed by automated scripts and curious people. So lets make it nice and secure.

Security Step 1 – Secure SSH

To secure SSH, first backup the sshd_config that is within the /etc/ssh directory:

cp sshd_config sshd_config.orig

Now you can replace the sshd_config file with the following:

Port 22
KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_rsa_key
UsePrivilegeSeparation sandbox
KeyRegenerationInterval 3600
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 60
PermitRootLogin no
AllowGroups sshusers
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server

Now, make very sure that you update the line AllowGroups sshusers with the name of the usergroup you created for all your ssh users. If you do not then when you come to log back in you will find you cant. Following this, it is a very good idea to restart ssh. Then log in using a different terminal. If it works, you are good to continue.

Security Step 2 – Kill root

We dont like root. Root is evil. Lets disable root. So the best way to do this is to reset the root password. While we are at it, lets have the root password change every day. That sounds difficult to do but it is in fact very simple.

To do this, simple run the following command:

RPASSWD=`openssl rand -base64 32`
echo "root:$RPASSWD"|chpasswd

To make the root password update every day, we need to add this to root’s crontab. We do this by using the crontab command when we are root or using sudo. As with the last time, use your favourate editor when prompted.

0 2 * * * RPASSWD=<code>openssl rand -base64 32</code> &amp;&amp; echo "root:$RPASSWD"|chpasswd > /dev/null 2>&amp;1

What we have done above is set the root password to change to a 32 character password at 2am every day.

Security Step 3 – Add a firewall

You all know that someone at somepoint will try an break in, so lets use UFW. UFW is the Uncomplicated Firewallwall.

ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw allow http
ufw enable

We it comes to test time, all you need to do is open the inbound ports you want. It is very easy:

ufw allow 2222

Replacing 2222 with the port you want to allow inbound.

Finish

There we go, a server all set up on the internet ready for you to test from. Our next article will be on installing Metasploit. Enjoy.

Remember, for all your Penetration Testing requirements, Hedgehog Security is here to help.