In a previous post I explained how to attack and gain access to the vulnerable virtual machine known as Raven Security. In this post I explain how to create an ansible playbook that will harden the server, addressing a few key security vulnerabilities, to prevent future attacks.
The key vulnerabilities found on the Raven server were:
- An exposed WordPress configuration file (wp-config.php) containing the MySQL database name, user and password. With those credentials an attacker can query the WordPress users table and dump the users' password hashes to crack offline with a variety of tools. This file should not be readable by every account on the server, only by the account the web server runs as.
- Weak WordPress passwords. The WordPress user passwords were easy to crack because they did not follow basic password guidance (length, complexity, no dictionary words). Users should be forced to set strong passwords so that an attacker cannot log in to the WordPress admin interface, read sensitive information or take over the site.
- Password reuse between WordPress and SSH. The SSH passwords for the server were the same as the weak WordPress passwords, so shell access could be obtained either by guessing them directly or by reusing them once the WordPress hashes were cracked. The server can be locked down so that SSH password authentication is disabled and users must present an authorized public key to SSH into the server.
Let’s break these down one by one:
Hardening Against exposed wp-config.php file
Change the permissions of wp-config.php so it can only be read by its owner and group
- This prevents any other local user (for example someone who has obtained a low-privileged shell through another bug) from reading the site's MySQL credentials out of wp-config.php.
- The web server still has to read the file, so its owner or group must be the account the web server runs as (www-data on Debian). Mode 440 on a file owned by root:root would take the site down rather than harden it.
# Allow only the file's owner and group to read it; remove all access for everyone else
$ chmod 440 /var/www/html/wordpress/wp-config.php
This can also be done with an ansible task as follows:
- name: Change permission of wp-config.php
  file:
    path: /var/www/html/wordpress/wp-config.php
    mode: '0440'   # quote the mode: an unquoted 440 is parsed as decimal 440, which is mode 0670
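As an added check (example code, not part of the original post), the following shell function verifies both halves of the requirement above: "other" has no permission bits on wp-config.php, and the web server account can still read it as owner or via the group. The file path and the www-data account in the demo are assumptions; the demo uses a temporary file owned by the current user, standing in for the web server account.

```sh
#!/bin/sh
# Added example, not from the original post: check that a wp-config.php is
# unreadable by other local users but still readable by the account the web
# server runs as. The path and the www-data account are assumptions for the
# demo; pass your own.

# Symbolic mode, owner and group of a file, taken from ls -ld because the
# flags of stat(1) differ between GNU and BSD.
file_facts() {
    ls -ld "$1" | awk '{ print $1, $3, $4 }'
}

# Usage: check_wp_config_perms FILE WEBUSER [WEBGROUP]
# Returns 0 when "other" has no permission bits at all and WEBUSER can still
# read the file, either as its owner or through WEBGROUP (default: WEBUSER).
check_wp_config_perms() {
    file=$1
    webuser=$2
    webgroup=${3:-$2}
    set -- $(file_facts "$file")
    mode=$1
    owner=$2
    group=$3
    case "$mode" in
        ???????---*) ;;   # chars 8-10 are "other"; an 11th char (+ or .) marks ACLs/SELinux
        *) echo "$file: $owner:$group $mode is accessible by other users" >&2; return 1 ;;
    esac
    if [ "$owner" = "$webuser" ] && [ "$(printf '%s' "$mode" | cut -c2)" = "r" ]; then
        return 0
    fi
    if [ "$group" = "$webgroup" ] && [ "$(printf '%s' "$mode" | cut -c5)" = "r" ]; then
        return 0
    fi
    echo "$file: $owner:$group $mode is not readable by $webuser ($webgroup)" >&2
    return 1
}

# Demo on a constructed temporary file; the current user stands in for the
# web server account (on the real server pass www-data, or your Apache user).
demo() {
    f=$(mktemp)
    me=$(id -un 2>/dev/null || id -u)
    grp=$(id -gn 2>/dev/null || id -g)
    chmod 644 "$f"
    check_wp_config_perms "$f" "$me" "$grp" || echo "-> fix with: chmod 440 $f"
    chmod 440 "$f"
    check_wp_config_perms "$f" "$me" "$grp" && echo "-> $f is ok"
    rm -f "$f"
}
demo
```

On the Raven box the call would be `check_wp_config_perms /var/www/html/wordpress/wp-config.php www-data`; a failure on the second test means the chmod went through but Apache can no longer open the file, which is the root:root case described above.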
Hardening Against Weak WP User passwords
Install a WordPress plugin to enforce strong passwords for WordPress users
- A plugin can make sure that new passwords meet a required length and complexity, and can lock out users after repeated failed login attempts, which also slows down brute-force attempts against wp-login.php
- Install the plugin from the WordPress admin interface
- e.g. Password Policy Manager for WordPress
- A policy only applies when a password is next set, so the existing weak (and already cracked) passwords must be reset as well, either by forcing a reset at next login or by changing them by hand
Hardening Against weak SSH passwords
Disable SSH password authentication on the server and require public key login.
- A password can be guessed or reused; a private key cannot. With password authentication off, the client has to hold the private key matching a public key listed in the user's ~/.ssh/authorized_keys, so the cracked WordPress passwords no longer give shell access
To copy a user's public key from the workstation to the server (this must be done while password login still works):
$ ssh-copy-id user@192.168.1.110
To disable password authentication on the server:
$ nano /etc/ssh/sshd_config
Then change 'PasswordAuthentication' to 'no'. Edit the existing (possibly commented-out) line in the main section of the file rather than appending at the end: anything after a 'Match' block applies only to that block. Also check that 'ChallengeResponseAuthentication' is 'no', otherwise sshd can still prompt for a password through keyboard-interactive/PAM. Validate the file with 'sshd -t', restart sshd, and keep your current session open until you have confirmed a key-based login from a second terminal.
These can also be done with ansible tasks, as follows. The key is installed with one authorized_key task looping over the users: repeating the 'authorized_key' key inside a single task is a duplicate mapping key, and only the last one would take effect.
- name: Copy SSH key to target host
  authorized_key:
    user: "{{ item }}"
    state: present
    key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}"
  loop:
    - michael
    - steven
- name: Disable SSH Password Authentication
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?PasswordAuthentication'   # also matches the commented default, so the line is edited in place instead of appended after any Match block
    line: 'PasswordAuthentication no'
    state: present
    backup: yes
    validate: '/usr/sbin/sshd -t -f %s'  # refuse to write a config sshd would not start with
- name: restart ssh
  service:
    name: sshd
    state: restarted
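The reason for anchoring the regexp on the commented default is easy to get wrong, so here is an added example (not part of the original post) that reads an sshd_config the way sshd does and reports the PasswordAuthentication value that will actually apply: comments ignored, first uncommented occurrence wins, and everything after the first 'Match' line is conditional and does not change the global setting. The three sample configs are constructed for the demo.

```sh
#!/bin/sh
# Added example, not part of the original post: compute the
# PasswordAuthentication value sshd will actually apply from a given
# sshd_config. Sample configs below are constructed for the demo.

# Usage: effective_password_auth CONFIG_FILE  -> prints "yes" or "no"
effective_password_auth() {
    awk '
        { sub(/^[ \t]+/, ""); key = tolower($1) }          # keywords are case-insensitive
        /^#/ || key == ""              { next }             # comments and blank lines
        key == "match"                 { exit }             # global section ends here
        key == "passwordauthentication" && !found { print tolower($2); found = 1 }
        END { if (!found) print "yes" }                     # sshd default when unset
    ' "$1"
}

demo() {
    d=$(mktemp -d)
    # a: commented default plus the line an append-at-EOF edit adds -> "no"
    printf '#PasswordAuthentication yes\nUsePAM yes\nPasswordAuthentication no\n' > "$d/a"
    # b: same line appended after a Match block -> it only applies inside that
    #    block, the global setting is still the default "yes"
    printf '#PasswordAuthentication yes\nMatch User backup\n    ForceCommand /usr/bin/rsync\nPasswordAuthentication no\n' > "$d/b"
    # c: two global settings -> sshd keeps the first one, "yes"
    printf 'PasswordAuthentication yes\nPasswordAuthentication no\n' > "$d/c"
    for f in a b c; do
        printf '%s: %s\n' "$f" "$(effective_password_auth "$d/$f")"
    done
    rm -rf "$d"
}
demo
```

On a real host the authoritative check is `sudo sshd -T | grep -i passwordauthentication`, which prints the effective value after sshd has parsed everything; the function above exists to show why a blindly appended line (case b) can leave password login enabled even though the playbook reported a change. The `'^#?PasswordAuthentication'` regexp in the lineinfile task avoids that outcome by editing the default line where it sits.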
Here is an example of a complete ansible playbook. Compared with the snippets above, the sshd restart is a handler, so sshd is only restarted when the config file actually changed.
In order to run this you need to make sure that ansible and sshpass are installed on the host where you are running the playbook; sshpass is needed because the first run still authenticates to the target with a password (run ansible-playbook with -k to be prompted for it).
Then edit the /etc/ansible/hosts file to add the IP address of the target machine. Edit /etc/ansible/ansible.cfg as well to set the remote user for the target machine (in this case the username is 'vagrant').
You should also copy over the SSH public key for the user you are running the playbook as with the 'ssh-copy-id user@192.168.1.110' command. Since this playbook disables password authentication on the server you won't be able to add this key later, so copy it over before running the playbook. Note that the authorized_key task installs the same controller key into michael's and steven's accounts, which gives whoever holds that private key access to both; if those users are meant to log in themselves, install their own public keys instead.
---
- name: Harden SSH and WordPress config
  hosts: all
  become: true
  tasks:
    - name: Change permission of wp-config.php
      file:
        path: /var/www/html/wordpress/wp-config.php
        mode: '0440'   # quoted: an unquoted 440 is read as decimal 440 (mode 0670)

    - name: Copy SSH key to target host
      authorized_key:
        user: "{{ item }}"
        state: present
        key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}"
      loop:
        - michael
        - steven

    - name: Disable SSH Password Authentication
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PasswordAuthentication'   # edit the commented default in place, never append after a Match block
        line: 'PasswordAuthentication no'
        state: present
        backup: yes
        validate: '/usr/sbin/sshd -t -f %s'  # do not write a config sshd would refuse to start with
      notify: restart ssh

  handlers:
    - name: restart ssh
      service:
        name: sshd
        state: restarted