CYBR 4220 SELF-services Checklist For Server Check #1 v9

Uploaded by

t97n5y5ph5
CYBR/ISA 4220

SELF-Services checklist

YOU NEED TO MAKE BOTH an “All Labs” and a “Vuln Assessment” Reservation type as a TEAM
reservation to see and scan your partner’s server!!
Login ----> username: root
Password: infosec

Purpose
This checklist is to certify that your scanning partner’s systems are configured with the required services and
applications. You will use this document for each server check assignment.

Deliverables
You should enter answers in this document and submit it via D2L in .DOCX format. For each service listed
below, enter “Yes” in the cell if the service is showing as OPEN on zenmap/nmap, or “No” if the results do not
show it at all or show it as FILTERED. To certify that the firewalls and AppArmor are installed and running, you
must log in to their system and verify manually that there are rules present: enter Yes if there are, otherwise
enter No. You will use your inserted screencaps in this document to help you fill out the checklist with the
appropriate answers. All cells in the table should have Yes or No entered.

(5 points) Scanning partner’s name: _____________________


(2 points) Linux IP address scanned: ____________________
(2 points) Windows IP address scanned: _________________

| Service | Windows | Linux | Required Application(s) |
| --- | --- | --- | --- |
| Firewall | | | Windows Firewall / IPTables |
| AppArmor | | | AppArmor |
| HTTP | | | **unnecessary |
| HTTPS | | | IIS / Apache |
| POP | | | **unnecessary |
| POP3S | | | Dovecot |
| SMTP | | | **unnecessary |
| SMTPS | | | IIS / Postfix |
| IMAP | | | **unnecessary |
| IMAPS | | | Dovecot |
| DNS | | | IIS / BIND |
| Database | | | Postgres |
| SSH | | | OpenSSH |
| Other | | | Enter “YES” if zenmap shows other ports as OPEN that do NOT correspond to any of the above listed services. Otherwise enter “NO” |

(15-40 points depending on Module)

On this page, provide screencap of your nmap/zenmap scan from Netlab Kali server for your partner’s
Windows system showing recent (e.g. within one week of assignment due date) scan. If using zenmap then use
“quick scan” and NOT “intense scan” option. If using nmap, be sure that the provided screencaps show results
for ALL ports needed for the appropriate server check assignment. You must use either zenmap or nmap tool
from the provided Kali server when scanning your partner's servers. (5-10 points depending on Module)

For Verifying the Linux Services:


1. iptables = iptables --version
2. AppArmor = apparmor_parser --version
3. Apache2 = apache2ctl -v
4. Dovecot = dovecot --version
5. Postfix = postconf -d mail_version NOTE: when installing this, select the “Local” option
6. BIND = named -v
7. Postgres = psql --version
8. OpenSSH = apt show openssh-server NOTE: this shows a lot more but it will still show you the version

Yes (successful): 6/6 !!!
*OPEN ports are ordered: HTTPS (443), SMTPS (465), IMAPS (993), DNS (53), Database (5432), SSH (22)
No (filtered, not showing up): 5/5 !! *UNFILTERED DOES COUNT for those that are supposed to be
“No”! ONLY those that are supposed to show up as “Open” CANNOT have that (closed/filtered)
*The order of the rules to be rejected: HTTP (80), POP (110), POP3S (995), SMTP (25), IMAP (143)
Also need to DROP/REJECT 587 (Submission protocol for SMTPS)
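
One way to turn the Linux port lists above into a repeatable check (an added example, not part of the original checklist): the function reads nmap's normal port table on stdin, compares it with the open and reject lists, and applies the 2-point and 5-point deductions this document states for your own servers. The sample scan is constructed, and only TCP rows are parsed.

```shell
#!/bin/sh
# Added example: grade nmap output against the Linux checklist port lists.
MUST_OPEN="443 465 993 53 5432 22"      # HTTPS SMTPS IMAPS DNS Database SSH
MUST_NOT_OPEN="80 110 995 25 143 587"   # HTTP POP POP3S SMTP IMAP Submission

# check_scan: nmap normal output on stdin -> findings, then "deduction=N".
# Real use (assumed file name): check_scan < saved_scan.txt
check_scan() {
  awk -v need="$MUST_OPEN" -v deny="$MUST_NOT_OPEN" '
    BEGIN {
      n = split(need, a, " "); for (i = 1; i <= n; i++) req[a[i]] = 1
      m = split(deny, b, " "); for (i = 1; i <= m; i++) bad[b[i]] = 1
    }
    # Port-table rows look like: 443/tcp open https
    $1 ~ /^[0-9]+\/tcp$/ { split($1, p, "/"); state[p[1]] = $2 }
    END {
      # Required services: anything other than "open" costs 5 points.
      for (i = 1; i <= n; i++) {
        s = (a[i] in state) ? state[a[i]] : "not shown"
        if (s != "open") { printf "MISSING %s (%s)\n", a[i], s; pts += 5 }
      }
      # Every other port reported open costs 2 points.
      for (port in state) {
        if (state[port] != "open" || (port in req)) continue
        printf "%s %s\n", ((port in bad) ? "UNNECESSARY" : "OTHER"), port
        pts += 2
      }
      printf "deduction=%d\n", pts
    }'
}

# Constructed sample scan: IMAPS filtered, HTTP and an extra port left open.
SAMPLE_SCAN=$(cat <<'EOF'
PORT     STATE    SERVICE
22/tcp   open     ssh
25/tcp   filtered smtp
53/tcp   open     domain
80/tcp   open     http
443/tcp  open     https
465/tcp  open     smtps
587/tcp  closed   submission
993/tcp  filtered imaps
5432/tcp open     postgresql
8080/tcp open     http-proxy
EOF
)

printf '%s\n' "$SAMPLE_SCAN" | check_scan
```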

The How-To

Service (11 total, +2 if adding the 1st two here) Windows (#86) Linux (#85) Required Application(s)

Firewall YES YES Windows Firewall / IPTables.

Linux:
*you also need to install iptables-persistent via
sudo apt-get install iptables-persistent

Then go to: /etc/iptables/rules.v4

**To SAVE YOUR CHANGES:

AppArmor YES AppArmor

HTTP X **unnecessary

HTTPS YES IIS / Apache (you can use systemctl reload apache2)

Linux:
Install the SSL Module for Apache via:
sudo a2enmod ssl

Apply changes via:
sudo systemctl restart apache2

If needed, go to the /etc/apache2/ports.conf file and comment out “Listen 80”? Or change the 80 to 443.

Same thing (if needed) for the /etc/apache2/sites-available/000-default.conf file.

*I’ve tried the following to disable HTTP..
sudo a2dissite 000-default
And it still didn’t work..

POP (port 110) X **unnecessary

POP3S (port 995) X Dovecot

SMTP (port 25) X **unnecessary

SMTPS (port 465) YES IIS / Postfix
*do not use 587 as in nmap it will show up as “Submission”

Linux:
Enable the SMTPS protocol in the /etc/postfix/master.cf file: find the line that says:
smtps inet n - y - - smtpd
and uncomment it.

Then, generate a self-signed certificate:

1. Generate a private key:
openssl genrsa -out /etc/ssl/private/smtpd.key 2048
2. Generate a certificate signing request (CSR):
openssl req -new -key /etc/ssl/private/smtpd.key -out /etc/ssl/private/smtpd.csr
3. Generate a self-signed certificate using the CSR and private key:
openssl x509 -req -days 365 -in /etc/ssl/private/smtpd.csr -signkey /etc/ssl/private/smtpd.key -out /etc/ssl/certs/smtpd.crt
4. Set the appropriate permissions for the private key:
chmod 600 /etc/ssl/private/smtpd.key
5. Go into the Postfix MAIN configuration, /etc/postfix/main.cf, to use the generated certificate and key,
THEN go to (or add somewhere) these lines:
smtpd_tls_cert_file = /etc/ssl/certs/your-cert.pem
smtpd_tls_key_file = /etc/ssl/private/your-key.pem

and now scroll down till you see “inet_interfaces = loopback-only” (it should say loopback here) and
change it to:
inet_interfaces = all
*alternatively you can set it to localhost

6. Apply the changes:
sudo systemctl restart postfix

*the new cert.pem that was made should be called “ssl-cert-snakeoil.pem”. And the respective key
should be “ssl-cert-snakeoil.key”.
*When you go into the main.cf file, it should be already automatically configured for you.

IMAP (port 143) X **unnecessary

IMAPS (port 993) YES Dovecot

DNS (port 53) YES IIS / BIND *easy

Database (port 5432) YES Postgres *easy
To view the conf file for Postgres:
sudo nano /etc/postgresql/12/main/postgresql.conf

SSH (port 22) YES OpenSSH


Other X Enter “YES” if zenmap shows other ports as OPEN that do NOT correspond to any of the above
listed services. Otherwise enter “NO”

Linux: My Configurations as follows (in order of the checklist; going down)

1. Apache (I don’t think everything else except installing a2enmod was necessary..)
*need to install: sudo a2enmod ssl This is the SSL cert mod for Apache
*followed by: sudo systemctl restart apache2 OR systemctl reload apache2 (should work)

2. Postfix
You need to enable the SMTPS protocol in the /etc/postfix/master.cf file. Do this by:
sudo nano /etc/postfix/master.cf
Find the line that says: smtps inet n - y - - smtpd and uncomment it.
Now here comes the process... You need a private key and a certificate signing request (CSR). Once gathered
everything should be installed automatically. HOWEVER, you need to check that. The new stuff is called
“snakeoil” -- that is what you’ll be searching for.
a) Generate a private key
openssl genrsa -out /etc/ssl/private/smtpd.key 2048

b) Generate a self-signed certificate using the CSR and private key:
openssl x509 -req -days 365 -in /etc/ssl/private/smtpd.csr -signkey /etc/ssl/private/smtpd.key -out /etc/ssl/certs/smtpd.crt

c) Set the appropriate permissions for the private key
chmod 600 /etc/ssl/private/smtpd.key

d) Go into the Postfix MAIN configuration to use the generated certificate and key via /etc/postfix/main.cf ,
THEN go to (or add these lines somewhere):
smtpd_tls_cert_file = /etc/ssl/certs/your-cert.pem
smtpd_tls_key_file = /etc/ssl/private/your-key.pem

and now scroll down till you see “inet_interfaces = loopback-only” (it should say loopback here) and change it
to: inet_interfaces = all *alternatively you can set it to localhost

3. Dovecot
Check the file:
/etc/dovecot/conf.d/10-master.conf
a) Find the line that says “protocols = ” and set it to “imaps”
b) Restart Dovecot --> sudo systemctl restart dovecot
c) Add port 993 to iptables
d) Check again in nmap

4. BIND (to make DNS show up, port 53)


**can’t recall if it needed configuration, but I don’t think so. Just tell iptables to allow port 53.

5. Postgres (the Database port, 5432)


view the conf file for Postgres:
sudo nano /etc/postgresql/12/main/postgresql.conf
Then find the line that says “listen_addresses”. It should be commented out OR set to “localhost”. Uncomment
it (if needed) and change whatever the value is to ‘*’. It should look like this:
listen_addresses = '*'
Apply changes afterwards via: sudo service postgresql restart
Done.

6. OpenSSH
*this one should already be open by default, thus showing up automatically in the nmap scan (from what I
remember)

Everything else is left for iptables and should be easy to config, especially for
blocking stuff out.

Windows Configuration
Yes: 3/3!! [443, 465, 53] (HTTPS, SMTPS, DNS)

No: 5/5 [80, 110, 995, 25, 143] (HTTP, POP, POP3S, SMTP, IMAP)
**Additional ports from Windows that need to be blocked: 0/4 [135, 139, 445, 5357] (msrpc, netbios-ssn,
microsoft-ds, wsdapi)
No (total): 9/9

Service (11 total, +2 if adding the 1st two here) Windows (#86) Linux (#85) Required Application(s)

Firewall X X Windows Firewall / IPTables.

AppArmor X AppArmor

HTTP X X **unnecessary

HTTPS YES YES IIS / Apache
Windows: https://www.youtube.com/watch?v=MFikeLC-Ed4
*very helpful 2min video!!!!

POP (port 110) X **unnecessary

POP3S (port 995) X Dovecot


SMTP (port 25) X X **unnecessary

SMTPS (port 465) YES YES IIS / Postfix
*do not use 587 as in nmap it will show up as “Submission”

Windows: https://www.youtube.com/watch?v=vEU7TCXgOzI
**USEFUL video as well!!

When you are in the properties section of your SMTP virtual server, configure the following tabs:
a) General > Advanced > “Add” *you need 2 “addresses” here, but leave both as unassigned. You are only
changing the TCP port > 1 will have TCP port 587, 1 will have port 465 > Click OK
b) Access > “Secure Communication” > Check the box for “Require TLS encryption”.
For both “Connection Control” and “Relay Restrictions”, set it to “All except the list below” – no further
configuration needed.
c) DONE --temporary, need to make sure server starts up on every session --> go to step d)
*if the SMTP(S) server wasn’t running before, now it should be.
**Configure Windows Defender Firewall Advanced Settings Accordingly (to the Checklist).
d) Go to “Services” > scroll down to Simple Mail Transfer Protocol (SMTP) > “Properties” > Startup Type
(default is manual) & change it to Automatic.
Restart your VM and make sure to check that it says Running and not Stopped. -- now nmap will show smtps
every time you boot Windows :)

IMAP (port 143) X **unnecessary

IMAPS (port 993) YES Dovecot

DNS (port 53) YES YES IIS / BIND

Database (port 5432) YES Postgres

SSH (port 22) YES OpenSSH


Other NO NO Enter “YES” if zenmap shows other ports as OPEN that do NOT correspond to any of the above
listed services. Otherwise enter “NO”

Windows Steps of Configuration
1. HTTPS (in IIS)
a) Create a Self-Signed Certificate
Open IIS and click on your domain name server (it’s the 1st option right beneath the “Start Page” option) on the
tab on the left.
In the IIS category select “Server Certificates”. Then, on the Right-hand side (tab) select “Create Self-Signed
Certificate” and create a name for it.
Now, on the Left-tab menu: Sites/Default Web Site, then on the Right-tab menu select “Bindings”. Do “Add”,
Type “HTTPS”, LEAVE IP address alone AND the Port number too, no need for a hostname either, under
“SSL certificate” select the self-signed certificate you just made. And you are done.
*Personally I selected the “Disable HTTP/2” option to see if that affects the nmap scan.

2. SMTPS (in IIS)

*you need to have the SMTPS server feature installed; head on over to the Server Manager…that’ll
install the packages needed to use it in IIS as well.
*this installs: Remote Server Administration Tools, Feature Administration Tools, SMTP Server Tools, SMTP
Server, Web Server (IIS), Management Tools, IIS 6: Management Compatibility, Management Console, and
Metabase Compatibility

**You now have “IIS 6.0”** – you have to search for and use this one instead of the regular IIS. OR, go to
Server Manager and under “Tools” IIS 6.0 should be right beneath the regular IIS (launch 6.0 from there).
When you are in the properties section of your SMTP virtual server, configure the following tabs:

a) General > Advanced > “Add” *you need 2 “addresses” here, but leave both as unassigned. You are only
changing the TCP port > 1 will have TCP port 587, 1 will have port 465 > Click OK
b) Access > “Secure Communication” > Check the box for “Require TLS encryption”.
For both “Connection Control” and “Relay Restrictions”, set it to “All except the list below” – no further
configuration needed.
c) DONE --temporary, need to make sure server starts up on every session --> go to step d)
*if the SMTP(S) server wasn’t running before, now it should be.
**Configure Windows Defender Firewall Advanced Settings Accordingly (to the Checklist).
d) Go to “Services” > scroll down to Simple Mail Transfer Protocol (SMTP) > “Properties” > Startup Type
(default is manual) & change it to Automatic.
Restart your VM and make sure to check that it says Running and not Stopped.

3. DNS (acquired from Server Manager; called “DNS Server” role)

In Server Manager > “Add Roles” > Server Roles > “DNS Server” > get it done…
*To find the New role:
a) Server Manager > “Tools” > DNS > you will see the “DNS” app
b) Windows Start Menu (Search) > type “DNS” > you will see the “DNS” app

**ALL DONE**
Don’t worry, the Startup Type is automatic so it should appear now regardless.
On this page, provide screencap of your nmap/zenmap scan for your partner’s Linux system showing recent
(e.g. within one week of due date) scan. If using zenmap then use “quick scan” and NOT “intense scan” option.
If using nmap, be sure that the provided screencaps show results for ALL ports needed for the appropriate
server check assignment. You must use either zenmap or nmap tool from the provided Kali server when
scanning your partner's servers. (5-10 points depending on Module)

[INSERT SCREEN CAP HERE]


On this page, provide screencap of your command line verification for your partner’s Linux system firewall
listing the rules and showing recent (e.g. within one week of due date) check. You must Log into your
partner’s server. If you do not have the appropriate permission to run the appropriate command, you must still
include a screencap showing you attempted running the command. (5-10 points depending on Module)

[INSERT SCREEN CAP HERE]


On this page, provide screencap of your command line verification for your partner’s Linux system Apparmor
status showing recent (e.g. within one week of due date) check that shows number of profiles in respective
modes. You must log into your partner’s server. If you do not have the appropriate permission to run the
command, you must still include a screencap showing you attempted running the command. (5-10 points
depending on Module)

[INSERT SCREEN CAP HERE]


Informational with nothing you need to provide on this page.

The 50% part of the grade is for the state of your own servers, with 2 points deducted for EACH
unnecessary/other port showing as open on the nmap scan from the Kali server when it should not be AND 5 points
deducted for EACH required service missing/filtered/no firewall rules. Additionally, 10 points are deducted for
any GUI installed on Linux, 5 points each for partner/jlesueu1 accounts not created with the
necessary sudo access, and 5 points each for not having assigned static IP addresses set correctly.
