ELEC S425F Computer and Network Security
Mini-Project (20% out of total marks)
Released on 25 March 2022
Submission deadline: Thursday, 27 April 2022
Contents
Task 1: Set up a HTTPS Web Server
Step 1. Download Lubuntu pre-installed disk-image from osboxes.org
Step 2. Create a new Virtual Machine
Step 3. Switch on the Lubuntu Virtual Machine
Task 2: Set up a HTTPS website with self-signed certificate
Step 1. Generate a CSR (Certificate Signing Request)
Step 2. Copy the certificate and the private key to suitable folders
Step 3. Start Web Server and enable SSL module
Step 4. Add Virtual Host
Step 5. Create folders and HTML for website
Step 6. Enable the new site
Step 7. Add entries in the Hosts file
Task 3: Install Kali Linux
Step 1. Download Kali VirtualBox image and import into VirtualBox
Task 4: Access the HTTPS Web Server from Kali
Step 1. Set the network configuration of the HTTPS Web Server (Lubuntu) installed in Project Part One.
Step 2. Establish HTTPS connection to the Web Server.
Task 5: Denial of Service DOS Attack
Step 1. Install attack tools on the Kali system
Step 2. Attack in slow message body mode:
Step 3. Attack in Slowloris mode.
Step 4. Try accessing the Web Server when it is under DOS attack using Firefox.
Task 6: Firewall to mitigate DOS Attack
Step 1. Check iptables
Step 2. Implement iptables rule(s) to mitigate the slowhttptest Slowloris mode attack.
Task 7: Firewall to block website access
Task 8. Demo another DoS attack tool
Task 1: Set up a HTTPS Web Server
Step 1. Download Lubuntu pre-installed disk-image from
osboxes.org
Download Lubuntu_21.10_osboxes.7z
(https://www.osboxes.org/lubuntu/#lubuntu-21-10-vbox)
Unzip the file (e.g. Desktop\Security Project - Lubuntu\)
Step 2. Create a new Virtual Machine
Go to https://www.virtualbox.org/
Download and install VirtualBox 6.1. Open VirtualBox and create a new Linux Virtual
Machine.
Choose ‘Use an existing virtual hard disk file’ and select the unzipped vdi file
as hard disk.
Step 3. Switch on the Lubuntu Virtual Machine
Switch on the Lubuntu VM and login with the following account
Login: osboxes
Password: osboxes.org
Install Guest Additions CD image
In terminal:
sudo apt install dkms build-essential
cd /media/osboxes/VBox_GAs_6.1.32/
sudo ./VBoxLinuxAdditions.run
Restart the system.
reboot
Hint: You can enable Bidirectional Shared Clipboard after installing VB Guest
Additions.
Question 1.3 Use the ‘date’ command to show the time and date
when you finish Task 1 and capture the screen in your report
Task 2: Set up a HTTPS website with self-signed
certificate
!Note: when you do the following steps, you must replace
"s1234567" with your HKMU email ID. Otherwise no marks will be
given.
Step 1. Generate a CSR (Certificate Signing Request)
Open a new terminal and run the following command
sudo openssl req -new -newkey rsa:2048 -nodes -keyout s1234567.key -out s1234567.csr
Question 2.1
a) The file "s1234567.key" contains the server private key.
List all information that is contained in the private key, including the modulus,
exponent, etc. (Please provide screen-capture(s) including the command(s)
you used)
Sample:
b) The file "s1234567.csr" is the CSR (Certificate Signing
Request) that will be used later for creating the certificate.
List all information that is contained in a CSR. (Please provide screen-capture(s)
including the command(s) you used)
Sample:
Generate the Certificate
Run the following commands in a terminal:
sudo openssl x509 -in s1234567.csr -out s1234567.crt -req -signkey s1234567.key -days 365
c) The file s1234567.crt is the digital certificate.
List all information that is contained in the certificate.
(Please provide screen-capture(s) including the command(s) you used)
Sample:
Step 2. Copy the certificate and the private key to suitable folders
Copy the certificate and the private key to suitable folders by running the following
commands:
sudo cp s1234567.crt /etc/ssl/certs/server.crt
sudo cp s1234567.key /etc/ssl/private/server.key
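A check worth running before the copy in Step 2: confirm that the key, the CSR and the certificate all carry the same public key. This is an added example, not part of the original handout; the helper names (pubkey_pem, same_keypair, make_pair) and the throwaway files it generates in a temporary directory are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example: verify that a private key, CSR and certificate belong together.

# Print the public key (PEM) contained in a .key, .csr or .crt file.
pubkey_pem() {
    case "$1" in
        *.key) openssl pkey -in "$1" -pubout 2>/dev/null ;;
        *.csr) openssl req  -in "$1" -noout -pubkey 2>/dev/null ;;
        *.crt) openssl x509 -in "$1" -noout -pubkey 2>/dev/null ;;
        *)     return 2 ;;
    esac
}

# Succeed only if all three files carry the same public key.
same_keypair() {
    local k c x
    k=$(pubkey_pem "$1") && c=$(pubkey_pem "$2") && x=$(pubkey_pem "$3") || return 1
    [ -n "$k" ] && [ "$k" = "$c" ] && [ "$k" = "$x" ]
}

# Constructed demo data: build a key, CSR and self-signed certificate the same
# way the handout does, with -subj added so openssl does not prompt.
make_pair() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1.hk" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
    openssl x509 -in "$1.csr" -out "$1.crt" -req -signkey "$1.key" -days 365 2>/dev/null
}

# Work in a temporary directory so no real key material is touched.
tmp=$(mktemp -d) && cd "$tmp" || exit 1
make_pair s1234567 && make_pair other
same_keypair s1234567.key s1234567.csr s1234567.crt && echo "s1234567: key, CSR and certificate match"
same_keypair other.key s1234567.csr s1234567.crt || echo "other.key does not match s1234567.crt"
```

On the lab machine, run same_keypair against the real three files from the directory where they were generated; sudo is needed because the key was written by root.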
Step 3. Start Web Server and enable SSL module
Run the following commands:
sudo apt-get install apache2
sudo a2enmod ssl
sudo service apache2 restart
sudo service apache2 status
Step 4. Add Virtual Host
Use an editor to create a file named "s1234567.hk.conf" with the following content.
Save it in folder: /etc/apache2/sites-available/
<VirtualHost *:80>
ServerAdmin admin@s1234567.hk
ServerName s1234567.hk
ServerAlias www.s1234567.hk
DocumentRoot /var/www/s1234567.hk/html/
ErrorLog /var/www/s1234567.hk/logs/http.error.log
CustomLog /var/www/s1234567.hk/logs/http.access.log combined
</VirtualHost>
<VirtualHost *:443>
ServerAdmin admin@s1234567.hk
ServerName s1234567.hk
ServerAlias www.s1234567.hk
DocumentRoot /var/www/s1234567.hk/html/
ErrorLog /var/www/s1234567.hk/logs/https.error.log
CustomLog /var/www/s1234567.hk/logs/https.access.log combined
SSLEngine on
SSLOptions +StrictRequire
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
</VirtualHost>
Step 5. Create folders and HTML for website
Run the following commands:
sudo mkdir /var/www/s1234567.hk
sudo mkdir /var/www/s1234567.hk/html
sudo mkdir /var/www/s1234567.hk/logs
Add a sample HTML in the folder: /var/www/s1234567.hk/html/ Name it "index.html".
Your full name must be included in the html file.
Sample:
Step 6. Enable the new site
Run the following commands:
sudo a2ensite s1234567.hk
sudo systemctl reload apache2
Step 7. Add entries in the Hosts file
Add entries in the file /etc/hosts so that the domain name will be mapped to the IP
address of the web server.
Question 2.7 Report your result
a) Use your browser to visit the website with https.
Provide screen shot(s) to show that the SSL/TLS site has been set up
successfully.
Sample:
b) Provide screen shot(s) to show the details of the certificate
via the browser.
created by chantaiman
Sample:
Task 3: Install Kali Linux
Step 1. Download Kali VirtualBox image and import into VirtualBox
https://www.kali.org/get-kali/#kali-virtual-machines
Download the Kali Linux VirtualBox image; the file name is like
kali-linux-2021.4a-virtualbox-amd64.ova.
Set up ‘NAT Network’ in VirtualBox
File > Preferences
Network > Add a new NAT network
Set up network configuration of the Kali system
Shutdown the Kali system properly.
Kali virtual machine Network setting:
Attached to: NAT Network
Name: NatNetwork (the newly created NAT network)
Switch on the Kali system.
Question 3.1 What is the IP address of your Kali system?
(Please provide screen-capture(s) including the command(s) you
used)
Task 4: Access the HTTPS Web Server from Kali
Step 1. Set the network configuration of the HTTPS Web Server
(Lubuntu) installed in Project Part One.
Shutdown the HTTPS Web Server properly.
Web Server (Lubuntu) virtual machine Network setting:
Attached to: NAT Network
Name: NatNetwork (the newly created NAT network)
Switch on the Web Server virtual machine.
Question 4.1 What is the IP address of your Web Server?
(Please provide screen-capture(s) including the command(s) you
used)
Step 2. Establish HTTPS connection to the Web Server.
On Kali, open a web browser. Show that you can establish an HTTPS connection
from Kali to the Web Server.
Hint: If you encounter a security warning regarding the SSL certificate, ignore it and
continue.
Question 4.2 Can you establish the HTTPS connection from Kali to
the Web Server?
(Please provide screen-capture(s) including the command(s) you
used)
Task 5: Denial of Service DOS Attack
Step 1. Install attack tools on the Kali system
sudo apt-get update
sudo apt install libssl-dev
(press enter to use default options)
cd ~
git clone https://github.com/shekyan/slowhttptest
cd slowhttptest
./configure
make
Step 2. Attack in slow message body mode:
slowhttptest -c 65539 -B -g -o my_body_stats -i 110 -r 200 -s 8192 -t FAKEVERB -u https://IP_WEB_SERVER/index.html -x 10 -p 3 -l 6000
(IP_WEB_SERVER is the IP address of your web server)
You can see the status of the DOS attack. The webserver is disabled when ‘service
available = no’.
Ctrl+C to stop the DOS attack.
Question 5.2 Show the attack HTML report (my_body_stats.html).
Sample
xdg-open ./my_body_stats.html
Step 3. Attack in Slowloris mode.
https://en.wikipedia.org/wiki/Slowloris_(computer_security)
slowhttptest -c 65539 -H -i 10 -r 100 -t GET -u https://IP_WEB_SERVER/index.html -x 24 -p 3 -g -o my_header_stats -l 6000
Try accessing the Web Server when it is under DOS attack using wget.
On Kali:
wget https://10.0.2.5/index.html --no-check-certificate
Question 5.3: Explain the wget result when the Web Server is
under DOS attack. Provide screen capture(s) if necessary.
Step 4. Try accessing the Web Server when it is under DOS attack
using Firefox.
On Kali, close all existing Firefox sessions and open a ‘New Private Window’.
Try accessing the HTTPS index page (https://IP_WEB_SERVER/index.html)
You will find that Firefox keeps loading but the page cannot be accessed (during the
period when slowhttptest reports ‘service available: NO’).
Note 1: Close all existing Firefox sessions and open a ‘New Private Window’ to avoid showing
a cached result.
Note 2: You can use another virtual machine to test the availability of the Web
Server under DOS attack.
Ctrl+C to stop the DOS attack.
Question 5.4 : Show the attack HTML report again.
Task 6: Firewall to mitigate DOS Attack
Linux kernels come with a packet-filtering framework named Netfilter. Netfilter
enables dropping and modifying traffic coming in and going out of a system, and
can be used as a powerful firewall. iptables is the user-space command-line tool
that builds upon this functionality. iptables is installed by default on many Linux
distributions, including Ubuntu and Lubuntu.
Step 1. Check iptables
On the Web Server, check the current Firewall setting.
sudo iptables -L
Step 2. Implement iptables rule(s) to mitigate the slowhttptest
Slowloris mode attack.
Use iptables to limit the number of connections from the Kali machine to 20.
Hint 1: While slowhttptest still reports that the service is unavailable, in fact, it is only
unavailable to the Kali machine.
Your resolution will be evaluated by both effectiveness and efficiency (in short, the
simpler the solution, the better). A bonus will be given if it can be demonstrated with
another virtual machine that your iptables implementation works.
Note: Before setting iptables on the Web Server machine, start the slowloris attack
on Kali.
Question 6.2
Screen captures: 1) the commands you used; 2) access to the website before
applying the iptables rule(s); 3) access to the website after applying the iptables rule(s)
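To see on the Web Server itself whether one source is holding more than the 20 connections Step 2 allows, count established connections per peer from ss -tn output. This is an added example, not part of the original handout; the function names and the sample listing are constructed (10.0.2.5 is the server address used in the wget step, 10.0.2.4 and 10.0.2.6 are assumed client addresses).

```bash
#!/usr/bin/env bash
# Added example: list peers with more than LIMIT established connections to PORT.
# Reads `ss -tn` output on stdin; prints "peer-address count", one per line.
over_limit() {
    awk -v port="$1" -v limit="$2" '
        $1 == "ESTAB" {
            lport = $4
            sub(/^.*:/, "", lport)        # local port = text after the last colon
            if (lport != port) next
            peer = $5
            sub(/:[0-9]+$/, "", peer)     # drop the peer port
            sub(/^\[/, "", peer)          # drop IPv6 brackets
            sub(/\]$/, "", peer)
            sub(/^::ffff:/, "", peer)     # IPv4-mapped form seen on dual-stack listeners
            count[peer]++
        }
        END {
            for (ip in count)
                if (count[ip] > limit) print ip, count[ip]
        }' | sort
}

# Constructed sample of `ss -tn` output: 25 connections from one client,
# 3 from another, plus an SSH session and a TIME-WAIT entry that must be ignored.
sample_ss_output() {
    local i
    printf 'State Recv-Q Send-Q Local Address:Port Peer Address:Port\n'
    for i in $(seq 1 25); do
        printf 'ESTAB 0 0 [::ffff:10.0.2.5]:443 [::ffff:10.0.2.4]:%d\n' $((40000 + i))
    done
    for i in 1 2 3; do
        printf 'ESTAB 0 0 10.0.2.5:443 10.0.2.6:%d\n' $((50000 + i))
    done
    printf 'ESTAB 0 0 10.0.2.5:22 10.0.2.4:51000\n'
    printf 'TIME-WAIT 0 0 10.0.2.5:443 10.0.2.6:50010\n'
}

# Run on the sample; on the live server use:  ss -tn | over_limit 443 20
sample_ss_output | over_limit 443 20    # prints: 10.0.2.4 25
```

Running it before and after the iptables rule is applied shows whether the per-source count on port 443 stays at or below the limit while other clients are unaffected.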
Task 7: Firewall to block website access
Many companies have firewall configurations to prevent staff from accessing
websites unrelated to work.
Question 7: You are requested to configure the iptables firewall on the
Web Server to block the access of Facebook from the Web Server
machine.
Screen captures: 1) the commands you used; 2) access to Facebook before
applying the iptables rule(s); 3) access to Facebook after applying the iptables rule(s)
Task 8. Demo another DoS attack tool
Question 8. Demo another DoS attack tool and write down the
detailed steps.
END