4. Create a 'admin' non-root user, use root to force a weak password.

To create a new user account, invoke the useradd command followed by the name of the user. For this example, I created a new user called john.

sudo useradd john

With the new user created, we will now give it administrative rights. For this we'll use the usermod command like so:

sudo usermod -aG wheel john

To be able to log in as the newly created user, you need to set the user password. To do that run the passwd command followed by the username:

sudo passwd john

You will be prompted to enter and confirm the password. For this example, we will use a weak password i.e. admin.

Through sudo, we were able to force a weak password for the user john.

This experiment shows that it is very easy for attackers to take over the server once he/she is able to successfully login into a user. Once inside, the attacker can easily obtain administrative rights and proceed to extract data from the server. Hence, it is very important that unique and strong passwords are set for all users especially root to minimize the chances of a successful brute-force attack. Having a basic system hardening policy that ensures vendor default credentials are disabled or changed before the system goes live can help prevent the occurrences of breaches. Therefore, system hardening is a requirement in every best practice security framework or compliance requirement.

This experiment also showcases a flaw to the Pushbullet alert mechanism. The pushbullet alert mechanism is only able to notify the user about the SSH login but not what happens inside i.e. what the attacker is doing. Even with Pushbullet, it is unable to provide a clear signal that the system has been compromised. Recording every command/action that occurs in the server is also not feasible as it would be inefficient and resource-wasting during peacetime. A better and more efficient solution would be to have known fixed whitelisted IP that can access the server via SSH. This will help limit and control access to the server only to trusted users, thus preventing attacks from external sources via SSH. Organizations can also implement privileged access management (PAM) to protect against the threats posed by credential theft and privilege misuse. PAM refers to a comprehensive cybersecurity strategy – comprising people, processes and technology – to control, monitor, secure and audit all human and non-human privileged identities and activities across an enterprise IT environment.