brettlyons/ssh-brute-force-hardening

IR Practice VM

A Fedora CoreOS VM configured for incident response training, specifically brute force attack simulation.

Quick Start

1. Generate Ignition Config

podman run --rm -i quay.io/coreos/butane:release < ir-practice.bu > ir-practice.ign

2. Create VM in Proxmox

  1. Download the Fedora CoreOS QEMU image from https://fedoraproject.org/coreos/download?stream=stable
  2. Create a new VM in Proxmox:
     • Name: ir-practice
     • OS: Linux 6.x - 2.6 kernel
     • CPU: 2 cores
     • Memory: 2048 MB
     • Storage: Import the QCOW2 image
     • Network: vmbr0 (bridge)
  3. Upload ir-practice.ign to Proxmox storage (e.g., /var/lib/vz/snippets/ir-practice.ign)
  4. Configure Ignition in VM settings:
     qm set <VMID> --args "-fw_cfg name=opt/com.coreos/config,file=/var/lib/vz/snippets/ir-practice.ign"
  5. Configure a static IP in your DHCP server or router for the VM's MAC address:
     • IP: 172.16.1.20
     • Hostname: ir-practice.home.lab

3. First Boot

The VM will:

  1. Boot with Fedora CoreOS
  2. Install tcpdump, wireshark-cli, and audit tools (requires reboot)
  3. Be ready for IR practice

Users

User     Auth Method   Password     Purpose
core     SSH key       N/A          Admin access
victim   Password      Summer2024   Brute force target (dictionary-crackable)

SSH Access

# Admin access (SSH key)
ssh core@172.16.1.20
ssh core@ir-practice.home.lab

# Victim user (password)
ssh victim@172.16.1.20
# Password: Summer2024

Fedora CoreOS Secure-by-Default Note

Fedora CoreOS ships with password authentication disabled by default; this is a security best practice for production systems. The default drop-in at /etc/ssh/sshd_config.d/40-disable-passwords.conf sets PasswordAuthentication no.

For this IR practice VM, we intentionally override this secure default to enable password-based SSH for brute force attack simulation. The ignition config places our settings in 20-ir-practice.conf which is processed before the default 40-disable-passwords.conf.

Why the prefix number matters: sshd expands the Include glob for sshd_config.d in lexical (alphabetical) order and, for each keyword, keeps the first value it reads; later occurrences of the same keyword are ignored. So 20- takes precedence over 40-.
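The first-value-wins rule is easy to get backwards, so here is an added example (not part of this repository) that emulates it: a small shell function resolves a keyword across a directory of drop-ins the way sshd does, and a helper builds a throwaway sshd_config.d in a temp directory that mirrors the two files named above. The file contents are constructed for the demo; nothing touches the real /etc/ssh.

```shell
#!/bin/sh
# Added example, not the repository's own code. Emulates how sshd resolves a
# keyword across Include'd drop-ins: the glob expands in lexical order and the
# FIRST value read for a keyword wins, so a lower-numbered file beats a
# higher-numbered one. Ignores Match blocks and the "Keyword=value" spelling.

# Print the effective value of KEYWORD across DIR/*.conf (first match wins).
effective_sshd_value() {
  keyword=$1
  dir=$2
  # awk reads the files in the order the shell expanded the glob and stops at
  # the first line whose first word is the keyword (case-insensitive, as sshd).
  awk -v k="$keyword" 'tolower($1) == tolower(k) { print $2; exit }' "$dir"/*.conf
}

# Create a scratch sshd_config.d with the two files the README describes.
# Constructed sample written to a temp dir, never to /etc/ssh.
make_sample_dropins() {
  dir=$(mktemp -d)
  printf 'PasswordAuthentication yes\nMaxAuthTries 10\n' > "$dir/20-ir-practice.conf"
  printf 'PasswordAuthentication no\n' > "$dir/40-disable-passwords.conf"
  echo "$dir"
}

# Stand-alone demo: shows "yes", because 20- is read before 40-.
d=$(make_sample_dropins)
echo "PasswordAuthentication -> $(effective_sshd_value PasswordAuthentication "$d")"
echo "MaxAuthTries           -> $(effective_sshd_value MaxAuthTries "$d")"
rm -rf "$d"
```

On the VM itself the authoritative check is `sudo sshd -T | grep -i passwordauthentication`, which prints the value sshd actually resolved after reading every included file.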

In production: Keep password authentication disabled. Use SSH keys, and consider:

  • fail2ban for brute force protection
  • Firewall rules limiting SSH access
  • VPN or bastion hosts for remote access

Reference: Fedora CoreOS SSH hardening

IR Practice Tools Available

  • tcpdump - Network packet capture
  • wireshark-cli (tshark) - Network protocol analyzer
  • auditd - System auditing
  • rsyslog - Configured to forward logs to Wazuh (installed on first boot; FCOS uses journald by default)

Wazuh Integration

Logs are forwarded to wazuh.home.lab:514 via syslog. This includes:

  • Authentication logs via TCP (reliable delivery)
  • All system logs via UDP (broader visibility)

Wazuh Server Configuration Required

The Wazuh server (172.16.1.33) currently only accepts Wazuh agent connections on port 1514. To accept syslog, add these <remote> blocks to /var/ossec/etc/ossec.conf on wazuh.home.lab (after the existing <remote> block):

  <!-- Syslog listener for IR practice VM -->
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>tcp</protocol>
    <allowed-ips>172.16.1.20</allowed-ips>
  </remote>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>172.16.1.20</allowed-ips>
  </remote>

Then restart Wazuh manager:

ssh root@wazuh.home.lab "systemctl restart wazuh-manager"

Reference: Wazuh Syslog Configuration

Verify Syslog Forwarding

# Check rsyslog status on IR practice VM
sudo systemctl status rsyslog

# Test log forwarding
logger -p auth.info "Test IR practice log message"

# Check Wazuh dashboard for the log

Alternative: Full Wazuh Agent (Recommended for Production)

For richer integration with file integrity monitoring, rootkit detection, and more:

# Download and install Wazuh agent
curl -so wazuh-agent.rpm https://packages.wazuh.com/4.x/yum/wazuh-agent-4.7.0-1.x86_64.rpm
sudo rpm-ostree install ./wazuh-agent.rpm

# Copy the template config
sudo cp /var/ossec/etc/ossec.conf.template /var/ossec/etc/ossec.conf

# After reboot, start the agent
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent

Reference: Wazuh Rsyslog Client Configuration

Monitoring During Practice

Capture Network Traffic

# On IR practice VM (as core user)
sudo tcpdump -i any port 22 -w /tmp/ssh-brute.pcap

Watch Auth Logs

# Real-time auth log monitoring
sudo journalctl -u sshd -f

# Or tail secure log
sudo tail -f /var/log/secure
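Watching the log scroll by shows the attack; counting it is what the IR write-up needs. The following is an added example (not from this repository) that tallies failed sshd password attempts per source address from the same line format journalctl and /var/log/secure emit, and reports any source at or above a threshold. The log lines embedded in it are constructed, not captured from the VM.

```shell
#!/bin/sh
# Added example, not the repository's own code. Tallies "Failed password"
# lines per source IP and prints sources that reach a threshold.

# Read sshd log lines on stdin; print "IP COUNT" for every source with at
# least THRESHOLD failed password attempts, highest count first.
failed_password_sources() {
  threshold=${1:-5}
  awk -v t="$threshold" '
    /sshd\[[0-9]+\]: Failed password for/ {
      # the source address is the word after "from"
      for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
    }
    END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }
  ' | sort -k2,2nr
}

# Constructed sample: one noisy source, one stray failure, one success line
# (the success must not be counted).
SAMPLE_LOG='Jun 10 12:00:01 ir-practice sshd[1201]: Failed password for victim from 203.0.113.5 port 51000 ssh2
Jun 10 12:00:02 ir-practice sshd[1202]: Failed password for victim from 203.0.113.5 port 51001 ssh2
Jun 10 12:00:02 ir-practice sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2
Jun 10 12:00:03 ir-practice sshd[1204]: Failed password for victim from 203.0.113.5 port 51003 ssh2
Jun 10 12:00:05 ir-practice sshd[1205]: Failed password for core from 172.16.1.50 port 40000 ssh2
Jun 10 12:00:09 ir-practice sshd[1206]: Accepted password for victim from 203.0.113.5 port 51004 ssh2'

# Run the detector over the embedded sample with the given threshold.
detect_in_sample() {
  printf '%s\n' "$SAMPLE_LOG" | failed_password_sources "$1"
}

# Stand-alone demo. On the VM, feed live lines instead, e.g.:
#   sudo journalctl -u sshd --no-pager | failed_password_sources 5
detect_in_sample 3
```

Pair the reported source with the pcap from the tcpdump step above and with the "Accepted password" line that follows the failures; that pairing is the evidence that the brute force succeeded rather than merely being attempted.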

Audit Logs

# Search audit logs for authentication events
sudo ausearch -k authentication

Security Warning

This VM is intentionally configured with weak security for training purposes:

  • Password authentication enabled
  • Weak password on victim user
  • High MaxAuthTries limit

DO NOT expose this VM to the internet or untrusted networks.

Remediation (Post-Attack)

After completing the attack simulation and documenting findings, run the remediation script:

# SSH in as core user
ssh core@ir-practice.home.lab

# Run remediation
bash /usr/local/bin/remediation.sh
# Or if you have the script locally:
# scp remediation.sh core@ir-practice.home.lab:/tmp/ && ssh core@ir-practice.home.lab 'bash /tmp/remediation.sh'

# Reboot to apply changes
sudo systemctl reboot

The remediation script will:

  1. Install fail2ban to block repeated failed login attempts
  2. Configure SSH to disable password authentication
  3. Provide instructions to remove the victim user
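The repository's remediation.sh is not reproduced here, so what follows is an added example of the two configuration artefacts steps 1 and 2 produce, written under a chosen root directory so they can be reviewed before being applied. The drop-in file name 10-remediation.conf, the fail2ban thresholds, and the scratch-root layout are this example's own choices; the drop-in is numbered below 20-ir-practice.conf because sshd keeps the first value it reads, and the override itself is removed so the default is genuinely restored.

```shell
#!/bin/sh
# Added example, not the repository's remediation.sh. Renders the hardening
# files under ROOT (a scratch directory in the demo; "/" only on the real VM,
# as root, followed by a reload of sshd and fail2ban).

# Write an sshd drop-in that turns password authentication back off and
# delete the exercise override so no later file re-enables it.
write_sshd_hardening() {
  root=$1
  mkdir -p "$root/etc/ssh/sshd_config.d"
  cat > "$root/etc/ssh/sshd_config.d/10-remediation.conf" <<'EOF'
# Restore the Fedora CoreOS default after the exercise
PasswordAuthentication no
KbdInteractiveAuthentication no
MaxAuthTries 3
EOF
  rm -f "$root/etc/ssh/sshd_config.d/20-ir-practice.conf"
}

# Write a fail2ban jail for sshd. Fedora CoreOS logs to journald, so the
# systemd backend is used instead of a log file path. Thresholds are the
# example's own choices.
write_fail2ban_jail() {
  root=$1
  mkdir -p "$root/etc/fail2ban"
  cat > "$root/etc/fail2ban/jail.local" <<'EOF'
[sshd]
enabled  = true
backend  = systemd
maxretry = 5
findtime = 10m
bantime  = 1h
EOF
}

# Return 0 when no remaining drop-in under ROOT re-enables password auth.
password_auth_disabled() {
  root=$1
  ! grep -qi '^PasswordAuthentication[ =]*yes' "$root"/etc/ssh/sshd_config.d/*.conf 2>/dev/null
}

# Stand-alone demo against a scratch root seeded with the exercise override.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/ssh/sshd_config.d"
printf 'PasswordAuthentication yes\n' > "$demo_root/etc/ssh/sshd_config.d/20-ir-practice.conf"
write_sshd_hardening "$demo_root"
write_fail2ban_jail "$demo_root"
password_auth_disabled "$demo_root" && echo "password auth disabled under $demo_root"
rm -rf "$demo_root"
```

On the VM, fail2ban is layered with rpm-ostree (hence the reboot in the steps above), and `sudo sshd -T | grep -i passwordauthentication` confirms the drop-in took effect before the victim account is removed.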

Network Info

  • IP: 172.16.1.20 (configure in DHCP/router)
  • Subnet: 172.16.1.0/24
  • Gateway: 172.16.1.1
  • DNS: 172.16.1.8 (Pi-hole)

About

SSH brute force incident response training exercise
