mirror of https://github.com/01-edu/public.git
# deep-in-system

![sysadmin](https://assets.01-edu.org/devops-branch/DeepInSystem/sysadmin.jpeg)

In this project you will learn how to administer a Linux server. You will set up security and networking for an Ubuntu server and install some popular services.

### Objectives

Implement some of the skills learned in the scripting pool in a real-life project.

Gain first experience with an Ubuntu server setup.

Discover some network and security implementations in Linux.

Discover some popular services in Linux.

### Advice

Read the entire project before starting implementation!

Try to understand all the commands that you will use in your setup.

Save every command you enter; it will be useful if you want to reinstall the server or do some debugging.

Create a backup file for each config file you modify; this will be useful if you break the config.

> In this project some passwords and private keys are exposed. Doing this is not recommended in any way!
> And don't use these passwords and private keys outside this learning project!

### Instructions

#### The Virtual Machine Part:

Install the latest LTS release of Ubuntu Server as a virtual machine.

- The VM disk size must be 30GB.

- You must divide your VM disk into these partitions:
  - `swap`: 4G
  - `/`: 15G
  - `/home`: 5G
  - `/backup`: 6G

- Your username must be your login name.

- You have to set your hostname with the format `{username}-host`.
  If your login is `potato`, then your hostname must be `potato-host`.

#### The Network Part:

Set a static private IP address; you are free to choose which netmask to use.

You must be able to connect to the Internet! You can test with:

```console
$> ping -c 5 google.com
```

#### The Security Part:

> You do not have to use the root user in your setup process!
> You won't need it when you have `sudo`.

Sudo provides fine-grained access control. It grants elevated permissions only to the particular program that requires them. You know which program is running with elevated privileges, rather than working in a root shell (running every command with root privileges).

- You have to disable remote root login via SSH.

- Change the SSH port to `2222`.

- Configure the firewall to close all incoming ports; only ports that are in use may be open.

> All open ports must be justified in the audit!

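A way to audit the two SSH requirements above, added here as an example and not part of the original project. The function name and both sample configurations are constructed for illustration; on a live server the same function can read the output of `sudo sshd -T`, which prints the effective configuration.

```shell
#!/bin/sh
# Added example, not part of the project: audit sshd settings read from stdin.
# Accepts sshd_config text or the output of `sshd -T` (keywords are case-insensitive).
check_sshd() {
  awk '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    { sub(/[=]/, " "); key = tolower($1); val = tolower($2) }
    key == "match" { exit }                 # global settings end at the first Match block
    key == "permitrootlogin" && !seen++ { root = val }  # sshd keeps the first value
    key == "port" { ports[val] = 1 }        # every Port line adds a listener
    END {
      if (root != "no") {
        printf "FAIL: PermitRootLogin is %s\n", (root == "" ? "unset" : root); bad = 1
      }
      n = 0
      for (p in ports) {
        n++
        if (p != "2222") { printf "FAIL: sshd also listens on port %s\n", p; bad = 1 }
      }
      if (n == 0) { print "FAIL: no Port line, sshd uses the default port 22"; bad = 1 }
      if (!bad) print "OK: root login disabled, sshd listens only on 2222"
      exit bad + 0
    }'
}

# Constructed sample: hardening lines appended below the old ones.
sample_appended() {
  cat <<'EOF'
PermitRootLogin yes
Port 22
PermitRootLogin no
Port 2222
EOF
}

# Constructed sample: the old lines edited in place.
sample_edited() {
  cat <<'EOF'
Port 2222
PermitRootLogin no
Match User zoro
    PasswordAuthentication yes
EOF
}

sample_appended | check_sshd || true   # reports root login and the extra port
sample_edited | check_sshd             # passes
```
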
#### User Management Part:

You have to create 2 users on your server as follows:

##### 1- *luffy*:

- SSH authentication method: public key-based authentication
- Home directory: `/home/luffy`
- Sudoer: yes
- Public key:

```
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC9NYZT5ueK+2JupNLOAg3xTSd117NwrPgVN15S2gXfijJlpmO1dBgR+ro6N2yngoLTLi2QGUU53xRj0p/SJf+9GOdlkt55ePxs2GNKxACJcrZLPiyOBbb5VRyyRn3ie84qdw7EUSnWROTBWVIqkcxE+YFP9e06gQCuUxm7FyjwUfEMSXEaWCLMC2qREz8H92ZtEcXqQNKotG0CtIuuFsVX1CQdEh86v+SVN6pVbVaXLWFKkpZSubAvGe5g4ffiLjTSMfzmZ+Ayley0DmX+7nsV0OXgIpixMmW1KV8NNo5oxTQFPG3z5v7AgCUM8Hc1R2dj2AjbmDRlh9amTjQd1dPR99TJ84Nu1fIwsar5eG5u/oIA3cUTT028gcAL85GLy7YERUyXpbbaap1QgsJGViCYETflUcvwfdxrDetLBbnQ2aKqo/KxyXFDXt7uR618p2hrotWE9nWZnIQ90FRFUhEIcoq1Gg1on/0G+4M9WIqlChh6qUAq/Gi3IHURXlTBP9M= luffy@luffy
```

- Private key:

##### 2- *zoro*:

- SSH authentication method: password authentication
- Home directory: `/home/zoro`
- Password: `^wb@92Sq&ls644@5*Je0`
- Sudoer: no

#### Services Part:

- Install an FTP server and create a user `nami`.

  The user `nami` can access only `/backup` via FTP, with read-only access.

  `nami` user password: `mYdb6HA^5W4o`

> Don't enable anonymous access!
> This will be risky!

#### The Database Part:

- You have to install MySQL Server.

- Disable remote connection for the root user.

- Do not allow connections to MySQL from outside the server!
  To improve the security of your website, you should keep your MySQL server accessible only to applications on the server, as long as it does not affect your solution.

- You must create a MySQL user that has only the access required to the WordPress database.

> Don't use the root user in your WordPress website!

#### WordPress Part:

- You have to install WordPress.

- WordPress must be in your web server root directory: `http://{host}/`

- Your WordPress must work normally: try to post something or create another user; you are free to do anything.

> The configuration file must not be publicly accessible! Try `http://{host}/wp-config.php`.

#### Backup Part:

Backups protect against human errors, hardware failure, virus attacks, power failures, and natural disasters. Backups can help save time and money if these failures occur.

In this exercise, you will set up a simple backup method using cron jobs.

- Set up a cron job that runs every day at 00:00; it must create a tar file of the WordPress database.

- The backup files must be created in the `/backup` folder.

- The backup file name must contain the creation date.

- You must add a line to a log file (`/var/log/backup.log`). This line should contain a message informing you that the backup was successful and the time of the backup.

- Your backup files must be downloadable by the `nami` FTP user.

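One way to meet the backup requirements listed above, added here as an example and not part of the original project. The database name `wordpress`, the script path in the crontab comment and the `DUMP_CMD` override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the project: dated tar backup of one MySQL database.
# Assumes mysqldump reads credentials from an option file (e.g. /root/.my.cnf),
# so no password appears in the crontab or in the process list.
# DUMP_CMD is a hypothetical override for trying the function without MySQL.
backup_db() {  # usage: backup_db <database> <dest_dir> <log_file>
  db=$1; dest=$2; log=$3
  archive="$dest/$db-$(date +%Y-%m-%d_%H%M%S).tar.gz"
  work=$(mktemp -d) || return 1          # private 0700 scratch directory
  # Dump to a file and test each step: in `mysqldump | gzip` a failed dump
  # would be masked by the exit status of gzip and still be logged as a success.
  # Mode 640 keeps the dump away from other local users; the FTP user needs
  # to be in the file's group to download it.
  if ${DUMP_CMD:-mysqldump --single-transaction} "$db" > "$work/$db.sql" &&
     tar -czf "$archive.part" -C "$work" "$db.sql" &&
     chmod 640 "$archive.part" &&
     mv "$archive.part" "$archive"; then
    echo "$(date '+%Y-%m-%d %H:%M:%S') backup of $db succeeded: $archive" >> "$log"
    rc=0
  else
    rm -f "$archive.part"
    echo "$(date '+%Y-%m-%d %H:%M:%S') backup of $db FAILED" >> "$log"
    rc=1
  fi
  rm -rf "$work"
  return "$rc"
}

# Runs only when called with three arguments, e.g. from root's crontab
# (the script path is a placeholder):
#   0 0 * * * /usr/local/sbin/db-backup.sh wordpress /backup /var/log/backup.log
if [ "$#" -eq 3 ]; then
  backup_db "$1" "$2" "$3"
fi
```
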
### Bonus Part

If you complete the mandatory part perfectly, you can move on to this part.

You can add anything you feel deserves to be a bonus. Some suggested ideas:

- Install the Minecraft server. It must always be running, even after you reboot your server.

- Automate all the instructions with Ansible, so you can repeat this long process on more than one server in a short time.

- Set up SSL on the web server and the FTP server; you can use a self-signed certificate.

*Challenge yourself!*

### Submission and audit

You must export your VM to a safe place; you will need it in the audit.

You will use your exported VM to run a new VM for each audit.

Push the shasum of your exported VM. You can get it this way:

```console
user:~$ sha1sum deep-in-system.ova > deep-in-system.sha1
user:~$ cat deep-in-system.sha1 | cat -e
<...>255bfef9560<...> deep-in-system.ova$
user:~$
```

Files that must be inside your repository:

- deep-in-system.sha1

> It's forbidden to use external scripts!
> Any use of external scripts, or use of commands without understanding what they do, is considered cheating!