mirror of https://github.com/01-edu/public.git
Zouhair AMAZZAL
2 years ago
committed by
Zouhair AMAZZAL
2 changed files with 195 additions and 0 deletions
@ -0,0 +1,195 @@
|
||||
# DeepInSystem |
||||
|
||||
![sysadmin](https://assets.01-edu.org/devops-branch/DeepInSystem/sysadmin.jpeg) |
||||
|
||||
In this project you will learn how to administer a Linux server, You will set up security and network for a ubuntu server, and will install some popular services. |
||||
### Objectives |
||||
|
||||
Implement some learned skills from the scripting pool in a real-life project. |
||||
|
||||
Having a first experience in a ubuntu server setup. |
||||
|
||||
Discovering some network and security implementations in Linux. |
||||
|
||||
Discovering some popular services in Linux. |
||||
### Advice |
||||
|
||||
Read the entire project before starting implementation! |
||||
|
||||
Try to understand all the commands that you will use in your setup. |
||||
|
||||
Save any command you entered, it will be useful if you want to reinstall the server or do some debugging. |
||||
|
||||
Create a backup file for each config file you will modify, this will be useful if you broke the config. |
||||
|
||||
> In this project we have put some passwords and private keys exposed, It is not recommended to do this in any way! |
||||
> And don't use these passwords and private keys outside this learning project! |
||||
### Instructions |
||||
|
||||
#### The Virtual Machine Part: |
||||
|
||||
Install a ubuntu server's latest LTS as a virtual machine. |
||||
|
||||
- The VM disk size must be 30GB. |
||||
|
||||
- You must divide your VM disk into these partitions: |
||||
`swap:` 4G |
||||
`/`: 15G |
||||
`/home`: 5G |
||||
`/backup`: 6G |
||||
|
||||
- Your username must be your login name. |
||||
|
||||
- You have to set your hostname with the format of `{username}-host`. |
||||
if your login is `potato`, then your hostname must be `potato-host`. |
||||
#### The Network Part: |
||||
|
||||
Set a static private IP address, you are free to choose which netmask to use. |
||||
|
||||
You must be able to connect to the Internet!, you can test with: |
||||
```console |
||||
$> ping -c 5 google.com |
||||
``` |
||||
#### The Security Part: |
||||
|
||||
> You do not have to use the root user in your setup process! |
||||
You won't need it when you have `sudo`. |
||||
##### Sudo provides fine-grained access control. It grants elevated permissions to only a particular program that requires it. You know which program is running with elevated privileges, rather than working with a root shell (running every command with root privileges). |
||||
|
||||
- You have to disable remote root login via ssh. |
||||
|
||||
- Change the ssh port to: `2222`. |
||||
|
||||
- Configure the Firewall, and close all incoming ports, only used ports must be opened. |
||||
> All open ports must be justified in the audit! |
||||
#### User Management Part: |
||||
|
||||
You have to create 2 users in your server as follows: |
||||
##### 1- *luffy*: |
||||
|
||||
- SSH authentication Method: Public key-based authentication |
||||
- Home directory: `/home/luffy` |
||||
- Sudoer: yes |
||||
- Public key: |
||||
``` |
||||
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC9NYZT5ueK+2JupNLOAg3xTSd117NwrPgVN15S2gXfijJlpmO1dBgR+ro6N2yngoLTLi2QGUU53xRj0p/SJf+9GOdlkt55ePxs2GNKxACJcrZLPiyOBbb5VRyyRn3ie84qdw7EUSnWROTBWVIqkcxE+YFP9e06gQCuUxm7FyjwUfEMSXEaWCLMC2qREz8H92ZtEcXqQNKotG0CtIuuFsVX1CQdEh86v+SVN6pVbVaXLWFKkpZSubAvGe5g4ffiLjTSMfzmZ+Ayley0DmX+7nsV0OXgIpixMmW1KV8NNo5oxTQFPG3z5v7AgCUM8Hc1R2dj2AjbmDRlh9amTjQd1dPR99TJ84Nu1fIwsar5eG5u/oIA3cUTT028gcAL85GLy7YERUyXpbbaap1QgsJGViCYETflUcvwfdxrDetLBbnQ2aKqo/KxyXFDXt7uR618p2hrotWE9nWZnIQ90FRFUhEIcoq1Gg1on/0G+4M9WIqlChh6qUAq/Gi3IHURXlTBP9M= luffy@luffy |
||||
``` |
||||
- Private key: |
||||
``` |
||||
-----BEGIN OPENSSH PRIVATE KEY----- |
||||
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn |
||||
NhAAAAAwEAAQAAAYEAvTWGU+bnivtibqTSzgIN8U0nddezcKz4FTdeUtoF34oyZaZjtXQY |
||||
Efq6Ojdsp4KC0y4tkBlFOd8UY9Kf0iX/vRjnZZLeeXj8bNhjSsQAiXK2Sz4sjgW2+VUcsk |
||||
Z94nvOKncOxFEp1kTkwVlSKpHMRPmBT/XtOoEArlMZuxco8FHxDElxGlgizAtqkRM/B/dm |
||||
bRHF6kDSqLRtArSLrhbFV9QkHRIfOr/klTeqVW1Wly1hSpKWUrmwLxnuYOH34i400jH85m |
||||
fgMpXstA5l/u57FdDl4CKYsTJltSlfDTaOaMU0BTxt8+b+wIAlDPB3NUdnY9gI25g0ZYfW |
||||
pk40HdXT0ffUyfODbtXyMLGq+Xhubv6CAN3FE09NvIHAC/ORi8u2BEVMl6W22mqdUILCRl |
||||
YgmBE35VHL8H3caw3rSwW50NmiqqPysclxQ17e7ketfKdoa6LVhPZ1mZyEPdBURVIRCHKK |
||||
tRoNaJ/9BvuDPViKpQoYeqlAKvxotyB1EV5UwT/TAAAFkJiggtqYoILaAAAAB3NzaC1yc2 |
||||
EAAAGBAL01hlPm54r7Ym6k0s4CDfFNJ3XXs3Cs+BU3XlLaBd+KMmWmY7V0GBH6ujo3bKeC |
||||
gtMuLZAZRTnfFGPSn9Il/70Y52WS3nl4/GzYY0rEAIlytks+LI4FtvlVHLJGfeJ7zip3Ds |
||||
RRKdZE5MFZUiqRzET5gU/17TqBAK5TGbsXKPBR8QxJcRpYIswLapETPwf3Zm0RxepA0qi0 |
||||
bQK0i64WxVfUJB0SHzq/5JU3qlVtVpctYUqSllK5sC8Z7mDh9+IuNNIx/OZn4DKV7LQOZf |
||||
7uexXQ5eAimLEyZbUpXw02jmjFNAU8bfPm/sCAJQzwdzVHZ2PYCNuYNGWH1qZONB3V09H3 |
||||
1Mnzg27V8jCxqvl4bm7+ggDdxRNPTbyBwAvzkYvLtgRFTJelttpqnVCCwkZWIJgRN+VRy/ |
||||
B93GsN60sFudDZoqqj8rHJcUNe3u5HrXynaGui1YT2dZmchD3QVEVSEQhyirUaDWif/Qb7 |
||||
gz1YiqUKGHqpQCr8aLcgdRFeVME/0wAAAAMBAAEAAAGATKVGCO7clNxIf3GdQ35pj3olpg |
||||
L+2YH37QBE4WMYRfmBeNPySCsDJSVgEv0osqKXxFxMcLcL5+mKJPXJcCOceUmBUxAvtx1f |
||||
g+gUMNE9NnCVj91bxxxhhpcHzN/pVrm4RlN8U+JdBENcN0arljsBeF9qFq4Ur0JauENJhR |
||||
RYrSFEeCm3+2gAkI9/V81oFx4NC9nLRp2DuHt+PT5N5vOqdW2mQ3B33iClxByMj5Z/ITZs |
||||
1vySkGhQCoSCoBRpieIVKUuJ8Hhh4/uStDRb6NaZZJt8r9W74j5A1qZGJJ1Znt4FaoeFSB |
||||
z9tFEnybJvvrASDgVh1GV9iCi5odV8/HfMQX75bxiOOb6CyOxLYkWL/L9rsg3EiFoaYRT4 |
||||
gPNRFC1UzanccesHg5IOcLFYTed3REnaSTP0YX5XDahDYjstDAIHXuAQOnqGFQ2eOls3Al |
||||
hrOnSbxWTpt4Lla19tctwHB/XcnC3zMDuD2TGrX7HJwsXsOLF0JlfhJdfw8o5kNmaBAAAA |
||||
wBKJ+BeJxzqko1NEBEC3d1W4CYQu3EdPGKlunRIZi/m6l35Xdgo9qPntSr1L56lhtNo5XZ |
||||
77OkKJE2YCCUt82Wp9o0cEBaVKhLWL7EjWEyYVkD23Snvaszg0BUwcK9u46+nS+8ob7+pa |
||||
6Qo1JG9iRqgtb5M61f5aBnxd6TiAHXd7/1z7JRtDZrjjGd3XWbxyF0dL/VlNzn9V2qXrEX |
||||
DupS0Lyy+I+BfUvKznggY/eySJ4lbGhbB5FvfeHcWxyI2R0AAAAMEA37n+g1u4ntYPyelW |
||||
CfzMbSMSJokzAEjskjwFdb2QnTRQUYIawY8y4384n/98o7hCXONW5M1d5XyGiWX5WOUHYG |
||||
LaLs/IUVMqfF+TmR6EMrpa55eHPbW9zDByVaNpAvoh1O6awBpDxFbAIU8j9CqbxZySGQ83 |
||||
WG+i0LuuXDHffjMiTRk5LSknU79dDdbDFCaqDLunmrYnAXdxJ+9EyJfm0wrxpH8u+lr9Im |
||||
1V7Jvm49gLBG8gfPq/zA3zpSmuUuERAAAAwQDYgNWAOUyaNyOeXEu7N3m1KvDkRlEOMjpp |
||||
BTfaKvpcNo1L2GmmHPUBsjyC59yqK24F63pdegL+9jJtOMdONaRa8qQloZPTwTj0yGM42E |
||||
rfszI7Uawg+2RmMuTRPOQ6nFcsnOnPwiFdzkLo7RmQiuUtKlV2VuR2PZXxf+90/l2g69IX |
||||
CdOvB0UKoEkjWVXQsMAKR0dGn6ooyFbfXoawq0ILxvrmxMOGd2l04Dai9d2vEeS+VwF65h |
||||
YFVD5IsAOc0qMAAAAUemFtYXp6YWxAMTkyLjE2OC4xLjcBAgMEBQYH |
||||
-----END OPENSSH PRIVATE KEY----- |
||||
``` |
||||
##### 2- *zoro*: |
||||
|
||||
- SSH authentication Method: Password authentication |
||||
- Home directory: `/home/zoro` |
||||
- password: `^wb@92Sq&ls644@5*Je0` |
||||
- sudoer: no |
||||
#### Services Part: |
||||
|
||||
- Install an FTP server and create a user `nami`. |
||||
The user `nami` can access via FTP only to `/backup` with read-only access. |
||||
`nami` user password: `mYdb6HA^5W4o` |
||||
|
||||
> Don't enable anonymous access! |
||||
This will be risky! |
||||
#### The Database Part: |
||||
|
||||
- You have to install MySQL Server |
||||
|
||||
- Disable the remote connection to the root user. |
||||
|
||||
- Do not allow connection to MySQL from outside the server! |
||||
To improve the security of your website, you should keep your MySQL server accessible only by applications in the server, As long as it does not affect your solution. |
||||
|
||||
- You must create a MySQL user, which has the only required access to the WordPress database. |
||||
> Don't use the root user in your WordPress website! |
||||
#### WordPress Part: |
||||
|
||||
- You have to install WordPress |
||||
|
||||
- WordPress must be in your web server root directory: `http://{host}/` |
||||
|
||||
- Your WordPress must work in a normal way, try to post something or create another user, any way you are free to do anything. |
||||
|
||||
> The configuration file must not be public accessible!, try `http://{host}/wp-config.php` |
||||
#### Backup Part: |
||||
Backups protect against human errors, hardware failure, virus attacks, power failures, and natural disasters. Backups can help save time and money if these failures occur. |
||||
|
||||
In this exercise, you will set up a simple backup method by using cron jobs. |
||||
|
||||
- Set up a cron job that starts every Day At 00:00, it must create a tar file of the WordPress database. |
||||
|
||||
- The backup files must be created in the `/backup` folder. |
||||
|
||||
- The backup file name must contain the creation date. |
||||
|
||||
- You must add a line to a log file (`/var/log/backup.log`) This line should contain a message informing you that the backup was successful and the timing of the backup. |
||||
|
||||
- Your backup files must be downloadable from the `nami` FTP user. |
||||
|
||||
### Bonus Part |
||||
|
||||
If you complete the mandatory part perfectly, you can move to this part. |
||||
You can add anything you feel deserves to be a bonus, some of the suggested ideas: |
||||
|
||||
- Install the Minecraft server, It must be always running even if you reboot your server. |
||||
|
||||
- Automate all instructions with ansible, so you can remake this long process in more than 1 server in a short time. |
||||
|
||||
- Set up the SSL in the web server and FTP server, you can use self-signed SSL. |
||||
|
||||
*Challenge yourself!* |
||||
### Submission and audit |
||||
You must export your VM to a safe place, you will need it in the audit. |
||||
You will use your exported VM to run a new VM for each audit. |
||||
Push the shasum of your exported VM, you can get it this way: |
||||
```console |
||||
user:~$ sha1sum DeepInSystem.ova > DeepInSystem.sha1 |
||||
user:~$ cat DeepInSystem.sha1 | cat -e |
||||
<...>255bfef9560<...> DeepInSystem.ova$ |
||||
user:~$ |
||||
``` |
||||
|
||||
Files that must be inside your repository: |
||||
|
||||
- DeepInSystem.sha1 |
||||
|
||||
> It's Forbidden to use external scripts! |
||||
> Any use of external scripts or use of commands without understanding their jobs is considered cheating! |
Loading…
Reference in new issue