Zouhair AMAZZAL
a8e4b56e84
|
2 years ago | |
---|---|---|
.. | ||
audit | 2 years ago | |
pictures | 2 years ago | |
README.md | 2 years ago |
README.md
deep-in-system
In this project you will learn how to administer a Linux server, You will set up security and network for a ubuntu server, and will install some popular services.
Objectives
Implement some learned skills from the scripting pool in a real-life project.
Having a first experience in a ubuntu server setup.
Discovering some network and security implementations in Linux.
Discovering some popular services in Linux.
Advice
Read the entire project before starting implementation!
Try to understand all the commands that you will use in your setup.
Save any command you entered, it will be useful if you want to reinstall the server or do some debugging.
Create a backup file for each config file you will modify, this will be useful if you broke the config.
In this project we have put some passwords and private keys exposed, It is not recommended to do this in any way! And don't use these passwords and private keys outside this learning project!
Instructions
The Virtual Machine Part:
Install a ubuntu server's latest LTS as a virtual machine.
-
The VM disk size must be 30GB.
-
You must divide your VM disk into these partitions:
swap:
4G/
: 15G/home
: 5G/backup
: 6G -
Your username must be your login name.
-
You have to set your hostname with the format of
{username}-host
, if your login ispotato
, then your hostname must bepotato-host
.
The Network Part:
Set a static private IP address, you are free to choose which netmask to use.
You must be able to connect to the Internet!, you can test with:
$> ping -c 5 google.com
You should not have any internet interface with dynamic ip assignment.
The Security Part:
You do not have to use the root user in your setup process! You won't need it when you have
sudo
. Sudo provides fine-grained access control. It grants elevated permissions to only a particular program that requires it. You know which program is running with elevated privileges, rather than working with a root shell (running every command with root privileges).
-
You have to disable remote root login via ssh.
-
Change the ssh port to:
2222
. -
Configure the Firewall, and close all incoming ports, only used ports must be opened.
All open ports must be justified in the audit!
User Management Part:
You have to create 2 users in your server as follows:
1- luffy:
- SSH authentication Method: Public key-based authentication
- Home directory:
/home/luffy
- Sudoer: yes
- Public key:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC9NYZT5ueK+2JupNLOAg3xTSd117NwrPgVN15S2gXfijJlpmO1dBgR+ro6N2yngoLTLi2QGUU53xRj0p/SJf+9GOdlkt55ePxs2GNKxACJcrZLPiyOBbb5VRyyRn3ie84qdw7EUSnWROTBWVIqkcxE+YFP9e06gQCuUxm7FyjwUfEMSXEaWCLMC2qREz8H92ZtEcXqQNKotG0CtIuuFsVX1CQdEh86v+SVN6pVbVaXLWFKkpZSubAvGe5g4ffiLjTSMfzmZ+Ayley0DmX+7nsV0OXgIpixMmW1KV8NNo5oxTQFPG3z5v7AgCUM8Hc1R2dj2AjbmDRlh9amTjQd1dPR99TJ84Nu1fIwsar5eG5u/oIA3cUTT028gcAL85GLy7YERUyXpbbaap1QgsJGViCYETflUcvwfdxrDetLBbnQ2aKqo/KxyXFDXt7uR618p2hrotWE9nWZnIQ90FRFUhEIcoq1Gg1on/0G+4M9WIqlChh6qUAq/Gi3IHURXlTBP9M= luffy@luffy
- Private key:
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAvTWGU+bnivtibqTSzgIN8U0nddezcKz4FTdeUtoF34oyZaZjtXQY
Efq6Ojdsp4KC0y4tkBlFOd8UY9Kf0iX/vRjnZZLeeXj8bNhjSsQAiXK2Sz4sjgW2+VUcsk
Z94nvOKncOxFEp1kTkwVlSKpHMRPmBT/XtOoEArlMZuxco8FHxDElxGlgizAtqkRM/B/dm
bRHF6kDSqLRtArSLrhbFV9QkHRIfOr/klTeqVW1Wly1hSpKWUrmwLxnuYOH34i400jH85m
fgMpXstA5l/u57FdDl4CKYsTJltSlfDTaOaMU0BTxt8+b+wIAlDPB3NUdnY9gI25g0ZYfW
pk40HdXT0ffUyfODbtXyMLGq+Xhubv6CAN3FE09NvIHAC/ORi8u2BEVMl6W22mqdUILCRl
YgmBE35VHL8H3caw3rSwW50NmiqqPysclxQ17e7ketfKdoa6LVhPZ1mZyEPdBURVIRCHKK
tRoNaJ/9BvuDPViKpQoYeqlAKvxotyB1EV5UwT/TAAAFkJiggtqYoILaAAAAB3NzaC1yc2
EAAAGBAL01hlPm54r7Ym6k0s4CDfFNJ3XXs3Cs+BU3XlLaBd+KMmWmY7V0GBH6ujo3bKeC
gtMuLZAZRTnfFGPSn9Il/70Y52WS3nl4/GzYY0rEAIlytks+LI4FtvlVHLJGfeJ7zip3Ds
RRKdZE5MFZUiqRzET5gU/17TqBAK5TGbsXKPBR8QxJcRpYIswLapETPwf3Zm0RxepA0qi0
bQK0i64WxVfUJB0SHzq/5JU3qlVtVpctYUqSllK5sC8Z7mDh9+IuNNIx/OZn4DKV7LQOZf
7uexXQ5eAimLEyZbUpXw02jmjFNAU8bfPm/sCAJQzwdzVHZ2PYCNuYNGWH1qZONB3V09H3
1Mnzg27V8jCxqvl4bm7+ggDdxRNPTbyBwAvzkYvLtgRFTJelttpqnVCCwkZWIJgRN+VRy/
B93GsN60sFudDZoqqj8rHJcUNe3u5HrXynaGui1YT2dZmchD3QVEVSEQhyirUaDWif/Qb7
gz1YiqUKGHqpQCr8aLcgdRFeVME/0wAAAAMBAAEAAAGATKVGCO7clNxIf3GdQ35pj3olpg
L+2YH37QBE4WMYRfmBeNPySCsDJSVgEv0osqKXxFxMcLcL5+mKJPXJcCOceUmBUxAvtx1f
g+gUMNE9NnCVj91bxxxhhpcHzN/pVrm4RlN8U+JdBENcN0arljsBeF9qFq4Ur0JauENJhR
RYrSFEeCm3+2gAkI9/V81oFx4NC9nLRp2DuHt+PT5N5vOqdW2mQ3B33iClxByMj5Z/ITZs
1vySkGhQCoSCoBRpieIVKUuJ8Hhh4/uStDRb6NaZZJt8r9W74j5A1qZGJJ1Znt4FaoeFSB
z9tFEnybJvvrASDgVh1GV9iCi5odV8/HfMQX75bxiOOb6CyOxLYkWL/L9rsg3EiFoaYRT4
gPNRFC1UzanccesHg5IOcLFYTed3REnaSTP0YX5XDahDYjstDAIHXuAQOnqGFQ2eOls3Al
hrOnSbxWTpt4Lla19tctwHB/XcnC3zMDuD2TGrX7HJwsXsOLF0JlfhJdfw8o5kNmaBAAAA
wBKJ+BeJxzqko1NEBEC3d1W4CYQu3EdPGKlunRIZi/m6l35Xdgo9qPntSr1L56lhtNo5XZ
77OkKJE2YCCUt82Wp9o0cEBaVKhLWL7EjWEyYVkD23Snvaszg0BUwcK9u46+nS+8ob7+pa
6Qo1JG9iRqgtb5M61f5aBnxd6TiAHXd7/1z7JRtDZrjjGd3XWbxyF0dL/VlNzn9V2qXrEX
DupS0Lyy+I+BfUvKznggY/eySJ4lbGhbB5FvfeHcWxyI2R0AAAAMEA37n+g1u4ntYPyelW
CfzMbSMSJokzAEjskjwFdb2QnTRQUYIawY8y4384n/98o7hCXONW5M1d5XyGiWX5WOUHYG
LaLs/IUVMqfF+TmR6EMrpa55eHPbW9zDByVaNpAvoh1O6awBpDxFbAIU8j9CqbxZySGQ83
WG+i0LuuXDHffjMiTRk5LSknU79dDdbDFCaqDLunmrYnAXdxJ+9EyJfm0wrxpH8u+lr9Im
1V7Jvm49gLBG8gfPq/zA3zpSmuUuERAAAAwQDYgNWAOUyaNyOeXEu7N3m1KvDkRlEOMjpp
BTfaKvpcNo1L2GmmHPUBsjyC59yqK24F63pdegL+9jJtOMdONaRa8qQloZPTwTj0yGM42E
rfszI7Uawg+2RmMuTRPOQ6nFcsnOnPwiFdzkLo7RmQiuUtKlV2VuR2PZXxf+90/l2g69IX
CdOvB0UKoEkjWVXQsMAKR0dGn6ooyFbfXoawq0ILxvrmxMOGd2l04Dai9d2vEeS+VwF65h
YFVD5IsAOc0qMAAAAUemFtYXp6YWxAMTkyLjE2OC4xLjcBAgMEBQYH
-----END OPENSSH PRIVATE KEY-----
2- zoro:
- SSH authentication Method: Password authentication
- Home directory:
/home/zoro
- password:
^wb@92Sq&ls644@5*Je0
- sudoer: no
Services Part:
- Install an FTP server and create a user
nami
. The usernami
can access via FTP only to/backup
with read-only access.nami
user password:mYdb6HA^5W4o
Don't enable anonymous access! This will be risky!
The Database Part:
-
You have to install MySQL Server
-
Disable the remote connection to the root user.
-
Do not allow connection to MySQL from outside the server! To improve the security of your website, you should keep your MySQL server accessible only by applications in the server, As long as it does not affect your solution.
-
You must create a MySQL user, which has the only required access to the WordPress database.
Don't use the root user in your WordPress website!
WordPress Part:
-
You have to install WordPress
-
WordPress must be in your web server root directory:
http://{host}/
-
Your WordPress must work in a normal way, try to post something or create another user, any way you are free to do anything.
The configuration file must not be public accessible!, try
http://{host}/wp-config.php
Backup Part:
Backups protect against human errors, hardware failure, virus attacks, power failures, and natural disasters. Backups can help save time and money if these failures occur.
In this exercise, you will set up a simple backup method by using cron jobs.
-
Set up a cron job that starts every Day At 00:00, it must create a tar file of the WordPress database.
-
The backup files must be created in the
/backup
folder. -
The backup file name must contain the creation date.
-
You must add a line to a log file (
/var/log/backup.log
) This line should contain a message informing you that the backup was successful and the timing of the backup. -
Your backup files must be downloadable from the
nami
FTP user.
Bonus Part
If you complete the mandatory part perfectly, you can move to this part. You can add anything you feel deserves to be a bonus, some of the suggested ideas:
-
Install the Minecraft server, It must be always running even if you reboot your server.
-
Automate all instructions with ansible, so you can remake this long process in more than 1 server in a short time.
-
Set up the SSL in the web server and FTP server, you can use self-signed SSL.
Challenge yourself!
Submission and audit
You must export your VM to a safe place, you will need it in the audit. You will use your exported VM to run a new VM for each audit. Push the shasum of your exported VM, you can get it this way:
user:~$ sha1sum deep-in-system.ova > deep-in-system.sha1
user:~$ cat deep-in-system.sha1 | cat -e
<...>255bfef9560<...> deep-in-system.ova$
user:~$
Files that must be inside your repository:
- deep-in-system.sha1
It's Forbidden to use external scripts! Any use of external scripts or use of commands without understanding their jobs is considered cheating!