In this project you will learn how to administer a Linux server, You will set up security and network for a ubuntu server, and will install some popular services.
In this project you will learn how to administer a Linux server, You will set up security and network for a ubuntu server, and will install some popular services.
### Objectives
### Objectives
Implement some learned skills from the scripting pool in a real-life project.
Implement some learned skills from the scripting pool in a real-life project.
@ -12,6 +13,7 @@ Having a first experience in a ubuntu server setup.
Discovering some network and security implementations in Linux.
Discovering some network and security implementations in Linux.
Discovering some popular services in Linux.
Discovering some popular services in Linux.
### Advice
### Advice
Read the entire project before starting implementation!
Read the entire project before starting implementation!
@ -24,6 +26,7 @@ Create a backup file for each config file you will modify, this will be useful i
> In this project we have put some passwords and private keys exposed, It is not recommended to do this in any way!
> In this project we have put some passwords and private keys exposed, It is not recommended to do this in any way!
> And don't use these passwords and private keys outside this learning project!
> And don't use these passwords and private keys outside this learning project!
### Instructions
### Instructions
#### The Virtual Machine Part:
#### The Virtual Machine Part:
@ -33,49 +36,58 @@ Install a ubuntu server's latest LTS as a virtual machine.
- The VM disk size must be 30GB.
- The VM disk size must be 30GB.
- You must divide your VM disk into these partitions:
- You must divide your VM disk into these partitions:
`swap:` 4G
`swap:` 4G
`/`: 15G
`/`: 15G
`/home`: 5G
`/home`: 5G
`/backup`: 6G
`/backup`: 6G
- Your username must be your login name.
- Your username must be your login name.
- You have to set your hostname with the format of `{username}-host`.
- You have to set your hostname with the format of `{username}-host`.
if your login is `potato`, then your hostname must be `potato-host`.
if your login is `potato`, then your hostname must be `potato-host`.
#### The Network Part:
#### The Network Part:
Set a static private IP address, you are free to choose which netmask to use.
Set a static private IP address, you are free to choose which netmask to use.
You must be able to connect to the Internet!, you can test with:
You must be able to connect to the Internet!, you can test with:
```console
```console
$> ping -c 5 google.com
$> ping -c 5 google.com
```
```
> You should not have any internet interface with dynamic ip assignment.
> You should not have any internet interface with dynamic ip assignment.
#### The Security Part:
#### The Security Part:
> You do not have to use the root user in your setup process!
> You do not have to use the root user in your setup process!
You won't need it when you have `sudo`.
> You won't need it when you have `sudo`.
Sudo provides fine-grained access control. It grants elevated permissions to only a particular program that requires it. You know which program is running with elevated privileges, rather than working with a root shell (running every command with root privileges).
> Sudo provides fine-grained access control. It grants elevated permissions to only a particular program that requires it. You know which program is running with elevated privileges, rather than working with a root shell (running every command with root privileges).
- You have to disable remote root login via ssh.
- You have to disable remote root login via ssh.
- Change the ssh port to: `2222`.
- Change the ssh port to: `2222`.
- Configure the Firewall, and close all incoming ports, only used ports must be opened.
- Configure the Firewall, and close all incoming ports, only used ports must be opened.
> All open ports must be justified in the audit!
> All open ports must be justified in the audit!
#### User Management Part:
#### User Management Part:
You have to create 2 users in your server as follows:
You have to create 2 users in your server as follows:
##### 1- *luffy*:
##### 1- _luffy_:
- SSH authentication Method: Public key-based authentication
- SSH authentication Method: Public key-based authentication
The user `nami` can access via FTP only to `/backup` with read-only access.
The user `nami` can access via FTP only to `/backup` with read-only access.
`nami` user password: `mYdb6HA^5W4o`
`nami` user password: `mYdb6HA^5W4o`
> Don't enable anonymous access!
> Don't enable anonymous access!
This will be risky!
> This will be risky!
#### The Database Part:
#### The Database Part:
- You have to install MySQL Server
- You have to install MySQL Server
@ -137,10 +152,11 @@ This will be risky!
- Disable the remote connection to the root user.
- Disable the remote connection to the root user.
- Do not allow connection to MySQL from outside the server!
- Do not allow connection to MySQL from outside the server!
To improve the security of your website, you should keep your MySQL server accessible only by applications in the server, As long as it does not affect your solution.
To improve the security of your website, you should keep your MySQL server accessible only by applications in the server, As long as it does not affect your solution.
- You must create a MySQL user, which has the only required access to the WordPress database.
- You must create a MySQL user, which has the only required access to the WordPress database.
> Don't use the root user in your WordPress website!
> Don't use the root user in your WordPress website!
#### WordPress Part:
#### WordPress Part:
- You have to install WordPress
- You have to install WordPress
@ -150,7 +166,9 @@ To improve the security of your website, you should keep your MySQL server acces
- Your WordPress must work in a normal way, try to post something or create another user, any way you are free to do anything.
- Your WordPress must work in a normal way, try to post something or create another user, any way you are free to do anything.
> The configuration file must not be public accessible!, try `http://{host}/wp-config.php`
> The configuration file must not be public accessible!, try `http://{host}/wp-config.php`
#### Backup Part:
#### Backup Part:
Backups protect against human errors, hardware failure, virus attacks, power failures, and natural disasters. Backups can help save time and money if these failures occur.
Backups protect against human errors, hardware failure, virus attacks, power failures, and natural disasters. Backups can help save time and money if these failures occur.
In this exercise, you will set up a simple backup method by using cron jobs.
In this exercise, you will set up a simple backup method by using cron jobs.
@ -176,11 +194,14 @@ You can add anything you feel deserves to be a bonus, some of the suggested idea
- Set up the SSL in the web server and FTP server, you can use self-signed SSL.
- Set up the SSL in the web server and FTP server, you can use self-signed SSL.
*Challenge yourself!*
_Challenge yourself!_
### Submission and audit
### Submission and audit
You must export your VM to a safe place, you will need it in the audit.
You must export your VM to a safe place, you will need it in the audit.
You will use your exported VM to run a new VM for each audit.
You will use your exported VM to run a new VM for each audit.
Push the shasum of your exported VM, you can get it this way:
Push the shasum of your exported VM, you can get it this way:
###### Is the student able to connect to the machine with the "luffy" user by using the private key and without using any password?
###### Is the student able to connect to the machine with the "luffy" user by using the private key and without using any password?
##### Try to execute a command with sudo:
##### Try to execute a command with sudo:
```console
```console
luffy:$ sudo cat /etc/shadow
luffy:$ sudo cat /etc/shadow
root:*:<...>
root:*:<...>
luffy:~$
luffy:~$
```
```
##### Check the groups of luffy user:
##### Check the groups of luffy user:
```console
```console
luffy:~$ groups luffy
luffy:~$ groups luffy
luffy : luffy sudo
luffy : luffy sudo
luffy:~$
luffy:~$
```
```
##### Check the home directory of luffy user:
##### Check the home directory of luffy user:
```console
```console
luffy:~$ echo ~
luffy:~$ echo ~
/home/luffy
/home/luffy
@ -202,27 +264,37 @@ luffy:~$ echo $HOME
/home/luffy
/home/luffy
luffy:~$
luffy:~$
```
```
###### Is the "luffy" user can perform a command with sudo?
###### Is the "luffy" user can perform a command with sudo?
###### Is the "luffy" user assigned to the sudo group?
###### Is the "luffy" user assigned to the sudo group?
###### Is the home directory of "lufy" user: /home/luffy?
###### Is the home directory of "lufy" user: /home/luffy?
##### Check zoro user
##### Check zoro user
The student should connect to the machine with the "zoro" user by using this password: `^wb@92Sq&ls644@5*Je0`
The student should connect to the machine with the "zoro" user by using this password: `^wb@92Sq&ls644@5*Je0`
###### Is the student able to connect to the machine with the "zoro" user by the mentioned password?
###### Is the student able to connect to the machine with the "zoro" user by the mentioned password?
##### Try to execute a command with sudo:
##### Try to execute a command with sudo:
```console
```console
zoro:$ sudo cat /etc/shadow
zoro:$ sudo cat /etc/shadow
zoro is not in the sudoers file. This incident will be reported.
zoro is not in the sudoers file. This incident will be reported.
zoro:~$
zoro:~$
```
```
##### Check the groups of zoro user:
##### Check the groups of zoro user:
```console
```console
zoro:~$ groups zoro
zoro:~$ groups zoro
zoro : zoro
zoro : zoro
zoro:~$
zoro:~$
```
```
##### Check the home directory of zoro user:
##### Check the home directory of zoro user:
```console
```console
zoro:~$ echo ~
zoro:~$ echo ~
/home/zoro
/home/zoro
@ -230,34 +302,48 @@ zoro:~$ echo $HOME
/home/zoro
/home/zoro
zoro:~$
zoro:~$
```
```
###### Is the "zoro" user can't perform a command with sudo?
###### Is the "zoro" user can't perform a command with sudo?
###### Is the "zoro" user not assigned to the sudo group?
###### Is the "zoro" user not assigned to the sudo group?
###### Is the home directory of "zoro" user: /home/zoro?
###### Is the home directory of "zoro" user: /home/zoro?
#### Services Part:
#### Services Part:
##### Ask the student to:
##### Ask the student to:
In less than 10 minutes the student must create a user called "kratos" this user must be a sudoer and must be able to connect with a private key.
In less than 10 minutes the student must create a user called "kratos" this user must be a sudoer and must be able to connect with a private key.
The private ssh key must be created by the student during this exam.
The private ssh key must be created by the student during this exam.
After the student finishes creating and setting up the user, the student must show that the user can be connected with the private key and can perform a sudo command.
After the student finishes creating and setting up the user, the student must show that the user can be connected with the private key and can perform a sudo command.
>If the student can't solve this exam, he must directly fail in this project.
> If the student can't solve this exam, he must directly fail in this project.
>If did not pass this exam and was able to succeed in this project, a temporal crater will open and the world will be destroyed!
> If did not pass this exam and was able to succeed in this project, a temporal crater will open and the world will be destroyed!
###### Does the student can create a private key?
###### Does the student can create a private key?
###### Does the student can create the user?
###### Does the student can create the user?
###### Does the student assign the public key to the user?
###### Does the student assign the public key to the user?
###### Does the student add the user to the sudo group?
###### Does the student add the user to the sudo group?
###### Is user "kratos" can connect with the private key?
###### Is user "kratos" can connect with the private key?
###### Is user "kratos" can perform a sudo command?
###### Is user "kratos" can perform a sudo command?
#### Services Part:
#### Services Part:
##### Check nami user:
##### Check nami user:
##### By using SSH create a file inside /backup:
##### By using SSH create a file inside /backup:
```console
```console
$ sudo touch /backup/audit-check
$ sudo touch /backup/audit-check
```
```
##### Try to connect to the "nami" user via FTP:
##### Try to connect to the "nami" user via FTP:
```console
```console
user:~$ ftp {vm-ip}
user:~$ ftp {vm-ip}
Connected to {vm-ip}.
Connected to {vm-ip}.
@ -278,14 +364,19 @@ ftp> get audit-check
226 Transfer complete.
226 Transfer complete.
ftp>
ftp>
```
```
- "nami" user password: `mYdb6HA^5W4o`
- "nami" user password: `mYdb6HA^5W4o`
###### Can connect with user "nami" and mentioned password to the FTP Server properly?
###### Can connect with user "nami" and mentioned password to the FTP Server properly?
###### Is the created file exist in the FTP Server?
###### Is the created file exist in the FTP Server?
###### Can get the audit-check file from the FTP Server?
###### Can get the audit-check file from the FTP Server?
##### Check anonymous user:
##### Check anonymous user:
##### Try to connect with an anonymous user and a blank password:
##### Try to connect with an anonymous user and a blank password:
```console
```console
user:~$ ftp {vm-ip}
user:~$ ftp {vm-ip}
Connected to {vm-ip}.
Connected to {vm-ip}.
@ -297,34 +388,49 @@ Password:
ftp: Login failed
ftp: Login failed
ftp>
ftp>
```
```
###### Can't connect to FTP Server with an anonymous user and blank password?
###### Can't connect to FTP Server with an anonymous user and blank password?
###### Does the student can explain what is FTP Server and what the role of it?
###### Does the student can explain what is FTP Server and what the role of it?
#### WordPress Part:
#### WordPress Part:
##### From your browser, enter "http://{vm-ip}/"
##### From your browser, enter "http://{vm-ip}/"
> it can be https instead of http if the student installs an SSL certificate!
> it can be https instead of http if the student installs an SSL certificate!
##### Ask the student to log in with the admin user.
##### Ask the student to log in with the admin user.
WordPress must be installed.
WordPress must be installed.
##### Try to post something, any way you are free to do anything.
##### Try to post something, any way you are free to do anything.
###### Is WordPress installed and working properly?
###### Is WordPress installed and working properly?
##### Try to access to "http://{vm-ip}/wp-config.php"
##### Try to access to "http://{vm-ip}/wp-config.php"
###### The WordPress config file content is not displayed?
###### The WordPress config file content is not displayed?
#### Backup Part:
#### Backup Part:
##### Check the cronjob:
##### Check the cronjob:
The student must show created cronjob.
The student must show created cronjob.
###### Is they are a cron job that starts every Day At 00:00 (0 0 * * *)?
###### Is they are a cron job that starts every Day At 00:00 (0 0 \* \* \*)?
###### Is the cronjob command creating a tar file of the WordPress database in /backup?
###### Is the cronjob command creating a tar file of the WordPress database in /backup?
##### Check the FTP system functionality:
##### Check the FTP system functionality:
> Before starting this test you have to remove all WordPress backup files in "/backup" and delete the logs file "/var/log/backup.log".
> Before starting this test you have to remove all WordPress backup files in "/backup" and delete the logs file "/var/log/backup.log".
##### In the crontab, you have to change the scheduling to :
##### In the crontab, you have to change the scheduling to :
`* * * * *`
`* * * * *`
##### After 1 minute, check the FTP Server with the "nami" user:
##### After 1 minute, check the FTP Server with the "nami" user:
```console
```console
user:~$ ftp {vm-ip}
user:~$ ftp {vm-ip}
Connected to {vm-ip}.
Connected to {vm-ip}.
@ -345,17 +451,23 @@ ftp> get audit-check
226 Transfer complete.
226 Transfer complete.
ftp>
ftp>
```
```
###### Does a WordPress database backup file with the date of today exists in the FTP Server?
###### Does a WordPress database backup file with the date of today exists in the FTP Server?
##### Is the student create
##### Is the student create
##### Check the backup logs file:
##### Check the backup logs file:
```console
```console
user:~$ cat /var/log/backup.log
user:~$ cat /var/log/backup.log
<...>wordpress backup created!, date: <...>
<...>wordpress backup created!, date: <...>
user:~$
user:~$
```
```
###### Is the backup logs file existing and contains a message informing you that the backup was successful and the timing of the backup?
###### Is the backup logs file existing and contains a message informing you that the backup was successful and the timing of the backup?
###### Does the student can explain what is cronjob and what the role of it?
###### Does the student can explain what is cronjob and what the role of it?
###### Does the student can explain why backup is important?
###### Does the student can explain why backup is important?