forked from root/public
![zouhair.amazzal@01talent.com](/git/assets/img/avatar_default.png)
![Zouhair AMAZZAL](/git/assets/img/avatar_default.png)
2 changed files with 195 additions and 0 deletions
@ -0,0 +1,195 @@ |
|||||||
|
# DeepInSystem |
||||||
|
|
||||||
|
![sysadmin](https://assets.01-edu.org/devops-branch/DeepInSystem/sysadmin.jpeg) |
||||||
|
|
||||||
|
In this project you will learn how to administer a Linux server, You will set up security and network for a ubuntu server, and will install some popular services. |
||||||
|
### Objectives |
||||||
|
|
||||||
|
Implement some learned skills from the scripting pool in a real-life project. |
||||||
|
|
||||||
|
Having a first experience in a ubuntu server setup. |
||||||
|
|
||||||
|
Discovering some network and security implementations in Linux. |
||||||
|
|
||||||
|
Discovering some popular services in Linux. |
||||||
|
### Advice |
||||||
|
|
||||||
|
Read the entire project before starting implementation! |
||||||
|
|
||||||
|
Try to understand all the commands that you will use in your setup. |
||||||
|
|
||||||
|
Save any command you entered, it will be useful if you want to reinstall the server or do some debugging. |
||||||
|
|
||||||
|
Create a backup file for each config file you will modify, this will be useful if you broke the config. |
||||||
|
|
||||||
|
> In this project we have put some passwords and private keys exposed, It is not recommended to do this in any way! |
||||||
|
> And don't use these passwords and private keys outside this learning project! |
||||||
|
### Instructions |
||||||
|
|
||||||
|
#### The Virtual Machine Part: |
||||||
|
|
||||||
|
Install a ubuntu server's latest LTS as a virtual machine. |
||||||
|
|
||||||
|
- The VM disk size must be 30GB. |
||||||
|
|
||||||
|
- You must divide your VM disk into these partitions: |
||||||
|
`swap:` 4G |
||||||
|
`/`: 15G |
||||||
|
`/home`: 5G |
||||||
|
`/backup`: 6G |
||||||
|
|
||||||
|
- Your username must be your login name. |
||||||
|
|
||||||
|
- You have to set your hostname with the format of `{username}-host`. |
||||||
|
if your login is `potato`, then your hostname must be `potato-host`. |
||||||
|
#### The Network Part: |
||||||
|
|
||||||
|
Set a static private IP address, you are free to choose which netmask to use. |
||||||
|
|
||||||
|
You must be able to connect to the Internet!, you can test with: |
||||||
|
```console |
||||||
|
$> ping -c 5 google.com |
||||||
|
``` |
||||||
|
#### The Security Part: |
||||||
|
|
||||||
|
> You do not have to use the root user in your setup process! |
||||||
|
You won't need it when you have `sudo`. |
||||||
|
##### Sudo provides fine-grained access control. It grants elevated permissions to only a particular program that requires it. You know which program is running with elevated privileges, rather than working with a root shell (running every command with root privileges). |
||||||
|
|
||||||
|
- You have to disable remote root login via ssh. |
||||||
|
|
||||||
|
- Change the ssh port to: `2222`. |
||||||
|
|
||||||
|
- Configure the Firewall, and close all incoming ports, only used ports must be opened. |
||||||
|
> All open ports must be justified in the audit! |
||||||
|
#### User Management Part: |
||||||
|
|
||||||
|
You have to create 2 users in your server as follows: |
||||||
|
##### 1- *luffy*: |
||||||
|
|
||||||
|
- SSH authentication Method: Public key-based authentication |
||||||
|
- Home directory: `/home/luffy` |
||||||
|
- Sudoer: yes |
||||||
|
- Public key: |
||||||
|
``` |
||||||
|
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC9NYZT5ueK+2JupNLOAg3xTSd117NwrPgVN15S2gXfijJlpmO1dBgR+ro6N2yngoLTLi2QGUU53xRj0p/SJf+9GOdlkt55ePxs2GNKxACJcrZLPiyOBbb5VRyyRn3ie84qdw7EUSnWROTBWVIqkcxE+YFP9e06gQCuUxm7FyjwUfEMSXEaWCLMC2qREz8H92ZtEcXqQNKotG0CtIuuFsVX1CQdEh86v+SVN6pVbVaXLWFKkpZSubAvGe5g4ffiLjTSMfzmZ+Ayley0DmX+7nsV0OXgIpixMmW1KV8NNo5oxTQFPG3z5v7AgCUM8Hc1R2dj2AjbmDRlh9amTjQd1dPR99TJ84Nu1fIwsar5eG5u/oIA3cUTT028gcAL85GLy7YERUyXpbbaap1QgsJGViCYETflUcvwfdxrDetLBbnQ2aKqo/KxyXFDXt7uR618p2hrotWE9nWZnIQ90FRFUhEIcoq1Gg1on/0G+4M9WIqlChh6qUAq/Gi3IHURXlTBP9M= luffy@luffy |
||||||
|
``` |
||||||
|
- Private key: |
||||||
|
``` |
||||||
|
-----BEGIN OPENSSH PRIVATE KEY----- |
||||||
|
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn |
||||||
|
NhAAAAAwEAAQAAAYEAvTWGU+bnivtibqTSzgIN8U0nddezcKz4FTdeUtoF34oyZaZjtXQY |
||||||
|
Efq6Ojdsp4KC0y4tkBlFOd8UY9Kf0iX/vRjnZZLeeXj8bNhjSsQAiXK2Sz4sjgW2+VUcsk |
||||||
|
Z94nvOKncOxFEp1kTkwVlSKpHMRPmBT/XtOoEArlMZuxco8FHxDElxGlgizAtqkRM/B/dm |
||||||
|
bRHF6kDSqLRtArSLrhbFV9QkHRIfOr/klTeqVW1Wly1hSpKWUrmwLxnuYOH34i400jH85m |
||||||
|
fgMpXstA5l/u57FdDl4CKYsTJltSlfDTaOaMU0BTxt8+b+wIAlDPB3NUdnY9gI25g0ZYfW |
||||||
|
pk40HdXT0ffUyfODbtXyMLGq+Xhubv6CAN3FE09NvIHAC/ORi8u2BEVMl6W22mqdUILCRl |
||||||
|
YgmBE35VHL8H3caw3rSwW50NmiqqPysclxQ17e7ketfKdoa6LVhPZ1mZyEPdBURVIRCHKK |
||||||
|
tRoNaJ/9BvuDPViKpQoYeqlAKvxotyB1EV5UwT/TAAAFkJiggtqYoILaAAAAB3NzaC1yc2 |
||||||
|
EAAAGBAL01hlPm54r7Ym6k0s4CDfFNJ3XXs3Cs+BU3XlLaBd+KMmWmY7V0GBH6ujo3bKeC |
||||||
|
gtMuLZAZRTnfFGPSn9Il/70Y52WS3nl4/GzYY0rEAIlytks+LI4FtvlVHLJGfeJ7zip3Ds |
||||||
|
RRKdZE5MFZUiqRzET5gU/17TqBAK5TGbsXKPBR8QxJcRpYIswLapETPwf3Zm0RxepA0qi0 |
||||||
|
bQK0i64WxVfUJB0SHzq/5JU3qlVtVpctYUqSllK5sC8Z7mDh9+IuNNIx/OZn4DKV7LQOZf |
||||||
|
7uexXQ5eAimLEyZbUpXw02jmjFNAU8bfPm/sCAJQzwdzVHZ2PYCNuYNGWH1qZONB3V09H3 |
||||||
|
1Mnzg27V8jCxqvl4bm7+ggDdxRNPTbyBwAvzkYvLtgRFTJelttpqnVCCwkZWIJgRN+VRy/ |
||||||
|
B93GsN60sFudDZoqqj8rHJcUNe3u5HrXynaGui1YT2dZmchD3QVEVSEQhyirUaDWif/Qb7 |
||||||
|
gz1YiqUKGHqpQCr8aLcgdRFeVME/0wAAAAMBAAEAAAGATKVGCO7clNxIf3GdQ35pj3olpg |
||||||
|
L+2YH37QBE4WMYRfmBeNPySCsDJSVgEv0osqKXxFxMcLcL5+mKJPXJcCOceUmBUxAvtx1f |
||||||
|
g+gUMNE9NnCVj91bxxxhhpcHzN/pVrm4RlN8U+JdBENcN0arljsBeF9qFq4Ur0JauENJhR |
||||||
|
RYrSFEeCm3+2gAkI9/V81oFx4NC9nLRp2DuHt+PT5N5vOqdW2mQ3B33iClxByMj5Z/ITZs |
||||||
|
1vySkGhQCoSCoBRpieIVKUuJ8Hhh4/uStDRb6NaZZJt8r9W74j5A1qZGJJ1Znt4FaoeFSB |
||||||
|
z9tFEnybJvvrASDgVh1GV9iCi5odV8/HfMQX75bxiOOb6CyOxLYkWL/L9rsg3EiFoaYRT4 |
||||||
|
gPNRFC1UzanccesHg5IOcLFYTed3REnaSTP0YX5XDahDYjstDAIHXuAQOnqGFQ2eOls3Al |
||||||
|
hrOnSbxWTpt4Lla19tctwHB/XcnC3zMDuD2TGrX7HJwsXsOLF0JlfhJdfw8o5kNmaBAAAA |
||||||
|
wBKJ+BeJxzqko1NEBEC3d1W4CYQu3EdPGKlunRIZi/m6l35Xdgo9qPntSr1L56lhtNo5XZ |
||||||
|
77OkKJE2YCCUt82Wp9o0cEBaVKhLWL7EjWEyYVkD23Snvaszg0BUwcK9u46+nS+8ob7+pa |
||||||
|
6Qo1JG9iRqgtb5M61f5aBnxd6TiAHXd7/1z7JRtDZrjjGd3XWbxyF0dL/VlNzn9V2qXrEX |
||||||
|
DupS0Lyy+I+BfUvKznggY/eySJ4lbGhbB5FvfeHcWxyI2R0AAAAMEA37n+g1u4ntYPyelW |
||||||
|
CfzMbSMSJokzAEjskjwFdb2QnTRQUYIawY8y4384n/98o7hCXONW5M1d5XyGiWX5WOUHYG |
||||||
|
LaLs/IUVMqfF+TmR6EMrpa55eHPbW9zDByVaNpAvoh1O6awBpDxFbAIU8j9CqbxZySGQ83 |
||||||
|
WG+i0LuuXDHffjMiTRk5LSknU79dDdbDFCaqDLunmrYnAXdxJ+9EyJfm0wrxpH8u+lr9Im |
||||||
|
1V7Jvm49gLBG8gfPq/zA3zpSmuUuERAAAAwQDYgNWAOUyaNyOeXEu7N3m1KvDkRlEOMjpp |
||||||
|
BTfaKvpcNo1L2GmmHPUBsjyC59yqK24F63pdegL+9jJtOMdONaRa8qQloZPTwTj0yGM42E |
||||||
|
rfszI7Uawg+2RmMuTRPOQ6nFcsnOnPwiFdzkLo7RmQiuUtKlV2VuR2PZXxf+90/l2g69IX |
||||||
|
CdOvB0UKoEkjWVXQsMAKR0dGn6ooyFbfXoawq0ILxvrmxMOGd2l04Dai9d2vEeS+VwF65h |
||||||
|
YFVD5IsAOc0qMAAAAUemFtYXp6YWxAMTkyLjE2OC4xLjcBAgMEBQYH |
||||||
|
-----END OPENSSH PRIVATE KEY----- |
||||||
|
``` |
||||||
|
##### 2- *zoro*: |
||||||
|
|
||||||
|
- SSH authentication Method: Password authentication |
||||||
|
- Home directory: `/home/zoro` |
||||||
|
- password: `^wb@92Sq&ls644@5*Je0` |
||||||
|
- sudoer: no |
||||||
|
#### Services Part: |
||||||
|
|
||||||
|
- Install an FTP server and create a user `nami`. |
||||||
|
The user `nami` can access via FTP only to `/backup` with read-only access. |
||||||
|
`nami` user password: `mYdb6HA^5W4o` |
||||||
|
|
||||||
|
> Don't enable anonymous access! |
||||||
|
This will be risky! |
||||||
|
#### The Database Part: |
||||||
|
|
||||||
|
- You have to install MySQL Server |
||||||
|
|
||||||
|
- Disable the remote connection to the root user. |
||||||
|
|
||||||
|
- Do not allow connection to MySQL from outside the server! |
||||||
|
To improve the security of your website, you should keep your MySQL server accessible only by applications in the server, As long as it does not affect your solution. |
||||||
|
|
||||||
|
- You must create a MySQL user, which has the only required access to the WordPress database. |
||||||
|
> Don't use the root user in your WordPress website! |
||||||
|
#### WordPress Part: |
||||||
|
|
||||||
|
- You have to install WordPress |
||||||
|
|
||||||
|
- WordPress must be in your web server root directory: `http://{host}/` |
||||||
|
|
||||||
|
- Your WordPress must work in a normal way, try to post something or create another user, any way you are free to do anything. |
||||||
|
|
||||||
|
> The configuration file must not be public accessible!, try `http://{host}/wp-config.php` |
||||||
|
#### Backup Part: |
||||||
|
Backups protect against human errors, hardware failure, virus attacks, power failures, and natural disasters. Backups can help save time and money if these failures occur. |
||||||
|
|
||||||
|
In this exercise, you will set up a simple backup method by using cron jobs. |
||||||
|
|
||||||
|
- Set up a cron job that starts every Day At 00:00, it must create a tar file of the WordPress database. |
||||||
|
|
||||||
|
- The backup files must be created in the `/backup` folder. |
||||||
|
|
||||||
|
- The backup file name must contain the creation date. |
||||||
|
|
||||||
|
- You must add a line to a log file (`/var/log/backup.log`) This line should contain a message informing you that the backup was successful and the timing of the backup. |
||||||
|
|
||||||
|
- Your backup files must be downloadable from the `nami` FTP user. |
||||||
|
|
||||||
|
### Bonus Part |
||||||
|
|
||||||
|
If you complete the mandatory part perfectly, you can move to this part. |
||||||
|
You can add anything you feel deserves to be a bonus, some of the suggested ideas: |
||||||
|
|
||||||
|
- Install the Minecraft server, It must be always running even if you reboot your server. |
||||||
|
|
||||||
|
- Automate all instructions with ansible, so you can remake this long process in more than 1 server in a short time. |
||||||
|
|
||||||
|
- Set up the SSL in the web server and FTP server, you can use self-signed SSL. |
||||||
|
|
||||||
|
*Challenge yourself!* |
||||||
|
### Submission and audit |
||||||
|
You must export your VM to a safe place, you will need it in the audit. |
||||||
|
You will use your exported VM to run a new VM for each audit. |
||||||
|
Push the shasum of your exported VM, you can get it this way: |
||||||
|
```console |
||||||
|
user:~$ sha1sum DeepInSystem.ova > DeepInSystem.sha1 |
||||||
|
user:~$ cat DeepInSystem.sha1 | cat -e |
||||||
|
<...>255bfef9560<...> DeepInSystem.ova$ |
||||||
|
user:~$ |
||||||
|
``` |
||||||
|
|
||||||
|
Files that must be inside your repository: |
||||||
|
|
||||||
|
- DeepInSystem.sha1 |
||||||
|
|
||||||
|
> It's Forbidden to use external scripts! |
||||||
|
> Any use of external scripts or use of commands without understanding their jobs is considered cheating! |
Loading…
Reference in new issue