Giters

0x0584 / roger-skyline-1

Roger Skyline 1

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

About

This is a guide to do all the things described in Roger Skyline 1. This might not take so much time, or let me say it otherwise, I DON’T HAVE MUCH TIME! I NEED TO GET OUT OF THE BLACK HOLE AS SOON AS POSSIBLE!

A Debian VM

Here’s a link to Debian 10.0 Net Install for latest packages + minimum download/install time. Also VirtualBox 6.0. Important thing is to allocate exactly 8 GB with no partitioning!

Disk partitioning

Choose manual disk, and create three primary partitions:

  • the / partition, has 4.5 GB, ext4
  • the /swap haS 1GB ext4
  • the /home has the rest

Network and Security

Initial Configuration

The netinstall version install frsh updates by default, but we can update the system using apt-get update -y && apt-get upgrade -y to ensure that the latest version is available. Install essential tools using.

apt-get install -y sudo vim git gpg2 \
                    fail2ban portsentry \
                    apache2 mailutils \
                    dnsutils net-tools

User configuration

We create a new user using useradd <USER> instead of /usr/sbin/adduser. Also we need to add <USER> to sudoers. Either using usermod -aG sudo <USER> to add <USER> to sudo group. Or manually by updating the user’s previlege specification in /etc/sudoers

# User privilege specification
<USER>    ALL=(ALL:ALL) NOPASSWD:ALL

we can check that using groups <USER>.

Configure a static IP

/One things which is required here and could not be done internally, is to change the NAT to Bridge[fn:8] so taht we can use the local network IP system.

we need to get the machine’s IP and gateway addresses using

$ ifconfig enp0s3 | grep 'inet ' | awk '{print $2}'
$ traceroute 8.8.8.8 | head -3 | grep 'traceroute' -A 1 | grep -v 'traceroute' | awk '{print $2}'

and adding address and it’s netmask. as well as the gateway too, this is done by script: stati-ip.sh.

Configure SSH

Configure default port

SSH could be configured by editing the default port (22) in the file /etc/ssh/sshd_config, The port should not be chosen arbitrary (or it might be so. but, it must not be already used as it would create conflicts). We can check that using lsof -i -P -n | grep LISTEN | grep <PORT>.

However, IANA – The Internet Assigned Numbers Authority is responsible for the global coordination of the DNS Root, IP addressing, and other Internet protocol resources. Their port assignment guidelines said the following:

Port numbers are divided into three ranges: Well Known Ports, Registered Ports, and Dynamic and/or Private Ports.

  • The Well Known Ports are those from 0 through 1023 and SHOULD NOT be used.
  • Registered Ports are those from 1024 through 49151 should also be avoided too.
  • Dynamic and/or Private Ports are those from 49152 through 65535 and can be used.

Though nothing is stopping you from using reserved port numbers, but it’s better to avoid technical issues with port allocation in the future.

I have chosen 63845 as a SSH port, after that we need to modify the port in /etc/ssh/sshd_config/. Then, restart sshd daemon

Setup access with public keys

NOTE:

The process of creating public/private key pair is done on the Host machine. Where we’re going to send the public key to the server to know our identity when interacting without a need of a password.

The command ssh-copy-id might not be available on Mac OS X by default, install it via brew install ssh-copy-id

To generate a public/private (RSA) key pair we need to execute ssh-keygen -t rsa where -t rsa specifies the type of encryptation to RSA – Rivest–Shamir–Adleman Encryptaion Algorithm. Two files will be generated, id_rsa and id_rsa.pub, which are private and public key respectively.

Next step is to copy the id_rsa.pub to the server using ssh-copy-id (WHAT! THEY HAVE COMMAND FOR THAT TOO!) as ssh-copy-id -i id_rsa.pub <USER>@<IP> -p <PORT>. This result the addition of the key to the server’s ~/.ssh/authorized_keys

Now, we need to remove root login permit, public key authuntification and password authentification by editing /etc/ssh/sshd_config which is done by uncommenting lines 32, 37 and 56 respectively.

Finally, restarting SSH daemon service using service ssh restart.

Configure Firewall and Banlist

Configuring iptables

To configure a firewall using iptables, we need to add the fw to /etc/network/if-pre-up.d/ so that the firewall loads up at every boot.

It contains configuration to block anything but SSH HTTP/HTTPS. Rejecting Smurf attack, blocking the attacking IP addresses for a day, limiting the number of connections per minute to reduce bruteforce changes.

Also, we need to allow DNS queries for things like ping and apt-get

Configuring fail2ban

We need to protect the server against DOS – Denail Of Service with fail2ban, which is done by editing /etc/fail2ban/jail.conf we need to edit jail.local. A basic settings is in the file jail.local

Finally, restaring the service using service fail2ban restart

Configure ports

First thing to do, is ot switch into auto mode for TCP and UDP. By editing the file /etc/default/portsentry as follows:

TCP_MODE="atcp"
UDP_MODE="audp"

Next, edit portsentry.conf to configure blocking and killing route. Comment the current KILL_ROUTE and replace it with the following

KILL_ROUTE="/sbin/iptables -I INPUT -s $TAGETS -j DROP"
# Comment KILL_HOSTS_DENY
KILL_HOSTS_DENY="ALL: $TARGET$ : DENY

Manage Services and Packages

Disabling unwanted services

Services that we don’t need are apt-dialy and apt-upgrade and keyboard/console setup nor the syslog

systemctl disable console-setup.service
systemctl disable keyboard-setup.service
systemctl disable apt-daily.timer
systemctl disable apt-daily-upgrade.timer
systemctl disable syslog.service

Scheduling an update

Next, create a the repo /var/scripts and write in the file update.sh. Then, we need to add the task to cron by executing crontab -e (as root)

@reboot /var/scripts/update.sh
0 4 * * 6 /var/scirpts/update.sh  # WTF IS THIS SYNTAX

Monitor crontab file

create a template mail file /var/mail/change and add watch.sh to /var/scripts/. Also we need to create a checksum of crontab and save it at /var/log/shasum/

PENDING Web Deployment

Deploying a webpage

deploy using deploy.sh

SSL Certificates

we generate ssl certificate using gencert.sh and add include snippets/self-signed.conf and snippets/self-params.conf to /etc/nginx/sites-available/site.com, but only for port 443 (https). we need to add server_name 10.11.16.6 (our domain)

Footnotes

[fn:8] I can’t tell whic this but yeah

[fn:7] Since if we didn’t, there would be no home directory.

[fn:6] it’s possible to change it at place but it’s not recommended. this is a good article

[fn:5] this seems like a good documentation

[fn:4] good luck reading any GNU documentation

[fn:3] good article comparison between many web servers including NGINX and TOMCAT

[fn:2] this debian blog has a some good documentation. also here!

[fn:1] here’s a good place to document about fail2ban for serve, and this one is to secure SSH

About

Roger Skyline 1

License:GNU General Public License v2.0

Languages

Language:Shell 100.0%