teresa-chow / 42-Born2beRoot

Born2beRoot is a System Administration related exercise from 42 School core curriculum.


Born2beRoot

42 School: Rank 1

Born2beRoot is a System Administration exercise from 42 School core curriculum. The task at hand is to create a machine using VirtualBox, complying with strict rules.


1. Virtual Machine · creation

A Virtual Machine (VM) is a computer file, commonly referred to as an image, that behaves like an actual computer: that is, a virtual computer within a computer.


💡 Advantages and disadvantages of using VMs

| Advantages | Disadvantages |
|---|---|
| ✔️ Agility and speed | ❌ Unintended server sprawl |
| ✔️ Lowered downtime: if backup and redundancy mechanisms are in place, since VMs are portable and easy to move from one hypervisor to another on a different machine | ❌ Single point of failure: unless backup and redundancy mechanisms are in place, if the host computer fails, all VMs running on that machine will also fail |
| ✔️ Scalability | ❌ Hardware limitations |
| ✔️ Security benefits: ability to run apps of questionable security or study computer viruses while protecting the host OS | ❌ Security risks: if VMs are not properly isolated from each other and/or from the host machine, virtualization can introduce additional security risks |
| ✔️ Cost savings: reduced physical infrastructure footprint | ❌ License cost: some software licenses may not allow installation on VMs or require an additional license fee per VM |

⚠️ Pre-requisites


Steps

  1. Open VirtualBox
  2. Click New
  3. Name the VM
  4. Choose destination folder for the VM
    • /sgoinfre/ in this case
  5. Type: Linux
  6. Version: Debian (64-bit)
  7. Select the amount of memory (RAM) to be allocated to the VM
    • set as default – the recommended memory size is 1024 MB
  8. Create a virtual hard disk now
  9. Choose VDI (VirtualBox Disk Image) as the type of file to use for the new virtual hard disk
  10. Choose storage on physical hard disk as being dynamically allocated
  11. Select the size of the virtual hard disk
    • 30.8 GB to account for subject bonus requirements
  12. Click Create
  13. Head to Settings → Storage → Empty → 💿 icon (Attributes: Optical Drive) → Choose a disk file → Debian ISO → Ok
  14. Start the VM



2. Operating System (Debian) · installation


💡 Debian vs. Rocky Linux

| | Debian | Rocky Linux |
|---|---|---|
| Developer | The Debian Project | Rocky Enterprise Software Foundation |
| OS Family | Linux (Unix-like) | Linux (Unix-like) |
| Source model | Open source | Open source |
| Repository | deb.debian.org | git.rockylinux.org |
| Package manager | Advanced Package Tool (APT) | Dandified YUM / DNF |
| Release cycle | 2 years | 1 year |
| Long Term Support (LTS) | 5 years | 10 years |
| Comments | | Red Hat Enterprise Linux (RHEL) compatibility |

note: Here, the choice for Debian over Rocky Linux was based on the first being generally regarded as a more user-friendly and accessible OS, especially for beginners.


Steps

  1. Select Install from the Debian GNU/Linux installer menu;
  2. Settings
    • Language: English
    • Location: other
    • Continent: Europe
    • Country: Portugal
    • Locale: United States
    • Keymap: American English
    • Hostname: <username>42
    • Domain name: (blank)
    • Set up root password ﹡
    • User full name: <username>
    • Username: <username>
    • Set up user password ﹡
    • Clock: Lisbon

⚠️ see subject requirements



3. VM · setup

3.1. Partitioning the Disk

  1. Partitioning method: Manual
  2. Select the available volume
  3. Create new empty partition on the selected device: Yes

3.1.1. Create Primary Partition

One has to create at least one primary partition on the disk.
  1. Select a partition to modify its settings: FREE SPACE
  2. How to use this free space: Create a new partition
  3. Enter new partition size in Bytes: 525336576 B
    1 B × 1024 = 1 KB
    1 KB × 1024 = 1 MB (1024 × 1024 B)
    1 MB × 1024 = 1 GB (1024 × 1024 × 1024 B)
    500 MB = 524 288 000 B
    + 2048 × 512 = 1 048 576 B ᵃ
    = 525 336 576 B
    ᵃ note to future self: check boot sector size, disk sector size, ... (?)
  4. New partition type: Primary
  5. Location for the new partition: Beginning
  6. Mount point for this partition: /boot
  7. Partition settings: Done setting up the partition

⚠️ see subject bonus requirements

3.1.2. Create Logical Partition

One can create an unlimited number of logical partitions on the disk.
  1. Select a partition to modify its settings: FREE SPACE
  2. How to use this free space: Create a new partition
  3. Set new partition size to max
  4. New partition type: Logical
  5. Mount point for this partition: Do not mount it
  6. Partition settings: Done setting up the partition

3.2. Encrypting Volumes

  1. Configure encrypted volumes
  2. Write the changes to disk and configure encrypted volumes? Yes
  3. Create encrypted volumes
  4. Select the devices to be encrypted: /dev/sda5
  5. Partition settings: Done setting up the partition
  6. Encryption configuration actions: Finish
  7. (Confirmation message to encryption:) Yes
  8. (Optional) Cancel, since there is nothing to actually encrypt yet
  9. Set encryption passphrase ﹡

⚠️ see subject bonus requirements

3.3. Logical Volume Manager (LVM) · configuration

  1. Configure Logical Volume Manager
  2. (Confirmation message:) Yes

Create Volume Group

  1. Create volume group
  2. Enter volume group name: LVMGroup
  3. Select partition to store the group: /dev/mapper/sda5_crypt

Create Logical Partitions

  1. LVM configuration action: Create logical volume
  2. Select the volume group where the new logical volume should be created: LVMGroup
  3. Enter logical volume name
  4. Enter the size of the new logical volume
  5. Repeat the steps above for each of the following volumes:
    | Logical volume name | Logical volume size | Conversion / Calculation | Logical volume size in Bytes |
    |---|---|---|---|
    | root | 10G | 10 × 1024 × 1024 × 1024 | 10737418240 B |
    | swap | 2.3G | 2.3 × 1024 × 1024 × 1024 (2469606195.2 B); 512 → 2469606400 (?); 2048 → 2469607424 (?) | 2465607424 B |
    | home | 5G | 5 × 1024 × 1024 × 1024 | 5368709120 B |
    | var | 3G | 3 × 1024 × 1024 × 1024 | 3221225472 B |
    | srv | 3G | 3 × 1024 × 1024 × 1024 | 3221225472 B |
    | tmp | 3G | 3 × 1024 × 1024 × 1024 | 3221225472 B |
    | var-log | 4G | 4 × 1024 × 1024 × 1024 | 4294967296 B |
  6. LVM configuration action: Finish
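Added here as an example (not the author's code): the byte arithmetic behind the /boot size in 3.1.1 and the logical volume sizes above, including the 512 B and 2048 B rounding the swap row experiments with. Function names and the one-decimal GiB input format are assumptions of this example.

```shell
# Added example, not from the original repo. Integer shell arithmetic only;
# GiB values may carry one decimal digit (2.3), as in the table above.
mib_to_bytes() { echo $(( $1 * 1024 * 1024 )); }

gib_to_bytes() {
  whole=${1%%.*}
  frac=${1#*.}
  if [ "$frac" = "$1" ]; then frac=0; fi   # no decimal part given
  echo $(( (whole * 10 + frac) * 1024 * 1024 * 1024 / 10 ))
}

# Round a byte count up to the next multiple of a sector size (512 B or 2048 B here).
round_up_to() { echo $(( ($1 + $2 - 1) / $2 * $2 )); }

# /boot: 500 MiB plus the 2048 × 512 B (1 MiB) the author added; whether that
# offset is the right one is exactly the open question in the note to self.
boot_partition_bytes() { echo $(( $(mib_to_bytes 500) + 2048 * 512 )); }

# Swap row: 2.3 GiB is not a whole number of sectors, so it has to be rounded up.
swap_bytes_512()  { round_up_to "$(gib_to_bytes 2.3)" 512; }
swap_bytes_2048() { round_up_to "$(gib_to_bytes 2.3)" 2048; }

echo "/boot: $(boot_partition_bytes) B"
echo "swap:  $(swap_bytes_512) B (512 B sectors), $(swap_bytes_2048) B (2048 B sectors)"
```

With 2048 B sectors the rounding gives 2469607424 B; the table's final value of 2465607424 B differs in its fourth digit.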

Setting Mount Points

  1. Select volume
  2. Partition settings > set Use as:
  3. Set mount point
  4. Done setting up the partition
  5. Repeat the steps above for each of the following volumes:
    | Partition | Volume name | Use as | Mount point |
    |---|---|---|---|
    | #1 | home | Ext4 | /home |
    | #1 | root | Ext4 | / |
    | #1 | srv | Ext4 | /srv |
    | #1 | swap | swap area | |
    | #1 | tmp | Ext4 | /tmp |
    | #1 | var | Ext4 | /var |
    | #1 | var-log | Ext4 | Enter manually → /var/log |
    Ext4 (fourth extended file system) is arguably the most stable and well tested file system supported in Linux.
  6. Finish partitioning and write changes to disk
  7. (Confirmation message:) Yes

3.4. Additional packages & bootloader · setup & installation

  1. Additional packages: No
  2. Country: Portugal
  3. Set Debian archive mirror package manager: deb.debian.org
  4. HTTP proxy: (blank)
  5. Continue
  6. Popularity contest: No
  7. Remove all software options and Continue
  8. Installation of GRUB bootloader: Yes
  9. Select device to install the bootloader: /dev/sda (ata_VBOX_HARDDISK)
  10. Continue

3.5. Logging into the System

  1. Enter <encryption-password>
  2. Enter <username>
  3. Enter <user-password>

3.6. sudo · installation & configuration

sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy

Installation

  1. su --login
    • su execute a command with substitute user and group ID
    • -, -l, --login start the shell as a login shell with an environment similar to a real login
  2. apt-get update -y
    • apt-get APT package handling utility -- command-line interface
    • update update is used to resynchronize the package index files from their sources
    • -y automatic yes to prompts
  3. apt-get upgrade -y
    • upgrade upgrade is used to install the newest versions of all packages currently installed on the system from the sources enumerated in /etc/apt/sources.list
  4. apt install sudo
    • apt command-line interface
    • install performs the requested action on one or more packages
  5. dpkg -l | grep sudo verify whether the sudo package was installed successfully
    • dpkg -l list packages matching given pattern ('dpkg', package manager for Debian)
    • grep print lines that match patterns

Configuration

  1. usermod -aG sudo <username>
    • usermod modify a user account
    • -a, --append add the user to the supplementary group(s); use only with the -G option
    • -G, --groups a list of supplementary groups which the user is also a member of
  2. visudo edit the sudoers file
  3. Add <username> ALL=(ALL) ALL under the # User privilege specification section
  4. Save and close
  5. reboot

3.7. Vim · installation

Vi Improved (Vim) is a highly configurable text editor built to make creating and changing any kind of text very efficient; it is upward compatible with Vi
sudo apt install vim

3.8. Groups and Users · creation & configuration

  • sudo groupadd <group-name> create a group with specified <group-name>
  • sudo usermod -aG <group-name> <username> add user to group
  • getent group <group-name> check group users
    • getent group check groups

3.9. Secure Shell (SSH) · installation & configuration

  1. sudo apt install openssh-server
  2. sudo vim /etc/ssh/sshd_config
  3. edit the text, replacing
    • # Port 22 with Port 4242
    • and #PermitRootLogin prohibit-password with PermitRootLogin no to prohibit SSH login as root, regardless of authentication mechanism
  4. sudo vim /etc/ssh/ssh_config
  5. edit the text, replacing # Port 22 by Port 4242
  6. sudo service ssh restart

⚠️ see subject requirements
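Added here as a verification example (not the repo's code): a check that a given sshd_config carries the two edits from step 3. sshd keeps the first uncommented value of each keyword, so a stale PermitRootLogin yes above the edit would win; the check therefore reads the first match, not the last. Function names and the constructed sample file are assumptions of this example; Match blocks are not handled.

```shell
# Added example, not part of the original repo.
# $1 = config file, $2 = keyword (sshd keywords are case-insensitive).
# Prints the first uncommented value, which is the one sshd will use.
sshd_first_value() {
  awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Returns 0 when Port is 4242 and PermitRootLogin is no; otherwise reports
# the effective value (falling back to the OpenSSH defaults) and returns 1.
check_sshd_config() {
  port=$(sshd_first_value "$1" Port)
  root=$(sshd_first_value "$1" PermitRootLogin)
  status=0
  if [ "${port:-22}" != 4242 ]; then
    echo "Port is ${port:-22 (default)}, expected 4242"; status=1
  fi
  if [ "${root:-prohibit-password}" != no ]; then
    echo "PermitRootLogin is ${root:-prohibit-password (default)}, expected no"; status=1
  fi
  if [ "$status" -eq 0 ]; then echo "sshd_config: OK"; fi
  return "$status"
}

# Constructed sample: the relevant lines as they look after the two edits.
SAMPLE=$(mktemp)
printf '# Port 22\nPort 4242\n#PermitRootLogin prohibit-password\nPermitRootLogin no\n' > "$SAMPLE"
check_sshd_config "$SAMPLE"
rm -f "$SAMPLE"
```

On the VM itself, run check_sshd_config /etc/ssh/sshd_config before restarting the service.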

3.10. Uncomplicated Firewall (UFW) · installation & configuration

  1. sudo apt-get install ufw
  2. sudo ufw enable
  3. sudo ufw allow <service/port>
  4. sudo ufw status numbered


Port forwarding

  1. Go to VirtualBox interface
  2. Select chosen VM
  3. Go to Settings → Network → Adapter 1 → Advanced → Port Forwarding → +
    • Name: SSH
    • Protocol: TCP
    • Host Port: 4242
    • Guest Port: 4242
    Ok → Ok

3.11. SSH · connection to a physical machine

VM

  1. Start VM
  2. Login into the system
  3. hostname -I check IP address
    • hostname show or set the system's host name
    • -I, --all-ip-addresses display the IP address(es) of the host
  4. Execute sudo vim /etc/network/interfaces
  5. Edit text
    • Change allow-hotplug enp0s3 to auto enp0s3
      • allow-hotplug manage interface on various condition changes
      • auto bring up interface with provided configuration during boot time or interface link up event
    • Change iface enp0s3 inet dhcp to iface enp0s3 inet static
      • dhcp Dynamic Host Configuration Protocol
    • Add
      address <ip-address>
      netmask 255.255.0.0
      gateway 10.11.254.254
      dns 10.11.254.254

Physical machine

  1. Open terminal on physical machine and execute
    ssh <VM-username>@<VM-ip-address> -p 4242
  2. logout to terminate an SSH session, or, alternatively, exit to close the connection

3.12. sudo policy & log · configuration

  1. sudo visudo
    • visudo edit the sudoers file
  2. Add the following Defaults to the file
    • Defaults passwd_tries=3
      • passwd_tries total amount of tries for entering the 'sudo' password
    • Defaults badpass_message="Wrong password. Try again:"
      • badpass_message message to be printed on wrong password scenario
    • Defaults logfile="/var/log/sudo/sudo.log"
      • logfile set custom log file for 'sudo'
    • Defaults log_input, log_output
      • log_input, log_output what will be logged
    • Defaults requiretty
      • requiretty enables 'sudo' invocation from a real TTY but not through methods such as 'cron' or 'cgi-bin'
    • Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
      • secure_path the path used for every command run with 'sudo'
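Added here as a detection example (not part of the original repo): a summary of the logfile that step 2 configures (Defaults logfile="/var/log/sudo/sudo.log"), counting allowed and denied invocations per user. The sample lines are constructed in sudo's logfile layout; function names are assumptions of this example.

```shell
# Added example, not the repo's code. Constructed sample in sudo's logfile
# format: "date : user : [denial reason ;] TTY=.. ; PWD=.. ; USER=.. ; COMMAND=..",
# wrapped at 80 columns with indented continuation lines, as sudo does by default.
SUDO_SAMPLE='Jan 25 10:01:02 : alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ;
    COMMAND=/usr/bin/apt update
Jan 25 10:03:40 : bob : 3 incorrect password attempts ; TTY=pts/1 ;
    PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/ufw disable
Jan 25 10:05:11 : alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ;
    COMMAND=/usr/local/bin/monitoring.sh
Jan 25 10:07:59 : bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ;
    USER=root ; COMMAND=/usr/bin/visudo'

# Reads a sudo logfile on stdin; prints "user allowed denied", one user per line.
sudo_log_summary() {
  awk '
    # One logical record: fields are separated by " : "; a denial reason,
    # when present, sits in the third field in front of TTY=.
    function tally(rec,   f, n, user) {
      n = split(rec, f, " : ")
      if (n < 3) return
      user = f[2]; seen[user] = 1
      if (f[3] ~ /incorrect password|not allowed|NOT in sudoers/) denied[user]++
      else ok[user]++
    }
    # sudo wraps logfile lines at loglinelen (default 80) and indents the
    # continuation, so glue indented lines back onto the previous record.
    /^[ \t]/ { sub(/^[ \t]+/, ""); rec = rec " " $0; next }
    { if (rec != "") tally(rec); rec = $0 }
    END {
      if (rec != "") tally(rec)
      for (u in seen) printf "%s %d %d\n", u, ok[u] + 0, denied[u] + 0
    }' | sort
}

# Denied attempts for one user in the constructed sample.
sudo_denied_count() {
  printf '%s\n' "$SUDO_SAMPLE" | sudo_log_summary | awk -v u="$1" '$1 == u { print $3 }'
}

printf '%s\n' "$SUDO_SAMPLE" | sudo_log_summary
```

On the VM, feed the real file instead: sudo cat /var/log/sudo/sudo.log | sudo_log_summary.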

3.13. Password policy · setup & configuration

Configure shadow password suite

  1. sudo vim /etc/login.defs
  2. Set
    PASS_MAX_DAYS to 30
    PASS_MIN_DAYS to 2
    PASS_WARN_AGE to 7
  3. Save and close

⚠️ see subject requirements


Update password policy for already created user

  • chage -M 30 -m 2 -W 7 <username>
    • chage change user password expiry information
    • -M, --maxdays set the maximum number of days during which a password is valid
    • -m, --mindays set the minimum number of days between password changes
    • -W, --warndays set the number of days of warning before a password change is required

  • or, alternatively, passwd -x 30 -n 2 -w 7 <username>
    • passwd change user password
    • -x, --maxdays set the maximum number of days a password remains valid
    • -n, --mindays set the minimum number of days between password changes
    • -w, --warndays set the number of days of warning before a password change is required

Install pwquality

pwquality is a PAM module to perform password quality checking

sudo apt-get install libpam-pwquality


Configure pwquality

  1. sudo vim /etc/pam.d/common-password
  2. Edit the pam_pwquality.so line, by adding
    retry=3 minlen=10 ucredit=-1 dcredit=-1 lcredit=-1 maxrepeat=3 reject_username difok=7 enforce_for_root next to it
    • retry number of retries
    • minlen minimum number of characters a password must contain
    • ucredit (upper credit) password must contain at least/at most 'n' uppercase characters
      • - defines the lower bound
      • + defines the upper bound
    • dcredit (digit credit) password must contain at least/at most 'n' digits
    • lcredit (lower credit) password must contain at least/at most 'n' lowercase characters
    • maxrepeat password must not repeat same character consecutively more than 'n' number of times
    • reject_username password must not contain username
    • difok the minimum number of characters that must be different from the old password
    • enforce_for_root implement password policy to root
  3. Save and exit
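Added here as an example (not from the original repo): the pam_pwquality rules from step 2 applied to a candidate password, to make the numbers concrete. Negative credits (ucredit=-1, dcredit=-1, lcredit=-1) act as minimum counts of that character class, and maxrepeat=3 rejects four identical characters in a row; difok is left out because it needs the previous password. The function name and the plain-username assumption are this example's own.

```shell
# Added example, not part of the original repo.
# usage: pwcheck <password> <username>; prints "ok" or the rules that failed,
# returns 0 when the password passes and 1 otherwise.
pwcheck() {
  printf '%s\n' "$1" | awk -v user="$2" '
    {
      pw = $0; n = length(pw); bad = ""
      if (n < 10) bad = bad "minlen=10 not met; "
      # Keep only one class at a time to count its characters.
      up = pw; gsub(/[^A-Z]/, "", up)
      lo = pw; gsub(/[^a-z]/, "", lo)
      di = pw; gsub(/[^0-9]/, "", di)
      if (length(up) < 1) bad = bad "ucredit=-1: needs an uppercase letter; "
      if (length(lo) < 1) bad = bad "lcredit=-1: needs a lowercase letter; "
      if (length(di) < 1) bad = bad "dcredit=-1: needs a digit; "
      # maxrepeat=3: the same character may appear at most 3 times consecutively.
      run = 1
      for (i = 2; i <= n; i++) {
        if (substr(pw, i, 1) == substr(pw, i - 1, 1)) run++; else run = 1
        if (run > 3) { bad = bad "maxrepeat=3 exceeded; "; break }
      }
      # reject_username: case-insensitive substring match on the login name.
      if (user != "" && index(tolower(pw), tolower(user)) > 0) bad = bad "reject_username: contains the username; "
      if (bad == "") { print "ok"; exit 0 }
      print bad; exit 1
    }'
}
```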


4. Monitoring script

Crontab

Crontab stands for cron table, and consists of a list of commands that are to be run on a regular schedule
  1. Check whether Crontab is installed
    • ls /var/spool/cron/ should display crontabs, since that is where crontab files are stored

monitoring.sh & sleep.sh

  1. cd /usr/local/bin/ this is the default installation location when a user builds and installs an executable application independently
  2. sudo vim monitoring.sh create and edit 'monitoring.sh' file
  3. sudo vim sleep.sh create and edit 'sleep.sh' file
  4. sudo chmod 744 monitoring.sh sleep.sh set the scripts to rwxr--r--, so only their owner (root) can modify or execute them and no other user can change what later runs as root
  5. sudo visudo open sudoers config file
  6. Add the following lines, which allow <username> to run the two scripts with sudo without being asked for a password:
    <username> ALL=(ALL) NOPASSWD: /usr/local/bin/sleep.sh
    <username> ALL=(ALL) NOPASSWD: /usr/local/bin/monitoring.sh
  7. Save and exit
  8. sudo reboot
  9. sudo /usr/local/bin/monitoring.sh

Crontab

  1. sudo crontab -u root -e open crontab config file
  2. Add the following line to the end of the file:
    */10 * * * * /usr/local/bin/sleep.sh; /usr/local/bin/monitoring.sh
    to sequentially run 'sleep.sh' and 'monitoring.sh' every 10 minutes
  3. sudo crontab -u root -l view the list of scheduled cron jobs for the root user


5. WordPress · website setup

5.1. Lighttpd · installation and setup

Lighttpd (pronounced /lighty/) is a web server that has been optimized for high-performance environments
  1. sudo apt install lighttpd
  2. dpkg -l | grep lighttpd
  3. sudo ufw allow 80
    • Port 80 is the port number assigned to commonly used internet communication protocol, Hypertext Transfer Protocol (HTTP); it is the default network port used to send and receive unencrypted web pages
  4. sudo ufw status


Port forwarding

  1. Go to VirtualBox interface
  2. Select chosen VM
  3. Go to Settings → Network → Adapter 1 → Advanced → Port Forwarding → +
    • Name: UFW
    • Protocol: TCP
    • Host Port: 80
    • Guest Port: 80
    Ok → Ok

5.2. MariaDB · installation and configuration

MariaDB is an open-source relational database
  1. sudo apt install mariadb-server
  2. dpkg -l | grep mariadb-server
  3. sudo mysql_secure_installation launch the interactive script for removing insecure default settings
    • Enter current password for root (enter for none): Enter (⚠️ do not confuse the database root with the system root)
    • Switch to unix_socket authentication [Y/n] n
    • Change root password? [Y/n] n
    • Remove anonymous users? [Y/n] Y
    • Disallow root login remotely? [Y/n] Y
    • Remove test database and access to it? [Y/n] Y
    • Reload privilege tables now? [Y/n] Y
  4. sudo mariadb access the MariaDB console
  5. CREATE DATABASE <database-name> ;
  6. GRANT ALL ON <database-name>.* TO '<username-2>'@'localhost' IDENTIFIED BY '<password-2>' WITH GRANT OPTION; create a new database user and grant them full privileges on the database (WITH GRANT OPTION additionally lets that user pass its privileges on to other accounts, which WordPress does not need)
  7. FLUSH PRIVILEGES; apply changes and reload privileges
  8. exit exit MariaDB shell

Check

  • mariadb -u <username-2> -p confirm whether the database user was successfully created
    • Enter password: <password-2>
  • SHOW DATABASES; check whether the database user has access to the database
  • exit

5.3. PHP · installation

PHP is a general-purpose scripting language that is especially suited to web development
  1. sudo apt install php-cgi php-mysql
  2. dpkg -l | grep php

5.4. WordPress · download and configuration

WordPress is an open-source content management system
  1. sudo apt install wget
  2. sudo wget http://wordpress.org/latest.tar.gz -P /var/www/html
  3. sudo tar -xzvf /var/www/html/latest.tar.gz
  4. sudo rm /var/www/html/latest.tar.gz
  5. sudo cp -r wordpress/* /var/www/html
  6. sudo rm -rf wordpress
  7. sudo cp /var/www/html/wp-config-sample.php /var/www/html/wp-config.php
  8. sudo vim /var/www/html/wp-config.php
    • Fill in the following fields with specified information
      • define( 'DB_NAME', '<database-name>' );
      • define( 'DB_USER', '<username-2>' );
      • define( 'DB_PASSWORD', '<password-2>' );
  9. Save and exit

5.5. Lighttpd · configuration

  1. sudo lighty-enable-mod fastcgi
  2. sudo lighty-enable-mod fastcgi-php
  3. sudo service lighttpd force-reload

5.6. WordPress · installation

  1. Open a browser window
  2. Enter localhost or 127.0.0.1 on the URL bar
  3. Name the site
  4. Add a <password> and <email address>
  5. Click on Install Wordpress
  6. Login and configure WordPress



References & further reading


Born2beRoot Guides

  • mota494's Born2beRoot (Mandatory) accessed 25 Jan. 2024
  • PedroZappa's Born2beRoot (Mandatory + Bonus: UnrealIRCd + Weechat) accessed 25 Jan. 2024
  • rphlr's Born2beRoot (Mandatory + Bonus: FTP + Fail2ban) accessed 25 Jan. 2024




License

This work is published under the terms of 42 Unlicense.

