Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/teresa-chow/42-born2beroot

Born2beRoot is a System Administration related exercise from 42 School core curriculum.
https://github.com/teresa-chow/42-born2beroot

42 42born2code 42cursus 42porto 42school born2beroot debian-linux linux ssh

Last synced: about 1 month ago
JSON representation

Born2beRoot is a System Administration related exercise from 42 School core curriculum.

Host: GitHub
URL: https://github.com/teresa-chow/42-born2beroot
Owner: teresa-chow
License: other
Created: 2024-01-22T23:25:32.000Z (10 months ago)
Default Branch: main
Last Pushed: 2024-09-24T22:36:47.000Z (about 2 months ago)
Last Synced: 2024-10-12T17:42:01.423Z (about 1 month ago)
Topics: 42, 42born2code, 42cursus, 42porto, 42school, born2beroot, debian-linux, linux, ssh
Language: Shell
Homepage:
Size: 371 KB
Stars: 2
Watchers: 1
Forks: 0
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

# Born2beRoot
[![42 School: Rank 1](https://img.shields.io/badge/42%20School-Rank%201-%2315bbbb)](https://www.42network.org/)

_Born2beRoot is a System Administration exercise from 42 School core curriculum. The task at hand is to create a machine using VirtualBox, complying with strict rules._
___

1. Virtual Machine · creation

> _A Virtual Machine (VM) is a computer file, commonly referred to as an image, that behaves like an actual computer: that is, a virtual computer within a computer._

:bulb: Advantages and disadvantages of using VMs

Advantages
Disadvantages

:heavy_check_mark: Agility and speed
:x: Unintended server sprawl

:heavy_check_mark: Lowered downtime: if backup and redundancy mechanisms are in place, since VMs are portable and easy to move from one hypervisor to another on a different machine
:x: Single point of failure: unless backup and redundancy mechanisms are in place, if the host computer fails, all VMs running on that machine will also fail

:heavy_check_mark: Scalability
:x: Hardware limitations

:heavy_check_mark: Security benefits: ability to run apps of questionable security, study computer viruses, while protecting host OS
:x: Security risks: if VMs are not properly isolated from each other or/and from the host machine, virtualization can introduce additional security risks

:heavy_check_mark: Cost savings: reduced physical infrastructure footprint
:x: License cost: some software licenses may not allow installation on VMs or require an additional license fee per VM

:warning: Pre-requisites

have [VirtualBox](https://www.virtualbox.org/) installed;

have [the ISO (Optical Disc Image) installer file for the Debian GNU/Linux OS](https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/) downloaded.

___

Steps

Open VirtualBox

Click New

Name the VM

Choose destination folder for the VM
- /sgoinfre/ in this case

Type: Linux

Version: Debian (64-bit)

Select the amount of memory (RAM) toe allocated to the VM
- set as default – the recommended memory size is 1024 MB

Create a virtual hard disk now

Choose VDI (VirtualBox Disk Image) as the type of file to use for the new virtual hard disk

Choose storage on physical hard disk as being dynamically allocated

Select the size of the virtual hard disk
- 30.8 GB to account for subject bonus requirements

Click Create

Head to Settings → Storage → Empty → 💿 icon (Attributes: Optical Drive) → Choose a disk file → Debian ISO → Ok

Start the VM

___

2. Operating System (Debian) · installation

:bulb: Debian vs. Rocky Linux

Debian
Rocky Linux

Developer
The Debian Project
Rocky Enterprise Software Foundation

OS Family
Linux (Unix-like)
Linux (Unix-like)

Source model
Open source
Open source

Repository
deb.debian.org
git.rockylinux.org

Package manager
Advanced Package Tool (APT)
Dandified YUM / DNF

Release cycle
2 years
1 year

Long Term Support (LTS)
5 years
10 years

Comments

Red Hat Enterprise Linux (RHEL) compatibility

note: Here, the choice for Debian over Rocky Linux was based on the first being generally regarded as a more user-friendly and accessible OS, especially for beginners.

### Steps

1. Select `Install` from the Debian GNU/Linux installer menu;
2. Settings
- Language: `English`
- Location: `other`
- Continent: `Europe`
- Country: `Portugal`
- Locale: `United States`
- Keymap: `American English`
- Hostname: `42` ﹡
- Domain name: `(blank)`
- Set up root password ﹡
- User full name: `` ﹡
- Username: `` ﹡
- Set up user password ﹡
- Clock: `Lisbon`

﹡ :warning: _see subject requirements_
___

3. VM · setup

3.1. Partitioning the Disk

Partioning method: Manual

Select the available volume

Create new empty partition on the selected device: Yes

3.1.1. Create Primary Partition

One has to create at least one primary partition on the disk.

Select a partition to modify its settings: FREE SPACE

How to use this free space: Create a new partition

Enter new partition size in Bytes: 525336576 B﹡

1 B × 1024 = 1 KB
1 KB × 1024 = 1 MB (1024 × 1024)
1 MB × 1024 = 1 GB (1024 × 1024 × 1024)

500 MB = 524 288 000 B
+ 2048 × 512 (1 048 576B)^a
^a – note to future self: check boot sector size, disk sector size,... (?)

New partition type: Primary

Location for the new partition: Beginning

Mount point for this partition: /boot

Partition settings: Done setting up the partition

﹡ :warning: _see subject bonus requirements_

3.1.2. Create Logical Partition

One can create an unlimited number of logical partitions on the disk.

Select a partition to modify its settings: FREE SPACE

How to use this free space: Create a new partition

Set new partition size to max

New partition type: Logical

Mount point for this partition: Do not mount it

Partition settings: Done setting up the partition

3.2. Encrypting Volumes

Configure encrypted volumes

Write the changes to disk and configure encrypted volumes? Yes

Create encrypted volumes

Select the devices to be encrypted:/dev/sda5

Partition settings: Done setting up the partition

Encryption configuration actions: Finish

(Confirmation message to encryption:) Yes

(Optional) Cancel – since there is nothing to actually encrypt

Set encryption passphrase ﹡

﹡ :warning: _see subject bonus requirements_

3.3. Logical Volume Manager (LVM) · configuration

Configure Logical Volume Manager

(Confirmation message:) Yes

Create Volume Group

Create volume group

Enter volume group name: LVMGroup

Select partition to store the group: /dev/mapper/sda5_crypt

Create Logical Partitions

LVM configuration action: Create logical volume

Select the volume group where the new logical volume should be created: LVMGroup

Enter logical volume name

Enter the size of the new logical volume

Repeat the steps above for each of the following volumes:

Logical volume name
Logical volume size
Conversion / Calculation
Logical volume size in Bytes

root
10G
10 × 1024 × 1024 × 1024
10737418240 B

swap
2.3G
2.3 × 1024 × 1024 × 1024 (2469606195.2 B)512 → 2469606400 (?)2048 → 2469607424 (?)
2465607424 B

home
5G
5 × 1024 × 1024 × 1024
5368709120 B

var
3G
3 × 1024 × 1024 × 1024
3221225472 B

srv
3G
3 × 1024 × 1024 × 1024
3221225472 B

tmp
3G
3 × 1024 × 1024 × 1024
3221225472 B

var-log
4G
4 × 1024 × 1024 × 1024
4294967296 B

LVM configuration action: Finish

Setting Mount Points

Select volume

Partition settings > set Use as:

Set mount point

Done setting up the partition

Repeat the steps above for each of the following volumes:

Partition
Volume name
Use
Mount point
Enter

#1
home
Ext4
/home

#1
root
Ext4
/

#1
srv
Ext4
/srv

#1
swap
swap area

#1
tmp
Ext4
/tmp

#1
var
Ext4
/var

#1
var-log
Ext4
Enter manually
/var/log

Ext4 (fourth extended file system) is arguably the most stable and well tested file system supported in Linux.

Finish partitioning and write changes to disk

(Confirmation message:) Yes

3.4. Additional packages & bootloader · setup & installation

Additional packages: No

Country: Portugal

Set Debian archive mirror package manager: deb.debian.org

HTTP proxy: (blank)

Continue

Popularity contest: No

Remove all software options and Continue

Installation of GRUB bootloader: Yes

Select device to install the bootloader: /dev/sda (ata_VBOX_HARDDISK)

Continue

3.5. Login into the System

Enter &ltencryption-password&gt

Enter &ltusername&gt

Enter &ltuser-password&gt

3.6. sudo · installation & configuration

sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy

Installation

su --login
- su execute a command with substitute user and group ID
- -, -l, --login start the shell as a login shell with an environment similar to a real login

apt-get update -y
- apt-get APT package handling utility -- command-line interface
- update update is used to resynchronize the package index files from their sources
- -y automatic yes to prompts

apt-get upgrade -y
- upgrade upgrade is used to install the newest versions of all packages currently installed on the system from the sources enumerated in /etc/apt/sources.list

apt install sudo
- apt command-line interface
- install performs the requested action on one or more packages

dpkg -l | grep sudo verify whether the sudo package was installed successfully
- dpkg -l list packages matching given pattern ('dpkg', package manager for Debian)
- grep print lines that match patterns

Configuration

usermod -aG sudo &ltusername&gt

visudo edit the sudoers file

Add &ltusername&gt ALL=(ALL) ALL under #User Privilege section

Save and close

reboot

3.7. Vim · installation

Vi Improved (Vim) is a highly configurable text editor built to make creating and changing any kind of text very efficient; it is upwards compatible to Vi

sudo apt install vim

3.8. Groups and Users · creation & configuration

sudo groupadd &ltgroup-name&gt create a group with specified &ltgroup-name&gt

sudo usermod -aG &ltgroup-name&gt &ltusername&gt add user to group

getent group &ltgroup-name&gtcheck group users
- getent group check groups

3.9. Secure Shell (SSH) · installation & configuration

sudo apt install openssh-server

sudo vim /etc/ssh/sshd_config

edit the text, replacing
- # Port 22 with Port 4242 ﹡
- and #PermitRootLogin prohibit-password with PermitRootLogin no to prohibit SSH login as root, regardless of authentication mechanism

sudo vim /etc/ssh/ssh_config

edit the text, replacing # Port 22 by Port 4242 ﹡

sudo service ssh restart

﹡ :warning: see subject requirements

3.10. Uncomplicated Firewall (UFW) · installation & configuration

sudo apt-get install ufw

sudo ufw enable

sudo ufw allow &ltservice/port&gt

sudo ufw status numbered

Port forwarding

Go to VirtualBox interface

Select chosen VM

Go to Settings → Network → Adapter 1 → Advanced → Port Forwarding → +
- Name: SSH
- Protocol: TCP
- Host Port: 4242
- Guest Port: 4242
→ Ok → Ok

3.11. SSH · connection to a physical machine

Start VM

hostname -I check IP address
- hostname show or set the system's host name
- -I, --all-ip-addresses display the IP address(es) of the host

Execute sudo vim /etc/network/interfaces

Edit text
- Change allow-hotplug enp0s3 to auto enp0s3
  - allow-hotplug manage interface on various condition changes
  - auto bring up interface with provided configuration during boot time or interface link up event
- Change iface enp0s3 inet dhcp to iface enp0s3 inet static
  - dhcp Dynamic Host Configuration Protocol
- Add
  
  address &ltip-address&gtnetmask 255.255.0.0gateway 10.11.254.254dns 10.11.254.254

Physical machine

Open terminal on physical machine and execute

ssh &ltVM-username&gt@&ltVM-ip-address&gt -p 4242

logout to terminate an SSH session, or, alternatively, exit to close the connection

3.12. sudo policy & log · configuration

sudo visudo
- visudo edit the sudoers file

Add the following Defaults to the file
- Defaults passwd_tries=3
  - passwd_tries total ammount of tries for entering 'sudo' password
- Defaults badpass_message="Wrong password. Try again:"
  - badpass_message message to be printed on wrong password scenario
- Defaults logfile="/var/log/sudo/sudo.log"
  - logfile set custom log file for 'sudo'
- Defaults log_input, log_output
  - log_input, log_output what will be logged
- Defaults requiretty
  - requiretty enables 'sudo' invocation from a real TTY but not through methods such as 'cron' or 'cgi-bin'
- Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
  - secure_path the path used for every command run with 'sudo'

3.13. Password policy · setup & configuration

Configure shadow password suite

sudo vim /etc/login.defs

Set
PASS_MAX_DAYS to 30﹡
PASS_MIN_DAYS to 2﹡
PASS_WARN_AGE to 7﹡

Save and close

﹡ :warning: see subject requirements

Update password policy for already created user

chage -M 30 -m 2 -W 7 &ltusername&gt
- chage change user password expiry information
- -M, --maxdays set the maximum number of days during which a password is valid
- -m, --mindays set the minimum number of days between password changes
- -W, --warndays set the number of days of warning before a password change is required

or, alternatively, passwd -x 30 -n 2 -w 7 &ltusername&gt
- passwd change user password
- -x, --maxdays set the maximum number of days a password remains valid
- -n, --mindays set the minimum number of days between password changes
- -w, --warndays set the number of days of warning before a password change is required

Install pwquality

pwquality is a PAM module to perform password quality checking

sudo apt-get install libpam-pwquality

Configure pwquality

sudo vim /etc/pam.d/common-password

Edit the pam_pwquality.so line, by addingretry=3 minlen=10 ucredit=-1 dcredit=-1 lcredit=-1 maxrepeat=3 reject_username difok=7 enforce_for_root next to it
- retry number of retries
- minlen minimum number of characters a password must contain
- ucredit (upper credit) password must contain at least/at most 'n' uppercase characters
  - - defines the lower bound
  - + defines the upper bound
- dcredit (digit credit) password must contain at least/at most 'n' digits
- lcredit (lower credit) password must contain at least/at most 'n' lowercase characters
- maxrepeat password must not repeat same character consecutively more than 'n' number of times
- reject_username password must not contain username
- difok the minimum number of characters that must be different from the old password
- enforce_for_root implement password policy to root

Save and exit

4. Monitoring script

Crontab

Crontab stands for crontable, and consists of a list of commands that are to be run on a regular schedule

Check whether Crontab is installed
- ls /var/spool/cron/ should display crontabs, since that is where crontab files are stored

monitoring.sh & sleep.sh

cd /usr/local/bin/ this is the default installation location when a user builds and installs an executable application independently

sudo vim monitoring.sh create and edit 'monitoring.sh' file
- monitoring.sh

sudo vim sleep.sh create and edit 'sleep.sh' file
- sleep.sh

sudo chmod 744 monitoring.sh sleep.sh

sudo visudo open sudoers config file

Add the following lines, that will allow corresponding scripts to run when the user's session starts:
&ltusername&gt ALL=(ALL) NOPASSWD: /usr/local/bin/sleep.sh
&ltusername&gt ALL=(ALL) NOPASSWD: /usr/local/bin/monitoring.sh

Save and exit

sudo reboot

sudo /usr/local/bin/monitoring.sh

Crontab

sudo crontab -u root -e open crontab config file

Add the following line to the end of the file: */10 * * * * /usr/local/bin/sleep.sh; /usr/local/bin/monitoring.sh,to sequencially run 'sleep.sh' and 'monitoring.sh' every 10 minutes

sudo crontab -u root -l view the list of scheduled cron jobs for the root user

5. WordPress · website setup

5.1. Lighttpd · installation and setup

Lighttpd (pronounced /lighty/) is a web server that has been optimized for high-performance environments

sudo apt install lighttpd

dpkg -l | grep lighttpd

sudo ufw allow 80
- Port 80 is the port number assigned to commonly used internet communication protocol, Hypertext Transfer Protocol (HTTP); it is the default network port used to send and receive unencrypted web pages

sudo ufw status

Port forwarding

Go to VirtualBox interface

Select chosen VM

Go to Settings → Network → Adapter 1 → Advanced → Port Forwarding → +
- Name: UFW
- Protocol: TCP
- Host Port: 80
- Guest Port: 80
→ Ok → Ok

5.2. MariaDB · installation and configuration

MariaDB is an open-source relational database

sudo apt install mariadb-server

dpkg -l | grep mariadb-server

sudo mysql_secure_installation launch the interactive script for removing insecure default settings
- Enter current password for root (enter for none): Enter – :warning: do not confuse database root with system root
- Switch to unix_socket authentification [Y/n] n
- Change root password? [Y/n] n
- Remove anonymous users? [Y/n] Y
- Disallow root login remotely? [Y/n] Y
- Remove test database and access to it? [Y/n] Y
- Reload privilege tables now? [Y/n] Y

sudo mariadb access the MariaDB console

CREATE DATABASE &ltdatabase-name&gt ;

GRANT ALL ON &ltdatabase-name&gt.* TO '&ltusername-2&gt'@'localhost' IDENTIFIED BY '&ltpassword-2&gt' WITH GRANT OPTION; create a new database user and grant them full privileges on the database

FLUSH PRIVILEGES; apply changes and reload privileges

exit exit MariaDB shell

Check

mariadb -u &ltusername-2&gt -p confirm whether the database user was successfully created
- Enter password: &ltpassword-2&gt

SHOW DATABASES; check whether the database user has access to the database

exit

5.3. PHP · installation

PHP is a general-purpose scripting language that is especially suited to web development

sudo apt install php-cgi php-mysql

dpkg -l | grep php

5.4. WordPress · download and configuration

WordPress is an open-source content management system

sudo apt install wget

sudo wget http://wordpress.org/latest.tar.gz -P /var/www/html

sudo tar -xzvf /var/www/html/latest.tar.gz

sudo rm /var/www/html/latest.tar.gz

sudo cp -r wordpress/* /var/www/html

sudo rm -rf wordpress

sudo cp /var/www/html/wp-config-sample.php /var/www/html/wp-config.php

sudo vim /var/www/html/wp-config.php
- Fill in the following fields with specified information
  - define( 'DB_NAME', '&ltdatabase-name&gt' );
  - define( 'DB_USER', '&ltusername-2&gt' );
  - define( 'DB_PASSWORD', '&ltpassword-2&gt' );

Save and exit

5.5. Lighttpd · configuration

sudo lighty-enable-mod fastcgi

sudo lighty-enable-mod fastcgi-php

sudo service lighttpd force-reload

5.6. WordPress · installation

Open a browser window

Enter localhost or 127.0.0.1 on the URL bar

Name the site

Add a &ltpassword&gt and &ltemail address&gt

Click on Install Wordpress

___

References & further reading

Linux man pages

debian website accessed 23 Jan. 2024

Rocky Linux website accessed 23 Jan. 2024

sudo accessed 25 Jan. 2024

Born2beRoot Guides

mota494's Born2beRoot (Mandatory) accessed 25 Jan. 2024

PedroZappa's Born2beRoot (Mandatory + Bonus: UnrealIRCd + Weechat) accessed 25 Jan. 2024

rphlr's Born2beRoot (Mandatory + Bonus: FTP + Fail2ban) accessed 25 Jan. 2024

### License
This work is published under the terms of [42 Unlicense](./LICENSE).

[⬆ back to top](#born2beroot)