4.1 Installing sudo & configuration of users and groups 👤
4.2 Installing & configuring SSH 📶
4.3 Installing & configuring UFW 🔥🧱
4.4 Setting up the sudo policies 🔒
8.1 Manual partition
The Debian ISO can be downloaded from debian.org/download.
Virtualization software is required to perform the installation. In this tutorial we will use VirtualBox. If you have already installed it and you have the Debian ISO, we can proceed.
1 ◦ We need to open VirtualBox and click New.
2 ◦ We must choose a name for the machine and the folder where it will be stored. IMPORTANT Store the machine inside the sgoinfre folder located on your campus server; this is important because otherwise we will run out of space in our session and the installation will fail. (Ask your staff if you can't find it.)
3 ◦ Select the total amount of RAM that we will reserve for the machine.
4 ◦ Select the second option so we can create a virtual disk now.
5 ◦ Choose the first option, VDI, since we downloaded an ISO.
6 ◦ Select the first option, Dynamically allocated, so it will allocate the memory of the physical machine as needed while the virtual machine is in use, until we reach the available limit.
7 ◦ Once we have set the recommended 12 GB we must click on Create. If we are doing the bonus we might set 30 GB.
8 ◦ It might seem that we have already finished the installation, but there are still some steps to do. Click on Settings.
9 ◦ Now click on Storage, then click on the 💿 that we find on the right and click on Choose a disk file.
10 ◦ Select the ISO that we just downloaded and click Open, then click on Ok.
◦ Once all these steps have been completed we can Start our new virtual machine.
➤ You there, wait❗️ Your eyesight is important 👀❗️ Making the window bigger will help:
Use the command key so the machine captures your mouse and vice versa.
1 ◦ We will choose the version without a graphical interface, Install, since the subject says so. Any time we want to confirm something the Enter key must be pressed, and the Arrow keys must be used to move around.
2 ◦ Now we must choose the language that will be used during the installation and as the default setting. Select English.
3 ◦ It's time to select the country. If yours is not on the list, go to Other.
4 ◦ Time to select the continent. In our case we will select Europe 🇪🇺.
5 ◦ Now select the country. In our case we will select Spain 🇪🇸.
6 ◦ Choose United States.
7 ◦ Now it's time to select a keymap. Our keyboard follows the ANSI standard, so we choose American English. If you don't know which keyboard standard yours follows, we highly recommend asking your staff.
8 ◦ Now we must set a Host Name for the machine, which must be your login followed by 42.
9 ◦ This section will be left blank since the subject doesn't require it.
10 ◦ We have to set a password for the root user. IMPORTANT Save this password since we need to use the root user. If you want to check that the password is correct, go to Show Password in Clear and then press the Space bar.
11 ◦ Repeat the process, as you need to confirm the password we just set.
12 ◦ Set up the user name. As stated in the subject, we need a new user that isn't the root user, and the name of that user has to be your student login.
Repeat your user name.
13 ◦ And now we have to set our new user's password. Just as before, repeat the process; save this password too because it will be used later.
14 ◦ Select your time zone.
15 ◦ Select Guided - use entire disk and set up encrypted LVM. To partition manually instead (section 8.1 Manual partition), select Manual.
16 ◦ We choose the disk on which we wish to create the partition (it should only show one disk).
17 ◦ Once we have chosen the disk we must partition it as stated in the subject. To do it properly we select the second option, Separate /home partition.
18 ◦ We choose the option Yes so the changes are written to the disk and we can set up the logical volume manager (LVM).
19 ◦ We click on Cancel; erasing the data is not required.
20 ◦ Again, we must choose the desired password for the LVM encryption. As mentioned before, we must repeat the process, and I advise you to write it down.
21 ◦ In this step we must input the amount of the volume group to use during the guided partitioning. We can write max or the total available size, in this case 12.4 GB.
22 ◦ To wrap up the partitioning and write the changes to the disk we choose the option Finish partitioning and write changes to disk.
23 ◦ We choose the option Yes and then we confirm that we do not want more changes.
24 ◦ We select the option No, as additional packages are not required.
25 ◦ We choose our Country.
26 ◦ We choose deb.debian.org, as it is the one recommended by Debian itself.
27 ◦ We will leave this option blank and click on Continue.
28 ◦ We select the option No, as we want to stay out of the statistics.
29 ◦ We will leave all software choices blank (deselecting them with the space bar) and click on Continue.
30 ◦ We select Yes to install the GRUB boot loader on the hard disk.
31 ◦ We will choose the device /dev/sda (ata_VBOX_HARDDISK) for the boot loader installation.
32 ◦ To finish the installation we click on Continue.
➤ First of all, we must select Debian GNU/Linux.
➤ Now we must enter the encryption password that we previously set. In my case Hello42bcn.
➤ After that we must enter the user and password that we created. In my case the user is gemartin and the password is Hola42spain.
1 ◦ The installation begins with switching to the root user so we can install sudo; for this purpose we write su in the bash prompt and enter the root password, in my case Hola42bcn. Once we are done we run the command apt install sudo so the package manager installs the packages required for sudo.
2 ◦ We must reboot the machine so the changes can be applied. For that purpose we will use the command sudo reboot.
3 ◦ Once the machine has rebooted we have to enter the encryption password and log in again. To check that sudo has been installed correctly we must switch to the root user and then use the command sudo -V; this command will show the sudo version (it will also show extra info such as the plugins installed). OPTIONAL ➤ If the output is too long we can redirect the command output to a file via sudo -V > file.txt and then open the file using nano file.txt. Another option is to put | more after the command.
4 ◦ This step is for everyone who didn't set their login as the additional user required by the subject during the installation of the system. Still as the root user, we will create an additional user with sudo adduser <login>. If you had already done it, it will show the same message as in the image.
5 ◦ We will create a new group called user42. For that we must use sudo addgroup user42.
🧠 What is GID❓ It's the group identifier, in short, Group 🆔.
🤔 Was the group created without problems? The truth is that there is no sign of any; still, we can check it using getent group <groupname>, or we can use cat /etc/group and see all the groups and the users in each of them.
6 ◦ With sudo adduser <user> <groupname> we can add a user to a group. We must add our user to the groups sudo and user42.
7 ◦ Once we are done with that we can check it using getent group <groupname> or by opening the /etc/group file with nano /etc/group; the groups sudo and user42 must be present with our user.
🧠 What is SSH❓ The acronym SSH stands for "Secure Shell." The SSH protocol was designed as a secure alternative to unsecured remote shell protocols. It utilizes a client-server paradigm, in which clients and servers communicate via a secure channel.
1 ◦ First, we should update the system using sudo apt update.
2 ◦ Next we will install the main tool for remote access over the SSH protocol, OpenSSH. To install it we run sudo apt install openssh-server. When we are asked for confirmation we type y, and then the installation will proceed.
For anyone curious whether the installation completed without problems, we can use sudo service ssh status and it will show the state of the service. Active must be shown to continue.
3 ◦ Next, some files have been created and we need to configure them. For that we will use Nano or VIM (we will need to install vim, since it's not preinstalled, using sudo apt install vim) or any other text editor. The first file that we will edit is /etc/ssh/sshd_config. If you are not root you will not be able to edit the file; as you know, to switch to root we use su.
4 ◦ The # means that the line is commented out; the lines that we will edit have to be uncommented. Once we are editing the file we need to update the following lines:
➤ #Port 22 -> Port 4242
➤ #PermitRootLogin prohibit-password -> PermitRootLogin no
When finished, we have to save the changes and leave the file.
5 ◦ Now open the file /etc/ssh/ssh_config (not sshd_config).
Edit the following line:
➤ #Port 22 -> Port 4242
6 ◦ Finally we must restart the ssh service so the changes take effect. For that purpose we will use sudo service ssh restart, and once it is done we will check the service state with sudo service ssh status and confirm that everything is all right.
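How sshd reads the two lines edited in step 4, as an added example that is not part of the original guide: Port may be given more than once and sshd listens on every port listed, while for PermitRootLogin the first occurrence wins, so a leftover or conditional line can undo the change. The sample files, the function names and the address 10.0.2.2 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the guide's code): audit an sshd_config-style file for
# the Port and PermitRootLogin values set in step 4.

# sshd_values FILE KEYWORD [match]
# Prints each value given for KEYWORD, one per line: from the global section
# by default, or from Match blocks when the third argument is "match".
# Keywords are case-insensitive and "#" lines are comments.
# Limitation: Include directives are not followed.
sshd_values() {
    awk -v key="$2" -v scope="${3:-global}" '
        BEGIN { key = tolower(key); in_match = 0
                want = (scope == "match") ? 1 : 0 }
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)   # accepts "Port 4242" and "Port=4242"
            k = tolower(f[1])
            if (k == "match") { in_match = 1; next }
            if (k == key && in_match == want) print f[2]
        }
    ' "$1"
}

# audit_sshd FILE
# Prints one OK/FAIL line per check; returns 0 only if every check passes.
audit_sshd() {
    rc=0
    # Several Port lines are allowed and sshd listens on ALL of them, so an
    # uncommented "Port 22" next to "Port 4242" keeps port 22 open.
    ports=$(sshd_values "$1" Port | sort -un | tr '\n' ' ' | sed 's/ $//')
    [ -n "$ports" ] || ports=22                    # built-in default
    # For single-valued keywords the first occurrence wins.
    root=$(sshd_values "$1" PermitRootLogin | head -n 1)
    [ -n "$root" ] || root=prohibit-password       # built-in default
    # A Match block can re-enable root login for some connections.
    cond=$(sshd_values "$1" PermitRootLogin match | grep -v '^no$' | head -n 1)

    if [ "$ports" = "4242" ]; then echo "OK   Port $ports"
    else echo "FAIL Port $ports (expected only 4242)"; rc=1; fi
    if [ "$root" = "no" ]; then echo "OK   PermitRootLogin $root"
    else echo "FAIL PermitRootLogin $root (expected no)"; rc=1; fi
    if [ -n "$cond" ]; then
        echo "FAIL PermitRootLogin $cond inside a Match block"; rc=1
    fi
    return $rc
}

# write_samples DIR: four constructed configuration files.
write_samples() {
cat > "$1/shipped" <<'EOF'
#Port 22
#PermitRootLogin prohibit-password
EOF
cat > "$1/edited" <<'EOF'
Port 4242
PermitRootLogin no
EOF
cat > "$1/both_ports" <<'EOF'
Port 22
Port 4242
permitrootlogin no
EOF
cat > "$1/match_override" <<'EOF'
Port 4242
PermitRootLogin no
Match Address 10.0.2.2
    PermitRootLogin yes
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for name in shipped edited both_ports match_override; do
    echo "== $name"
    audit_sshd "$demo_dir/$name" || true
done
rm -rf "$demo_dir"
```

On the virtual machine itself, sudo sshd -T prints the effective configuration, including any files pulled in by Include, and is the authoritative check.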
🧠 What is UFW❓ It is a firewall which uses the command line for setting up iptables with a small number of easy commands.
1 ◦ First things first, we need to install the packages for UFW; for that we will use sudo apt install ufw, then when we are asked for confirmation we type y and the installation will proceed.
2 ◦ When we are done with it, we want to start it using the command sudo ufw enable, and then it has to show us that the firewall is active.
3 ◦ Then we must allow our firewall to accept the connections that will arrive on port 4242. To do so we will use sudo ufw allow 4242.
4 ◦ Lastly we will check that everything done here is correct by checking the current state of our firewall. For that we will use sudo ufw status. Alternatively sudo ufw status verbose or sudo ufw status numbered can be used.
1 ◦ To begin this section, we will create a file in /etc/sudoers.d/. The file will store our sudo policy. The command that we will use is touch /etc/sudoers.d/sudo_config.
2 ◦ Then we must create a directory in /var/log/, as asked in the subject, because every command needs to be logged, both the input and the output. We will use mkdir /var/log/sudo for our folder.
3 ◦ We must edit the file that we created in the first step of this section. Use any text editor; in this guide, as in every screenshot, we will use nano. Use nano /etc/sudoers.d/sudo_config.
4 ◦ Once we are editing the file we must set it up with the following lines.
Defaults passwd_tries=3
Defaults badpass_message="Mensaje de error personalizado"
Defaults logfile="/var/log/sudo/sudo_config"
Defaults log_input, log_output
Defaults iolog_dir="/var/log/sudo"
Defaults requiretty
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
➤ This is how it should look in the file.
🤔 What does each command do❓
🟩 GREEN -> Total tries for entering the sudo password.
🟥 RED -> The message that will be shown when the password is wrong.
🟨 YELLOW -> Path where the sudo logs will be stored.
🟦 BLUE -> What will be logged.
🟫 BROWN -> TTY is required lol.
🟪 PURPLE -> Folders that will be excluded from sudo.
1 ◦ The first step will be editing the login.defs file.
2 ◦ Once we are editing the file, we will set the following parameters:
➤ PASS_MAX_DAYS 99999 -> PASS_MAX_DAYS 30
➤ PASS_MIN_DAYS 0 -> PASS_MIN_DAYS 2
PASS_MAX_DAYS: It's the max days till password expiration.
PASS_MIN_DAYS: It's the min days till password change.
PASS_WARN_AGE: It's the days till password warning.
3 ◦ To continue the installation we must install the next package with the following command: sudo apt install libpam-pwquality, then we type Y so we can continue; we wait until it finishes.
4 ◦ The next thing we must do is edit a file and change its content. We will use nano /etc/pam.d/common-password.
5 ◦ After retry=3 we must add the following options:
minlen=10
ucredit=-1
dcredit=-1
lcredit=-1
maxrepeat=3
reject_username
difok=7
enforce_for_root
➤ This is how the line must be
➤ This is how the file must look
🤔 What does each command do❓
minlen=10 ➤ The minimum number of characters a password must contain.
ucredit=-1 ➤ The password must contain at least one capital letter. We must write it with a - sign, as that is how it knows we are referring to a minimum number of characters; if we put a + sign it will refer to a maximum number of characters.
dcredit=-1 ➤ The password must contain at least one digit.
lcredit=-1 ➤ The password must contain at least one lowercase letter.
maxrepeat=3 ➤ The password cannot have the same character repeated three times in a row.
reject_username ➤ The password cannot contain the username.
difok=7 ➤ The password must contain at least seven characters that differ from the last password used.
enforce_for_root ➤ We will apply this password policy to root.
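The PASS_MAX_DAYS and PASS_MIN_DAYS values set in login.defs in step 2 are read when an account is created; root and the user made during installation already exist and keep the aging fields stored in /etc/shadow until they are changed with chage. The following added example (not part of the original guide) compares a shadow file against login.defs and prints the chage commands that would align the accounts; the sample files and function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the guide's code): find existing accounts whose password
# aging does not match the values set in login.defs.

# login_def FILE KEY
# Prints the value of the first uncommented KEY line in a login.defs-style
# file (prints nothing if KEY is not set).
login_def() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# aging_findings SHADOW DEFS
# Prints "user min max" for every account with a usable password whose
# shadow fields 4 (min days) and 5 (max days) differ from the policy.
aging_findings() {
    max=$(login_def "$2" PASS_MAX_DAYS)
    min=$(login_def "$2" PASS_MIN_DAYS)
    awk -F: -v max="$max" -v min="$min" '
        $2 ~ /^[*!]/ { next }        # locked account, no password login
        $4 != min || $5 != max {
            print $1, ($4 == "" ? "unset" : $4), ($5 == "" ? "unset" : $5)
        }
    ' "$1"
}

# aging_fix SHADOW DEFS
# Prints (does not run) one chage command per non-compliant account.
aging_fix() {
    max=$(login_def "$2" PASS_MAX_DAYS)
    min=$(login_def "$2" PASS_MIN_DAYS)
    aging_findings "$1" "$2" | while read -r user rest; do
        echo "chage -M $max -m $min $user"
    done
}

# write_aging_samples DIR: constructed login.defs excerpt and shadow file.
# root and gemartin were created before the policy, newuser after it.
write_aging_samples() {
cat > "$1/login.defs" <<'EOF'
# constructed excerpt with the values from step 2
PASS_MAX_DAYS   30
PASS_MIN_DAYS   2
EOF
cat > "$1/shadow" <<'EOF'
root:$y$constructed-hash:19700:0:99999:7:::
gemartin:$y$constructed-hash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
sshd:!:19700::::::
newuser:$y$constructed-hash:19710:2:30:7:::
EOF
}

demo_dir=$(mktemp -d)
write_aging_samples "$demo_dir"
echo "Accounts that do not match the policy (user min max):"
aging_findings "$demo_dir/shadow" "$demo_dir/login.defs"
echo "Commands that would align them:"
aging_fix "$demo_dir/shadow" "$demo_dir/login.defs"
rm -rf "$demo_dir"
```

On the virtual machine, run the functions as root against /etc/shadow and /etc/login.defs; sudo chage -l <user> shows the resulting values for one account.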
1 ◦ If we want to connect via SSH we must shut down the machine and go to settings.
2 ◦ Once there we will click on Network, click on Advanced so it shows more options, then click on Port forwarding.
3 ◦ Click on the emoji for adding a new rule.
4 ◦ Lastly we will add the 4242 port to host and client. The IPs are not required. We will click accept so the changes are saved.
➤ To connect via SSH from the host machine to the virtual machine, use the command ssh <user>@localhost -p 4242; it will ask for the password of the user that we are trying to log in as. Once the password is entered it will show our login in green, which means that the connection has been successful.
Going into this part, you need to pay special attention to everything, as it is important to learn all that is here. Do not cheat on this part! You will be asked how the script works during the evaluation, as the evaluator sees fit.
🧠 What is a script❓ It is a sequence of commands stored in a file that, when executed, performs the function of each command.
To show the architecture of the OS, you will use the command uname -a ("-a" == "--all"). This command prints all the information, except the CPU type and the hardware platform if they are unknown.
To show the number of physical cores we will use the file /proc/cpuinfo, which gives us information about the CPU: its type, brand, model, performance, etc. We will use grep "physical id" /proc/cpuinfo | wc -l, with the grep command searching the file for "physical id" and wc -l counting the lines of the grep output.
Showing the number of virtual cores is very similar to the previous one. We will again use the file /proc/cpuinfo, but in this case we will use the command grep processor /proc/cpuinfo | wc -l. The usage is practically the same as before, only that instead of counting the lines of "physical id" we will do it with "processor". We do it this way for the same reason as before: the way of numbering marks 0 if there is a processor.
To show the RAM we will use the command free to see current information about the RAM: the used part, free, reserved for other resources, etc. For more info about the command we can run free --help. We will use free --mega since that unit of measure appears in the subject.
Once we have run this command, we must filter the output since we do not need all the information that it provides. The first thing we need to show is the used memory, for which we will use the command awk, which processes text data, that is, we can pick out the data that interests us from a file. Finally, we compare: if the first word of a row is equal to "Mem:" we print the third word of that row, which is the used memory. The whole command together would be free --mega | awk '$1 == "Mem:" {print $3}'. In the script the return value of this command will be assigned to a variable that will be concatenated with other variables so that everything is the same as specified in the subject.
To obtain the total memory, the command is practically the same as the previous one; the only thing we must change is that instead of printing the third word of the row, we want the second one: free --mega | awk '$1 == "Mem:" {print $2}'.
Finally, we must calculate the % of used memory. The command is again similar to the previous ones; the only modification we will make is in the printing part. As the operation to get the percentage is not exact, it can give us many decimals and in the subject only 2 appear, so we will do the same; that is why we use %.2f so that only 2 decimals are shown. Another thing you may not know is that in printf, to show a % you have to put %%. The whole command is free --mega | awk '$1 == "Mem:" {printf("(%.2f%%)\n", $3/$2*100)}'.
To view the occupied and available memory of the disk, we will use the df command, which stands for "disk filesystem"; it is used to get a complete summary of the use of disk space. As indicated in the subject, the used memory is shown in MB, so we will use the -m flag. Next, we will do a grep to only show the lines that contain "/dev/" and then another grep with the -v flag to exclude lines that contain "/boot". Finally, we will use the awk command to sum the value of the third word of each line and, once all the lines are summed, print the final result of the sum. The entire command is as follows: df -m | grep "/dev/" | grep -v "/boot" | awk '{memory_use += $3} END {print memory_use}'.
To obtain the total space, we will use a very similar command. The only differences are that the values we sum will be $2 instead of $3, and that in the subject the total size appears in Gb, so as the result of the sum gives us the number in Mb we must transform it to Gb; for this we must divide the number by 1024 and remove the decimals.
Finally, we must show a percentage of the used memory. To do this, again, we will use a command very similar to the previous two. The only thing we will change is that we will combine the two previous commands to have two variables, one that represents the used memory and the other the total. Once we have done this, we will perform the operation use/total*100 to obtain the percentage, and the result of this operation will be printed as it appears in the subject, between parentheses and with the % symbol at the end. The final command is this: df -m | grep "/dev/" | grep -v "/boot" | awk '{use += $3} {total += $2} END {printf("(%d%%)\n", use/total*100)}'.
To view the percentage of CPU usage, we will use the vmstat command, which shows system statistics, allowing us to obtain a general detail of the processes, memory usage, CPU activity, system status, etc. We could put no option but in my case I will put an interval of seconds from 1 to 4. We will also use the tail -1 command, which keeps only the last line of the output, so of the 4 generated, only the last one will be printed. Finally, we will only print word 15, which is the available memory usage. The entire command is as follows: vmstat 1 4 | tail -1 | awk '{print $15}'. The result of this command is only part of the final result, since there is still an operation to be done in the script for it to be correct. What should be done is to subtract the amount returned by our command from 100; the result of this operation will be printed with one decimal and a % at the end, and the operation is finished.
To see the date and time of our last restart, we will use the who command with the -b flag, as this flag displays the time of the last system boot on the screen. As has happened to us before, it shows more information than we want, so we will filter it and only show what we are interested in; for this we will use the awk command and, if the first word of a line is "system", print the third word of that line, a space, and the fourth word. The entire command would be as follows: who -b | awk '$1 == "system" {print $3 " " $4}'.
To check if LVM is active or not, we will use the lsblk command, which shows us information about all block devices (hard drives, SSDs, memories, etc.); among all the information it provides, we can see lvm in the type of manager. For this command we will use an if because we will print Yes or No. Basically, the condition we are looking for is to count the number of lines in which "lvm" appears: if there are more than 0 we will print Yes, if there are 0 we will print No. The entire command would be: if [ $(lsblk | grep "lvm" | wc -l) -gt 0 ]; then echo yes; else echo no; fi.
To check the number of established TCP connections, we will use the ss command, replacing the now obsolete netstat. We will filter with the -ta flag so that only TCP connections are shown. Finally, we will do a grep to see those that are established, as there are also ones that are only listening, and close with wc -l to count the number of lines. The command is as follows: ss -ta | grep ESTAB | wc -l.
We will use the users command, which shows us the names of the users that are logged in; knowing this, we will add wc -w to count the number of words in the command output. The entire command is as follows: users | wc -w.
To obtain the host address, we will use the hostname -I command, and to obtain the MAC we will use the ip link command, which is used to show or modify the network interfaces. As more than one interface, IPs, etc. appear, we will use the grep command to search for what we want and thus print only what is requested. To do this, we will put ip link | grep "link/ether" | awk '{print $2}' and in this way we will only print the MAC.
To obtain the number of commands executed with sudo, we will use the journalctl command, which is a tool responsible for collecting and managing the system logs. Next, we will put _COMM=sudo in order to filter the entries by specifying its path. In our case we put _COMM because it refers to an executable script. Once we have filtered the search and only the sudo logs appear, we still need to filter a bit more, since starting or closing a root session also appears in the log, so to finish filtering we will put grep COMMAND and this will only show the command lines. Finally, we will put wc -l so that the lines are counted. The entire command is as follows: journalctl _COMM=sudo | grep COMMAND | wc -l. To check that it works correctly, we can run the command in the terminal, run a command that includes sudo, and run the command again; the number of sudo executions should increase.
#!/bin/bash
# ARCH
arch=$(uname -a)
# CPU PHYSICAL
cpuf=$(grep "physical id" /proc/cpuinfo | wc -l)
# CPU VIRTUAL
cpuv=$(grep "processor" /proc/cpuinfo | wc -l)
# RAM
ram_total=$(free --mega | awk '$1 == "Mem:" {print $2}')
ram_use=$(free --mega | awk '$1 == "Mem:" {print $3}')
ram_percent=$(free --mega | awk '$1 == "Mem:" {printf("%.2f", $3/$2*100)}')
# DISK
disk_total=$(df -m | grep "/dev/" | grep -v "/boot" | awk '{disk_t += $2} END {printf("%.1fGb\n", disk_t/1024)}')
disk_use=$(df -m | grep "/dev/" | grep -v "/boot" | awk '{disk_u += $3} END {print disk_u}')
disk_percent=$(df -m | grep "/dev/" | grep -v "/boot" | awk '{disk_u += $3} {disk_t += $2} END {printf("%d", disk_u/disk_t*100)}')
# CPU LOAD
cpul=$(vmstat 1 2 | tail -1 | awk '{print $15}')
cpu_op=$(expr 100 - $cpul)
cpu_fin=$(printf "%.1f" $cpu_op)
# LAST BOOT
lb=$(who -b | awk '$1 == "system" {print $3 " " $4}')
# LVM USE
lvmu=$(if [ $(lsblk | grep "lvm" | wc -l) -gt 0 ]; then echo yes; else echo no; fi)
# TCP CONNECTIONS
tcpc=$(ss -ta | grep ESTAB | wc -l)
# USER LOG
ulog=$(users | wc -w)
# NETWORK
ip=$(hostname -I)
mac=$(ip link | grep "link/ether" | awk '{print $2}')
# SUDO
cmnd=$(journalctl _COMM=sudo | grep COMMAND | wc -l)
wall " Architecture: $arch
CPU physical: $cpuf
vCPU: $cpuv
Memory Usage: $ram_use/${ram_total}MB ($ram_percent%)
Disk Usage: $disk_use/${disk_total} ($disk_percent%)
CPU load: $cpu_fin%
Last boot: $lb
LVM use: $lvmu
Connections TCP: $tcpc ESTABLISHED
User log: $ulog
Network: IP $ip ($mac)
Sudo: $cmnd cmd"
Script viewed from nano
Result after executing the script
🧠 What is crontab? It is a background process manager. The specified processes will be executed at the time you specify in the crontab file.
To properly configure crontab, we must edit the crontab file with the following command: sudo crontab -u root -e.
In the file, we must add the following line for the script to execute every 10 minutes: */10 * * * * sh /path/to/script.
Operation of each crontab parameter:
m ➤ Corresponds to the minute at which the script will be executed; the value ranges from 0 to 59.
h ➤ The exact hour; the 24-hour format is used, the values range from 0 to 23, with 0 being 12:00 midnight.
dom ➤ Refers to the day of the month; for example, you can specify 15 if you want to execute on the 15th of every month.
dow ➤ Means the day of the week; it can be numeric (0 to 7, where 0 and 7 are Sunday) or the first three letters of the day in English: mon, tue, wed, thu, fri, sat, sun.
user ➤ Defines the user who will execute the command; it can be root, or another user as long as it has permission to execute the script.
command ➤ Refers to the command or the absolute path of the script to be executed.
To obtain the signature, the first thing we must do is shut down the virtual machine, since once you turn it on or modify something, the signature will change.
The next step will be to locate ourselves in the path where we have the .vdi of our virtual machine.
Finally, we will run shasum machinename.vdi and this will give us the signature. The result of this signature is what we will need to add to our signature.txt file and subsequently upload the file to the intra repository. It is very important not to reopen the machine since the signature will be modified. For corrections, remember to clone the machine so you can turn it on without fear of changing the signature.
🧠 What is shasum❓ It is a command that allows you to identify the integrity of a file using the SHA-1 hash check sum of a file.
1 ◦ When choosing disk partitioning, we will select manual. This way we can edit the partitions one by one.
2 ◦ In this section, it shows us a general description of our partitions and mount points. Currently, we do not have any partitions. To create a new partition table, we must choose the device where we want to create them. In our case, we will choose the only one available.
3 ◦ We accept the confirmation message. Basically, it warns us that if there are already partitions on the device, they will be deleted, and asks whether we are sure we want to create a new empty partition table.
4 ◦ Once we have completed the previous step, we can see how our partition table appears empty. Now we must configure it, for this we must select it.
5 ◦ We will create a new partition.
We will start by creating this:
6 ◦ As the subject indicates, the size of the partition must be 500 megabytes.
7 ◦ We choose the type of partition. We choose primary because it will be the partition where the Operating System will be installed.
Brief description of all types of partitions:
◦ Primary: The only partition on which an OS can be installed. There can only be 4 primary partitions per hard drive or 3 primary and one extended.
◦ Secondary/Extended: It was designed to break the 4 primary partition limitation on a single physical disk. There can only be one partition of this type per disk, and it only serves to contain logical partitions.
◦ Logical: It occupies a portion of the primary/extended partition or the whole of it, which has been formatted with a specific type of file system (in our case we will use ext4) and has been assigned a unit, so the operating system recognizes the logical partitions or its file system. There can be a maximum of 23 logical partitions in an extended partition, however, Linux, the OS we are currently working with, reduces it to 15, more than enough for this project.
8 ◦ We will select beginning because we want the new partition to be created at the beginning of the available space.
9 ◦ In the following screenshot it shows the details of the partition. We will modify the mount point as specified in the subject.
10 ◦ We choose boot as the mount point for our partition.
11 ◦ We finish configuring the current partition.
12 ◦ Once we have completed the previous step, the partition should already appear. Now we must create a logical partition with all the available space on the disk, which has no mount point and is encrypted. To do this, we select the free space where we want to create it.
13 ◦ We create a new partition.
14 ◦ We select the maximum size.
15 ◦ We select the type of partition, in this case logical.
16 ◦ We will modify the mount point.
17 ◦ We will choose the option not to mount it.
18 ◦ We finish configuring the current partition.
19 ◦ We will configure encrypted volumes. This way we can encrypt our partition.
20 ◦ We accept the confirmation message.
21 ◦ We create the encrypted volumes.
22 ◦ We select which partition we want to encrypt.
23 ◦ We finish configuring the current partition.
24 ◦ We finish because we don't want to create more encrypted volumes.
25 ◦ We accept the confirmation message. It tells us that everything inside the partition will be encrypted and it should not take long to finish.
26 ◦ We don't care if it takes a long time or not, we cancel it because there is nothing to encrypt since the partition is empty.
27 ◦ Again we must enter a password, this time it will be the encryption phrase. As I previously mentioned, you must repeat the process and write it down as it will be important in the future.
28 ◦ We repeat the encryption phrase.
29 ◦ We will configure the logical volume manager.
30 ◦ We will accept the confirmation message as we agree to save the changes to the disk.
31 ◦ We will create a new volume group. Volume groups group partitions.
32 ◦ We will enter the name we want to give it: LVMGroup, as indicated in the subject.
33 ◦ We will select the partition where we want to create the group.
34 ◦ Now we must create all the logical partitions. As we have to repeat the same actions several times, there are captures that will not be documented.
35 ◦ We will start by choosing the group where we want them to be created. We select the only one available (the one we just created).
36 ◦ The order of creation of the logical units will be the same as indicated in the subject, so we will start with root and end with var-log. Then we will select the name of the logical volume.
37 ◦ Size, as indicated in the subject, will be 10g.
38 ◦ We repeat the process for swap. We only change the name and size.
39 ◦ We repeat the process for home. We only change the name and size.
40 ◦ We repeat the process for var. We only change the name and size.
41 ◦ We repeat the process for srv. We only change the name.
42 ◦ We repeat the process for tmp. We only change the name.
43 ◦ Finally, we repeat the process for var-log. We only change the name and size.
44 ◦ Once we have completed all the previous steps, we will finish the configuration of the logical volume manager.
45 ◦ Now we can see that in the section showing all our partitions and free space, all the logical partitions that we just created already appear. Good; now we must configure each of them to select the file system that we want and the mount point indicated in the subject. Again we will go in order and select the first one that appears, which is home.
46 ◦ It shows us the configuration of the partition. We must choose a file system as it currently does not have one.
47 ◦ Choose the Ext4 file system, it is the most commonly used file system in Linux distributions.
48 ◦ Now we need to select the mount point.
49 ◦ We select home as indicated in the subject.
50 ◦ Once we have selected it, we will finish the configuration of the partition.
51 ◦ Again, these steps can become very repetitive so I won't comment much. We repeat everything the same way (except for the mount point) for root.
52 ◦ Repeat the process for srv and change the mount point.
53 ◦ For swap, we will make an exception because the file system will be different. We select swap.
54 ◦ At the time of selecting the file system, we leave it on swap area.
55 ◦ Once the previous step is completed, we will finish the partition configuration.
56 ◦ Now we will do the same thing as before, but with tmp, changing the mount point.
57 ◦ We repeat the process again for var, changing the mount point.
58 ◦ Finally, we repeat the process again for var-log. In this case, we will have to manually enter the mount point.
59 ◦ Once we have completed all of the previous steps, we are almost finished. We must click 'finish partitioning' to save all of the changes to the disk.
60 ◦ We accept the message and the changes will be saved. Make sure that all of the partitions look the same as in the screenshot.
61 ◦ We select the option No because we do not need additional packages.
62 ◦ We choose our Country.
63 ◦ We choose deb.debian.org because, considering our region, it is where we will have the best connection.
64 ◦ We will leave this option empty and click directly on Continue.
65 ◦ We select the option No because we do not want developers to see our statistics, even though they are anonymous.
66 ◦ We will remove all the software options (using the spacebar) and press Continue.
67 ◦ We will select Yes to install GRUB boot on the hard drive.
68 ◦ We will choose the device for the bootloader installation: /dev/sda (ata_VBOX_HARDDISK).
69 ◦ We will press Continue to finish the installation.
70 ◦ Once we have finished with the installation of Debian, we must set up our virtual machine.
Click here to navigate to the virtual machine settings ⚙️
🧠 What is Lighttpd❓ Lighttpd is a web server designed to be fast, secure, flexible, and standards-compliant. It is optimized for environments where speed is a top priority because it consumes less CPU and RAM than other servers.
1 ◦ Installation of Lighttpd packages.
2 ◦ We allow connections through port 80 with the command sudo ufw allow 80
3 ◦ We check that we have actually allowed it. Port 80 and allow should appear.
4 ◦ We add the rule that includes port 80. If you don't remember how to add rules in port forwarding: Machine configuration → Network → Port forwarding → Replicate the capture
🧠 What is Wordpress❓ It is a content management system focused on the creation of any type of website.
1 ◦ To install the latest version of WordPress we must first install wget and zip. To do this we will use the following command: sudo apt install wget zip
🧠 What is wget❓ It is a command line tool used to download files from the web.
🧠 What is zip❓ It is a command line utility for compressing and decompressing files in ZIP format.
2 ◦ Once we have installed the packages we must move to the folder /var/www/ with the command cd /var/www/
3 ◦ Once we are in the path /var/www/ we must download the latest version of WordPress. As my native language is Spanish I will select the latest version in Spanish. We will use the following command: sudo wget https://es.wordpress.org/latest-es_ES.zip
4 ◦ Unzip the file you just downloaded with the command sudo unzip latest-es_ES.zip
5 ◦ We will rename the folder html and call it html_old: sudo mv html/ html_old/
6 ◦ Now we will rename the wordpress folder and call it html: sudo mv wordpress/ html
7 ◦ Finally we will set these permissions on the html folder. We will use the command sudo chmod -R 755 html. The number 7 indicates that the owner has read, write and execute permissions. The number 5 indicates that the group and others only have read and execute permissions.
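The chmod -R 755 in step 7 also sets the execute bit on every file. The sketch below is an added example, not part of the original guide: it sets directories to 755 and regular files to 644, optionally restricts wp-config.php (once it exists) to one group, and lists files that are still executable or group/world-writable. The function names are hypothetical, and www-data as the web server group is an assumption about the Debian lighttpd package.

```shell
# Added example: tighter modes for a WordPress tree than a blanket chmod -R 755.

# harden_webroot DIR [GROUP]
#   Directories 755, regular files 644 (PHP files are read by php-cgi, so no
#   file needs the execute bit). With GROUP, wp-config.php becomes readable
#   by its owner and GROUP only.
harden_webroot() {
    hw_root=$1
    hw_group=${2:-}
    [ -d "$hw_root" ] || { echo "not a directory: $hw_root" >&2; return 2; }
    # -type d / -type f never match symlinks, so a link inside the tree
    # cannot point chmod at a file outside it.
    find "$hw_root" -type d -exec chmod 755 {} +
    find "$hw_root" -type f -exec chmod 644 {} +
    if [ -n "$hw_group" ] && [ -f "$hw_root/wp-config.php" ]; then
        chgrp "$hw_group" "$hw_root/wp-config.php"
        chmod 640 "$hw_root/wp-config.php"   # this file holds the DB password
    fi
}

# list_loose DIR -> regular files that are executable by their owner or
# writable by group or others, one path per line
list_loose() {
    find "$1" -type f \( -perm -100 -o -perm -020 -o -perm -002 \) -print
}

# On the VM, as root (www-data is an assumption, see above):
#   harden_webroot /var/www/html www-data
#   list_loose /var/www/html        # expect no output
```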
🧠 What is MariaDB❓ It is a database. It is used for various purposes, such as data warehousing, e-commerce, enterprise-level functions, and logging applications.
1 ◦ We will install the packages with the command sudo apt install mariadb-server
2 ◦ Because the default configuration leaves your MariaDB installation insecure, we will use a script provided by the mariadb-server package to restrict access to the server and remove unused accounts. We will run the script with the following command: sudo mysql_secure_installation
It will ask if we want to switch to Unix socket authentication. Since we already have a protected root account we will type N.
Switch to unix_socket authentication? → N
Change the root password? → N
Remove anonymous users? → Y
Disallow root login remotely? → Y
Remove test database and access to it? → Y
Reload privilege tables now? → Y
Switch to unix_socket authentication? We choose N because we already have a protected root account, so we do not want it to switch to Unix socket authentication.
Change the root password? We choose N. We do not want to change the root password. By default we have no password, but in MariaDB it is not really root, as we must give it administrator permissions.
Remove anonymous users? We choose Y. By default, when you install MariaDB it has an anonymous user, which allows anyone to log into MariaDB without having to create their own user account. This is designed for testing purposes and to make the installation smoother. When we leave the development environment and want to move to a production environment we must remove the anonymous users.
Disallow root login remotely? Choose Y. Disabling root login remotely will prevent anyone from guessing the root password. We will only be able to connect to root from localhost.
Remove test database and access to it? Choose Y. This will remove the test database and any users who have access to it.
Reload privilege tables now? Choose Y. This will reload the MySQL permission tables so that the changes to the security settings will take effect immediately.
1 ◦ Once we have finished with the installation of MariaDB we must create the database and the user for WordPress. First we must access mariadb.
2 ◦ We create a database for WordPress. In my case I'm going to call it wp_database. I will do all this with the command CREATE DATABASE wp_database;
3 ◦ To make sure that the database for WordPress has been created we can view all existing databases with the command SHOW DATABASES;
4 ◦ Next we need to create a user inside the database. We will use the command CREATE USER 'gemartin'@'localhost' IDENTIFIED BY '12345';
5 ◦ We bind the new user to our database and grant it the permissions it needs to work. We will use the command GRANT ALL PRIVILEGES ON wp_database.* TO 'gemartin'@'localhost';
6 ◦ We update the permissions for the changes to take effect with the command FLUSH PRIVILEGES;
7 ◦ Once we have completed the previous step, we can exit mariadb.
🧠 What is PHP❓ It is a programming language. It is mainly used to develop dynamic web applications and interactive websites. PHP runs on the server side.
1 ◦ We install the packages needed to run web applications that are written in PHP and need to connect to a MySQL database. Run the following command: sudo apt install php-cgi php-mysql
1 ◦ Access the /var/www/html directory with the command: cd /var/www/html
2 ◦ Copy the file wp-config-sample.php and rename it wp-config.php
3 ◦ Once we have renamed it we will edit the file wp-config.php with nano wp-config.php and modify the following values.
You have to replace them with the values that we set earlier when we created the database and the user, so that WordPress can connect to the database and use it.
4 ◦ We enable the fastcgi module in Lighttpd to improve the performance and speed of web applications on the server: sudo lighty-enable-mod fastcgi
5 ◦ We enable the fastcgi-php module in Lighttpd to improve the performance and speed of PHP-based web applications on the server: sudo lighty-enable-mod fastcgi-php
6 ◦ We update and apply the changes in the configuration with the command sudo service lighttpd force-reload
7 ◦ Once we have completed the previous steps we can go back to our browser and type localhost. You should see the following:
8 ◦ We must fill in all the fields. In my case I have put the following:
9 ◦ Once we have filled in all the fields we must click on Install WordPress and we will have finished the installation. You will see the next tab. Now WordPress can create the tables and dump all the data it needs to work in the database we have assigned to it.
10 ◦ If we access our localhost again from the browser we can see our functional page.
11 ◦ If we want to access the admin panel to make changes to our site we will have to enter localhost/wp-admin in the browser and log in with our account.
12 ◦ Once you have logged in, you can modify whatever you like. Customizing the page is optional; as it is not specified in the subject, we will not deal with it in this guide.
🧠 What is LiteSpeed❓ It is a proprietary web server software. It is the fourth most popular web server, and is estimated to be used by 10% of websites.
1 ◦ Before installing any software, it is important to ensure that the system is up to date.
sudo apt update
sudo apt upgrade
2 ◦ By default, OpenLiteSpeed is not available in the Debian 11 base repository, so you must run the following command to add the OpenLiteSpeed repository to your Debian system:
wget -O - https://repo.litespeed.sh | sudo bash
As the command is long, I connected via ssh.
3 ◦ Again, we update the packages and install OpenLiteSpeed.
sudo apt update
sudo apt install openlitespeed
4 ◦ The default password for OpenLiteSpeed is 123456. We will change the password to something more secure with the following command.
sudo /usr/local/lsws/admin/misc/admpass.sh
5 ◦ We configure the firewall to allow connections through ports 8088 and 7080. We then add the rules in the port forwarding.
sudo ufw allow 8088/tcp
sudo ufw allow 7080/tcp
sudo ufw reload
Port forwarding rules.
6 ◦ Once we have completed the previous step we can connect. We enter localhost:7080 in the address bar of our browser, provide our login credentials, and we will have access to everything.
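Step 2 above pipes a remote script straight into a root shell. The sketch below is an added example, not part of the original guide or of LiteSpeed's tooling: it runs a downloaded installer only when its SHA-256 matches a digest you recorded yourself after reading the file. The function names, the file name litespeed-repo.sh and the <pinned-digest> placeholder are hypothetical.

```shell
# Added example: run a downloaded installer only if it matches a pinned digest.

# is_sha256 STRING -> 0 if STRING is exactly 64 hexadecimal characters
is_sha256() {
    case $1 in
        *[!0-9A-Fa-f]*|'') return 1 ;;
    esac
    [ "${#1}" -eq 64 ]
}

# verify_pinned FILE EXPECTED -> 0 match, 1 mismatch, 2 bad input
verify_pinned() {
    vp_file=$1
    vp_want=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case digests
    [ -f "$vp_file" ] || { echo "no such file: $vp_file" >&2; return 2; }
    is_sha256 "$vp_want" || { echo "expected value is not a SHA-256 digest" >&2; return 2; }
    vp_have=$(sha256sum "$vp_file" | cut -d' ' -f1)
    [ "$vp_have" = "$vp_want" ] && return 0
    echo "digest mismatch for $vp_file: got $vp_have" >&2
    return 1
}

# run_pinned FILE EXPECTED RUNNER... -> runs "RUNNER... FILE" only after a match
run_pinned() {
    rp_file=$1 rp_want=$2
    shift 2
    verify_pinned "$rp_file" "$rp_want" || return $?
    "$@" "$rp_file"
}

# On the VM (needs network, so it is only shown here):
#   wget -O litespeed-repo.sh https://repo.litespeed.sh
#   less litespeed-repo.sh          # read what would run as root
#   sha256sum litespeed-repo.sh     # record this value as <pinned-digest>
#   run_pinned litespeed-repo.sh <pinned-digest> sudo bash
```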
This tutorial has taken a lot of work. If you think it has been useful I would greatly appreciate a star 🌟 so that it can be shared and help more students 👨🏻🎓❤️
It is software that simulates a computer system and can run programs as if it were a real computer. It allows the creation of multiple simulated environments or dedicated resources from a single physical hardware system.
This is a personal thing for everyone; my opinion: the subject itself explains that it is easier to do it in Debian, and if you look for documentation/tutorials there are many and all of them have been done in Debian.
Their purpose is to provide a hardware platform and operating system independent execution environment, which hides the details of the underlying platform and allows a program to always run the same way on any platform.
Aptitude is an enhanced version of apt. APT is a lower-level package manager and aptitude is a high-level package manager. Another big difference is the functionality offered by both tools. Aptitude offers better functionality compared to apt-get. Both are able to provide the necessary means to perform package management. However, if you are looking for a more feature-rich approach, Aptitude should be it.
A security module in the Linux kernel that allows the system administrator to restrict the capabilities of a program.
It is a logical volume manager. It provides a method for allocating space on mass storage devices, which is more flexible than conventional partitioning schemes for storing volumes.
1 ◦ Verify that no graphical interface is in use.
We will use the command ls /usr/bin/*session and it should give the same result as in the screenshot. If anything different appears, a graphical interface is being used.
2 ◦ Check that the UFW service is in use.
sudo ufw status
sudo service ufw status
3 ◦ Check that the SSH service is in use.
sudo service ssh status
4 ◦ Check that you are using the Debian or CentOS operating system.
uname -v
or uname --kernel-version
5 ◦ Check that your user is within the "sudo" and "user42" groups.
getent group sudo
getent group user42
6 ◦ Create a new user and show that it follows the password policy we have created.
sudo adduser name_user
and enter a password that follows the policy.
7 ◦ We create a new group named "evaluating".
sudo addgroup evaluating
8 ◦ We add the new user to the new group.
sudo adduser name_user evaluating
To verify that it has been entered correctly.
9 ◦ Check that the machine's hostname is correct: login42.
10 ◦ Modify hostname to replace your login with the evaluator's. In this case, we will replace it with student42.
sudo nano /etc/hostname
and replace our login with the new one.
sudo nano /etc/hosts
and replace our login with the new one.
Reboot the machine.
Once we have logged in again, we can see how the hostname has been changed correctly.
11 ◦ Check that all partitions are as indicated in the subject.
lsblk
12 ◦ Check that sudo is installed.
which sudo
Using which is not actually a good practice as not all packages are found in the paths where which searches. However, for the evaluation it is better as it is a simple and easy-to-learn command. For better use, we will use the following command:
dpkg -s sudo
13 ◦ Add the new user to the sudo group.
sudo adduser name_user sudo
We check that it is within the group.
14 ◦ Show the application of the rules imposed for sudo by the subject.
15 ◦ Show that the path /var/log/sudo/ exists and contains at least one file, in this we should see a history of the commands used with sudo.
Run a command with sudo and check that the file is updated.
16 ◦ Check that the UFW program is installed on the virtual machine and check that it works correctly.
dpkg -s ufw
sudo service ufw status
17 ◦ List the active rules in UFW. If the bonus part is not done, only the rule for port 4242 should appear.
sudo ufw status numbered
18 ◦ Create a new rule for port 8080. Verify that it has been added to the active rules and then you can delete it.
sudo ufw allow 8080
to create it.
sudo ufw status numbered
To delete the rule, we must use the command sudo ufw delete num_rule
We check that it has been deleted and we see the number of the next rule that needs to be deleted.
Delete the new rule.
We check that only the required rules in the subject remain.
19 ◦ Check that the ssh service is installed on the virtual machine, that it works correctly, and that it only works on port 4242.
which ssh
sudo service ssh status
20 ◦ Use ssh to log in with the newly created user. Make sure that you cannot use ssh with the root user.
We try to connect over ssh with the root user but we do not have permission.
We connect via ssh with the new user using the command ssh newuser@localhost -p 4242
21 ◦ Modify the runtime of the script from 10 minutes to 1.
We run the following command to modify the crontab file sudo crontab -u root -e
We modify the first parameter, instead of 10 we change it to 1.
22 ◦ Finally, make the script stop running when the server has started, but without modifying the script.
sudo /etc/init.d/cron stop
If we want it to run again:
sudo /etc/init.d/cron start
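Steps 19 and 20 above are checked by hand. The script below is an added example, not part of the original guide: it reads an sshd_config and reports whether the global section listens only on port 4242 and sets PermitRootLogin no. The function names and the sample file are constructed for illustration; the check does not follow Include files or evaluate Match blocks, so on a live system compare it with the output of sudo sshd -T.

```shell
# Added example: static check of sshd_config (port 4242 only, no root login).

# sshd_values FILE KEYWORD -> each value set for KEYWORD in the global section
# (everything before the first Match block), one per line, in file order.
sshd_values() {
    awk -v want="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (!match(line, /[ \t=]+/)) next    # keyword without a value
            key = tolower(substr(line, 1, RSTART - 1))
            val = substr(line, RSTART + RLENGTH)
            sub(/[ \t]+$/, "", val)
            if (key == "match") exit             # conditional blocks start here
            if (key == tolower(want)) print val  # keywords are case-insensitive
        }' "$1"
}

# audit_sshd FILE -> 0 only if the file pins port 4242 and refuses root logins
audit_sshd() {
    as_rc=0
    # Port is cumulative: every Port line adds a listener, and none means 22.
    as_ports=$(sshd_values "$1" Port | tr '\n' ' ')
    if [ "$as_ports" != "4242 " ]; then
        echo "FAIL Port: '${as_ports:-unset, default 22}' (want only 4242)"
        as_rc=1
    fi
    # For PermitRootLogin the first value obtained wins; later lines are ignored.
    as_root=$(sshd_values "$1" PermitRootLogin | head -n 1 | tr 'A-Z' 'a-z')
    if [ "$as_root" != "no" ]; then
        echo "FAIL PermitRootLogin: '${as_root:-unset}' (want no)"
        as_rc=1
    fi
    return "$as_rc"
}

# Constructed sample: a stray second Port line re-opens 22, while the second
# PermitRootLogin line has no effect because the first one already won.
sample_config() {
    cat <<'EOF'
#Port 22
Port 4242
port 22
PermitRootLogin no
PermitRootLogin yes
Match User backup
    PasswordAuthentication no
EOF
}

cfg=$(mktemp) && sample_config > "$cfg"
audit_sshd "$cfg" || echo "audit failed, as expected for the constructed sample"
rm -f "$cfg"
```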
Check that you didn't forget anything! Own tester to check that the installation and configuration has been carried out successfully.
This English version of the guide would not have been possible without the help of ElPatatin
◦ Linkedin: https://www.linkedin.com/in/cristope/
◦ Intra profile: https://profile.intra.42.fr/users/cpeset-c
◦ Linkedin: https://www.linkedin.com/in/gemartin99/