Lucas Bordonal edited this page Dec 16, 2022 · 10 revisions

Mandatory Part

  1. Download Debian image - https://www.debian.org/download
  2. New Virtual Machine with Oracle VirtualBox
    • Name and operating system:
      • Name: Born2beroot
      • Machine Folder: ..nfs/home/<user>/sgoinfre
      • Type: Linux
      • Debian (64-bit)
    • Memory Size:
      • RAM: 1024MB (recommended)
    • Hard Disk:
      • Create a virtual hard disk now
      • Hard disk file type: VDI (VirtualBox Disk Image)
      • Storage on physical hard disk: Dynamically allocated
      • File location and size: Default location | Size = 30.00GB
    • Mount iso file and Start VM
  3. Debian installation
    • Install
    • Select language, country, and keyboard
    • Hostname:
      • <user>42 - e.g. lbordona42
    • Domain name:
      • Empty and Continue
    • Root password:
      • Choose and note the password
    • Full name for the new user:
      • <user> - e.g. lbordona
    • Password for the new user:
      • Choose and note the password
    • Select timezone
    • Partition disks:
      • Guided - use entire disk and set up encrypted LVM
      • Select the only disk that will appear
      • Separate /home, /var, and /tmp partitions
      • Write the changes to disk and configure LVM? Yes
      • Encryption passphrase: choose and note the password
      • Amount of volume group to use for guided partitioning: keep the maximum available size (the installer's default)
      • Finish partitioning and write changes to disk
      • Write the changes to disks? Yes
    • Configure the package manager:
      • Scan extra installation media? No
      • Select country
      • Select deb.debian.org
      • HTTP proxy information: Empty and Continue
    • Configuring popularity-contest
      • Participate in the package usage survey? No
    • Software selection
      • Disable all options of software and Continue
    • Install the GRUB boot loader
      • Install the GRUB boot loader to your primary drive: Yes
      • Device for boot loader installation: select /dev/sda
    • Installation complete!
  4. Setup sudo, user and group
  • su - switch to the root user (sudo is not installed yet)
  • apt install sudo - sudo installation
  • sudo reboot - reboot
  • sudo adduser <user> - add user
    • sudo adduser lbordona
  • sudo addgroup <group_name> - create group
    • sudo addgroup user42
  • getent group user42 - view users inside group user42
  • sudo adduser <user> <group> - add user to group
    • sudo adduser lbordona user42
    • sudo adduser lbordona sudo - add user to the sudo group
  1. SSH installation

    • sudo apt update - refresh repositories
    • sudo apt install openssh-server - ssh server installation
    • sudo service ssh status - verify ssh status
    • sudo nano /etc/ssh/sshd_config - set parameters
      • Port 4242 - enable Port 4242
      • PermitRootLogin no - disable root access to ssh
    • sudo nano /etc/ssh/ssh_config - set parameters
      • Port 4242 - enable Port 4242
    • sudo service ssh restart - restart ssh services
    • sudo service ssh status - verify ssh status
  2. SSH Connection

    • Shutdown VM
    • Oracle VirtualBox:
      • Settings > Network > Advanced > Port Forwarding > New Rule
      • Host Port = 4242
      • Guest Port = 4242
    • Start VM
    • Open terminal:
      • ssh <user>@<IP> -p <port> - connect to the lbordona user in the VM - ssh lbordona@<IP> -p 4242
      • ip a - discover the IP address
      • If the connection fails with the error kex_exchange_identification: Connection closed by remote host, change the VM network adapter from NAT to Bridged Adapter
  3. UFW firewall installation

    • sudo apt update - refresh repositories
    • sudo apt install ufw - UFW installation
    • sudo ufw enable - enable UFW service
    • sudo ufw allow 4242 - allow Port 4242 for firewall
    • sudo ufw status - check firewall rules and status
  4. Setup sudo password policy

    • touch /etc/sudoers.d/sudo_config - create sudo_config file for sudo password config
    • mkdir /var/log/sudo - create folder for sudo logs
    • nano /etc/sudoers.d/sudo_config - edit the sudo_config file with the rules below (sudoers comments start with #; run visudo -c -f /etc/sudoers.d/sudo_config afterwards to check the syntax, since a broken file disables sudo)
    ```
    Defaults  passwd_tries=3                          # max number of password tries
    Defaults  badpass_message="Erroooooooooou!!!!!!"   # wrong password message
    Defaults  logfile="/var/log/sudo/sudo_config"     # log file
    Defaults  log_input, log_output                   # record input and output of each sudo session
    Defaults  iolog_dir="/var/log/sudo/logfile"       # I/O log directory
    Defaults  requiretty                              # TTY mode enabled
    Defaults  secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"   # restricted PATH for sudo
    ```
  5. Setup strong password policy

    • nano /etc/login.defs - change parameters of login.defs file
      • PASS_MAX_DAYS 30 - set password expiration to 30 days
      • PASS_MIN_DAYS 2 - set minimum days to change password again
      • PASS_WARN_AGE 7 - set 7 days to warn password expiration date
    • sudo apt install libpam-pwquality - installation of libpam-pwquality
    • nano /etc/pam.d/common-password - modify common password policies
      • minlen=10 lcredit=-1 ucredit=-1 dcredit=-1 maxrepeat=3 reject_username difok=7 enforce_for_root - insert after retry=3
        • minlen=10 - minimum number of characters
        • lcredit=-1 - at least one lowercase character
        • ucredit=-1 - at least one uppercase character
        • dcredit=-1 - at least one digit
        • maxrepeat=3 - maximum number of consecutive identical characters
        • reject_username - reject passwords that contain the username
        • difok=7 - at least 7 characters different from the previous password
        • enforce_for_root - apply the rules to root too
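After editing sshd_config, login.defs and common-password by hand it is worth reading the effective values back rather than trusting the edit; the following POSIX sh checks are an added example, not the page author's script. They assume the values set in the SSH and password-policy steps above and the sudoers file name /etc/sudoers.d/sudo_config from step 4; file paths are arguments so the checks also run against copies.

```shell
#!/bin/sh
# Added example, not part of the original page: read back the SSH and password
# settings described above instead of trusting the edit. File paths are
# arguments so the checks also run against copies or test fixtures.

# sshd keeps the FIRST uncommented value of a keyword, so a leftover "Port 22"
# above your "Port 4242" silently wins. Print the value sshd will actually use.
sshd_effective() {  # $1 = sshd_config path, $2 = keyword (case-insensitive)
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# login.defs: value of an uncommented "NAME VALUE" line (the last one counts)
login_def() {  # $1 = login.defs path, $2 = name
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# pwquality option on the pam_pwquality.so line of common-password; flags
# without a value (reject_username, enforce_for_root) print "set"
pwquality_opt() {  # $1 = common-password path, $2 = option name
    awk -v k="$2" '/pam_pwquality\.so/ { for (i = 1; i <= NF; i++) {
        split($i, kv, "="); if (kv[1] == k) print (kv[2] == "" ? "set" : kv[2]) } }' "$1"
}

# Compare every value this page sets; returns the number of mismatches.
# Optional $1 $2 $3 override the default paths.
audit() {
    sshd=${1:-/etc/ssh/sshd_config} defs=${2:-/etc/login.defs}
    pam=${3:-/etc/pam.d/common-password} fails=0
    check() {  # $1 = label, $2 = actual, $3 = expected
        if [ "$2" = "$3" ]; then echo "ok   $1 = $2"
        else echo "FAIL $1 = '$2' (want $3)"; fails=$((fails + 1)); fi
    }
    check "sshd Port"            "$(sshd_effective "$sshd" Port)" 4242
    check "sshd PermitRootLogin" "$(sshd_effective "$sshd" PermitRootLogin)" no
    check "PASS_MAX_DAYS"        "$(login_def "$defs" PASS_MAX_DAYS)" 30
    check "PASS_MIN_DAYS"        "$(login_def "$defs" PASS_MIN_DAYS)" 2
    check "PASS_WARN_AGE"        "$(login_def "$defs" PASS_WARN_AGE)" 7
    check "pwquality minlen"     "$(pwquality_opt "$pam" minlen)" 10
    check "pwquality difok"      "$(pwquality_opt "$pam" difok)" 7
    check "enforce_for_root"     "$(pwquality_opt "$pam" enforce_for_root)" set
    return "$fails"
}

# Syntax-check before restarting or relying on them: a bad sshd_config locks you
# out of the VM over port 4242, a bad sudoers.d file disables sudo altogether.
syntax_ok() { sudo sshd -t && sudo visudo -c -f /etc/sudoers.d/sudo_config; }
```

Run `audit` with no arguments on the VM; a non-zero exit status means at least one value differs from what this page configures.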
  6. Script monitoring.sh
    • touch monitoring.sh in /home/lbordona/ - create monitoring.sh script
    • sudo crontab -u root -e - configure cron as root to schedule tasks
      • Select nano or vim
      • */10 * * * * sh /path/to/script - set rule to run monitoring.sh every 10 minutes - */10 * * * * sh /home/lbordona/monitoring.sh
    • sudo crontab -u root -l - check schedule for cron jobs
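A minimal monitoring.sh of the kind the cron rule above runs every 10 minutes, as an added example (the page does not include the author's own script). The parsers take raw text as their first argument so they can be checked on constructed input; main() reads live data from /proc, lsblk and who, counts sudo commands from the logfile path set in step 4, and broadcasts with wall.

```shell
#!/bin/sh
# Added example of a Born2beroot-style monitoring.sh; not the page author's
# script. Parsers take their raw input as $1 so they can be checked on
# constructed text; main() feeds them live data and broadcasts with wall.

# RAM: used/total in MB with percentage, from /proc/meminfo text
mem_usage() {
    printf '%s\n' "$1" | awk '/^MemTotal:/ { t = $2 } /^MemAvailable:/ { a = $2 }
        END { u = t - a; printf "%d/%dMB (%.2f%%)\n", u / 1024, t / 1024, u * 100 / t }'
}

# CPU busy percentage since boot, from the aggregate "cpu" line of /proc/stat
# (field 5 is idle time; all fields summed are total jiffies)
cpu_load() {
    printf '%s\n' "$1" | awk '/^cpu / { for (i = 2; i <= NF; i++) tot += $i
        printf "%.1f%%\n", (tot - $5) * 100 / tot }'
}

# Established TCP connections: state column (4th field) is 01 in /proc/net/tcp
tcp_established() {
    printf '%s\n' "$1" | awk 'NR > 1 && $4 == "01" { n++ } END { print n + 0 }'
}

# LVM in use: any device whose TYPE column (6th in default lsblk output) is lvm
lvm_in_use() {
    printf '%s\n' "$1" | awk '$6 == "lvm" { f = 1 } END { print f ? "yes" : "no" }'
}

# sudo commands run: one COMMAND= entry per invocation in the sudoers logfile
# configured in step 4 (/var/log/sudo/sudo_config on this page)
sudo_count() {
    printf '%s\n' "$1" | grep -c 'COMMAND='
}

main() {
    echo "#Architecture: $(uname -a)"
    echo "#Memory Usage: $(mem_usage "$(cat /proc/meminfo)")"
    echo "#CPU load: $(cpu_load "$(cat /proc/stat)")"
    echo "#Last boot: $(who -b | awk '{ print $3, $4 }')"
    echo "#LVM use: $(lvm_in_use "$(lsblk)")"
    echo "#Connections TCP: $(tcp_established "$(cat /proc/net/tcp)") ESTABLISHED"
    echo "#User log: $(who | wc -l)"
    echo "#Sudo: $(sudo_count "$(cat /var/log/sudo/sudo_config 2>/dev/null)") cmd"
}

# Broadcast only when invoked as monitoring.sh (as the cron rule above does),
# so the functions can be sourced or tested without writing to every terminal
case "$0" in *monitoring.sh) main | wall ;; esac
```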

Bonus Part

  1. Verify the partitions and set them up correctly
  2. lighttpd
    • sudo apt install lighttpd - install lighttpd
    • dpkg -l | grep lighttpd - verify lighttpd installation
    • sudo ufw allow 80 - allow port 80 in firewall for lighttpd
    • Configuration after WordPress Installation
  3. MariaDB
    • sudo apt install mariadb-server - install MariaDB
    • dpkg -l | grep mariadb-server - verify MariaDB installation
    • sudo mysql_secure_installation - start script to remove insecure default settings:
      • Switch to unix_socket authentication? No
      • Change the root password? No
      • Remove anonymous users? Yes
      • Disallow root login remotely? Yes
      • Remove test database and access to it? Yes
      • Reload privilege tables now? Yes
      • sudo mariadb - login to MariaDB console
        • CREATE DATABASE <database-name>; - create new database - CREATE DATABASE TestDatabase;
        • GRANT ALL ON TestDatabase.* TO '<user>'@'localhost' IDENTIFIED BY '<password>' WITH GRANT OPTION; - create a new database user and grant them full privileges on the newly created database
        • FLUSH PRIVILEGES; - flush the privileges
        • exit
        • mariadb -u <user> -p - login with user and password - mariadb -u admin -p
        • SHOW DATABASES; - to view database created
        • exit
  4. PHP
    • sudo apt install php-cgi php-mysql - install php-cgi and php-mysql
    • dpkg -l | grep php - verify php installation
  5. WordPress
    • sudo apt install wget - install wget
    • sudo wget http://wordpress.org/latest.tar.gz -P /var/www/html - download WordPress to /var/www/html
    • cd /var/www/html
    • sudo tar -xvzf /var/www/html/latest.tar.gz - extract downloaded content
    • sudo rm /var/www/html/latest.tar.gz - delete .tar file
    • sudo cp -r /var/www/html/wordpress/* /var/www/html - copy content to /var/www/html
    • sudo rm -rf /var/www/html/wordpress - remove /var/www/html/wordpress
    • sudo cp /var/www/html/wp-config-sample.php /var/www/html/wp-config.php - create WordPress configuration file from its sample
  6. lighttpd Configuration:
    • sudo lighty-enable-mod fastcgi
    • sudo lighty-enable-mod fastcgi-php
    • sudo service lighttpd force-reload
  7. FTP - File Transfer Protocol [extra service]
    • sudo apt install vsftpd - install FTP
    • dpkg -l | grep vsftpd - verify FTP installation
    • sudo ufw allow 21 - allow incoming connections using Port 21
    • sudo nano /etc/vsftpd.conf - configure FTP
      • uncomment write_enable=YES
      • create the root folder for the FTP-connected user (vsftpd refuses to chroot into a directory the user can write to, hence chmod a-w on the top level; uploads go into files/):
      ```bash
      sudo mkdir /home/<user>/ftp
      sudo mkdir /home/<user>/ftp/files
      sudo chown nobody:nogroup /home/<user>/ftp
      sudo chmod a-w /home/<user>/ftp
      ```
      • add below lines to vsftpd.conf to use that folder as the root:
      ```
      user_sub_token=$USER
      local_root=/home/$USER/ftp
      ```
      • uncomment chroot_local_user=YES to prevent the user from accessing files or using commands outside the directory tree
      • create the whitelist of users allowed to use FTP:
      ```bash
      sudo nano /etc/vsftpd.userlist       # edit by hand, or append with:
      echo <user> | sudo tee -a /etc/vsftpd.userlist
      ```
      • add below lines to vsftpd.conf to enable the whitelist (userlist_deny=NO makes the file an allow list):
      ```
      userlist_enable=YES
      userlist_file=/etc/vsftpd.userlist
      userlist_deny=NO
      ```
    • connect to server via FTP → ftp <ip>

  8. LiteSpeed [extra service]
    • sudo apt update
    • sudo apt upgrade
    • wget -O - http://rpms.litespeedtech.com/debian/enable_lst_debian_repo.sh | sudo bash - add the repository for OpenLiteSpeed (the script is fetched over plain HTTP and run as root; download and read it before piping it to bash)
    • sudo apt install openlitespeed - install OpenLiteSpeed
    • sudo /usr/local/lsws/admin/misc/admpass.sh - change default password (123456) to your password
      • user: idroot
      • password: your choice
    • sudo ufw allow 8088/tcp - allow ports for OpenLiteSpeed
    • sudo ufw allow 7080/tcp - allow ports for OpenLiteSpeed
    • sudo ufw reload - restart ufw
    • connect in browser with: IP:7080

Signature

  • Power off the VM
  • Open terminal:
    • cd sgoinfre/Born2beroot
    • shasum Born2beroot.vdi
    • Copy the signature and save as signature.txt - c9af2694e4bc28d1403e307a3407c47c9f489489

Script, Testing and Evaluation

  1. Script
  2. Testing
  3. Evaluation

Embed links

libpam-pwquality → provides common functions for password quality checking.

Debian -- Details of package libpam-pwquality in stretch

wall / cron command

The crontab has the following format:

[minutes] [hours] [days of the month] [month] [days of the week] [user] [command]

Minutes: enter numbers from 0 to 59;

Hours: enter numbers from 0 to 23;

Days of the month: enter numbers from 0 to 31;

Month: enter numbers from 1 to 12;

Days of the week: enter numbers from 0 to 7 (Monday-Sunday);

User: the user who will run the command (not needed if the user's own crontab file is used);

Command: the task to be run.

In place of these values you can enter * (asterisk) to specify constant execution. For example, if the days-of-the-month field contains *, the related command will run every day.

Using cron and crontab to schedule tasks

Wall command in Linux


lighttpd:

lighttpd is a secure, fast, compliant, and very flexible web server that has been optimized for high-performance environments. lighttpd uses memory and CPU efficiently and has lower resource use than other popular web servers. Its advanced feature set (FastCGI, CGI, Auth, Output-Compression, URL-Rewriting and much more) makes lighttpd the perfect web server for all systems, small and large.

Home - Lighttpd - fly light

MariaDB:

MariaDB Foundation - MariaDB.org
