School 42 Málaga cursus project
This is a repository to prepare the evaluation of the School 42 project Born2beRoot. All the contents of this README.md are listed to help during the evaluation of the project, with useful commands, code and the explanation of the functionalities and tasks that will be tested. For more details about this project, read the subject.
- Why a virtual machine(VM)?
- Differences between CENTOS and Debian
- APT and aptitude
- SELinux and AppArmor
- UFW(Uncomplicated Firewall)
- Password policy
- LVM (Logical Volume Manager)
- SSH (Secure SHell)
- Cron
- Lighttpd
- Fail2ban
## Why a virtual machine (VM)?

The main purpose of VMs is to run multiple operating systems (OS) at the same time on the same physical machine. Companies that use many applications would otherwise need different hardware configurations, which have a high maintenance cost in addition to taking up physical space. VMs are the answer to this and other problems, because a VM emulates a complete machine on which a separate OS runs. This is a list of the most common reasons to install a VM:
- Test software for a different OS
- Run old or incompatible software
- Develop software for other platforms
- Handle potential malware safely
- Clone a system to another machine
## APT and aptitude

Both are related to package management. They are used for package search, removal and installation, but have different approaches.
APT is an open source tool created for the Debian project. APT is designed to handle the installation and removal of software; it was originally built for Debian's `.deb` package format, but it now also works with the RPM Package Manager. It includes the command line programs `apt`, `apt-get` and `apt-cache`.
APT searches a list of cached packages and shows the dependencies that need to be installed or updated. APT automatically downloads, configures and installs dependencies.
Updating installed packages involves these commands:

- `update` is used to sync the package index files from their sources.
- `upgrade` is used to install the latest versions of all packages currently installed on the system from the sources listed in `/etc/apt/sources.list`. Installed packages with new versions available are downloaded and updated; under no circumstances are installed packages removed, or packages that are not yet installed downloaded and installed. New versions that cannot be updated without changing the package state will remain at their current version.
- `full-upgrade` (`apt`) and `dist-upgrade` (`apt-get`), in addition to updating, also handle changing dependencies with new package versions; `apt` and `apt-get` have a smart conflict resolution system and will try to update more important packages at the expense of less important ones if necessary. The `/etc/apt/sources.list` file contains a list of locations from which to download the desired package files. `aptitude` has a smarter dist-upgrade function called `full-upgrade`.
`aptitude` is an interface to APT. It displays a list of software packages and allows the user to interactively choose which ones to install or remove. It has a search system that uses flexible patterns, which makes it easy for the user to understand the complex dependency relationships that may exist between packages. Originally it was designed for Debian GNU/Linux distributions, but nowadays it can also be used in distributions based on RPM packages.
You need three essential points: user, port and server.
To use `aptitude` from the command line, like `apt-get`, you must be logged in as super-user (root) or use the `sudo` command. In this link you can find a list of common aptitude commands.
The main difference is that aptitude is a high-level package manager, while APT is a lower-level package manager that can be used by other higher-level package managers. Other main points that separate these two package managers are:

Aptitude is vaster in functionality than `apt-get` and integrates the functionalities of `apt-get` and its other variants, including `apt-mark` and `apt-cache`. While `apt-get` handles package installation, upgrading, system upgrading, purging packages, resolving dependencies and so on, aptitude handles a lot more than APT, including the functionalities of `apt-mark` and `apt-cache`, i.e. searching for a package in the list of installed packages, marking a package as automatically or manually installed, holding a package to make it unavailable for upgrading, and so on. (source)
## SELinux and AppArmor

SELinux is a security architecture for Linux systems that gives administrators more control over who can access the system. SELinux defines access controls for applications, processes and files within a system. It uses security policies, which consist of a set of rules that tell SELinux which elements can be accessed.

AppArmor is a Linux kernel security module that allows the system administrator to restrict the capabilities of a program.
## UFW (Uncomplicated Firewall)

UFW is a firewall developed by Ubuntu that stands out for its simplicity. From the command line it configures iptables using a small number of simple commands. UFW is written in Python and is a GNU/Linux program.

Check UFW status (`sudo ufw status`; `verbose` also lists the default policies):

```shell
$ sudo ufw status verbose
```

Check AppArmor status:

```shell
$ sudo aa-status
```

Check the OS (Operating System):

```shell
$ lsb_release -a
```

Add a user to a group:

```shell
$ sudo adduser <username> <group>
```

Check if a user is in a group:

```shell
$ getent group <groupname>
```

Get all groups of a user:

```shell
$ id -Gn <username>
```

List all groups and users:

```shell
$ getent group
```
## Password policy

- Passwords have to expire every 30 days.
- 2 must be the minimum number of days before being allowed to change a password.
- The user must receive a warning message 7 days before their password expires.
- A password must be at least 10 characters long.
- It must contain an uppercase letter and a number. Also, it must not contain more than 3 consecutive identical characters.
- The password must not include the name of the user.
- The following rule does not apply to the root password: The password must have at least 7 characters that are not part of the former password.
Check the password rules:

```shell
$ sudo cat /etc/login.defs
```

These three values are changed in the `/etc/login.defs` file, in the "Password aging controls" section:

```
PASS_MAX_DAYS 30
PASS_MIN_DAYS 2
PASS_WARN_AGE 7
```

Now we have to check the `/etc/security/pwquality.conf` configuration file:

```shell
$ sudo cat /etc/security/pwquality.conf
```

These are the values that need to be modified in the configuration file:

```
# Number of characters in the new password that must not be present in the old password.
difok = 7
# The minimum acceptable size for the new password (plus one if credits are not disabled which is the default).
minlen = 10
# The maximum credit for having digits in the new password. If less than 0 it is the minimum number of digits in the new password.
dcredit = -1
# The maximum credit for having uppercase characters in the new password. If less than 0 it is the minimum number of uppercase characters in the new password.
ucredit = -1
# The maximum number of allowed consecutive same characters in the new password. The check is disabled if the value is 0.
maxrepeat = 3
# Whether to check if it contains the user name in some form. The check is disabled if the value is 0.
usercheck = 1
# Prompt user at most N times before returning with error. The default is 1.
retry = 3
# Enforces pwquality checks on the root user password. Enabled if the option is present.
enforce_for_root
```
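To make the listed values concrete, here is an added example (not part of the Born2beRoot project, and not libpwquality's own code) that parses a `pwquality.conf`-style text and applies a simplified reading of `difok`, `minlen`, `dcredit`, `ucredit`, `maxrepeat` and `usercheck` to candidate passwords. The real library also scores credits, dictionary words and similarity in more detail; the configuration text uses the page's values and the passwords are constructed samples.

```python
"""Password policy checker modelled on the pwquality.conf values listed above.

Added example (not the project's code or libpwquality): simplified checks for
difok, minlen, dcredit, ucredit, maxrepeat and usercheck.
"""
from typing import Dict, List, Optional, Union

Setting = Union[int, bool]

# Constructed configuration text using the values required by the subject.
SAMPLE_PWQUALITY_CONF = """
# Number of characters in the new password that must not be present in the old password.
difok = 7
minlen = 10
dcredit = -1
ucredit = -1
maxrepeat = 3
usercheck = 1
retry = 3
enforce_for_root
"""


def parse_pwquality(text: str) -> Dict[str, Setting]:
    """Parse 'key = value' lines; a bare key such as enforce_for_root is a flag."""
    settings: Dict[str, Setting] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = int(value)
        else:
            settings[line] = True
    return settings


def longest_run(password: str) -> int:
    """Length of the longest run of consecutive identical characters."""
    longest = run = 1 if password else 0
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        longest = max(longest, run)
    return longest


def check_password(new: str, username: str, old: Optional[str],
                   cfg: Dict[str, Setting]) -> List[str]:
    """Return the violated settings, one entry each (empty list: password passes)."""
    problems: List[str] = []
    minlen = int(cfg.get("minlen", 8))
    if len(new) < minlen:
        problems.append(f"minlen: {len(new)} characters, {minlen} required")
    # A negative credit means "at least that many characters of the class".
    for key, name, pred in (("dcredit", "digit", str.isdigit),
                            ("ucredit", "uppercase", str.isupper)):
        credit = int(cfg.get(key, 0))
        if credit < 0 and sum(1 for c in new if pred(c)) < -credit:
            problems.append(f"{key}: at least {-credit} {name} character(s) required")
    maxrepeat = int(cfg.get("maxrepeat", 0))
    if maxrepeat and longest_run(new) > maxrepeat:
        problems.append(f"maxrepeat: more than {maxrepeat} consecutive identical characters")
    if cfg.get("usercheck", 1) and username:
        lowered, user = new.lower(), username.lower()
        if user in lowered or user[::-1] in lowered:
            problems.append("usercheck: password contains the user name")
    if old is not None:
        # Simplified difok: characters of the new password absent from the old one.
        different = sum(1 for c in new if c not in old)
        difok = int(cfg.get("difok", 1))
        if different < difok:
            problems.append(f"difok: only {different} new characters, {difok} required")
    return problems


CONFIG = parse_pwquality(SAMPLE_PWQUALITY_CONF)

if __name__ == "__main__":
    for candidate in ("Secure1234", "password", "Alice2024xyz"):
        print(candidate, check_password(candidate, "alice", None, CONFIG) or "OK")
```

Each violation is reported under the name of the setting that rejects it, so the output maps directly back to the lines of `pwquality.conf` an evaluator asks about; the `difok` check only runs when an old password is supplied, which is how a first password for a new user passes it.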
Add a new user:

```shell
$ sudo useradd <username>
```

List users:

```shell
$ less /etc/passwd
```

Create the user's login password:

```shell
$ sudo passwd <username>
```

Create a new group:

```shell
$ groupadd <groupname>
```

Check the hostname:

```shell
$ hostnamectl
```

Change the hostname. After modifying the hostname, it is necessary to reboot the machine to apply the changes:

```shell
$ sudo nano /etc/hostname
```

Another way of doing this is:

```shell
$ sudo hostnamectl set-hostname <new_hostname>
```

Then reboot the machine:

```shell
$ reboot
```

Change from user to root user (remember to use the root password!):

```shell
$ sudo su
```

Check partitions during the evaluation:

```shell
$ lsblk
```
## LVM (Logical Volume Manager)

LVM is software that allows the implementation of RAID (Redundant Array of Inexpensive Disks) from partitions and offers them to the operating system as new devices. To operate, it assigns the disks to one or more physical volumes, which must be partitioned as LVM type. LVM storage volumes can be resized and moved depending on user needs, using up-to-date tools.

- The restrictions of physical devices are eliminated.
- It performs snapshots, which allow the current state of a logical volume to be stored and a backup copy of the file system to be made. It is also fault tolerant, so a drive is easily replaceable should it ever fail.
Check all sudo logs. The file is `/var/log/sudo/sudo.log`:

```shell
$ sudo cat /var/log/sudo/sudo.log
```
## Cron

Cron (or crontab, short for chrono table) is a program that enables the execution of scripts or software automatically, at a certain date and time or at a specified interval. It is installed by default in Debian (we can check this with the `apt list cron` command). To test and understand the Cron service, you can use this page.

Check the Cron service:

```shell
$ crontab -e
```

Check the crontab jobs:

```shell
$ sudo cat /var/spool/cron/crontabs/<username/root>
```

Disable the Cron service:

```shell
$ sudo systemctl disable cron
```
`monitoring.sh` is a script that displays a message on the terminals of all logged-in users. It searches for certain values and saves them in variables to print on screen. `sleep.sh` calculates the amount of time that the virtual machine has been turned on, so that the `monitoring.sh` message is printed on the screen every ten minutes counted from system start.

Check `monitoring.sh` (Cron service scripts):

```shell
$ sudo cat /root/monitoring.sh
```

Check `sleep.sh` (creates a sleep delay):

```shell
$ sudo cat /root/sleep.sh
```
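The two pieces of the Cron section, the crontab schedule and the boot-aligned delay of `sleep.sh`, are shown together in the following added example. It is not the project's own `monitoring.sh` or `sleep.sh`: `matches()` implements the rules of a five-field crontab line (`*`, `*/n`, `a-b`, `a,b` and single values, including cron's rule that a restricted day-of-month and a restricted day-of-week are combined with OR), and `delay_until_next_period()` computes how long to sleep so the next message lands on a ten-minute boundary since boot. The crontab lines and the `/proc/uptime` text are constructed; the 600-second period is the page's "every ten minutes".

```python
"""Crontab schedule matching and the boot-aligned delay described for sleep.sh.

Added example, not the project's monitoring.sh or sleep.sh.
"""
from datetime import datetime
from typing import Set

# Inclusive value ranges of the five crontab fields: minute, hour, dom, month, dow.
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]


def expand_field(spec: str, low: int, high: int) -> Set[int]:
    """Expand one crontab field into the set of integer values it matches."""
    allowed: Set[int] = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = low, high
        elif "-" in part:
            first, last = part.split("-", 1)
            start, end = int(first), int(last)
        else:
            start = int(part)
            end = high if step > 1 else start  # "5/10" means 5,15,25,...
        if not (low <= start <= end <= high) or step < 1:
            raise ValueError(f"field {spec!r} outside {low}-{high}")
        allowed.update(range(start, end + 1, step))
    return allowed


def matches(crontab_line: str, when: datetime) -> bool:
    """True if the schedule part of a crontab line fires at the given minute."""
    fields = crontab_line.split()
    if len(fields) < 5:
        raise ValueError("expected five schedule fields")
    minute, hour, dom, month, dow = (
        expand_field(f, lo, hi) for f, (lo, hi) in zip(fields[:5], FIELD_RANGES))
    if 7 in dow:  # cron accepts both 0 and 7 for Sunday
        dow.add(0)
    cron_dow = (when.weekday() + 1) % 7  # Python: Monday=0; cron: Sunday=0
    dom_ok, dow_ok = when.day in dom, cron_dow in dow
    # Vixie cron rule: when both day fields are restricted (neither starts
    # with '*'), the job runs if EITHER matches; otherwise both must match.
    if not fields[2].startswith("*") and not fields[4].startswith("*"):
        day_ok = dom_ok or dow_ok
    else:
        day_ok = dom_ok and dow_ok
    return (when.minute in minute and when.hour in hour
            and when.month in month and day_ok)


def fires_at(crontab_line: str, *ymdhm: int) -> bool:
    """Convenience wrapper: fires_at(line, year, month, day, hour, minute)."""
    return matches(crontab_line, datetime(*ymdhm))


def parse_proc_uptime(text: str) -> float:
    """Seconds since boot, from the first field of /proc/uptime."""
    return float(text.split()[0])


def delay_until_next_period(uptime_seconds: float, period: int = 600) -> int:
    """Seconds to sleep so the next run lands on a whole multiple of `period` since boot."""
    elapsed = int(uptime_seconds) % period
    return 0 if elapsed == 0 else period - elapsed


if __name__ == "__main__":
    line = "*/10 * * * * /root/monitoring.sh"        # constructed crontab line
    print(fires_at(line, 2024, 1, 1, 12, 30))          # True
    uptime = parse_proc_uptime("1230.55 4800.10")      # constructed /proc/uptime
    print(delay_until_next_period(uptime))             # 570
```

The day-of-month/day-of-week OR rule is the part people most often get wrong when reading a crontab by hand; a line like `0 0 16 * 1` runs on the 16th and on every Monday, not only on Mondays that fall on the 16th.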
## SSH (Secure SHell)

SSH is the name of a protocol and of the program that implements it, whose main function is remote access to a server through a secure channel in which all information is encrypted. It is a protocol that allows secure communications between two systems using a client/server architecture and authorizes users to connect to a host remotely. Unlike other remote communication protocols such as FTP or Telnet, SSH encrypts the connection session, so nobody watching the network can obtain the passwords in clear text.

By accessing a remote server through the SSH protocol, security risks are considerably reduced. Both on the client side and on the system itself, security is improved thanks to encryption: SSH encrypts every session. Thus, someone listening on the network cannot read the passwords, the client's access data or what the client has typed.

Connect to the VM via SSH:

```shell
$ ssh <username>@localhost -p 4242
```

Check SSH status (`sudo service ssh status`):

```shell
$ sudo service ssh status
```

Check the SSH config file:

```shell
$ sudo cat /etc/ssh/sshd_config
```
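Reading `sshd_config` by hand has two traps: directive names are case-insensitive, and for most directives the first occurrence wins, while anything after the first `Match` block only applies conditionally. The following added example (not OpenSSH's parser and not part of the project) applies those rules to a constructed config and checks that the listening port is 4242, the port the `ssh` command above uses. The `PermitRootLogin` check is an assumed hardening value that this page does not state, so it is optional.

```python
"""Audit of an sshd_config text for the port the page expects (added example)."""
from typing import Dict, List, Optional

# Constructed sample of /etc/ssh/sshd_config (not the project's real file).
SAMPLE_SSHD_CONFIG = """\
#Port 22
Port 4242
Port 2222
#AddressFamily any
PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
"""

# Directives for which sshd accepts several lines (all of them take effect).
MULTI_VALUED = {"port", "listenaddress"}


def effective_settings(text: str) -> Dict[str, List[str]]:
    """Map lower-cased directive name to its effective value(s) outside Match blocks."""
    settings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # everything below is conditional on the Match criteria
        if key in MULTI_VALUED:
            settings.setdefault(key, []).append(value)
        else:
            settings.setdefault(key, [value])  # first occurrence wins
    return settings


def audit(text: str, expected_port: int = 4242,
          expected_root_login: Optional[str] = "no") -> List[str]:
    """Return findings (empty list means the config matches the expectations)."""
    cfg = effective_settings(text)
    findings: List[str] = []
    ports = [int(p) for p in cfg.get("port", ["22"])]  # 22 is sshd's default
    if ports != [expected_port]:
        findings.append(f"port: sshd listens on {ports}, expected only {expected_port}")
    if expected_root_login is not None:
        # Assumption: 'no' is a common hardening value, not a requirement stated here.
        root_login = cfg.get("permitrootlogin", ["prohibit-password"])[0]
        if root_login != expected_root_login:
            findings.append(f"permitrootlogin: {root_login}, expected {expected_root_login}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SSHD_CONFIG) or ["OK"]:
        print(finding)
```

The sample deliberately keeps a second `Port 2222` line: unlike most directives, every `Port` line opens a listener, so a stray extra line widens exposure even though `Port 4242` is present.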
## Lighttpd

Lighttpd (pronounced "lighty") is an open-source web server optimized for speed-critical environments while remaining standards-compliant, secure and flexible.

Check lighttpd:

```shell
$ sudo systemctl status lighttpd
```

To check that lighttpd is working: in a browser on the host machine, connect to the following address and port (and log in to WordPress): http://127.0.0.1:8080.

We can also check that PHP is correctly installed: http://127.0.0.1:8080/info.php

Check the PHP version:

```shell
$ php -v
```
## Fail2ban

Fail2ban is a program that analyses server logs to identify and ban suspicious IP addresses. If it finds multiple failed login attempts or automated attacks from an IP address, it can block it with the firewall, either temporarily or permanently.

Check Fail2ban:

```shell
$ sudo systemctl status fail2ban
```
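To show what "multiple failed login attempts from an IP address" means in practice, here is an added example (not Fail2ban's own code) that applies the same idea to constructed `sshd` log lines: failed logins are counted per source address inside a sliding time window, and an address is banned once it reaches the threshold. The `maxretry` and `findtime` values are assumptions, not the project's jail settings, and the year is assumed because syslog timestamps carry none.

```python
"""Fail2ban-style detection over constructed sshd log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

FAILED_LOGIN = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+")

# Constructed sample of /var/log/auth.log lines in the format sshd writes on Debian.
SAMPLE_LOG = """\
Jan  5 10:00:01 b2br sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan  5 10:00:04 b2br sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Jan  5 10:00:09 b2br sshd[1205]: Failed password for root from 203.0.113.7 port 51238 ssh2
Jan  5 10:00:15 b2br sshd[1207]: Failed password for alice from 192.0.2.10 port 40022 ssh2
Jan  5 10:00:20 b2br sshd[1207]: Accepted password for alice from 192.0.2.10 port 40022 ssh2
Jan  5 10:05:00 b2br sshd[1210]: Failed password for invalid user test from 198.51.100.23 port 33001 ssh2
Jan  5 10:30:00 b2br sshd[1214]: Failed password for invalid user test from 198.51.100.23 port 33002 ssh2
Jan  5 10:50:00 b2br sshd[1218]: Failed password for invalid user test from 198.51.100.23 port 33003 ssh2
"""


def parse_line(line: str, year: int) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, user, ip) for a failed-login line, else None."""
    m = FAILED_LOGIN.search(line)
    if not m:
        return None
    # The first 15 characters are the syslog timestamp, which has no year.
    stamp = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    return stamp, m.group("user"), m.group("ip")


def find_bans(log_text: str, maxretry: int = 3, findtime: int = 600,
              year: int = 2024) -> List[Tuple[str, datetime]]:
    """Ban an address once it has `maxretry` failures within `findtime` seconds.

    maxretry/findtime are assumed values, not the project's jail settings.
    """
    window = timedelta(seconds=findtime)
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    bans: List[Tuple[str, datetime]] = []
    banned = set()
    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        stamp, _user, ip = parsed
        if ip in banned:
            continue
        hits = recent[ip]
        hits.append(stamp)
        while hits and stamp - hits[0] > window:  # slide the window forward
            hits.popleft()
        if len(hits) >= maxretry:
            banned.add(ip)
            bans.append((ip, stamp))
    return bans


def failures_per_ip(log_text: str, year: int = 2024) -> Dict[str, int]:
    """Total failed logins per source address, ignoring the time window."""
    counts: Dict[str, int] = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed:
            counts[parsed[2]] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG):
        print(f"ban {ip} at {when:%H:%M:%S}")
```

Note the third address in the sample: it fails three times in total but never three times inside a ten-minute window, so with these settings it is never banned; widening `findtime` or lowering `maxretry` changes that, which is exactly the trade-off the jail settings express.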
Get the VM disk ID:

```shell
$ shasum <path-to.vdi>
```