
roger-skyline-1

Summary

V.1 VM Part

Hypervisor: VirtualBox; Linux OS: Debian (64-bit); size of the hard disk is 8.00 GB (VDI, fixed size). Next you should run the virtual machine and specify the image of the OS - I downloaded debian-10.1.0-amd64-netinst.iso from https://www.debian.org/distrib/.

specify_img

Then you need to set up your Debian. The process is quite simple, but I'll pay some attention to the Partition disks part. Choose Partition method as manual and next choose:

partition_1

then:

partition_2

Go for Create a new partition and specify the new partition size:

partition_3

Choose type and location (I chose beginning); choose the file system (I went for / - the root file system):

partition_4

I created 2 partitions: one primary with mount point on / (the root of the OS) and 4.2GB capacity, and a second logical one with mount point on the /home dir and 4.4GB of space:

partition_5

Then go for Finish partitioning and write changes to disk. Finally, I did not install a desktop environment; GRUB I accepted.

V.2 Network and Security Part

You must create a non-root user to connect to the machine and work.

Non-root login was created while setting up the OS. Just log in.

Use sudo, with this user, to be able to perform operation requiring special rights.

First, we need to install sudo, which we can do only as root, so:

$ su
$ apt-get update -y && apt-get upgrade -y
$ apt-get install sudo vim -y

Exit root mode:

$ exit

But now, if we try to use sudo, the OS will respond: kseniia is not in the sudoers file. This incident will be reported. That means we need to open the /etc/sudoers file (again as root). Don't forget to check the rights on the file (it must be writable!).

$ pwd
/etc
$ chmod +w sudoers
$ vim sudoers

Add username ALL=(ALL:ALL) ALL to the # User privilege specification section:

sudoers
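The same grant done as a drop-in under /etc/sudoers.d, as an added example that is not part of the original repo: the entry is syntax-checked with visudo (when present) and installed with the 0440 mode sudo expects, instead of loosening the rights on /etc/sudoers itself. The target directory is a parameter so it can be tried outside /etc.

```shell
# Added example, not from the original repo: grant sudo via a drop-in file.

# grant_sudo USER [DIR] -> 0 on success, 1 on a bad user name, 2 if visudo rejects the entry
grant_sudo() {
    user=$1; dir=${2:-/etc/sudoers.d}
    # sudo skips drop-in files whose names contain '.' or '~'; keep the name and entry safe
    case $user in ""|*[!a-z0-9_-]*) return 1 ;; esac
    tmp=$(mktemp) || return 1
    printf '%s ALL=(ALL:ALL) ALL\n' "$user" > "$tmp"
    chmod 0440 "$tmp"                                    # the mode sudo insists on
    if command -v visudo >/dev/null 2>&1 && ! visudo -cf "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"; return 2                           # never install a file sudo would reject
    fi
    mv "$tmp" "$dir/$user"
}

# sudo_entry_for USER DIR -> the line granting USER in DIR, or nothing
sudo_entry_for() { grep -h "^$1 " "$2"/* 2>/dev/null || true; }
```

A rejected file never reaches the directory, so a typo cannot lock you out of sudo the way a broken /etc/sudoers can.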

We don’t want you to use the DHCP service of your machine. You’ve got to configure it to have a static IP and a Netmask in /30.

First, go to VirtualBox settings -> Network -> in the Attached to subsection change NAT to Bridged Adapter. I like using ifconfig, that's why I'll install it (it's always possible to use ip instead):

$ sudo apt-get install net-tools
$ sudo ifconfig

As we see, the name of our bridged adapter is enp0s3. Let's set up a static IP (not a dynamic one) - see How to setup a Static IP address on Debian Linux and Network of VirtualBox instances with static IP addresses and Internet access.

1. We should modify the /etc/network/interfaces network config file (don't forget to run $ sudo chmod +w interfaces):

interfaces

Network configuration file /etc/network/interfaces

2. Define your network interfaces separately within the /etc/network/interfaces.d/ directory. During networking daemon initialisation the /etc/network/interfaces.d/ directory is searched for network interface configurations. Any network configuration found is included as part of /etc/network/interfaces. So:

$ cd interfaces.d
$ sudo touch enp0s3
$ sudo vim enp0s3

enp0s3

Next restart the network service:

$ sudo service networking restart

Run ifconfig to see the result:

ifconfig_res
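The arithmetic behind the /30 netmask used in this section, plus the interfaces.d stanza it implies, as an added example that is not part of the original repo. It uses the page's addresses (192.168.10.42 for the VM, 192.168.10.41 for the host); no gateway line is emitted because the page does not state one.

```shell
# Added example, not from the original repo: /30 arithmetic and the enp0s3 stanza.

# ip_to_int 192.168.10.42 -> 3232238122
ip_to_int() {
    a=${1%%.*}; r=${1#*.}
    b=${r%%.*}; r=${r#*.}
    c=${r%%.*}; d=${r#*.}
    echo $(( (a << 24) + (b << 16) + (c << 8) + d ))
}

# int_to_ip 3232238120 -> 192.168.10.40
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr30_network IP -> network address of the /30 containing IP (low 2 bits cleared)
cidr30_network() {
    int_to_ip $(( $(ip_to_int "$1") & ~3 ))
}

# cidr30_hosts IP -> the only two usable addresses in that /30 (network+1, network+2);
# network+3 is the broadcast address, so a /30 has room for exactly these two
cidr30_hosts() {
    net=$(ip_to_int "$(cidr30_network "$1")")
    echo "$(int_to_ip $(( net + 1 ))) $(int_to_ip $(( net + 2 )))"
}

# same_cidr30 IP1 IP2 -> exit 0 if both sit in the same /30 and can reach each other directly
same_cidr30() {
    [ "$(cidr30_network "$1")" = "$(cidr30_network "$2")" ]
}

# interfaces_stanza IP -> text for /etc/network/interfaces.d/enp0s3 (255.255.255.252 is /30)
interfaces_stanza() {
    printf 'auto enp0s3\niface enp0s3 inet static\n    address %s\n    netmask 255.255.255.252\n' "$1"
}

cidr30_hosts 192.168.10.42                                   # 192.168.10.41 192.168.10.42
same_cidr30 192.168.10.42 192.168.10.41 && echo "host and VM share one /30"
```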

You have to change the default port of the SSH service by the one of your choice. SSH access HAS TO be done with publickeys. SSH root access SHOULD NOT be allowed directly, but with a user who can be root.

Let's check the status of the ssh server:

$ ps -ef | grep sshd

Next we need to change the /etc/ssh/sshd_config file (see Changing the SSH Port for Your Linux Server):

$ sudo vim /etc/ssh/sshd_config

and change the line # Port 22 - remove the # and type the chosen port number; you can use the range from 49152 to 65535 (according to IANA); I chose port number 50000. Restart the sshd service:

$ sudo service sshd restart

Log in with ssh and check the status of our connection:

$ sudo ssh [email protected] -p 50000
$ sudo systemctl status ssh

Finally, let's test the ssh connection from the host. We need to set up SSH public key authentication (see Setup SSH Public Key Authentication); the OS of my host is macOS Sierra. Run from your host's terminal:

# host terminal

$ ssh-keygen -t rsa

To connect 2 interfaces they must be in one subnet; only 2 IP addresses are available for the VM's link (because we use netmask /30): 192.168.10.42 (for the VM, the IP addr that we set) and 192.168.10.41 (for the host). We need to set the IP addr on the host: System Preferences -> Network -> Advanced -> TCP/IP -> Select Manual -> Enter the new IP addr (192.168.10.41) -> Apply; you can also try to change the IP via ifconfig. Now we can connect to our server (VM):

# host terminal

$ ping 192.168.10.42
$ ssh [email protected] -p 50000
$ exit   # log out from the ssh session

The last step is HOW DO I DISABLE SSH LOGIN FOR THE ROOT USER?. To disable root SSH login, edit /etc/ssh/sshd_config, changing the line # PermitRootLogin yes to PermitRootLogin no. Restart the SSH daemon: sudo service sshd restart. And read Why should I really disable root ssh login?
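The three sshd_config changes of this section applied and verified by a script, as an added example that is not the repo's own code. It works on any file path so it can be tried on a copy first; the PasswordAuthentication no line is my addition (publickey-only access needs it), not something the page sets.

```shell
# Added example, not from the original repo: apply and check the sshd settings.

# harden_sshd_config FILE [PORT] -> rewrite FILE so each key is defined exactly once
harden_sshd_config() {
    cfg=$1; port=${2:-50000}
    tmp=$(mktemp) || return 1
    # sshd uses the first definition of a key, so drop every existing one
    # (commented or not) before appending ours; grep exits 1 if nothing is left
    grep -Ev '^[[:space:]]*#?[[:space:]]*(Port|PermitRootLogin|PubkeyAuthentication|PasswordAuthentication)[[:space:]]' \
        "$cfg" > "$tmp" || [ $? -eq 1 ]
    {
        echo "Port $port"
        echo "PermitRootLogin no"          # become root via sudo instead
        echo "PubkeyAuthentication yes"
        echo "PasswordAuthentication no"   # my addition: forces key-based logins
    } >> "$tmp"
    cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# sshd_setting FILE KEY -> the value sshd would use (first uncommented match);
# ignores Match blocks, which the stock Debian file does not use
sshd_setting() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# check_sshd_config FILE PORT -> exit 0 only if every requirement of this section holds
check_sshd_config() {
    [ "$(sshd_setting "$1" Port)" = "$2" ] &&
    [ "$(sshd_setting "$1" PermitRootLogin)" = "no" ] &&
    [ "$(sshd_setting "$1" PubkeyAuthentication)" = "yes" ] &&
    [ "$(sshd_setting "$1" PasswordAuthentication)" = "no" ]
}
```

Run sshd -t -f /etc/ssh/sshd_config before restarting the daemon, and keep the current session open until a fresh key-based login on the new port succeeds.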

You have to set the rules of your firewall on your server only with the services used outside the VM.

I'll set up a firewall with the help of UFW (Uncomplicated Firewall), which is an interface to iptables geared towards simplifying the process of configuring a firewall.

By the way - a couple of times I had a problem with apt-get install: for some reason my VM could not reach the package server, and ping did not work either. Solution for the problem apt-get update fails to fetch files, “Temporary failure resolving …” error: open the /etc/resolv.conf file on your host, copy the nameserver value (nameserver fdb8:8db8:81bd::1) and modify /etc/resolv.conf on the VM with this value.

$ sudo apt-get install ufw
$ sudo ufw status
$ sudo ufw enable

We can allow or deny by service name since ufw reads from /etc/services. To get a list of services:

$ less /etc/services

Let's allow the services that we need:

# allow ssh
$ sudo ufw allow 50000/tcp
# allow http
$ sudo ufw allow 80/tcp
# allow https
$ sudo ufw allow 443

Now let's check the status of our firewall:

ufw_status

Here are some useful links:

You have to set a DOS (Denial Of Service Attack) protection on your open ports of your VM.

There are a lot of methods to set up DOS protection: see A guide to secure your server from DDoS! Let's use one of those listed in the link - Fail2Ban:

$ sudo apt-get install iptables fail2ban apache2

Fail2Ban keeps its configuration files in the /etc/fail2ban folder. The main configuration file there is jail.conf. This file can be modified by package upgrades, so we will keep a copy of it as jail.local and edit that instead.

$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
$ sudo vim /etc/fail2ban/fail2ban.local

1. SSH protocol security (protect open port 50000). Edit /etc/fail2ban/jail.local:

fail2ban_ssh

2. HTTP protocol security (protect our port 80). Edit /etc/fail2ban/jail.local:

fail2ban_http

Now we need to create the filter. To do that, create the file /etc/fail2ban/filter.d/http-get-dos.conf and add this text:

http-get-dos.png

Finally:

$ sudo ufw reload
$ sudo service fail2ban restart

Let's see the result:

fail2ban_check

You have to set a protection against scans on your VM’s open ports.

$ sudo apt-get install portsentry

Modify the file /etc/default/portsentry:

TCP_MODE="atcp"
UDP_MODE="audp"

We also want portsentry to actually block. We therefore need to activate it by setting BLOCK_UDP and BLOCK_TCP to 1; modify /etc/portsentry/portsentry.conf:

##################
# Ignore Options #
##################
# 0 = Do not block UDP/TCP scans.
# 1 = Block UDP/TCP scans.
# 2 = Run external command only (KILL_RUN_CMD)

BLOCK_UDP="1"
BLOCK_TCP="1"

We opt for blocking malicious hosts through iptables. We will therefore comment out all lines of the configuration file that begin with KILL_ROUTE except this one:

KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"

Verify your actions (only one uncommented KILL_ROUTE line should remain):

$ grep KILL_ROUTE /etc/portsentry/portsentry.conf | grep -v "#"

Relaunch the portsentry service and it will now begin to block port scans:

$ sudo /etc/init.d/portsentry start

Portsentry logs go to the /var/log/syslog file.

Stop the services you don’t need for this project.

All the services are controlled with special shell scripts in /etc/init.d, so list them:

$ ls /etc/init.d

list_of_services

$ sudo systemctl disable bluetooth.service
$ sudo systemctl disable console-setup.service
$ sudo systemctl disable keyboard-setup.service

Create a script that updates all the sources of package, then your packages and which logs the whole in a file named /var/log/update_script.log. Create a scheduled task for this script once a week at 4AM and every time the machine reboots.

$ touch i_will_update.sh
$ chmod a+x i_will_update.sh

update

$ sudo crontab -e

cron_update
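One possible i_will_update.sh, as an added example that is not the repo's own script: every step's output and exit status goes, timestamped, into the log file the task names, and the upgrade only runs when the source update succeeded. The script path in the crontab lines is an assumption.

```shell
#!/bin/sh
# Added example, not from the original repo: update sources, then packages, fully logged.
# Crontab lines for the required schedule (script path assumed):
#   0 4 * * 1  /home/kseniia/i_will_update.sh    # once a week, 04:00
#   @reboot    /home/kseniia/i_will_update.sh
LOG=${LOG:-/var/log/update_script.log}

# run_logged LOGFILE LABEL CMD... -> runs CMD, appends its output and exit status
# to LOGFILE and returns that status so the caller can stop on failure
run_logged() {
    log=$1; label=$2; shift 2
    printf '%s START %s\n' "$(date '+%F %T')" "$label" >> "$log"
    rc=0
    "$@" >> "$log" 2>&1 || rc=$?
    printf '%s END %s rc=%s\n' "$(date '+%F %T')" "$label" "$rc" >> "$log"
    return "$rc"
}

# update_all LOGFILE -> refresh the package sources, then upgrade the packages
update_all() {
    export DEBIAN_FRONTEND=noninteractive   # cron has no terminal to answer prompts
    run_logged "$1" "apt-get update" apt-get update &&
    run_logged "$1" "apt-get upgrade" apt-get -y upgrade
}

# run only when invoked as the script itself (from cron), not when sourced for testing
case $0 in *i_will_update.sh) update_all "$LOG" ;; esac
```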

Make a script to monitor changes of the /etc/crontab file and sends an email to root if it has been modified. Create a scheduled script task every day at midnight.

$ touch i_will_monitor_cron.sh
$ chmod a+x i_will_monitor_cron.sh

monitor_cron

Add this line to crontab:

* * * * * /home/kseniia/i_will_monitor_cron.sh &
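One possible i_will_monitor_cron.sh, as an added example that is not the repo's own script: it keeps the sha256 of /etc/crontab in a state file and mails root only when the hash changes, so a daily run stays silent unless something was modified. The state-file location and the script path in the midnight crontab line are assumptions.

```shell
#!/bin/sh
# Added example, not from the original repo: alert root when /etc/crontab changes.
# Daily midnight schedule (script path assumed): 0 0 * * * /home/kseniia/i_will_monitor_cron.sh
WATCHED=${WATCHED:-/etc/crontab}
STATE=${STATE:-/var/lib/crontab_monitor.sha256}   # assumed location, root-owned
MAIL_CMD=${MAIL_CMD:-mail}                        # from bsd-mailx, installed below

# file_hash FILE -> sha256 hex digest only
file_hash() { sha256sum "$1" | awk '{ print $1 }'; }

# crontab_changed FILE STATE -> exit 0 and store the new hash if FILE differs from
# the stored hash (the first run records a baseline and counts as a change),
# exit 1 if unchanged, exit 2 if FILE cannot be read
crontab_changed() {
    [ -r "$1" ] || return 2
    new=$(file_hash "$1")
    old=$(cat "$2" 2>/dev/null || true)
    [ "$new" = "$old" ] && return 1
    printf '%s\n' "$new" > "$2"
}

# notify_root -> mail a one-line report to root, or print it if mail is unavailable
notify_root() {
    msg="$(date '+%F %T') $WATCHED was modified, new sha256 $(cat "$STATE")"
    if command -v "$MAIL_CMD" >/dev/null 2>&1; then
        printf '%s\n' "$msg" | "$MAIL_CMD" -s "crontab modified on $(hostname)" root
    else
        printf '%s\n' "$msg"
    fi
}

# run only when invoked as the script itself (from cron), not when sourced for testing
case $0 in *i_will_monitor_cron.sh) crontab_changed "$WATCHED" "$STATE" && notify_root ;; esac
```

Keep the state file writable by root only; if an attacker who can edit /etc/crontab can also rewrite the stored hash, the check is blind.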

To be able to use the mail command, install the bsd-mailx package:

$ sudo apt install bsd-mailx

Install postfix (setup happens after installation):

$ sudo apt install postfix

In postfix setup, select "Local only" to create a local mail server.

  • System mail name: "debian.lan"
  • Root and postmaster mail recipient: "root@localhost"
  • Other destinations to accept mail for: "debian.lan, debian.lan, localhost.lan, , localhost"
  • Force synchronous updates on mail queue? - No
  • Local networks: ENTER
  • Mailbox size limit (bytes): 0 (no limit)
  • Local address extension character: ENTER
  • Internet protocols to use: all

Edit /etc/aliases:

root: root

Then:

$ sudo newaliases

This rebuilds the aliases database.

Then change the home mailbox directory:

$ sudo postconf -e "home_mailbox = mail/"

Restart the postfix service:

$ sudo service postfix restart

Install the CLI (non-graphical) mail client mutt:

$ sudo apt install mutt

Create a config file ".muttrc" for mutt in the /root/ directory and edit it:

set mbox_type=Maildir
set folder="/root/mail"
set mask="!^\\.[^.]"
set mbox="/root/mail"
set record="+.Sent"
set postponed="+.Drafts"
set spoolfile="/root/mail"

Start mutt and exit:

$ mutt
Enter 'q' to exit

Test sending a simple mail to root:

$ echo "Text" | sudo mail -s "Subject" [email protected]

Then login as root and start mutt. The mail should now be visible.

The crontab script should now work.

To copy a file from the host to the VM via SSH: scp -P 50000 i_will_monitor_cron.sh [email protected]:~ (~ means the home dir)

V.3 Web Part

My login page:

login_page

$ scp -P 50000 [email protected]:/var/www/html/index.html .

Generate a self-signed SSL key and certificate:

$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
Country name: UA
State or Province Name: ENTER
Locality Name: ENTER
Organization Name: ENTER
Organizational Unit Name: ENTER
Common Name: 192.168.10.42 (VM IP address)
Email Address: [email protected]

Create the file /etc/apache2/conf-available/ssl-params.conf and edit it:

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On

Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff

SSLCompression off
SSLSessionTickets Off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"

Edit the file /etc/apache2/sites-available/default-ssl.conf so it looks like this:

<IfModule mod_ssl.c>
	<VirtualHost _default_:443>
		ServerAdmin root@localhost
		ServerName 192.168.10.42
		DocumentRoot /var/www/html
		ErrorLog ${APACHE_LOG_DIR}/error.log
		CustomLog ${APACHE_LOG_DIR}/access.log combined
		SSLEngine on
		SSLCertificateFile	/etc/ssl/certs/apache-selfsigned.crt
		SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
		<FilesMatch "\.(cgi|shtml|phtml|php)$">
				SSLOptions +StdEnvVars
		</FilesMatch>
		<Directory /usr/lib/cgi-bin>
				SSLOptions +StdEnvVars
		</Directory>
	</VirtualHost>
</IfModule>

Add a redirect rule to /etc/apache2/sites-available/000-default.conf, to redirect HTTP to HTTPS:

Redirect "/" "https://192.168.10.42/"

Enable everything changed and restart the Apache service:

$ sudo a2enmod ssl
$ sudo a2enmod headers
$ sudo a2ensite default-ssl
$ sudo a2enconf ssl-params
$ sudo apache2ctl configtest   # check that the syntax is OK
$ sudo systemctl restart apache2

The SSL server is tested by entering "https://192.168.10.42" in a host browser. The expected result is a "Your connection is not private" warning page. Continue from this by selecting Advanced->Proceed to... HTTP->HTTPS redirection is tested by entering "http://192.168.10.42" in the host browser.

V.4 Deployment Part

The deployment script deploy.sh can be run after the prerequisites are met, which are:

1) A VM has been created using Virtualbox with the settings stated above.
2) The VM network is set to Bridged Adapter.
3) sudo has been set up for the user.
4) Git is installed on the VM ("$ apt-get install git" as root)

Clone the repository to the VM:

git clone https://github.com/KseniiaPrytkova/roger-skyline-1

Execute the deployment script (must be done with sudo):

$ chmod +x ./deploy.sh
$ sudo ./deploy.sh

Test that the deployment went fine by opening 192.168.10.42://login.html in the host machine's browser.

To get a checksum of the VM disk, go to /home/admin/VirtualBox VMs/, enter the VM's directory and then run:

$ shasum < [vdi file]