This project is a System Administration related exercise.
42-Yerevan-Armenia/Born2beRoot-42

Born2beRoot-42

Table of Contents

  1. Introduction
  2. Installation
  3. sudo
  4. SSH
  5. User Management
  6. cron
  7. Monitoring
  8. Checklist
  9. Finish

Introduction

You will create your first machine in VirtualBox (or UTM if you can’t use VirtualBox) under specific instructions. Then, at the end of this project, you will be able to set up your own operating system while implementing strict rules.

A virtual machine is a software capable of installing an Operating System within itself, making the OS think that it is hosted on a real computer. With virtual machines we can create virtual devices that will behave in the same way as physical devices, using their own CPU, memory, network interface and storage. This is possible because the virtual machine is hosted on a physical device, which is the one that provides the hardware resources to the VM. The software program that creates virtual machines is the hypervisor. The hypervisor is responsible for isolating the VM resources from the system hardware and making the necessary implementations so that the VM can use these resources.
The devices that provide the hardware resources are called host machines or hosts. The different virtual machines that can be assigned to a host are called guests or guest machines. The hypervisor uses a part of the host machine's CPU, storage, etc., and distributes them among the different VMs.

There can be multiple virtual machines on the same host and each of these will be isolated from the rest of the system. Thanks to this, we can run different operating systems on our machine. For each virtual machine, we can run a different operating system distribution. Each of these operating systems will behave as if they were hosted on a physical device, so we will have the same experience when using an OS on a physical machine and on a virtual machine.

Virtualization allows us to share one system among multiple virtual environments. The hypervisor manages the hardware and separates the physical resources from the virtual environments. Resources are handed out according to need, from the host to the guests. When a user inside a VM performs a task that needs additional resources from the physical environment, the hypervisor handles the request so that the guest OS can use those physical resources.
Once we know how they work, it is a good idea to see all the advantages we get from using virtual machines:

  • Different guest machines hosted on our computer can run different operating systems, so we will have different OS working on the same machine.
  • They provide an environment in which to safely test unstable programs to see if they will affect the system or not.
  • We get better use of shared resources.
  • We reduce costs by reducing physical architecture.
  • They are easy to implement because they provide mechanisms to clone a virtual machine to another physical device.

LVM (Logical Volume Manager) is an abstraction layer between a storage device and a file system. We get many advantages from using LVM, but the main advantage is that we have much more flexibility when it comes to managing partitions. Suppose we create four partitions on our storage disk. If for any reason we need to expand the storage of the first three partitions, we will not be able to because there is no space available next to them. In case we want to extend the last partition, we will always have the limit imposed by the disk. In other words, we will not be able to manipulate partitions in a friendly way. Thanks to LVM, all these problems are solved.
By using LVM, we can expand the storage of any partition (now known as a logical volume) whenever we want without worrying about the contiguous space available on each logical volume. We can do this with available storage located on different physical disks (which we cannot do with traditional partitions). We can also move different logical volumes between physical devices. Of course, services and processes will work the same way they always have. But to understand all this, we have to know:

  • Physical Volume (PV): physical storage device. It can be a hard disk, an SD card, a floppy disk, etc. This device provides us with storage available to use.
  • Volume Group (VG): to use the space provided by a PV, it must be allocated to a volume group. It is like a virtual storage disk that will be used by logical volumes. VGs can grow over time by adding new PVs.
  • Logical Volume (LV): these devices are the ones we will use to create file systems, swap areas, virtual machines, etc. If the VG is the storage disk, the LVs are the partitions made on that disk.

AppArmor provides Mandatory Access Control (MAC) security. In practice, AppArmor allows the system administrator to restrict the actions that processes can perform. For example, if an installed application could take photos by accessing the camera application, but the administrator denies this privilege, the application will not be able to reach the camera application. If a vulnerability is exploited (one of the restricted actions is attempted), AppArmor blocks the application so that the damage does not spread to the rest of the system.
In AppArmor, processes are restricted by profiles. Profiles can work in complain mode or in enforce mode. In enforce mode, AppArmor prevents applications from performing restricted actions. In complain mode, AppArmor allows applications to perform them, but writes a log entry reporting the violation.

In Debian-based distributions, the default package manager is dpkg. This tool allows us to install, remove and manage programs on our operating system. However, in most cases these programs come with a list of dependencies that must be installed for the main program to work properly. One option is to install these dependencies manually. Alternatively, APT (Advanced Package Tool), a tool built on top of dpkg, can install all the necessary dependencies when installing a program. So we can install a useful program with a single command.
APT can work with different back-ends and front-ends that make use of its services. One of them is apt-get, which allows us to install and remove packages. Alongside apt-get there are other tools such as apt-cache for querying packages. Both apt-get and apt-cache are used by apt. Thanks to apt we can install .deb packages easily and without worrying about dependencies. If we want a text-based interface instead, we can use aptitude. Aptitude also handles dependencies in more detail, letting the user choose between alternative dependencies when installing a program.

SSH (Secure Shell) is a remote administration protocol that allows users to control and modify their servers over the Internet, relying on an authentication mechanism. It provides a way to authenticate a user remotely, transfer data from the client to the host, and return a response to the request made by the client.
SSH was created as an alternative to Telnet, which does not encrypt the information it sends. SSH uses encryption to ensure that all client-to-host and host-to-client communication is done in encrypted form. One of the advantages of SSH is that a user on Linux or macOS can reach the server remotely from their computer's terminal. Once authenticated, that user can work on the server from the terminal.

The command used to connect to a server with ssh is:

ssh username@localhost -p 4242

There are three different techniques that SSH uses to encrypt:

  • Symmetric encryption: a method that uses the same secret key for both encryption and decryption of a message, on both the client and the host. Anyone who knows the key can read the transmitted message.
  • Asymmetric encryption: uses two separate keys for encryption and decryption. These are known as the public key and the private key. Together, they form the public-private key pair.
  • Hashing: another form of cryptography used by SSH. Hash functions are one-way: their output is never meant to be decrypted. If a client has the correct input, it can compute the cryptographic hash, and SSH checks whether both hashes are the same.

UFW (Uncomplicated Firewall) is a software application responsible for ensuring that the system administrator can manage iptables in a simple way. Since it is very difficult to work with iptables, UFW provides us with an interface to modify the firewall of our device (netfilter) without compromising security. Once we have UFW installed, we can choose which ports we want to allow connections, and which ports we want to close. This will also be very useful with SSH, greatly improving all security related to communications between devices.

Once we know a little more about how to build a server inside a virtual machine (remember that you also have to look at other pages apart from this README), we will look at two commands that are very helpful for a system administrator. These commands are:

  • Cron: Linux task manager that allows us to execute commands at a certain time. We can automate some tasks just by telling cron what command we want to run at a specific time. For example, if we want to restart our server every day at 4:00 am, instead of having to wake up at that time, cron will do it for us.
  • Wall: command used by the root user to send a message to all users currently connected to the server. If the system administrator wants to alert about a major server change that could cause users to log out, the root user could alert them with wall.

Installation

At the time of writing, the latest stable version of Debian was Debian 10 Buster, but you can choose an LTS version from the official page. Watch the bonus installation walkthrough (no audio) here.

sudo

Step 1: Installing sudo

Check which user is currently logged in on the VM.

whoami

Login as root or switch.

su -

Install sudo.

apt install sudo

Verify whether sudo was successfully installed.

dpkg -l | grep sudo

Install vim.

apt install vim

Step 2: Adding User to sudo Group

Add user to sudo group.

adduser <username> sudo

Alternative.

usermod -aG sudo <username>

Verify whether user was successfully added to sudo group.

getent group sudo

Reboot for the changes to take effect, then log in and verify your sudo privileges.

reboot
sudo -v

Step 3: Running root-Privileged Commands

apt update

Step 4: Configuring sudo

Configure sudo. (You can come back here after SSH - Step 3.)

Warning: you risk losing your project if you type something wrong in this file and save it.

vim /etc/sudoers

The safer way is visudo, which edits /etc/sudoers by default and checks the syntax before saving: if you type something wrong, it shows the error and asks what to do instead of writing a broken file.

sudo visudo

Add the lines below to the file. They limit sudo authentication to 3 attempts on an incorrect password (the default is 3 anyway), set a custom wrong-password message, write the log to /var/log/sudo/sudo.log (if there is no /var/log/sudo folder, create it inside /var/log first), save every input and output of each sudo command, and require a TTY.

Defaults        passwd_tries=3
Defaults        badpass_message="<custom-error-message>"
Defaults        logfile="/var/log/sudo/sudo.log"
Defaults        log_input,log_output
Defaults        requiretty

Optionally, "Defaults insults" for a fun message on a wrong password.

(Why use tty? If some non-root code is exploited (a PHP script, for example), the requiretty option means that the exploit code won't be able to directly upgrade its privileges by running sudo.)

Check the permissions of your sudoers file. If they look like -rwxrwxrwx, change them to -r--r----- (0440) with the command below.

chmod 440 /etc/sudoers

SSH

Step 1: Installing & Configuring SSH

Install openssh-server.

apt install openssh-server

Verify whether openssh-server was successfully installed.

dpkg -l | grep ssh

Configure SSH.

vim /etc/ssh/sshd_config

To set up SSH on Port 4242, replace the line:

#Port 22

with:

Port 4242

To disable SSH login as root regardless of the authentication mechanism, replace the line:

#PermitRootLogin prohibit-password

with:

PermitRootLogin no

Check SSH status.

sudo service ssh status

Alternatively.

sudo systemctl status ssh

Start and stop the SSH Server

sudo service ssh start
sudo service ssh stop

To enable or disable the service at boot (this is not the same as starting or stopping it now):

sudo systemctl enable ssh
sudo systemctl disable ssh

Step 2: Installing & Configuring UFW

Install ufw.

sudo apt install ufw

Verify whether ufw was successfully installed.

dpkg -l | grep ufw

Enable Firewall.

sudo ufw enable

Configure the rules. Allow incoming connections using Port 4242.

sudo ufw allow 4242

Check UFW status.

sudo ufw status

Remove any rule for Port 22 by its rule number (sudo ufw status numbered lists them).

sudo ufw delete 1

Add a port forwarding rule in VirtualBox.

  1. Go to VirtualBox -> choose the VM -> select Settings.
  2. Choose "Network" -> "Adapter 1" -> "Advanced" -> "Port Forwarding".
  3. Enter the values as shown.

Restart your VM.

sudo reboot

Step 3: Connecting to Server with SSH

SSH into your VM using Port 4242. Type the line below into a terminal on your physical machine.

ssh <username>@<ip-address> -p 4242

Terminate SSH session at any time.

logout

Alternatively, terminate SSH session.

exit

User Management

Step 1: Setting Up a Strong Password Policy

Password Age

Configure password age policy.

sudo vim /etc/login.defs

To set passwords to expire every 30 days, replace the line:

PASS_MAX_DAYS 99999

with:

PASS_MAX_DAYS 30

To set the minimum number of days between password changes to 2, replace the line:

PASS_MIN_DAYS 0

with:

PASS_MIN_DAYS 2

To warn the user 7 days before password expiry (the default is 7 anyway), keep the line below as is.

PASS_WARN_AGE 7

Password Strength

Secondly, to set up policies in relation to password strength, install the libpam-pwquality package.

sudo apt install libpam-pwquality

Verify whether libpam-pwquality was successfully installed.

dpkg -l | grep libpam-pwquality

Configure password strength policy, specifically the below line:

sudo vim /etc/pam.d/common-password

password requisite pam_pwquality.so retry=3

To set password minimum length to 10 characters, add below option to the above line.

minlen=10

To require password to contain at least an uppercase character and a numeric character:

ucredit=-1 dcredit=-1

To set a maximum of 3 consecutive identical characters:

maxrepeat=3

To reject the password if it contains <username> in some form:

reject_username

To set the number of changes required in the new password from the old password to 7:

difok=7

To implement the same policy on root:

enforce_for_root

Finally, it should look like the below:

password        requisite                       pam_pwquality.so retry=3 minlen=10 ucredit=-1 dcredit=-1 maxrepeat=3 reject_username difok=7 enforce_for_root

Step 2: Creating a New User

Create a new user (this is done during the defense).

sudo adduser <username>

Verify whether user was successfully created.

getent passwd <username>

Verify newly-created user's password expiry information.

sudo chage -l <username>

Remove user.

sudo deluser <username>

Step 3: Creating a New Group

Create new user42 group.

sudo addgroup user42

Add user to user42 group.

sudo adduser <username> user42

Alternatively.

sudo usermod -aG user42 <username>

Verify whether user was successfully added to user42 group.

getent group user42

Remove group.

sudo groupdel <groupname>

cron

Setting Up a cron Job

Configure cron as root.

sudo crontab -u root -e

To schedule the script to run every 10 minutes, add this line at the end (the script is written in bash, so run it with bash rather than sh, which is dash on Debian):

*/10 * * * * bash /path/to/script

Monitoring

You have to create a simple script called monitoring.sh. It must be developed in bash. At server startup, the script will display some information (listed below) on all terminals every 10 minutes (take a look at wall). The banner is optional. No error must be visible. Your script must always be able to display the following information:

  • The architecture of your operating system and its kernel version.
  • The number of physical processors.
  • The number of virtual processors.
  • The current available RAM on your server and its utilization rate as a percentage.
  • The current available disk space on your server and its utilization rate as a percentage.
  • The current utilization rate of your processors as a percentage.
  • The date and time of the last reboot.
  • Whether LVM is active or not.
  • The number of active connections.
  • The number of users using the server.
  • The IPv4 address of your server and its MAC (Media Access Control) address.
  • The number of commands executed with the sudo program.
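Here is an added example of such a script (written for this page, not the repository's own monitoring.sh). Every value is produced by a small function that reads raw command output from stdin, so each parser can be checked on constructed text; the format strings, the sudo.log path from the sudo step and the use of wall are the only assumptions.

```shell
#!/bin/bash
# monitoring.sh: gathers the values listed above and broadcasts them with wall.
# Each parser reads raw command output from stdin, so it can be checked on
# constructed text; every live command has a fallback, so no error is visible.

# RAM: used/total in MB and utilization %, from /proc/meminfo text.
mem_stats() {
    awk '/^MemTotal:/ {t=$2} /^MemAvailable:/ {a=$2}
         END {u=t-a; printf "%d/%dMB (%.2f%%)", u/1024, t/1024, (t ? u*100/t : 0)}'
}

# Disk: used/total in GB and utilization %, from "df -B1 --total" text.
disk_stats() {
    awk '$1=="total" {printf "%d/%dGb (%d%%)", $3/2^30, $2/2^30, ($2 ? $3*100/$2 : 0)}'
}

# CPU: 100 minus the idle column (15th) of the last "vmstat 1 2" line.
cpu_load() { awk 'END {if (NR) printf "%.1f%%", 100 - $15; else print "n/a"}'; }

# Established TCP connections, from "ss -tan" text.
tcp_count() { awk '$1=="ESTAB" {n++} END {print n+0}'; }

# LVM in use: "yes" if "lsblk -o TYPE" lists any device of type lvm.
lvm_active() { awk '$1=="lvm" {f=1} END {print (f ? "yes" : "no")}'; }

# Commands run through sudo, counted from the sudo.log written by the logfile option.
sudo_count() { awk '/COMMAND=/ {n++} END {print n+0}'; }

# Assemble the report from live data; redirections keep any failure silent.
build_report() {
    printf '#Architecture: %s\n' "$(uname -a 2>/dev/null)"
    printf '#CPU physical: %s\n' "$(grep 'physical id' /proc/cpuinfo 2>/dev/null | sort -u | wc -l)"
    printf '#vCPU: %s\n' "$(grep -c '^processor' /proc/cpuinfo 2>/dev/null)"
    printf '#Memory Usage: %s\n' "$(mem_stats 2>/dev/null < /proc/meminfo)"
    printf '#Disk Usage: %s\n' "$(df -B1 --total -x tmpfs -x devtmpfs 2>/dev/null | disk_stats)"
    printf '#CPU load: %s\n' "$(vmstat 1 2 2>/dev/null | cpu_load)"
    printf '#Last boot: %s\n' "$(who -b 2>/dev/null | awk '{print $3" "$4}')"
    printf '#LVM use: %s\n' "$(lsblk -o TYPE 2>/dev/null | lvm_active)"
    printf '#Connections TCP: %s ESTABLISHED\n' "$(ss -tan 2>/dev/null | tcp_count)"
    printf '#User log: %s\n' "$(who 2>/dev/null | wc -l)"
    printf '#Network: IP %s (%s)\n' "$(hostname -I 2>/dev/null | awk '{print $1}')" \
        "$(ip link 2>/dev/null | awk '/link\/ether/ {print $2; exit}')"
    printf '#Sudo: %s cmd\n' "$(sudo_count 2>/dev/null < /var/log/sudo/sudo.log || echo 0)"
}

# Broadcast to every terminal; fall back to stdout when wall is unavailable.
report="$(build_report)"
printf '%s\n' "$report" | wall 2>/dev/null || printf '%s\n' "$report"
```

Run it by hand once as root to see the banner, then let the crontab line from the cron section call it.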

Last restart 😄.

sudo reboot

Checklist

Project overview

No. | Question | Command
1 | How a virtual machine works. | VM
2 | Their choice of operating system. | head -n 2 /etc/os-release
3 | The basic differences between CentOS and Debian. | Differences
4 | The purpose of virtual machines. | VM
5 | Debian: the difference between aptitude and apt, and what AppArmor is. | APT and AppArmor

Simple setup

A password will be requested before attempting to connect to this machine. This user must not be root.

No. | Question | Command
1 | Check that the UFW service is started. | sudo ufw status
2 | Check that the SSH service is started. | sudo systemctl status ssh
3 | Check that the chosen operating system is Debian or CentOS. | cat /etc/os-release

User

The subject requests that a user with the login of the student being evaluated is present on the virtual machine. Check that it has been added and that it belongs to the sudo and user42 groups.

No. | Question | Command and links
1 | First, create a new user. | Step 2
2 | Assign it a password of your choice. | password following the new rules
3 | Normally there should be one or two modified files. | Step 1
4 | Create a group named evaluating in front of you and assign it to this user. | Step 3
5 | Check that this user belongs to the evaluating group. | getent group evaluating

Hostname and partitions

No. | Question | Command
1 | The hostname is login42. | hostnamectl
2 | Modify this hostname by replacing the login with yours, then restart the machine. | hostnamectl set-hostname <new_hostname> or sudo vim /etc/hostname
3 | Restore the machine to the original hostname. | repeat step 2 with the original hostname
4 | How to view the partitions for this virtual machine. | lsblk
5 | How LVM works and what it is all about. | LVM

SUDO

No. | Question | Command
1 | Check that the sudo program is properly installed on the virtual machine. | dpkg -l
2 | Assign your new user to the sudo group. | Step 2
3 | Explain the value and operation of sudo using examples of their choice. | Step 4
4 | Verify that the /var/log/sudo/ folder exists and has at least one file. | cd /var/log/sudo/
5 | Check the contents of the files in this folder. You should see a history of the commands used with sudo. | vim sudo.log
6 | Try to run a command via sudo. See if the file(s) in the /var/log/sudo/ folder have been updated. | vim sudo.log

UFW

No. | Question | Command
1 | Check that the UFW program is properly installed on the VM. | dpkg -l
2 | Explain basically what UFW is and the value of using it. | UFW
3 | List the active rules in UFW - port 4242. | sudo ufw status verbose
4 | Add a new rule to open port 8080. | port forwarding in the VirtualBox VM settings, then sudo ufw allow 8080
5 | Delete this new rule. | sudo ufw delete <rule-number>

SSH

No. | Question | Command
1 | Check that the SSH service is properly installed on the virtual machine. | dpkg -l
2 | Explain basically what SSH is and the value of using it. | SSH
3 | Verify that the SSH service only uses port 4242. | Port
4 | Use SSH in order to log in with the newly created user. You can use a key or a simple password. | ssh username@localhost -p 4242
5 | Make sure that you cannot use SSH with the root user. | ssh root@localhost -p 4242

Script monitoring

No. | Question | Command
1 | How their script works, by showing you the code. | Bash
2 | What cron is. | Cron
3 | Set up their script so that it runs every 10 minutes from when the server starts. | Crontab
4 | Once the correct functioning of the script has been verified, ensure that this script runs every 1m. | change 10 to 1 in the crontab line
5 | You can run whatever you want to make sure the script runs with dynamic values correctly. | Comment line 23
6 | Make the script stop running when the server has started up, but without modifying the script itself. | vim monitoring.sh
7 | Restart the server one last time. | reboot
8 | At startup, it will be necessary to check that the script still exists in the same place, that its rights have remained unchanged, and that it has not been modified. | I made changes in crontab and didn't modify monitoring.sh
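Before a defense it helps to verify in one go that the sudo, SSH, UFW and password-policy steps above left the expected state behind. The audit script below is an added example, not part of the repository; it assumes the file paths and values used on this page, and its two matchers read a file's text from stdin so they can be exercised on constructed text.

```shell
#!/bin/bash
# audit.sh: verifies the state the sudo, SSH, UFW and password-policy steps
# above should leave behind. The two matchers read a file's text from stdin and
# print "ok" or "FAIL", so they can be exercised on constructed text; audit_vm
# feeds them the real files and commands (the paths used on this page).

# "ok" when at least one active (uncommented) line starts with KEY and every
# such line carries VALUE, which holds whether the program keeps the first
# or the last matching directive.
expect_key() { # expect_key KEY VALUE < file
    awk -v k="$1" -v v="$2" '
        $1 == k { n++; if ($2 != v) bad++ }
        END { r = (n && !bad) ? "ok" : "FAIL"; print r }'
}

# "ok" when some active line matches the extended regex RE.
has_line() { # has_line RE < file
    awk -v re="$1" '
        $0 !~ /^[ \t]*#/ && $0 ~ re { f = 1 }
        END { r = f ? "ok" : "FAIL"; print r }'
}

# Runs every check against the live system; an unreadable file shows FAIL.
audit_vm() {
    s=/etc/ssh/sshd_config; d=/etc/login.defs; p=/etc/pam.d/common-password
    printf 'sshd Port 4242             %s\n' "$(expect_key Port 4242 2>/dev/null < "$s" || echo FAIL)"
    printf 'sshd PermitRootLogin no    %s\n' "$(expect_key PermitRootLogin no 2>/dev/null < "$s" || echo FAIL)"
    printf 'PASS_MAX_DAYS 30           %s\n' "$(expect_key PASS_MAX_DAYS 30 2>/dev/null < "$d" || echo FAIL)"
    printf 'PASS_MIN_DAYS 2            %s\n' "$(expect_key PASS_MIN_DAYS 2 2>/dev/null < "$d" || echo FAIL)"
    printf 'PASS_WARN_AGE 7            %s\n' "$(expect_key PASS_WARN_AGE 7 2>/dev/null < "$d" || echo FAIL)"
    printf 'pwquality minlen=10        %s\n' "$(has_line 'pam_pwquality.so.*minlen=10' 2>/dev/null < "$p" || echo FAIL)"
    printf 'pwquality enforce_for_root %s\n' "$(has_line 'pam_pwquality.so.*enforce_for_root' 2>/dev/null < "$p" || echo FAIL)"
    printf 'sudoers requiretty         %s\n' "$(has_line '^Defaults[ \t]+requiretty' 2>/dev/null < /etc/sudoers || echo FAIL)"
    printf 'sudoers logfile            %s\n' "$(has_line 'logfile=.*/var/log/sudo/sudo.log' 2>/dev/null < /etc/sudoers || echo FAIL)"
    printf 'sudoers mode 0440          %s\n' "$([ "$(stat -c %a /etc/sudoers 2>/dev/null)" = 440 ] && echo ok || echo FAIL)"
    printf 'ufw allows 4242            %s\n' "$(ufw status 2>/dev/null | has_line '^4242.*ALLOW')"
}

audit_vm
```

Run it with sudo on the VM, since /etc/sudoers and ufw status are not readable by a normal user.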

Finish

Turn off your VM. Create a signature.txt file and put your VM signature in it, generated with the line below.

shasum goinfre/born2beroot.vdi

As a precaution, you can duplicate the initial VM to keep two more copies. After the evaluation, if you were evaluated by only one evaluator (so that the pushed signature stays the same), just delete your .vdi and open the copy.

Really finished 🤪 Push only signature.txt and don't turn the VM on until the evaluation starts.
