Creating my own Virtual Machine!😀
I chose Debian OS (download link!).
Several encrypted partitions were created using LVM while the OS was being set up.
To me, this part was the most complicated.
You need to take care of the mount point, size...
Set up sudo
Install sudo
apt-get install sudo
Requirement
• Authentication using sudo has to be limited to 3 attempts in the event of an incorrect password.
• A custom message of your choice has to be displayed if an error due to a wrong password occurs when using sudo.
• Each action using sudo has to be archived, both inputs and outputs. The log file has to be saved in the /var/log/sudo/ folder.
• The TTY mode has to be enabled for security reasons.
• For security reasons too, the paths that can be used by sudo must be restricted.
Example:
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
visudo
Add the required options.
Defaults authfail_message="A custom message"
Defaults badpass_message="A custom message"
Defaults iolog_dir="/var/log/sudo/"
Defaults log_input
Defaults log_output
Defaults requiretty
Defaults passwd_tries=3
Add the user to the sudo and user42 groups.
groupadd user42
usermod -aG sudo,user42 id
cat /etc/group | grep 'id'
Look up the group and user list.
Setting up SSH
SSH (Secure Shell) is a network protocol that gives a secure way to access a computer over an unsecured network.
It provides strong password authentication and public key authentication, as well as encrypted data communications between two computers connecting over an open network, such as the internet.
Requirement
SSH needs to be installed first.
su -
apt install openssh-server
Open the config file to modify it.
vi /etc/ssh/sshd_config
Port 4242
PermitRootLogin no
Modify the Port line and the PermitRootLogin line.
systemctl restart ssh
systemctl status ssh
Restart ssh and check its status.
Then you can see a result like the one below.
I made a new network to access myWorld.
In a local terminal, you can reach myWorld using this command.
ssh id@ip -p 4242
Since I modified the setting, root login is not allowed.
Set up a password policy
Requirement
• Your password has to expire every 30 days.
• The minimum number of days allowed before the modification of a password will be set to 2.
• The user has to receive a warning message 7 days before their password expires.
• Your password must be at least 10 characters long. It must contain an uppercase letter and a number.
Also, it must not contain more than 3 consecutive identical characters.
• The password must not include the name of the user.
• The following rule does not apply to the root password: The password must have at least 7 characters that are not part of the former password.
• Of course, your root password has to comply with this policy.
su -
vi /etc/login.defs
PASS_MAX_DAYS 30
PASS_MIN_DAYS 2
PASS_WARN_AGE 7
apt-get -y install libpam-pwquality
vi /etc/pam.d/common-password
retry=3
minlen=10 ucredit=-1 lcredit=-1 dcredit=-1 maxrepeat=3 reject_username enforce_for_root difok=7
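As an added example (not part of the original post), this script checks the SSH and password-aging values set above against what is actually in the files. The function names and the sample files are made up for illustration; the sample login.defs contains a misspelled key to show how a typo leaves PASS_MIN_DAYS unset.

```shell
#!/usr/bin/env bash
# Added example: audit the values this page sets in sshd_config and login.defs.

# Print the value of KEY from a "KEY value" file. Commented-out lines never match
# because their first field starts with "#". The first occurrence is reported,
# which is also the one sshd uses. Matching is exact (canonical spelling assumed).
conf_value() {  # usage: conf_value FILE KEY
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Compare one setting with its expected value; return 0 only on a match.
check() {  # usage: check FILE KEY EXPECTED
    local got
    got=$(conf_value "$1" "$2")
    if [ "$got" = "$3" ]; then
        echo "PASS $2 = $got"
    else
        echo "FAIL $2: expected $3, found ${got:-nothing}"
        return 1
    fi
}

# Run every check; the return status is the number of failed checks.
audit() {  # usage: audit SSHD_CONFIG LOGIN_DEFS
    local fails=0
    check "$1" Port 4242          || fails=$((fails + 1))
    check "$1" PermitRootLogin no || fails=$((fails + 1))
    check "$2" PASS_MAX_DAYS 30   || fails=$((fails + 1))
    check "$2" PASS_MIN_DAYS 2    || fails=$((fails + 1))
    check "$2" PASS_WARN_AGE 7    || fails=$((fails + 1))
    return "$fails"
}

# Constructed sample files (not taken from a real host). login.defs carries a
# misspelled key, so PASS_MIN_DAYS itself is never set in the file.
write_samples() {  # usage: write_samples DIR
    printf '%s\n' '#Port 22' 'Port 4242' 'PermitRootLogin no' > "$1/sshd_config"
    printf '%s\n' 'PASS_MAX_DAYS 30' 'PASS_MIN_DATS 2' 'PASS_WARN_AGE 7' > "$1/login.defs"
}

# With two arguments audit those files, otherwise audit the constructed samples.
if [ "$#" -eq 2 ]; then
    audit "$1" "$2"
else
    tmp=$(mktemp -d) && write_samples "$tmp"
    audit "$tmp/sshd_config" "$tmp/login.defs" || echo "$? check(s) failed"
    rm -rf "$tmp"
fi
```

On a live system, sshd -T prints the settings sshd will really use, including any included files. The aging values in login.defs apply to accounts created afterwards, so chage -l shows what an existing account actually has.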
Create monitoring.sh
Requirement
Your script must always be able to display the following information:
• The architecture of your operating system and its kernel version.
• The number of physical processors.
• The number of virtual processors.
• The current available RAM on your server and its utilization rate as a percentage.
• The current available memory on your server and its utilization rate as a percentage.
• The current utilization rate of your processors as a percentage.
• The date and time of the last reboot.
• Whether LVM is active or not.
• The number of active connections.
• The number of users using the server.
• The IPv4 address of your server and its MAC (Media Access Control) address.
• The number of commands executed with the sudo program.
command
Requirement
crontab -e
*/10 * * * * /root/monitoring.sh | wall
'*/10 * * * *' means every 10 minutes, every day.
Set up the default firewall
UFW (Uncomplicated Firewall): a front-end for iptables that is particularly well-suited for host-based firewalls. UFW was developed specifically for Ubuntu (but is available in other distributions), and is also configured from the terminal.
Requirement
apt-get install ufw -y
ufw enable
ufw default deny
ufw allow 4242
ufw status verbose