A 42-school project. Involves the use of basic sysadmin/network tools and the creation of my first web server. Due to the size of the VDI (and the nature of the project), it is not included as part of this repository.
- Installed VM to specifications -- I used Debian. Ensure VM filesize/disk space is 8GB.
- Check partition sizes with `cfdisk`.
- Ensure one partition is '4.2GB'. The brief leaves the distinction between gigabyte and gibibyte ambiguous. Make your own decision on this matter.
- apt-get install required services.
- Nginx, ufw, fail2ban, portsentry were all tools that I utilised.
- adduser & give them sudo permissions.
  - `adduser <name>`
  - `usermod -aG sudo <name>`
- Modify /etc/network/interfaces.d/ to specifications outlined in the brief (Static IP, etc).
- Modify /etc/ssh/sshd_config to alter the default SSH port, as outlined in the brief.
- ssh-keygen a new SSH key for accessing the remote. Copy it to the remote and use this to connect.
- Configure UFW to default to deny incoming and allow outgoing. Open only required ports.
- Ensure SSH connections still work and use a portscan tool to check for any ports that remain open.
- I limited UFW to allowing only 80/tcp, <ssh_port>/tcp and 443/tcp.
- Configure F2B for DOS protection. Modify jail.local and create appropriate filters.
  - Modify `ignoreip` if needed, as well as `bantime`, `findtime` and `maxretry`.
  - Use sendmail as the MTA.
  - Ensure the correct default action is taken, `action = %(action_mwl)s`, so that you receive mail.
  - You can use several default apache filters as Nginx filters; some will require configuration.
  - Create a new DOS jail and filter.
  - (Optional) You can also use F2B to detect and attempt to ban portscans.
- Configure PortSentry for port scanning protection. Modify /etc/default/portsentry & /etc/portsentry/portsentry.conf
- Use `systemctl --type=service --state=active` to find non-vital services running and `systemctl disable <service>` to disable them. `service --status-all` and `service <service> disable` are another option.
- Create/configure Crontab scripts, as outlined in the brief.
- (OPTIONAL) Create pretty website.
- Create and configure SSL certificates.
- Use HTML/CSS etc. to make an amazing website. Put it someplace safe, I used /var/www/
- Modify /etc/nginx/sites-available/<website.conf> to ensure that SSL is enabled and that traffic is being correctly routed (from HTTP to HTTPS).
- Remove the symlink to "default" from /etc/nginx/sites-available/ to ensure Nginx is publishing your content.
- Success!
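
A minimal sketch of the DOS jail and filter from the Fail2ban step above, added here as an illustration and not the configuration used in this project. The jail name `http-get-dos`, the thresholds, the addresses and the log path (Debian's default Nginx access log) are assumptions to adjust.

```ini
# --- /etc/fail2ban/jail.local ---
[DEFAULT]
# Never ban loopback; add your own admin address here if needed.
ignoreip = 127.0.0.1/8
# Default ban length (s), counting window (s) and failure threshold.
bantime  = 600
findtime = 600
maxretry = 5
# Send the ban report (whois + matching log lines) through sendmail.
# destemail is an assumed local mailbox.
mta       = sendmail
destemail = root@localhost
action    = %(action_mwl)s

# Assumed jail name; the values below override [DEFAULT] for this jail only.
[http-get-dos]
enabled  = true
port     = http,https
filter   = http-get-dos
# Assumed path: Debian's default Nginx access log.
logpath  = /var/log/nginx/access.log
# 300 matching requests from one address within 300 s trigger a 600 s ban.
maxretry = 300
findtime = 300
bantime  = 600

# --- /etc/fail2ban/filter.d/http-get-dos.conf ---
[Definition]
# Matches every GET/POST line in Nginx's default "combined" log format.
# <HOST> is Fail2ban's placeholder for the client address.
failregex = ^<HOST> -.*"(GET|POST).*
ignoreregex =
```

`fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/http-get-dos.conf` shows how many log lines the filter matches, and `fail2ban-client status http-get-dos` lists currently banned addresses after a reload.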
- Nginx
- UFW
- Fail2ban
- Portsentry
- nmap
- Cron
- HTML & CSS
```
sudo <cmd>
ufw
service --status-all
service <service name> stop/restart/start
ssh -i <keyfile> <IP> -p <port>
crontab -e
nc -z -v {host-name-here} {port-range-here}
```
- /etc/aliases
- /etc/default/portsentry
- /etc/fail2ban/jail.local
- /etc/hosts.deny
- /etc/network/interfaces.d/
- /var/mail/
- Installing Debian: https://medium.com/platform-engineer/how-to-install-debian-linux-on-virtualbox-with-guest-additions-778afa0ee7e0
- Nginx Config: https://www.linode.com/docs/web-servers/nginx/how-to-configure-nginx/
- UFW Config: https://help.ubuntu.com/community/UFW
- Fail2Ban Configuration
- Protecting against portscans with Port Sentry: https://en-wiki.ikoula.com/en/To_protect_against_the_scan_of_ports_with_portsentry
- Using Nginx to host a Webpage: https://medium.com/@jgefroh/a-guide-to-using-nginx-for-static-websites-d96a9d034940
- HTML/CSS Guides: https://www.w3schools.com/html/default.asp
- Self-Signing SSL Cert: https://webtips4u.com/guides/linux/creating-a-self-signed-ssl-certificate-on-linux-or-unix-server/
- A SlowLoris attack for use in testing DOS protection: https://github.com/llaera/slowloris.pl