Skip to content

Latest commit

 

History

History
219 lines (174 loc) · 15.6 KB

Debian-en.md

File metadata and controls

219 lines (174 loc) · 15.6 KB
Raw

Debian 11

This implementation guide was made in collaboration with @HCastanha, who indeed chose Debian as the OS to implement this project (I just tagged along for the fun).

Debian is a GNU/Linux distribution composed interely of free and open-source software. It is also one of the oldest operating systems based on the Linux Kernel. Debian is the basis for many other distros, being the most popular one Ubuntu.

Debian has one of the most active communities online, what can be very helpful when you are searching for error fixes and bugs in open forums. Debian is also updated a lot more frequently, what can be a downside if you're looking for stability, but also represents packages less prone to contain bugs.

Overall, Debian is a stable enough system to operate smaller servers, and it's a lot more user-friendly than its pairs. It is a very good system to learn the basics on how to deal with servers and its utilities - what is, at the end, the whole purpose of this project.

Index

Installing LVM Logging in Package Management AppArmor UFW SSH Testing the SSH connection SUDO Password Policy Hostname, Users and Groups Monitoring Script Bonus

Pre-Requisites

The project will be run entirely on a Virtual Machine, so the initial setup consists of only two downloadables:

Installing

  1. Open VirtualBox and click 'New';
  2. Initial set up of the Virtual Machine includes memory and hard disk specifications (since I did the bonus part, the hard drive allocation was of 30.8Gb instead of 8Gb);
  3. After creating the VM, click on 'Settings' and enable your network with 'Bridge Adapter', so that your Virtual Machine will be able to use your local internet settings;
  4. Start your machine and when prompted, choose the previously downloaded .iso file as a start-up disk to boot;
  5. When loaded, you will be asked to choose among a few options, including "Graphical install" or just "Install". They are virtually the same, so whatever you choose shouldn't impact too much for you to follow along. I chose "Install".
  6. On the chosen interface, set-up your machine as required:

TIP

If might have come to your attention that, when partitioning the hard drives, there might be some inconsistency regarding the total number of GB available. If you've set, at the initial VM set up, a total drive of 30.8GB and now it appears to you as though you have a 33.1GB of available disk space, or even if you're typing 500MB, but the system only reserves 467MB or something: fear not, 'cause you're not alone.

My best guess is that it happens because of a malfunction conversion of the Debian installer itself. You see, 1 kylobyte equals to 1024 bytes, not 1000. If you project that to Megas or even Gigas, it's a lot of bytes you're simply not counting. That's what Debian's installer is doing.

To be very practical, it matters not in your day-to-day life either you're converting bytes by the 1000s or 1024s. But, since the project's specifications were very precise, I decided to follow along and convert everything to real bytes before typing them down on the partioning menu (for example, 500 MegaBytes turned into 524288000 Bytes. A lot of numbers in this one, I know, but Excel is your friend).

However, whether you do that in your own project is completely up to you!

LVM

Logical Volume Manager is a system of mapping and managing hard disk memory used on Linux-kernel's based systems. Instead of the old method of partitioning disks on a single filesystem, and having it be limited to only 4 partitions, LVM allows you to work with "Logical Volumes", a more dinamically and flexible way to deal with your hardware.

There are three major concepts you must understand to fully grasp the behaviour of LVM:

  • Volume Group: It is a named collection of physical and logical volumes. Typical systems only need one Volume Group to contain all of the physical and logical volumes on the system;
  • Physical Volumes: They correspond to disks; they are block devices that provide the space to store logical volumes;
  • Logical Volumes: They correspond to partitions: they hold a filesystem. Unlike partitions though, logical volumes get names rather than numbers, they can span across multiple disks, and do not have to be physically contiguous.

The idea sounds simple enough: You take a disk, declare it as a Physical Volume, then you take that volume and append it to the Volume Group of your choice (usually only one per computer). At last, you may "partition" that volume into small Logical Volumes that can correspond to 1 or multiple disks, and can be reallocated in memory even if they are already in use.

LVM is a great utility to have on servers and systems that demand usage stability and great necessity of quick management of the available physical devices (it makes it way easier to add or remove memory, for instance).

Logging in

Once the installation has completed, and you've rebooted your system you must log into the OS.

The first step is to type in the password you used to encrypt your LVM partitions. Then, you must choose a user to log-in to. I recommend using the root for now, as we still need to have root privileges to completely finish the set-up.

Once you're logged in, use the following commands to check if everything is according to the plan:

Some importante commands to keep in hand:

  • logout or exit - exit current session to enable you to change the active user;
  • reboot - reboot the system (needs root permission);
  • poweroff - turns the system off (needs root permission).

Package Management

Debian based systems, by default, use APT (Advanced Package Tool) and DPKG package management tools. While DPKG is a low level package manager, used to install, remove and provide information about .deb packages, APT is more high leveled, working its way through complex package relations, such as dependency resolution.

For Debian, APT is the most common and most used package manager. It comes installed by default and provides command-line management for all the packages you might need on your computer in a resonably user-friendly way, with shorter and more intuitive commands.

It is also preferable, for some users, to use the Aptitude package manager. Aptitude is a front-end alternative to APT. It allows the user to interactively pick the packages they want to install or remove, apart from also allowing flexible search patterns, such as commands and/or close-typed words.

For this project, one would be wise to work with APT as it is more scriptable and replicable, which makes a good choice for writing documentation (including this one). It is to my understading that APT can handle most of Aptitude's functions through certain in-line commands (althought in not such an user-friendly and graphical way).

However, I will choose Aptitude for pedagogical purposes and for the fact that it has more elaborate algorithms when trying to handle difficult situations. Aptitude is a great alternative to APT.

Since Aptitude doesn't come installed in Debian, you will need to install it.

# apt-get install aptitude

After the installation is completed, type aptitude to open aptitude front-end. From here forward, we'll use aptitude to manage the packages needed.

AppArmor

Mandatory Access Control (or MAC) is a security protocol that forbids any certain program, even one running on effective superuser privileges, to do anything other than what it was previously allowed to do. It is a secure measure used, mainly, in systems where stability and protection are paramount concepts (such as server units).

To enforce MAC, we can use a variety of programs. For Debian and all its similar systems, the default option is AppArmor. It enforces protection over objects as per configuration. That means, the application "imunizes" other apps one by one. By default, something that has not been previously set as "protected" is, by all means, vulnerable.

AppArmor might not be considered as efficient and secure as SELinux, for example, but it has an easier interface and is more user-friendly. For someone who is not all-accostumed to system administration, it becomes a great alternative for managing access control.

To make sure AppArmor is installed, use:

# aptitude search apparmor

If by any reason it is not installed, you must install it first and enable it at startup:

# aptitude install apparmor
# aa-status 
# systemctl enable apparmor

UFW

UFW (or "Uncomplicated Firewall") is a program designed, as the name suggests, to be an easy-to-use firewall manager. 'Firewall', in turn, is a security device responsable for monitoring the information and data traffic from your local computer to the network.

As per the instructions, UFW will have to be installed on our machine and configured in a way that will only allow connection to port 4242.

UFW needs to installed and then enabled:

# aptitude install ufw
# ufw enable

To check the UFW current status and ports allowed or denied, use:

# ufw status verbose

You will see that the 'outgoing' rule is set to allow. Do not change that, otherwise the package manager and other essencial applications will stop working. The subject only allows for port 4242 to be enabled, so what you can do is deny all ports available and allow only 4242. The following commands may help you with this:

# ufw default allow/deny incoming
# ufw default allow/deny outgoing
# ufw allow/deny <port-number>

However, if you only deny a port, it will keep appearing on the rules as "DENY" status. To delete it completely, use:

# ufw status numbered
# ufw delete <rule-number>

Do not forget to enable your firewall on startup.

# systemctl enable ufw

To eventually disable the firewall, use:

# ufw disable

References

Why Debian?