This implementation guide was made in collaboration with @HCastanha, who indeed chose Debian as the OS to implement this project (I just tagged along for the fun).
Debian is a GNU/Linux distribution composed interely of free and open-source software. It is also one of the oldest operating systems based on the Linux Kernel. Debian is the basis for many other distros, being the most popular one Ubuntu.
Debian has one of the most active communities online, what can be very helpful when you are searching for error fixes and bugs in open forums. Debian is also updated a lot more frequently, what can be a downside if you're looking for stability, but also represents packages less prone to contain bugs.
Overall, Debian is a stable enough system to operate smaller servers, and it's a lot more user-friendly than its pairs. It is a very good system to learn the basics on how to deal with servers and its utilities - what is, at the end, the whole purpose of this project.
Installing • LVM • Logging in • Package Management • AppArmor • UFW • SSH • Testing the SSH connection • SUDO • Password Policy • Hostname, Users and Groups • Monitoring Script • Bonus
The project will be run entirely on a Virtual Machine, so the initial setup consists of only two downloadables:
- The latest available Oracle VIrtualBox (VirtualBox 6.1 was the one used at the time of this project);
- The Debian 11 ISO.
- Open
VirtualBox
and click 'New'; - Initial set up of the Virtual Machine includes memory and hard disk specifications (since I did the bonus part, the hard drive allocation was of 30.8Gb instead of 8Gb);
- After creating the VM, click on 'Settings' and enable your network with 'Bridge Adapter', so that your Virtual Machine will be able to use your local internet settings;
- Start your machine and when prompted, choose the previously downloaded
.iso
file as a start-up disk to boot; - When loaded, you will be asked to choose among a few options, including "Graphical install" or just "Install". They are virtually the same, so whatever you choose shouldn't impact too much for you to follow along. I chose "Install".
- On the chosen interface, set-up your machine as required:
If might have come to your attention that, when partitioning the hard drives, there might be some inconsistency regarding the total number of GB available. If you've set, at the initial VM set up, a total drive of 30.8GB and now it appears to you as though you have a 33.1GB of available disk space, or even if you're typing 500MB, but the system only reserves 467MB or something: fear not, 'cause you're not alone.
- Choose a language that is better suited for your needs (I chose English as default);
- Location must be set accordinly to your current location. I chose 'other' >'South America'>'Brazil' and then you must choose your "locale configuration" (aka keyboard language) (mine is 'en_US.UTF-8'>'American English');
- Configure the network by setting you hostname according to the especifications (
intralogin+42
). At this part, your hostname can be any of your choice, since you'll be asked to modify it by command-line once the installation is complete). Your domain name will be automatically generated if you just hit continue on the next step;- Set up users ans passwords by choosing a strong Root Password (again, this password will be changed during the project). You can already configure a user by typing your fullname and your intra login if you want, but this step can be done once you boot your new machine;
- *Configure the clock* by choosing your current location;
- You must correctly set-up partitions choosing Manual configuration, according to specific instructions (at this point, you can choose to create the Mandatory part's partitioning, or the Bonus part's one. I chose the Bonus one). Once you choose the hard drive to partition and click yes. Now you must choose your available free space to start partitioning. GO on Create new partition for
\boot
with the specified size. Choose primary(this is a Standard Partition) at the beggining of the available space. At the end, yoursda1
must look like something like this;- To set up the Logical Volumes you need to undestand the basics of what a LVM really is (see below for more on LVM). You will choose the next available free space and configure it as a 'physical volume for encryption'. Then, you must choose to 'configure encrypted volumes'>'created encrypted volumes'>'choose volumes to encrypt'>'finish' so that the partition will be overwritten with random data. When it is done, you will be asked to type in the passphrase to protect your ENcrypted Disk;
- After encrypting the partition, you will have to declare it a Volume Group by going to 'Configure the Logical Volume Manager', then write the changes on disk, create a Logical Group, name it, select the partition to do it and finally create the Logical Volumes one by one by giving it a name, set its size and create them with the specifications declared on the project. At the end, you can display the volumes created (mine showed something like this). I use
ext4
as a filesystem to the Logical Volumes in this part. Click on 'Finish'. At last, don't forget to mount the volumes by clicking on each of them and choosing a correct mount point before finishing the partitioning. The overview should look like this;- Now you make sure to be scanning for new packages and to set your location correctly to configure the
apt
package manager (this is Debian's default, but you can change it for appititude later if you wish);- In the next step you must make sure you are not installing any graphical interface to your Debian OS. Since our goal is to set up a server, GUIs are explicitily forbidden and are, altogether, very much dispensable;
- Install the GRUB boot loader and, when that's done, finally reboot your new system so you're now all set!
My best guess is that it happens because of a malfunction conversion of the Debian installer itself. You see, 1 kylobyte equals to 1024 bytes, not 1000. If you project that to Megas or even Gigas, it's a lot of bytes you're simply not counting. That's what Debian's installer is doing.
To be very practical, it matters not in your day-to-day life either you're converting bytes by the 1000s or 1024s. But, since the project's specifications were very precise, I decided to follow along and convert everything to real bytes before typing them down on the partioning menu (for example, 500 MegaBytes turned into 524288000 Bytes. A lot of numbers in this one, I know, but Excel is your friend).
However, whether you do that in your own project is completely up to you!
Logical Volume Manager is a system of mapping and managing hard disk memory used on Linux-kernel's based systems. Instead of the old method of partitioning disks on a single filesystem, and having it be limited to only 4 partitions, LVM allows you to work with "Logical Volumes", a more dinamically and flexible way to deal with your hardware.
There are three major concepts you must understand to fully grasp the behaviour of LVM:
- Volume Group: It is a named collection of physical and logical volumes. Typical systems only need one Volume Group to contain all of the physical and logical volumes on the system;
- Physical Volumes: They correspond to disks; they are block devices that provide the space to store logical volumes;
- Logical Volumes: They correspond to partitions: they hold a filesystem. Unlike partitions though, logical volumes get names rather than numbers, they can span across multiple disks, and do not have to be physically contiguous.
The idea sounds simple enough: You take a disk, declare it as a Physical Volume, then you take that volume and append it to the Volume Group of your choice (usually only one per computer). At last, you may "partition" that volume into small Logical Volumes that can correspond to 1 or multiple disks, and can be reallocated in memory even if they are already in use.
LVM is a great utility to have on servers and systems that demand usage stability and great necessity of quick management of the available physical devices (it makes it way easier to add or remove memory, for instance).
Once the installation has completed, and you've rebooted your system you must log into the OS.
The first step is to type in the password you used to encrypt your LVM
partitions. Then, you must choose a user to log-in to. I recommend using the root
for now, as we still need to have root privileges to completely finish the set-up.
Once you're logged in, use the following commands to check if everything is according to the plan:
cat /etc/os-release
- see information on the system installed;lsblk
- see the partitioning's scheme.
Some importante commands to keep in hand:
logout
orexit
- exit current session to enable you to change the active user;reboot
- reboot the system (needs root permission);poweroff
- turns the system off (needs root permission).
Debian based systems, by default, use APT
(Advanced Package Tool) and DPKG
package management tools. While DPKG
is a low level package manager, used to install, remove and provide information about .deb
packages, APT
is more high leveled, working its way through complex package relations, such as dependency resolution.
For Debian, APT
is the most common and most used package manager. It comes installed by default and provides command-line management for all the packages you might need on your computer in a resonably user-friendly way, with shorter and more intuitive commands.
It is also preferable, for some users, to use the Aptitude
package manager. Aptitude
is a front-end alternative to APT
. It allows the user to interactively pick the packages they want to install or remove, apart from also allowing flexible search patterns, such as commands and/or close-typed words.
For this project, one would be wise to work with APT
as it is more scriptable and replicable, which makes a good choice for writing documentation (including this one). It is to my understading that APT
can handle most of Aptitude
's functions through certain in-line commands (althought in not such an user-friendly and graphical way).
However, I will choose Aptitude
for pedagogical purposes and for the fact that it has more elaborate algorithms when trying to handle difficult situations. Aptitude is a great alternative to APT
.
Since Aptitude
doesn't come installed in Debian, you will need to install it.
# apt-get install aptitude
After the installation is completed, type aptitude
to open aptitude front-end. From here forward, we'll use aptitude
to manage the packages needed.
Mandatory Access Control (or MAC) is a security protocol that forbids any certain program, even one running on effective superuser privileges, to do anything other than what it was previously allowed to do. It is a secure measure used, mainly, in systems where stability and protection are paramount concepts (such as server units).
To enforce MAC, we can use a variety of programs. For Debian and all its similar systems, the default option is AppArmor
. It enforces protection over objects as per configuration. That means, the application "imunizes" other apps one by one. By default, something that has not been previously set as "protected" is, by all means, vulnerable.
AppArmor might not be considered as efficient and secure as SELinux
, for example, but it has an easier interface and is more user-friendly. For someone who is not all-accostumed to system administration, it becomes a great alternative for managing access control.
To make sure AppArmor
is installed, use:
# aptitude search apparmor
If by any reason it is not installed, you must install it first and enable it at startup:
# aptitude install apparmor
# aa-status
# systemctl enable apparmor
UFW
(or "Uncomplicated Firewall") is a program designed, as the name suggests, to be an easy-to-use firewall manager. 'Firewall', in turn, is a security device responsable for monitoring the information and data traffic from your local computer to the network.
As per the instructions, UFW
will have to be installed on our machine and configured in a way that will only allow connection to port 4242.
UFW
needs to installed and then enabled:
# aptitude install ufw
# ufw enable
To check the UFW
current status and ports allowed or denied, use:
# ufw status verbose
You will see that the 'outgoing' rule is set to allow
. Do not change that, otherwise the package manager and other essencial applications will stop working.
The subject only allows for port 4242 to be enabled, so what you can do is deny all ports available and allow only 4242. The following commands may help you with this:
# ufw default allow/deny incoming
# ufw default allow/deny outgoing
# ufw allow/deny <port-number>
However, if you only deny
a port, it will keep appearing on the rules as "DENY" status. To delete it completely, use:
# ufw status numbered
# ufw delete <rule-number>
Do not forget to enable your firewall on startup.
# systemctl enable ufw
To eventually disable the firewall, use:
# ufw disable