42 Related System Administration Project -Born2beRoot- Rocky Version (WIP)

sumxtx/Born2beRoot


Rocky Linux

Rocky Linux is a community-driven Enterprise Linux distribution, stable enough for the largest enterprise to rely on it,
and community-driven to ensure it stays accessible to all.
About

In this guide I won't delve much into explaining all the commands, configurations, tools, etc. That is up to you, as some people would just blindly copy and repeat what is here without really understanding it. Preparing and investigating for the defense is on you. Good luck :P!!!

Download

OS Installation Prerequisites

Download the ISO to use for this installation of Rocky Linux.

You can download the latest ISO image for the Rocky Linux version used in this installation from the Rocky Linux download page.

To download the ISO directly from the command line on an existing Linux-based system:

Choose your closest mirror from the mirror list.

Use the wget command:

wget https://<your chosen mirror>/9/isos/x86_64/Rocky-<MAJOR#>.<MINOR#>-<ARCH#>-<VARIANT#>.iso

For example, I am going to use a DE (Germany) mirror, as it is geographically closer to me and those mirrors tend to have pretty reliable and fast servers,
with version=9.4, architecture=x86_64, variant=minimal:

wget https://de.mirrors.cicku.me/rocky/9/isos/x86_64/Rocky-9.4-x86_64-minimal.iso

Verifying the Installation ISO File


Once the download is complete we are going to check that the ISO file is not corrupted and is the one we are intending to install.
First we also need to download the CHECKSUM file, which contains the SHA-256 hash of the ISO.

wget https://de.mirrors.cicku.me/rocky/9/isos/x86_64/CHECKSUM

And compare it to the SHA-256 hash of the ISO file we have downloaded.

sha256sum -c CHECKSUM --ignore-missing

We should get an OK message:

Rocky-9.4-x86_64-minimal.iso: OK
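To see what this check does, and what a corrupted or truncated download looks like, here is an added shell example that is not part of the guide. It builds a small stand-in file in place of the ISO plus a CHECKSUM file in the BSD-style tagged format that sha256sum -c understands, verifies it, then appends one byte to the file and verifies again. The file names are the ones used in this guide; the contents are constructed, and it needs GNU coreutils sha256sum.

```shell
#!/bin/sh
# Added example (not from the guide): reproduce the ISO verification step
# offline with constructed data, including the failure case.

# make_sample DIR CORRUPT(0|1): write a stand-in "ISO" and its CHECKSUM file.
# With CORRUPT=1 a byte is appended afterwards to simulate a damaged download.
make_sample() {
    dir=$1
    corrupt=$2
    mkdir -p "$dir"
    # Constructed stand-in for the ISO (a real image is several hundred MB).
    printf 'pretend this is Rocky-9.4-x86_64-minimal.iso\n' > "$dir/Rocky-9.4-x86_64-minimal.iso"
    (
        cd "$dir" || exit 1
        # BSD-style tagged line: "SHA256 (name) = hash"
        sha256sum --tag Rocky-9.4-x86_64-minimal.iso > CHECKSUM
        # A second entry (constructed, all-zero hash) for an ISO we did not
        # download; --ignore-missing makes sha256sum skip it instead of failing.
        printf 'SHA256 (Rocky-9.4-x86_64-dvd.iso) = %064d\n' 0 >> CHECKSUM
    )
    if [ "$corrupt" = 1 ]; then
        printf 'x' >> "$dir/Rocky-9.4-x86_64-minimal.iso"
    fi
}

# verify_iso DIR: the guide's check, run inside DIR. Exit status 0 means the
# ISO matches its CHECKSUM entry; anything else means do not install from it.
verify_iso() {
    ( cd "$1" && sha256sum -c CHECKSUM --ignore-missing )
}

work=$(mktemp -d)
make_sample "$work/good" 0
make_sample "$work/bad" 1

verify_iso "$work/good"   # prints "Rocky-9.4-x86_64-minimal.iso: OK"
verify_iso "$work/bad"    # prints "Rocky-9.4-x86_64-minimal.iso: FAILED", non-zero exit
```

The non-zero exit status is what you want to key on in a script: a single appended byte is enough to change the digest, so a truncated or tampered image never reports OK.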

Setting up the Virtualization Engine

That depends on what you are using (VirtualBox, VMware, Virt-Manager...) and how many resources you are allowed to assign to the VM.
For example, on my campus, 30 GB at most is what our infra has allowed.

Doing this at home I will assign the following resources to my machine:

Boot   CPU       RAM    Disk     Network   SATA
UEFI   2 cores   8 GB   100 GB   NAT       Rocky....iso

And Boot it up

Installing the System

After booting you should get the Select Language page; choose your preferred language.

After that you will get to the Installation Summary.

Disk Partitioning

Go to System > Installation Destination to start partitioning.
Here you should select ✅ Custom, then ✅ Done.

Next choose the partitioning scheme ✅ LVM and ✅ Encrypt my data.
After that DON'T hit Done; instead go to > Click here to create them automatically.

That will generate some default partitions with arbitrary sizes; we are going to edit them according to our needs.

As I have 100 GB available, and keeping the bonus part in mind as well, this will be my disk layout:

Mount point   /     /home   /var   /srv   /tmp   /var/log   swap
Size          30G   15G     9G     15G    9G     12G        8G

Doing that on an infra with, let's say, 30 GB, it should look something like this:

Mount point   /     /home   /var   /srv   /tmp   /var/log   swap
Size          10G   5G      3G     3G     3G     4G         2G

Click on /home and, in the Desired Capacity box on the right side, enter your amount.
The same for /.

After that, click the + sign at the bottom left.

We are going to enter our desired Mount Point and the Desired Capacity. For example,
for the /var mount point I need 15G, so it would look like this:

Select Add Mount Point and repeat the same for /srv, /tmp, /var/log and swap.
Notice swap doesn't have a / before the name, as it is not mounted at a path.
Ensure everything is correct and now we can click on Done.

We will be prompted for the DISK ENCRYPTION PASSPHRASE. Enter the encryption passphrase for your disk in the Passphrase field and again in Confirm.

Save Passphrase and Accept Changes.

KDump

As the subject does not explicitly require it, we are just going to disable it.

Network & Host Name

Next, on Network & Host Name, enter your host name; mine is going to be just rocky42.

Apply and Done

Root Password

Select a Root Password and click on Done

After that no user creation is needed to start the installation, so we will do that later on. Just click on Begin Installation at the bottom right.

Wait for the installation to complete and then Reboot System.

First boot

After rebooting you will be prompted for the Disk Encryption Passphrase. Enter the one we used during the installation process.

That will finish the boot process and prompt us for the login. As we didn't create a user yet, log in with the root account and the root password.

Update the system with dnf

dnf update

That may ask you to confirm a few times; press y and Enter. Then install a few packages and enable the SSH daemon:

dnf install sudo openssh-server vim
systemctl enable sshd

Those may already be installed by default. After that, reboot your system again:

reboot

User Settings

After rebooting and logging in again with root, let's create our user and groups:

  • Add user
useradd -c "Ying Yang" ying42
  • Change User password
passwd ying42
  • Add user to wheel group
usermod -aG wheel ying42
  • Create user42 group
groupadd user42
  • Add user to user42 group
usermod -aG user42 ying42

  • Changing user to ying42
su ying42

And to double check we can

exit

until we reach the login prompt again, then try to log in with the ying42 user. Then we can run a sudo command with that user to confirm it can run sudo commands:

sudo dnf update

If everything is correct we can proceed and disable root login. That's an extra measure that blocks logging in with the root account:

  • Disable root login
sudo passwd -l root

SSH

Installing SSH

SSH Server Hardening

  • On the local machine (not the server, the one you will ssh from) generate an ssh key pair if you don't have one, or generate a new one exclusively for this purpose
cd ~/.ssh
ssh-keygen -C "web server1" -f id-web1 -t rsa -b 4096

  • Copy the ssh public key into the server with ssh-copy-id user@<the ip of your server>
ssh-copy-id -i id-web1 Youruser42@Theserverip

We are still logging in with the user's password; let's fix that in the next steps. Back on the server machine:

sudo dnf install selinux-policy-targeted
sudo dnf install policycoreutils-python-utils
sudo semanage port -a -t ssh_port_t -p tcp 4242

Install firewalld (TODO: firewalld cheatsheet), start the service (TODO: systemctl cheatsheet) and configure firewalld for ssh on the new port. Note that firewalld's default public zone still allows the ssh service on port 22; remove it once you have confirmed the new port works.

sudo dnf install firewalld
sudo systemctl start firewalld
sudo systemctl enable firewalld
sudo firewall-cmd --permanent --add-port=4242/tcp
sudo firewall-cmd --reload

Configuring sshd_config file

  • Edit /etc/ssh/sshd_config
sudo vim /etc/ssh/sshd_config

Uncomment and change the following values:

    Port 4242
    PermitRootLogin no
    MaxAuthTries 3
    MaxSessions 3
    PubkeyAuthentication yes
    PasswordAuthentication no

Test Connection

  • restart sshd
sudo systemctl restart sshd
  • Check sshd status
sudo systemctl status sshd
  • Try to connect again from your machine, but now using the following command
ssh Youruser42@Theserverip -p 4242 -i ~/.ssh/id-web1

Now you should see that you are being asked for the passphrase of the ssh key we generated earlier. That being said, if you lose this key or its passphrase you are completely locked out of the server remotely, so be aware.

Now we are good to go.
Nonetheless, try to log in in different ways to check that all is correct.
For example, try to log in with the root account, without the ssh key, from other ports, etc.

Configuring sudo and password policies

sudo general config and logs

  • Create the log folder for sudo
sudo mkdir /var/log/sudo
  • Edit the sudo configuration file
sudo vim /etc/sudoers.d/sudo_config
  • Add these lines to it (check the result with visudo -c before closing your session; a syntax error in /etc/sudoers.d breaks sudo for every user)
Defaults  passwd_tries=3
Defaults  badpass_message="You are a few steps of being locked out. Try Again:"
Defaults  logfile="/var/log/sudo/sudo_config"
Defaults  log_input, log_output
Defaults  iolog_dir="/var/log/sudo"
Defaults  requiretty
Defaults  secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

password policies

  • Edit the login defaults file
sudo vim /etc/login.defs
  • Modify these values (the file uses "KEY value" separated by whitespace, no colon; they apply to accounts created afterwards, which is why existing users are updated with chage below)
PASS_MAX_DAYS 30
PASS_MIN_DAYS 2
PASS_WARN_AGE 7
  • Get the values for the current user
sudo chage -l ying42
  • Modify the values for existing users
sudo chage -m 2 root
sudo chage -M 30 root
sudo chage -W 7 root
sudo chage -m 2 ying42
sudo chage -M 30 ying42
sudo chage -W 7 ying42
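The sshd_config values from the SSH section and the login.defs values above are both whitespace-separated "KEY value" files, and the usual mistake after editing them is leaving the directive commented out (a "#Port 22" line is not in effect). Here is an added shell example, not part of the guide, that audits such a file for the required settings; the sample files, the value lists and the audit functions are constructed for this example. It does not understand sshd Match blocks, so keep the settings in the global section as the guide does.

```shell
#!/bin/sh
# Added example (not from the guide): audit "KEY value" config files for
# required settings, ignoring commented-out lines.

# require_setting FILE KEY VALUE
# Exit 0 when at least one active (non-comment) KEY line exists in FILE and
# every active KEY line carries VALUE; otherwise print why and exit 1.
require_setting() {
    awk -v key="$2" -v want="$3" '
        /^[[:space:]]*#/ { next }                 # commented out: not in effect
        NF >= 2 && tolower($1) == tolower(key) {   # sshd keywords are case-insensitive
            seen++
            if ($2 != want) {
                bad++
                printf("%s: line %d sets %s to %s, expected %s\n", FILENAME, NR, key, $2, want)
            }
        }
        END {
            if (seen == 0) {
                printf("%s: %s is not set (still commented out?)\n", FILENAME, key)
                exit 1
            }
            exit (bad > 0)
        }
    ' "$1"
}

# audit_file FILE KEY=VALUE...: check every requirement, report all failures.
audit_file() {
    file=$1
    shift
    rc=0
    for kv in "$@"; do
        require_setting "$file" "${kv%%=*}" "${kv#*=}" || rc=1
    done
    return $rc
}

tmp=$(mktemp -d)

# Constructed sample: the values this guide asks for, plus an unrelated line.
cat > "$tmp/sshd_config.hardened" <<'EOF'
# sample sshd_config (constructed for this example)
Port 4242
PermitRootLogin no
MaxAuthTries 3
MaxSessions 3
PubkeyAuthentication yes
PasswordAuthentication no
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF

# Constructed sample: defaults left untouched, directives still commented out.
cat > "$tmp/sshd_config.default" <<'EOF'
#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
EOF

# Constructed sample: the login.defs values from this section.
cat > "$tmp/login.defs" <<'EOF'
PASS_MAX_DAYS   30
PASS_MIN_DAYS   2
PASS_WARN_AGE   7
UMASK           022
EOF

SSHD_WANT="Port=4242 PermitRootLogin=no MaxAuthTries=3 MaxSessions=3 PubkeyAuthentication=yes PasswordAuthentication=no"
LOGIN_WANT="PASS_MAX_DAYS=30 PASS_MIN_DAYS=2 PASS_WARN_AGE=7"

check_hardened_sshd() { audit_file "$tmp/sshd_config.hardened" $SSHD_WANT; }
check_default_sshd()  { audit_file "$tmp/sshd_config.default" $SSHD_WANT; }
check_login_defs()    { audit_file "$tmp/login.defs" $LOGIN_WANT; }

for f in check_hardened_sshd check_default_sshd check_login_defs; do
    if "$f"; then echo "$f: OK"; else echo "$f: FAIL"; fi
done
```

Point the functions at the real /etc/ssh/sshd_config and /etc/login.defs on the server and you get a quick self-check before you restart sshd and log out; on the untouched default sample above, both the commented-out Port line and the PasswordAuthentication yes line are reported.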

pam_pwquality password configuration

  • libpwquality should already be installed by default
sudo dnf install libpwquality
  • Edit the password-auth PAM file to impose password policies
sudo vim /etc/pam.d/password-auth
  • Append these options to the "password requisite pam_pwquality.so ..." line
minlen=10 ucredit=-1 dcredit=-1 lcredit=-1 maxrepeat=3 reject_username difok=7 enforce_for_root
  • The same in the system-auth PAM file
sudo vim /etc/pam.d/system-auth
  • Append these options to the "password requisite pam_pwquality.so ..." line
minlen=10 ucredit=-1 dcredit=-1 lcredit=-1 maxrepeat=3 reject_username difok=7 enforce_for_root
  • Now you can try to create a new user, let's say tester, and try to set its password to something weak, to ensure the policies are being applied
sudo useradd tester
sudo passwd tester
  • In my case I used 15 to make it harder and to be able to display the errors; here is what I got when trying passwords that break the policies
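To be able to explain what each option above means (a negative credit such as ucredit=-1 is a minimum count of that character class, maxrepeat=3 rejects more than three identical characters in a row, reject_username rejects a password containing the user name straight or reversed), here is an added shell example that is not part of the guide: a plain-shell approximation of those checks, so you can see why a given password is rejected. It is an illustration, not a replacement for pam_pwquality; difok is not checked because the function does not know the previous password, enforce_for_root only means root is not exempt, and the user-name check is done case-insensitively here. The candidate passwords are constructed.

```shell
#!/bin/sh
# Added example (not from the guide): approximate the pam_pwquality options
# minlen=10 ucredit=-1 dcredit=-1 lcredit=-1 maxrepeat=3 reject_username
# in plain shell. difok=7 and enforce_for_root are not modelled (see lead-in).

# check_password USER PASSWORD -> 0 if PASSWORD satisfies the policy, 1 otherwise.
# Each violated option is printed, so a rejected password explains itself.
check_password() {
    user=$1
    pw=$2
    rc=0

    # minlen=10
    [ "${#pw}" -ge 10 ] || { echo "minlen=10: only ${#pw} characters"; rc=1; }

    # ucredit=-1 / lcredit=-1 / dcredit=-1: at least one of each class
    printf '%s' "$pw" | grep -q '[[:upper:]]' || { echo "ucredit=-1: no uppercase letter"; rc=1; }
    printf '%s' "$pw" | grep -q '[[:lower:]]' || { echo "lcredit=-1: no lowercase letter"; rc=1; }
    printf '%s' "$pw" | grep -q '[[:digit:]]' || { echo "dcredit=-1: no digit"; rc=1; }

    # maxrepeat=3: no run of more than 3 identical consecutive characters
    # (BRE back-reference: a character followed by three copies of itself)
    if printf '%s' "$pw" | grep -q '\(.\)\1\1\1'; then
        echo "maxrepeat=3: more than 3 identical characters in a row"
        rc=1
    fi

    # reject_username: user name must not appear in the password, straight or
    # reversed; compared case-insensitively in this approximation.
    lpw=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
    luser=$(printf '%s' "$user" | tr '[:upper:]' '[:lower:]')
    ruser=$(printf '%s' "$luser" | awk '{ for (i = length($0); i > 0; i--) printf "%s", substr($0, i, 1) }')
    case $lpw in
        *"$luser"*|*"$ruser"*) echo "reject_username: password contains the user name"; rc=1 ;;
    esac

    return $rc
}

# Constructed candidates for the ying42 user from this guide.
for candidate in 'Str0ng-Passw0rd' 'ying42Rocks1' 'Passsss123' '24gniyAbcde1' 'short1A'; do
    if check_password ying42 "$candidate"; then
        echo "accepted: $candidate"
    else
        echo "rejected: $candidate"
    fi
done
```

Only the first candidate passes: the second contains the user name, the third has five identical characters in a row, the fourth contains the user name reversed, and the last is too short.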

Monitoring Script

  • monitoring.sh
