This project was an introduction to the world of virtualization. The goal was to create a virtual machine (VM) under specific requirements.
It was only necessary to submit a text file with the SHA-1 checksum to verify the integrity of the VM.
No graphical interface was allowed and the selected operating system (OS) was Debian GNU/Linux (download page).
The virtualization software (hypervisor) that was used was Oracle VirtualBox (official site).
- The memory size and the size of the virtual hard disk were set to 1024 MB and 30.8 GB, respectively.
- The partitions were set manually. The primary partition (sda1) was set to 500 MB and an encrypted logical partition (sda5) was created.
- The Logical Volume Manager (LVM) was configured creating a volume group named LVMGroup. Each logical volume was created and properly configured, selecting the file system (Ext4) and the respective mount point.
- With the OS fully installed and the disk properly partitioned the detailed partition structure can be shown by typing
lsblkon the command line (see the image below for an example output).
- To check the OS installed:
$ uname -v - To see if there is no graphical interface:
$ ls /usr/bin/*session
- Login as the root user:
$ su
- Install sudo using the Advanced Packaging Tool (APT):
$ apt install sudo
- Reboot the system to check if it was installed correctly:
$ sudo reboot
$ sudo -V
- Adding user:
$ sudo adduser <username>
- Adding group 'user42' as requested:
$ sudo addgroup user42
- Adding the user to the groups 'sudo' and 'user42':
$ sudo adduser <username> <groupname>
- Useful commands:
$ getent group <groupname> - to check if the user belongs to the group
$ groups <username> - to check the groups the user belongs to
$ cat /etc/group - to see the account details for all the existing groups
- Updating the package management system:
$ sudo apt update
- Installing OpenSSH server package:
$ sudo apt install openssh-server
- Check the status of the SSH service:
$ sudo service ssh status or $ sudo systemctl status ssh
- If the SSH service is not running:
$ sudo service ssh start or $ sudo systemctl start ssh
- To enable the SSH service to start automatically on system boot:
$ sudo systemctl enable ssh
- To run the SSH service on the port 4242:
$ nano /etc/ssh/sshd_config
(-> Replace #Port 22 with #Port 4242 -> Edit #PermitRootLogin prohibit-password to #PermitRootLogin no)
$ nano /etc/ssh/ssh_config
(-> Replace #Port 22 with #Port 4242
- To update the changes on the previous files:
$ sudo service ssh restart
- Install UFW:
$ sudo apt install ufw
$ sudo ufw enable - to enable the firewall on system startup
- Adding a rule to allow incoming traffic on port 4242:
$ sudo ufw allow 4242
- Check the new rule:
$ sudo ufw status
- Check the status of the UFW:
$ sudo service ufw status
- To delete a rule:
$ sudo ufw status numbered -> $ sudo ufw delete <rule_number>
- Creating a file to store the password configuration:
$ touch /etc/sudoers.d/sudo_config
- Creating a sudo directory, where the input and output for each sudo-executed command will be stored:
$ mkdir /var/log/sudo
- Editing
sudo_configfile:
$ nano /etc/sudoers.d/sudo_config
Defaults passwd_tries=3
Defaults badpass_message="Password is wrong, please try again."
Defaults logfile="/var/log/sudo/sudo_config"
Defaults log_input, log_output
Defaults iolog_dir="/var/log/sudo"
Defaults requiretty
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
- Edit
login.defsfile:
$ nano /etc/login.defs
(-> PASS_MAX_DAYS 30, PASS_MIN_DAYS 2, PASS_WARN_AGE 7)
- Install PAM (Pluggable Authentication Module) to perform password quality checking:
$ sudo apt install libpam-pwquality
- Edit
common_passwordfile:
$ nano /etc/pam.d/common_password
retry=3 minlen=10 ucredit=-1 lcredit=-1 dcredit=-1 maxrepeat=3 reject_username difok=7 enforce_for_root
(This new password policy will affect only the newly created users.)
- To enforce the policy to the previously created users (including root):
$ sudo chage -l <username> - to list the information
$ sudo chage -m 2 <username> - to edit the min_days
$ sudo chage -M 30 <username> - to edit the max_days
-
In VirtualBox go to Settings -> Network -> BridgedAdapter
-
Reboot the VM.
-
Find the VM IP:
$ hostname -I
- While the VM is running open a Terminal window:
$ ssh <username>@<IP> -p 4242
- Logout:
$ exit
A script named monitoring.sh(see file) was created in bash to display some information on all terminals every 10 minutes since the server startup.
#!/bin/bash
while true; do
# ARCHITECTURE
arch=$(uname -a)
# PHYSICAL CPU
cpuf=$(grep "physical id" /proc/cpuinfo | wc -l)
# VIRTUAL CPU
cpuv=$(grep "processor" /proc/cpuinfo | wc -l)
# RAM
ram_total=$(free --mega | awk '$1 == "Mem:" {print $2}')
ram_use=$(free --mega | awk '$1 == "Mem:" {print $3}')
ram_percent=$(free --mega | awk '$1 == "Mem:" {printf("%.2f"), $3/$2*100}')
# DISK
disk_total=$(df -m | grep "/dev/" | grep -v "/boot" | awk '{disk_t += $2} END {printf ("%.1fGb\n"), disk_t/1024}')
disk_use=$(df -m | grep "/dev/" | grep -v "/boot" | awk '{disk_u += $3} END {print disk_u}')
disk_percent=$(df -m | grep "/dev/" | grep -v "/boot" | awk '{disk_u += $3} {disk_t+= $2} END {printf("%d"), disk_u/disk_t*100}')
# CPU LOAD
cpul=$(vmstat 1 2 | tail -1 | awk '{printf $15}')
cpu_op=$(expr 100 - $cpul)
cpu_fin=$(printf "%.1f" $cpu_op)
# LAST BOOT
lb=$(who -b | awk '$1 == "system" {print $3 " " $4}')
# LVM USE
lvmu=$(if [ $(lsblk | grep "lvm" | wc -l) -gt 0 ]; then echo yes; else echo no; fi)
# TCP CONNECTIONS
tcpc=$(ss -ta | grep ESTAB | wc -l)
# USER LOG
ulog=$(users | wc -w)
# NETWORK
ip=$(hostname -I)
mac=$(ip link | grep "link/ether" | awk '{print $2}')
# SUDO
cmnd=$(journalctl _COMM=sudo | grep COMMAND | wc -l)
wall " Architecture: $arch
CPU physical: $cpuf
vCPU: $cpuv
Memory Usage: $ram_use/${ram_total}MB ($ram_percent%)
Disk Usage: $disk_use/${disk_total} ($disk_percent%)
CPU load: $cpu_fin%
Last boot: $lb
LVM use: $lvmu
Connections TCP: $tcpc ESTABLISHED
User log: $ulog
Network: IP $ip ($mac)
Sudo: $cmnd cmd"
sleep 600
done
The cron table is used for scheduling and automating tasks.
- Open crontab as root in the default text editor:
$ sudo crontab -u root -e
- Edit the file:
@reboot <path for the script> &
To obtain the SHA-1 hash value that identifies the VM go to the directory where the VM is.
Then:
$ sha1sum <VM Name>.vdi
And save it in a signature.txt file.
🐸 Feel free to fork, clone, or contact me for questions or feedback.