[HIRE ME] System Admin

stephvibes · Mar 25, 2018

Vouch for Poss!!

Possibilities · Mar 25, 2018

FoxIsBae said:
Vouch for Poss!!

Thanks for the vouch!

1337 · Mar 25, 2018

How would you go about properly setting up, securing, and optimizing a linux server running Ubuntu 16.04 or CentOS 7

55r · Mar 25, 2018

Vouch

Possibilities · Mar 25, 2018

Fox said:
How would you go about properly setting up, securing, and optimizing a linux server running Ubuntu 16.04 or CentOS 7

the "setting up" portion would depend on what the box would be used for. But since I'm assuming you're testing my knowledge, I'll use the scenario that an Ubuntu 16.04 box has been purchased from OVH for use on a new Minecraft network.

first off, I would install the proper Java JRE package for the system. In most cases, I would just apt install openjdk-jre or apt install default-jre. In other cases, I might download the official tarball using wget from the oracle website, and go through the process of extracting the tarball and installing it that way. I would then make a new user on the box, and give it certain privileges to access the minecraft server's directory, which I would put under /mcserver.

To secure a box, I would first change the default port for SSH, which is 22. I would change it to a random number below 65535. I would also configure IPTables to close open ports, and to deny incoming connections. The only ports I would keep open would be the ssh port, and the MC server's port (25565), and even in some cases, I might use IPTables to only allow certain IP addresses to access the ssh port. I would also install SELinux and AppArmor, If they are not already installed. Strong randomly generated passwords would be used on all accounts, and I would also disable remote root login. In its place, I would make a sudoer user.

To maintain security, I would periodically check connected IP's using "w".

To optimize, I would use rcconf (a utility which can turn on/off startup processes), to disable unnecessary processes on startup.

Finally, I would reboot the box![DOUBLEPOST=1522015515][/DOUBLEPOST]

55r said:
Vouch

Thanks!

1337 · Mar 25, 2018

Possibilities said:
the "setting up" portion would depend on what the box would be used for. But since I'm assuming you're testing my knowledge, I'll use the scenario that an Ubuntu 16.04 box has been purchased from OVH for use on a new Minecraft network.

first off, I would install the proper Java JRE package for the system. In most cases, I would just apt install openjdk-jre. In other cases, I might download the official tarball using wget from the oracle website, and go through the process of extracting the tarball and installing it that way. I would then make a new user on the box, and give it certain privileges to access the minecraft server's directory, which I would put under /mcserver.

To secure a box, I would first change the default port for SSH, which is 22. I would change it to a random number below 65535. I would also configure IPTables to close open ports, and to deny incoming connections. The only ports I would keep open would be the ssh port, and the MC server's port (25565), and even in some cases, I might use IPTables to only allow certain IP addresses to access the ssh port. I would also install SELinux and AppArmor, If they are not already installed. Strong randomly generated passwords would be used on all accounts, and I would also disable remote root login. In its place, I would make a sudoer user.

To maintain security, I would periodically check connected IP's using "w".

To optimize, I would use rcconf (a utility which can turn on/off startup processes), to disable unnecessary processes on startup.

Finally, I would reboot the box![DOUBLEPOST=1522015515][/DOUBLEPOST]

Thanks!

I guess we live in an era where SSH keys are obsolete. Also, why change the SSH port and not just install fail2ban? you also wrote out three sentences of explaining how you install java.

A few more questions as well, if you wouldn't mind:

1. MySQL or MariaDB and why
2. Any past references?
3. Why put servers into the root directory?
4. Checking "periodically" active connections with 'w' isn't reliable, sure you might check it once every few days but you will 9/10 times miss the attacker which could easily be able to access your non-SSH key'd server.
5. On minimal installs, there's usually very little bloat to be found that would need tools like rcconf. In reality, the only true answer to the general question of how to optimize your server is "it depends".
6. Would you mind elaborating a bit on "casual pentester"?

Spenser · Mar 25, 2018

Fox said:
I guess we live in an era where SSH keys are obsolete. Also, why change the SSH port and not just install fail2ban? you also wrote out three sentences of explaining how you install java.

A few more questions as well, if you wouldn't mind:

1. MySQL or MariaDB and why
2. Any past references?
3. Why put servers into the root directory?
4. Checking "periodically" active connections with 'w' isn't reliable, sure you might check it once every few days but you will 9/10 times miss the attacker which could easily be able to access your non-SSH key'd server.
5. On minimal installs, there's usually very little bloat to be found that would need tools like rcconf. In reality, the only true answer to the general question of how to optimize your server is "it depends".
6. Would you mind elaborating a bit on "casual pentester"?

If its any consolidation I used SSH keys on all my dedis for my networks

Possibilities · Mar 25, 2018

Fox said:
I guess we live in an era where SSH keys are obsolete. Also, why change the SSH port and not just install fail2ban? you also wrote out three sentences of explaining how you install java.

A few more questions as well, if you wouldn't mind:

1. MySQL or MariaDB and why
2. Any past references?
3. Why put servers into the root directory?
4. Checking "periodically" active connections with 'w' isn't reliable, sure you might check it once every few days but you will 9/10 times miss the attacker which could easily be able to access your non-SSH key'd server.
5. On minimal installs, there's usually very little bloat to be found that would need tools like rcconf. In reality, the only true answer to the general question of how to optimize your server is "it depends".
6. Would you mind elaborating a bit on "casual pentester"?

Fail2Ban is a smart solution, Honestly didn't think of it in a spur of the moment situation.

1.) MariaDB. It's more optimized and offers more storage engines.
2.) Yeah, They all have quit MC tho, and some of them have become shady. But I can give a list in a PM if needed.
3.) For ease of access.
4.) I understand this. But it's still something I do occasionally (a few times a week), or in case of suspicious activity, to check to see who is on the machine.
5.) You are right. But you asked what I would do. And for disabling services on non-minimal installs, this could be handy.
6.) I go to a trade school, taking a Cybersecurity & Cisco Networking course. Part of what I learn is using Kali Linux and ParrotSec, as well as finding and patching vulnerabilities. I do not "hack", nor do I do illegal activities. If I had been tasked to pentest somebody's or a corporation's network, I would get explicit written permission from that person/corporation before doing a thing. Also keep in mind that I am still learning how to effectively audit and/or pentest via my school, hence the "casual" part of that. I do labs on hackthebox and also set up machines on my home network and attempt to pentest these.

O-T · Mar 25, 2018

Possibilities said:
Fail2Ban is a smart solution, Honestly didn't think of it in a spur of the moment situation.

1.) MariaDB. It's more optimized and offers more storage engines.
2.) Yeah, They all have quit MC tho, and some of them have become shady. But I can give a list in a PM if needed.
3.) For ease of access.
4.) I understand this. But it's still something I do occasionally (a few times a week), or in case of suspicious activity, to check to see who is on the machine.
5.) You are right. But you asked what I would do. And for disabling services on non-minimal installs, this could be handy.
6.) I go to a trade school, taking a Cybersecurity & Cisco Networking course. Part of what I learn is using Kali Linux and ParrotSec, as well as finding and patching vulnerabilities. I do not "hack", nor do I do illegal activities. If I had to pentest somebody's or a corporation's network, I would get explicit written permission from that person/corporation before doing a thing. Also keep in mind that I am still learning how to effectively audit and/or pentest via my school, hence the "casual" part of that.

Number 3 doesn't make sense? Ease of access? But do you not know that putting anything in the root directory is highly unconventional and absolutely not recommended? You'd put such a thing in a subdirectory in /srv for example, Linux has a filesystem structure that deserves to be respected, here's a visual view of it: https://image-store.slidesharecdn.com/aefe2299-2c18-4ca2-8bb7-0f6b23bb25f1-original.png

And also, number 4, if someone decides to sneak in and if it is really your worry I doubt you'd catch him before he does anything bad, so checking every week is a waste of time, if you really really want to monitor such a thing you're better off runing a script checking for connected IPs and automatically sending you an email if it's not recognized, you'd put it in the crontab and run it like every 5 minutes, but manually monitoring that is useless.

Just my view on this, otherwise, GLWS

Possibilities · Mar 25, 2018

O-T said:
Number 3 doesn't make sense? Ease of access? But do you not know that putting anything in the root directory is highly unconventional and absolutely not recommended? You'd put such a thing in a subdirectory in /srv for example, Linux has a filesystem structure that deserves to be respected, here's a visual view of it: https://image-store.slidesharecdn.com/aefe2299-2c18-4ca2-8bb7-0f6b23bb25f1-original.png

And also, number 4, if someone decides to sneak in and if it is really your worry I doubt you'd catch him before he does anything bad, so checking every week is a waste of time, if you really really want to monitor such a thing you're better off runing a script checking for connected IPs and automatically sending you an email if it's not recognized, you'd put it in the crontab and run it like every 5 minutes, but manually monitoring that is useless.

Just my view on this, otherwise, GLWS

Thanks for the input.

I've been doing system administration for a while now, and to be fair, I don't follow some conventional methods (the MC server directory within the root directory being a prime example). I've never had any issues with doing so, however.

You're also right about the "w" thing. I'm just kind of like that, though. Checking to see who is also logged in when I'm logged in is just something I do as a "security check". Writing a python script to run "w" every 5 minutes and save the output would be a smart idea. And if it finds an IP address not on the specified whitelist, It would send an email to me and/or the company's security team.

Skye · Mar 25, 2018

55r said:
Vouch

nice post farming.

1337 · Mar 26, 2018

Possibilities said:
Thanks for the input.

I've been doing system administration for a while now, and to be fair, I don't follow some conventional methods (the MC server directory within the root directory being a prime example). I've never had any issues with doing so, however.

is like saying, "I drink battery acid every night and haven't died yet, so I'll be fine drinking battery acid forever!"

Just because you have been lucky enough to not run into issues yet doesn't mean you won't. recommended practices are usually recommended for a reason

Possibilities · Mar 26, 2018

Fox said:
is like saying, "I drink battery acid every night and haven't died yet, so I'll be fine drinking battery acid forever!"

Just because you have been lucky enough to not run into issues yet doesn't mean you won't. recommended practices are usually recommended for a reason

True.

1337 · Mar 26, 2018

What steps would you take to efficiently and securely load balance 3 webservers, 2 database nodes, and 5 minecraft servers using vLan on a private network with each of those running on different servers?

Possibilities said:
True.

Possibilities · Mar 26, 2018

Fox said:
What steps would you take to efficiently and securely load balance 3 webservers, 2 database nodes, and 5 minecraft servers using vLan on a private network with each of those running on different servers?

To load balance three web servers, I would use a round robin DNS setup to load balance the three servers. With 5 Minecraft servers, I would use the same round robin DNS configuration. 2 database nodes would be load balanced with an HAProxy, assuming they are MariaDB databases.

[HIRE ME] System Admin

Possibilities

System Admin & Pentester

stephvibes

poggers

Possibilities

System Admin & Pentester

1337

ash is our purest form

55r

Possibilities

System Admin & Pentester

1337

ash is our purest form

Spenser

That guy!

Possibilities

System Admin & Pentester

O-T

IT Consultant

Possibilities

System Admin & Pentester

Skye

Protecting Turtles one Florida Man At A Time

1337

ash is our purest form

Possibilities

System Admin & Pentester

1337

ash is our purest form

Possibilities

System Admin & Pentester