Overview

Born to be Root is a system administration project focused on deploying and hardening a production Linux server from scratch. The goal: set up a secure, partitioned Debian server running WordPress with defense-in-depth security measures.

Note: VMs are auto-deleted post-submission per 42 policy. Proof of completion available on 42 Intra profile.

Architecture

┌─────────────────────────────────────────────────────────────┐
│                   Hardened Debian Server                    │
├─────────────────────────────────────────────────────────────┤
│  • Strict partition scheme (/, /home, /var, /tmp, etc.)     │
│  • Encrypted LVM volumes                                    │
│  • SSH hardening (key-only auth, port change)               │
├─────────────────────────────────────────────────────────────┤
│  Security Layers:                                           │
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────────────┐  │
│  │  Fail2Ban   │  │  AppArmor   │  │   WordPress + TLS   │  │
│  │(brute-force │  │ (mandatory  │  │  (HTTPS/SSL certs)  │  │
│  │ protection) │  │   access    │  │                     │  │
│  │             │  │  control)   │  │                     │  │
│  └─────────────┘  └─────────────┘  └─────────────────────┘  │
└─────────────────────────────────────────────────────────────┘

What I Built

  • Partitioned Debian Installation: Strict partition layout with separate mount points for security and performance isolation
  • WordPress Deployment: Full LEMP-like stack (Nginx, MariaDB, PHP-FPM) with automated setup
  • AppArmor Profiles: Mandatory access control (MAC) restricting WordPress and service capabilities
  • Fail2Ban Configuration: Automated intrusion prevention banning brute-force SSH and web attacks
  • TLS/SSL Certificates: Self-signed certificates with TLS 1.2+ configuration
  • SSH Hardening: Key-based authentication, root login disabled, non-standard port
  • Service Management: Systemd unit configuration and service isolation

Key Concepts

  • Defense in depth: multiple security layers (partitioning + MAC + IPS + TLS)
  • Linux filesystem hierarchy and mount point security
  • Mandatory Access Control (MAC) vs Discretionary Access Control (DAC)
  • Automated attack mitigation and log analysis (Fail2Ban)
  • TLS handshake and certificate chain validation
  • Production server deployment workflow from bare metal

Security Measures

| Layer | Implementation |
| --- | --- |
| Partitioning | Separate /, /home, /var, /tmp, /var/log with appropriate mount options |
| Access Control | AppArmor profiles for nginx, php-fpm, mysql |
| Intrusion Prevention | Fail2Ban jails for sshd, nginx-noscript, nginx-auth |
| Encryption | TLS 1.2+ with strong cipher suites |
| Authentication | SSH key-only, root login disabled, port obfuscation |
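
An added example, not the project's own code: a POSIX shell audit of the three SSH settings listed above (key-only authentication, root login disabled, non-default port). The sample configs and port 4242 are constructed and the function names are hypothetical; it reads only the global section of one file, so on a live host `sshd -T` gives the effective configuration.

```shell
#!/bin/sh
# Added example: audit the SSH settings listed above.
# Sample configs are constructed; function names are hypothetical.
SAMPLE_GOOD='Port 4242
PermitRootLogin no
PasswordAuthentication no
'
# Weak on port and root login. The second PasswordAuthentication line is
# ignored by sshd, which keeps the first value it reads for a keyword.
SAMPLE_WEAK='port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
PasswordAuthentication yes
'

# effective_value KEYWORD DEFAULT < config
# Keywords are case-insensitive, "Key=Value" is accepted, first value wins.
# Only the global section is read: parsing stops at the first Match block.
# Include directives are not followed.
effective_value() {
    awk -v key="$1" -v def="$2" '
        BEGIN { key = tolower(key); val = def }
        /^[ \t]*#/ { next }
        { sub(/[ \t]*=[ \t]*/, " ") }
        tolower($1) == "match" { exit }
        tolower($1) == key && !found { val = tolower($2); found = 1 }
        END { print val }'
}

# audit_sshd < config ; prints findings, returns the number of failed checks.
audit_sshd() {
    cfg=$(cat); fails=0
    port=$(printf '%s\n' "$cfg" | effective_value Port 22)
    root=$(printf '%s\n' "$cfg" | effective_value PermitRootLogin prohibit-password)
    pass=$(printf '%s\n' "$cfg" | effective_value PasswordAuthentication yes)
    [ "$port" != 22 ] || { echo "FAIL Port=$port (default port)"; fails=$((fails + 1)); }
    [ "$root" = no ]  || { echo "FAIL PermitRootLogin=$root"; fails=$((fails + 1)); }
    [ "$pass" = no ]  || { echo "FAIL PasswordAuthentication=$pass"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK port=$port root=$root password=$pass"
    return "$fails"
}

printf '%s' "$SAMPLE_GOOD" | audit_sshd || true
printf '%s' "$SAMPLE_WEAK" | audit_sshd || true
```

Because the first value wins, a hardening line appended at the end of a config file has no effect if the same keyword already appears earlier.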