Week 1: System Planning and Distribution Selection
24/10/2025
System Architecture Diagram
Distribution Selection Justification
| Distribution | Pros | Cons |
|---|---|---|
| Ubuntu Server | Widely supported, stable LTS, large community, compatible with VirtualBox | Slightly heavier base install |
| Debian | Extremely stable, secure, minimal setup | Older packages, smaller repositories for new tools |
| CentOS | Enterprise-level stability, SELinux enabled by default | Steeper learning curve, enterprise-focused tools |
After comparing several Linux server distributions, I decided to use Ubuntu Server for my project. I chose Ubuntu because it is stable, easy to configure, and well-documented, which makes it suitable for developing my command-line and remote administration skills. Although Debian is extremely reliable and secure, its slower updates and smaller repositories make it less flexible for experimenting. On the other hand, CentOS is designed more for enterprise environments and has a steeper learning curve. Overall, Ubuntu provides the best balance between usability, support, and performance for a headless SSH-based setup.
Workstation Configuration Decision
The workstation used is my host operating system running on macOS. MacOS provides built in terminal SSH access to the server virtual machine; this method ensures that all administration is performed remotely, and aligning with professional practices. VirtualBox is used to host the server image and isolating it from the host environment.
Network Configuration Documentation
Due to university network restrictions preventing LAN connections over Wi-Fi, I configured my virtual machine
to use a NAT network in VirtualBox 7.2.4 instead of a host-only adapter.
To enable secure remote administration, I created a port forwarding rule that maps
SSH traffic from the host (MacBook) to the guest virtual machine. This forwards connections from
127.0.0.1:2222 on the host to port 22 on the virtual machine, allowing me to
connect locally using the command ssh -p 2222 username@127.0.0.1. This approach avoids
university network restrictions while maintaining a realistic remote management workflow.
System Specifications
I used the uname, free, df -h, ip addr, lsb_release commands to provide the following specifications.
# uname -a
Linux
# free -h
total used free shared buff/cache available
Mem: 2001372 246300 1165364 1024 678632 1755072
Swap: 0 0 0
# df -h
Filesystem Size Used Avail Use% Mounted on
tmpfs 196M 1.2M 195M 1% /run
/dev/sda2 24G 2.7G 20G 12% /
tmpfs 981M 0 981M 0% /dev/shm
/dev/sda1 1.1G 6.4M 1.0G 1% /boot/efi
tmpfs 196M 4.0K 196M 1% /run/user/1000
# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
2: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
inet 10.0.2.15/24 scope global dynamic enp0s8
# lsb_release -a
Distributor ID: Ubuntu
Description: Ubuntu 22.04 LTS
Week 2: Security Planning and Testing Methodology
31/10/2025
Performance Testing Plane
For this phase, I plan to design a performance testing and monitoring approach that ensures my Linux server
remains stable and secure during remote administration. I will monitor resource usage using command-line tools such as
top, free, and df -h to assess CPU load, memory utilisation, and disk activity.
Network responsiveness will be tested using ping and traceroute, while service reliability will
be checked through systemctl status ssh and log analysis with journalctl. These results will form
the foundation for comparing performance before and after security hardening, helping to identify any negative impact caused
by configuration changes. By maintaining a clear testing methodology and consistent monitoring approach, I aim to ensure
the system remains efficient, responsive, and secure throughout the deployment.
Security Configuration Checklist
| Area | Action | Purpose |
|---|---|---|
| SSH Hardening | Disabled root login, limited login attempts | Prevent brute-force and root access |
| Firewall Configuration | Installed & configured UFW | Restrict inbound traffic |
| Mandatory Access Control | Verified AppArmor/SELinux active | Enforce application-level security |
| Automatic Updates | Enabled unattended-upgrades | Maintain up-to-date security patches |
| User Priviledge Management | Created limited user, removed default admin | Principle of least privilege |
| Network Security | Checked open ports | Identify unnecessary exposed services |
Threat Model
The threat model outlines three seperate security concerns and suggests mitigation strategies for each of them.
- Brute-force SSH attacks: This occurs when an attacker repeatedly attempts to guess login credentials to gain remote access. To prevent this, I disabled root login, reduced the number of allowed authentication attempts, and configured the firewall to restrict repeated SSH connections, significantly lowering the chance of unauthorised access.
-
Privilege escalation: This threat involves a regular user gaining administrative access, often through misconfigured permissions
or exploitation of vulnerabilities. I mitigated this by enforcing the principle of least privilege, creating dedicated non-root user accounts,
and carefully controlling
sudoaccess to minimise the risk of elevated privilege misuse. -
Unpatched software vulnerabilities: Outdated packages can be exploited by attackers to compromise system security.
To address this, I enabled automatic updates using
unattended-upgradesand scheduled periodic manual patch reviews to ensure that the system remains fully updated with the latest security fixes.