Christiana
Capstone Project: PCI DSS Online Payment Website

INTRODUCTION

As part of my capstone project, I developed two websites with a strong focus on security and compliance, including a payment website that adheres to PCI DSS standards. In this project, I aimed to demonstrate my understanding of security best practices and compliance requirements in real-world applications. Without much talk, let's dive in 😊

DATABASE MYSQL IN AZURE

  • Log in to your Azure account
  • Search for Resource group and click on it
  • Name it pci-dss project
  • Choose a region
  • Review and create

LET'S CREATE OUR AZURE DATABASE FOR MYSQL

  • In your Azure account, search for Azure Database for MySQL flexible server and click on it
  • Choose advanced create in a flexible server

  • Name your database server
  • Choose your region with an active subscription
  • Choose 8.0 in MySQL version

NOTE: I DON'T HAVE AN ACTIVE SUBSCRIPTION BUT FOLLOW THESE STEPS IF YOU HAVE AN ACTIVE SUBSCRIPTION

  • Choose for dev/test in workload type
  • Leave the default compute storage
  • In the availability zone, choose any one. But for this project, I will choose no preference

  • Don't enable high availability if you choose no preference (but you can enable it if you choose other type of availability zone)
  • Choose MySQL authentication only in authentication method

  • Put Username for your administrator login
  • Put password
  • And confirm the password

  • Click on Network
  • Choose public access in connectivity method (for this project; if you are working in a real environment, please choose private access)

  • Click on add current IP address (to add your own IP address)
    NOTE: If you are working in a company and the company's servers hold sensitive data, do not click on "Add 0.0.0.0 - 255.255.255.255" when you get to this part. If you click on it, you are giving everyone on the internet permission to reach that server. It is dangerous

  • Add the IP addresses of the people that you want to have access to the server at end IP address

  • In firewall rule name, put allow this person to connect

  • In starting IP address, paste the person's IP address

  • Click on security
  • Click on service-managed key
  • Click on review and create
  • Create

LET'S CREATE A VIRTUAL NETWORK WITH 3 SUBNETS

  • In your Azure account, search for virtual network and click on it
  • Click on create virtual network
  • Choose your region with active subscription
  • Name your Virtual network

  • Click on security
  • Enable virtual network encryption

  • Click on IP address
  • Erase the default IP (10.0.0.0) and put a new IP address ( example 192.168.0.0)
  • Delete the default subnet IP address
  • Click on add subnet
  • Name it database_subnet
  • Click save

  • Click on add another subnet
  • Name it backend_subnet
  • Click save
  • Click add another subnet
  • Name it frontend_subnet

  • This is what you should have

  • Click on review and create
  • Then create

LET'S CREATE NSG FOR DATABASE

  • Search for network security group in your Azure
  • Click on create
  • Choose your resource group
  • Name it database-nsg
  • Choose your region
  • create

  • After creating it, click on it
  • click on inbound
  • Click on add
  • In source, leave it at any
  • Source port range, put *
  • In destination, put Any
  • In service, put custom
  • In destination port range, put *
  • In protocol, put Any
  • In action, put Deny
  • In priority, put 1000
  • In description, type Deny all IP and all port
  • Click on add

NOTE: We only want the Backend to have access to the Database, so we are going to add an NSG rule that allows only the Backend subnet to reach the Database server

  • Click on the virtual network you created
  • Scroll down and click on subnet
  • Copy the Backend subnet IP
  • Go to your NSG inbound
  • Click on add
  • In source, select IP address
  • Source IP address, paste the backend IP address
  • In source port, put *
  • In destination, put Any
  • In service, select MySQL
  • In action, put allow
  • In priority, put 999 or any lesser number
  • In description, type allow this IP and port ( or anything)
  • Click on add

LET'S ADD THE IP ADDRESS OF THE BACKEND ENGINEER

  • Still in your NSG inbound rules, click add
  • In source, select IP address
  • Put the IP address
  • In source port, put *
  • In destination, select Any
  • In service, select MySQL
  • In action, put Allow
  • In priority, put 998 or lesser number
  • Click on add

LET'S CREATE VIRTUAL MACHINE FOR THE DATABASE

  • Search virtual machine in your Azure account
  • Click on it and click create virtual machine
  • Select your resource group
  • Name it database-Vm
  • Choose your region
  • I'm working with Ubuntu
  • Choose SSH public key in authentication type
  • Put Username (example is datadmin)
  • In SSH public key source, select use existing public key
  • Copy and paste your SSH public key
  • In public inbound port, select none
  • Go to network section
  • In subnet, select database_subnet
  • In public IP, leave it at (new) database-vm-ip
  • In NIC, choose advanced
  • In configure network security group, select database-nsg
  • Enable delete public IP and NIC when VM is deleted
  • Click review+create
  • Click create

LET'S CREATE INBOUND RULE FOR SSH

  • Click on your NSG inbound rules
  • Click on add
  • In source, select my IP or IP address (as the case may be)
  • Put the IP address, if you selected IP address
  • In source port, put *
  • In destination, select Any
  • In service, select SSH
  • In action, select Allow
  • In priority, put 100 or any number
  • Click add

LET'S CONNECT OUR DATABASE VM WITH MOBAXTERM

  • Copy your database VM public IP address
  • Open your mobaxterm
  • Click on session
  • Click SSH
  • Paste the public IP
  • Put the database VM username
  • Enable use private key and click on the icon in front of it
  • Select your private SSH key
  • Click on
  • Click Accept
  • Once you are in, type sudo apt update
  • After updating, log in to the root user by typing sudo su -
  • After logging in, type nano databaseinstall.sh
  • Once it opens, type the following script:

```bash
#!/bin/bash
# Installs MySQL server on the database VM and leaves the service running at boot.
echo "============System is updating=================="
sudo apt update -y

sleep 6

echo "============Installing mysql-server=================="
sudo apt install mysql-server -y

sleep 6

echo "============starting mysql-service after installation=================="
sudo systemctl start mysql.service

sleep 6

echo "============enable mysql service=================="
sudo systemctl enable mysql.service

echo "============task completed=================="
# Show the service state so you can confirm it is active (running)
systemctl status mysql.service
```

  • Right click and save
  • After saving, type ls
  • Type chmod +x databaseinstall.sh
  • To run the installation script, type ./databaseinstall.sh
  • Type cd /etc/mysql and hit enter
  • Type nano mysql.cnf
  • Type bind-address=0.0.0.0 or the IP address of the person that will have access to the server. Save and exit
  • Open the MySQL shell as root by typing sudo mysql, then set a password on the root user by typing ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'admin@123'; (you can choose your own password)
  • Then type exit
  • Log in again by typing mysql -u root -padmin@123

  • Create a user, give it a password and grant it all privileges for this project by typing CREATE USER 'jackson'@'%' IDENTIFIED BY 'prime@123'; (prime@123 is the user's password; you can choose your own). The % host pattern means the user is allowed to connect to the server from any host.
  • Type GRANT ALL PRIVILEGES ON *.* TO 'jackson'@'%' WITH GRANT OPTION;
  • Then type FLUSH PRIVILEGES; Flushing reloads the grant tables so the new privileges take effect. ON *.* means you are granting privileges on every database together with everything attached to those databases.
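For a payment database, PCI DSS expects the application account to have only the access it needs. The statements below are an added example, not from the original post: they create the same application user but limit it to the backend subnet and to the online_banking schema. The subnet 192.168.1.0/24 is assumed (the post does not state the subnet ranges); replace the host pattern and password with your own values.

```sql
-- Added example: least-privilege application account for the online_banking schema.
-- ASSUMPTION: backend_subnet is 192.168.1.0/24; adjust the host pattern to yours.
CREATE DATABASE IF NOT EXISTS online_banking;

-- Host pattern restricts where the account may log in from, instead of '%' (any host).
CREATE USER IF NOT EXISTS 'jackson'@'192.168.1.%' IDENTIFIED BY 'prime@123';

-- Only the statements the application needs, only on its own schema.
-- Add CREATE, ALTER and INDEX here only if the application manages its own tables.
GRANT SELECT, INSERT, UPDATE, DELETE ON online_banking.* TO 'jackson'@'192.168.1.%';

-- No WITH GRANT OPTION: the application account cannot create other accounts
-- or extend its own rights if it is ever compromised.
FLUSH PRIVILEGES;

-- Verify the account can do nothing beyond the grants above.
SHOW GRANTS FOR 'jackson'@'192.168.1.%';
```

If you already created 'jackson'@'%' as in the steps above, drop it with DROP USER 'jackson'@'%'; so the wide-open account does not remain alongside the scoped one.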

BACKEND

Let's Create NSG and VNET for Our Backend

  • Search for Virtual network and click on it
  • Choose the same resource group
  • Name your VNET (backend VNET)
  • Click on security and enable encryption
  • Click on IP
  • Erase the default IP (10.0.0.0) and put a new IP (192.168.0.0)
  • Click on review + create
  • Then click on create

Let's Create NSG for our Backend

  • Search for network security group and click on it
  • Click on create
  • Choose your resource group
  • Name it ( backend NSG)
  • Choose region
  • Create

Let's set rule for SSH, Frontend subnet IP, and our IP to access the Backend server

  • Click on the backend NSG you just created
  • Click on settings and click on inbound
  • Click on add
  • In source, I choose my IP ( you can choose IP addresses and put the IP addresses of those whom you want to give access to the server)
  • Source port, put *
  • Destination, put Any
  • Service, Choose SSH
  • Action, Choose allow
  • Priority, put a number not less than 100. I put 101
  • Click on add

Add another rule for your IP or IPS

  • Click add
  • Source, put my IP or IPS
  • Source port, put *
  • Destination, put Any
  • service, put custom
  • Destination port, put a port (e.g. 4000)
  • Priority, I put 102
  • Click on add

Add another rule for your frontend to access backend

  • Click add
  • Source, Choose IP address
  • Source IP, copy the frontend subnet IP you created in your database VNET and paste it.
  • Source port, *
  • Destination, Any
  • Service, Custom
  • Destination port, 4000
  • Priority, I put 103
  • Action, put Allow
  • click add

Let's Create A Backend Virtual Machine

  • Search for Virtual machine and click on it
  • Click create
  • Choose your region
  • Name it backend-vm
  • In image, I choose Ubuntu
  • Authentication type, choose SSH
  • Put a username (e.g. backendadmin)
  • In SSH public key, choose existing public key
  • Copy your SSH public key and paste it
  • In public inbound port, click none
  • Go to network section
  • In subnet, select backend-subnet
  • In Nic, click on advanced
  • In configure network, choose backend-nsg
  • Enable delete public IP and Nic
  • Click on review+create
  • Then click on create

Let's Connect our Backend server and begin installation

  • I connected my backend server with mobaxterm
  • Once you are inside the server, type sudo apt update

  • Let's install OpenJDK 17 by typing sudo apt install openjdk-17-jdk -y

  • Type java --version to check the jdk version

  • Let's install maven by typing sudo apt install maven -y

  • Type mvn --version to see the version of maven installed
  • Git clone the repo I'm working with: git clone https://<my username>:<my generated token>@<the repo URL>

  • Type ls
  • type cd to the repo
  • ls
  • Type cd src
  • ls
  • Type cd main
  • ls
  • Type cd resources
  • ls
  • Type sudo nano application.properties
  • Remove what is in front of spring.datasource.url= and put jdbc:mysql://<your database VM private IP>:<the port number>/online_banking
  • Remove what is in front of spring.datasource.username= and put the username you created during the MySQL configuration
  • Remove what is in front of spring.datasource.password= and put that user's password (prime@123)

  • Press Ctrl+X and press Y to save and exit
  • Type sudo apt install mysql-client -y

  • Let's connect to MySQL publicly by typing mysql -u jackson -pprime@123 -h <the database VM public IP>
    NOTE: Before this, make sure you have created a rule in the database NSG that allows the backend to reach the database
  • After confirming that you can connect to MySQL publicly, type exit
  • Let's connect to MySQL privately by typing mysql -u jackson -pprime@123 -h <the private IP address of your database VM>


Once you have confirmed that you can log in publicly, please go back to your database NSG and remove the rule for the backend VM public IP you connected with.

  • Back on the database VM, open mysql.cnf with nano and change the port number (in compliance with PCI DSS standards)
  • Press Ctrl+X and press Y to save and exit
  • Then type nano application.properties to update the port number, then save and exit
  • Type CREATE DATABASE online_banking;
  • Type SHOW DATABASES;
  • Type USE online_banking;

  • Type exit
  • ls
  • Type cd
  • ls
  • cd to my repo
  • Type mvn clean package

FRONTEND

CREATE NSG FOR FRONTEND AND ADD RULES

  • Go to the Frontend NSG
  • Click on security, and then click on inbound
  • Click on add
  • In source, choose Any (or IP address, and put the IP address in source IP)
  • In source port range, put *
  • Destination, put Any
  • Service, choose SSH
  • Action, choose Allow
  • Priority, I put 100
  • Save

  • Add another rule

  • Source, put Any (or IP/IPs)

  • Source port range, put *

  • Destination, Choose Any

  • Service, Choose custom

  • Destination port range, for this project, I put 3000,443

  • Protocol, Choose Any

  • Action, choose Allow

  • Priority, I put 101

  • Save

CONNECT OUR FRONTEND VM AND START INSTALLING

  • Connected mine with mobaxterm
  • Once you are in, type sudo apt update
  • Then type sudo apt install nodejs -y

  • Then type sudo apt install npm -y

  • Then clone the repository you have your source in by typing git clone https://<your token>@github.com/<your GitHub username>/<your repo>.git
  • Then ls to see the repo
  • Type cd (your frontend repo name/)
  • Open your vs code
  • Click on connect to

  • Click on connect to host

  • Click on configure SSH host

  • Click on SSH/config

  • In Host, name it frontend server
  • In HostName, put the frontend VM public IP
  • In User, put the frontend VM username
  • In IdentityFile, paste the path to your private SSH key

  • Save it
  • Click on this icon

  • Click connect to host
  • Click on the file you just created

  • Choose the OS you want to work with. I chose Linux

  • Click on continue
  • Once you are connected, type code .
  • Click on the OS you choose
  • Then click on yes
  • Type ls
  • Click on the search bar in your vs code
  • Copy your frontend VM private IP
  • Type localhost in the search bar
  • Paste the IP on replace side
  • Click on the icon beside AB
  • Then click replace

  • Type cd (your frontend repo)
  • Then type sudo npm start

  • If it refuses to start, type sudo npm audit fix --force (this forces dependency fixes, which usually clears the error), then re-type sudo npm start
  • Go to your browser and open your frontend public IP:3000

THE ABSOLUTE END☺️

Would you try this out? And you are welcome to ask me any questions.

See you soon
