https://wiki.cdot.senecacollege.ca/w/api.php?action=feedcontributions&user=Mark&feedformat=atomCDOT Wiki - User contributions [en]2024-03-29T07:20:16ZUser contributionsMediaWiki 1.30.0https://wiki.cdot.senecacollege.ca/w/index.php?title=Tutorial7:_Installing_Linux_/_Live_Linux_/_Virtualization&diff=145745Tutorial7: Installing Linux / Live Linux / Virtualization2020-02-03T21:34:18Z<p>Mark: /* LINUX PRACTICE QUESTIONS */</p>
<hr />
<div>=INSTALLING LINUX / LIVE LINUX / VIRTUALIZATION=<br />
<br><br />
===Main Objectives of this Practice Tutorial===<br />
<br />
:* List and explain the common types of installing Linux<br />
<br />
:* Define and explain the purpose of using a '''Live Linux distribution'''<br />
<br />
:* Define and explain the purpose of '''Virtualization'''<br />
<br />
:* Boot the Knoppix Live Linux distribution from MyApps<br />
<br><br />
<br />
===Tutorial Reference Material===<br />
<br />
{|width="100%" cellspacing="0" cellpadding="10"<br />
<br />
|- valign="top"<br />
<br />
|colspan="2" style="font-size:16px;font-weight:bold;border-bottom: thin solid black;border-spacing:0px;"|Course Notes<br><br />
<br />
|colspan="2" style="font-size:16px;font-weight:bold;border-bottom: thin solid black;border-spacing:0px;padding-left:15px;"|Concepts<br><br />
<br />
|colspan="1" style="font-size:16px;font-weight:bold;border-bottom: thin solid black;border-spacing:0px;padding-left:15px;"|YouTube Videos<br><br />
<br />
|- valign="top" style="padding-left:15px;"<br />
<br />
|colspan="2" |Course Notes:<ul><li>[https://ict.senecacollege.ca/~murray.saul/uli101/ULI101-Week7.pdf PDF] | [https://ict.senecacollege.ca/~murray.saul/uli101/ULI101-Week7.pptx PPTX]</li></ul><br />
<br />
| style="padding-left:15px;" |Installing Linux<br />
* Linux Installation Methods<br />
* Live Linux<br />
* Virtualization<br><br><br />
| style="padding-left:15px;"|Software<br />
* Knoppix<br />
<br />
|colspan="1" style="padding-left:15px;" width="30%"|Instructional Videos:<ul><li>x</li></ul><br />
|}<br />
<br />
= KEY CONCEPTS =<br />
<br />
===Installing Linux===<br />
<br />
<br />
Having your own Linux system offers a Linux student a great learning opportunity and gives you access to a large library of open source software.<br>You can also install different versions of a Linux system including a graphical desktop version, server version, etc.<br />
<br />
Installing your own version of Linux on your notebook or desktop computer at home can also help for working<br>in the Linux environment and learn how to perform routine Linux OS administration tasks.<br />
<br />
<br />
[[Image:distro-1.png|thumb|right|450px|Listing of Common Linux Distributions.<br>(Image licensed under [https://creativecommons.org/licenses/by-sa/3.0/ cc])]]<br />
''A '''Linux distribution''' (often abbreviated as distro) is an operating system made from a software collection that is based upon the Linux kernel and, often, a package management system. Linux users usually obtain their operating system by downloading one of the Linux distributions, which are available for a wide variety of systems ranging from embedded devices (for example, OpenWrt) and personal computers (for example, Linux Mint) to powerful supercomputers (for example, Rocks Cluster Distribution).''<br />
<br />
Reference: https://en.wikipedia.org/wiki/Linux_distribution<br />
<br />
<br />
''Steps in the Linux Installation Process:''<br />
<br />
* '''Select a Linux Distribution''' and '''download''' a Linux Distribution Install ISO file<br>to your Computer ('''Note:''' Be aware of any required Hardware Requirements for the Linux OS prior to installation.)<br />
* '''Burn an Linux Distribution CD/DVD''', or '''USB''', or use '''downloaded file when creating a virtual machine'''<br />
* Once booted, the installation process '''transfers the live image to a disk (or flash memory)''' and configures the system<br />
* For most distributions, the installation involves a '''guided graphical environment''' help assist with the Linux installation process<br />
<br />
===Linux Installation Methods===<br />
<br />
<br />
'''Standalone Installation'''<br />
<br />
* Linux is the only OS on the computer <br />
* Any existing data on disk will be erased<br />
<br />
<br />
[[Image:grub-boot-menu.png|thumb|right|250px|The '''grub boot menu''' to select different operating systems upon computer startup.<br>(Image licensed under [https://creativecommons.org/licenses/by-sa/3.0/ cc])]]<br />
'''Dual-boot / Multi-boot Installation'''<br />
<br />
* A '''boot menu''' allows the user to select the desired OS<br />
* This options provides a method to still use your computer if one OS fails to boot-up<br />
* Most Linux distributions can access the Windows partition if your Windows OS cannot boot-up<br />
* This option is great for troubleshooting: for example booting into other OS to confirm that you can connect to the Internet to rule-out hardware issues<br />
* The installation process will take some of the free disk space from the OS already installed<br />
* It is recommended to back up important data before proceeding<br />
* It is recommended to install the Linux OS last, as other operating systems may not offer a multi-boot option<br />
<br />
<br />
'''Virtualized Installation'''<br />
<br />
[[Image:vm-player-menu.png|thumb|right|250px|VMware Player launch menu for Ubuntu Linux OS<br>(Image licensed under [https://creativecommons.org/licenses/by-sa/3.0/ cc])]]<br />
* Virtualization requires a compatible processor – not all processors support that feature<br />
* Most recent multi-core processors support virtualization<br />
* The virtualized OS is installed and run in a window under another OS<br />
* The installation can usually be completed from an ISO image<br />
* One or more virtual machines can be run at the same time The guest OS shares the hardware with the host OS and possibly other virtualized systems<br />
* Special software is used to manage the entire process, this is the “hypervisor”<br />
* The guest systems have network access through the host<br />
* The selection of virtualization software (which allows creation and running of virtual machines) depends mainly on the host OS, although some are cross-platform. Other considerations as to virtualization software may be features, support, price and/or personal preferences.<br />
<br />
<br />
Popular VM software for Windows and MAC include:<br />
*VMware<br />
*Oracle Virtual Box<br />
*KVM<br />
*XEN<br />
<br />
===Live Linux CD===<br />
<br />
[[Image:linux-distro-2.png|thumb|right|150px|Knoppix is a popular Live Linux CD Distribution.<br>(Image licensed under[https://creativecommons.org/licenses/by-sa/3.0/ cc])]]<br />
''A live CD (also live DVD, live disc, or live operating system) is a complete bootable computer installation including operating system which runs directly from a CD-ROM or similar storage device into a computer's memory, rather than loading from a hard disk drive. A Live CD allows users to run an operating system for any purpose without installing it or making any changes to the computer's configuration. Live CDs can run on a computer without secondary storage, such as a hard disk drive, or with a corrupted hard disk drive or file system, allowing data recovery.<br><br>As CD and DVD drives have been steadily phased-out, live CDs have become less popular, being replaced by live USBs, which are equivalent systems written onto USB flash drives, which have the added benefit of having write-able storage. The functionality of a live CD is also available with a bootable live USB flash drive, or an external hard disk drive connected by USB.''<br />
<br />
Reference: https://en.wikipedia.org/wiki/Live_CD<br />
<br />
<br />
The Knoppix Live CD id available to run on workstations at Seneca College or your home computer via '''AppsAnywhere'''.<br />
<br />
:''Steps to Run Knoppix from AppsAnywhere:''<br />
<table align="right"><tr valign="top" ><td>[[Image:knoppix-3.png|thumb|right|280px|'''Launch Knoppix''' from '''Virtualbox''' menu.<br>(Image licensed under[https://creativecommons.org/licenses/by-sa/3.0/ cc])]]</td><td>[[Image:knoppix-4.png|thumb|right|200px|Click '''Switch''' to enter '''scale mode'''.]]</td></tr></table><br />
#Start your workstation in your lab and login to your Seneca Windows account.<br />
#Click on the '''Search Apps''' area located in the top right corner of the MyApps window and type the word: '''knoppix'''<br />
#Select the ''knoppix'' application icon and click '''Launch'''. Your file manager will open and display both the Knoppix virtual machine icon and a Knoppix Installation ISO file.<br />
# '''Double-click''' on the icon '''Knoppix.vbox''' The Virtualbox application will launch and display the virtual machine for Knoppix.<br />
# '''Double-click''' on the Knoppix VM in the left window to launch this VM and click the '''Switch''' button when prompted to enter scale mode.<br />
<br />
<br />
You can also burn in a Knoppix CD or USB Live Image to Run on your Computer<br />
<br />
:''Steps to Run Knoppix Live from Your Computer:''<br />
[[Image:knoppix-download.png|thumb|right|280px|'''Knoppix Download Webpage.]]<br />
# Click on the following link to download the lastest knoppix ISO:<br>[https://www.knopper.net/knoppix-mirrors/index-en.html https://www.knopper.net/knoppix-mirrors/index-en.html]<br><br><br />
# If you are burning to a CD, click on the following link for instructions:<br>[https://www.wikihow.com/Install-Knoppix-Linux Install Knoppix LInux]<br><br>'''NOTE:''' If you are burning to a USB, click on the following link for instructions:<br>[https://itstillworks.com/boot-knoppix-usb-6904288.html How to Boot Knoppix from USB]<br />
<br><br><br />
<br />
=INVESTIGATION 1: BOOTING KNOPPIX (LIVE LINUX) FROM MYAPPS=<br />
<br />
<br><br />
In this section, you will learn how to launch the Knoppix Live Linux distribution from a workstation as Seneca College using MyApps.<br />
<br />
<br />
'''Perform the Following Steps:'''<br />
<br />
# Start your workstation in your lab and login to your Seneca Windows account.<br><br><br />
# Make certain that the '''MyApps''' window is open. This window should have opened shortly after you logged into your Windows workstation. If the application windows is not open, click on the '''MyApps''' icon on the desktop to launch).<br><br><br />
# Click on the '''Search Apps''' area located in the top right corner of the MyApps window and type the word: <span style="color:blue;font-weight:bold;font-family:courier;">knoppix</span><br><br><br />
# The ''Knoppix'' Linux Distribution will appear. <br><br>'''NOTE:''' All of these applications allow you to connect to your Matrix account.<br>We will use the application called '''SSH Secure Shell Client''' for this practice tutorial.<br><br>[[Image:knoppix-3.png|thumb|right|280px|'''Launch Knoppix''' from '''Virtualbox''' menu.<br>(Image licensed under[https://creativecommons.org/licenses/by-sa/3.0/ cc])]]<br />
# Launch the '''Knoppix''' Linux distribution by clicking the '''Launch''' button.<br><br>'''NOTE:''' Your file manager will open and display both the '''Knoppix virtual machine icon''' and a '''Knoppix Installation ISO file'''. You will be launching the Knoppix Virtual machine in the '''Virtualbox''' application.<br><br><br />
# Double-click on the icon Knoppix.vbox in the Virtualbox menu.<br><br><br />
# Another dialog box will appear. Double-click on the '''Switch''' button when prompted to enter '''scale mode'''.<br><br>'''NOTE:''' You should notice that you can switch between your Knoppix VM and your Windows computer which is referred to as the '''host machine'''.<br><br><br />
# Allow a little time for the Knoppix Linux distribution to start. This is a '''graphical Linux distribution''' which will start-up in a desktop environment.<br><br>'''NOTE:''' You are NOT prompted for a username and password because this is a Linux Live distribution,<br>and you have been assigned a '''generic account'''.<br><br>[[Image:knoppix-desktop.png|thumb|right|380px|The '''Knoppix Linux desktop environment''' has a similar look as the MS Windows desktop environment.<br>(Image licensed under[https://creativecommons.org/licenses/by-sa/3.0/ cc])]]<br />
# On the bottom left-hand side, click on the '''Knoppix start menu''' (similar to the Windows start menu).<br><br><br />
# In the start menu, select '''System Tools'''<br><br>[[Image:xterm.png|thumb|right|200px|The '''xterm''' application will display the Bash shell to issue Linux commands.]]<br />
# In the system tools menu, scroll down and select to launch the terminal application called '''xterm'''<br><br><br />
# In the bash shell, issue the following Linux command: <span style="color:blue;font-weight:bold;font-family:courier;">whoami</span><br><br>What is the name of your generic Knoppix Linux Live account?<br><br><br />
# Issue the following command to connect to your Matrix account (when prompted for your password, enter your MySeneca password as you do when checking your MySeneca email. <b>NOTE:</b> Nothing appears on the screen as you type your password but ensure you press <b>Enter</b> when done.): <span style="color:blue;font-weight:bold;font-family:courier;">ssh yourSenecaId@matrix.senecacollege.ca</span><br><br>Where you able to connect to your Matrix account?<br><br><br />
# After logging in to your Matrix account, issue the following command to terminate your Matrix session: <span style="color:blue;font-weight:bold;font-family:courier;">exit</span><br><br><br />
# Make certain to close your '''xterm''' application.<br><br><br />
# Use the ''Knoppix start menu'' to launch a web-browser and go to the '''Google''' website.<br><br><br />
# Use the ''Knoppix start menu'' to select '''Office''' and then select '''LibreOffice - Writer''' to launch a word processor application.<br><br><br />
# Create a small document and save changes to your home directory using your first name, and exit the Libreoffice word processing document.<br><br><br />
# Use the ''Knoppix start menu'' to select '''logout''', then select '''shutdown''' to terminate your Knoppix Linux Live session.<br><br><br />
# Repeat the steps to launch a new Knoppix Linux Live session.<br><br>[[Image:libreoffice.png|thumb|right|200px|The '''LibreOffice''' application is the default word processor.<br>]]<br />
# Use the ''Knoppix start menu'' to launch a graphical file manager called x.<br><br><br />
# Search for the word processing document that you saved on your home directory. Is there document there. If not, why?<br><br><br />
# Use the ''Knoppix start menu'' to shutdown your Knoppix Linux Live session.<br><br><br />
# Work on the Linux practice questions located at the bottom of this tutorial.<br />
<br><br><br />
<br />
= LINUX PRACTICE QUESTIONS =<br />
<br />
The purpose of this section is to obtain '''extra practice''' to help with '''quizzes''', your '''midterm''', and your '''final exam'''.<br />
<br />
Here is a link to the MS Word Document of ALL of the questions displayed below but with extra room to answer on the document to<br />
simulate a quiz:<br />
<br />
https://ict.senecacollege.ca/~murray.saul/uli101/uli101_week7_practice.docx<br />
<br />
Your instructor may take-up these questions during class. It is up to the student to attend classes in order to obtain the answers to the following questions. Your instructor will NOT provide these answers in any other form (eg. e-mail, etc).<br />
<br />
<br />
'''Review Questions:'''<br />
<br />
# Define the term '''Linux Distribution'''.<br />
# List and explain '''two advantages''' of installing a Linux distribution on your home computer or laptop. <br />
# List and explain two things to consider <u>prior</u> to installing a Linux distribution on your home computer.<br />
# Explain why installing '''Multi-boot''' for Linux is useful for '''computer troubleshooting'''.<br />
# Define the term '''Virtualization'''.<br />
# List the steps to boot the Knoppix Linux distribution from a Workstation at Seneca College.<br />
# List the steps to boot the Knoppix Linux distribution from a CD or USB from your home computer.<br />
# List the home pages of the Linux distributions shown in the Linux distribution image above.</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=Tutorial7:_Installing_Linux_/_Live_Linux_/_Virtualization&diff=145740Tutorial7: Installing Linux / Live Linux / Virtualization2020-02-03T21:24:33Z<p>Mark: /* INVESTIGATION 1: BOOTING KNOPPIX (LIVE LINUX) FROM MYAPPS */</p>
<hr />
<div>=INSTALLING LINUX / LIVE LINUX / VIRTUALIZATION=<br />
<br><br />
===Main Objectives of this Practice Tutorial===<br />
<br />
:* List and explain the common types of installing Linux<br />
<br />
:* Define and explain the purpose of using a '''Live Linux distribution'''<br />
<br />
:* Define and explain the purpose of '''Virtualization'''<br />
<br />
:* Compare running a Live Linux distribution from MyApps with booting a Live Linux CD<br />
<br><br />
<br />
===Tutorial Reference Material===<br />
<br />
{|width="100%" cellspacing="0" cellpadding="10"<br />
<br />
|- valign="top"<br />
<br />
|colspan="2" style="font-size:16px;font-weight:bold;border-bottom: thin solid black;border-spacing:0px;"|Course Notes<br><br />
<br />
|colspan="2" style="font-size:16px;font-weight:bold;border-bottom: thin solid black;border-spacing:0px;padding-left:15px;"|Concepts<br><br />
<br />
|colspan="1" style="font-size:16px;font-weight:bold;border-bottom: thin solid black;border-spacing:0px;padding-left:15px;"|YouTube Videos<br><br />
<br />
|- valign="top" style="padding-left:15px;"<br />
<br />
|colspan="2" |Course Notes:<ul><li>[https://ict.senecacollege.ca/~murray.saul/uli101/ULI101-Week7.pdf PDF] | [https://ict.senecacollege.ca/~murray.saul/uli101/ULI101-Week7.pptx PPTX]</li></ul><br />
<br />
| style="padding-left:15px;" |Installing Linux<br />
* Linux Installation Methods<br />
* Live Linux<br />
* Virtualization<br><br><br />
| style="padding-left:15px;"|Software<br />
* Knoppix<br />
<br />
|colspan="1" style="padding-left:15px;" width="30%"|Instructional Videos:<ul><li>x</li></ul><br />
|}<br />
<br />
= KEY CONCEPTS =<br />
<br />
===Installing Linux===<br />
<br />
<br />
Having your own Linux system offers a great learning opportunity and gives you access to a large library of software.<br>You can also install different versions of a Linux system including a graphical desktop version, server version, etc.<br />
<br />
Installing your own version of Linux on your notebook or desktop computer at home can also help for working<br>in the Linux environment and learn how to perform routine Linux OS administration tasks.<br />
<br />
<br />
[[Image:distro-1.png|thumb|right|450px|Listing of Common Linux Distributions.<br>(Image licensed under [https://creativecommons.org/licenses/by-sa/3.0/ cc])]]<br />
''A '''Linux distribution''' (often abbreviated as distro) is an operating system made from a software collection that is based upon the Linux kernel and, often, a package management system. Linux users usually obtain their operating system by downloading one of the Linux distributions, which are available for a wide variety of systems ranging from embedded devices (for example, OpenWrt) and personal computers (for example, Linux Mint) to powerful supercomputers (for example, Rocks Cluster Distribution).''<br />
<br />
Reference: https://en.wikipedia.org/wiki/Linux_distribution<br />
<br />
<br />
''Steps in the Linux Installation Process:''<br />
<br />
* '''Select a Linux Distribution''' and '''download''' a Linux Distribution Install ISO file<br>to your Computer ('''Note:''' Be aware of any required Hardware Requirements for the Linux OS prior to installation.)<br />
* '''Burn an Linux Distribution CD/DVD''', or USB, or use '''downloaded file when creating a virtual machine'''<br />
* Once booted, the installation process '''transfers the live image to a disk (or flash memory)''' and configures the system<br />
* For most distributions the installation involves a '''guided graphical environment''' and it is easy to accomplish<br />
<br />
===Linux Installation Methods===<br />
<br />
<br />
'''Standalone Installation'''<br />
<br />
* Linux is the only OS on the computer <br />
* Any existing data on disk will be erased<br />
<br />
<br />
[[Image:grub-boot-menu.png|thumb|right|250px|The '''grub boot menu''' to select different operating systems upon computer startup.<br>(Image licensed under [https://creativecommons.org/licenses/by-sa/3.0/ cc])]]<br />
'''Dual-boot / Multi-boot Installation'''<br />
<br />
* A '''boot menu''' allows the user to select the desired OS<br />
* This options provides a method to still use your computer if one OS fails to boot-up<br />
* Most Linux distributions can access the Windows partition if your Windows OS cannot boot-up<br />
* This option is great for troubleshooting: for example booting into other OS to confirm that you can connect to the Internet to rule-out hardware issues<br />
* The installation process will take some of the free disk space from the OS already installed<br />
* It is recommended to back up important data before proceeding<br />
* It is recommended to install the Linux OS last, as other operating systems may not offer a multi-boot option<br />
<br />
<br />
'''Virtualized Installation'''<br />
<br />
[[Image:vm-player-menu.png|thumb|right|250px|VMware Player launch menu for Ubuntu Linux OS<br>(Image licensed under [https://creativecommons.org/licenses/by-sa/3.0/ cc])]]<br />
* Virtualization requires a compatible processor – not all processors support that feature<br />
* Most recent multi-core processors support virtualization<br />
* The virtualized OS is installed and run in a window under another OS<br />
* The installation can usually be completed from an ISO image<br />
* One or more virtual machines can be run at the same time The guest OS shares the hardware with the host OS and possibly other virtualized systems<br />
* Special software is used to manage the entire process, this is the “hypervisor”<br />
* The guest systems have network access through the host<br />
* The selection of virtualization software (which allows creation and running of virtual machines) depends mainly on the host OS, although some are cross-platform. Other considerations as to virtualization software may be features, support, price and/or personal preferences.<br />
<br />
<br />
Popular VM software for Windows and MAC include:<br />
*VMware<br />
*Oracle Virtual Box<br />
*KVM<br />
*XEN<br />
<br />
===Live Linux CD===<br />
<br />
[[Image:linux-distro-2.png|thumb|right|150px|Knoppix is a popular Live Linux CD Distribution.<br>(Image licensed under[https://creativecommons.org/licenses/by-sa/3.0/ cc])]]<br />
''A live CD (also live DVD, live disc, or live operating system) is a complete bootable computer installation including operating system which runs directly from a CD-ROM or similar storage device into a computer's memory, rather than loading from a hard disk drive. A Live CD allows users to run an operating system for any purpose without installing it or making any changes to the computer's configuration. Live CDs can run on a computer without secondary storage, such as a hard disk drive, or with a corrupted hard disk drive or file system, allowing data recovery.<br><br>As CD and DVD drives have been steadily phased-out, live CDs have become less popular, being replaced by live USBs, which are equivalent systems written onto USB flash drives, which have the added benefit of having write-able storage. The functionality of a live CD is also available with a bootable live USB flash drive, or an external hard disk drive connected by USB.''<br />
<br />
Reference: https://en.wikipedia.org/wiki/Live_CD<br />
<br />
<br />
The Knoppix Live CD id available to run on workstations at Seneca College or your home computer via '''AppsAnywhere'''.<br />
<br />
:''Steps to Run Knoppix from AppsAnywhere:''<br />
<table align="right"><tr valign="top" ><td>[[Image:knoppix-3.png|thumb|right|280px|'''Launch Knoppix''' from '''Virtualbox''' menu.<br>(Image licensed under[https://creativecommons.org/licenses/by-sa/3.0/ cc])]]</td><td>[[Image:knoppix-4.png|thumb|right|200px|Click '''Switch''' to enter '''scale mode'''.]]</td></tr></table><br />
#Start your workstation in your lab and login to your Seneca Windows account.<br />
#Click on the '''Search Apps''' area located in the top right corner of the MyApps window and type the word: '''knoppix'''<br />
#Select the ''knoppix'' application icon and click '''Launch'''. Your file manager will open and display both the Knoppix virtual machine icon and a Knoppix Installation ISO file.<br />
# '''Double-click''' on the icon '''Knoppix.vbox''' The Virtualbox application will launch and display the virtual machine for Knoppix.<br />
# '''Double-click''' on the Knoppix VM in the left window to launch this VM and click the '''Switch''' button when prompted to enter scale mode.<br />
<br />
<br />
You can also burn in a Knoppix CD or USB Live Image to Run on your Computer<br />
<br />
:''Steps to Run Knoppix Live from Your Computer:''<br />
[[Image:knoppix-download.png|thumb|right|280px|'''Knoppix Download Webpage.]]<br />
# Click on the following link to download the lastest knoppix ISO:<br>[https://www.knopper.net/knoppix-mirrors/index-en.html https://www.knopper.net/knoppix-mirrors/index-en.html]<br><br><br />
# If you are burning to a CD, click on the following link for instructions:<br>[https://www.wikihow.com/Install-Knoppix-Linux Install Knoppix LInux]<br><br>'''NOTE:''' If you are burning to a USB, click on the following link for instructions:<br>[https://itstillworks.com/boot-knoppix-usb-6904288.html How to Boot Knoppix from USB]<br />
<br><br><br />
<br />
=INVESTIGATION 1: BOOTING KNOPPIX (LIVE LINUX) FROM MYAPPS=<br />
<br />
<br><br />
In this section, you will learn how to launch the Knoppix Live Linux distribution from a workstation as Seneca College using MyApps.<br />
<br />
<br />
'''Perform the Following Steps:'''<br />
<br />
# Start your workstation in your lab and login to your Seneca Windows account.<br><br><br />
# Make certain that the '''MyApps''' window is open. This window should have opened shortly after you logged into your Windows workstation. If the application windows is not open, click on the '''MyApps''' icon on the desktop to launch).<br><br><br />
# Click on the '''Search Apps''' area located in the top right corner of the MyApps window and type the word: <span style="color:blue;font-weight:bold;font-family:courier;">knoppix</span><br><br><br />
# The ''Knoppix'' Linux Distribution will appear. <br><br>'''NOTE:''' All of these applications allow you to connect to your Matrix account.<br>We will use the application called '''SSH Secure Shell Client''' for this practice tutorial.<br><br>[[Image:knoppix-3.png|thumb|right|280px|'''Launch Knoppix''' from '''Virtualbox''' menu.<br>(Image licensed under[https://creativecommons.org/licenses/by-sa/3.0/ cc])]]<br />
# Launch the '''Knoppix''' Linux distribution by clicking the '''Launch''' button.<br><br>'''NOTE:''' Your file manager will open and display both the '''Knoppix virtual machine icon''' and a '''Knoppix Installation ISO file'''. You will be launching the Knoppix Virtual machine in the '''Virtualbox''' application.<br><br><br />
# Double-click on the icon Knoppix.vbox in the Virtualbox menu.<br><br><br />
# Another dialog box will appear. Double-click on the '''Switch''' button when prompted to enter '''scale mode'''.<br><br>'''NOTE:''' You should notice that you can switch between your Knoppix VM and your Windows computer which is referred to as the '''host machine'''.<br><br><br />
# Allow a little time for the Knoppix Linux distribution to start. This is a '''graphical Linux distribution''' which will start-up in a desktop environment.<br><br>'''NOTE:''' You are NOT prompted for a username and password because this is a Linux Live distribution,<br>and you have been assigned a '''generic account'''.<br><br>[[Image:knoppix-desktop.png|thumb|right|380px|The '''Knoppix Linux desktop environment''' has a similar look as the MS Windows desktop environment.<br>(Image licensed under[https://creativecommons.org/licenses/by-sa/3.0/ cc])]]<br />
# On the bottom left-hand side, click on the '''Knoppix start menu''' (similar to the Windows start menu).<br><br><br />
# In the start menu, select '''System Tools'''<br><br>[[Image:xterm.png|thumb|right|200px|The '''xterm''' application will display the Bash shell to issue Linux commands.]]<br />
# In the system tools menu, scroll down and select to launch the terminal application called '''xterm'''<br><br><br />
# In the bash shell, issue the following Linux command: <span style="color:blue;font-weight:bold;font-family:courier;">whoami</span><br><br>What is the name of your generic Knoppix Linux Live account?<br><br><br />
# Issue the following command to connect to your Matrix account (when prompted for your password, enter your MySeneca password as you do when checking your MySeneca email. <b>NOTE:</b> Nothing appears on the screen as you type your password but ensure you press <b>Enter</b> when done.): <span style="color:blue;font-weight:bold;font-family:courier;">ssh yourSenecaId@matrix.senecacollege.ca</span><br><br>Where you able to connect to your Matrix account?<br><br><br />
# After logging in to your Matrix account, issue the following command to terminate your Matrix session: <span style="color:blue;font-weight:bold;font-family:courier;">exit</span><br><br><br />
# Make certain to close your '''xterm''' application.<br><br><br />
# Use the ''Knoppix start menu'' to launch a web-browser and go to the '''Google''' website.<br><br><br />
# Use the ''Knoppix start menu'' to select '''Office''' and then select '''LibreOffice - Writer''' to launch a word processor application.<br><br><br />
# Create a small document and save changes to your home directory using your first name, and exit the Libreoffice word processing document.<br><br><br />
# Use the ''Knoppix start menu'' to select '''logout''', then select '''shutdown''' to terminate your Knoppix Linux Live session.<br><br><br />
# Repeat the steps to launch a new Knoppix Linux Live session.<br><br>[[Image:libreoffice.png|thumb|right|200px|The '''LibreOffice''' application is the default word processor.<br>]]<br />
# Use the ''Knoppix start menu'' to launch a graphical file manager called x.<br><br><br />
# Search for the word processing document that you saved on your home directory. Is there document there. If not, why?<br><br><br />
# Use the ''Knoppix start menu'' to shutdown your Knoppix Linux Live session.<br><br><br />
# Work on the Linux practice questions located at the bottom of this tutorial.<br />
<br><br><br />
<br />
= LINUX PRACTICE QUESTIONS =<br />
<br />
The purpose of this section is to obtain '''extra practice''' to help with '''quizzes''', your '''midterm''', and your '''final exam'''.<br />
<br />
Here is a link to the MS Word Document of ALL of the questions displayed below but with extra room to answer on the document to<br />
simulate a quiz:<br />
<br />
https://ict.senecacollege.ca/~murray.saul/uli101/uli101_week7_practice.docx<br />
<br />
Your instructor may take-up these questions during class. It is up to the student to attend classes in order to obtain the answers to the following questions. Your instructor will NOT provide these answers in any other form (eg. e-mail, etc).<br />
<br />
<br />
'''Review Questions:'''<br />
<br />
# Define the term '''Linux Distribution'''.<br />
# List and explain '''two advantages''' of installing a Linux distribution on your home computer or laptop. <br />
# List and explain two things to consider <u>prior</u> to installing a Linux distribution on your home computer.<br />
# Explain why installing '''Multi-boot''' for Linux is useful for '''computer troubleshooting'''.<br />
# Define the term '''Virtualization'''.<br />
# List the steps to boot the Knoppix Linux distribution from a Workstation at Seneca College.<br />
# List the steps to boot the Knoppix Linux distribution from a CD or USB from your home computer.</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=Tutorial7:_Installing_Linux_/_Live_Linux_/_Virtualization&diff=145739Tutorial7: Installing Linux / Live Linux / Virtualization2020-02-03T21:17:29Z<p>Mark: /* LINUX PRACTICE QUESTIONS */</p>
<hr />
<div>=INSTALLING LINUX / LIVE LINUX / VIRTUALIZATION=<br />
<br><br />
===Main Objectives of this Practice Tutorial===<br />
<br />
:* List and explain the common types of installing Linux<br />
<br />
:* Define and explain the purpose of using a '''Live Linux distribution'''<br />
<br />
:* Define and explain the purpose of '''Virtualization'''<br />
<br />
:* Compare running a Live Linux distribution from MyApps with booting a Live Linux CD<br />
<br><br />
<br />
===Tutorial Reference Material===<br />
<br />
{|width="100%" cellspacing="0" cellpadding="10"<br />
<br />
|- valign="top"<br />
<br />
|colspan="2" style="font-size:16px;font-weight:bold;border-bottom: thin solid black;border-spacing:0px;"|Course Notes<br><br />
<br />
|colspan="2" style="font-size:16px;font-weight:bold;border-bottom: thin solid black;border-spacing:0px;padding-left:15px;"|Concepts<br><br />
<br />
|colspan="1" style="font-size:16px;font-weight:bold;border-bottom: thin solid black;border-spacing:0px;padding-left:15px;"|YouTube Videos<br><br />
<br />
|- valign="top" style="padding-left:15px;"<br />
<br />
|colspan="2" |Course Notes:<ul><li>[https://ict.senecacollege.ca/~murray.saul/uli101/ULI101-Week7.pdf PDF] | [https://ict.senecacollege.ca/~murray.saul/uli101/ULI101-Week7.pptx PPTX]</li></ul><br />
<br />
| style="padding-left:15px;" |Installing Linux<br />
* Linux Installation Methods<br />
* Live Linux<br />
* Virtualization<br><br><br />
| style="padding-left:15px;"|Software<br />
* Knoppix<br />
<br />
|colspan="1" style="padding-left:15px;" width="30%"|Instructional Videos:<ul><li>x</li></ul><br />
|}<br />
<br />
= KEY CONCEPTS =<br />
<br />
===Installing Linux===<br />
<br />
<br />
Having your own Linux system offers a great learning opportunity and gives you access to a large library of software.<br>You can also install different versions of a Linux system including a graphical desktop version, server version, etc.<br />
<br />
Installing your own version of Linux on your notebook or desktop computer at home can also help for working<br>in the Linux environment and learn how to perform routine Linux OS administration tasks.<br />
<br />
<br />
[[Image:distro-1.png|thumb|right|450px|Listing of Common Linux Distributions.<br>(Image licensed under [https://creativecommons.org/licenses/by-sa/3.0/ cc])]]<br />
''A '''Linux distribution''' (often abbreviated as distro) is an operating system made from a software collection that is based upon the Linux kernel and, often, a package management system. Linux users usually obtain their operating system by downloading one of the Linux distributions, which are available for a wide variety of systems ranging from embedded devices (for example, OpenWrt) and personal computers (for example, Linux Mint) to powerful supercomputers (for example, Rocks Cluster Distribution).''<br />
<br />
Reference: https://en.wikipedia.org/wiki/Linux_distribution<br />
<br />
<br />
''Steps in the Linux Installation Process:''<br />
<br />
* '''Select a Linux Distribution''' and '''download''' a Linux Distribution Install ISO file<br>to your Computer ('''Note:''' Be aware of any required Hardware Requirements for the Linux OS prior to installation.)<br />
* '''Burn an Linux Distribution CD/DVD''', or USB, or use '''downloaded file when creating a virtual machine'''<br />
* Once booted, the installation process '''transfers the live image to a disk (or flash memory)''' and configures the system<br />
* For most distributions the installation involves a '''guided graphical environment''' and it is easy to accomplish<br />
<br />
===Linux Installation Methods===<br />
<br />
<br />
'''Standalone Installation'''<br />
<br />
* Linux is the only OS on the computer <br />
* Any existing data on disk will be erased<br />
<br />
<br />
[[Image:grub-boot-menu.png|thumb|right|250px|The '''grub boot menu''' to select different operating systems upon computer startup.<br>(Image licensed under [https://creativecommons.org/licenses/by-sa/3.0/ cc])]]<br />
'''Dual-boot / Multi-boot Installation'''<br />
<br />
* A '''boot menu''' allows the user to select the desired OS<br />
* This options provides a method to still use your computer if one OS fails to boot-up<br />
* Most Linux distributions can access the Windows partition if your Windows OS cannot boot-up<br />
* This option is great for troubleshooting: for example booting into other OS to confirm that you can connect to the Internet to rule-out hardware issues<br />
* The installation process will take some of the free disk space from the OS already installed<br />
* It is recommended to back up important data before proceeding<br />
* It is recommended to install the Linux OS last, as other operating systems may not offer a multi-boot option<br />
<br />
<br />
'''Virtualized Installation'''<br />
<br />
[[Image:vm-player-menu.png|thumb|right|250px|VMware Player launch menu for Ubuntu Linux OS<br>(Image licensed under [https://creativecommons.org/licenses/by-sa/3.0/ cc])]]<br />
* Virtualization requires a compatible processor – not all processors support that feature<br />
* Most recent multi-core processors support virtualization<br />
* The virtualized OS is installed and run in a window under another OS<br />
* The installation can usually be completed from an ISO image<br />
* One or more virtual machines can be run at the same time The guest OS shares the hardware with the host OS and possibly other virtualized systems<br />
* Special software is used to manage the entire process, this is the “hypervisor”<br />
* The guest systems have network access through the host<br />
* The selection of virtualization software (which allows creation and running of virtual machines) depends mainly on the host OS, although some are cross-platform. Other considerations as to virtualization software may be features, support, price and/or personal preferences.<br />
<br />
<br />
Popular VM software for Windows and MAC include:<br />
*VMware<br />
*Oracle Virtual Box<br />
*KVM<br />
*XEN<br />
<br />
===Live Linux CD===<br />
<br />
[[Image:linux-distro-2.png|thumb|right|150px|Knoppix is a popular Live Linux CD Distribution.<br>(Image licensed under[https://creativecommons.org/licenses/by-sa/3.0/ cc])]]<br />
''A live CD (also live DVD, live disc, or live operating system) is a complete bootable computer installation including operating system which runs directly from a CD-ROM or similar storage device into a computer's memory, rather than loading from a hard disk drive. A Live CD allows users to run an operating system for any purpose without installing it or making any changes to the computer's configuration. Live CDs can run on a computer without secondary storage, such as a hard disk drive, or with a corrupted hard disk drive or file system, allowing data recovery.<br><br>As CD and DVD drives have been steadily phased-out, live CDs have become less popular, being replaced by live USBs, which are equivalent systems written onto USB flash drives, which have the added benefit of having write-able storage. The functionality of a live CD is also available with a bootable live USB flash drive, or an external hard disk drive connected by USB.''<br />
<br />
Reference: https://en.wikipedia.org/wiki/Live_CD<br />
<br />
<br />
The Knoppix Live CD id available to run on workstations at Seneca College or your home computer via '''AppsAnywhere'''.<br />
<br />
:''Steps to Run Knoppix from AppsAnywhere:''<br />
<table align="right"><tr valign="top" ><td>[[Image:knoppix-3.png|thumb|right|280px|'''Launch Knoppix''' from '''Virtualbox''' menu.<br>(Image licensed under[https://creativecommons.org/licenses/by-sa/3.0/ cc])]]</td><td>[[Image:knoppix-4.png|thumb|right|200px|Click '''Switch''' to enter '''scale mode'''.]]</td></tr></table><br />
#Start your workstation in your lab and login to your Seneca Windows account.<br />
#Click on the '''Search Apps''' area located in the top right corner of the MyApps window and type the word: '''knoppix'''<br />
#Select the ''knoppix'' application icon and click '''Launch'''. Your file manager will open and display both the Knoppix virtual machine icon and a Knoppix Installation ISO file.<br />
# '''Double-click''' on the icon '''Knoppix.vbox''' The Virtualbox application will launch and display the virtual machine for Knoppix.<br />
# '''Double-click''' on the Knoppix VM in the left window to launch this VM and click the '''Switch''' button when prompted to enter scale mode.<br />
<br />
<br />
You can also burn in a Knoppix CD or USB Live Image to Run on your Computer<br />
<br />
:''Steps to Run Knoppix Live from Your Computer:''<br />
[[Image:knoppix-download.png|thumb|right|280px|'''Knoppix Download Webpage.]]<br />
# Click on the following link to download the lastest knoppix ISO:<br>[https://www.knopper.net/knoppix-mirrors/index-en.html https://www.knopper.net/knoppix-mirrors/index-en.html]<br><br><br />
# If you are burning to a CD, click on the following link for instructions:<br>[https://www.wikihow.com/Install-Knoppix-Linux Install Knoppix LInux]<br><br>'''NOTE:''' If you are burning to a USB, click on the following link for instructions:<br>[https://itstillworks.com/boot-knoppix-usb-6904288.html How to Boot Knoppix from USB]<br />
<br><br><br />
<br />
=INVESTIGATION 1: BOOTING KNOPPIX (LIVE LINUX) FROM MYAPPS=<br />
<br />
<br><br />
In this section, you will learn how to launch the Knoppix Live Linux distribution from a workstation as Seneca College using MyApps.<br />
<br />
<br />
'''Perform the Following Steps:'''<br />
<br />
# Start your workstation in your lab and login to your Seneca Windows account.<br><br><br />
# Make certain that the '''MyApps''' window is open. This window should have opened shortly after you logged into your Windows workstation. If the application windows is not open, click on the '''MyApps''' icon on the desktop to launch).<br><br><br />
# Click on the '''Search Apps''' area located in the top right corner of the MyApps window and type the word: <span style="color:blue;font-weight:bold;font-family:courier;">knoppix</span><br><br><br />
# The ''Knoppix'' Linux Distribution will appear. <br><br>'''NOTE:''' All of these applications allow you to connect to your Matrix account.<br>We will use the application called '''SSH Secure Shell Client''' for this practice tutorial.<br><br>[[Image:knoppix-3.png|thumb|right|280px|'''Launch Knoppix''' from '''Virtualbox''' menu.<br>(Image licensed under[https://creativecommons.org/licenses/by-sa/3.0/ cc])]]<br />
# Launch the '''Knoppix''' Linux distribution by clicking the '''Launch''' button.<br><br>'''NOTE:''' Your file manager will open and display both the '''Knoppix virtual machine icon''' and a '''Knoppix Installation ISO file'''. You will be launching the Knoppix Virtual machine in the '''Virtualbox''' application.<br><br><br />
# Double-click on the icon Knoppix.vbox in the Virtualbox menu.<br><br><br />
# Another dialog box will appear. Double-click on the '''Switch''' button when prompted to enter '''scale mode'''.<br><br>'''NOTE:''' You should notice that you can switch between your Knoppix VM and your Windows computer which is referred to as the '''host machine'''.<br><br><br />
# Allow a little time for the Knoppix Linux distribution to start. This is a '''graphical Linux distribution''' which will start-up in a desktop environment.<br><br>'''NOTE:''' You are NOT prompted for a username and password because this is a Linux Live distribution,<br>and you have been assigned a '''generic account'''.<br><br>[[Image:knoppix-desktop.png|thumb|right|380px|The '''Knoppix Linux desktop environment''' has a similar look as the MS Windows desktop environment.<br>(Image licensed under[https://creativecommons.org/licenses/by-sa/3.0/ cc])]]<br />
# On the bottom left-hand side, click on the '''Knoppix start menu''' (similar to the Windows start menu).<br><br><br />
# In the start menu, select '''System Tools'''<br><br>[[Image:xterm.png|thumb|right|200px|The '''xterm''' application will display the Bash shell to issue Linux commands.]]<br />
# In the system tools menu, scroll down and select to launch the terminal application called '''xterm'''<br><br><br />
# In the bash shell, issue the following Linux command: <span style="color:blue;font-weight:bold;font-family:courier;">whoami</span><br><br>What is the name of your generic Knoppix Linux Live account?<br><br><br />
# Issue the following command to connect to your Matrix account: <span style="color:blue;font-weight:bold;font-family:courier;">ssh yourSenecaId@matrix.senecacollege.ca</span><br><br>Where you able to connect to your Matrix account?<br><br><br />
# After logging in to your Matrix account, issue the following command to terminate your Matrix session: <span style="color:blue;font-weight:bold;font-family:courier;">exit</span><br><br><br />
# Make certain to close your '''xterm''' application.<br><br><br />
# Use the ''Knoppix start menu'' to launch a web-browser and go to the '''Google''' website.<br><br><br />
# Use the ''Knoppix start menu'' to select '''Office''' and then select '''LibreOffice - Writer''' to launch a word processor application.<br><br><br />
# Create a small document and save changes to your home directory using your first name, and exit the Libreoffice word processing document.<br><br><br />
# Use the ''Knoppix start menu'' to select '''logout''', then select '''shutdown''' to terminate your Knoppix Linux Live session.<br><br><br />
# Repeat the steps to launch a new Knoppix Linux Live session.<br><br>[[Image:libreoffice.png|thumb|right|200px|The '''LibreOffice''' application is the default word processor.<br>]]<br />
# Use the ''Knoppix start menu'' to launch a graphical file manager called x.<br><br><br />
# Search for the word processing document that you saved on your home directory. Is there document there. If not, why?<br><br><br />
# Use the ''Knoppix start menu'' to shutdown your Knoppix Linux Live session.<br><br><br />
# Work on the Linux practice questions located at the bottom of this tutorial.<br />
<br><br><br />
<br />
= LINUX PRACTICE QUESTIONS =<br />
<br />
The purpose of this section is to obtain '''extra practice''' to help with '''quizzes''', your '''midterm''', and your '''final exam'''.<br />
<br />
Here is a link to the MS Word Document of ALL of the questions displayed below but with extra room to answer on the document to<br />
simulate a quiz:<br />
<br />
https://ict.senecacollege.ca/~murray.saul/uli101/uli101_week7_practice.docx<br />
<br />
Your instructor may take-up these questions during class. It is up to the student to attend classes in order to obtain the answers to the following questions. Your instructor will NOT provide these answers in any other form (eg. e-mail, etc).<br />
<br />
<br />
'''Review Questions:'''<br />
<br />
# Define the term '''Linux Distribution'''.<br />
# List and explain '''two advantages''' of installing a Linux distribution on your home computer or laptop. <br />
# List and explain two things to consider <u>prior</u> to installing a Linux distribution on your home computer.<br />
# Explain why installing '''Multi-boot''' for Linux is useful for '''computer troubleshooting'''.<br />
# Define the term '''Virtualization'''.<br />
# List the steps to boot the Knoppix Linux distribution from a Workstation at Seneca College.<br />
# List the steps to boot the Knoppix Linux distribution from a CD or USB from your home computer.</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=Tutorial7:_Installing_Linux_/_Live_Linux_/_Virtualization&diff=145738Tutorial7: Installing Linux / Live Linux / Virtualization2020-02-03T21:14:31Z<p>Mark: /* KEY CONCEPTS */</p>
<hr />
<div>=INSTALLING LINUX / LIVE LINUX / VIRTUALIZATION=<br />
<br><br />
===Main Objectives of this Practice Tutorial===<br />
<br />
:* List and explain the common types of installing Linux<br />
<br />
:* Define and explain the purpose of using a '''Live Linux distribution'''<br />
<br />
:* Define and explain the purpose of '''Virtualization'''<br />
<br />
:* Compare running a Live Linux distribution from MyApps with booting a Live Linux CD<br />
<br><br />
<br />
===Tutorial Reference Material===<br />
<br />
{|width="100%" cellspacing="0" cellpadding="10"<br />
<br />
|- valign="top"<br />
<br />
|colspan="2" style="font-size:16px;font-weight:bold;border-bottom: thin solid black;border-spacing:0px;"|Course Notes<br><br />
<br />
|colspan="2" style="font-size:16px;font-weight:bold;border-bottom: thin solid black;border-spacing:0px;padding-left:15px;"|Concepts<br><br />
<br />
|colspan="1" style="font-size:16px;font-weight:bold;border-bottom: thin solid black;border-spacing:0px;padding-left:15px;"|YouTube Videos<br><br />
<br />
|- valign="top" style="padding-left:15px;"<br />
<br />
|colspan="2" |Course Notes:<ul><li>[https://ict.senecacollege.ca/~murray.saul/uli101/ULI101-Week7.pdf PDF] | [https://ict.senecacollege.ca/~murray.saul/uli101/ULI101-Week7.pptx PPTX]</li></ul><br />
<br />
| style="padding-left:15px;" |Installing Linux<br />
* Linux Installation Methods<br />
* Live Linux<br />
* Virtualization<br><br><br />
| style="padding-left:15px;"|Software<br />
* Knoppix<br />
<br />
|colspan="1" style="padding-left:15px;" width="30%"|Instructional Videos:<ul><li>x</li></ul><br />
|}<br />
<br />
= KEY CONCEPTS =<br />
<br />
===Installing Linux===<br />
<br />
<br />
Having your own Linux system offers a great learning opportunity and gives you access to a large library of software.<br>You can also install different versions of a Linux system including a graphical desktop version, server version, etc.<br />
<br />
Installing your own version of Linux on your notebook or desktop computer at home can also help for working<br>in the Linux environment and learn how to perform routine Linux OS administration tasks.<br />
<br />
<br />
[[Image:distro-1.png|thumb|right|450px|Listing of Common Linux Distributions.<br>(Image licensed under [https://creativecommons.org/licenses/by-sa/3.0/ cc])]]<br />
''A '''Linux distribution''' (often abbreviated as distro) is an operating system made from a software collection that is based upon the Linux kernel and, often, a package management system. Linux users usually obtain their operating system by downloading one of the Linux distributions, which are available for a wide variety of systems ranging from embedded devices (for example, OpenWrt) and personal computers (for example, Linux Mint) to powerful supercomputers (for example, Rocks Cluster Distribution).''<br />
<br />
Reference: https://en.wikipedia.org/wiki/Linux_distribution<br />
<br />
<br />
''Steps in the Linux Installation Process:''<br />
<br />
* '''Select a Linux Distribution''' and '''download''' a Linux Distribution Install ISO file<br>to your Computer ('''Note:''' Be aware of any required Hardware Requirements for the Linux OS prior to installation.)<br />
* '''Burn an Linux Distribution CD/DVD''', or USB, or use '''downloaded file when creating a virtual machine'''<br />
* Once booted, the installation process '''transfers the live image to a disk (or flash memory)''' and configures the system<br />
* For most distributions the installation involves a '''guided graphical environment''' and it is easy to accomplish<br />
<br />
===Linux Installation Methods===<br />
<br />
<br />
'''Standalone Installation'''<br />
<br />
* Linux is the only OS on the computer <br />
* Any existing data on disk will be erased<br />
<br />
<br />
[[Image:grub-boot-menu.png|thumb|right|250px|The '''grub boot menu''' to select different operating systems upon computer startup.<br>(Image licensed under [https://creativecommons.org/licenses/by-sa/3.0/ cc])]]<br />
'''Dual-boot / Multi-boot Installation'''<br />
<br />
* A '''boot menu''' allows the user to select the desired OS<br />
* This options provides a method to still use your computer if one OS fails to boot-up<br />
* Most Linux distributions can access the Windows partition if your Windows OS cannot boot-up<br />
* This option is great for troubleshooting: for example booting into other OS to confirm that you can connect to the Internet to rule-out hardware issues<br />
* The installation process will take some of the free disk space from the OS already installed<br />
* It is recommended to back up important data before proceeding<br />
* It is recommended to install the Linux OS last, as other operating systems may not offer a multi-boot option<br />
<br />
<br />
'''Virtualized Installation'''<br />
<br />
[[Image:vm-player-menu.png|thumb|right|250px|VMware Player launch menu for Ubuntu Linux OS<br>(Image licensed under [https://creativecommons.org/licenses/by-sa/3.0/ cc])]]<br />
* Virtualization requires a compatible processor – not all processors support that feature<br />
* Most recent multi-core processors support virtualization<br />
* The virtualized OS is installed and run in a window under another OS<br />
* The installation can usually be completed from an ISO image<br />
* One or more virtual machines can be run at the same time The guest OS shares the hardware with the host OS and possibly other virtualized systems<br />
* Special software is used to manage the entire process, this is the “hypervisor”<br />
* The guest systems have network access through the host<br />
* The selection of virtualization software (which allows creation and running of virtual machines) depends mainly on the host OS, although some are cross-platform. Other considerations as to virtualization software may be features, support, price and/or personal preferences.<br />
<br />
<br />
Popular VM software for Windows and MAC include:<br />
*VMware<br />
*Oracle Virtual Box<br />
*KVM<br />
*XEN<br />
<br />
===Live Linux CD===<br />
<br />
[[Image:linux-distro-2.png|thumb|right|150px|Knoppix is a popular Live Linux CD Distribution.<br>(Image licensed under[https://creativecommons.org/licenses/by-sa/3.0/ cc])]]<br />
''A live CD (also live DVD, live disc, or live operating system) is a complete bootable computer installation including operating system which runs directly from a CD-ROM or similar storage device into a computer's memory, rather than loading from a hard disk drive. A Live CD allows users to run an operating system for any purpose without installing it or making any changes to the computer's configuration. Live CDs can run on a computer without secondary storage, such as a hard disk drive, or with a corrupted hard disk drive or file system, allowing data recovery.<br><br>As CD and DVD drives have been steadily phased-out, live CDs have become less popular, being replaced by live USBs, which are equivalent systems written onto USB flash drives, which have the added benefit of having write-able storage. The functionality of a live CD is also available with a bootable live USB flash drive, or an external hard disk drive connected by USB.''<br />
<br />
Reference: https://en.wikipedia.org/wiki/Live_CD<br />
<br />
<br />
The Knoppix Live CD id available to run on workstations at Seneca College or your home computer via '''AppsAnywhere'''.<br />
<br />
:''Steps to Run Knoppix from AppsAnywhere:''<br />
<table align="right"><tr valign="top" ><td>[[Image:knoppix-3.png|thumb|right|280px|'''Launch Knoppix''' from '''Virtualbox''' menu.<br>(Image licensed under[https://creativecommons.org/licenses/by-sa/3.0/ cc])]]</td><td>[[Image:knoppix-4.png|thumb|right|200px|Click '''Switch''' to enter '''scale mode'''.]]</td></tr></table><br />
#Start your workstation in your lab and login to your Seneca Windows account.<br />
#Click on the '''Search Apps''' area located in the top right corner of the MyApps window and type the word: '''knoppix'''<br />
#Select the ''knoppix'' application icon and click '''Launch'''. Your file manager will open and display both the Knoppix virtual machine icon and a Knoppix Installation ISO file.<br />
# '''Double-click''' on the icon '''Knoppix.vbox''' The Virtualbox application will launch and display the virtual machine for Knoppix.<br />
# '''Double-click''' on the Knoppix VM in the left window to launch this VM and click the '''Switch''' button when prompted to enter scale mode.<br />
<br />
<br />
You can also burn in a Knoppix CD or USB Live Image to Run on your Computer<br />
<br />
:''Steps to Run Knoppix Live from Your Computer:''<br />
[[Image:knoppix-download.png|thumb|right|280px|'''Knoppix Download Webpage.]]<br />
# Click on the following link to download the lastest knoppix ISO:<br>[https://www.knopper.net/knoppix-mirrors/index-en.html https://www.knopper.net/knoppix-mirrors/index-en.html]<br><br><br />
# If you are burning to a CD, click on the following link for instructions:<br>[https://www.wikihow.com/Install-Knoppix-Linux Install Knoppix LInux]<br><br>'''NOTE:''' If you are burning to a USB, click on the following link for instructions:<br>[https://itstillworks.com/boot-knoppix-usb-6904288.html How to Boot Knoppix from USB]<br />
<br><br><br />
<br />
=INVESTIGATION 1: BOOTING KNOPPIX (LIVE LINUX) FROM MYAPPS=<br />
<br />
<br><br />
In this section, you will learn how to launch the Knoppix Live Linux distribution from a workstation as Seneca College using MyApps.<br />
<br />
<br />
'''Perform the Following Steps:'''<br />
<br />
# Start your workstation in your lab and login to your Seneca Windows account.<br><br><br />
# Make certain that the '''MyApps''' window is open. This window should have opened shortly after you logged into your Windows workstation. If the application windows is not open, click on the '''MyApps''' icon on the desktop to launch).<br><br><br />
# Click on the '''Search Apps''' area located in the top right corner of the MyApps window and type the word: <span style="color:blue;font-weight:bold;font-family:courier;">knoppix</span><br><br><br />
# The ''Knoppix'' Linux Distribution will appear. <br><br>'''NOTE:''' All of these applications allow you to connect to your Matrix account.<br>We will use the application called '''SSH Secure Shell Client''' for this practice tutorial.<br><br>[[Image:knoppix-3.png|thumb|right|280px|'''Launch Knoppix''' from '''Virtualbox''' menu.<br>(Image licensed under[https://creativecommons.org/licenses/by-sa/3.0/ cc])]]<br />
# Launch the '''Knoppix''' Linux distribution by clicking the '''Launch''' button.<br><br>'''NOTE:''' Your file manager will open and display both the '''Knoppix virtual machine icon''' and a '''Knoppix Installation ISO file'''. You will be launching the Knoppix Virtual machine in the '''Virtualbox''' application.<br><br><br />
# Double-click on the icon Knoppix.vbox in the Virtualbox menu.<br><br><br />
# Another dialog box will appear. Double-click on the '''Switch''' button when prompted to enter '''scale mode'''.<br><br>'''NOTE:''' You should notice that you can switch between your Knoppix VM and your Windows computer which is referred to as the '''host machine'''.<br><br><br />
# Allow a little time for the Knoppix Linux distribution to start. This is a '''graphical Linux distribution''' which will start-up in a desktop environment.<br><br>'''NOTE:''' You are NOT prompted for a username and password because this is a Linux Live distribution,<br>and you have been assigned a '''generic account'''.<br><br>[[Image:knoppix-desktop.png|thumb|right|380px|The '''Knoppix Linux desktop environment''' has a similar look as the MS Windows desktop environment.<br>(Image licensed under[https://creativecommons.org/licenses/by-sa/3.0/ cc])]]<br />
# On the bottom left-hand side, click on the '''Knoppix start menu''' (similar to the Windows start menu).<br><br><br />
# In the start menu, select '''System Tools'''<br><br>[[Image:xterm.png|thumb|right|200px|The '''xterm''' application will display the Bash shell to issue Linux commands.]]<br />
# In the system tools menu, scroll down and select to launch the terminal application called '''xterm'''<br><br><br />
# In the bash shell, issue the following Linux command: <span style="color:blue;font-weight:bold;font-family:courier;">whoami</span><br><br>What is the name of your generic Knoppix Linux Live account?<br><br><br />
# Issue the following command to connect to your Matrix account: <span style="color:blue;font-weight:bold;font-family:courier;">ssh yourSenecaId@matrix.senecacollege.ca</span><br><br>Where you able to connect to your Matrix account?<br><br><br />
# After logging in to your Matrix account, issue the following command to terminate your Matrix session: <span style="color:blue;font-weight:bold;font-family:courier;">exit</span><br><br><br />
# Make certain to close your '''xterm''' application.<br><br><br />
# Use the ''Knoppix start menu'' to launch a web-browser and go to the '''Google''' website.<br><br><br />
# Use the ''Knoppix start menu'' to select '''Office''' and then select '''LibreOffice - Writer''' to launch a word processor application.<br><br><br />
# Create a small document and save changes to your home directory using your first name, and exit the Libreoffice word processing document.<br><br><br />
# Use the ''Knoppix start menu'' to select '''logout''', then select '''shutdown''' to terminate your Knoppix Linux Live session.<br><br><br />
# Repeat the steps to launch a new Knoppix Linux Live session.<br><br>[[Image:libreoffice.png|thumb|right|200px|The '''LibreOffice''' application is the default word processor.<br>]]<br />
# Use the ''Knoppix start menu'' to launch a graphical file manager called x.<br><br><br />
# Search for the word processing document that you saved on your home directory. Is there document there. If not, why?<br><br><br />
# Use the ''Knoppix start menu'' to shutdown your Knoppix Linux Live session.<br><br><br />
# Work on the Linux practice questions located at the bottom of this tutorial.<br />
<br><br><br />
<br />
= LINUX PRACTICE QUESTIONS =<br />
<br />
The purpose of this section is to obtain '''extra practice''' to help with '''quizzes''', your '''midterm''', and your '''final exam'''.<br />
<br />
Here is a link to the MS Word Document of ALL of the questions displayed below but with extra room to answer on the document to<br />
simulate a quiz:<br />
<br />
https://ict.senecacollege.ca/~murray.saul/uli101/uli101_week7_practice.docx<br />
<br />
Your instructor may take-up these questions during class. It is up to the student to attend classes in order to obtain the answers to the following questions. Your instructor will NOT provide these answers in any other form (eg. e-mail, etc).<br />
<br />
<br />
'''Review Questions:'''<br />
<br />
# Define the term '''Linux Distribution'''.<br />
# List and explain '''two advantages''' of installing a Linux distribution on your home computer or laptop. <br />
# List and explain two things to consider <u>prior</u> to installing a Linux distribution on your home computer.<br />
# Explain why installing '''Multi-boot''' for Linux is useful for '''computer troubleshooting'''.<br />
# Define the term '''Virtualization'''.<br />
# List the steps to boot the Knoppix Linux distribution from a Workstation at Seneca College<br />
# List the steps to boot the Knoppix Linux distribution from a CD or USB from your home computer</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=ULI101_Week_2&diff=139861ULI101 Week 22019-09-06T00:01:41Z<p>Mark: </p>
<hr />
<div>= Linux File System =<br />
<br />
<br />
== Unix File System. ==<br />
<br />
* The Unix/Linux file system is hierarchical, similar to other operating systems today<br />
** Files are organized in directories<br />
** Directories may contain sub-directories<br />
* What is different (from Windows) is that there are no drive letters (such as C:, or D:)? All files and directories appear under a single root, even if multiple storage devices are used.<br />
* Learning command-line navigation of the file system is essential for efficient system usage<br />
<br />
== Hierarchical File System? ==<br />
<br />
* In the Linux (Unix) OS, the ''root directory'' <code>/</code> is the starting directory, and other ''child directories'', ''grandchild directories'', etc. are created.<br />
* The hierarchical structure resembles an ''upside-down tree''. There is actually a command called <code>tree</code> that can display a ''tree diagram''!<br />
<br />
<source lang="bash"># display files and directories below root (/) with the tree command<br />
$ tree /<br />
/<br />
|- home<br />
| |- user1<br />
| |- user2<br />
| |- user3<br />
| ...<br />
|<br />
|- public<br />
| |- ipc144<br />
| |- nled<br />
|<br />
....<br />
</source><br />
In the code shown above, the <code>$</code> refers to the prompt that waits for you to type something. That's where you type the command <code>tree</code>; some sample output of the command <code>tree</code> is shown below (notice the leading root directory, i.e. <code>/</code> at the top of the output following the <code>tree</code> command).<br />
<br />
This course will teach you the skills you require to navigate the directory tree in a Linux file system because learning command-line navigation of the file system is essential for efficient system usage and administration.<br />
<br />
== Typical Unix/Linux Directories ==<br />
<br />
A sample of some of the commonly found subdirectories that lie below the root directory (<code>/</code>) is shown in the table below. The table includes a brief description of the purpose of that subdirectory.<br />
<br />
{|<br />
| <code>/</code><br />
| Root directory (ancestor to all directories).<br />
|-<br />
| <code>/home</code><br />
| Used to store usersf home directories.<br />
|-<br />
| <code>/bin</code><br />
| Common system binaries (commands).<br />
|-<br />
| <code>/usr/bin</code><br />
| Common utilities (commands) for users.<br />
|-<br />
| <code>/usr/sbin</code><br />
| Common utilities for user administration.<br />
|-<br />
| <code>/etc</code><br />
| General System Admin. Files (eg passwd).<br />
|-<br />
| <code>/var</code><br />
| Dynamic files (log files).<br />
|-<br />
| <code>/tmp</code>, <code>/var/tmp</code><br />
| Temporary files for programs.<br />
|-<br />
| <code>/dev</code><br />
| Device files (terminals, printers, etc.).<br />
|}<br />
<br />
== Home directory ==<br />
<br />
* Every user when receiving an account has a ''home'' directory created.<br />
* This is where you keep your personal files<br />
* <code>~</code> represents your home<br />
** You can use the <code>~</code> symbol in pathnames<br />
* A <code>cd</code> command without any argument will get you directly to your home directory<br />
* Remember to keep your files private<br />
<br />
== Types of Files ==<br />
<br />
On a Unix/Linux file system a ''file'' can be anything. To an average computer user a file is a container for: a text document, video, music, photo etc.<br />
<br />
A directory is a special type of file (index file) containing references to other file locations on the physical disc or to other file related information. Devices like a terminal, a scanner, or a printer are also files. You will learn more details about these types of files later in this course. Any file (or directory) name starting with a period (such as <code>.</code> or <code>..</code>) is considered a hidden file (or directory). You can use the <code>ls -l</code> command to determine the type of file.<br />
<br />
For Example:<br />
<br />
<source lang="bash">$ ls -l /dev/tty<br />
crw-rw-rw- 1 root root 5, 0 2003-03-14 08:07 /dev/tty<br />
<br />
$ ls -l monday.txt w1.c<br />
-rw-r--r-- 1 someuser users 214 2006-01-23 14:20 monday.txt<br />
-rw-r--r-- 1 someuser users 248 2005-10-12 13:36 w1.c<br />
<br />
$ ls -ld uli101<br />
drwxr-xr-x 2 someuser users 4096 2006-01-17 16:43 uli101<br />
</source><br />
<blockquote>Notes for listing above:<br />
<br />
* Use the <code>-l</code> option of the <code>ls</code> command to get detailed information about a file.<br />
* Use the <code>-ld</code> option of the <code>ls</code> command to get detailed information for just the directory itself, not the filenames within it<br />
* The first character in detailed listing determines the file type, so:<br />
** <code>-</code> indicates a regular file<br />
** b or c indicates a device file<br />
** d indicates a directory<br />
</blockquote><br />
== Hidden Files ==<br />
<br />
A filename that begins with a '<code>.</code>' is a hidden file. So, if a filename name starts with a '<code>.</code>' as its first character, like <code>.profile</code> for example, it is a considered to be a hidden file by Linux commands and is suppressed from the normal listing of files. See the examples shown below:<br />
<br />
<source lang="bash">$ pwd<br />
/home/murray<br />
<br />
$ ls<br />
uli101.txt<br />
<br />
$ ls -a<br />
. .. .profile uli101.txt<br />
<br />
$ ls -A<br />
.profile uli101.txt<br />
</source><br />
<blockquote>In the file listing shown above<br />
<br />
* <code>pwd</code> displays the present working directory. This command is used to display where on in the Linux file system the logged in user is presently working in. In the example shown above, that location is <code>/home/murray</code><br />
* <code>ls</code> displays the normal listing of file, i.e. all non-hidden files in the present working directory (this is usually abbreviated to pwd in these notes).<br />
* <code>ls -a</code> displays all files including hidden.<br />
* '<code>.</code>' and '<code>..</code>' directories are hidden.<br />
* <code>ls -A</code> displays 'Almost' all files not including <code>.</code> and <code>..</code><br />
</blockquote><br />
* Why make files hidden?<br />
** To clean up directories.<br />
** To hide backups.<br />
** To protect important files from accidental deletion.<br />
* Remember: directories are really files, you can hide them as well.<br />
<br />
== Working With The File System ==<br />
<br />
* Be very careful when working with files on the command line, as there is no undo command or a Trash/Recycling Bin<br />
** A single command can wipe out your entire account<br />
** Changes are instant and permanent<br />
* Make backups of important files, preferably outside of your account - USB storage is a good option<br />
* You will learn later additional ways to control file access through file permissions which will help you prevent accidental file damage or deletion<br />
<br />
== Basic Commands ==<br />
<br />
; <code>pwd</code><br />
: Used to display the user’s present working directory. A user may need to know where they are located on the computer system in order to build directories, copy files, etc.<br />
; <code>cd</code> ''directorypath''<br />
: Used to change to a directory. Entering the cd command without a directory name will change to the user’s home directory.<br />
; <code>ls</code><br />
: Used to display the contents of a directory (eg. regular files or sub-directories). By default, the ls command displays non-hidden filenames only.<br />
;* The following are common options available with the <code>ls</code> command:<br />
;* <code>-a</code> short display of hidden &amp; non-hidden files<br />
;* <code>-l</code> detailed display of files (excl. hidden files)<br />
;* <code>-d</code> combined with <code>-l</code> option, displays info about the directory itself instead of the files within it<br />
;* Options can be combined, for example: <code>ls -la</code> (or <code>ls -l -a</code>)<br />
<br />
; <code>mkdir</code> ''directorypath''<br />
: Used to create a directory. Multiple arguments can be used to create multiple directories. The option <code>–p</code> (parent) allows multiple directory levels to be created.<br />
; <code>rmdir</code> ''directorypath''<br />
: Used to remove only empty directories (i.e. directories that contain no subdirectories or regular files). A user cannot remove a directory from within the directory itself.<br />
; <code>mv</code> ''sourcepath'' ''directorypath''<br />
: Used to move a file from one location to another and/or rename the file. The mv command can be used to move directories as well as files. The <code>-i</code> option asks for confirmation if the destination filename already exists.<br />
; <code>cp</code> ''sourcepath'' ''directorypath''<br />
: Used to copy a file from one location to another. The cp command can be used to backup important files. – The <code>-i</code> option asks for confirmation if the destination filename already exists. – The <code>-r</code> (recursive) option allows copying of directories and their contents.<br />
; <code>rm</code> ''filepath''<br />
: Used to remove a regular file.<br />
; <code>rm -r</code> ''filepath''<br />
: Used to recursively remove a directory and it's contents. Recursive means to descend to lower levels, which in this case, indicates that subdirectories and their contents are also removed. Note: it is a good idea to include the <code>-i</code> option to confirm deletion of subdirectories and their contents!<br />
; <code>cat</code> ''filepath''<br />
: To display contents of one or more files (i.e. to catenate files). For example, <code>cat file1 file2 file3</code> will display the contents of <code>file1</code> and <code>file2</code> and <code>file3</code> on the screen one after the other. To display the contents of small files (files longer than the screen will scroll to the end). For example, issuing the command <code>cat .bash_profile</code> in your home directory would display the contents of your setup file.<br />
;; <code>more</code> ''filepath''<br />
;: Used to display the contents of large regular files one screen at a time. The user can navigate throughout the file by pressing keys such as:<br />
<br />
<blockquote>{|<br />
| &lt;SPACEBAR&gt;<br />
| Move to next screen<br />
|-<br />
| b<br />
| Move to previous screen<br />
|-<br />
| &lt;ENTER&gt;<br />
| Move to next line<br />
|-<br />
| /car&lt;ENTER&gt;<br />
| Search for pattern &quot;car&quot;<br />
|-<br />
| q<br />
| Exit to shell<br />
|}<br />
</blockquote><br />
; <code>less</code> ''filepath''<br />
: Works like more command, but contains more navigation features.<br />
; <code>touch</code> ''path''<br />
: Used to update the date and time of existing files. The <code>touch</code> command is also used to create empty files. You will be using the touch command to create empty files when you practice the file management on-line tutorial<br />
; <code>file</code> ''path''<br />
: Determines a file type. Useful when a particular file has no file extension or the extension is unknown or incorrect.<br />
<br />
== The find Command ==<br />
<br />
The <code>find</code> command allows searching for files by file name, size, and file attributes recursively throughout the file system. An optional action can be performed on matches<br />
<br />
<source lang="bash">#Search for a file named bob:<br />
find / -name bob<br />
<br />
# Delete empty files belonging to user alice:<br />
find / -user alice -empty -delete<br />
<br />
# Find all files modified less than 5 minutes ago:<br />
find / -mmin -5<br />
<br />
# Find large files<br />
find . -size +100M<br />
</source><br />
== File Naming ==<br />
<br />
* Unix/Linux is case sensitive!<br />
* Adopt a consistent file naming scheme. this will help you find your files later<br />
* Make your file and directory names meaningful<br />
* Avoid non alphanumeric characters, as they have a special meaning to the system and will make your work more difficult<br />
* Avoid using spaces in file names - consider periods, hyphens and underscores instead<br />
* Feel free to use file name extensions to describe the file purpose<br />
<br />
== Getting Help with Commands ==<br />
<br />
* A comprehensive online manual for common UNIX/Linux commands exists on your server<br />
* The online manual is a command called <code>man</code><br />
<br />
<source lang="bash"># show man page of ls command<br />
$ man ls<br />
</source><br />
<pre class="example">man [options] command<br />
<br />
Options:<br />
<br />
-k provides short (one-line) explanation relating to the commands matching the character string.<br />
This can be used if user doesn't know name of command, eg. man -k calendar<br />
</pre><br />
== Text Editing ==<br />
<br />
Editing text files is an everyday activity for both users as well as administrators on a Unix and Linux system<br />
<br />
* System configuration files<br />
* Scripts and programs<br />
* Documentation<br />
* Web pages<br />
<br />
As the GUI may not always be available, knowing command-line text editors is a very valuable skill.<br />
<br />
Please note that although both Unix/Linux and Windows use ASCII to encode text files, there are small differences that may cause problems (particularly with scripts) when copying files between different systems:<br />
<br />
* If needed, use the <code>unix2dos</code> and <code>dos2unix</code> utilities to convert between the two systems<br />
* A specific system may have many editors available and as you work with one for a while you will probably pick a favourite one<br />
* A traditional fall-back is the <code>vi</code> editor, as it is most likely to be present on all Unix-like systems, especially when installed with a minimum software complement<br />
<br />
Consider knowing <code>vi</code> as one of many badges of a competent Unix/Linux user<br />
<br />
* <code>vi</code> has a relatively steep learning curve and is not user friendly, but it offers nice advanced features which will be introduced later in the course (Visual) Editor<br />
<br />
<code>vi</code> is a powerful, interactive, visually-oriented text editor with these features:<br />
<br />
* Efficient editing by using keystrokes instead of mouse.<br />
* Use of regular expressions<br />
* Possibility to recover files after accidental loss of connection<br />
* Features for programmers (eg. line numbering, auto-indent, etc)<br />
* Although you may prefer to use other editors (such as <code>nano</code> or <code>nled</code>), knowing <code>vi</code> is very useful, as this is one editor that is present on all Unix-like systems<br />
<br />
== Starting vi Session ==<br />
<br />
There are two ways to start an editing session with <code>vi</code>:<br />
<br />
– Enter <code>vi</code> ''filename'' -recommended since ''filename'' has already been assigned and changes will be saved to that ''filename'' when saving within <code>vi</code>, for example <code>:w&lt;ENTER&gt;</code> – If the ''filename'' exists, it will be edited. If the ''filename'' doesn't exist, it will be created. – Enter <code>vi</code> - filename is not assigned, therefore user has to type <code>:w filename&lt;ENTER&gt;</code> in order to save the file.<br />
<br />
== Modes ==<br />
<br />
There are three operational modes while using the vi editor:<br />
<br />
– Command Mode (default mode when starting) :: User presses letter(s) for a command<br />
<br />
– for example to input text, delete text, append text, etc. Does NOT require <code>&lt;ENTER&gt;</code> key, the keystrokes are used individually.<br />
<br />
– Input Mode :: Input Mode allows user to enter or edit text. Press <code>&lt;ESC&gt;</code> to return to command mode.<br />
<br />
– Last-line Mode :: Pressing colon &quot;:&quot; opens a prompt at the bottom of the screen to enter more complex commands, such as search and replace. Requires <code>&lt;ENTER&gt;</code> key to execute command.<br />
<br />
== Moving in Command Mode ==<br />
<br />
You can move around to text in the screen by using the following keys:<br />
<br />
{|<br />
| h<br />
| left<br />
|-<br />
| j<br />
| down<br />
|-<br />
| k<br />
| up<br />
|-<br />
| l<br />
| right<br />
|-<br />
| w<br />
| right one word to special character<br />
|-<br />
| W<br />
| right one word including special characters<br />
|-<br />
| b<br />
| left one word to special character<br />
|-<br />
| B<br />
| left one word including special characters<br />
|-<br />
| 0 (zero)<br />
| beginning of line<br />
|-<br />
| $<br />
| end of line<br />
|-<br />
| G<br />
| go to last line in file<br />
|-<br />
| 237G<br />
| go to line 237 in file<br />
|}<br />
<br />
* You may be able to move around by using the arrow keys (depends on version of vi).<br />
<br />
== Getting into Input Mode ==<br />
<br />
While in command mode, you can issue the following commands to input text:<br />
<br />
{|<br />
| i<br />
| insert to left of cursor<br />
|-<br />
| I<br />
| insert at beginning of line<br />
|-<br />
| o<br />
| insert line below current line<br />
|-<br />
| O<br />
| insert line above current line<br />
|-<br />
| a<br />
| append to right of cursor<br />
|-<br />
| A<br />
| append at end of current line<br />
|-<br />
| r<br />
| replace character under cursor<br />
|-<br />
| R<br />
| overwrite text character-by-character<br />
|}<br />
<br />
Don't forget to hit &lt;ESC&gt; to return to command mode.<br />
<br />
== Common Editing Commands ==<br />
<br />
{|<br />
| x<br />
| Delete single character under the cursor<br />
|-<br />
| d<br />
| Delete<br />
|-<br />
|<br />
| eg. dw - delete from the current position to the next word or special character<br />
|-<br />
|<br />
| eg. d$ - delete from the current position to the end of the line<br />
|-<br />
|<br />
| eg. dd - delete the entire current line<br />
|-<br />
| c<br />
| Change<br />
|-<br />
|<br />
| eg. cw - change from the current position to the next word or special character<br />
|-<br />
|<br />
| eg. c$ - change from the current position to the end of the line<br />
|-<br />
|<br />
| eg. cc - change the entire current line<br />
|-<br />
| y<br />
| Yank (copy)<br />
|-<br />
|<br />
| eg. yw - copy from the current position to the next word or special character<br />
|-<br />
|<br />
| eg. y$ - copy from the current position to the end of the line<br />
|-<br />
|<br />
| eg. yy - copy the entire current line<br />
|-<br />
| p<br />
| paste deleted or copied text after or below cursor<br />
|-<br />
| P<br />
| paste deleted or copied text before or above cursor<br />
|-<br />
| u<br />
| undo previous edit<br />
|-<br />
| .<br />
| repeat previous edit<br />
|}<br />
<br />
<blockquote>Editing commands can be preceded with a number, for example: 3x = delete the next three characters 2u = undo the last two edits 12dd = delete 12 lines<br />
</blockquote><br />
== Searching ==<br />
<br />
Search for text (in command mode)<br />
<br />
{|<br />
| /pattern<br />
| Search forward for pattern<br />
|-<br />
| ?pattern<br />
| Search backwards for pattern<br />
|-<br />
| n<br />
| Display next match<br />
|}<br />
<br />
== Saving Edited File ==<br />
<br />
* Work performed during vi session is stored in a Work Buffer (temporary storage) until the user saves their work.<br />
* To save your vi session, make sure you are in command mode by pressing <code>&lt;ESC&gt;</code><br />
* To save your changes and exit, type <code>ZZ</code> (two capital z’s). You can also use either <code>:x&lt;ENTER&gt;</code> or <code>:wq&lt;ENTER&gt;</code><br />
* You can save without exiting by typing <code>:w&lt;ENTER&gt;</code><br />
<br />
== Aborting Editing Session ==<br />
<br />
If you make a mistake in your editing session that undo cannot easily solve, you can abort your session without modifying the contents of your file by using the following last-line command: <code>:q!&lt;ENTER&gt;</code><br />
<br />
<br />
<br />
[[Category:ULI101]]<br />
[[Category:ULI101-2018]]</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210_Assignment1&diff=139293SRT210 Assignment12019-06-13T14:19:22Z<p>Mark: /* Assignment 1 */</p>
<hr />
<div>= Assignment 1 =<br />
<br />
Due date: 12th of June<br />
*'''(Update: June 13 2019)''': Final version. Added clarity (See the '''A1 Test Cases''' section below) to what will be tested at demo time (based on A1 requirements). More details of what should be in the project report. [[:File:19b-SRT210_a1.pdf|Download PDF]].<br />
*'''(Update: May 31 2019)''': First draft. Additional edits will only clarify language and improve readability. You may consider these requirements complete for '''Assignment 1 in Summer 2019'''.<br />
*'''(May 7 2019)''': Additional requirements will be added at a later date.<br />
<br />
Late penalties: 10% per day, including weekends and holidays<br />
<br />
== Part 1: Set up and routing (10 marks) ==<br />
<br />
# Complete labs 1 through 4.<br />
# Create a new virtual network named asg1 with subnet 192.168.X where X is the first two digits of your Seneca student number. Do not use DHCP on this network.<br />
# Create a new virtual machine and install CentOS on it as a minimal install. Name this virtual machine lin1a1 but set its hostname to yourmysenecaid.lin1a1.<br />
# Setup lin1a1 to have two network interfaces where both network interfaces are virtio virtual devices. Next, setup one network interface with IP address 192.168.X.32 and to connect to the asg1 network while the other network interface has IP address 192.168.210.22 and it connects to the network1 network.<br />
# Keep in mind in any networked system you can have just one, and only one, default gateway. So configure the default gateway of lin1a1 to be c7host on the 192.168.210 subnet. Confirm lin1a1 can communicate with the Internet and with hosts on network1.<br />
# Create another minimal CentOS VM: name it lin2a1; set its hostname to yourmysenecaid.lin2a1; let it have one network interface and IP 192.168.X.33 (X being the first two digits of your student ID). By default, after the install, this second VM should be able to access machines on the asg1 network but it will not be able to communicate with any hosts on the network1 network.<br />
# Configure lin2a1, the second VM, to be able to access the Internet and the network1 network via lin1a1. You will need to enable IP forwarding and masquerading on the appropriate interface and the appropriate machine for that to happen.<br />
# Configure both VMs (lin1a1 and lin2a1) to be added to your DNS server. able to connect to c7host.yourmysenecaid.ops, lin1.yourmysenecaid.ops, and lin2.yourmysenecaid.ops by their hostnames (don't be tempted to set up another DNS server, use what you already have from your earlier lab)<br />
# Ensure you start your firewall setup on each VM from the default iptables-services rules. You'll lose marks if you don't have a functional firewall on lin1a1 and on lin2a1.<br />
<br />
== Part 2: Multiple WebServer Setup (10 marks) ==<br />
<br />
# (2 Marks) Install NGINX on lin1a1 and Caddy on lin2a2. Confirm that each works locally with thier VM and from c7host. Do the testing of NGINX and Caddy in two stages.<br />
# (3 Marks) From a browser running on c7host confirm connections using IP addresses:<br />
#: * http://192.168.210.11 connects to Apache (from the earlier lab)<br />
#: * http://192.168.210.22 connects to NGINX running on lin1a1<br />
#: * http://192.168.X.33 connects to Caddy running on lin2a1.<br />
# (3 Marks) From a browser running on c7host confirm connections using hostnames:<br />
#: * http://lin1.yourmysenecaid.ops connects to Apache (from the earlier lab)<br />
#: * http://lin1a1.yourmysenecaid.ops connects to NGINX running on lin1a1<br />
#: * http://lin1a2.yourmysenecaid.ops connects to Caddy running on lin2a1.<br />
# (1 Mark) From a browser running on lin2 show you can connect to all 3 webservers using their IP addresses and their hostnames.<br />
# (1 Mark) From a browser running on Windows show you can connect to each of the 3 webservers using the c7host IP address. NOTE: when doing this test, you will want to turn off the other two VMs.<br />
<br />
== Part 3: Report (10 marks) ==<br />
<br />
Write a report where you describe in your own words your learning experience of this assignment. Keep the tone of your writing such that your present self is teaching your future self (who might have forgotten) the learning experience you achieved while doing this assignment. Be sure to include all the major learning points you overcame to make this assignment work as described.<br />
<br />
# The report must be in a PDF format otherwise it will be considered unreadable. The text part of the report can use a Serif or Sans-Serif font (such as Arial or DejaVu Sans) but the configuration file output must be in a fixed-width (such as Courier or MonoType).<br />
# The very FIRST FEW LINES MUST CONTAIN: '''Full Name''', your '''MySeneca username''', and your '''student ID'''.<br />
# The next FEW LINES MUST CONTAIN output from the command line (use a screen shots for doing this) showing:<br />
#* MAC and IP address of <code>eth0</code> on '''lin1a1'''<br />
#* MAC and IP address of <code>eth1</code> on '''lin1a1'''<br />
#* MAC and IP address of <code>eth0</code> on '''lin1a2'''<br />
#* MAC and IP address of <code>eth0</code> on '''lin1:'''<br />
#* MAC and IP address of <code>eth0</code> on '''lin2:'''<br />
# What you had to do to set everything up (most important are the networking, routing, and firewall configurations). Screenshots of the configuration files are acceptable, however, the screenshot must be readable. If the font is too small (less than 12 pt) or the screenshot is blurry, you will lose marks. You may take multiple screenshots of a long configuration file provided they show the previous few lines to show continuation. Ideally, it is best (and probably fastest) to use scp to get the configurations out of the VMs and append them into your report.<br />
# Describe any challenges you ran into and how you solved them.<br />
# Screenshots are required for proof that your setup works. Each screenshot must:<br />
#* Clearly be labelled the test you are proving, for example: Connect to <code>http://lin1a2.yourmysenecaid.ops</code> from '''c7host'''.<br />
#* Cover '''ALL''' of the individual test cases described in '''A1 Test Case''' section below.<br />
#* Show the interaction between '''c7host''' (or '''lin2''') in a readable (12 pt) font.<br />
#* The prompt on the terminal MUST show the logged in user and hostname of the VM so it captures what is happenning where.<br />
#* Use <code>curl</code> and <code>ping</code> to show connections to each server and the web. Pipe the output from <code>curl</code> into <code>head</code> to restrict output to 4 lines maximum.<br />
#* Use <code>cat</code> show contents of <code>/etc/resolv.conf</code> on <code>lin1a1</code> and <code>lin2a1</code>.<br />
#* Use <code>cat</code> to show the contents of <code>/etc/sysconfig/iptables</code> on '''lin1a1''', and '''lin2a1'''. Show all the additional commands you ran on '''c7host''' after it booted up to test connectivity to Apache on '''lin1''', NGINX on '''lin1a1''', and Caddy on '''lin2a1'''.<br />
#* Use cat to show full configuration of these network cards:<br />
#** <code>eth0</code> on '''lin1a1'''<br />
#** <code>eth1</code> on '''lin1a1'''<br />
#** <code>eth0</code> on '''lin2a1'''<br />
# Show the output of each of the Assignment 1 test cases (see the next section) in your report.<br />
<br />
== A1 Test Cases: ==<br />
<br />
<ol><br />
<li><p>Using <code>ping 1.1.1.1</code>, <code>ssh root@hostname</code>, and <code>curl http://centos.org</code> show the following use cases:</p><br />
<ol type="a"><li>From '''lin1a1''': prove Internet connectivity of '''lin1a1'''</li><li>From '''lin2a1''': prove '''lin1a1''' acts as a router for '''lin2a1''' and acts as a bridge between '''asg1''' and '''network1''' using the following 3 test cases.</li><br />
<ol><br />
<li>when '''lin1a1''' is shut down '''lin2a1''' no longer has Internet connectivity</li><br />
<li>when '''lin1a1''' is turned on '''lin2a1''' has Internet connectivity</li><br />
<li>use <code>ping</code> and <code>ssh</code> from '''lin2a1''' to connect to '''lin1''' and '''lin2'''</li></ol><br />
<br />
<li>From '''c7host''':</li><br />
<ol><br />
<li><p>use <code>ping</code> and <code>ssh</code> to prove connectivity to '''lin1a1''' and '''lin2a1''' using their IP numbers and their domain names. The domain names for both '''lin1a1''' and '''lin2a1''' should be resolved through '''lin2'''.</p></li><br />
<li><p>use <code>curl</code> to display the home pages of Apache running on '''lin1'''; NGINX running on '''lin1a1''', and Caddy running on '''lin2a1'''. Use both IP and friendly-names methods to demonstrate this: IP addresses of their respective hosts and the domain names of those respective hosts, for example '''yourMySeneca.host.ops'''. and <code>192.168.X.33</code></p></li></ol><br />
</li></ol><br />
<li><p>From Windows, using Internet Exporer or Edge, show home page contents of your website on that host using the webserver installed on that host, example: Apache on '''lin1''', NGINX on '''lin1a1''', and Caddy on '''lin2a1'''. You may have to edit iptables rules on '''c7host''' each time you want to access that particular VM so HTTP requests coming from port <code>80</code> on Windows go directly to that VM.</p></li></ol><br />
<br />
== Submit ==<br />
<br />
Submit the report on Blackboard.</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210_Assignment1&diff=139292SRT210 Assignment12019-06-13T14:18:48Z<p>Mark: /* Assignment 1 */</p>
<hr />
<div>= Assignment 1 =<br />
<br />
Due date: 12th of June<br />
*'''(Update: June 13 2019)''': Final version. Added clarity (See the '''A1 Test Cases''' section below) to what will be tested at demo time (based on A1 requirements). More details of what should be in the project report too [[:File:19b-SRT210_a1.pdf|Download PDF]].<br />
*'''(Update: May 31 2019)''': First draft. Additional edits will only clarify language and improve readability. You may consider these requirements complete for '''Assignment 1 in Summer 2019'''.<br />
*'''(May 7 2019)''': Additional requirements will be added at a later date.<br />
<br />
Late penalties: 10% per day, including weekends and holidays<br />
<br />
== Part 1: Set up and routing (10 marks) ==<br />
<br />
# Complete labs 1 through 4.<br />
# Create a new virtual network named asg1 with subnet 192.168.X where X is the first two digits of your Seneca student number. Do not use DHCP on this network.<br />
# Create a new virtual machine and install CentOS on it as a minimal install. Name this virtual machine lin1a1 but set its hostname to yourmysenecaid.lin1a1.<br />
# Setup lin1a1 to have two network interfaces where both network interfaces are virtio virtual devices. Next, setup one network interface with IP address 192.168.X.32 and to connect to the asg1 network while the other network interface has IP address 192.168.210.22 and it connects to the network1 network.<br />
# Keep in mind in any networked system you can have just one, and only one, default gateway. So configure the default gateway of lin1a1 to be c7host on the 192.168.210 subnet. Confirm lin1a1 can communicate with the Internet and with hosts on network1.<br />
# Create another minimal CentOS VM: name it lin2a1; set its hostname to yourmysenecaid.lin2a1; let it have one network interface and IP 192.168.X.33 (X being the first two digits of your student ID). By default, after the install, this second VM should be able to access machines on the asg1 network but it will not be able to communicate with any hosts on the network1 network.<br />
# Configure lin2a1, the second VM, to be able to access the Internet and the network1 network via lin1a1. You will need to enable IP forwarding and masquerading on the appropriate interface and the appropriate machine for that to happen.<br />
# Configure both VMs (lin1a1 and lin2a1) to be added to your DNS server. able to connect to c7host.yourmysenecaid.ops, lin1.yourmysenecaid.ops, and lin2.yourmysenecaid.ops by their hostnames (don't be tempted to set up another DNS server, use what you already have from your earlier lab)<br />
# Ensure you start your firewall setup on each VM from the default iptables-services rules. You'll lose marks if you don't have a functional firewall on lin1a1 and on lin2a1.<br />
<br />
== Part 2: Multiple WebServer Setup (10 marks) ==<br />
<br />
# (2 Marks) Install NGINX on lin1a1 and Caddy on lin2a2. Confirm that each works locally with thier VM and from c7host. Do the testing of NGINX and Caddy in two stages.<br />
# (3 Marks) From a browser running on c7host confirm connections using IP addresses:<br />
#: * http://192.168.210.11 connects to Apache (from the earlier lab)<br />
#: * http://192.168.210.22 connects to NGINX running on lin1a1<br />
#: * http://192.168.X.33 connects to Caddy running on lin2a1.<br />
# (3 Marks) From a browser running on c7host confirm connections using hostnames:<br />
#: * http://lin1.yourmysenecaid.ops connects to Apache (from the earlier lab)<br />
#: * http://lin1a1.yourmysenecaid.ops connects to NGINX running on lin1a1<br />
#: * http://lin1a2.yourmysenecaid.ops connects to Caddy running on lin2a1.<br />
# (1 Mark) From a browser running on lin2 show you can connect to all 3 webservers using their IP addresses and their hostnames.<br />
# (1 Mark) From a browser running on Windows show you can connect to each of the 3 webservers using the c7host IP address. NOTE: when doing this test, you will want to turn off the other two VMs.<br />
<br />
== Part 3: Report (10 marks) ==<br />
<br />
Write a report where you describe in your own words your learning experience of this assignment. Keep the tone of your writing such that your present self is teaching your future self (who might have forgotten) the learning experience you achieved while doing this assignment. Be sure to include all the major learning points you overcame to make this assignment work as described.<br />
<br />
# The report must be in a PDF format otherwise it will be considered unreadable. The text part of the report can use a Serif or Sans-Serif font (such as Arial or DejaVu Sans) but the configuration file output must be in a fixed-width (such as Courier or MonoType).<br />
# The very FIRST FEW LINES MUST CONTAIN: '''Full Name''', your '''MySeneca username''', and your '''student ID'''.<br />
# The next FEW LINES MUST CONTAIN output from the command line (use a screen shots for doing this) showing:<br />
#* MAC and IP address of <code>eth0</code> on '''lin1a1'''<br />
#* MAC and IP address of <code>eth1</code> on '''lin1a1'''<br />
#* MAC and IP address of <code>eth0</code> on '''lin1a2'''<br />
#* MAC and IP address of <code>eth0</code> on '''lin1:'''<br />
#* MAC and IP address of <code>eth0</code> on '''lin2:'''<br />
# What you had to do to set everything up (most important are the networking, routing, and firewall configurations). Screenshots of the configuration files are acceptable, however, the screenshot must be readable. If the font is too small (less than 12 pt) or the screenshot is blurry, you will lose marks. You may take multiple screenshots of a long configuration file provided they show the previous few lines to show continuation. Ideally, it is best (and probably fastest) to use scp to get the configurations out of the VMs and append them into your report.<br />
# Describe any challenges you ran into and how you solved them.<br />
# Screenshots are required for proof that your setup works. Each screenshot must:<br />
#* Clearly be labelled the test you are proving, for example: Connect to <code>http://lin1a2.yourmysenecaid.ops</code> from '''c7host'''.<br />
#* Cover '''ALL''' of the individual test cases described in '''A1 Test Case''' section below.<br />
#* Show the interaction between '''c7host''' (or '''lin2''') in a readable (12 pt) font.<br />
#* The prompt on the terminal MUST show the logged in user and hostname of the VM so it captures what is happenning where.<br />
#* Use <code>curl</code> and <code>ping</code> to show connections to each server and the web. Pipe the output from <code>curl</code> into <code>head</code> to restrict output to 4 lines maximum.<br />
#* Use <code>cat</code> show contents of <code>/etc/resolv.conf</code> on <code>lin1a1</code> and <code>lin2a1</code>.<br />
#* Use <code>cat</code> to show the contents of <code>/etc/sysconfig/iptables</code> on '''lin1a1''', and '''lin2a1'''. Show all the additional commands you ran on '''c7host''' after it booted up to test connectivity to Apache on '''lin1''', NGINX on '''lin1a1''', and Caddy on '''lin2a1'''.<br />
#* Use cat to show full configuration of these network cards:<br />
#** <code>eth0</code> on '''lin1a1'''<br />
#** <code>eth1</code> on '''lin1a1'''<br />
#** <code>eth0</code> on '''lin2a1'''<br />
# Show the output of each of the Assignment 1 test cases (see the next section) in your report.<br />
<br />
== A1 Test Cases: ==<br />
<br />
<ol><br />
<li><p>Using <code>ping 1.1.1.1</code>, <code>ssh root@hostname</code>, and <code>curl http://centos.org</code> show the following use cases:</p><br />
<ol type="a"><li>From '''lin1a1''': prove Internet connectivity of '''lin1a1'''</li><li>From '''lin2a1''': prove '''lin1a1''' acts as a router for '''lin2a1''' and acts as a bridge between '''asg1''' and '''network1''' using the following 3 test cases.</li><br />
<ol><br />
<li>when '''lin1a1''' is shut down '''lin2a1''' no longer has Internet connectivity</li><br />
<li>when '''lin1a1''' is turned on '''lin2a1''' has Internet connectivity</li><br />
<li>use <code>ping</code> and <code>ssh</code> from '''lin2a1''' to connect to '''lin1''' and '''lin2'''</li></ol><br />
<br />
<li>From '''c7host''':</li><br />
<ol><br />
<li><p>use <code>ping</code> and <code>ssh</code> to prove connectivity to '''lin1a1''' and '''lin2a1''' using their IP numbers and their domain names. The domain names for both '''lin1a1''' and '''lin2a1''' should be resolved through '''lin2'''.</p></li><br />
<li><p>use <code>curl</code> to display the home pages of Apache running on '''lin1'''; NGINX running on '''lin1a1''', and Caddy running on '''lin2a1'''. Use both IP and friendly-names methods to demonstrate this: IP addresses of their respective hosts and the domain names of those respective hosts, for example '''yourMySeneca.host.ops'''. and <code>192.168.X.33</code></p></li></ol><br />
</li></ol><br />
<li><p>From Windows, using Internet Exporer or Edge, show home page contents of your website on that host using the webserver installed on that host, example: Apache on '''lin1''', NGINX on '''lin1a1''', and Caddy on '''lin2a1'''. You may have to edit iptables rules on '''c7host''' each time you want to access that particular VM so HTTP requests coming from port <code>80</code> on Windows go directly to that VM.</p></li></ol><br />
<br />
== Submit ==<br />
<br />
Submit the report on Blackboard.</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210_Assignment1&diff=139291SRT210 Assignment12019-06-13T14:14:51Z<p>Mark: /* A1 Test Cases: */</p>
<hr />
<div>= Assignment 1 =<br />
<br />
Due date: 12th of June<br />
*'''(Update: June 13 2019)''': Final version. Added clarity to what will be actually tested during the demo (based on the requirements given) and the details of the project report required [[:File:19b-SRT210_a1.pdf|Download PDF]].<br />
*'''(Update: May 31 2019)''': First draft. Additional edits will only clarify language and improve readability. You may consider these requirements complete for '''Assignment 1 in Summer 2019'''.<br />
*'''(May 7 2019)''': Additional requirements will be added at a later date.<br />
<br />
Late penalties: 10% per day, including weekends and holidays<br />
<br />
== Part 1: Set up and routing (10 marks) ==<br />
<br />
# Complete labs 1 through 4.<br />
# Create a new virtual network named asg1 with subnet 192.168.X where X is the first two digits of your Seneca student number. Do not use DHCP on this network.<br />
# Create a new virtual machine and install CentOS on it as a minimal install. Name this virtual machine lin1a1 but set its hostname to yourmysenecaid.lin1a1.<br />
# Setup lin1a1 to have two network interfaces where both network interfaces are virtio virtual devices. Next, setup one network interface with IP address 192.168.X.32 and to connect to the asg1 network while the other network interface has IP address 192.168.210.22 and it connects to the network1 network.<br />
# Keep in mind in any networked system you can have just one, and only one, default gateway. So configure the default gateway of lin1a1 to be c7host on the 192.168.210 subnet. Confirm lin1a1 can communicate with the Internet and with hosts on network1.<br />
# Create another minimal CentOS VM: name it lin2a1; set its hostname to yourmysenecaid.lin2a1; let it have one network interface and IP 192.168.X.33 (X being the first two digits of your student ID). By default, after the install, this second VM should be able to access machines on the asg1 network but it will not be able to communicate with any hosts on the network1 network.<br />
# Configure lin2a1, the second VM, to be able to access the Internet and the network1 network via lin1a1. You will need to enable IP forwarding and masquerading on the appropriate interface and the appropriate machine for that to happen.<br />
# Configure both VMs (lin1a1 and lin2a1) to be added to your DNS server. able to connect to c7host.yourmysenecaid.ops, lin1.yourmysenecaid.ops, and lin2.yourmysenecaid.ops by their hostnames (don't be tempted to set up another DNS server, use what you already have from your earlier lab)<br />
# Ensure you start your firewall setup on each VM from the default iptables-services rules. You'll lose marks if you don't have a functional firewall on lin1a1 and on lin2a1.<br />
<br />
== Part 2: Multiple WebServer Setup (10 marks) ==<br />
<br />
# (2 Marks) Install NGINX on lin1a1 and Caddy on lin2a2. Confirm that each works locally with thier VM and from c7host. Do the testing of NGINX and Caddy in two stages.<br />
# (3 Marks) From a browser running on c7host confirm connections using IP addresses:<br />
#: * http://192.168.210.11 connects to Apache (from the earlier lab)<br />
#: * http://192.168.210.22 connects to NGINX running on lin1a1<br />
#: * http://192.168.X.33 connects to Caddy running on lin2a1.<br />
# (3 Marks) From a browser running on c7host confirm connections using hostnames:<br />
#: * http://lin1.yourmysenecaid.ops connects to Apache (from the earlier lab)<br />
#: * http://lin1a1.yourmysenecaid.ops connects to NGINX running on lin1a1<br />
#: * http://lin1a2.yourmysenecaid.ops connects to Caddy running on lin2a1.<br />
# (1 Mark) From a browser running on lin2 show you can connect to all 3 webservers using their IP addresses and their hostnames.<br />
# (1 Mark) From a browser running on Windows show you can connect to each of the 3 webservers using the c7host IP address. NOTE: when doing this test, you will want to turn off the other two VMs.<br />
<br />
== Part 3: Report (10 marks) ==<br />
<br />
Write a report where you describe in your own words your learning experience of this assignment. Keep the tone of your writing such that your present self is teaching your future self (who might have forgotten) the learning experience you achieved while doing this assignment. Be sure to include all the major learning points you overcame to make this assignment work as described.<br />
<br />
# The report must be in a PDF format otherwise it will be considered unreadable. The text part of the report can use a Serif or Sans-Serif font (such as Arial or DejaVu Sans) but the configuration file output must be in a fixed-width (such as Courier or MonoType).<br />
# The very FIRST FEW LINES MUST CONTAIN: '''Full Name''', your '''MySeneca username''', and your '''student ID'''.<br />
# The next FEW LINES MUST CONTAIN output from the command line (use a screen shots for doing this) showing:<br />
#* MAC and IP address of <code>eth0</code> on '''lin1a1'''<br />
#* MAC and IP address of <code>eth1</code> on '''lin1a1'''<br />
#* MAC and IP address of <code>eth0</code> on '''lin1a2'''<br />
#* MAC and IP address of <code>eth0</code> on '''lin1:'''<br />
#* MAC and IP address of <code>eth0</code> on '''lin2:'''<br />
# What you had to do to set everything up (most important are the networking, routing, and firewall configurations). Screenshots of the configuration files are acceptable, however, the screenshot must be readable. If the font is too small (less than 12 pt) or the screenshot is blurry, you will lose marks. You may take multiple screenshots of a long configuration file provided they show the previous few lines to show continuation. Ideally, it is best (and probably fastest) to use scp to get the configurations out of the VMs and append them into your report.<br />
# Describe any challenges you ran into and how you solved them.<br />
# Screenshots are required for proof that your setup works. Each screenshot must:<br />
#* Clearly be labelled the test you are proving, for example: Connect to <code>http://lin1a2.yourmysenecaid.ops</code> from '''c7host'''.<br />
#* Cover '''ALL''' of the individual test cases described in '''A1 Test Case''' section below.<br />
#* Show the interaction between '''c7host''' (or '''lin2''') in a readable (12 pt) font.<br />
#* The prompt on the terminal MUST show the logged in user and hostname of the VM so it captures what is happenning where.<br />
#* Use <code>curl</code> and <code>ping</code> to show connections to each server and the web. Pipe the output from <code>curl</code> into <code>head</code> to restrict output to 4 lines maximum.<br />
#* Use <code>cat</code> show contents of <code>/etc/resolv.conf</code> on <code>lin1a1</code> and <code>lin2a1</code>.<br />
#* Use <code>cat</code> to show the contents of <code>/etc/sysconfig/iptables</code> on '''lin1a1''', and '''lin2a1'''. Show all the additional commands you ran on '''c7host''' after it booted up to test connectivity to Apache on '''lin1''', NGINX on '''lin1a1''', and Caddy on '''lin2a1'''.<br />
#* Use cat to show full configuration of these network cards:<br />
#** <code>eth0</code> on '''lin1a1'''<br />
#** <code>eth1</code> on '''lin1a1'''<br />
#** <code>eth0</code> on '''lin2a1'''<br />
# Show the output of each of the Assignment 1 test cases (see the next section) in your report.<br />
<br />
== A1 Test Cases: ==<br />
<br />
<ol><br />
<li><p>Using <code>ping 1.1.1.1</code>, <code>ssh root@hostname</code>, and <code>curl http://centos.org</code> show the following use cases:</p><br />
<ol type="a"><li>From '''lin1a1''': prove Internet connectivity of '''lin1a1'''</li><li>From '''lin2a1''': prove '''lin1a1''' acts as a router for '''lin2a1''' and acts as a bridge between '''asg1''' and '''network1''' using the following 3 test cases.</li><br />
<ol><br />
<li>when '''lin1a1''' is shut down '''lin2a1''' no longer has Internet connectivity</li><br />
<li>when '''lin1a1''' is turned on '''lin2a1''' has Internet connectivity</li><br />
<li>use <code>ping</code> and <code>ssh</code> from '''lin2a1''' to connect to '''lin1''' and '''lin2'''</li></ol><br />
<br />
<li>From '''c7host''':</li><br />
<ol><br />
<li><p>use <code>ping</code> and <code>ssh</code> to prove connectivity to '''lin1a1''' and '''lin2a1''' using their IP numbers and their domain names. The domain names for both '''lin1a1''' and '''lin2a1''' should be resolved through '''lin2'''.</p></li><br />
<li><p>use <code>curl</code> to display the home pages of Apache running on '''lin1'''; NGINX running on '''lin1a1''', and Caddy running on '''lin2a1'''. Use both IP and friendly-names methods to demonstrate this: IP addresses of their respective hosts and the domain names of those respective hosts, for example '''yourMySeneca.host.ops'''. and <code>192.168.X.33</code></p></li></ol><br />
</li></ol><br />
<li><p>From Windows, using Internet Exporer or Edge, show home page contents of your website on that host using the webserver installed on that host, example: Apache on '''lin1''', NGINX on '''lin1a1''', and Caddy on '''lin2a1'''. You may have to edit iptables rules on '''c7host''' each time you want to access that particular VM so HTTP requests coming from port <code>80</code> on Windows go directly to that VM.</p></li></ol><br />
<br />
== Submit ==<br />
<br />
Submit the report on Blackboard.</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210_Assignment1&diff=139289SRT210 Assignment12019-06-13T14:13:21Z<p>Mark: /* A1 Test Cases: */</p>
<hr />
<div>= Assignment 1 =<br />
<br />
Due date: 12th of June<br />
*'''(Update: June 13 2019)''': Final version. Added clarity to what will be actually tested during the demo (based on the requirements given) and the details of the project report required [[:File:19b-SRT210_a1.pdf|Download PDF]].<br />
*'''(Update: May 31 2019)''': First draft. Additional edits will only clarify language and improve readability. You may consider these requirements complete for '''Assignment 1 in Summer 2019'''.<br />
*'''(May 7 2019)''': Additional requirements will be added at a later date.<br />
<br />
Late penalties: 10% per day, including weekends and holidays<br />
<br />
== Part 1: Set up and routing (10 marks) ==<br />
<br />
# Complete labs 1 through 4.<br />
# Create a new virtual network named asg1 with subnet 192.168.X where X is the first two digits of your Seneca student number. Do not use DHCP on this network.<br />
# Create a new virtual machine and install CentOS on it as a minimal install. Name this virtual machine lin1a1 but set its hostname to yourmysenecaid.lin1a1.<br />
# Setup lin1a1 to have two network interfaces where both network interfaces are virtio virtual devices. Next, setup one network interface with IP address 192.168.X.32 and to connect to the asg1 network while the other network interface has IP address 192.168.210.22 and it connects to the network1 network.<br />
# Keep in mind in any networked system you can have just one, and only one, default gateway. So configure the default gateway of lin1a1 to be c7host on the 192.168.210 subnet. Confirm lin1a1 can communicate with the Internet and with hosts on network1.<br />
# Create another minimal CentOS VM: name it lin2a1; set its hostname to yourmysenecaid.lin2a1; let it have one network interface and IP 192.168.X.33 (X being the first two digits of your student ID). By default, after the install, this second VM should be able to access machines on the asg1 network but it will not be able to communicate with any hosts on the network1 network.<br />
# Configure lin2a1, the second VM, to be able to access the Internet and the network1 network via lin1a1. You will need to enable IP forwarding and masquerading on the appropriate interface and the appropriate machine for that to happen.<br />
# Configure both VMs (lin1a1 and lin2a1) to be added to your DNS server. able to connect to c7host.yourmysenecaid.ops, lin1.yourmysenecaid.ops, and lin2.yourmysenecaid.ops by their hostnames (don't be tempted to set up another DNS server, use what you already have from your earlier lab)<br />
# Ensure you start your firewall setup on each VM from the default iptables-services rules. You'll lose marks if you don't have a functional firewall on lin1a1 and on lin2a1.<br />
<br />
== Part 2: Multiple WebServer Setup (10 marks) ==<br />
<br />
# (2 Marks) Install NGINX on lin1a1 and Caddy on lin2a2. Confirm that each works locally with thier VM and from c7host. Do the testing of NGINX and Caddy in two stages.<br />
# (3 Marks) From a browser running on c7host confirm connections using IP addresses:<br />
#: * http://192.168.210.11 connects to Apache (from the earlier lab)<br />
#: * http://192.168.210.22 connects to NGINX running on lin1a1<br />
#: * http://192.168.X.33 connects to Caddy running on lin2a1.<br />
# (3 Marks) From a browser running on c7host confirm connections using hostnames:<br />
#: * http://lin1.yourmysenecaid.ops connects to Apache (from the earlier lab)<br />
#: * http://lin1a1.yourmysenecaid.ops connects to NGINX running on lin1a1<br />
#: * http://lin1a2.yourmysenecaid.ops connects to Caddy running on lin2a1.<br />
# (1 Mark) From a browser running on lin2 show you can connect to all 3 webservers using their IP addresses and their hostnames.<br />
# (1 Mark) From a browser running on Windows show you can connect to each of the 3 webservers using the c7host IP address. NOTE: when doing this test, you will want to turn off the other two VMs.<br />
<br />
== Part 3: Report (10 marks) ==<br />
<br />
Write a report where you describe in your own words your learning experience of this assignment. Keep the tone of your writing such that your present self is teaching your future self (who might have forgotten) the learning experience you achieved while doing this assignment. Be sure to include all the major learning points you overcame to make this assignment work as described.<br />
<br />
# The report must be in a PDF format otherwise it will be considered unreadable. The text part of the report can use a Serif or Sans-Serif font (such as Arial or DejaVu Sans) but the configuration file output must be in a fixed-width (such as Courier or MonoType).<br />
# The very FIRST FEW LINES MUST CONTAIN: '''Full Name''', your '''MySeneca username''', and your '''student ID'''.<br />
# The next FEW LINES MUST CONTAIN output from the command line (use a screen shots for doing this) showing:<br />
#* MAC and IP address of <code>eth0</code> on '''lin1a1'''<br />
#* MAC and IP address of <code>eth1</code> on '''lin1a1'''<br />
#* MAC and IP address of <code>eth0</code> on '''lin1a2'''<br />
#* MAC and IP address of <code>eth0</code> on '''lin1:'''<br />
#* MAC and IP address of <code>eth0</code> on '''lin2:'''<br />
# What you had to do to set everything up (most important are the networking, routing, and firewall configurations). Screenshots of the configuration files are acceptable, however, the screenshot must be readable. If the font is too small (less than 12 pt) or the screenshot is blurry, you will lose marks. You may take multiple screenshots of a long configuration file provided they show the previous few lines to show continuation. Ideally, it is best (and probably fastest) to use scp to get the configurations out of the VMs and append them into your report.<br />
# Describe any challenges you ran into and how you solved them.<br />
# Screenshots are required for proof that your setup works. Each screenshot must:<br />
#* Clearly be labelled the test you are proving, for example: Connect to <code>http://lin1a2.yourmysenecaid.ops</code> from '''c7host'''.<br />
#* Cover '''ALL''' of the individual test cases described in '''A1 Test Case''' section below.<br />
#* Show the interaction between '''c7host''' (or '''lin2''') in a readable (12 pt) font.<br />
#* The prompt on the terminal MUST show the logged in user and hostname of the VM so it captures what is happenning where.<br />
#* Use <code>curl</code> and <code>ping</code> to show connections to each server and the web. Pipe the output from <code>curl</code> into <code>head</code> to restrict output to 4 lines maximum.<br />
#* Use <code>cat</code> show contents of <code>/etc/resolv.conf</code> on <code>lin1a1</code> and <code>lin2a1</code>.<br />
#* Use <code>cat</code> to show the contents of <code>/etc/sysconfig/iptables</code> on '''lin1a1''', and '''lin2a1'''. Show all the additional commands you ran on '''c7host''' after it booted up to test connectivity to Apache on '''lin1''', NGINX on '''lin1a1''', and Caddy on '''lin2a1'''.<br />
#* Use cat to show full configuration of these network cards:<br />
#** <code>eth0</code> on '''lin1a1'''<br />
#** <code>eth1</code> on '''lin1a1'''<br />
#** <code>eth0</code> on '''lin2a1'''<br />
# Show the output of each of the Assignment 1 test cases (see the next section) in your report.<br />
<br />
== A1 Test Cases: ==<br />
<br />
<ol><br />
<li><p>Using <code>ping 1.1.1.1</code>, <code>ssh root@hostname</code>, and <code>curl http://centos.org</code> show the following use cases:</p><br />
<ol type="a"><li>From '''lin1a1''': prove Internet connectivity of '''lin1a1'''</li><li>From '''lin2a1''': prove '''lin1a1''' acts as a router for '''lin2a1''' and acts as a bridge between '''asg1''' and '''network1''' using the following 3 test cases.</li><br />
<ol><br />
<li>when '''lin1a1''' is shut down '''lin2a1''' no longer has Internet connectivity</li><br />
<li>when '''lin1a1''' is turned on '''lin2a1''' has Internet connectivity</li><br />
<li>use <code>ping</code> and <code>ssh</code> from '''lin2a1''' to connect to '''lin1''' and *lin2</li></ol><br />
<br />
<li>From '''c7host''':</li><br />
<ol><br />
<li><p>use <code>ping</code> and <code>ssh</code> to prove connectivity to '''lin1a1''' and '''lin2a1''' using their IP numbers and their domain names. The domain names for both '''lin1a1''' and '''lin2a1''' should be resolved through '''lin2'''.</p></li><br />
<li><p>use <code>curl</code> to display the home pages of Apache running on '''lin1'''; NGINX running on '''lin1a1''', and Caddy running on '''lin2a1'''. Use both IP and friendly-names methods to demonstrate this: IP addresses of their respective hosts and the domain names of those respective hosts, for example '''yourMySeneca.host.ops'''. and <code>192.168.X.33</code></p></li></ol><br />
</li></ol><br />
<li><p>From Windows, using Internet Exporer or Edge, show home page contents of your website on that host using the webserver installed on that host, example: Apache on '''lin1''', NGINX on '''lin1a1''', and Caddy on '''lin2a1'''. You may have to edit iptables rules on '''c7host''' each time you want to access that particular VM so HTTP requests coming from port <code>80</code> on Windows go directly to that VM.</p></li></ol><br />
<br />
== Submit ==<br />
<br />
Submit the report on Blackboard.</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=File:19b-SRT210_a1.pdf&diff=139288File:19b-SRT210 a1.pdf2019-06-13T14:01:38Z<p>Mark: </p>
<hr />
<div></div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210_Assignment1&diff=139287SRT210 Assignment12019-06-13T13:59:51Z<p>Mark: /* Assignment 1 */</p>
<hr />
<div>= Assignment 1 =<br />
<br />
Due date: 12th of June<br />
*'''(Update: June 13 2019)''': Final version. Added clarity to what will be actually tested during the demo (based on the requirements given) and the details of the project report required [[:File:19b-SRT210_a1.pdf|Download PDF]].<br />
*'''(Update: May 31 2019)''': First draft. Additional edits will only clarify language and improve readability. You may consider these requirements complete for '''Assignment 1 in Summer 2019'''.<br />
*'''(May 7 2019)''': Additional requirements will be added at a later date.<br />
<br />
Late penalties: 10% per day, including weekends and holidays<br />
<br />
== Part 1: Set up and routing (10 marks) ==<br />
<br />
# Complete labs 1 through 4.<br />
# Create a new virtual network named asg1 with subnet 192.168.X where X is the first two digits of your Seneca student number. Do not use DHCP on this network.<br />
# Create a new virtual machine and install CentOS on it as a minimal install. Name this virtual machine lin1a1 but set its hostname to yourmysenecaid.lin1a1.<br />
# Setup lin1a1 to have two network interfaces where both network interfaces are virtio virtual devices. Next, setup one network interface with IP address 192.168.X.32 and to connect to the asg1 network while the other network interface has IP address 192.168.210.22 and it connects to the network1 network.<br />
# Keep in mind in any networked system you can have just one, and only one, default gateway. So configure the default gateway of lin1a1 to be c7host on the 192.168.210 subnet. Confirm lin1a1 can communicate with the Internet and with hosts on network1.<br />
# Create another minimal CentOS VM: name it lin2a1; set its hostname to yourmysenecaid.lin2a1; let it have one network interface and IP 192.168.X.33 (X being the first two digits of your student ID). By default, after the install, this second VM should be able to access machines on the asg1 network but it will not be able to communicate with any hosts on the network1 network.<br />
# Configure lin2a1, the second VM, to be able to access the Internet and the network1 network via lin1a1. You will need to enable IP forwarding and masquerading on the appropriate interface and the appropriate machine for that to happen.<br />
# Configure both VMs (lin1a1 and lin2a1) to be added to your DNS server. able to connect to c7host.yourmysenecaid.ops, lin1.yourmysenecaid.ops, and lin2.yourmysenecaid.ops by their hostnames (don't be tempted to set up another DNS server, use what you already have from your earlier lab)<br />
# Ensure you start your firewall setup on each VM from the default iptables-services rules. You'll lose marks if you don't have a functional firewall on lin1a1 and on lin2a1.<br />
<br />
== Part 2: Multiple WebServer Setup (10 marks) ==<br />
<br />
# (2 Marks) Install NGINX on lin1a1 and Caddy on lin2a2. Confirm that each works locally with thier VM and from c7host. Do the testing of NGINX and Caddy in two stages.<br />
# (3 Marks) From a browser running on c7host confirm connections using IP addresses:<br />
#: * http://192.168.210.11 connects to Apache (from the earlier lab)<br />
#: * http://192.168.210.22 connects to NGINX running on lin1a1<br />
#: * http://192.168.X.33 connects to Caddy running on lin2a1.<br />
# (3 Marks) From a browser running on c7host confirm connections using hostnames:<br />
#: * http://lin1.yourmysenecaid.ops connects to Apache (from the earlier lab)<br />
#: * http://lin1a1.yourmysenecaid.ops connects to NGINX running on lin1a1<br />
#: * http://lin1a2.yourmysenecaid.ops connects to Caddy running on lin2a1.<br />
# (1 Mark) From a browser running on lin2 show you can connect to all 3 webservers using their IP addresses and their hostnames.<br />
# (1 Mark) From a browser running on Windows show you can connect to each of the 3 webservers using the c7host IP address. NOTE: when doing this test, you will want to turn off the other two VMs.<br />
<br />
== Part 3: Report (10 marks) ==<br />
<br />
Write a report where you describe in your own words your learning experience of this assignment. Keep the tone of your writing such that your present self is teaching your future self (who might have forgotten) the learning experience you achieved while doing this assignment. Be sure to include all the major learning points you overcame to make this assignment work as described.<br />
<br />
# The report must be in a PDF format otherwise it will be considered unreadable. The text part of the report can use a Serif or Sans-Serif font (such as Arial or DejaVu Sans) but the configuration file output must be in a fixed-width (such as Courier or MonoType).<br />
# The very FIRST FEW LINES MUST CONTAIN: '''Full Name''', your '''MySeneca username''', and your '''student ID'''.<br />
# The next FEW LINES MUST CONTAIN output from the command line (use a screen shots for doing this) showing:<br />
#* MAC and IP address of <code>eth0</code> on '''lin1a1'''<br />
#* MAC and IP address of <code>eth1</code> on '''lin1a1'''<br />
#* MAC and IP address of <code>eth0</code> on '''lin1a2'''<br />
#* MAC and IP address of <code>eth0</code> on '''lin1:'''<br />
#* MAC and IP address of <code>eth0</code> on '''lin2:'''<br />
# What you had to do to set everything up (most important are the networking, routing, and firewall configurations). Screenshots of the configuration files are acceptable, however, the screenshot must be readable. If the font is too small (less than 12 pt) or the screenshot is blurry, you will lose marks. You may take multiple screenshots of a long configuration file provided they show the previous few lines to show continuation. Ideally, it is best (and probably fastest) to use scp to get the configurations out of the VMs and append them into your report.<br />
# Describe any challenges you ran into and how you solved them.<br />
# Screenshots are required for proof that your setup works. Each screenshot must:<br />
#* Clearly be labelled the test you are proving, for example: Connect to <code>http://lin1a2.yourmysenecaid.ops</code> from '''c7host'''.<br />
#* Cover '''ALL''' of the individual test cases described in '''A1 Test Case''' section below.<br />
#* Show the interaction between '''c7host''' (or '''lin2''') in a readable (12 pt) font.<br />
#* The prompt on the terminal MUST show the logged in user and hostname of the VM so it captures what is happenning where.<br />
#* Use <code>curl</code> and <code>ping</code> to show connections to each server and the web. Pipe the output from <code>curl</code> into <code>head</code> to restrict output to 4 lines maximum.<br />
#* Use <code>cat</code> show contents of <code>/etc/resolv.conf</code> on <code>lin1a1</code> and <code>lin2a1</code>.<br />
#* Use <code>cat</code> to show the contents of <code>/etc/sysconfig/iptables</code> on '''lin1a1''', and '''lin2a1'''. Show all the additional commands you ran on '''c7host''' after it booted up to test connectivity to Apache on '''lin1''', NGINX on '''lin1a1''', and Caddy on '''lin2a1'''.<br />
#* Use cat to show full configuration of these network cards:<br />
#** <code>eth0</code> on '''lin1a1'''<br />
#** <code>eth1</code> on '''lin1a1'''<br />
#** <code>eth0</code> on '''lin2a1'''<br />
# Show the output of each of the Assignment 1 test cases (see the next section) in your report.<br />
<br />
== A1 Test Cases: ==<br />
<br />
<ol><br />
<li><p>Using <code>ping 1.1.1.1</code>, <code>ssh root@hostname</code>, and <code>curl http://centos.org</code> show the following use cases:</p><br />
<p>a. From '''lin1a1''': prove Internet connectivity of '''lin1a1''' b. From '''lin2a1''': prove '''lin1a1''' acts as a router for '''lin2a1''' and acts as a bridge between '''asg1''' and '''network1''' using the following 3 test cases.</p><br />
<ol><br />
<li>when '''lin1a1''' is shut down '''lin2a1''' no longer has Internet connectivity</li><br />
<li>when '''lin1a1''' is turned on '''lin2a1''' has Internet connectivity</li><br />
<li>use <code>ping</code> and <code>ssh</code> from '''lin2a1''' to connect to '''lin1''' and *lin2</li></ol><br />
<br />
<p>c. From '''c7host''':</p><br />
<ol><br />
<li><p>use <code>ping</code> and <code>ssh</code> to prove connectivity to '''lin1a1''' and '''lin2a1''' using their IP numbers and their domain names. The domain names for both '''lin1a1''' and '''lin2a1''' should be resolved through '''lin2'''.</p></li><br />
<li><p>use <code>curl</code> to display the home pages of Apache running on '''lin1'''; NGINX running on '''lin1a1''', and Caddy running on '''lin2a1'''. Use both IP and friendly-names methods to demonstrate this: IP addresses of their respective hosts and the domain names of those respective hosts, for example '''yourMySeneca.host.ops'''. and <code>192.168.X.33</code></p></li></ol><br />
</li><br />
<li><p>From Windows, using Internet Exporer or Edge, show home page contents of your website on that host using the webserver installed on that host, example: Apache on '''lin1''', NGINX on '''lin1a1''', and Caddy on '''lin2a1'''. You may have to edit iptables rules on '''c7host''' each time you want to access that particular VM so HTTP requests coming from port <code>80</code> on Windows go directly to that VM.</p></li></ol><br />
<br />
== Submit ==<br />
<br />
Submit the report on Blackboard.</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210_Assignment1&diff=139286SRT210 Assignment12019-06-13T13:59:16Z<p>Mark: /* Assignment 1 */</p>
<hr />
<div>= Assignment 1 =<br />
<br />
Due date: 12th of June<br />
*'''(Update: June 13 2019)''': Final version. Added clarity to what will be actually tested during the demo (based on the requirements given) and the details of the project report required [[:File:19b-SRT210_a1.pdf|Download PDF]][[:File:SRT210_a1.pdf|Download PDF]].<br />
*'''(Update: May 31 2019)''': First draft. Additional edits will only clarify language and improve readability. You may consider these requirements complete for '''Assignment 1 in Summer 2019'''.<br />
*'''(May 7 2019)''': Additional requirements will be added at a later date.<br />
<br />
Late penalties: 10% per day, including weekends and holidays<br />
<br />
== Part 1: Set up and routing (10 marks) ==<br />
<br />
# Complete labs 1 through 4.<br />
# Create a new virtual network named asg1 with subnet 192.168.X where X is the first two digits of your Seneca student number. Do not use DHCP on this network.<br />
# Create a new virtual machine and install CentOS on it as a minimal install. Name this virtual machine lin1a1 but set its hostname to yourmysenecaid.lin1a1.<br />
# Setup lin1a1 to have two network interfaces where both network interfaces are virtio virtual devices. Next, setup one network interface with IP address 192.168.X.32 and to connect to the asg1 network while the other network interface has IP address 192.168.210.22 and it connects to the network1 network.<br />
# Keep in mind in any networked system you can have just one, and only one, default gateway. So configure the default gateway of lin1a1 to be c7host on the 192.168.210 subnet. Confirm lin1a1 can communicate with the Internet and with hosts on network1.<br />
# Create another minimal CentOS VM: name it lin2a1; set its hostname to yourmysenecaid.lin2a1; let it have one network interface and IP 192.168.X.33 (X being the first two digits of your student ID). By default, after the install, this second VM should be able to access machines on the asg1 network but it will not be able to communicate with any hosts on the network1 network.<br />
# Configure lin2a1, the second VM, to be able to access the Internet and the network1 network via lin1a1. You will need to enable IP forwarding and masquerading on the appropriate interface and the appropriate machine for that to happen.<br />
# Configure both VMs (lin1a1 and lin2a1) to be added to your DNS server. able to connect to c7host.yourmysenecaid.ops, lin1.yourmysenecaid.ops, and lin2.yourmysenecaid.ops by their hostnames (don't be tempted to set up another DNS server, use what you already have from your earlier lab)<br />
# Ensure you start your firewall setup on each VM from the default iptables-services rules. You'll lose marks if you don't have a functional firewall on lin1a1 and on lin2a1.<br />
<br />
== Part 2: Multiple WebServer Setup (10 marks) ==<br />
<br />
# (2 Marks) Install NGINX on lin1a1 and Caddy on lin2a2. Confirm that each works locally with thier VM and from c7host. Do the testing of NGINX and Caddy in two stages.<br />
# (3 Marks) From a browser running on c7host confirm connections using IP addresses:<br />
#: * http://192.168.210.11 connects to Apache (from the earlier lab)<br />
#: * http://192.168.210.22 connects to NGINX running on lin1a1<br />
#: * http://192.168.X.33 connects to Caddy running on lin2a1.<br />
# (3 Marks) From a browser running on c7host confirm connections using hostnames:<br />
#: * http://lin1.yourmysenecaid.ops connects to Apache (from the earlier lab)<br />
#: * http://lin1a1.yourmysenecaid.ops connects to NGINX running on lin1a1<br />
#: * http://lin1a2.yourmysenecaid.ops connects to Caddy running on lin2a1.<br />
# (1 Mark) From a browser running on lin2 show you can connect to all 3 webservers using their IP addresses and their hostnames.<br />
# (1 Mark) From a browser running on Windows show you can connect to each of the 3 webservers using the c7host IP address. NOTE: when doing this test, you will want to turn off the other two VMs.<br />
<br />
== Part 3: Report (10 marks) ==<br />
<br />
Write a report where you describe in your own words your learning experience of this assignment. Keep the tone of your writing such that your present self is teaching your future self (who might have forgotten) the learning experience you achieved while doing this assignment. Be sure to include all the major learning points you overcame to make this assignment work as described.<br />
<br />
# The report must be in a PDF format otherwise it will be considered unreadable. The text part of the report can use a Serif or Sans-Serif font (such as Arial or DejaVu Sans) but the configuration file output must be in a fixed-width (such as Courier or MonoType).<br />
# The very FIRST FEW LINES MUST CONTAIN: '''Full Name''', your '''MySeneca username''', and your '''student ID'''.<br />
# The next FEW LINES MUST CONTAIN output from the command line (use a screen shots for doing this) showing:<br />
#* MAC and IP address of <code>eth0</code> on '''lin1a1'''<br />
#* MAC and IP address of <code>eth1</code> on '''lin1a1'''<br />
#* MAC and IP address of <code>eth0</code> on '''lin1a2'''<br />
#* MAC and IP address of <code>eth0</code> on '''lin1:'''<br />
#* MAC and IP address of <code>eth0</code> on '''lin2:'''<br />
# What you had to do to set everything up (most important are the networking, routing, and firewall configurations). Screenshots of the configuration files are acceptable, however, the screenshot must be readable. If the font is too small (less than 12 pt) or the screenshot is blurry, you will lose marks. You may take multiple screenshots of a long configuration file provided they show the previous few lines to show continuation. Ideally, it is best (and probably fastest) to use scp to get the configurations out of the VMs and append them into your report.<br />
# Describe any challenges you ran into and how you solved them.<br />
# Screenshots are required for proof that your setup works. Each screenshot must:<br />
#* Clearly be labelled the test you are proving, for example: Connect to <code>http://lin1a2.yourmysenecaid.ops</code> from '''c7host'''.<br />
#* Cover '''ALL''' of the individual test cases described in '''A1 Test Case''' section below.<br />
#* Show the interaction between '''c7host''' (or '''lin2''') in a readable (12 pt) font.<br />
#* The prompt on the terminal MUST show the logged in user and hostname of the VM so it captures what is happenning where.<br />
#* Use <code>curl</code> and <code>ping</code> to show connections to each server and the web. Pipe the output from <code>curl</code> into <code>head</code> to restrict output to 4 lines maximum.<br />
#* Use <code>cat</code> show contents of <code>/etc/resolv.conf</code> on <code>lin1a1</code> and <code>lin2a1</code>.<br />
#* Use <code>cat</code> to show the contents of <code>/etc/sysconfig/iptables</code> on '''lin1a1''', and '''lin2a1'''. Show all the additional commands you ran on '''c7host''' after it booted up to test connectivity to Apache on '''lin1''', NGINX on '''lin1a1''', and Caddy on '''lin2a1'''.<br />
#* Use cat to show full configuration of these network cards:<br />
#** <code>eth0</code> on '''lin1a1'''<br />
#** <code>eth1</code> on '''lin1a1'''<br />
#** <code>eth0</code> on '''lin2a1'''<br />
# Show the output of each of the Assignment 1 test cases (see the next section) in your report.<br />
<br />
== A1 Test Cases: ==<br />
<br />
<ol><br />
<li><p>Using <code>ping 1.1.1.1</code>, <code>ssh root@hostname</code>, and <code>curl http://centos.org</code> show the following use cases:</p><br />
<p>a. From '''lin1a1''': prove Internet connectivity of '''lin1a1''' b. From '''lin2a1''': prove '''lin1a1''' acts as a router for '''lin2a1''' and acts as a bridge between '''asg1''' and '''network1''' using the following 3 test cases.</p><br />
<ol><br />
<li>when '''lin1a1''' is shut down '''lin2a1''' no longer has Internet connectivity</li><br />
<li>when '''lin1a1''' is turned on '''lin2a1''' has Internet connectivity</li><br />
<li>use <code>ping</code> and <code>ssh</code> from '''lin2a1''' to connect to '''lin1''' and *lin2</li></ol><br />
<br />
<p>c. From '''c7host''':</p><br />
<ol><br />
<li><p>use <code>ping</code> and <code>ssh</code> to prove connectivity to '''lin1a1''' and '''lin2a1''' using their IP numbers and their domain names. The domain names for both '''lin1a1''' and '''lin2a1''' should be resolved through '''lin2'''.</p></li><br />
<li><p>use <code>curl</code> to display the home pages of Apache running on '''lin1'''; NGINX running on '''lin1a1''', and Caddy running on '''lin2a1'''. Use both IP and friendly-names methods to demonstrate this: IP addresses of their respective hosts and the domain names of those respective hosts, for example '''yourMySeneca.host.ops'''. and <code>192.168.X.33</code></p></li></ol><br />
</li><br />
<li><p>From Windows, using Internet Exporer or Edge, show home page contents of your website on that host using the webserver installed on that host, example: Apache on '''lin1''', NGINX on '''lin1a1''', and Caddy on '''lin2a1'''. You may have to edit iptables rules on '''c7host''' each time you want to access that particular VM so HTTP requests coming from port <code>80</code> on Windows go directly to that VM.</p></li></ol><br />
<br />
== Submit ==<br />
<br />
Submit the report on Blackboard.</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210_Assignment1&diff=139285SRT210 Assignment12019-06-13T13:58:31Z<p>Mark: /* Assignment 1 */</p>
<hr />
<div>= Assignment 1 =<br />
<br />
Due date: 12th of June<br />
*'''(Update: June 13 2019)''': Final version. Added clarity to what will be actually tested during the demo (based on the requirements given) and the details of the project report required [[:File:19b-SRT210_a1.pdf|Download PDF]].<br />
*'''(Update: May 31 2019)''': First draft. Additional edits will only clarify language and improve readability. You may consider these requirements complete for '''Assignment 1 in Summer 2019'''.<br />
*'''(May 7 2019)''': Additional requirements will be added at a later date.<br />
<br />
Late penalties: 10% per day, including weekends and holidays<br />
<br />
== Part 1: Set up and routing (10 marks) ==<br />
<br />
# Complete labs 1 through 4.<br />
# Create a new virtual network named asg1 with subnet 192.168.X where X is the first two digits of your Seneca student number. Do not use DHCP on this network.<br />
# Create a new virtual machine and install CentOS on it as a minimal install. Name this virtual machine lin1a1 but set its hostname to yourmysenecaid.lin1a1.<br />
# Setup lin1a1 to have two network interfaces where both network interfaces are virtio virtual devices. Next, setup one network interface with IP address 192.168.X.32 and to connect to the asg1 network while the other network interface has IP address 192.168.210.22 and it connects to the network1 network.<br />
# Keep in mind in any networked system you can have just one, and only one, default gateway. So configure the default gateway of lin1a1 to be c7host on the 192.168.210 subnet. Confirm lin1a1 can communicate with the Internet and with hosts on network1.<br />
# Create another minimal CentOS VM: name it lin2a1; set its hostname to yourmysenecaid.lin2a1; let it have one network interface and IP 192.168.X.33 (X being the first two digits of your student ID). By default, after the install, this second VM should be able to access machines on the asg1 network but it will not be able to communicate with any hosts on the network1 network.<br />
# Configure lin2a1, the second VM, to be able to access the Internet and the network1 network via lin1a1. You will need to enable IP forwarding and masquerading on the appropriate interface and the appropriate machine for that to happen.<br />
# Configure both VMs (lin1a1 and lin2a1) to be added to your DNS server. able to connect to c7host.yourmysenecaid.ops, lin1.yourmysenecaid.ops, and lin2.yourmysenecaid.ops by their hostnames (don't be tempted to set up another DNS server, use what you already have from your earlier lab)<br />
# Ensure you start your firewall setup on each VM from the default iptables-services rules. You'll lose marks if you don't have a functional firewall on lin1a1 and on lin2a1.<br />
<br />
== Part 2: Multiple WebServer Setup (10 marks) ==<br />
<br />
# (2 Marks) Install NGINX on lin1a1 and Caddy on lin2a2. Confirm that each works locally with thier VM and from c7host. Do the testing of NGINX and Caddy in two stages.<br />
# (3 Marks) From a browser running on c7host confirm connections using IP addresses:<br />
#: * http://192.168.210.11 connects to Apache (from the earlier lab)<br />
#: * http://192.168.210.22 connects to NGINX running on lin1a1<br />
#: * http://192.168.X.33 connects to Caddy running on lin2a1.<br />
# (3 Marks) From a browser running on c7host confirm connections using hostnames:<br />
#: * http://lin1.yourmysenecaid.ops connects to Apache (from the earlier lab)<br />
#: * http://lin1a1.yourmysenecaid.ops connects to NGINX running on lin1a1<br />
#: * http://lin1a2.yourmysenecaid.ops connects to Caddy running on lin2a1.<br />
# (1 Mark) From a browser running on lin2 show you can connect to all 3 webservers using their IP addresses and their hostnames.<br />
# (1 Mark) From a browser running on Windows show you can connect to each of the 3 webservers using the c7host IP address. NOTE: when doing this test, you will want to turn off the other two VMs.<br />
<br />
== Part 3: Report (10 marks) ==<br />
<br />
Write a report where you describe in your own words your learning experience of this assignment. Keep the tone of your writing such that your present self is teaching your future self (who might have forgotten) the learning experience you achieved while doing this assignment. Be sure to include all the major learning points you overcame to make this assignment work as described.<br />
<br />
# The report must be in a PDF format otherwise it will be considered unreadable. The text part of the report can use a Serif or Sans-Serif font (such as Arial or DejaVu Sans) but the configuration file output must be in a fixed-width (such as Courier or MonoType).<br />
# The very FIRST FEW LINES MUST CONTAIN: '''Full Name''', your '''MySeneca username''', and your '''student ID'''.<br />
# The next FEW LINES MUST CONTAIN output from the command line (use a screen shots for doing this) showing:<br />
#* MAC and IP address of <code>eth0</code> on '''lin1a1'''<br />
#* MAC and IP address of <code>eth1</code> on '''lin1a1'''<br />
#* MAC and IP address of <code>eth0</code> on '''lin1a2'''<br />
#* MAC and IP address of <code>eth0</code> on '''lin1:'''<br />
#* MAC and IP address of <code>eth0</code> on '''lin2:'''<br />
# What you had to do to set everything up (most important are the networking, routing, and firewall configurations). Screenshots of the configuration files are acceptable, however, the screenshot must be readable. If the font is too small (less than 12 pt) or the screenshot is blurry, you will lose marks. You may take multiple screenshots of a long configuration file provided they show the previous few lines to show continuation. Ideally, it is best (and probably fastest) to use scp to get the configurations out of the VMs and append them into your report.<br />
# Describe any challenges you ran into and how you solved them.<br />
# Screenshots are required for proof that your setup works. Each screenshot must:<br />
#* Clearly be labelled the test you are proving, for example: Connect to <code>http://lin1a2.yourmysenecaid.ops</code> from '''c7host'''.<br />
#* Cover '''ALL''' of the individual test cases described in '''A1 Test Case''' section below.<br />
#* Show the interaction between '''c7host''' (or '''lin2''') in a readable (12 pt) font.<br />
#* The prompt on the terminal MUST show the logged in user and hostname of the VM so it captures what is happenning where.<br />
#* Use <code>curl</code> and <code>ping</code> to show connections to each server and the web. Pipe the output from <code>curl</code> into <code>head</code> to restrict output to 4 lines maximum.<br />
#* Use <code>cat</code> show contents of <code>/etc/resolv.conf</code> on <code>lin1a1</code> and <code>lin2a1</code>.<br />
#* Use <code>cat</code> to show the contents of <code>/etc/sysconfig/iptables</code> on '''lin1a1''', and '''lin2a1'''. Show all the additional commands you ran on '''c7host''' after it booted up to test connectivity to Apache on '''lin1''', NGINX on '''lin1a1''', and Caddy on '''lin2a1'''.<br />
#* Use cat to show full configuration of these network cards:<br />
#** <code>eth0</code> on '''lin1a1'''<br />
#** <code>eth1</code> on '''lin1a1'''<br />
#** <code>eth0</code> on '''lin2a1'''<br />
# Show the output of each of the Assignment 1 test cases (see the next section) in your report.<br />
<br />
== A1 Test Cases: ==<br />
<br />
<ol><br />
<li><p>Using <code>ping 1.1.1.1</code>, <code>ssh root@hostname</code>, and <code>curl http://centos.org</code> show the following use cases:</p><br />
<p>a. From '''lin1a1''': prove Internet connectivity of '''lin1a1''' b. From '''lin2a1''': prove '''lin1a1''' acts as a router for '''lin2a1''' and acts as a bridge between '''asg1''' and '''network1''' using the following 3 test cases.</p><br />
<ol><br />
<li>when '''lin1a1''' is shut down '''lin2a1''' no longer has Internet connectivity</li><br />
<li>when '''lin1a1''' is turned on '''lin2a1''' has Internet connectivity</li><br />
<li>use <code>ping</code> and <code>ssh</code> from '''lin2a1''' to connect to '''lin1''' and *lin2</li></ol><br />
<br />
<p>c. From '''c7host''':</p><br />
<ol><br />
<li><p>use <code>ping</code> and <code>ssh</code> to prove connectivity to '''lin1a1''' and '''lin2a1''' using their IP numbers and their domain names. The domain names for both '''lin1a1''' and '''lin2a1''' should be resolved through '''lin2'''.</p></li><br />
<li><p>use <code>curl</code> to display the home pages of Apache running on '''lin1'''; NGINX running on '''lin1a1''', and Caddy running on '''lin2a1'''. Use both IP and friendly-names methods to demonstrate this: IP addresses of their respective hosts and the domain names of those respective hosts, for example '''yourMySeneca.host.ops'''. and <code>192.168.X.33</code></p></li></ol><br />
</li><br />
<li><p>From Windows, using Internet Exporer or Edge, show home page contents of your website on that host using the webserver installed on that host, example: Apache on '''lin1''', NGINX on '''lin1a1''', and Caddy on '''lin2a1'''. You may have to edit iptables rules on '''c7host''' each time you want to access that particular VM so HTTP requests coming from port <code>80</code> on Windows go directly to that VM.</p></li></ol><br />
<br />
== Submit ==<br />
<br />
Submit the report on Blackboard.</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210_Assignment1&diff=139284SRT210 Assignment12019-06-13T13:51:17Z<p>Mark: /* Part 3: Report (10 marks) */</p>
<hr />
<div>= Assignment 1 =<br />
<br />
Due date: 12th of June<br />
<br />
*'''(Update: May 31 2019)''': First draft. Additional edits will only clarify language and improve readability. You may consider these requirements complete for '''Assignment 1 in Summer 2019'''.<br />
*'''(May 7 2019)''': Additional requirements will be added at a later date.<br />
<br />
Late penalties: 10% per day, including weekends and holidays<br />
<br />
== Part 1: Set up and routing (10 marks) ==<br />
<br />
# Complete labs 1 through 4.<br />
# Create a new virtual network named asg1 with subnet 192.168.X where X is the first two digits of your Seneca student number. Do not use DHCP on this network.<br />
# Create a new virtual machine and install CentOS on it as a minimal install. Name this virtual machine lin1a1 but set its hostname to yourmysenecaid.lin1a1.<br />
# Setup lin1a1 to have two network interfaces where both network interfaces are virtio virtual devices. Next, setup one network interface with IP address 192.168.X.32 and to connect to the asg1 network while the other network interface has IP address 192.168.210.22 and it connects to the network1 network.<br />
# Keep in mind in any networked system you can have just one, and only one, default gateway. So configure the default gateway of lin1a1 to be c7host on the 192.168.210 subnet. Confirm lin1a1 can communicate with the Internet and with hosts on network1.<br />
# Create another minimal CentOS VM: name it lin2a1; set its hostname to yourmysenecaid.lin2a1; let it have one network interface and IP 192.168.X.33 (X being the first two digits of your student ID). By default, after the install, this second VM should be able to access machines on the asg1 network but it will not be able to communicate with any hosts on the network1 network.<br />
# Configure lin2a1, the second VM, to be able to access the Internet and the network1 network via lin1a1. You will need to enable IP forwarding and masquerading on the appropriate interface and the appropriate machine for that to happen.<br />
# Configure both VMs (lin1a1 and lin2a1) to be added to your DNS server. able to connect to c7host.yourmysenecaid.ops, lin1.yourmysenecaid.ops, and lin2.yourmysenecaid.ops by their hostnames (don't be tempted to set up another DNS server, use what you already have from your earlier lab)<br />
# Ensure you start your firewall setup on each VM from the default iptables-services rules. You'll lose marks if you don't have a functional firewall on lin1a1 and on lin2a1.<br />
<br />
== Part 2: Multiple WebServer Setup (10 marks) ==<br />
<br />
# (2 Marks) Install NGINX on lin1a1 and Caddy on lin2a2. Confirm that each works locally with thier VM and from c7host. Do the testing of NGINX and Caddy in two stages.<br />
# (3 Marks) From a browser running on c7host confirm connections using IP addresses:<br />
#: * http://192.168.210.11 connects to Apache (from the earlier lab)<br />
#: * http://192.168.210.22 connects to NGINX running on lin1a1<br />
#: * http://192.168.X.33 connects to Caddy running on lin2a1.<br />
# (3 Marks) From a browser running on c7host confirm connections using hostnames:<br />
#: * http://lin1.yourmysenecaid.ops connects to Apache (from the earlier lab)<br />
#: * http://lin1a1.yourmysenecaid.ops connects to NGINX running on lin1a1<br />
#: * http://lin1a2.yourmysenecaid.ops connects to Caddy running on lin2a1.<br />
# (1 Mark) From a browser running on lin2 show you can connect to all 3 webservers using their IP addresses and their hostnames.<br />
# (1 Mark) From a browser running on Windows show you can connect to each of the 3 webservers using the c7host IP address. NOTE: when doing this test, you will want to turn off the other two VMs.<br />
<br />
== Part 3: Report (10 marks) ==<br />
<br />
Write a report where you describe in your own words your learning experience of this assignment. Keep the tone of your writing such that your present self is teaching your future self (who might have forgotten) the learning experience you achieved while doing this assignment. Be sure to include all the major learning points you overcame to make this assignment work as described.<br />
<br />
# The report must be in a PDF format otherwise it will be considered unreadable. The text part of the report can use a Serif or Sans-Serif font (such as Arial or DejaVu Sans) but the configuration file output must be in a fixed-width (such as Courier or MonoType).<br />
# The very FIRST FEW LINES MUST CONTAIN: '''Full Name''', your '''MySeneca username''', and your '''student ID'''.<br />
# The next FEW LINES MUST CONTAIN output from the command line (use a screen shots for doing this) showing:<br />
#* MAC and IP address of <code>eth0</code> on '''lin1a1'''<br />
#* MAC and IP address of <code>eth1</code> on '''lin1a1'''<br />
#* MAC and IP address of <code>eth0</code> on '''lin1a2'''<br />
#* MAC and IP address of <code>eth0</code> on '''lin1:'''<br />
#* MAC and IP address of <code>eth0</code> on '''lin2:'''<br />
# What you had to do to set everything up (most important are the networking, routing, and firewall configurations). Screenshots of the configuration files are acceptable, however, the screenshot must be readable. If the font is too small (less than 12 pt) or the screenshot is blurry, you will lose marks. You may take multiple screenshots of a long configuration file provided they show the previous few lines to show continuation. Ideally, it is best (and probably fastest) to use scp to get the configurations out of the VMs and append them into your report.<br />
# Describe any challenges you ran into and how you solved them.<br />
# Screenshots are required for proof that your setup works. Each screenshot must:<br />
#* Clearly be labelled the test you are proving, for example: Connect to <code>http://lin1a2.yourmysenecaid.ops</code> from '''c7host'''.<br />
#* Cover '''ALL''' of the individual test cases described in '''A1 Test Case''' section below.<br />
#* Show the interaction between '''c7host''' (or '''lin2''') in a readable (12 pt) font.<br />
#* The prompt on the terminal MUST show the logged in user and hostname of the VM so it captures what is happenning where.<br />
#* Use <code>curl</code> and <code>ping</code> to show connections to each server and the web. Pipe the output from <code>curl</code> into <code>head</code> to restrict output to 4 lines maximum.<br />
#* Use <code>cat</code> show contents of <code>/etc/resolv.conf</code> on <code>lin1a1</code> and <code>lin2a1</code>.<br />
#* Use <code>cat</code> to show the contents of <code>/etc/sysconfig/iptables</code> on '''lin1a1''', and '''lin2a1'''. Show all the additional commands you ran on '''c7host''' after it booted up to test connectivity to Apache on '''lin1''', NGINX on '''lin1a1''', and Caddy on '''lin2a1'''.<br />
#* Use cat to show full configuration of these network cards:<br />
#** <code>eth0</code> on '''lin1a1'''<br />
#** <code>eth1</code> on '''lin1a1'''<br />
#** <code>eth0</code> on '''lin2a1'''<br />
# Show the output of each of the Assignment 1 test cases (see the next section) in your report.<br />
<br />
== A1 Test Cases: ==<br />
<br />
<ol><br />
<li><p>Using <code>ping 1.1.1.1</code>, <code>ssh root@hostname</code>, and <code>curl http://centos.org</code> show the following use cases:</p><br />
<p>a. From '''lin1a1''': prove Internet connectivity of '''lin1a1''' b. From '''lin2a1''': prove '''lin1a1''' acts as a router for '''lin2a1''' and acts as a bridge between '''asg1''' and '''network1''' using the following 3 test cases.</p><br />
<ol><br />
<li>when '''lin1a1''' is shut down '''lin2a1''' no longer has Internet connectivity</li><br />
<li>when '''lin1a1''' is turned on '''lin2a1''' has Internet connectivity</li><br />
<li>use <code>ping</code> and <code>ssh</code> from '''lin2a1''' to connect to '''lin1''' and *lin2</li></ol><br />
<br />
<p>c. From '''c7host''':</p><br />
<ol><br />
<li><p>use <code>ping</code> and <code>ssh</code> to prove connectivity to '''lin1a1''' and '''lin2a1''' using their IP numbers and their domain names. The domain names for both '''lin1a1''' and '''lin2a1''' should be resolved through '''lin2'''.</p></li><br />
<li><p>use <code>curl</code> to display the home pages of Apache running on '''lin1'''; NGINX running on '''lin1a1''', and Caddy running on '''lin2a1'''. Use both IP and friendly-names methods to demonstrate this: IP addresses of their respective hosts and the domain names of those respective hosts, for example '''yourMySeneca.host.ops'''. and <code>192.168.X.33</code></p></li></ol><br />
</li><br />
<li><p>From Windows, using Internet Exporer or Edge, show home page contents of your website on that host using the webserver installed on that host, example: Apache on '''lin1''', NGINX on '''lin1a1''', and Caddy on '''lin2a1'''. You may have to edit iptables rules on '''c7host''' each time you want to access that particular VM so HTTP requests coming from port <code>80</code> on Windows go directly to that VM.</p></li></ol><br />
<br />
== Submit ==<br />
<br />
Submit the report on Blackboard.</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210_Weekly_Schedule&diff=139242SRT210 Weekly Schedule2019-06-01T00:21:07Z<p>Mark: </p>
<hr />
<div>= Summer 2019 =<br />
<br />
<br />
<table cellspacing="0" cellpadding="5" width="100%" style="border-top: thin solid black;"><br />
<tr valign="top><br />
<td width="20%" style="border-bottom: thin solid black;font-weight:bold;background-color:#f0f0f5;">Week</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;background-color:#f0f0f5;">Objectives and Tasks</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;background-color:#f0f0f5;">Labs</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;background-color:#f0f0f5;">Other Assessments</td><br />
</tr> <br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 1:'''<br>6 - 10 may</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Course overview</li><br />
<li>Set up host machine for course work (c7host)</li><br />
<li>Offline file access security</li><br />
<li>passwd and shadow files</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_1 | Lab1]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;"></td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 2:'''<br>13 - 17 may</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Set up a nested virtual machine</li><br />
<li>Get familiar with basic networking setup and utilities used on Linux</li><br />
<li>Understand how the IPtables firewall works and use it to make simple rules</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_2 | Lab2]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">Quiz on Lab 1</td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 3:'''<br>20 - 24 may</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Understand how port forwarding works and how it relates to security.</li><br />
<li>Set up port forwarding using iptables.</li><br />
<li>Understand fundamental concepts that make up SELinux.</li><br />
<li>Troubleshoot problems caused by SELinux.</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_3 | Lab3]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">Quiz on Lab 2</td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 4:'''<br>27 - 31 may</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Understand the principles of how DNS works.</li><br />
<li>Set up an authoritative DNS server.</li><br />
<li>Test your DNS server to confirm that it works as expected.</li><br />
<li>Configure an operating system to use a specific DNS server.</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_4 | Lab4]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">Quiz on Lab 3</td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 5:'''<br>3 - 7 jun</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Reverse DNS</li><br />
<li>DNS and security</li><br />
<li style="font-weight:bold">[[SRT210_First_Half_Review | Review of labs to date]]</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_4_Part_2 | Lab4 Part 2]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;"> Quiz on Lab 4</td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 6:'''<br>10 - 14 jun</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">Practical Midterm test</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Assignment1 | Assignment 1]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;"></td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 7:'''<br>17 - 21 jun</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Results of the practical test and late assignments</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;"></td><br />
<td style="border-bottom: thin solid black;"/><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;background-color:#f0f0f5;">'''Study Week:'''<br>24 - 28 jun</td><br />
<td colspan="3" style="border-bottom: thin solid black;background-color:#f0f0f5;">&nbsp;</td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 8:'''<br>1 - 5 jul</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Understand how DHCP works and set up a working server/client.</li><br />
<li>Understand which types of traffic can be captured where, from the point of view of an attacker.</li><br />
<li>Practice capturing traffic, and browsing it using Wireshark.</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_5 | Lab5]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;"></td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 9:'''<br>8 - 12 jul</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Learn some fundamental concepts and terminology used with LDAP.</li><br />
<li>Practice creating users in OpenLDAP.</li><br />
<li>Set up linux machines to authenticate against an OpenLDAP server.</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_6 | Lab6]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">Quiz on Lab 5</td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 10:'''<br>15 - 19 jul</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Understand the basics of public key encryption from a practical point of view.</li><br />
<li>Set up a Certificate Authority.</li><br />
<li>Create certificate+key pairs for servers, signed by your own CA.</li><br />
<li>Set up Apache to serve pages over HTTPS.</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_7 | Lab7]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">Quiz on Lab 6</td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 11:'''<br>22 - 26 jul</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Semi-automated host fingerprint distribution using /etc/skel/</li><br />
<li>Use assymetric encryption (with SSH keys) for password-less SSH authentication.</li><br />
<li>Ditribute SSH public keys manually.</li><br />
<li>Backup using rsync.</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_8 | Lab8]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">Quiz on Lab 7</td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 12:'''<br>jul 29 - 2 aug</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Review and practice for the exam.</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_8 | Lab8]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Assignment2 | Assignment 2]] and Quiz on Lab 8</td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 13:'''<br>5 - 9 aug</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">Practical Final Exam.</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Assignment2 | LATE Assignment 2]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;"></td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;background-color:#f0f0f5;">'''Exam Week:'''<br>12 - 16 aug</td><br />
<td colspan="3" style="border-bottom: thin solid black;background-color:#f0f0f5;">&nbsp;</td><br />
</tr><br />
</table><br />
<br />
<br />
[[Category:SRT210]]</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210_Assignment1&diff=139241SRT210 Assignment12019-05-31T21:05:01Z<p>Mark: /* Assignment 1 */</p>
<hr />
<div>= Assignment 1 =<br />
<br />
Due date: 12th of June<br />
<br />
*'''(Update: May 31 2019)''': First draft. Additional edits will only clarify language and improve readability. You may consider these requirements complete for '''Assignment 1 in Summer 2019'''.<br />
*'''(May 7 2019)''': Additional requirements will be added at a later date.<br />
<br />
Late penalties: 10% per day, including weekends and holidays<br />
<br />
== Part 1: Set up and routing (10 marks) ==<br />
<br />
# Complete labs 1 through 4.<br />
# Create a new virtual network named asg1 with subnet 192.168.X where X is the first two digits of your Seneca student number. Do not use DHCP on this network.<br />
# Create a new virtual machine and install CentOS on it as a minimal install. Name this virtual machine lin1a1 but set its hostname to yourmysenecaid.lin1a1.<br />
# Setup lin1a1 to have two network interfaces where both network interfaces are virtio virtual devices. Next, setup one network interface with IP address 192.168.X.32 and to connect to the asg1 network while the other network interface has IP address 192.168.210.22 and it connects to the network1 network.<br />
# Keep in mind in any networked system you can have just one, and only one, default gateway. So configure the default gateway of lin1a1 to be c7host on the 192.168.210 subnet. Confirm lin1a1 can communicate with the Internet and with hosts on network1.<br />
# Create another minimal CentOS VM: name it lin2a1; set its hostname to yourmysenecaid.lin2a1; let it have one network interface and IP 192.168.X.33 (X being the first two digits of your student ID). By default, after the install, this second VM should be able to access machines on the asg1 network but it will not be able to communicate with any hosts on the network1 network.<br />
# Configure lin2a1, the second VM, to be able to access the Internet and the network1 network via lin1a1. You will need to enable IP forwarding and masquerading on the appropriate interface and the appropriate machine for that to happen.<br />
# Configure both VMs (lin1a1 and lin2a1) to be added to your DNS server. able to connect to c7host.yourmysenecaid.ops, lin1.yourmysenecaid.ops, and lin2.yourmysenecaid.ops by their hostnames (don't be tempted to set up another DNS server, use what you already have from your earlier lab)<br />
# Ensure you start your firewall setup on each VM from the default iptables-services rules. You'll lose marks if you don't have a functional firewall on lin1a1 and on lin2a1.<br />
<br />
== Part 2: Multiple WebServer Setup (10 marks) ==<br />
<br />
# (2 Marks) Install NGINX on lin1a1 and Caddy on lin2a2. Confirm that each works locally with thier VM and from c7host. Do the testing of NGINX and Caddy in two stages.<br />
# (3 Marks) From a browser running on c7host confirm connections using IP addresses:<br />
#: * http://192.168.210.11 connects to Apache (from the earlier lab)<br />
#: * http://192.168.210.22 connects to NGINX running on lin1a1<br />
#: * http://192.168.X.33 connects to Caddy running on lin2a2.<br />
# (3 Marks) From a browser running on c7host confirm connections using hostnames:<br />
#: * http://lin1.yourmysenecaid.ops connects to Apache (from the earlier lab)<br />
#: * http://lin1a1.yourmysenecaid.ops connects to NGINX running on lin1a1<br />
#: * http://lin1a2.yourmysenecaid.ops connects to Caddy running on lin2a2.<br />
# (1 Mark) From a browser running on lin2 show you can connect to all 3 webservers using their IP addresses and their hostnames.<br />
# (1 Mark) From a browser running on Windows show you can connect to each of the 3 webservers using the c7host IP address. NOTE: when doing this test, you will want to turn off the other two VMs.<br />
<br />
== Part 3: Report (10 marks) ==<br />
<br />
Write a report, where you describe (in your own words):<br />
<br />
# The report must be in a PDF format otherwise it will be considered unreadable. The text part of the report can use a Serif or Sans-Serif font (such as Arial or DejaVu Sans) but the configuration file output must be in a fixed-width (such as Courier or MonoType)<br />
# The Very FIRST FEW LINES MUST CONTAIN: Full Name, your MySeneca username, and your student ID.<br />
# What you had to do to set everything up (most important are the networking, routing, and firewall configurations). Screenshots of the configuration files are acceptable, however, the screenshot must be readable. If the font is too small (less than 12 pt) or the screenshot is blurry, you will lose marks. You may take multiple screenshots of a long configuration file provided they show the previous few lines to show continuation. Ideally, it is best (and probably fastest) to use scp to get the configurations out of the VMs and append them into your report.<br />
# Describe any challenges you ran into and how you solved them.<br />
# Screenshots are required for proof that your setup works. Each screenshot must:<br />
#: * Clearly be labelled the test you are proving (for example: Connect to http://lin1a2.yourmysenecaid.ops from c7host).<br />
#: * Show the interaction between c7host (or lin2) in a readable (12 pt) font.<br />
#: * The prompt on the terminal MUST show the logged in user and hostname of the VM.<br />
#: * Use curl to connect to the web server. Pipe the output from curl into another Unix utility and restrict that output to a maximum of 4 lines.<br />
<br />
== Submit ==<br />
<br />
Submit the report on Blackboard.</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210_Assignment1&diff=139240SRT210 Assignment12019-05-31T21:04:23Z<p>Mark: /* Assignment 1 */</p>
<hr />
<div>= Assignment 1 =<br />
<br />
Due date: 12th of June<br />
<br />
*'''(Update: May 31 2019)''': First draft. Additional edits will only clarify language and improve readability. You may consider these requirements complete for '''Assignment 1 in Summer 2019'''.<br />
*'''(Update: May 7 2019)''': Additional requirements will be added at a later date.<br />
<br />
Late penalties: 10% per day, including weekends and holidays<br />
<br />
== Part 1: Set up and routing (10 marks) ==<br />
<br />
# Complete labs 1 through 4.<br />
# Create a new virtual network named asg1 with subnet 192.168.X where X is the first two digits of your Seneca student number. Do not use DHCP on this network.<br />
# Create a new virtual machine and install CentOS on it as a minimal install. Name this virtual machine lin1a1 but set its hostname to yourmysenecaid.lin1a1.<br />
# Setup lin1a1 to have two network interfaces where both network interfaces are virtio virtual devices. Next, setup one network interface with IP address 192.168.X.32 and to connect to the asg1 network while the other network interface has IP address 192.168.210.22 and it connects to the network1 network.<br />
# Keep in mind in any networked system you can have just one, and only one, default gateway. So configure the default gateway of lin1a1 to be c7host on the 192.168.210 subnet. Confirm lin1a1 can communicate with the Internet and with hosts on network1.<br />
# Create another minimal CentOS VM: name it lin2a1; set its hostname to yourmysenecaid.lin2a1; let it have one network interface and IP 192.168.X.33 (X being the first two digits of your student ID). By default, after the install, this second VM should be able to access machines on the asg1 network but it will not be able to communicate with any hosts on the network1 network.<br />
# Configure lin2a1, the second VM, to be able to access the Internet and the network1 network via lin1a1. You will need to enable IP forwarding and masquerading on the appropriate interface and the appropriate machine for that to happen.<br />
# Configure both VMs (lin1a1 and lin2a1) to be added to your DNS server. able to connect to c7host.yourmysenecaid.ops, lin1.yourmysenecaid.ops, and lin2.yourmysenecaid.ops by their hostnames (don't be tempted to set up another DNS server, use what you already have from your earlier lab)<br />
# Ensure you start your firewall setup on each VM from the default iptables-services rules. You'll lose marks if you don't have a functional firewall on lin1a1 and on lin2a1.<br />
<br />
== Part 2: Multiple WebServer Setup (10 marks) ==<br />
<br />
# (2 Marks) Install NGINX on lin1a1 and Caddy on lin2a2. Confirm that each works locally with thier VM and from c7host. Do the testing of NGINX and Caddy in two stages.<br />
# (3 Marks) From a browser running on c7host confirm connections using IP addresses:<br />
#: * http://192.168.210.11 connects to Apache (from the earlier lab)<br />
#: * http://192.168.210.22 connects to NGINX running on lin1a1<br />
#: * http://192.168.X.33 connects to Caddy running on lin2a2.<br />
# (3 Marks) From a browser running on c7host confirm connections using hostnames:<br />
#: * http://lin1.yourmysenecaid.ops connects to Apache (from the earlier lab)<br />
#: * http://lin1a1.yourmysenecaid.ops connects to NGINX running on lin1a1<br />
#: * http://lin1a2.yourmysenecaid.ops connects to Caddy running on lin2a2.<br />
# (1 Mark) From a browser running on lin2 show you can connect to all 3 webservers using their IP addresses and their hostnames.<br />
# (1 Mark) From a browser running on Windows show you can connect to each of the 3 webservers using the c7host IP address. NOTE: when doing this test, you will want to turn off the other two VMs.<br />
<br />
== Part 3: Report (10 marks) ==<br />
<br />
Write a report, where you describe (in your own words):<br />
<br />
# The report must be in a PDF format otherwise it will be considered unreadable. The text part of the report can use a Serif or Sans-Serif font (such as Arial or DejaVu Sans) but the configuration file output must be in a fixed-width (such as Courier or MonoType)<br />
# The Very FIRST FEW LINES MUST CONTAIN: Full Name, your MySeneca username, and your student ID.<br />
# What you had to do to set everything up (most important are the networking, routing, and firewall configurations). Screenshots of the configuration files are acceptable, however, the screenshot must be readable. If the font is too small (less than 12 pt) or the screenshot is blurry, you will lose marks. You may take multiple screenshots of a long configuration file provided they show the previous few lines to show continuation. Ideally, it is best (and probably fastest) to use scp to get the configurations out of the VMs and append them into your report.<br />
# Describe any challenges you ran into and how you solved them.<br />
# Screenshots are required for proof that your setup works. Each screenshot must:<br />
#: * Clearly be labelled the test you are proving (for example: Connect to http://lin1a2.yourmysenecaid.ops from c7host).<br />
#: * Show the interaction between c7host (or lin2) in a readable (12 pt) font.<br />
#: * The prompt on the terminal MUST show the logged in user and hostname of the VM.<br />
#: * Use curl to connect to the web server. Pipe the output from curl into another Unix utility and restrict that output to a maximum of 4 lines.<br />
<br />
== Submit ==<br />
<br />
Submit the report on Blackboard.</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210_Assignment1&diff=139239SRT210 Assignment12019-05-31T20:59:33Z<p>Mark: /* Part 3: Report (10 marks) */</p>
<hr />
<div>= Assignment 1 =<br />
<br />
Due date: 7th of June<br />
'''(Update: May 7 2019): Additional requirements will be added at a later date'''<br />
<br />
Late penalties: 10% per day, including weekends and holidays<br />
<br />
== Part 1: Set up and routing (10 marks) ==<br />
<br />
# Complete labs 1 through 4.<br />
# Create a new virtual network named asg1 with subnet 192.168.X where X is the first two digits of your Seneca student number. Do not use DHCP on this network.<br />
# Create a new virtual machine and install CentOS on it as a minimal install. Name this virtual machine lin1a1 but set its hostname to yourmysenecaid.lin1a1.<br />
# Setup lin1a1 to have two network interfaces where both network interfaces are virtio virtual devices. Next, setup one network interface with IP address 192.168.X.32 and to connect to the asg1 network while the other network interface has IP address 192.168.210.22 and it connects to the network1 network.<br />
# Keep in mind in any networked system you can have just one, and only one, default gateway. So configure the default gateway of lin1a1 to be c7host on the 192.168.210 subnet. Confirm lin1a1 can communicate with the Internet and with hosts on network1.<br />
# Create another minimal CentOS VM: name it lin2a1; set its hostname to yourmysenecaid.lin2a1; let it have one network interface and IP 192.168.X.33 (X being the first two digits of your student ID). By default, after the install, this second VM should be able to access machines on the asg1 network but it will not be able to communicate with any hosts on the network1 network.<br />
# Configure lin2a1, the second VM, to be able to access the Internet and the network1 network via lin1a1. You will need to enable IP forwarding and masquerading on the appropriate interface and the appropriate machine for that to happen.<br />
# Configure both VMs (lin1a1 and lin2a1) to be added to your DNS server. able to connect to c7host.yourmysenecaid.ops, lin1.yourmysenecaid.ops, and lin2.yourmysenecaid.ops by their hostnames (don't be tempted to set up another DNS server, use what you already have from your earlier lab)<br />
# Ensure you start your firewall setup on each VM from the default iptables-services rules. You'll lose marks if you don't have a functional firewall on lin1a1 and on lin2a1.<br />
<br />
== Part 2: Multiple WebServer Setup (10 marks) ==<br />
<br />
# (2 Marks) Install NGINX on lin1a1 and Caddy on lin2a2. Confirm that each works locally with thier VM and from c7host. Do the testing of NGINX and Caddy in two stages.<br />
# (3 Marks) From a browser running on c7host confirm connections using IP addresses:<br />
#: * http://192.168.210.11 connects to Apache (from the earlier lab)<br />
#: * http://192.168.210.22 connects to NGINX running on lin1a1<br />
#: * http://192.168.X.33 connects to Caddy running on lin2a2.<br />
# (3 Marks) From a browser running on c7host confirm connections using hostnames:<br />
#: * http://lin1.yourmysenecaid.ops connects to Apache (from the earlier lab)<br />
#: * http://lin1a1.yourmysenecaid.ops connects to NGINX running on lin1a1<br />
#: * http://lin1a2.yourmysenecaid.ops connects to Caddy running on lin2a2.<br />
# (1 Mark) From a browser running on lin2 show you can connect to all 3 webservers using their IP addresses and their hostnames.<br />
# (1 Mark) From a browser running on Windows show you can connect to each of the 3 webservers using the c7host IP address. NOTE: when doing this test, you will want to turn off the other two VMs.<br />
<br />
== Part 3: Report (10 marks) ==<br />
<br />
Write a report, where you describe (in your own words):<br />
<br />
# The report must be in a PDF format otherwise it will be considered unreadable. The text part of the report can use a Serif or Sans-Serif font (such as Arial or DejaVu Sans) but the configuration file output must be in a fixed-width (such as Courier or MonoType)<br />
# The Very FIRST FEW LINES MUST CONTAIN: Full Name, your MySeneca username, and your student ID.<br />
# What you had to do to set everything up (most important are the networking, routing, and firewall configurations). Screenshots of the configuration files are acceptable, however, the screenshot must be readable. If the font is too small (less than 12 pt) or the screenshot is blurry, you will lose marks. You may take multiple screenshots of a long configuration file provided they show the previous few lines to show continuation. Ideally, it is best (and probably fastest) to use scp to get the configurations out of the VMs and append them into your report.<br />
# Describe any challenges you ran into and how you solved them.<br />
# Screenshots are required for proof that your setup works. Each screenshot must:<br />
#: * Clearly be labelled the test you are proving (for example: Connect to http://lin1a2.yourmysenecaid.ops from c7host).<br />
#: * Show the interaction between c7host (or lin2) in a readable (12 pt) font.<br />
#: * The prompt on the terminal MUST show the logged in user and hostname of the VM.<br />
#: * Use curl to connect to the web server. Pipe the output from curl into another Unix utility and restrict that output to a maximum of 4 lines.<br />
<br />
== Submit ==<br />
<br />
Submit the report on Blackboard.</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210_Assignment1&diff=139238SRT210 Assignment12019-05-31T20:58:18Z<p>Mark: /* Part 3: Report (10 marks) */</p>
<hr />
<div>= Assignment 1 =<br />
<br />
Due date: 7th of June<br />
'''(Update: May 7 2019): Additional requirements will be added at a later date'''<br />
<br />
Late penalties: 10% per day, including weekends and holidays<br />
<br />
== Part 1: Set up and routing (10 marks) ==<br />
<br />
# Complete labs 1 through 4.<br />
# Create a new virtual network named asg1 with subnet 192.168.X where X is the first two digits of your Seneca student number. Do not use DHCP on this network.<br />
# Create a new virtual machine and install CentOS on it as a minimal install. Name this virtual machine lin1a1 but set its hostname to yourmysenecaid.lin1a1.<br />
# Setup lin1a1 to have two network interfaces where both network interfaces are virtio virtual devices. Next, setup one network interface with IP address 192.168.X.32 and to connect to the asg1 network while the other network interface has IP address 192.168.210.22 and it connects to the network1 network.<br />
# Keep in mind in any networked system you can have just one, and only one, default gateway. So configure the default gateway of lin1a1 to be c7host on the 192.168.210 subnet. Confirm lin1a1 can communicate with the Internet and with hosts on network1.<br />
# Create another minimal CentOS VM: name it lin2a1; set its hostname to yourmysenecaid.lin2a1; let it have one network interface and IP 192.168.X.33 (X being the first two digits of your student ID). By default, after the install, this second VM should be able to access machines on the asg1 network but it will not be able to communicate with any hosts on the network1 network.<br />
# Configure lin2a1, the second VM, to be able to access the Internet and the network1 network via lin1a1. You will need to enable IP forwarding and masquerading on the appropriate interface and the appropriate machine for that to happen.<br />
# Configure both VMs (lin1a1 and lin2a1) to be added to your DNS server. able to connect to c7host.yourmysenecaid.ops, lin1.yourmysenecaid.ops, and lin2.yourmysenecaid.ops by their hostnames (don't be tempted to set up another DNS server, use what you already have from your earlier lab)<br />
# Ensure you start your firewall setup on each VM from the default iptables-services rules. You'll lose marks if you don't have a functional firewall on lin1a1 and on lin2a1.<br />
<br />
== Part 2: Multiple WebServer Setup (10 marks) ==<br />
<br />
# (2 Marks) Install NGINX on lin1a1 and Caddy on lin2a2. Confirm that each works locally with thier VM and from c7host. Do the testing of NGINX and Caddy in two stages.<br />
# (3 Marks) From a browser running on c7host confirm connections using IP addresses:<br />
#: * http://192.168.210.11 connects to Apache (from the earlier lab)<br />
#: * http://192.168.210.22 connects to NGINX running on lin1a1<br />
#: * http://192.168.X.33 connects to Caddy running on lin2a2.<br />
# (3 Marks) From a browser running on c7host confirm connections using hostnames:<br />
#: * http://lin1.yourmysenecaid.ops connects to Apache (from the earlier lab)<br />
#: * http://lin1a1.yourmysenecaid.ops connects to NGINX running on lin1a1<br />
#: * http://lin1a2.yourmysenecaid.ops connects to Caddy running on lin2a2.<br />
# (1 Mark) From a browser running on lin2 show you can connect to all 3 webservers using their IP addresses and their hostnames.<br />
# (1 Mark) From a browser running on Windows show you can connect to each of the 3 webservers using the c7host IP address. NOTE: when doing this test, you will want to turn off the other two VMs.<br />
<br />
== Part 3: Report (10 marks) ==<br />
<br />
Write a report, where you describe (in your own words):<br />
<br />
# The report must be in a PDF format otherwise it will be considered unreadable. The text part of the report can use a Serif or Sans-Serif font (such as Arial or DejaVu Sans) but the configuration file output must be in a fixed-width (such as Courier or MonoType)<br />
# The Very FIRST FEW LINES MUST CONTAIN: Full Name, your MySeneca username, and your student ID.<br />
# What you had to do to set everything up (most important are the networking, routing, and firewall configurations). Screenshots of the configuration files are acceptable, however, the screenshot must be readable. If the font is too small (less than 12 pt) or the screenshot is blurry, you will lose marks. You may take multiple screenshots of a long configuration file provided they show the previous few lines to show continuation. Ideally, it is best (and probably fastest) to use scp to get the configurations out of the VMs and append them into your report.<br />
# Describe any challenges you ran into and how you solved them.<br />
# Screenshots are required for this part of the report. Each screenshot must:<br />
#: * Clearly be labelled the test you are proving (for example: Connect to http://lin1a2.yourmysenecaid.ops from c7host).<br />
#: * Show the interaction between c7host (or lin2) in a readable (12 pt) font.<br />
#: * The prompt on the terminal MUST show the logged in user and hostname of the VM.<br />
#: * Use curl to connect to the web server. Pipe the output from curl into another Unix utility and restrict that output to a maximum of 4 lines.<br />
<br />
== Submit ==<br />
<br />
Submit the report on Blackboard.</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210_Assignment1&diff=139237SRT210 Assignment12019-05-31T20:55:12Z<p>Mark: /* Part 2: Multiple WebServer Setup (10 marks) */</p>
<hr />
<div>= Assignment 1 =<br />
<br />
Due date: 7th of June<br />
'''(Update: May 7 2019): Additional requirements will be added at a later date'''<br />
<br />
Late penalties: 10% per day, including weekends and holidays<br />
<br />
== Part 1: Set up and routing (10 marks) ==<br />
<br />
# Complete labs 1 through 4.<br />
# Create a new virtual network named asg1 with subnet 192.168.X where X is the first two digits of your Seneca student number. Do not use DHCP on this network.<br />
# Create a new virtual machine and install CentOS on it as a minimal install. Name this virtual machine lin1a1 but set its hostname to yourmysenecaid.lin1a1.<br />
# Setup lin1a1 to have two network interfaces where both network interfaces are virtio virtual devices. Next, setup one network interface with IP address 192.168.X.32 and to connect to the asg1 network while the other network interface has IP address 192.168.210.22 and it connects to the network1 network.<br />
# Keep in mind in any networked system you can have just one, and only one, default gateway. So configure the default gateway of lin1a1 to be c7host on the 192.168.210 subnet. Confirm lin1a1 can communicate with the Internet and with hosts on network1.<br />
# Create another minimal CentOS VM: name it lin2a1; set its hostname to yourmysenecaid.lin2a1; let it have one network interface and IP 192.168.X.33 (X being the first two digits of your student ID). By default, after the install, this second VM should be able to access machines on the asg1 network but it will not be able to communicate with any hosts on the network1 network.<br />
# Configure lin2a1, the second VM, to be able to access the Internet and the network1 network via lin1a1. You will need to enable IP forwarding and masquerading on the appropriate interface and the appropriate machine for that to happen.<br />
# Configure both VMs (lin1a1 and lin2a1) to be added to your DNS server. able to connect to c7host.yourmysenecaid.ops, lin1.yourmysenecaid.ops, and lin2.yourmysenecaid.ops by their hostnames (don't be tempted to set up another DNS server, use what you already have from your earlier lab)<br />
# Ensure you start your firewall setup on each VM from the default iptables-services rules. You'll lose marks if you don't have a functional firewall on lin1a1 and on lin2a1.<br />
<br />
== Part 2: Multiple WebServer Setup (10 marks) ==<br />
<br />
# (2 Marks) Install NGINX on lin1a1 and Caddy on lin2a2. Confirm that each works locally with thier VM and from c7host. Do the testing of NGINX and Caddy in two stages.<br />
# (3 Marks) From a browser running on c7host confirm connections using IP addresses:<br />
#: * http://192.168.210.11 connects to Apache (from the earlier lab)<br />
#: * http://192.168.210.22 connects to NGINX running on lin1a1<br />
#: * http://192.168.X.33 connects to Caddy running on lin2a2.<br />
# (3 Marks) From a browser running on c7host confirm connections using hostnames:<br />
#: * http://lin1.yourmysenecaid.ops connects to Apache (from the earlier lab)<br />
#: * http://lin1a1.yourmysenecaid.ops connects to NGINX running on lin1a1<br />
#: * http://lin1a2.yourmysenecaid.ops connects to Caddy running on lin2a2.<br />
# (1 Mark) From a browser running on lin2 show you can connect to all 3 webservers using their IP addresses and their hostnames.<br />
# (1 Mark) From a browser running on Windows show you can connect to each of the 3 webservers using the c7host IP address. NOTE: when doing this test, you will want to turn off the other two VMs.<br />
<br />
== Part 3: Report (10 marks) ==<br />
<br />
Write a report, where you describe (in your own words):<br />
* What you were trying to accomplish.<br />
* What you had to do to set everything up (most important are the networking, routing, and firewall configurations).<br />
* Describe how the tool you chose for Part 2 works, how you used it, and why it gave you the results that it gave you.<br />
* Describe at least two ways to make brute-force SSH attacks less likely to be successful.<br />
* Describe any challenges you ran into and how you solved them.<br />
<br />
Screenshots might be helpful but are not required for the report. The report should be at least two pages long, not including screenshots, titles, and other fluff.<br />
<br />
== Submit ==<br />
<br />
Submit the report on Blackboard.</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210_Assignment1&diff=139236SRT210 Assignment12019-05-31T20:49:31Z<p>Mark: /* Part 1: Set up and routing (10 marks) */</p>
<hr />
<div>= Assignment 1 =<br />
<br />
Due date: 7th of June<br />
'''(Update: May 7 2019): Additional requirements will be added at a later date'''<br />
<br />
Late penalties: 10% per day, including weekends and holidays<br />
<br />
== Part 1: Set up and routing (10 marks) ==<br />
<br />
# Complete labs 1 through 4.<br />
# Create a new virtual network named asg1 with subnet 192.168.X where X is the first two digits of your Seneca student number. Do not use DHCP on this network.<br />
# Create a new virtual machine and install CentOS on it as a minimal install. Name this virtual machine lin1a1 but set its hostname to yourmysenecaid.lin1a1.<br />
# Setup lin1a1 to have two network interfaces where both network interfaces are virtio virtual devices. Next, setup one network interface with IP address 192.168.X.32 and to connect to the asg1 network while the other network interface has IP address 192.168.210.22 and it connects to the network1 network.<br />
# Keep in mind in any networked system you can have just one, and only one, default gateway. So configure the default gateway of lin1a1 to be c7host on the 192.168.210 subnet. Confirm lin1a1 can communicate with the Internet and with hosts on network1.<br />
# Create another minimal CentOS VM: name it lin2a1; set its hostname to yourmysenecaid.lin2a1; let it have one network interface and IP 192.168.X.33 (X being the first two digits of your student ID). By default, after the install, this second VM should be able to access machines on the asg1 network but it will not be able to communicate with any hosts on the network1 network.<br />
# Configure lin2a1, the second VM, to be able to access the Internet and the network1 network via lin1a1. You will need to enable IP forwarding and masquerading on the appropriate interface and the appropriate machine for that to happen.<br />
# Configure both VMs (lin1a1 and lin2a1) to be added to your DNS server. able to connect to c7host.yourmysenecaid.ops, lin1.yourmysenecaid.ops, and lin2.yourmysenecaid.ops by their hostnames (don't be tempted to set up another DNS server, use what you already have from your earlier lab)<br />
# Ensure you start your firewall setup on each VM from the default iptables-services rules. You'll lose marks if you don't have a functional firewall on lin1a1 and on lin2a1.<br />
<br />
== Part 2: SSH brute-force attack (10 marks) ==<br />
<br />
# Create at least 5 users on lin2, give some of them simple/common names (like "john") and simple or relatively-simple passwords. If you have a complex root password - you might want to change that to something simpler too.<br />
# Find some software to perform a brute-force SSH login attack on lin2 from lin2a2.<br />
# Run the attack. Record how long it took, and what the results were. If it fails to find usable credentials for you - make sure you have an explanation for why that was.<br />
<br />
== Part 3: Report (10 marks) ==<br />
<br />
Write a report, where you describe (in your own words):<br />
* What you were trying to accomplish.<br />
* What you had to do to set everything up (most important are the networking, routing, and firewall configurations).<br />
* Describe how the tool you chose for Part 2 works, how you used it, and why it gave you the results that it gave you.<br />
* Describe at least two ways to make brute-force SSH attacks less likely to be successful.<br />
* Describe any challenges you ran into and how you solved them.<br />
<br />
Screenshots might be helpful but are not required for the report. The report should be at least two pages long, not including screenshots, titles, and other fluff.<br />
<br />
== Submit ==<br />
<br />
Submit the report on Blackboard.</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210_Lab_3&diff=139231SRT210 Lab 32019-05-28T23:17:18Z<p>Mark: /* PART 2: NAT */</p>
<hr />
<div>= Objectives =<br />
<br />
* Understand how port forwarding works and how it relates to security.<br />
* Set up port forwarding using iptables.<br />
* Understand fundamental concepts that make up SELinux.<br />
* Troubleshoot problems caused by SELinux.<br />
<br />
= PART 1: FIX IPTABLES MISTAKES =<br />
<br />
Most of you will have experimented with iptables last week and have made mistakes, which should be fixed before you start this week's lab. Here are some tips:<br />
<br />
* You should start with the default iptables setup which you got when you installed iptables-services. If you've lost that - you can get it back by by putting the default values into /etc/sysconfig/iptables:<br />
<source># cat /etc/sysconfig/iptables<br />
# sample configuration for iptables service<br />
# you can edit this manually or use system-config-firewall<br />
# please do not ask us to add additional ports/services to this default configuration<br />
*filter<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT<br />
-A INPUT -j REJECT --reject-with icmp-host-prohibited<br />
-A FORWARD -j REJECT --reject-with icmp-host-prohibited<br />
COMMIT</source><br />
* Then re-add the rules you created last week, and make them persistent by running <code>service iptables save</code><br />
<br />
= PART 2: NAT =<br />
<br />
[https://www.systutorials.com/816/port-forwarding-using-iptables/ This website] has a decent overview of port forwarding. <br />
<br />
* We'll set up your lin1 machine to be a web server accessible from the internet (in our case specifically that means accessible from the Seneca network).<br />
* Create a text file on lin1 named index.html in the /var/www/html directory with the following contents (replace Andrew with your name):<br />
<source>Hello, this is Andrew's web server on lin1.</source><br />
* Feel free to add as much HTML in there as you like.<br />
* Confirm that:<br />
** Apache on lin1 is running, and accessible from lin1.<br />
** It's accessible from c7host<br />
* Notice that if you try to access 192.168.210.11 from outside your vmware environment - there will not be a route to get to it.<br />
* Try to go to the Seneca IP address of your c7host using a web browser on your VMware host (Windows for lab machines). That should also not work but at least you should have a route to it.<br />
** Note that if you're using a laptop on wireless - you probably have your c7host network adapter set to NAT instead of bridged mode. If that's the case - you might need to modify some steps from this lab.<br />
* Now we'll configure port forwarding so that any requests to TCP port 80 arriving at c7host will be forwarded to lin1:<br />
<br />
<source># any inbound HTTP requests on ens33 are for Apache (running in linX)<br />
iptables -A PREROUTING -t nat -i ens33 -p tcp --dport 80 -j DNAT --to 192.168.210.11:80<br />
<br />
# any outbound HTTP requests on ens33 (originating from linX) are returned to same linX<br />
iptables -A POSTROUTING -t nat -o ens33 -p tcp -s 192.168.210.11 --sport 80 -j SNAT --to 192.168.210.11<br />
<br />
# let c7host forward packets otherwise they won't reach linX <br />
iptables -I FORWARD -p tcp -d 192.168.210.11 --dport 80 -j ACCEPT</source><br />
<br />
* Don't just run those commands blindly - understand what they do. You can read more detail on the above rule set from [https://wiki.archlinux.org/index.php/Simple_stateful_firewall this website]<br />
* Try accessing your c7host from a web browser again. You should see the web page from your lin1 web server.<br />
<br />
== NAT as a security tool ==<br />
<br />
Note that there is plenty of nonsense on the internet, and lots of Google results will tell you that NAT is absolutely definitely not supposed to be used for securing systems online. Use your own brain to make your own decisions. I encourage you to ignore loud proclamations of fact that are missing any specific technical explanation and real-world examples.<br />
<br />
A machine on a private subnet is not addressable from the internet. So out of the box you don't need to worry about port scans, brute force attacks, and services that were running by default that you didn't know about or didn't pay attention to.<br />
<br />
In order to allow access to a machine on a private subnet you have to make a whitelist on the router, with every explicit service that's supposed to be accessible on your internal machine. All things being equal - a whitelist provides a greater level of security than a blacklist.<br />
<br />
And at the end of the day if you screw up the setup of your router: the worst thing that will happen is that your internal service will be inaccessible. From a security point of view that is much better than a screwup with a firewall which can make ''every system and service'' accessible to ''everyone on the internet''.<br />
<br />
= SELINUX BASICS =<br />
<br />
SELinux is a ridiculously complex topic. Very few people understand it fully, and you're not expected to either. But you need at least to have a grasp of the basics and be able to debug an SELinux-related problem when it's manifest.<br />
<br />
We'll use an example as an exercise to help us learn the basic concepts. The example is based on the better illustrated "SELinux Practical Examples" section from [https://www.computernetworkingnotes.com/rhce-study-guide/selinux-explained-with-examples-in-easy-language.html ComputerNetworkingNotes].<br />
<br />
* You should already have Apache running on lin1, and serving your custom index.html file.<br />
* If you run <code>ls -al /var/www/html</code> you'll find that only root has write access to that directory. Let's change that so it's more realistic.<br />
* Use the chown command to change the ownership of the /var/www/html directory and its contents from root/root to youruser/yourgroup.<br />
* Switch to your regular user in the terminal and go to your home directory.<br />
* Create a file named copytest.html and another called movetest.html with some text inside.<br />
* Run <code>ls -lZ</code> and save the output somewhere (you can write it down in your labbook for example).<br />
* Copy copytest.html to /var/www/html and move movetest.html to the same directory.<br />
* Try to access each file from a web browser. You should be able to access one but not the other.<br />
* Check the web server error log (/var/log/httpd/error_log) - it should tell you there's a problem with permissions.<br />
* Check your permisions with <code>ls -l</code>, they should apear to allow acces for everyone to read movetest.html<br />
** This is a good bit of learning to absorb. When there's a permission denied error that makes no sense - it's quite likely that SELinux is at fault.<br />
* Look for "movetest.html" in the SELinux log /var/log/audit/audit.log<br />
* You should find a line in there with the word "denied" in it. Instead of giving yourself a headache trying to descipher that log line, go and check the SELinux context on the files involved:<br />
** Run <code>ls -lZ</code> on /var/www/html and compare the output to the one you saved earlier.<br />
* The problem is the security context of the movetest.html file. Fix it using the chcon command (read [https://www.computernetworkingnotes.com/rhce-study-guide/selinux-explained-with-examples-in-easy-language.html the tutorial]).<br />
<br />
= PART 3: YOUR TASKS =<br />
<br />
Use what you learned so far and what you can learn online in order to set up the following:<br />
<br />
# Fix any problems with your firewall from last week.<br />
# Set up access to lin1's Apache from the Seneca network, and test it. Ideally test it with other students' help.<br />
# Set up lin2 (192.168.210.12) the same way you set up lin1. Make sure you have the firewall and networking tools installed, but you don't need Apache on it.<br />
# Set up IPTables on c7host to forward SSH requests to port 2221 to go to the SSH server on lin1, and port 2222 to go to the ssh server on lin2.<br />
# Complete the exercise in the SELinux section of the lab.<br />
<br />
= Lab completion =<br />
<br />
* Make sure you understand what you've done in this lab, so that you're ready to answer questions about it.<br />
* Have notes in your labbook from this lab.<br />
* Show your work to the professor and have them sign your labbook.</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210_Lab_2&diff=139211SRT210 Lab 22019-05-23T23:06:53Z<p>Mark: /* IPtables overview */</p>
<hr />
<div>= Objectives =<br />
<br />
* Set up a nested virtual machine<br />
* Get familiar with basic networking setup and utilities used on Linux<br />
* Understand how the IPtables firewall works and use it to make simple rules<br />
<br />
= PART 1: NESTED VIRTUAL MACHINE =<br />
<br />
Since we're forced to use a Windows machine as the main VM host, we're going to have to set up nested virtualisation. Luckily that's not too difficult.<br />
<br />
* Change the settings for your c7host to have at least 4GB of RAM, and enable "Virtual Intel VT-X/EPT or AMD-V/RVI" under VM/Settings/Processors.<br />
* Install the following packages: qemu-kvm qemu-img virt-manager libvirt libvirt-python libvirt-client virt-install virt-viewer bridge-utils<br />
* Make sure (using <code>systemctl enable</code>) that the libvirtd service starts at boot.<br />
* Those will include both the KVM hypervisor and Virt Manager, which is a graphical tool used to administer it.<br />
* Create a new virtual machine with the following settings:<br />
** Will be installed from the network: https://mirror.senecacollege.ca/centos/7/os/x86_64/ or http://mirror.netflash.net/centos/7/os/x86_64/<br />
** 2GB of RAM<br />
** 10GB of disk<br />
** NAT for networking<br />
** hostname lin1<br />
** Minimal install<br />
<br />
After you're done - you'll have a command-line-only CentOS machine (lin1) running inside a graphical CentOS desktop (c7host).<br />
<br />
= PART 2: BASIC NETWORKING =<br />
<br />
== Simple commands ==<br />
<br />
Use these commands to check the curent network settings on lin1:<br />
<br />
* ip link (show interfaces)<br />
* ip address (the MAC address, IP address, and subnet mask for every interface)<br />
* ip route (the routing table)<br />
* cat /etc/resolv.conf (the DNS server you're configured to query)<br />
* arp -n (the ARP table)<br />
<br />
Note if you're missing a command - you can figure out what package contains in by using <code>yum whatprovides</code><br />
<br />
== New virtual network ==<br />
<br />
By default a KVM setup has a NAT network with a DHCP server. That works nicely out of the box but won't work for us because we'll need to configure network settings manually.<br />
<br />
# Power off lin1<br />
# In the '''Connection Details''' dialog box, select the '''Virtual Networks''' tab<br />
# Click to <u>de-select</u> the '''Autostart (on boot)''' check-box options and click the '''Apply''' button.<br />
# Stop the default network by clicking on the '''stop''' button at the bottom left-side of the dialog box.<br />
# Click the '''add''' button to add a new network configuration.<br />
# Leave the default network name '''network1'''.<br />
# In the next screen, enter the '''new network IP address space''' called: '''192.168.210.0/24'''<br />
# Disable '''DHCPv4'''<br />
# Enable Network Forwarding by Selecting '''Forwarding to physical network''', the destination should be '''Any physical device''' and the mode should be '''NAT'''<br />
<br />
== Network settings on lin1 ==<br />
<br />
* Now if you try to start lin1 - it will tell you that the network "default" is unavailable. Go into the lin1 VM settings and configure the NIC to use "network1" instead.<br />
* After starting the VM you'll find that your network interface is not configured (try all the commands above again to see their output).<br />
* Configure your wired interface by editing the file as described in the steps below.<br />
* Change to the '''/etc/sysconfig/network-scripts''' directory.<br />
* List the contents of this directory. You should see 2 different types of files, network config scripts and network configuration files.<br />
* Look for the configuration file for your interface. It should have the name of the interface in the filename and the interface's MAC address in its contents.<br />
* Edit that file and give it the following settings:<br />
::DEVICE=eth0<br />
::IPADDR=192.168.210.11<br />
::NETMASK=255.255.255.0<br />
::GATEWAY=192.168.210.1<br />
::HWADDR=xx:xx:xx:xx:xx:xx '''# Make sure it's the right MAC address<br />
::DNS1=192.168.210.1 <br />
::BOOTPROTO=static<br />
::ONBOOT=yes<br />
::NM_CONTROLLED=yes<br />
::IPV6INIT=no<br />
* Ask yourself where did the IP address 192.168.210.1 come from and why it's your default gateway and DNS server.<br />
<br />
= PART 2: IPTABLES =<br />
<br />
CentOS comes with firewalld installed by default. We will not be using that, instead we'll do all our firewall work with iptables. Therefore we'll need to uninstall firewalld and install iptables management tools:<br />
<br />
* Use systemctl to stop firewalld and disable it from starting on boot.<br />
* Use yum to uninstall firewalld and install iptables-services<br />
* Use systemctl to start the iptables service and configure it to be started on boot.<br />
* Run <code>iptables -L</code>. We will be learning how to read that mess in the next section.<br />
<br />
IPtables is a complex system, and there's a lot of material this week to cover it. Keep in mind as you're going through the lab that you're trying to learn three things:<br />
<br />
* '''How iptables works'''<br />
* '''How to understand the current state of the firewall'''<br />
* '''How to make useful changes to the firewall'''<br />
<br />
== IPtables overview ==<br />
<br />
We will use an example of setting up a firewall on a web server.<br />
<br />
[[Image:iptables.png]]<br />
<br />
'''There are some important things to be aware of in terms of this diagram:'''<br />
<br />
:*There are '''<u>two sets</u> of IPtables rules (chains) that apply:''' '''OUTPUT/INPUT on the client''' and '''INPUT/OUTPUT on the server'''.<br>It is important to think about trafic from the perspective from the client as well as the server.<br />
<br />
:* '''Outbound traffic is rarely blocked <u>unless</u> there is a security policy to <u>prevent</u> some kind of traffic'''.<br>Even in that case, that security policy is usually performed on a router.<br />
<br />
:* '''Inbound traffic is of two distinct types'''. Our diagram shows:<br />
::# '''New incoming <u>connections</u>''' (what you normally think of as '''<u>inbound traffic</u>'''): the web server receives a '''new incoming connection'''.<br />
::# '''Incoming <u>data</u> that client receives as a response from the server''': the web page that the server sent back in the diagram above.<br />
<br />
::::The analogy would be like making a '''telephone call''':<ul><li>A '''NEW''' packet is like the phone ringing</li><li>An '''ESTABLISHED''' packet is the connection and the packet says "hello", along with any further communication.</li><li>A '''RELATED''' packet would be the same person calling on a second line. (eg. a second connection that is made because of something that happened in the first, like an ftp transfer).</li></ul><br />
<br />
::::We normally don't want to do anything special for the response. It is safe to assume that '''a connection that was allowed to be established should be allowed to receive a response'''. This is accomplished with the following '''INPUT chain rule''' that should be there by default on your machines:<br><br />
::::<pre>ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED</pre><br />
<br />
:* '''Rules are applied to:''' '''chains''' (e.g. ''input/output'') and contain information regarding the type of traffic they apply to. For example, '''protocols''' such as ''tcp/udp/icmp'', '''port numbers''' such as ''22 (SSH), 80 (HTTP), 443 (HTTPS)'', '''addresses''', and many other things.<br />
<br />
::Let's look at how these rules would apply to a simple web connection (HTTP - port 80):<br />
::# For the ''request'' (originating from browser on local machine), the '''source port (sport) for the example in the above diagram is 40112 (browser on local machine)''' and the '''destination port (dport) is 80 (webserver on remote machine)'''<br />
::# For the ''response'' (originating from server on remote machine), the '''source port (sport) is 80 (webserver on remote machine)''' and the '''destination port (dport) is 40112 (browser on local machine)'''<br />
::# Since the '''RELATED,ESTABLISHED''' rule already exists, we are only concerned about <u>'''controlling'''</u> the '''incoming traffic on the server''', which in our example, the '''chain is: INPUT''', the '''protocol is: tcp''', and the '''destination is: port 80'''.<br />
<br />
:* Most other services work in a similar way as discussed above.<br />
<br />
== Adding a rule ==<br />
<br />
'''<source>iptables -I OUTPUT -p tcp -s0/0 -d 0/0 --dport 80 -j DROP</source>'''<br />
<br />
Can be read like this: ''Insert a rule into the iptables OUTPUT chain that will match any tcp packet, with any a source address, any destination address, and a deistination port of 80. Any packet that matches will be dropped.''<br />
<br />
<br />
'''Let's break down the <u>command displayed above</u> to see how it works:'''<br />
<br />
<br />
<br />
{|cellpadding="15" width="60%"<br />
|- valign="top"<br />
| | <span style="font-family:courier; font-weight:bold">-I</span><br />
| | tells iptables to INSERT this line into the OUTPUT policy. This means it will be the first line in the policy. If we used a <span style="font-family:courier; font-weight:bold">-A</span> switch it would have appended the line and it would be the last line of the policy. If you are writing complex iptables rules where multiple matches can occur, it is important that the lines go in the right order. If you follow the -I with a number, the new rule will be inserted at that location in the chain (for example, <code>-I 3 OUTPUT</code> will insert the rule into the 3rd position in the OUTPUT chain, moving the existing rules down as necessary (the old rule #3 will become the new rule #4, for example)<br />
|- valign="top"<br />
|width="75" | '''-p tcp'''<br />
| | tells iptables to only match TCP packets. Alternately, the protocol could be set to '''udp''', '''icmp''', or '''all'''<br />
|- valign="top"<br />
| |'''-s0/0'''<br />
| |specifies the source IP address. 0/0 means a source address of “anywhere.” this has been put into the lab because your ip address will change because it is dynamically assigned. You can change this value if you want to the IP address that has been specifically assigned to your PC<br />
|- valign="top"<br />
| |'''-d0/0'''<br />
| |specifies the destination address. It makes sense that this address is set to “anywhere” because if we want to block all requests to the WWW, we will never know the specific IP address of web server that is trying to be accessed<br />
|- valign="top"<br />
| |'''--dport 80'''<br />
| |tells iptables to look at the destination port in the packet and see if it is equal to 80. Alternately, you can filter based on source addresses using the <code>--sport</code> switch<br />
|- valign="top"<br />
| |'''-j'''<br />
| |means when condition is met, then jump to a particular target – Basic targets are '''ACCEPT''', '''DROP''', '''REJECT''', and '''LOG'''. The available targets depend on which table contains the chain<br />
|- valign="top"<br />
| |'''DROP''' <br />
| |means drop the packet – make it disappear - and do not continue processing rules. '''REJECT''' is similar, but causes an error packet to be sent back to the source host. '''ACCEPT''' causes the packet to be processed. '''LOG''' causes an entry to be made in the system logs showing that the packet was processed. Note that the LOG target is the only one that does not stop rule-checking in the chain - so you can log a packet with one rule, and then use a later rule in the chain to DROP, REJECT, or ACCEPT it<br />
|}<br />
<br />
To play with this:<br />
* Install the Apache web server on lin1 (the package is called httpd).<br />
* Enable and start that service.<br />
* Install elinks (a command-line web browser) and see if you can connect to http://localhost (it should work by default).<br />
* Using Firefox on c7host, check whether you can view the same webpage in lin1 (by default you wont).<br />
* Next, check the iptables rules in lin1 and try to figure out why Firefox could not connect from c7host by reading the output of <code>iptables -L</code> on lin1 carefully looking for clues whether lin1 is letting inbound http traffic (TCP port 80) through.<br />
* If the output of <code>iptables -L</code> on lin1 isn't letting HTTP traffic through, which by default it does not, add a rule to the iptables in lin1 to allow inbound traffic to pass through to Apache (TCP port 80).<br />
* Go back to c7host after verifing lin1 permits http traffic and once again test whether Firefox on c7host displays the webpage (you may need to give Firefox the IP address of lin1 to view the webpage). Now it should.<br />
<br />
If you make such a mess that you don't know what you did any longer, there are a couple of things that can help you get back to normal:<br />
<br />
* iptables --flush will erase all the rules<br />
* Restarting the iptables service will revert all the rules to the defaults.<br />
<br />
= PART 3: YOUR TASKS =<br />
<br />
Use what you learned so far and what you can learn online in order to set up the following:<br />
<br />
# lin1 will allow access to Apache from any source.<br />
# c7host will allow access to SSH from hosts on the 192.168.210.* subnet and deny it from any other source.<br />
<br />
= Lab completion =<br />
<br />
* Make sure you understand what you've done in this lab, so that you're ready to answer questions about it.<br />
* Have notes in your labbook from this lab.<br />
* Show your work to the professor and have them sign your labbook.</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210_Lab_2&diff=139210SRT210 Lab 22019-05-23T22:55:54Z<p>Mark: /* IPtables overview */</p>
<hr />
<div>= Objectives =<br />
<br />
* Set up a nested virtual machine<br />
* Get familiar with basic networking setup and utilities used on Linux<br />
* Understand how the IPtables firewall works and use it to make simple rules<br />
<br />
= PART 1: NESTED VIRTUAL MACHINE =<br />
<br />
Since we're forced to use a Windows machine as the main VM host, we're going to have to set up nested virtualisation. Luckily that's not too difficult.<br />
<br />
* Change the settings for your c7host to have at least 4GB of RAM, and enable "Virtual Intel VT-X/EPT or AMD-V/RVI" under VM/Settings/Processors.<br />
* Install the following packages: qemu-kvm qemu-img virt-manager libvirt libvirt-python libvirt-client virt-install virt-viewer bridge-utils<br />
* Make sure (using <code>systemctl enable</code>) that the libvirtd service starts at boot.<br />
* Those will include both the KVM hypervisor and Virt Manager, which is a graphical tool used to administer it.<br />
* Create a new virtual machine with the following settings:<br />
** Will be installed from the network: https://mirror.senecacollege.ca/centos/7/os/x86_64/ or http://mirror.netflash.net/centos/7/os/x86_64/<br />
** 2GB of RAM<br />
** 10GB of disk<br />
** NAT for networking<br />
** hostname lin1<br />
** Minimal install<br />
<br />
After you're done - you'll have a command-line-only CentOS machine (lin1) running inside a graphical CentOS desktop (c7host).<br />
<br />
= PART 2: BASIC NETWORKING =<br />
<br />
== Simple commands ==<br />
<br />
Use these commands to check the curent network settings on lin1:<br />
<br />
* ip link (show interfaces)<br />
* ip address (the MAC address, IP address, and subnet mask for every interface)<br />
* ip route (the routing table)<br />
* cat /etc/resolv.conf (the DNS server you're configured to query)<br />
* arp -n (the ARP table)<br />
<br />
Note if you're missing a command - you can figure out what package contains in by using <code>yum whatprovides</code><br />
<br />
== New virtual network ==<br />
<br />
By default a KVM setup has a NAT network with a DHCP server. That works nicely out of the box but won't work for us because we'll need to configure network settings manually.<br />
<br />
# Power off lin1<br />
# In the '''Connection Details''' dialog box, select the '''Virtual Networks''' tab<br />
# Click to <u>de-select</u> the '''Autostart (on boot)''' check-box options and click the '''Apply''' button.<br />
# Stop the default network by clicking on the '''stop''' button at the bottom left-side of the dialog box.<br />
# Click the '''add''' button to add a new network configuration.<br />
# Leave the default network name '''network1'''.<br />
# In the next screen, enter the '''new network IP address space''' called: '''192.168.210.0/24'''<br />
# Disable '''DHCPv4'''<br />
# Enable Network Forwarding by Selecting '''Forwarding to physical network''', the destination should be '''Any physical device''' and the mode should be '''NAT'''<br />
<br />
== Network settings on lin1 ==<br />
<br />
* Now if you try to start lin1 - it will tell you that the network "default" is unavailable. Go into the lin1 VM settings and configure the NIC to use "network1" instead.<br />
* After starting the VM you'll find that your network interface is not configured (try all the commands above again to see their output).<br />
* Configure your wired interface by editing the file as described in the steps below.<br />
* Change to the '''/etc/sysconfig/network-scripts''' directory.<br />
* List the contents of this directory. You should see 2 different types of files, network config scripts and network configuration files.<br />
* Look for the configuration file for your interface. It should have the name of the interface in the filename and the interface's MAC address in its contents.<br />
* Edit that file and give it the following settings:<br />
::DEVICE=eth0<br />
::IPADDR=192.168.210.11<br />
::NETMASK=255.255.255.0<br />
::GATEWAY=192.168.210.1<br />
::HWADDR=xx:xx:xx:xx:xx:xx '''# Make sure it's the right MAC address<br />
::DNS1=192.168.210.1 <br />
::BOOTPROTO=static<br />
::ONBOOT=yes<br />
::NM_CONTROLLED=yes<br />
::IPV6INIT=no<br />
* Ask yourself where did the IP address 192.168.210.1 come from and why it's your default gateway and DNS server.<br />
<br />
= PART 2: IPTABLES =<br />
<br />
CentOS comes with firewalld installed by default. We will not be using that, instead we'll do all our firewall work with iptables. Therefore we'll need to uninstall firewalld and install iptables management tools:<br />
<br />
* Use systemctl to stop firewalld and disable it from starting on boot.<br />
* Use yum to uninstall firewalld and install iptables-services<br />
* Use systemctl to start the iptables service and configure it to be started on boot.<br />
* Run <code>iptables -L</code>. We will be learning how to read that mess in the next section.<br />
<br />
IPtables is a complex system, and there's a lot of material this week to cover it. Keep in mind as you're going through the lab that you're trying to learn three things:<br />
<br />
* '''How iptables works'''<br />
* '''How to understand the current state of the firewall'''<br />
* '''How to make useful changes to the firewall'''<br />
<br />
== IPtables overview ==<br />
<br />
We will use an example of setting up a firewall on a web server.<br />
<br />
[[Image:iptables.png]]<br />
<br />
'''There are some important things to be aware of in terms of this diagram:'''<br />
<br />
:*There are '''<u>two sets</u> of IPtables rules (chains) that apply:''' '''OUTPUT/INPUT on the client''' and '''INPUT/OUTPUT on the server'''.<br>It is important to think about trafic from the perspective from the client as well as the server.<br />
<br />
:* '''Outbound traffic is rarely blocked <u>unless</u> there is a security policy to <u>prevent</u> some kind of traffic'''.<br>Even in that case, that security policy is usually performed on a router.<br />
<br />
:* '''Inbound traffic is of two distinct types'''. Our diagram shows:<br />
::# '''New incoming <u>connections</u>''' (what you normally think of as '''<u>inbound traffic</u>'''): the web server receives a '''new incoming connection'''.<br />
::# '''Incoming <u>data</u> that client receives as a response from the server''': the web page that the server sent back in the diagram above.<br />
<br />
::::The analogy would be like making a '''telephone call''':<ul><li>A '''NEW''' packet is like the phone ringing</li><li>An '''ESTABLISHED''' packet is the connection and the packet says "hello", along with any further communication.</li><li>A '''RELATED''' packet would be the same person calling on a second line. (eg. a second connection that is made because of something that happened in the first, like an ftp transfer).</li></ul><br />
<br />
::::We normally don't want to do anything special for the response. It is safe to assume that '''a connection that was allowed to be established should be allowed to receive a response'''. This is accomplished with the following '''INPUT chain rule''' that should be there by default on your machines:<br><br />
::::<pre>ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED</pre><br />
<br />
:* '''Rules are applied to:''' '''chains''' (e.g. ''input/output'') and contain information regarding the type of traffic they apply to. For example, '''protocols''' such as ''tcp/udp/icmp'', '''port numbers''' such as ''22 (SSH), 80 (HTTP), 443 (HTTPS)'', '''addresses''', and many other things.<br />
<br />
::Let's look at how these rules would apply to a simple web connection (HTTP - port 80):<br />
::# For the ''request'', the '''source port (sport) for the example in the above diagram is 40112''' and the '''destination port (dport) is 80'''<br />
::# For the ''response'', the '''source port (sport) is 80''' and the '''destination port (dport) is 40112'''<br />
::# Since the '''RELATED,ESTABLISHED''' rule already exists, we are only concerned about <u>'''controlling'''</u> the '''incoming traffic on the server''', which in our example, the '''chain is: INPUT''', the '''protocol is: tcp''', and the '''destination is: port 80'''.<br />
<br />
:* Most other services work in a similar way as discussed above.<br />
<br />
== Adding a rule ==<br />
<br />
'''<source>iptables -I OUTPUT -p tcp -s0/0 -d 0/0 --dport 80 -j DROP</source>'''<br />
<br />
Can be read like this: ''Insert a rule into the iptables OUTPUT chain that will match any tcp packet, with any a source address, any destination address, and a deistination port of 80. Any packet that matches will be dropped.''<br />
<br />
<br />
'''Let's break down the <u>command displayed above</u> to see how it works:'''<br />
<br />
<br />
<br />
{|cellpadding="15" width="60%"<br />
|- valign="top"<br />
| | <span style="font-family:courier; font-weight:bold">-I</span><br />
| | tells iptables to INSERT this line into the OUTPUT policy. This means it will be the first line in the policy. If we used a <span style="font-family:courier; font-weight:bold">-A</span> switch it would have appended the line and it would be the last line of the policy. If you are writing complex iptables rules where multiple matches can occur, it is important that the lines go in the right order. If you follow the -I with a number, the new rule will be inserted at that location in the chain (for example, <code>-I 3 OUTPUT</code> will insert the rule into the 3rd position in the OUTPUT chain, moving the existing rules down as necessary (the old rule #3 will become the new rule #4, for example)<br />
|- valign="top"<br />
|width="75" | '''-p tcp'''<br />
| | tells iptables to only match TCP packets. Alternately, the protocol could be set to '''udp''', '''icmp''', or '''all'''<br />
|- valign="top"<br />
| |'''-s0/0'''<br />
| |specifies the source IP address. 0/0 means a source address of “anywhere.” this has been put into the lab because your ip address will change because it is dynamically assigned. You can change this value if you want to the IP address that has been specifically assigned to your PC<br />
|- valign="top"<br />
| |'''-d0/0'''<br />
| |specifies the destination address. It makes sense that this address is set to “anywhere” because if we want to block all requests to the WWW, we will never know the specific IP address of web server that is trying to be accessed<br />
|- valign="top"<br />
| |'''--dport 80'''<br />
| |tells iptables to look at the destination port in the packet and see if it is equal to 80. Alternately, you can filter based on source addresses using the <code>--sport</code> switch<br />
|- valign="top"<br />
| |'''-j'''<br />
| |means when condition is met, then jump to a particular target – Basic targets are '''ACCEPT''', '''DROP''', '''REJECT''', and '''LOG'''. The available targets depend on which table contains the chain<br />
|- valign="top"<br />
| |'''DROP''' <br />
| |means drop the packet – make it disappear - and do not continue processing rules. '''REJECT''' is similar, but causes an error packet to be sent back to the source host. '''ACCEPT''' causes the packet to be processed. '''LOG''' causes an entry to be made in the system logs showing that the packet was processed. Note that the LOG target is the only one that does not stop rule-checking in the chain - so you can log a packet with one rule, and then use a later rule in the chain to DROP, REJECT, or ACCEPT it<br />
|}<br />
<br />
To play with this:<br />
* Install the Apache web server on lin1 (the package is called httpd).<br />
* Enable and start that service.<br />
* Install elinks (a command-line web browser) and see if you can connect to http://localhost (it should work by default).<br />
* Using Firefox on c7host, check whether you can view the same webpage in lin1 (by default you wont).<br />
* Next, check the iptables rules in lin1 and try to figure out why Firefox could not connect from c7host by reading the output of <code>iptables -L</code> on lin1 carefully looking for clues whether lin1 is letting inbound http traffic (TCP port 80) through.<br />
* If the output of <code>iptables -L</code> on lin1 isn't letting HTTP traffic through, which by default it does not, add a rule to the iptables in lin1 to allow inbound traffic to pass through to Apache (TCP port 80).<br />
* Go back to c7host after verifing lin1 permits http traffic and once again test whether Firefox on c7host displays the webpage (you may need to give Firefox the IP address of lin1 to view the webpage). Now it should.<br />
<br />
If you make such a mess that you don't know what you did any longer, there are a couple of things that can help you get back to normal:<br />
<br />
* iptables --flush will erase all the rules<br />
* Restarting the iptables service will revert all the rules to the defaults.<br />
<br />
= PART 3: YOUR TASKS =<br />
<br />
Use what you learned so far and what you can learn online in order to set up the following:<br />
<br />
# lin1 will allow access to Apache from any source.<br />
# c7host will allow access to SSH from hosts on the 192.168.210.* subnet and deny it from any other source.<br />
<br />
= Lab completion =<br />
<br />
* Make sure you understand what you've done in this lab, so that you're ready to answer questions about it.<br />
* Have notes in your labbook from this lab.<br />
* Show your work to the professor and have them sign your labbook.</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210_Lab_2&diff=139197SRT210 Lab 22019-05-21T20:20:54Z<p>Mark: /* Adding a rule */</p>
<hr />
<div>= Objectives =<br />
<br />
* Set up a nested virtual machine<br />
* Get familiar with basic networking setup and utilities used on Linux<br />
* Understand how the IPtables firewall works and use it to make simple rules<br />
<br />
= PART 1: NESTED VIRTUAL MACHINE =<br />
<br />
Since we're forced to use a Windows machine as the main VM host, we're going to have to set up nested virtualisation. Luckily that's not too difficult.<br />
<br />
* Change the settings for your c7host to have at least 4GB of RAM, and enable "Virtual Intel VT-X/EPT or AMD-V/RVI" under VM/Settings/Processors.<br />
* Install the following packages: qemu-kvm qemu-img virt-manager libvirt libvirt-python libvirt-client virt-install virt-viewer bridge-utils<br />
* Make sure (using <code>systemctl enable</code>) that the libvirtd service starts at boot.<br />
* Those will include both the KVM hypervisor and Virt Manager, which is a graphical tool used to administer it.<br />
* Create a new virtual machine with the following settings:<br />
** Will be installed from the network: https://mirror.senecacollege.ca/centos/7/os/x86_64/ or http://mirror.netflash.net/centos/7/os/x86_64/<br />
** 2GB of RAM<br />
** 10GB of disk<br />
** NAT for networking<br />
** hostname lin1<br />
** Minimal install<br />
<br />
After you're done - you'll have a command-line-only CentOS machine (lin1) running inside a graphical CentOS desktop (c7host).<br />
<br />
= PART 2: BASIC NETWORKING =<br />
<br />
== Simple commands ==<br />
<br />
Use these commands to check the curent network settings on lin1:<br />
<br />
* ip link (show interfaces)<br />
* ip address (the MAC address, IP address, and subnet mask for every interface)<br />
* ip route (the routing table)<br />
* cat /etc/resolv.conf (the DNS server you're configured to query)<br />
* arp -n (the ARP table)<br />
<br />
Note if you're missing a command - you can figure out what package contains in by using <code>yum whatprovides</code><br />
<br />
== New virtual network ==<br />
<br />
By default a KVM setup has a NAT network with a DHCP server. That works nicely out of the box but won't work for us because we'll need to configure network settings manually.<br />
<br />
# Power off lin1<br />
# In the '''Connection Details''' dialog box, select the '''Virtual Networks''' tab<br />
# Click to <u>de-select</u> the '''Autostart (on boot)''' check-box options and click the '''Apply''' button.<br />
# Stop the default network by clicking on the '''stop''' button at the bottom left-side of the dialog box.<br />
# Click the '''add''' button to add a new network configuration.<br />
# Leave the default network name '''network1'''.<br />
# In the next screen, enter the '''new network IP address space''' called: '''192.168.210.0/24'''<br />
# Disable '''DHCPv4'''<br />
# Enable Network Forwarding by Selecting '''Forwarding to physical network''', the destination should be '''Any physical device''' and the mode should be '''NAT'''<br />
<br />
== Network settings on lin1 ==<br />
<br />
* Now if you try to start lin1 - it will tell you that the network "default" is unavailable. Go into the lin1 VM settings and configure the NIC to use "network1" instead.<br />
* After starting the VM you'll find that your network interface is not configured (try all the commands above again to see their output).<br />
* Configure your wired interface by editing the file as described in the steps below.<br />
* Change to the '''/etc/sysconfig/network-scripts''' directory.<br />
* List the contents of this directory. You should see 2 different types of files, network config scripts and network configuration files.<br />
* Look for the configuration file for your interface. It should have the name of the interface in the filename and the interface's MAC address in its contents.<br />
* Edit that file and give it the following settings:<br />
::DEVICE=eth0<br />
::IPADDR=192.168.210.11<br />
::NETMASK=255.255.255.0<br />
::GATEWAY=192.168.210.1<br />
::HWADDR=xx:xx:xx:xx:xx:xx '''# Make sure it's the right MAC address<br />
::DNS1=192.168.210.1 <br />
::BOOTPROTO=static<br />
::ONBOOT=yes<br />
::NM_CONTROLLED=yes<br />
::IPV6INIT=no<br />
* Ask yourself where did the IP address 192.168.210.1 come from and why it's your default gateway and DNS server.<br />
<br />
= PART 2: IPTABLES =<br />
<br />
CentOS comes with firewalld installed by default. We will not be using that, instead we'll do all our firewall work with iptables. Therefore we'll need to uninstall firewalld and install iptables management tools:<br />
<br />
* Use systemctl to stop firewalld and disable it from starting on boot.<br />
* Use yum to uninstall firewalld and install iptables-services<br />
* Use systemctl to start the iptables service and configure it to be started on boot.<br />
* Run <code>iptables -L</code>. We will be learning how to read that mess in the next section.<br />
<br />
IPtables is a complex system, and there's a lot of material this week to cover it. Keep in mind as you're going through the lab that you're trying to learn three things:<br />
<br />
* '''How iptables works'''<br />
* '''How to understand the current state of the firewall'''<br />
* '''How to make useful changes to the firewall'''<br />
<br />
== IPtables overview ==<br />
<br />
We will use an example of setting up a firewall on a web server.<br />
<br />
[[Image:iptables.png]]<br />
<br />
'''There are some important things to be aware of in terms of this diagram:'''<br />
<br />
:*There are '''<u>two sets</u> of IPtables rules (chains) that apply:''' '''OUTPUT/INPUT on the client''' and '''INPUT/OUTPUT on the server'''.<br>It is important to think about trafic from the perspective from the client as well as the server.<br />
<br />
:* '''Outbound traffic is rarely blocked <u>unless</u> there is a security policy to <u>prevent</u> some kind of traffic'''.<br>Even in that case, that security policy is usually performed on a router.<br />
<br />
:* '''Inbound traffic is of two distinct types'''. Our diagram shows:<br />
::# '''New incoming <u>connections</u>''' (what you normally think of as '''<u>inbound traffic</u>'''): the web server receives a '''new incoming connection'''.<br />
::# '''Incoming <u>data</u> that client receives as a response from the server''': the web page that the server sent back in the diagram above.<br />
<br />
::::The analogy would be like making a '''telephone call''':<ul><li>A '''NEW''' packet is like the phone ringing</li><li>An '''ESTABLISHED''' packet is the connection and the packet says "hello", along with any further communication.</li><li>A '''RELATED''' packet would be the same person calling on a second line. (eg. a second connection that is made because of something that happened in the first, like an ftp transfer).</li></ul><br />
<br />
::::We normally don't want to do anything special for the response. It is safe to assume that '''a connection that was allowed to be established should be allowed to receive a response'''. This is accomplished with the following '''INPUT chain rule''' that should be there by default on your machines:<br><br />
::::<pre>ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED</pre><br />
<br />
:* '''Rules are applied to:''' '''chains''' (e.g. ''input/output'') and contain information regarding the type of traffic they apply to. For example, '''protocols''' such as ''tcp/udp/icmp'', '''port numbers''' such as ''22 (SSH), 80 (HTTP), 443 (SHTTP)'', '''addresses''', and many other things.<br />
<br />
::Let's look at how these rules would apply to a simple web connection (HTTP - port 80):<br />
::# For the ''request'', the '''source port (sport) for the example in the above diagram is 40112''' and the '''destination port (dport) is 80'''<br />
::# For the ''response'', the '''source port (sport) is 80''' and the '''destination port (dport) is 40112'''<br />
::# Since the '''RELATED,ESTABLISHED''' rule already exists, we are only concerned about <u>'''controlling'''</u> the '''incoming traffic on the server''', which in our example, the '''chain is: INPUT''', the '''protocol is: tcp''', and the '''destination is: port 80'''.<br />
<br />
:* Most other services work in a similar way as discussed above.<br />
<br />
== Adding a rule ==<br />
<br />
'''<source>iptables -I OUTPUT -p tcp -s0/0 -d 0/0 --dport 80 -j DROP</source>'''<br />
<br />
Can be read like this: ''Insert a rule into the iptables OUTPUT chain that will match any tcp packet, with any a source address, any destination address, and a deistination port of 80. Any packet that matches will be dropped.''<br />
<br />
<br />
'''Let's break down the <u>command displayed above</u> to see how it works:'''<br />
<br />
<br />
<br />
{|cellpadding="15" width="60%"<br />
|- valign="top"<br />
| | <span style="font-family:courier; font-weight:bold">-I</span><br />
| | tells iptables to INSERT this line into the OUTPUT policy. This means it will be the first line in the policy. If we used a <span style="font-family:courier; font-weight:bold">-A</span> switch it would have appended the line and it would be the last line of the policy. If you are writing complex iptables rules where multiple matches can occur, it is important that the lines go in the right order. If you follow the -I with a number, the new rule will be inserted at that location in the chain (for example, <code>-I 3 OUTPUT</code> will insert the rule into the 3rd position in the OUTPUT chain, moving the existing rules down as necessary (the old rule #3 will become the new rule #4, for example)<br />
|- valign="top"<br />
|width="75" | '''-p tcp'''<br />
| | tells iptables to only match TCP packets. Alternately, the protocol could be set to '''udp''', '''icmp''', or '''all'''<br />
|- valign="top"<br />
| |'''-s0/0'''<br />
| |specifies the source IP address. 0/0 means a source address of “anywhere.” this has been put into the lab because your ip address will change because it is dynamically assigned. You can change this value if you want to the IP address that has been specifically assigned to your PC<br />
|- valign="top"<br />
| |'''-d0/0'''<br />
| |specifies the destination address. It makes sense that this address is set to “anywhere” because if we want to block all requests to the WWW, we will never know the specific IP address of web server that is trying to be accessed<br />
|- valign="top"<br />
| |'''--dport 80'''<br />
| |tells iptables to look at the destination port in the packet and see if it is equal to 80. Alternately, you can filter based on source addresses using the <code>--sport</code> switch<br />
|- valign="top"<br />
| |'''-j'''<br />
| |means when condition is met, then jump to a particular target – Basic targets are '''ACCEPT''', '''DROP''', '''REJECT''', and '''LOG'''. The available targets depend on which table contains the chain<br />
|- valign="top"<br />
| |'''DROP''' <br />
| |means drop the packet – make it disappear - and do not continue processing rules. '''REJECT''' is similar, but causes an error packet to be sent back to the source host. '''ACCEPT''' causes the packet to be processed. '''LOG''' causes an entry to be made in the system logs showing that the packet was processed. Note that the LOG target is the only one that does not stop rule-checking in the chain - so you can log a packet with one rule, and then use a later rule in the chain to DROP, REJECT, or ACCEPT it<br />
|}<br />
<br />
To play with this:<br />
* Install the Apache web server on lin1 (the package is called httpd).<br />
* Enable and start that service.<br />
* Install elinks (a command-line web browser) and see if you can connect to http://localhost (it should work by default).<br />
* Using Firefox on c7host, check whether you can view the same webpage in lin1 (by default you wont).<br />
* Next, check the iptables rules in lin1 and try to figure out why Firefox could not connect from c7host by reading the output of <code>iptables -L</code> on lin1 carefully looking for clues whether lin1 is letting inbound http traffic (TCP port 80) through.<br />
* If the output of <code>iptables -L</code> on lin1 isn't letting HTTP traffic through, which by default it does not, add a rule to the iptables in lin1 to allow inbound traffic to pass through to Apache (TCP port 80).<br />
* Go back to c7host after verifing lin1 permits http traffic and once again test whether Firefox on c7host displays the webpage (you may need to give Firefox the IP address of lin1 to view the webpage). Now it should.<br />
<br />
If you make such a mess that you don't know what you did any longer, there are a couple of things that can help you get back to normal:<br />
<br />
* iptables --flush will erase all the rules<br />
* Restarting the iptables service will revert all the rules to the defaults.<br />
<br />
= PART 3: YOUR TASKS =<br />
<br />
Use what you learned so far and what you can learn online in order to set up the following:<br />
<br />
# lin1 will allow access to Apache from any source.<br />
# c7host will allow access to SSH from hosts on the 192.168.210.* subnet and deny it from any other source.<br />
<br />
= Lab completion =<br />
<br />
* Make sure you understand what you've done in this lab, so that you're ready to answer questions about it.<br />
* Have notes in your labbook from this lab.<br />
* Show your work to the professor and have them sign your labbook.</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210_Lab_2&diff=139196SRT210 Lab 22019-05-21T19:45:04Z<p>Mark: /* Network settings on lin1 */</p>
<hr />
<div>= Objectives =<br />
<br />
* Set up a nested virtual machine<br />
* Get familiar with basic networking setup and utilities used on Linux<br />
* Understand how the IPtables firewall works and use it to make simple rules<br />
<br />
= PART 1: NESTED VIRTUAL MACHINE =<br />
<br />
Since we're forced to use a Windows machine as the main VM host, we're going to have to set up nested virtualisation. Luckily that's not too difficult.<br />
<br />
* Change the settings for your c7host to have at least 4GB of RAM, and enable "Virtual Intel VT-X/EPT or AMD-V/RVI" under VM/Settings/Processors.<br />
* Install the following packages: qemu-kvm qemu-img virt-manager libvirt libvirt-python libvirt-client virt-install virt-viewer bridge-utils<br />
* Make sure (using <code>systemctl enable</code>) that the libvirtd service starts at boot.<br />
* Those will include both the KVM hypervisor and Virt Manager, which is a graphical tool used to administer it.<br />
* Create a new virtual machine with the following settings:<br />
** Will be installed from the network: https://mirror.senecacollege.ca/centos/7/os/x86_64/ or http://mirror.netflash.net/centos/7/os/x86_64/<br />
** 2GB of RAM<br />
** 10GB of disk<br />
** NAT for networking<br />
** hostname lin1<br />
** Minimal install<br />
<br />
After you're done - you'll have a command-line-only CentOS machine (lin1) running inside a graphical CentOS desktop (c7host).<br />
<br />
= PART 2: BASIC NETWORKING =<br />
<br />
== Simple commands ==<br />
<br />
Use these commands to check the curent network settings on lin1:<br />
<br />
* ip link (show interfaces)<br />
* ip address (the MAC address, IP address, and subnet mask for every interface)<br />
* ip route (the routing table)<br />
* cat /etc/resolv.conf (the DNS server you're configured to query)<br />
* arp -n (the ARP table)<br />
<br />
Note if you're missing a command - you can figure out what package contains in by using <code>yum whatprovides</code><br />
<br />
== New virtual network ==<br />
<br />
By default a KVM setup has a NAT network with a DHCP server. That works nicely out of the box but won't work for us because we'll need to configure network settings manually.<br />
<br />
# Power off lin1<br />
# In the '''Connection Details''' dialog box, select the '''Virtual Networks''' tab<br />
# Click to <u>de-select</u> the '''Autostart (on boot)''' check-box options and click the '''Apply''' button.<br />
# Stop the default network by clicking on the '''stop''' button at the bottom left-side of the dialog box.<br />
# Click the '''add''' button to add a new network configuration.<br />
# Leave the default network name '''network1'''.<br />
# In the next screen, enter the '''new network IP address space''' called: '''192.168.210.0/24'''<br />
# Disable '''DHCPv4'''<br />
# Enable Network Forwarding by Selecting '''Forwarding to physical network''', the destination should be '''Any physical device''' and the mode should be '''NAT'''<br />
<br />
== Network settings on lin1 ==<br />
<br />
* Now if you try to start lin1 - it will tell you that the network "default" is unavailable. Go into the lin1 VM settings and configure the NIC to use "network1" instead.<br />
* After starting the VM you'll find that your network interface is not configured (try all the commands above again to see their output).<br />
* Configure your wired interface by editing the file as described in the steps below.<br />
* Change to the '''/etc/sysconfig/network-scripts''' directory.<br />
* List the contents of this directory. You should see 2 different types of files, network config scripts and network configuration files.<br />
* Look for the configuration file for your interface. It should have the name of the interface in the filename and the interface's MAC address in its contents.<br />
* Edit that file and give it the following settings:<br />
::DEVICE=eth0<br />
::IPADDR=192.168.210.11<br />
::NETMASK=255.255.255.0<br />
::GATEWAY=192.168.210.1<br />
::HWADDR=xx:xx:xx:xx:xx:xx '''# Make sure it's the right MAC address<br />
::DNS1=192.168.210.1 <br />
::BOOTPROTO=static<br />
::ONBOOT=yes<br />
::NM_CONTROLLED=yes<br />
::IPV6INIT=no<br />
* Ask yourself where did the IP address 192.168.210.1 come from and why it's your default gateway and DNS server.<br />
<br />
= PART 2: IPTABLES =<br />
<br />
CentOS comes with firewalld installed by default. We will not be using that, instead we'll do all our firewall work with iptables. Therefore we'll need to uninstall firewalld and install iptables management tools:<br />
<br />
* Use systemctl to stop firewalld and disable it from starting on boot.<br />
* Use yum to uninstall firewalld and install iptables-services<br />
* Use systemctl to start the iptables service and configure it to be started on boot.<br />
* Run <code>iptables -L</code>. We will be learning how to read that mess in the next section.<br />
<br />
IPtables is a complex system, and there's a lot of material this week to cover it. Keep in mind as you're going through the lab that you're trying to learn three things:<br />
<br />
* '''How iptables works'''<br />
* '''How to understand the current state of the firewall'''<br />
* '''How to make useful changes to the firewall'''<br />
<br />
== IPtables overview ==<br />
<br />
We will use an example of setting up a firewall on a web server.<br />
<br />
[[Image:iptables.png]]<br />
<br />
'''There are some important things to be aware of in terms of this diagram:'''<br />
<br />
:*There are '''<u>two sets</u> of IPtables rules (chains) that apply:''' '''OUTPUT/INPUT on the client''' and '''INPUT/OUTPUT on the server'''.<br>It is important to think about trafic from the perspective from the client as well as the server.<br />
<br />
:* '''Outbound traffic is rarely blocked <u>unless</u> there is a security policy to <u>prevent</u> some kind of traffic'''.<br>Even in that case, that security policy is usually performed on a router.<br />
<br />
:* '''Inbound traffic is of two distinct types'''. Our diagram shows:<br />
::# '''New incoming <u>connections</u>''' (what you normally think of as '''<u>inbound traffic</u>'''): the web server receives a '''new incoming connection'''.<br />
::# '''Incoming <u>data</u> that client receives as a response from the server''': the web page that the server sent back in the diagram above.<br />
<br />
::::The analogy would be like making a '''telephone call''':<ul><li>A '''NEW''' packet is like the phone ringing</li><li>An '''ESTABLISHED''' packet is the connection and the packet says "hello", along with any further communication.</li><li>A '''RELATED''' packet would be the same person calling on a second line. (eg. a second connection that is made because of something that happened in the first, like an ftp transfer).</li></ul><br />
<br />
::::We normally don't want to do anything special for the response. It is safe to assume that '''a connection that was allowed to be established should be allowed to receive a response'''. This is accomplished with the following '''INPUT chain rule''' that should be there by default on your machines:<br><br />
::::<pre>ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED</pre><br />
<br />
:* '''Rules are applied to:''' '''chains''' (e.g. ''input/output'') and contain information regarding the type of traffic they apply to. For example, '''protocols''' such as ''tcp/udp/icmp'', '''port numbers''' such as ''22 (SSH), 80 (HTTP), 443 (SHTTP)'', '''addresses''', and many other things.<br />
<br />
::Let's look at how these rules would apply to a simple web connection (HTTP - port 80):<br />
::# For the ''request'', the '''source port (sport) for the example in the above diagram is 40112''' and the '''destination port (dport) is 80'''<br />
::# For the ''response'', the '''source port (sport) is 80''' and the '''destination port (dport) is 40112'''<br />
::# Since the '''RELATED,ESTABLISHED''' rule already exists, we are only concerned about <u>'''controlling'''</u> the '''incoming traffic on the server''', which in our example, the '''chain is: INPUT''', the '''protocol is: tcp''', and the '''destination is: port 80'''.<br />
<br />
:* Most other services work in a similar way as discussed above.<br />
<br />
== Adding a rule ==<br />
<br />
'''<source>iptables -I OUTPUT -p tcp -s0/0 -d 0/0 --dport 80 -j DROP</source>'''<br />
<br />
Can be read like this: ''Insert a rule into the iptables OUTPUT chain that will match any tcp packet, with any a source address, any destination address, and a deistination port of 80. Any packet that matches will be dropped.''<br />
<br />
<br />
'''Let's break down the <u>command displayed above</u> to see how it works:'''<br />
<br />
<br />
<br />
{|cellpadding="15" width="60%"<br />
|- valign="top"<br />
| | <span style="font-family:courier; font-weight:bold">-I</span><br />
| | tells iptables to INSERT this line into the OUTPUT policy. This means it will be the first line in the policy. If we used a <span style="font-family:courier; font-weight:bold">-A</span> switch it would have appended the line and it would be the last line of the policy. If you are writing complex iptables rules where multiple matches can occur, it is important that the lines go in the right order. If you follow the -I with a number, the new rule will be inserted at that location in the chain (for example, <code>-I 3 OUTPUT</code> will insert the rule into the 3rd position in the OUTPUT chain, moving the existing rules down as necessary (the old rule #3 will become the new rule #4, for example)<br />
|- valign="top"<br />
|width="75" | '''-p tcp'''<br />
| | tells iptables to only match TCP packets. Alternately, the protocol could be set to '''udp''', '''icmp''', or '''all'''<br />
|- valign="top"<br />
| |'''-s0/0'''<br />
| |specifies the source IP address. 0/0 means a source address of “anywhere.” this has been put into the lab because your ip address will change because it is dynamically assigned. You can change this value if you want to the IP address that has been specifically assigned to your PC<br />
|- valign="top"<br />
| |'''-d0/0'''<br />
| |specifies the destination address. It makes sense that this address is set to “anywhere” because if we want to block all requests to the WWW, we will never know the specific IP address of web server that is trying to be accessed<br />
|- valign="top"<br />
| |'''--dport 80'''<br />
| |tells iptables to look at the destination port in the packet and see if it is equal to 80. Alternately, you can filter based on source addresses using the <code>--sport</code> switch<br />
|- valign="top"<br />
| |'''-j'''<br />
| |means when condition is met, then jump to a particular target – Basic targets are '''ACCEPT''', '''DROP''', '''REJECT''', and '''LOG'''. The available targets depend on which table contains the chain<br />
|- valign="top"<br />
| |'''DROP''' <br />
| |means drop the packet – make it disappear - and do not continue processing rules. '''REJECT''' is similar, but causes an error packet to be sent back to the source host. '''ACCEPT''' causes the packet to be processed. '''LOG''' causes an entry to be made in the system logs showing that the packet was processed. Note that the LOG target is the only one that does not stop rule-checking in the chain - so you can log a packet with one rule, and then use a later rule in the chain to DROP, REJECT, or ACCEPT it<br />
|}<br />
<br />
To play with this:<br />
* Install the Apache web server on lin1 (the package is called httpd).<br />
* Enable and start that service.<br />
* Install links (a command-line web browser) and see if you can connect to http://localhost (it should work by default).<br />
* Using Firefox on c7host, check whether you can view the same webpage in lin1 (by default you wont).<br />
* Next, check the iptables rules in lin1 and try to figure out why Firefox could not connect from c7host by reading the output of <code>iptables -L</code> on lin1 carefully looking for clues whether lin1 is letting inbound http traffic (TCP port 80) through.<br />
* If the output of <code>iptables -L</code> on lin1 isn't letting HTTP traffic through, which by default it does not, add a rule to the iptables in lin1 to allow inbound traffic to pass through to Apache (TCP port 80).<br />
* Go back to c7host after verifing lin1 permits http traffic and once again test whether Firefox on c7host displays the webpage (you may need to give Firefox the IP address of lin1 to view the webpage). Now it should.<br />
<br />
If you make such a mess that you don't know what you did any longer, there are a couple of things that can help you get back to normal:<br />
<br />
* iptables --flush will erase all the rules<br />
* Restarting the iptables service will revert all the rules to the defaults.<br />
<br />
= PART 3: YOUR TASKS =<br />
<br />
Use what you learned so far and what you can learn online in order to set up the following:<br />
<br />
# lin1 will allow access to Apache from any source.<br />
# c7host will allow access to SSH from hosts on the 192.168.210.* subnet and deny it from any other source.<br />
<br />
= Lab completion =<br />
<br />
* Make sure you understand what you've done in this lab, so that you're ready to answer questions about it.<br />
* Have notes in your labbook from this lab.<br />
* Show your work to the professor and have them sign your labbook.</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210_Lab_2&diff=139195SRT210 Lab 22019-05-21T19:07:22Z<p>Mark: /* PART 3: YOUR TASKS */</p>
<hr />
<div>= Objectives =<br />
<br />
* Set up a nested virtual machine<br />
* Get familiar with basic networking setup and utilities used on Linux<br />
* Understand how the IPtables firewall works and use it to make simple rules<br />
<br />
= PART 1: NESTED VIRTUAL MACHINE =<br />
<br />
Since we're forced to use a Windows machine as the main VM host, we're going to have to set up nested virtualisation. Luckily that's not too difficult.<br />
<br />
* Change the settings for your c7host to have at least 4GB of RAM, and enable "Virtual Intel VT-X/EPT or AMD-V/RVI" under VM/Settings/Processors.<br />
* Install the following packages: qemu-kvm qemu-img virt-manager libvirt libvirt-python libvirt-client virt-install virt-viewer bridge-utils<br />
* Make sure (using <code>systemctl enable</code>) that the libvirtd service starts at boot.<br />
* Those will include both the KVM hypervisor and Virt Manager, which is a graphical tool used to administer it.<br />
* Create a new virtual machine with the following settings:<br />
** Will be installed from the network: https://mirror.senecacollege.ca/centos/7/os/x86_64/ or http://mirror.netflash.net/centos/7/os/x86_64/<br />
** 2GB of RAM<br />
** 10GB of disk<br />
** NAT for networking<br />
** hostname lin1<br />
** Minimal install<br />
<br />
After you're done - you'll have a command-line-only CentOS machine (lin1) running inside a graphical CentOS desktop (c7host).<br />
<br />
= PART 2: BASIC NETWORKING =<br />
<br />
== Simple commands ==<br />
<br />
Use these commands to check the curent network settings on lin1:<br />
<br />
* ip link (show interfaces)<br />
* ip address (the MAC address, IP address, and subnet mask for every interface)<br />
* ip route (the routing table)<br />
* cat /etc/resolv.conf (the DNS server you're configured to query)<br />
* arp -n (the ARP table)<br />
<br />
Note if you're missing a command - you can figure out what package contains in by using <code>yum whatprovides</code><br />
<br />
== New virtual network ==<br />
<br />
By default a KVM setup has a NAT network with a DHCP server. That works nicely out of the box but won't work for us because we'll need to configure network settings manually.<br />
<br />
# Power off lin1<br />
# In the '''Connection Details''' dialog box, select the '''Virtual Networks''' tab<br />
# Click to <u>de-select</u> the '''Autostart (on boot)''' check-box options and click the '''Apply''' button.<br />
# Stop the default network by clicking on the '''stop''' button at the bottom left-side of the dialog box.<br />
# Click the '''add''' button to add a new network configuration.<br />
# Leave the default network name '''network1'''.<br />
# In the next screen, enter the '''new network IP address space''' called: '''192.168.210.0/24'''<br />
# Disable '''DHCPv4'''<br />
# Enable Network Forwarding by Selecting '''Forwarding to physical network''', the destination should be '''Any physical device''' and the mode should be '''NAT'''<br />
<br />
== Network settings on lin1 ==<br />
<br />
* Now if you try to start lin1 - it will tell you that the network "default" is unavailable. Go into the lin1 VM settings and configure the NIC to use "network1" instead.<br />
* After starting the VM you'll find that your network interface is not configured (try all the commands above again to see their output).<br />
* Configure your wired interface by editing the file .<br />
* Change to the '''/etc/sysconfig/network-scripts''' directory.<br />
* List the contents of this directory. You should see 2 different types of files, network config scripts and network configuration files.<br />
* Look for the configuration file for your interface. It should have the name of the interface in the filename and the interface's MAC address in its contents.<br />
* Edit that file and give it the following settings:<br />
::DEVICE=eth0<br />
::IPADDR=192.168.210.11<br />
::NETMASK=255.255.255.0<br />
::GATEWAY=192.168.210.1<br />
::HWADDR=xx:xx:xx:xx:xx:xx '''# Make sure it's the right MAC address<br />
::DNS1=192.168.210.1 <br />
::BOOTPROTO=static<br />
::ONBOOT=yes<br />
::NM_CONTROLLED=yes<br />
::IPV6INIT=no<br />
* Ask yourself where did the IP address 192.168.210.1 come from and why it's your default gateway and DNS server.<br />
<br />
= PART 2: IPTABLES =<br />
<br />
CentOS comes with firewalld installed by default. We will not be using that, instead we'll do all our firewall work with iptables. Therefore we'll need to uninstall firewalld and install iptables management tools:<br />
<br />
* Use systemctl to stop firewalld and disable it from starting on boot.<br />
* Use yum to uninstall firewalld and install iptables-services<br />
* Use systemctl to start the iptables service and configure it to be started on boot.<br />
* Run <code>iptables -L</code>. We will be learning how to read that mess in the next section.<br />
<br />
IPtables is a complex system, and there's a lot of material this week to cover it. Keep in mind as you're going through the lab that you're trying to learn three things:<br />
<br />
* '''How iptables works'''<br />
* '''How to understand the current state of the firewall'''<br />
* '''How to make useful changes to the firewall'''<br />
<br />
== IPtables overview ==<br />
<br />
We will use an example of setting up a firewall on a web server.<br />
<br />
[[Image:iptables.png]]<br />
<br />
'''There are some important things to be aware of in terms of this diagram:'''<br />
<br />
:*There are '''<u>two sets</u> of IPtables rules (chains) that apply:''' '''OUTPUT/INPUT on the client''' and '''INPUT/OUTPUT on the server'''.<br>It is important to think about trafic from the perspective from the client as well as the server.<br />
<br />
:* '''Outbound traffic is rarely blocked <u>unless</u> there is a security policy to <u>prevent</u> some kind of traffic'''.<br>Even in that case, that security policy is usually performed on a router.<br />
<br />
:* '''Inbound traffic is of two distinct types'''. Our diagram shows:<br />
::# '''New incoming <u>connections</u>''' (what you normally think of as '''<u>inbound traffic</u>'''): the web server receives a '''new incoming connection'''.<br />
::# '''Incoming <u>data</u> that client receives as a response from the server''': the web page that the server sent back in the diagram above.<br />
<br />
::::The analogy would be like making a '''telephone call''':<ul><li>A '''NEW''' packet is like the phone ringing</li><li>An '''ESTABLISHED''' packet is the connection and the packet says "hello", along with any further communication.</li><li>A '''RELATED''' packet would be the same person calling on a second line. (eg. a second connection that is made because of something that happened in the first, like an ftp transfer).</li></ul><br />
<br />
::::We normally don't want to do anything special for the response. It is safe to assume that '''a connection that was allowed to be established should be allowed to receive a response'''. This is accomplished with the following '''INPUT chain rule''' that should be there by default on your machines:<br><br />
::::<pre>ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED</pre><br />
<br />
:* '''Rules are applied to:''' '''chains''' (e.g. ''input/output'') and contain information regarding the type of traffic they apply to. For example, '''protocols''' such as ''tcp/udp/icmp'', '''port numbers''' such as ''22 (SSH), 80 (HTTP), 443 (SHTTP)'', '''addresses''', and many other things.<br />
<br />
::Let's look at how these rules would apply to a simple web connection (HTTP - port 80):<br />
::# For the ''request'', the '''source port (sport) for the example in the above diagram is 40112''' and the '''destination port (dport) is 80'''<br />
::# For the ''response'', the '''source port (sport) is 80''' and the '''destination port (dport) is 40112'''<br />
::# Since the '''RELATED,ESTABLISHED''' rule already exists, we are only concerned about <u>'''controlling'''</u> the '''incoming traffic on the server''', which in our example, the '''chain is: INPUT''', the '''protocol is: tcp''', and the '''destination is: port 80'''.<br />
<br />
:* Most other services work in a similar way as discussed above.<br />
<br />
== Adding a rule ==<br />
<br />
'''<source>iptables -I OUTPUT -p tcp -s0/0 -d 0/0 --dport 80 -j DROP</source>'''<br />
<br />
Can be read like this: ''Insert a rule into the iptables OUTPUT chain that will match any tcp packet, with any a source address, any destination address, and a deistination port of 80. Any packet that matches will be dropped.''<br />
<br />
<br />
'''Let's break down the <u>command displayed above</u> to see how it works:'''<br />
<br />
<br />
<br />
{|cellpadding="15" width="60%"<br />
|- valign="top"<br />
| | <span style="font-family:courier; font-weight:bold">-I</span><br />
| | tells iptables to INSERT this line into the OUTPUT policy. This means it will be the first line in the policy. If we used a <span style="font-family:courier; font-weight:bold">-A</span> switch it would have appended the line and it would be the last line of the policy. If you are writing complex iptables rules where multiple matches can occur, it is important that the lines go in the right order. If you follow the -I with a number, the new rule will be inserted at that location in the chain (for example, <code>-I 3 OUTPUT</code> will insert the rule into the 3rd position in the OUTPUT chain, moving the existing rules down as necessary (the old rule #3 will become the new rule #4, for example)<br />
|- valign="top"<br />
|width="75" | '''-p tcp'''<br />
| | tells iptables to only match TCP packets. Alternately, the protocol could be set to '''udp''', '''icmp''', or '''all'''<br />
|- valign="top"<br />
| |'''-s0/0'''<br />
| |specifies the source IP address. 0/0 means a source address of “anywhere.” this has been put into the lab because your ip address will change because it is dynamically assigned. You can change this value if you want to the IP address that has been specifically assigned to your PC<br />
|- valign="top"<br />
| |'''-d0/0'''<br />
| |specifies the destination address. It makes sense that this address is set to “anywhere” because if we want to block all requests to the WWW, we will never know the specific IP address of web server that is trying to be accessed<br />
|- valign="top"<br />
| |'''--dport 80'''<br />
| |tells iptables to look at the destination port in the packet and see if it is equal to 80. Alternately, you can filter based on source addresses using the <code>--sport</code> switch<br />
|- valign="top"<br />
| |'''-j'''<br />
| |means when condition is met, then jump to a particular target – Basic targets are '''ACCEPT''', '''DROP''', '''REJECT''', and '''LOG'''. The available targets depend on which table contains the chain<br />
|- valign="top"<br />
| |'''DROP''' <br />
| |means drop the packet – make it disappear - and do not continue processing rules. '''REJECT''' is similar, but causes an error packet to be sent back to the source host. '''ACCEPT''' causes the packet to be processed. '''LOG''' causes an entry to be made in the system logs showing that the packet was processed. Note that the LOG target is the only one that does not stop rule-checking in the chain - so you can log a packet with one rule, and then use a later rule in the chain to DROP, REJECT, or ACCEPT it<br />
|}<br />
<br />
To play with this:<br />
* Install the Apache web server on lin1 (the package is called httpd).<br />
* Enable and start that service.<br />
* Install links (a command-line web browser) and see if you can connect to http://localhost (it should work by default).<br />
* Using Firefox on c7host, check whether you can view the same webpage in lin1 (by default you wont).<br />
* Next, check the iptables rules in lin1 and try to figure out why Firefox could not connect from c7host by reading the output of <code>iptables -L</code> on lin1 carefully looking for clues whether lin1 is letting inbound http traffic (TCP port 80) through.<br />
* If the output of <code>iptables -L</code> on lin1 isn't letting HTTP traffic through, which by default it does not, add a rule to the iptables in lin1 to allow inbound traffic to pass through to Apache (TCP port 80).<br />
* Go back to c7host after verifing lin1 permits http traffic and once again test whether Firefox on c7host displays the webpage (you may need to give Firefox the IP address of lin1 to view the webpage). Now it should.<br />
<br />
If you make such a mess that you don't know what you did any longer, there are a couple of things that can help you get back to normal:<br />
<br />
* iptables --flush will erase all the rules<br />
* Restarting the iptables service will revert all the rules to the defaults.<br />
<br />
= PART 3: YOUR TASKS =<br />
<br />
Use what you learned so far and what you can learn online in order to set up the following:<br />
<br />
# lin1 will allow access to Apache from any source.<br />
# c7host will allow access to SSH from hosts on the 192.168.210.* subnet and deny it from any other source.<br />
<br />
= Lab completion =<br />
<br />
* Make sure you understand what you've done in this lab, so that you're ready to answer questions about it.<br />
* Have notes in your labbook from this lab.<br />
* Show your work to the professor and have them sign your labbook.</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210_Weekly_Schedule&diff=139194SRT210 Weekly Schedule2019-05-21T12:50:25Z<p>Mark: /* Summer 2019 */</p>
<hr />
<div>= Summer 2019 =<br />
<br />
<br />
<table cellspacing="0" cellpadding="5" width="100%" style="border-top: thin solid black;"><br />
<tr valign="top><br />
<td width="20%" style="border-bottom: thin solid black;font-weight:bold;background-color:#f0f0f5;">Week</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;background-color:#f0f0f5;">Objectives and Tasks</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;background-color:#f0f0f5;">Labs</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;background-color:#f0f0f5;">Other Assessments</td><br />
</tr> <br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 1:'''<br>6 - 10 may</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Course overview</li><br />
<li>Set up host machine for course work (c7host)</li><br />
<li>Offline file access security</li><br />
<li>passwd and shadow files</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_1 | Lab1]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;"></td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 2:'''<br>13 - 17 may</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Set up a nested virtual machine</li><br />
<li>Get familiar with basic networking setup and utilities used on Linux</li><br />
<li>Understand how the IPtables firewall works and use it to make simple rules</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_2 | Lab2]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">Quiz on Lab 1</td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 3:'''<br>20 - 24 may</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Understand how port forwarding works and how it relates to security.</li><br />
<li>Set up port forwarding using iptables.</li><br />
<li>Understand fundamental concepts that make up SELinux.</li><br />
<li>Troubleshoot problems caused by SELinux.</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_3 | Lab3]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">Quiz on Lab 2</td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 4:'''<br>27 - 31 may</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Understand the principles of how DNS works.</li><br />
<li>Set up an authoritative DNS server.</li><br />
<li>Test your DNS server to confirm that it works as expected.</li><br />
<li>Configure an operating system to use a specific DNS server.</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_4 | Lab4]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">Quiz on Lab 3</td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 5:'''<br>3 - 7 jun</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Reverse DNS</li><br />
<li>DNS and security</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_4_Part_2 | Lab4 Part 2]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Assignment1 | Assignment 1]] and Quiz on Lab 4</td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 6:'''<br>10 - 14 jun</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">Practical Midterm test</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_First_Half_Review | Review of labs to date]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;"/><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 7:'''<br>17 - 21 jun</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Results of the practical test and late assignments</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;"/><br />
<td style="border-bottom: thin solid black;font-weight:bold;"></td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;background-color:#f0f0f5;">'''Study Week:'''<br>24 - 28 jun</td><br />
<td colspan="3" style="border-bottom: thin solid black;background-color:#f0f0f5;">&nbsp;</td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 8:'''<br>1 - 5 jul</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Understand how DHCP works and set up a working server/client.</li><br />
<li>Understand which types of traffic can be captured where, from the point of view of an attacker.</li><br />
<li>Practice capturing traffic, and browsing it using Wireshark.</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_5 | Lab5]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;"></td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 9:'''<br>8 - 12 jul</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Learn some fundamental concepts and terminology used with LDAP.</li><br />
<li>Practice creating users in OpenLDAP.</li><br />
<li>Set up linux machines to authenticate against an OpenLDAP server.</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_6 | Lab6]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">Quiz on Lab 5</td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 10:'''<br>15 - 19 jul</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Understand the basics of public key encryption from a practical point of view.</li><br />
<li>Set up a Certificate Authority.</li><br />
<li>Create certificate+key pairs for servers, signed by your own CA.</li><br />
<li>Set up Apache to serve pages over HTTPS.</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_7 | Lab7]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">Quiz on Lab 6</td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 11:'''<br>22 - 26 jul</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Semi-automated host fingerprint distribution using /etc/skel/</li><br />
<li>Use assymetric encryption (with SSH keys) for password-less SSH authentication.</li><br />
<li>Ditribute SSH public keys manually.</li><br />
<li>Backup using rsync.</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_8 | Lab8]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">Quiz on Lab 7</td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 12:'''<br>jul 29 - 2 aug</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Review and practice for the exam.</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_8 | Lab8]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Assignment2 | Assignment 2]] and Quiz on Lab 8</td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 13:'''<br>5 - 9 aug</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">Practical Final Exam.</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Assignment2 | LATE Assignment 2]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;"></td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;background-color:#f0f0f5;">'''Exam Week:'''<br>12 - 16 aug</td><br />
<td colspan="3" style="border-bottom: thin solid black;background-color:#f0f0f5;">&nbsp;</td><br />
</tr><br />
</table><br />
<br />
<br />
[[Category:SRT210]]</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210_Lab_2&diff=139180SRT210 Lab 22019-05-16T19:09:41Z<p>Mark: /* Adding a rule */</p>
<hr />
<div>= Objectives =<br />
<br />
* Set up a nested virtual machine<br />
* Get familiar with basic networking setup and utilities used on Linux<br />
* Understand how the IPtables firewall works and use it to make simple rules<br />
<br />
= PART 1: NESTED VIRTUAL MACHINE =<br />
<br />
Since we're forced to use a Windows machine as the main VM host, we're going to have to set up nested virtualisation. Luckily that's not too difficult.<br />
<br />
* Change the settings for your c7host to have at least 4GB of RAM, and enable "Virtual Intel VT-X/EPT or AMD-V/RVI" under VM/Settings/Processors.<br />
* Install the following packages: qemu-kvm qemu-img virt-manager libvirt libvirt-python libvirt-client virt-install virt-viewer bridge-utils<br />
* Make sure (using <code>systemctl enable</code>) that the libvirtd service starts at boot.<br />
* Those will include both the KVM hypervisor and Virt Manager, which is a graphical tool used to administer it.<br />
* Create a new virtual machine with the following settings:<br />
** Will be installed from the network: https://mirror.senecacollege.ca/centos/7/os/x86_64/ or http://mirror.netflash.net/centos/7/os/x86_64/<br />
** 2GB of RAM<br />
** 10GB of disk<br />
** NAT for networking<br />
** hostname lin1<br />
** Minimal install<br />
<br />
After you're done - you'll have a command-line-only CentOS machine (lin1) running inside a graphical CentOS desktop (c7host).<br />
<br />
= PART 2: BASIC NETWORKING =<br />
<br />
== Simple commands ==<br />
<br />
Use these commands to check the curent network settings on lin1:<br />
<br />
* ip link (show interfaces)<br />
* ip address (the MAC address, IP address, and subnet mask for every interface)<br />
* ip route (the routing table)<br />
* cat /etc/resolv.conf (the DNS server you're configured to query)<br />
* arp -n (the ARP table)<br />
<br />
Note if you're missing a command - you can figure out what package contains in by using <code>yum whatprovides</code><br />
<br />
== New virtual network ==<br />
<br />
By default a KVM setup has a NAT network with a DHCP server. That works nicely out of the box but won't work for us because we'll need to configure network settings manually.<br />
<br />
# Power off lin1<br />
# In the '''Connection Details''' dialog box, select the '''Virtual Networks''' tab<br />
# Click to <u>de-select</u> the '''Autostart (on boot)''' check-box options and click the '''Apply''' button.<br />
# Stop the default network by clicking on the '''stop''' button at the bottom left-side of the dialog box.<br />
# Click the '''add''' button to add a new network configuration.<br />
# Leave the default network name '''network1'''.<br />
# In the next screen, enter the '''new network IP address space''' called: '''192.168.210.0/24'''<br />
# Disable '''DHCPv4'''<br />
# Enable Network Forwarding by Selecting '''Forwarding to physical network''', the destination should be '''Any physical device''' and the mode should be '''NAT'''<br />
<br />
== Network settings on lin1 ==<br />
<br />
* Now if you try to start lin1 - it will tell you that the network "default" is unavailable. Go into the lin1 VM settings and configure the NIC to use "network1" instead.<br />
* After starting the VM you'll find that your network interface is not configured (try all the commands above again to see their output).<br />
* Configure your wired interface by editing the file .<br />
* Change to the '''/etc/sysconfig/network-scripts''' directory.<br />
* List the contents of this directory. You should see 2 different types of files, network config scripts and network configuration files.<br />
* Look for the configuration file for your interface. It should have the name of the interface in the filename and the interface's MAC address in its contents.<br />
* Edit that file and give it the following settings:<br />
::DEVICE=eth0<br />
::IPADDR=192.168.210.11<br />
::NETMASK=255.255.255.0<br />
::GATEWAY=192.168.210.1<br />
::HWADDR=xx:xx:xx:xx:xx:xx '''# Make sure it's the right MAC address<br />
::DNS1=192.168.210.1 <br />
::BOOTPROTO=static<br />
::ONBOOT=yes<br />
::NM_CONTROLLED=yes<br />
::IPV6INIT=no<br />
* Ask yourself where did the IP address 192.168.210.1 come from and why it's your default gateway and DNS server.<br />
<br />
= PART 2: IPTABLES =<br />
<br />
CentOS comes with firewalld installed by default. We will not be using that, instead we'll do all our firewall work with iptables. Therefore we'll need to uninstall firewalld and install iptables management tools:<br />
<br />
* Use systemctl to stop firewalld and disable it from starting on boot.<br />
* Use yum to uninstall firewalld and install iptables-services<br />
* Use systemctl to start the iptables service and configure it to be started on boot.<br />
* Run <code>iptables -L</code>. We will be learning how to read that mess in the next section.<br />
<br />
IPtables is a complex system, and there's a lot of material this week to cover it. Keep in mind as you're going through the lab that you're trying to learn three things:<br />
<br />
* '''How iptables works'''<br />
* '''How to understand the current state of the firewall'''<br />
* '''How to make useful changes to the firewall'''<br />
<br />
== IPtables overview ==<br />
<br />
We will use an example of setting up a firewall on a web server.<br />
<br />
[[Image:iptables.png]]<br />
<br />
'''There are some important things to be aware of in terms of this diagram:'''<br />
<br />
:*There are '''<u>two sets</u> of IPtables rules (chains) that apply:''' '''OUTPUT/INPUT on the client''' and '''INPUT/OUTPUT on the server'''.<br>It is important to think about trafic from the perspective from the client as well as the server.<br />
<br />
:* '''Outbound traffic is rarely blocked <u>unless</u> there is a security policy to <u>prevent</u> some kind of traffic'''.<br>Even in that case, that security policy is usually performed on a router.<br />
<br />
:* '''Inbound traffic is of two distinct types'''. Our diagram shows:<br />
::# '''New incoming <u>connections</u>''' (what you normally think of as '''<u>inbound traffic</u>'''): the web server receives a '''new incoming connection'''.<br />
::# '''Incoming <u>data</u> that client receives as a response from the server''': the web page that the server sent back in the diagram above.<br />
<br />
::::The analogy would be like making a '''telephone call''':<ul><li>A '''NEW''' packet is like the phone ringing</li><li>An '''ESTABLISHED''' packet is the connection and the packet says "hello", along with any further communication.</li><li>A '''RELATED''' packet would be the same person calling on a second line. (eg. a second connection that is made because of something that happened in the first, like an ftp transfer).</li></ul><br />
<br />
::::We normally don't want to do anything special for the response. It is safe to assume that '''a connection that was allowed to be established should be allowed to receive a response'''. This is accomplished with the following '''INPUT chain rule''' that should be there by default on your machines:<br><br />
::::<pre>ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED</pre><br />
<br />
:* '''Rules are applied to:''' '''chains''' (e.g. ''input/output'') and contain information regarding the type of traffic they apply to. For example, '''protocols''' such as ''tcp/udp/icmp'', '''port numbers''' such as ''22 (SSH), 80 (HTTP), 443 (SHTTP)'', '''addresses''', and many other things.<br />
<br />
::Let's look at how these rules would apply to a simple web connection (HTTP - port 80):<br />
::# For the ''request'', the '''source port (sport) for the example in the above diagram is 40112''' and the '''destination port (dport) is 80'''<br />
::# For the ''response'', the '''source port (sport) is 80''' and the '''destination port (dport) is 40112'''<br />
::# Since the '''RELATED,ESTABLISHED''' rule already exists, we are only concerned about <u>'''controlling'''</u> the '''incoming traffic on the server''', which in our example, the '''chain is: INPUT''', the '''protocol is: tcp''', and the '''destination is: port 80'''.<br />
<br />
:* Most other services work in a similar way as discussed above.<br />
<br />
== Adding a rule ==<br />
<br />
'''<source>iptables -I OUTPUT -p tcp -s0/0 -d 0/0 --dport 80 -j DROP</source>'''<br />
<br />
Can be read like this: ''Insert a rule into the iptables OUTPUT chain that will match any tcp packet, with any a source address, any destination address, and a deistination port of 80. Any packet that matches will be dropped.''<br />
<br />
<br />
'''Let's break down the <u>command displayed above</u> to see how it works:'''<br />
<br />
<br />
<br />
{|cellpadding="15" width="60%"<br />
|- valign="top"<br />
| | <span style="font-family:courier; font-weight:bold">-I</span><br />
| | tells iptables to INSERT this line into the OUTPUT policy. This means it will be the first line in the policy. If we used a <span style="font-family:courier; font-weight:bold">-A</span> switch it would have appended the line and it would be the last line of the policy. If you are writing complex iptables rules where multiple matches can occur, it is important that the lines go in the right order. If you follow the -I with a number, the new rule will be inserted at that location in the chain (for example, <code>-I 3 OUTPUT</code> will insert the rule into the 3rd position in the OUTPUT chain, moving the existing rules down as necessary (the old rule #3 will become the new rule #4, for example)<br />
|- valign="top"<br />
|width="75" | '''-p tcp'''<br />
| | tells iptables to only match TCP packets. Alternately, the protocol could be set to '''udp''', '''icmp''', or '''all'''<br />
|- valign="top"<br />
| |'''-s0/0'''<br />
| |specifies the source IP address. 0/0 means a source address of “anywhere.” this has been put into the lab because your ip address will change because it is dynamically assigned. You can change this value if you want to the IP address that has been specifically assigned to your PC<br />
|- valign="top"<br />
| |'''-d0/0'''<br />
| |specifies the destination address. It makes sense that this address is set to “anywhere” because if we want to block all requests to the WWW, we will never know the specific IP address of web server that is trying to be accessed<br />
|- valign="top"<br />
| |'''--dport 80'''<br />
| |tells iptables to look at the destination port in the packet and see if it is equal to 80. Alternately, you can filter based on source addresses using the <code>--sport</code> switch<br />
|- valign="top"<br />
| |'''-j'''<br />
| |means when condition is met, then jump to a particular target – Basic targets are '''ACCEPT''', '''DROP''', '''REJECT''', and '''LOG'''. The available targets depend on which table contains the chain<br />
|- valign="top"<br />
| |'''DROP''' <br />
| |means drop the packet – make it disappear - and do not continue processing rules. '''REJECT''' is similar, but causes an error packet to be sent back to the source host. '''ACCEPT''' causes the packet to be processed. '''LOG''' causes an entry to be made in the system logs showing that the packet was processed. Note that the LOG target is the only one that does not stop rule-checking in the chain - so you can log a packet with one rule, and then use a later rule in the chain to DROP, REJECT, or ACCEPT it<br />
|}<br />
<br />
To play with this:<br />
* Install the Apache web server on lin1 (the package is called httpd).<br />
* Enable and start that service.<br />
* Install links (a command-line web browser) and see if you can connect to http://localhost (it should work by default).<br />
* Using Firefox on c7host, check whether you can view the same webpage in lin1 (by default you wont).<br />
* Next, check the iptables rules in lin1 and try to figure out why Firefox could not connect from c7host by reading the output of <code>iptables -L</code> on lin1 carefully looking for clues whether lin1 is letting inbound http traffic (TCP port 80) through.<br />
* If the output of <code>iptables -L</code> on lin1 isn't letting HTTP traffic through, which by default it does not, add a rule to the iptables in lin1 to allow inbound traffic to pass through to Apache (TCP port 80).<br />
* Go back to c7host after verifing lin1 permits http traffic and once again test whether Firefox on c7host displays the webpage (you may need to give Firefox the IP address of lin1 to view the webpage). Now it should.<br />
<br />
If you make such a mess that you don't know what you did any longer, there are a couple of things that can help you get back to normal:<br />
<br />
* iptables --flush will erase all the rules<br />
* Restarting the iptables service will revert all the rules to the defaults.<br />
<br />
= PART 3: YOUR TASKS =<br />
<br />
Use what you learned so far and what you can learn online in order to set up the following:<br />
<br />
# lin1 will allow access to Apache from any source.<br />
# c7host will allow access to SSH from hosts on the 192.168.210.* subnet and deny it from why other source.<br />
<br />
= Lab completion =<br />
<br />
* Make sure you understand what you've done in this lab, so that you're ready to answer questions about it.<br />
* Have notes in your labbook from this lab.<br />
* Show your work to the professor and have them sign your labbook.</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210_Lab_2&diff=139179SRT210 Lab 22019-05-16T13:00:01Z<p>Mark: /* Adding a rule */</p>
<hr />
<div>= Objectives =<br />
<br />
* Set up a nested virtual machine<br />
* Get familiar with basic networking setup and utilities used on Linux<br />
* Understand how the IPtables firewall works and use it to make simple rules<br />
<br />
= PART 1: NESTED VIRTUAL MACHINE =<br />
<br />
Since we're forced to use a Windows machine as the main VM host, we're going to have to set up nested virtualisation. Luckily that's not too difficult.<br />
<br />
* Change the settings for your c7host to have at least 4GB of RAM, and enable "Virtual Intel VT-X/EPT or AMD-V/RVI" under VM/Settings/Processors.<br />
* Install the following packages: qemu-kvm qemu-img virt-manager libvirt libvirt-python libvirt-client virt-install virt-viewer bridge-utils<br />
* Make sure (using <code>systemctl enable</code>) that the libvirtd service starts at boot.<br />
* Those will include both the KVM hypervisor and Virt Manager, which is a graphical tool used to administer it.<br />
* Create a new virtual machine with the following settings:<br />
** Will be installed from the network: https://mirror.senecacollege.ca/centos/7/os/x86_64/ or http://mirror.netflash.net/centos/7/os/x86_64/<br />
** 2GB of RAM<br />
** 10GB of disk<br />
** NAT for networking<br />
** hostname lin1<br />
** Minimal install<br />
<br />
After you're done - you'll have a command-line-only CentOS machine (lin1) running inside a graphical CentOS desktop (c7host).<br />
<br />
= PART 2: BASIC NETWORKING =<br />
<br />
== Simple commands ==<br />
<br />
Use these commands to check the curent network settings on lin1:<br />
<br />
* ip link (show interfaces)<br />
* ip address (the MAC address, IP address, and subnet mask for every interface)<br />
* ip route (the routing table)<br />
* cat /etc/resolv.conf (the DNS server you're configured to query)<br />
* arp -n (the ARP table)<br />
<br />
Note if you're missing a command - you can figure out what package contains in by using <code>yum whatprovides</code><br />
<br />
== New virtual network ==<br />
<br />
By default a KVM setup has a NAT network with a DHCP server. That works nicely out of the box but won't work for us because we'll need to configure network settings manually.<br />
<br />
# Power off lin1<br />
# In the '''Connection Details''' dialog box, select the '''Virtual Networks''' tab<br />
# Click to <u>de-select</u> the '''Autostart (on boot)''' check-box options and click the '''Apply''' button.<br />
# Stop the default network by clicking on the '''stop''' button at the bottom left-side of the dialog box.<br />
# Click the '''add''' button to add a new network configuration.<br />
# Leave the default network name '''network1'''.<br />
# In the next screen, enter the '''new network IP address space''' called: '''192.168.210.0/24'''<br />
# Disable '''DHCPv4'''<br />
# Enable Network Forwarding by Selecting '''Forwarding to physical network''', the destination should be '''Any physical device''' and the mode should be '''NAT'''<br />
<br />
== Network settings on lin1 ==<br />
<br />
* Now if you try to start lin1 - it will tell you that the network "default" is unavailable. Go into the lin1 VM settings and configure the NIC to use "network1" instead.<br />
* After starting the VM you'll find that your network interface is not configured (try all the commands above again to see their output).<br />
* Configure your wired interface by editing the file .<br />
* Change to the '''/etc/sysconfig/network-scripts''' directory.<br />
* List the contents of this directory. You should see 2 different types of files, network config scripts and network configuration files.<br />
* Look for the configuration file for your interface. It should have the name of the interface in the filename and the interface's MAC address in its contents.<br />
* Edit that file and give it the following settings:<br />
::DEVICE=eth0<br />
::IPADDR=192.168.210.11<br />
::NETMASK=255.255.255.0<br />
::GATEWAY=192.168.210.1<br />
::HWADDR=xx:xx:xx:xx:xx:xx '''# Make sure it's the right MAC address<br />
::DNS1=192.168.210.1 <br />
::BOOTPROTO=static<br />
::ONBOOT=yes<br />
::NM_CONTROLLED=yes<br />
::IPV6INIT=no<br />
* Ask yourself where did the IP address 192.168.210.1 come from and why it's your default gateway and DNS server.<br />
<br />
= PART 2: IPTABLES =<br />
<br />
CentOS comes with firewalld installed by default. We will not be using that, instead we'll do all our firewall work with iptables. Therefore we'll need to uninstall firewalld and install iptables management tools:<br />
<br />
* Use systemctl to stop firewalld and disable it from starting on boot.<br />
* Use yum to uninstall firewalld and install iptables-services<br />
* Use systemctl to start the iptables service and configure it to be started on boot.<br />
* Run <code>iptables -L</code>. We will be learning how to read that mess in the next section.<br />
<br />
IPtables is a complex system, and there's a lot of material this week to cover it. Keep in mind as you're going through the lab that you're trying to learn three things:<br />
<br />
* '''How iptables works'''<br />
* '''How to understand the current state of the firewall'''<br />
* '''How to make useful changes to the firewall'''<br />
<br />
== IPtables overview ==<br />
<br />
We will use an example of setting up a firewall on a web server.<br />
<br />
[[Image:iptables.png]]<br />
<br />
'''There are some important things to be aware of in terms of this diagram:'''<br />
<br />
:*There are '''<u>two sets</u> of IPtables rules (chains) that apply:''' '''OUTPUT/INPUT on the client''' and '''INPUT/OUTPUT on the server'''.<br>It is important to think about trafic from the perspective from the client as well as the server.<br />
<br />
:* '''Outbound traffic is rarely blocked <u>unless</u> there is a security policy to <u>prevent</u> some kind of traffic'''.<br>Even in that case, that security policy is usually performed on a router.<br />
<br />
:* '''Inbound traffic is of two distinct types'''. Our diagram shows:<br />
::# '''New incoming <u>connections</u>''' (what you normally think of as '''<u>inbound traffic</u>'''): the web server receives a '''new incoming connection'''.<br />
::# '''Incoming <u>data</u> that client receives as a response from the server''': the web page that the server sent back in the diagram above.<br />
<br />
::::The analogy would be like making a '''telephone call''':<ul><li>A '''NEW''' packet is like the phone ringing</li><li>An '''ESTABLISHED''' packet is the connection and the packet says "hello", along with any further communication.</li><li>A '''RELATED''' packet would be the same person calling on a second line. (eg. a second connection that is made because of something that happened in the first, like an ftp transfer).</li></ul><br />
<br />
::::We normally don't want to do anything special for the response. It is safe to assume that '''a connection that was allowed to be established should be allowed to receive a response'''. This is accomplished with the following '''INPUT chain rule''' that should be there by default on your machines:<br><br />
::::<pre>ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED</pre><br />
<br />
:* '''Rules are applied to:''' '''chains''' (e.g. ''input/output'') and contain information regarding the type of traffic they apply to. For example, '''protocols''' such as ''tcp/udp/icmp'', '''port numbers''' such as ''22 (SSH), 80 (HTTP), 443 (SHTTP)'', '''addresses''', and many other things.<br />
<br />
::Let's look at how these rules would apply to a simple web connection (HTTP - port 80):<br />
::# For the ''request'', the '''source port (sport) for the example in the above diagram is 40112''' and the '''destination port (dport) is 80'''<br />
::# For the ''response'', the '''source port (sport) is 80''' and the '''destination port (dport) is 40112'''<br />
::# Since the '''RELATED,ESTABLISHED''' rule already exists, we are only concerned about <u>'''controlling'''</u> the '''incoming traffic on the server''', which in our example, the '''chain is: INPUT''', the '''protocol is: tcp''', and the '''destination is: port 80'''.<br />
<br />
:* Most other services work in a similar way as discussed above.<br />
<br />
== Adding a rule ==<br />
<br />
'''<source>iptables -I OUTPUT -p tcp -s0/0 -d 0/0 --dport 80 -j DROP</source>'''<br />
<br />
Can be read like this: ''Insert a rule into the iptables OUTPUT chain that will match any tcp packet, with any a source address, any destination address, and a deistination port of 80. Any packet that matches will be dropped.''<br />
<br />
<br />
'''Let's break down the <u>command displayed above</u> to see how it works:'''<br />
<br />
<br />
<br />
{|cellpadding="15" width="60%"<br />
|- valign="top"<br />
| | <span style="font-family:courier; font-weight:bold">-I</span><br />
| | tells iptables to INSERT this line into the OUTPUT policy. This means it will be the first line in the policy. If we used a <span style="font-family:courier; font-weight:bold">-A</span> switch it would have appended the line and it would be the last line of the policy. If you are writing complex iptables rules where multiple matches can occur, it is important that the lines go in the right order. If you follow the -I with a number, the new rule will be inserted at that location in the chain (for example, <code>-I 3 OUTPUT</code> will insert the rule into the 3rd position in the OUTPUT chain, moving the existing rules down as necessary (the old rule #3 will become the new rule #4, for example)<br />
|- valign="top"<br />
|width="75" | '''-p tcp'''<br />
| | tells iptables to only match TCP packets. Alternately, the protocol could be set to '''udp''', '''icmp''', or '''all'''<br />
|- valign="top"<br />
| |'''-s0/0'''<br />
| |specifies the source IP address. 0/0 means a source address of “anywhere.” this has been put into the lab because your ip address will change because it is dynamically assigned. You can change this value if you want to the IP address that has been specifically assigned to your PC<br />
|- valign="top"<br />
| |'''-d0/0'''<br />
| |specifies the destination address. It makes sense that this address is set to “anywhere” because if we want to block all requests to the WWW, we will never know the specific IP address of web server that is trying to be accessed<br />
|- valign="top"<br />
| |'''--dport 80'''<br />
| |tells iptables to look at the destination port in the packet and see if it is equal to 80. Alternately, you can filter based on source addresses using the <code>--sport</code> switch<br />
|- valign="top"<br />
| |'''-j'''<br />
| |means when condition is met, then jump to a particular target – Basic targets are '''ACCEPT''', '''DROP''', '''REJECT''', and '''LOG'''. The available targets depend on which table contains the chain<br />
|- valign="top"<br />
| |'''DROP''' <br />
| |means drop the packet – make it disappear - and do not continue processing rules. '''REJECT''' is similar, but causes an error packet to be sent back to the source host. '''ACCEPT''' causes the packet to be processed. '''LOG''' causes an entry to be made in the system logs showing that the packet was processed. Note that the LOG target is the only one that does not stop rule-checking in the chain - so you can log a packet with one rule, and then use a later rule in the chain to DROP, REJECT, or ACCEPT it<br />
|}<br />
<br />
To play with this:<br />
* Install the Apache web server on lin1 (the package is called httpd).<br />
* Enable and start that service.<br />
* Install links (a command-line web browser) and see if you can connect to http://localhost (it should work by default).<br />
* Try to use Firefox on c7host to see the same webpage from lin1 (you may need the IP address of lin1). Also, Firefox should not work be able to connect to that same webpage if lin1 wasn't configured to permit HTTP traffic through, which lin1 isn't configured to do by default.<br />
* Check your iptables rules and try to figure out why Firefox cannot connect to lin1 from c7host. Read the output of <code>iptables -L</code> on lin1 carefully looking for clues that iptables on lin1 is letting inbound http traffic (TCP port 80) pass through.<br />
* If the output of <code>iptables -L</code> on lin1 isn't letting HTTP traffic through, which by default configuration it wont, add a rule on lin1 to allow inbound traffic to Apache (TCP port 80).<br />
* Go back to c7host after you verified that lin1 is letting http traffic through and once again verify that Firefox displays the webpage from lin1 (you may need to give Firefox the IP address of lin1).<br />
<br />
If you make such a mess that you don't know what you did any longer, there are a couple of things that can help you get back to normal:<br />
<br />
* iptables --flush will erase all the rules<br />
* Restarting the iptables service will revert all the rules to the defaults.<br />
<br />
= PART 3: YOUR TASKS =<br />
<br />
Use what you learned so far and what you can learn online in order to set up the following:<br />
<br />
# lin1 will allow access to Apache from any source.<br />
# c7host will allow access to SSH from hosts on the 192.168.210.* subnet and deny it from why other source.<br />
<br />
= Lab completion =<br />
<br />
* Make sure you understand what you've done in this lab, so that you're ready to answer questions about it.<br />
* Have notes in your labbook from this lab.<br />
* Show your work to the professor and have them sign your labbook.</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210_Lab_2&diff=139178SRT210 Lab 22019-05-16T12:53:34Z<p>Mark: /* Adding a rule */</p>
<hr />
<div>= Objectives =<br />
<br />
* Set up a nested virtual machine<br />
* Get familiar with basic networking setup and utilities used on Linux<br />
* Understand how the IPtables firewall works and use it to make simple rules<br />
<br />
= PART 1: NESTED VIRTUAL MACHINE =<br />
<br />
Since we're forced to use a Windows machine as the main VM host, we're going to have to set up nested virtualisation. Luckily that's not too difficult.<br />
<br />
* Change the settings for your c7host to have at least 4GB of RAM, and enable "Virtual Intel VT-X/EPT or AMD-V/RVI" under VM/Settings/Processors.<br />
* Install the following packages: qemu-kvm qemu-img virt-manager libvirt libvirt-python libvirt-client virt-install virt-viewer bridge-utils<br />
* Make sure (using <code>systemctl enable</code>) that the libvirtd service starts at boot.<br />
* Those will include both the KVM hypervisor and Virt Manager, which is a graphical tool used to administer it.<br />
* Create a new virtual machine with the following settings:<br />
** Will be installed from the network: https://mirror.senecacollege.ca/centos/7/os/x86_64/ or http://mirror.netflash.net/centos/7/os/x86_64/<br />
** 2GB of RAM<br />
** 10GB of disk<br />
** NAT for networking<br />
** hostname lin1<br />
** Minimal install<br />
<br />
After you're done - you'll have a command-line-only CentOS machine (lin1) running inside a graphical CentOS desktop (c7host).<br />
<br />
= PART 2: BASIC NETWORKING =<br />
<br />
== Simple commands ==<br />
<br />
Use these commands to check the curent network settings on lin1:<br />
<br />
* ip link (show interfaces)<br />
* ip address (the MAC address, IP address, and subnet mask for every interface)<br />
* ip route (the routing table)<br />
* cat /etc/resolv.conf (the DNS server you're configured to query)<br />
* arp -n (the ARP table)<br />
<br />
Note if you're missing a command - you can figure out what package contains in by using <code>yum whatprovides</code><br />
<br />
== New virtual network ==<br />
<br />
By default a KVM setup has a NAT network with a DHCP server. That works nicely out of the box but won't work for us because we'll need to configure network settings manually.<br />
<br />
# Power off lin1<br />
# In the '''Connection Details''' dialog box, select the '''Virtual Networks''' tab<br />
# Click to <u>de-select</u> the '''Autostart (on boot)''' check-box options and click the '''Apply''' button.<br />
# Stop the default network by clicking on the '''stop''' button at the bottom left-side of the dialog box.<br />
# Click the '''add''' button to add a new network configuration.<br />
# Leave the default network name '''network1'''.<br />
# In the next screen, enter the '''new network IP address space''' called: '''192.168.210.0/24'''<br />
# Disable '''DHCPv4'''<br />
# Enable Network Forwarding by Selecting '''Forwarding to physical network''', the destination should be '''Any physical device''' and the mode should be '''NAT'''<br />
<br />
== Network settings on lin1 ==<br />
<br />
* Now if you try to start lin1 - it will tell you that the network "default" is unavailable. Go into the lin1 VM settings and configure the NIC to use "network1" instead.<br />
* After starting the VM you'll find that your network interface is not configured (try all the commands above again to see their output).<br />
* Configure your wired interface by editing the file .<br />
* Change to the '''/etc/sysconfig/network-scripts''' directory.<br />
* List the contents of this directory. You should see 2 different types of files, network config scripts and network configuration files.<br />
* Look for the configuration file for your interface. It should have the name of the interface in the filename and the interface's MAC address in its contents.<br />
* Edit that file and give it the following settings:<br />
::DEVICE=eth0<br />
::IPADDR=192.168.210.11<br />
::NETMASK=255.255.255.0<br />
::GATEWAY=192.168.210.1<br />
::HWADDR=xx:xx:xx:xx:xx:xx '''# Make sure it's the right MAC address<br />
::DNS1=192.168.210.1 <br />
::BOOTPROTO=static<br />
::ONBOOT=yes<br />
::NM_CONTROLLED=yes<br />
::IPV6INIT=no<br />
* Ask yourself where did the IP address 192.168.210.1 come from and why it's your default gateway and DNS server.<br />
<br />
= PART 2: IPTABLES =<br />
<br />
CentOS comes with firewalld installed by default. We will not be using that, instead we'll do all our firewall work with iptables. Therefore we'll need to uninstall firewalld and install iptables management tools:<br />
<br />
* Use systemctl to stop firewalld and disable it from starting on boot.<br />
* Use yum to uninstall firewalld and install iptables-services<br />
* Use systemctl to start the iptables service and configure it to be started on boot.<br />
* Run <code>iptables -L</code>. We will be learning how to read that mess in the next section.<br />
<br />
IPtables is a complex system, and there's a lot of material this week to cover it. Keep in mind as you're going through the lab that you're trying to learn three things:<br />
<br />
* '''How iptables works'''<br />
* '''How to understand the current state of the firewall'''<br />
* '''How to make useful changes to the firewall'''<br />
<br />
== IPtables overview ==<br />
<br />
We will use an example of setting up a firewall on a web server.<br />
<br />
[[Image:iptables.png]]<br />
<br />
'''There are some important things to be aware of in terms of this diagram:'''<br />
<br />
:*There are '''<u>two sets</u> of IPtables rules (chains) that apply:''' '''OUTPUT/INPUT on the client''' and '''INPUT/OUTPUT on the server'''.<br>It is important to think about trafic from the perspective from the client as well as the server.<br />
<br />
:* '''Outbound traffic is rarely blocked <u>unless</u> there is a security policy to <u>prevent</u> some kind of traffic'''.<br>Even in that case, that security policy is usually performed on a router.<br />
<br />
:* '''Inbound traffic is of two distinct types'''. Our diagram shows:<br />
::# '''New incoming <u>connections</u>''' (what you normally think of as '''<u>inbound traffic</u>'''): the web server receives a '''new incoming connection'''.<br />
::# '''Incoming <u>data</u> that client receives as a response from the server''': the web page that the server sent back in the diagram above.<br />
<br />
::::The analogy would be like making a '''telephone call''':<ul><li>A '''NEW''' packet is like the phone ringing</li><li>An '''ESTABLISHED''' packet is the connection and the packet says "hello", along with any further communication.</li><li>A '''RELATED''' packet would be the same person calling on a second line. (eg. a second connection that is made because of something that happened in the first, like an ftp transfer).</li></ul><br />
<br />
::::We normally don't want to do anything special for the response. It is safe to assume that '''a connection that was allowed to be established should be allowed to receive a response'''. This is accomplished with the following '''INPUT chain rule''' that should be there by default on your machines:<br><br />
::::<pre>ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED</pre><br />
<br />
:* '''Rules are applied to:''' '''chains''' (e.g. ''input/output'') and contain information regarding the type of traffic they apply to. For example, '''protocols''' such as ''tcp/udp/icmp'', '''port numbers''' such as ''22 (SSH), 80 (HTTP), 443 (SHTTP)'', '''addresses''', and many other things.<br />
<br />
::Let's look at how these rules would apply to a simple web connection (HTTP - port 80):<br />
::# For the ''request'', the '''source port (sport) for the example in the above diagram is 40112''' and the '''destination port (dport) is 80'''<br />
::# For the ''response'', the '''source port (sport) is 80''' and the '''destination port (dport) is 40112'''<br />
::# Since the '''RELATED,ESTABLISHED''' rule already exists, we are only concerned about <u>'''controlling'''</u> the '''incoming traffic on the server''', which in our example, the '''chain is: INPUT''', the '''protocol is: tcp''', and the '''destination is: port 80'''.<br />
<br />
:* Most other services work in a similar way as discussed above.<br />
<br />
== Adding a rule ==<br />
<br />
'''<source>iptables -I OUTPUT -p tcp -s0/0 -d 0/0 --dport 80 -j DROP</source>'''<br />
<br />
Can be read like this: ''Insert a rule into the iptables OUTPUT chain that will match any tcp packet, with any a source address, any destination address, and a deistination port of 80. Any packet that matches will be dropped.''<br />
<br />
<br />
'''Let's break down the <u>command displayed above</u> to see how it works:'''<br />
<br />
<br />
<br />
{|cellpadding="15" width="60%"<br />
|- valign="top"<br />
| | <span style="font-family:courier; font-weight:bold">-I</span><br />
| | tells iptables to INSERT this line into the OUTPUT policy. This means it will be the first line in the policy. If we used a <span style="font-family:courier; font-weight:bold">-A</span> switch it would have appended the line and it would be the last line of the policy. If you are writing complex iptables rules where multiple matches can occur, it is important that the lines go in the right order. If you follow the -I with a number, the new rule will be inserted at that location in the chain (for example, <code>-I 3 OUTPUT</code> will insert the rule into the 3rd position in the OUTPUT chain, moving the existing rules down as necessary (the old rule #3 will become the new rule #4, for example)<br />
|- valign="top"<br />
|width="75" | '''-p tcp'''<br />
| | tells iptables to only match TCP packets. Alternately, the protocol could be set to '''udp''', '''icmp''', or '''all'''<br />
|- valign="top"<br />
| |'''-s0/0'''<br />
| |specifies the source IP address. 0/0 means a source address of “anywhere.” this has been put into the lab because your ip address will change because it is dynamically assigned. You can change this value if you want to the IP address that has been specifically assigned to your PC<br />
|- valign="top"<br />
| |'''-d0/0'''<br />
| |specifies the destination address. It makes sense that this address is set to “anywhere” because if we want to block all requests to the WWW, we will never know the specific IP address of web server that is trying to be accessed<br />
|- valign="top"<br />
| |'''--dport 80'''<br />
| |tells iptables to look at the destination port in the packet and see if it is equal to 80. Alternately, you can filter based on source addresses using the <code>--sport</code> switch<br />
|- valign="top"<br />
| |'''-j'''<br />
| |means when condition is met, then jump to a particular target – Basic targets are '''ACCEPT''', '''DROP''', '''REJECT''', and '''LOG'''. The available targets depend on which table contains the chain<br />
|- valign="top"<br />
| |'''DROP''' <br />
| |means drop the packet – make it disappear - and do not continue processing rules. '''REJECT''' is similar, but causes an error packet to be sent back to the source host. '''ACCEPT''' causes the packet to be processed. '''LOG''' causes an entry to be made in the system logs showing that the packet was processed. Note that the LOG target is the only one that does not stop rule-checking in the chain - so you can log a packet with one rule, and then use a later rule in the chain to DROP, REJECT, or ACCEPT it<br />
|}<br />
<br />
To play with this:<br />
* Install the Apache web server on lin1 (the package is called httpd).<br />
* Enable and start that service.<br />
* Install links (a command-line web browser) and see if you can connect to http://localhost (it should work by default).<br />
* Try to use Firefox on c7host to see the same webpage from lin1 (it should not work by default).<br />
* Check your iptables rules and try to figure out why Firefox cannot connect to lin1 from c7host. Read the output of <code>iptables -L</code> on lin1 carefully looking for clues that iptables on lin1 is letting inbound http traffic (TCP port 80) pass through.<br />
* If the output of <code>iptables -L</code> on lin1 isn't letting HTTP traffic through, which by default configuration it wont, add a rule on lin1 to allow inbound traffic to Apache (TCP port 80).<br />
<br />
If you make such a mess that you don't know what you did any longer, there are a couple of things that can help you get back to normal:<br />
<br />
* iptables --flush will erase all the rules<br />
* Restarting the iptables service will revert all the rules to the defaults.<br />
<br />
= PART 3: YOUR TASKS =<br />
<br />
Use what you learned so far and what you can learn online in order to set up the following:<br />
<br />
# lin1 will allow access to Apache from any source.<br />
# c7host will allow access to SSH from hosts on the 192.168.210.* subnet and deny it from why other source.<br />
<br />
= Lab completion =<br />
<br />
* Make sure you understand what you've done in this lab, so that you're ready to answer questions about it.<br />
* Have notes in your labbook from this lab.<br />
* Show your work to the professor and have them sign your labbook.</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210_Lab_1&diff=139173SRT210 Lab 12019-05-14T01:58:31Z<p>Mark: /* Resetting the root password */</p>
<hr />
<div>= Objectives =<br />
<br />
* Get an overview of the course, faculty, and expectations.<br />
* Set up host virtual machine to use in the course.<br />
* Understand offline file access security<br />
* Understand and modify passwd and shadow files<br />
<br />
= Introduction =<br />
<br />
* The course is made primarily of labs. It will contain traditional instruction but only enough to get you started. Use the rest of the time to practice what you're supposed to be learning and ask questions when you get stuck or when something doesn't make sense.<br />
* We'll typically have one week for each lab. The lab is due in class, and needs to be checked by the professor before class is over. That means you should plan to have everything done by the middle of the class.<br />
* Make the best out of your labbook. Not only is it a record of your progress (and your marks for the labs) but it's a large set of notes you'll be able to use at all the assessments.<br />
* Everything in the labbook must be hand-written (by you) and every page must have your name on it. If I catch you using someone else's notes during an assessment - that will be treated as plagiarism.<br />
* Speaking of plagiarism - it will not be tolerated in this course. You're encouraged to discuss and help each other (within reason) during labs, but all other assessed work must be completed independently.<br />
* The lab instructions are written for the lab environment at school, but ask your professor if you can use your own host for the coursework and assessments. Generally speaking it should be possible.<br />
* You do '''not''' need the following items which are listed in the course outline: USB stick; raspberry pi, case, cable, and power supply; network cable; SD card; and wireless adapter.<br />
<br />
= PART 1: HOST VIRTUAL MACHINE =<br />
<br />
== Overview ==<br />
<br />
You'll use the VMware on our lab machines as a hypervisor for your host. Typically you have one hypervisor running a bunch of VMs, but for securitty reasons in our lab environment we'll need to use nested virtualisation.<br />
<br />
That means the VMware hypervisor will run on the real hardware (the lab machine) and we'll set up a second hypervisor in one VMware VM, which will host several other VMs.<br />
<br />
== Create Host VM ==<br />
<br />
Make sure your SSD drive has a single NTFS partition taking up the whole space.<br />
<br />
Start VMware workstation and create a new virtual machine, with the following specifications:<br />
<br />
* Install from the CentOS 7 iso.<br />
* Set the hostname to matrixusernameVMhost (notice that VM is in capitals but everything else is lowercase).<br />
* Store the virtual machine files on your SSD drive.<br />
* Set up the virtual disk to be up to 180GB in size, a single file.<br />
* Set up the network adapter to be in bridged mode.<br />
<br />
== Install CentOS ==<br />
<br />
During the CentOS installation, make sure to follow these instructions:<br />
<br />
* Set the software selection to Gnome Desktop<br />
* Configure the "partition" layout by starting from the defaults:<br />
** 20GB for /<br />
** 40GB for /home<br />
** The rest (about 117GB) for /var/lib/libvirt/images<br />
* Set the hostname to c7host.<br />
* The network should be connected on boot, as a dhcp client for now.<br />
* Set the root password to something different from your regular user password.<br />
* Create a regular user with the same username as your matrix (MySeneca) username. Set the password to anything you like, as long as it's different from the root password.<br />
<br />
Once the installation is complete your andrewVMhost virtual machine should boot into CentOS when it's powered on, you should be able to log in with your username, and browse the internet using Firefox.<br />
<br />
== Create "secret" files ==<br />
<br />
Create a simple text file in your user's home directory called secrets.txt and put some text in that file.<br />
<br />
Create another file secrets-root.txt in the root's home directory and put some text in that file as well.<br />
<br />
Notice how it appears that you need your user's password in order to log in and access the user's secrets.txt and the root password to access secrets-root.txt<br />
<br />
= PART 2: OFFLINE ACCESS SECURITY =<br />
<br />
The short version of this section is that with access to the physical machine (or the virtual disk images in our case) there is practically nothing you can do to secure a system. We'll look at a couple of simple examples to illustrate this point.<br />
<br />
Download the latest SystemRescueCd ISO file on windows and configure your host virtual machine to boot from that file.<br />
<br />
== Access to files ==<br />
<br />
* Notice that when the machine boots from the systemrescuecd it does not ask for a password. You just press enter a few times and you are logged in as root, with full control over the system.<br />
* If you can figure out the device file associated with the filesystems in your c7host, you can easily access (read or write) any files in there. Run <code>blkid</code> and see which block devices ring a bell.<br />
* Then create a couple of directories under /mnt: centos-root and centos-home. <br />
* Then mount the two filesystems you found into those directories.<br />
* At this point you'll have unrestricted access to all the files inside the root and home logical volumes you created when you installed CentOS.<br />
* Find the secrets.txt and secrets-root.txt files and read their contents. Modify those files to include the line "Please secure your system!"<br />
* Shut down your VM (properly), disconnect the DVD drive, and boot back into c7host. Check your secret files. Notice that you can't get to them until you log in with a password.<br />
<br />
Practice the above by looking for other files that might be of interest. Configuration files, databases, .htaccess files, etc.<br />
<br />
== Resetting the root password ==<br />
<br />
A variation of the file access above is a specific example of changing a file which contains the root password.<br />
<br />
* Boot from SystemRescueCd again and mount your c7host root filesystem.<br />
* Have a look at the etc/passwd file. That has a list of all the users on c7host.<br />
* Have a look at the etc/shadow file. This file has the salted and hashed passwords for all the users that have a password.<br />
* You should understand the structure of both files, epecially:<br />
** username<br />
** UID<br />
** GID<br />
** home directory<br />
** shell<br />
** hashed password<br />
* Replace the hashed password field for the root user with nothing. After editing the line for <code>root</code> should look like this:<code>root:::::::</code><br />
* Reboot into CentOS and try to log in.<br />
<br />
{{Admon/important|SELinux|Depending on how you edited your file: at this point you may not be able to log in as any user with any password. The root password has been removed but SELinux is "securing" your system and will not allow the login process to read the shadow file, therefore you can't log in. We'll need to fix this.}}<br />
<br />
* Reboot your VM and at the boot prompt press <code>e</code> (for Edit).<br />
* Scroll down to the line that starts with <code>linux16</code>. These are the parameters passed to the kernel when it's started.<br />
* At the end of that line add <code>enforcing=0</code><br />
* Press <code>Ctrl-x</code> to boot the system.<br />
* Now you should be able to log in, and you'll get a message about some SELinux problems.<br />
* One of those messages will suggest that you run <code>restorecon -v /etc/shadow</code>. Do that as root (notice you don't need to type in a root password any more).<br />
* Now you can disconnect your DVD drive, reboot, and log in normally.<br />
<br />
SELinux added steps to the process, but it's nothing more than a distraction. At the end of the day - you should have figured out that as long as you control the disk image, you have full control over its contents. <br />
<br />
=== The same using CentOS ISO ===<br />
<br />
You can accomplish the same thing you did above by using the CentOS ISO instead of SystemRescueCd. It will be easier because you won't need to reset the SELinux context on the shadow file.<br />
<br />
* Set up your VM to boot from the CentOS installation ISO.<br />
* At the boot prompt choose Troubleshooting/Rescue a CentOS system.<br />
* When it boots up, choose option 1.<br />
* Notice that the VM's root filesystem has been mounted for you automatically. <br />
* Remove your regular user's password from the shadow file.<br />
* Disconnect the DVD drive, reboot, and log in.<br />
<br />
After you're done with this section - reset both your root's and regular user's passwords to something reasonable.<br />
<br />
= Lab completion =<br />
<br />
* Make sure you understand what you've done in this lab, so that you're ready to answer questions about it.<br />
* Have notes in your labbook from this lab.<br />
* Show your work to the professor and have them sign your labbook.</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210_Lab_1&diff=139172SRT210 Lab 12019-05-13T14:50:34Z<p>Mark: /* Overview */</p>
<hr />
<div>= Objectives =<br />
<br />
* Get an overview of the course, faculty, and expectations.<br />
* Set up host virtual machine to use in the course.<br />
* Understand offline file access security<br />
* Understand and modify passwd and shadow files<br />
<br />
= Introduction =<br />
<br />
* The course is made primarily of labs. It will contain traditional instruction but only enough to get you started. Use the rest of the time to practice what you're supposed to be learning and ask questions when you get stuck or when something doesn't make sense.<br />
* We'll typically have one week for each lab. The lab is due in class, and needs to be checked by the professor before class is over. That means you should plan to have everything done by the middle of the class.<br />
* Make the best out of your labbook. Not only is it a record of your progress (and your marks for the labs) but it's a large set of notes you'll be able to use at all the assessments.<br />
* Everything in the labbook must be hand-written (by you) and every page must have your name on it. If I catch you using someone else's notes during an assessment - that will be treated as plagiarism.<br />
* Speaking of plagiarism - it will not be tolerated in this course. You're encouraged to discuss and help each other (within reason) during labs, but all other assessed work must be completed independently.<br />
* The lab instructions are written for the lab environment at school, but ask your professor if you can use your own host for the coursework and assessments. Generally speaking it should be possible.<br />
* You do '''not''' need the following items which are listed in the course outline: USB stick; raspberry pi, case, cable, and power supply; network cable; SD card; and wireless adapter.<br />
<br />
= PART 1: HOST VIRTUAL MACHINE =<br />
<br />
== Overview ==<br />
<br />
You'll use the VMware on our lab machines as a hypervisor for your host. Typically you have one hypervisor running a bunch of VMs, but for securitty reasons in our lab environment we'll need to use nested virtualisation.<br />
<br />
That means the VMware hypervisor will run on the real hardware (the lab machine) and we'll set up a second hypervisor in one VMware VM, which will host several other VMs.<br />
<br />
== Create Host VM ==<br />
<br />
Make sure your SSD drive has a single NTFS partition taking up the whole space.<br />
<br />
Start VMware workstation and create a new virtual machine, with the following specifications:<br />
<br />
* Install from the CentOS 7 iso.<br />
* Set the hostname to matrixusernameVMhost (notice that VM is in capitals but everything else is lowercase).<br />
* Store the virtual machine files on your SSD drive.<br />
* Set up the virtual disk to be up to 180GB in size, a single file.<br />
* Set up the network adapter to be in bridged mode.<br />
<br />
== Install CentOS ==<br />
<br />
During the CentOS installation, make sure to follow these instructions:<br />
<br />
* Set the software selection to Gnome Desktop<br />
* Configure the "partition" layout by starting from the defaults:<br />
** 20GB for /<br />
** 40GB for /home<br />
** The rest (about 117GB) for /var/lib/libvirt/images<br />
* Set the hostname to c7host.<br />
* The network should be connected on boot, as a dhcp client for now.<br />
* Set the root password to something different from your regular user password.<br />
* Create a regular user with the same username as your matrix (MySeneca) username. Set the password to anything you like, as long as it's different from the root password.<br />
<br />
Once the installation is complete your andrewVMhost virtual machine should boot into CentOS when it's powered on, you should be able to log in with your username, and browse the internet using Firefox.<br />
<br />
== Create "secret" files ==<br />
<br />
Create a simple text file in your user's home directory called secrets.txt and put some text in that file.<br />
<br />
Create another file secrets-root.txt in the root's home directory and put some text in that file as well.<br />
<br />
Notice how it appears that you need your user's password in order to log in and access the user's secrets.txt and the root password to access secrets-root.txt<br />
<br />
= PART 2: OFFLINE ACCESS SECURITY =<br />
<br />
The short version of this section is that with access to the physical machine (or the virtual disk images in our case) there is practically nothing you can do to secure a system. We'll look at a couple of simple examples to illustrate this point.<br />
<br />
Download the latest SystemRescueCd ISO file on windows and configure your host virtual machine to boot from that file.<br />
<br />
== Access to files ==<br />
<br />
* Notice that when the machine boots from the systemrescuecd it does not ask for a password. You just press enter a few times and you are logged in as root, with full control over the system.<br />
* If you can figure out the device file associated with the filesystems in your c7host, you can easily access (read or write) any files in there. Run <code>blkid</code> and see which block devices ring a bell.<br />
* Then create a couple of directories under /mnt: centos-root and centos-home. <br />
* Then mount the two filesystems you found into those directories.<br />
* At this point you'll have unrestricted access to all the files inside the root and home logical volumes you created when you installed CentOS.<br />
* Find the secrets.txt and secrets-root.txt files and read their contents. Modify those files to include the line "Please secure your system!"<br />
* Shut down your VM (properly), disconnect the DVD drive, and boot back into c7host. Check your secret files. Notice that you can't get to them until you log in with a password.<br />
<br />
Practice the above by looking for other files that might be of interest. Configuration files, databases, .htaccess files, etc.<br />
<br />
== Resetting the root password ==<br />
<br />
A variation of the file access above is a specific example of changing a file which contains the root password.<br />
<br />
* Boot from SystemRescueCd again and mount your c7host root filesystem.<br />
* Have a look at the etc/passwd file. That has a list of all the users on c7host.<br />
* Have a look at the etc/shadow file. This file has the salted and hashed passwords for all the users that have a password.<br />
* You should understand the structure of both files, epecially:<br />
** username<br />
** UID<br />
** GID<br />
** home directory<br />
** shell<br />
** hashed password<br />
* Replace the hashed password field for the root user with nothing.<br />
* Reboot into CentOS and try to log in.<br />
<br />
{{Admon/important|SELinux|Depending on how you edited your file: at this point you may not be able to log in as any user with any password. The root password has been removed but SELinux is "securing" your system and will not allow the login process to read the shadow file, therefore you can't log in. We'll need to fix this.}}<br />
<br />
* Reboot your VM and at the boot prompt press <code>e</code> (for Edit).<br />
* Scroll down to the line that starts with <code>linux16</code>. These are the parameters passed to the kernel when it's started.<br />
* At the end of that line add <code>enforcing=0</code><br />
* Press <code>Ctrl-x</code> to boot the system.<br />
* Now you should be able to log in, and you'll get a message about some SELinux problems.<br />
* One of those messages will suggest that you run <code>restorecon -v /etc/shadow</code>. Do that as root (notice you don't need to type in a root password any more).<br />
* Now you can disconnect your DVD drive, reboot, and log in normally.<br />
<br />
SELinux added steps to the process, but it's nothing more than a distraction. At the end of the day - you should have figured out that as long as you control the disk image, you have full control over its contents. <br />
<br />
=== The same using CentOS ISO ===<br />
<br />
You can accomplish the same thing you did above by using the CentOS ISO instead of SystemRescueCd. It will be easier because you won't need to reset the SELinux context on the shadow file.<br />
<br />
* Set up your VM to boot from the CentOS installation ISO.<br />
* At the boot prompt choose Troubleshooting/Rescue a CentOS system.<br />
* When it boots up, choose option 1.<br />
* Notice that the VM's root filesystem has been mounted for you automatically. <br />
* Remove your regular user's password from the shadow file.<br />
* Disconnect the DVD drive, reboot, and log in.<br />
<br />
After you're done with this section - reset both your root's and regular user's passwords to something reasonable.<br />
<br />
= Lab completion =<br />
<br />
* Make sure you understand what you've done in this lab, so that you're ready to answer questions about it.<br />
* Have notes in your labbook from this lab.<br />
* Show your work to the professor and have them sign your labbook.</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210&diff=139164SRT2102019-05-09T19:57:48Z<p>Mark: /* Required Materials (for second class) */</p>
<hr />
<div>{| style="float: right; margin: 0 0 3em 2em; border: 1px solid black;"<br />
!style="background: #cccccc"| Quick Links<br />
|-<br />
|<div style="background:#ffff00">[[SRT210_Weekly_Schedule | Weekly Schedule]]</div>[https://ict.senecacollege.ca/course/srt210 Course Outline]<br />
|-<br />
!style="background: #cccccc"| Assignments<br />
|-<br />
|[[SRT210_Assignment1 | Assignment 1]]<br />
[[SRT210_Assignment2 | Assignment 2]]<br />
|}<br />
<br />
= Welcome to SRT210 - ''The Pragmatic Art of Administration'' =<br />
{| width="100%" align="right" cellpadding="10"<br />
|- valign="top"<br />
| width="55%"|<br />
== What This Course is About ==<br />
<br />
The more you understand about how a system works - the better you'll be prepared to validate its security and make a plan to keep it as secure as the organisation requires.<br />
<br />
In this course you'll get a hands-on overview of several very common systems used on private networks and the internet today.<br />
<br />
== Learning by Doing ==<br />
<br />
Most of the learning in this course occurs through the hands-on problem solving that takes place in the labs and assignments.<br />
<br />
<u>Requirements for Success</u><br />
<br />
:* It is very important to stay up-to-date with the coursework, and to practice until you have confidently mastered each task.<br />
<br />
:* The notes that you make during the labs and assignments are your reference material for the quizzes, tests, and assignments. Take really good notes, and if you have questions, experiment and consult with your professor.<br />
<br />
:* Carefully read ALL lab instructions and check your work regularly. Since you'll have the administrator password for your systems - you have full control over them and can damage them beyond repair with a single mistyped command.<br />
<br />
== Course Faculty ==<br />
<br />
'''During the <b>Summer 2019</b> semester, SRT210 is taught by:'''<br />
<br />
| width="40% |<br />
<br />
==Required Materials (for second class)==<br />
<table cellpadding="10" cellspacing="0" width="100%"><br />
<tr><td width="10%" style="border-bottom: thin solid #cccccc;">[[Image:ssd.png|left|95px]]</td><td width="20%" style="border-bottom: thin solid #cccccc;padding-top:25px;padding-bottom:25px;">'''Solid State Drive (SSD)'''</td><td width="20%" style="border-bottom: thin solid #cccccc;text-align:right;">'''Minimum Capacity:''' 240 GB</td></tr><br />
<tr valign="top"><td width="10%" style="border-bottom: thin solid #cccccc;">[[Image:blank-cd.png|left|50px]]</td><td width="20%" style="border-bottom: thin solid #cccccc;">'''CentOS 7 Full Install<br>DVD Image'''</td><td width="20%" style="border-bottom: thin solid #cccccc;text-align:right;">[https://mirror.senecacollege.ca/centos/7/isos/x86_64/CentOS-7-x86_64-DVD-1810.iso Download at Seneca Lab]<br>[http://mirror.netflash.net/centos/7/isos/x86_64/CentOS-7-x86_64-DVD-1810.iso Download from Home]</td></tr><br />
<tr valign="top"><td width="10%" style="border-bottom: thin solid #cccccc;">[[Image:blank-cd.png|left|50px]]</td><td width="20%" style="border-bottom: thin solid #cccccc;">'''SystemRescueCd<br>CD Image'''</td><td width="20%" style="border-bottom: thin solid #cccccc;text-align:right;">[http://cs.senecacollege.ca/~andrew.smith/srt210/systemrescuecd-x86-5.3.2.iso Download at Seneca Lab]</td></tr><br />
<tr><td width="10%" style="border-bottom: thin solid #cccccc;">[[Image:log-book.png|left|44px]]</td><td width="20%" style="border-bottom: thin solid #cccccc;">'''Lab Log-book'''<br> <!-- (download &amp; print<br>Both sides per lab permitted)--></td><td width="20%" style="border-bottom: thin solid #cccccc;text-align:right;"> <!--[[:File:19b-SRT210_logbook.pdf|Download PDF]][[:File:SRT210_logbook.pdf|Download PDF]]</td></tr> --><br />
'''(Update: May 7 2019): Will be Handed Out during Week 2'''<br />
</table><br />
|}<br />
{|cellpadding="15" width="70%"<br />
|- valign="top"<br />
|[[Image:MarkFernandes.jpg|thumb|left|185px|<b>Mark Fernandes</b><br />Months: '''May''' and '''Jun'''<br />mark.fernandes@senecacollege.ca<br />[https://scs.senecac.on.ca/~mark.fernandes/Schedule.html Mark's schedule] ]]<br />
|[[Image:andrew.jpg|thumb|left|185px|<b>Andrew Smith</b><br />Months: '''Jul''' and '''Aug'''<br />andrew.smith@senecacollege.ca<br />[http://littlesvr.ca/currentposition.php Andrew's schedule] ]]<br />
|}<br />
<br />
== Wiki Participation ==<br />
<br />
* You can edit these pages! Please feel free to fix typos or add links to additional resources. Please use this capability responsibly.<br />
<br />
<br />
[[Category:OPS235]]</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210&diff=139163SRT2102019-05-09T19:56:45Z<p>Mark: /* Required Materials (for second class) */</p>
<hr />
<div>{| style="float: right; margin: 0 0 3em 2em; border: 1px solid black;"<br />
!style="background: #cccccc"| Quick Links<br />
|-<br />
|<div style="background:#ffff00">[[SRT210_Weekly_Schedule | Weekly Schedule]]</div>[https://ict.senecacollege.ca/course/srt210 Course Outline]<br />
|-<br />
!style="background: #cccccc"| Assignments<br />
|-<br />
|[[SRT210_Assignment1 | Assignment 1]]<br />
[[SRT210_Assignment2 | Assignment 2]]<br />
|}<br />
<br />
= Welcome to SRT210 - ''The Pragmatic Art of Administration'' =<br />
{| width="100%" align="right" cellpadding="10"<br />
|- valign="top"<br />
| width="55%"|<br />
== What This Course is About ==<br />
<br />
The more you understand about how a system works - the better you'll be prepared to validate its security and make a plan to keep it as secure as the organisation requires.<br />
<br />
In this course you'll get a hands-on overview of several very common systems used on private networks and the internet today.<br />
<br />
== Learning by Doing ==<br />
<br />
Most of the learning in this course occurs through the hands-on problem solving that takes place in the labs and assignments.<br />
<br />
<u>Requirements for Success</u><br />
<br />
:* It is very important to stay up-to-date with the coursework, and to practice until you have confidently mastered each task.<br />
<br />
:* The notes that you make during the labs and assignments are your reference material for the quizzes, tests, and assignments. Take really good notes, and if you have questions, experiment and consult with your professor.<br />
<br />
:* Carefully read ALL lab instructions and check your work regularly. Since you'll have the administrator password for your systems - you have full control over them and can damage them beyond repair with a single mistyped command.<br />
<br />
== Course Faculty ==<br />
<br />
'''During the <b>Summer 2019</b> semester, SRT210 is taught by:'''<br />
<br />
| width="40% |<br />
<br />
==Required Materials (for second class)==<br />
<table cellpadding="10" cellspacing="0" width="100%"><br />
<tr><td width="10%" style="border-bottom: thin solid #cccccc;">[[Image:ssd.png|left|95px]]</td><td width="20%" style="border-bottom: thin solid #cccccc;padding-top:25px;padding-bottom:25px;">'''Solid State Drive (SSD)'''</td><td width="20%" style="border-bottom: thin solid #cccccc;text-align:right;">'''Minimum Capacity:''' 240 GB</td></tr><br />
<tr valign="top"><td width="10%" style="border-bottom: thin solid #cccccc;">[[Image:blank-cd.png|left|50px]]</td><td width="20%" style="border-bottom: thin solid #cccccc;">'''CentOS 7 Full Install<br>DVD Image'''</td><td width="20%" style="border-bottom: thin solid #cccccc;text-align:right;">[https://mirror.senecacollege.ca/centos/7/isos/x86_64/CentOS-7-x86_64-DVD-1810.iso Download at Seneca Lab]<br>[http://mirror.netflash.net/centos/7/isos/x86_64/CentOS-7-x86_64-DVD-1810.iso Download from Home]</td></tr><br />
<tr valign="top"><td width="10%" style="border-bottom: thin solid #cccccc;">[[Image:blank-cd.png|left|50px]]</td><td width="20%" style="border-bottom: thin solid #cccccc;">'''SystemRescueCd<br>CD Image'''</td><td width="20%" style="border-bottom: thin solid #cccccc;text-align:right;">[http://cs.senecacollege.ca/~andrew.smith/srt210/systemrescuecd-x86-5.3.2.iso Download at Seneca Lab]</td></tr><br />
<tr><td width="10%" style="border-bottom: thin solid #cccccc;">[[Image:log-book.png|left|44px]]</td><td width="20%" style="border-bottom: thin solid #cccccc;">'''Lab Log-book'''<!-- <br>(download &amp; print<br>Both sides per lab permitted)</td><td width="20%" style="border-bottom: thin solid #cccccc;text-align:right;"> [[:File:19b-SRT210_logbook.pdf|Download PDF]][[:File:SRT210_logbook.pdf|Download PDF]]</td></tr> --><br />
'''(Update: May 7 2019): Will be Handed Out during Week 2'''<br />
</table><br />
|}<br />
{|cellpadding="15" width="70%"<br />
|- valign="top"<br />
|[[Image:MarkFernandes.jpg|thumb|left|185px|<b>Mark Fernandes</b><br />Months: '''May''' and '''Jun'''<br />mark.fernandes@senecacollege.ca<br />[https://scs.senecac.on.ca/~mark.fernandes/Schedule.html Mark's schedule] ]]<br />
|[[Image:andrew.jpg|thumb|left|185px|<b>Andrew Smith</b><br />Months: '''Jul''' and '''Aug'''<br />andrew.smith@senecacollege.ca<br />[http://littlesvr.ca/currentposition.php Andrew's schedule] ]]<br />
|}<br />
<br />
== Wiki Participation ==<br />
<br />
* You can edit these pages! Please feel free to fix typos or add links to additional resources. Please use this capability responsibly.<br />
<br />
<br />
[[Category:OPS235]]</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=File:19b-SRT210_logbook.pdf&diff=139161File:19b-SRT210 logbook.pdf2019-05-09T18:46:55Z<p>Mark: </p>
<hr />
<div></div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210&diff=139160SRT2102019-05-09T18:45:51Z<p>Mark: /* Required Materials (for second class) */</p>
<hr />
<div>{| style="float: right; margin: 0 0 3em 2em; border: 1px solid black;"<br />
!style="background: #cccccc"| Quick Links<br />
|-<br />
|<div style="background:#ffff00">[[SRT210_Weekly_Schedule | Weekly Schedule]]</div>[https://ict.senecacollege.ca/course/srt210 Course Outline]<br />
|-<br />
!style="background: #cccccc"| Assignments<br />
|-<br />
|[[SRT210_Assignment1 | Assignment 1]]<br />
[[SRT210_Assignment2 | Assignment 2]]<br />
|}<br />
<br />
= Welcome to SRT210 - ''The Pragmatic Art of Administration'' =<br />
{| width="100%" align="right" cellpadding="10"<br />
|- valign="top"<br />
| width="55%"|<br />
== What This Course is About ==<br />
<br />
The more you understand about how a system works - the better you'll be prepared to validate its security and make a plan to keep it as secure as the organisation requires.<br />
<br />
In this course you'll get a hands-on overview of several very common systems used on private networks and the internet today.<br />
<br />
== Learning by Doing ==<br />
<br />
Most of the learning in this course occurs through the hands-on problem solving that takes place in the labs and assignments.<br />
<br />
<u>Requirements for Success</u><br />
<br />
:* It is very important to stay up-to-date with the coursework, and to practice until you have confidently mastered each task.<br />
<br />
:* The notes that you make during the labs and assignments are your reference material for the quizzes, tests, and assignments. Take really good notes, and if you have questions, experiment and consult with your professor.<br />
<br />
:* Carefully read ALL lab instructions and check your work regularly. Since you'll have the administrator password for your systems - you have full control over them and can damage them beyond repair with a single mistyped command.<br />
<br />
== Course Faculty ==<br />
<br />
'''During the <b>Summer 2019</b> semester, SRT210 is taught by:'''<br />
<br />
| width="40% |<br />
<br />
==Required Materials (for second class)==<br />
<table cellpadding="10" cellspacing="0" width="100%"><br />
<tr><td width="10%" style="border-bottom: thin solid #cccccc;">[[Image:ssd.png|left|95px]]</td><td width="20%" style="border-bottom: thin solid #cccccc;padding-top:25px;padding-bottom:25px;">'''Solid State Drive (SSD)'''</td><td width="20%" style="border-bottom: thin solid #cccccc;text-align:right;">'''Minimum Capacity:''' 240 GB</td></tr><br />
<tr valign="top"><td width="10%" style="border-bottom: thin solid #cccccc;">[[Image:blank-cd.png|left|50px]]</td><td width="20%" style="border-bottom: thin solid #cccccc;">'''CentOS 7 Full Install<br>DVD Image'''</td><td width="20%" style="border-bottom: thin solid #cccccc;text-align:right;">[https://mirror.senecacollege.ca/centos/7/isos/x86_64/CentOS-7-x86_64-DVD-1810.iso Download at Seneca Lab]<br>[http://mirror.netflash.net/centos/7/isos/x86_64/CentOS-7-x86_64-DVD-1810.iso Download from Home]</td></tr><br />
<tr valign="top"><td width="10%" style="border-bottom: thin solid #cccccc;">[[Image:blank-cd.png|left|50px]]</td><td width="20%" style="border-bottom: thin solid #cccccc;">'''SystemRescueCd<br>CD Image'''</td><td width="20%" style="border-bottom: thin solid #cccccc;text-align:right;">[http://cs.senecacollege.ca/~andrew.smith/srt210/systemrescuecd-x86-5.3.2.iso Download at Seneca Lab]</td></tr><br />
<tr><td width="10%" style="border-bottom: thin solid #cccccc;">[[Image:log-book.png|left|44px]]</td><td width="20%" style="border-bottom: thin solid #cccccc;">'''Lab Log-book'''<br>(download &amp; print<br>Both sides per lab permitted)</td><td width="20%" style="border-bottom: thin solid #cccccc;text-align:right;">[[:File:19b-SRT210_logbook.pdf|Download PDF]]<!-- [[:File:SRT210_logbook.pdf|Download PDF]]</td></tr> --><br />
'''(Update: May 7 2019): Will be Handed Out during Week 2'''<br />
</table><br />
|}<br />
{|cellpadding="15" width="70%"<br />
|- valign="top"<br />
|[[Image:MarkFernandes.jpg|thumb|left|185px|<b>Mark Fernandes</b><br />Months: '''May''' and '''Jun'''<br />mark.fernandes@senecacollege.ca<br />[https://scs.senecac.on.ca/~mark.fernandes/Schedule.html Mark's schedule] ]]<br />
|[[Image:andrew.jpg|thumb|left|185px|<b>Andrew Smith</b><br />Months: '''Jul''' and '''Aug'''<br />andrew.smith@senecacollege.ca<br />[http://littlesvr.ca/currentposition.php Andrew's schedule] ]]<br />
|}<br />
<br />
== Wiki Participation ==<br />
<br />
* You can edit these pages! Please feel free to fix typos or add links to additional resources. Please use this capability responsibly.<br />
<br />
<br />
[[Category:OPS235]]</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210_Lab_1&diff=139152SRT210 Lab 12019-05-08T15:02:31Z<p>Mark: /* Install CentOS */</p>
<hr />
<div>= Objectives =<br />
<br />
* Get an overview of the course, faculty, and expectations.<br />
* Set up host virtual machine to use in the course.<br />
* Understand offline file access security<br />
* Understand and modify passwd and shadow files<br />
<br />
= Introduction =<br />
<br />
* The course is made primarily of labs. It will contain traditional instruction but only enough to get you started. Use the rest of the time to practice what you're supposed to be learning and ask questions when you get stuck or when something doesn't make sense.<br />
* We'll typically have one week for each lab. The lab is due in class, and needs to be checked by the professor before class is over. That means you should plan to have everything done by the middle of the class.<br />
* Make the best out of your labbook. Not only is it a record of your progress (and your marks for the labs) but it's a large set of notes you'll be able to use at all the assessments.<br />
* Everything in the labbook must be hand-written (by you) and every page must have your name on it. If I catch you using someone else's notes during an assessment - that will be treated as plagiarism.<br />
* Speaking of plagiarism - it will not be tolerated in this course. You're encouraged to discuss and help each other (within reason) during labs, but all other assessed work must be completed independently.<br />
* The lab instructions are written for the lab environment at school, but ask your professor if you can use your own host for the coursework and assessments. Generally speaking it should be possible.<br />
* You do '''not''' need the following items which are listed in the course outline: USB stick; raspberry pi, case, cable, and power supply; network cable; SD card; and wireless adapter.<br />
<br />
= PART 1: HOST VIRTUAL MACHINE =<br />
<br />
== Overview ==<br />
<br />
You'll use the Vmware on our lab machines as a hypervisor for your host. Typically you have one hypervisor running a bunch of VMs, but for securitty reasons in our lab environment we'll need to use nested virtualisation.<br />
<br />
That means the VMware hypervisor will run on the real hardware (the lab machine) and we'll set up a second hypervisor in one VMware VM, which will host several other VMs.<br />
<br />
== Create Host VM ==<br />
<br />
Make sure your SSD drive has a single NTFS partition taking up the whole space.<br />
<br />
Start VMware workstation and create a new virtual machine, with the following specifications:<br />
<br />
* Install from the CentOS 7 iso.<br />
* Set the hostname to matrixusernameVMhost (notice that VM is in capitals but everything else is lowercase).<br />
* Store the virtual machine files on your SSD drive.<br />
* Set up the virtual disk to be up to 180GB in size, a single file.<br />
* Set up the network adapter to be in bridged mode.<br />
<br />
== Install CentOS ==<br />
<br />
During the CentOS installation, make sure to follow these instructions:<br />
<br />
* Set the software selection to Gnome Desktop<br />
* Configure the "partition" layout by starting from the defaults:<br />
** 20GB for /<br />
** 40GB for /home<br />
** The rest (about 117GB) for /var/lib/libvirt/images<br />
* Set the hostname to c7host.<br />
* The network should be connected on boot, as a dhcp client for now.<br />
* Set the root password to something different from your regular user password.<br />
* Create a regular user with the same username as your matrix (MySeneca) username. Set the password to anything you like, as long as it's different from the root password.<br />
<br />
Once the installation is complete your andrewVMhost virtual machine should boot into CentOS when it's powered on, you should be able to log in with your username, and browse the internet using Firefox.<br />
<br />
== Create "secret" files ==<br />
<br />
Create a simple text file in your user's home directory called secrets.txt and put some text in that file.<br />
<br />
Create another file secrets-root.txt in the root's home directory and put some text in that file as well.<br />
<br />
Notice how it appears that you need your user's password in order to log in and access the user's secrets.txt and the root password to access secrets-root.txt<br />
<br />
= PART 2: OFFLINE ACCESS SECURITY =<br />
<br />
The short version of this section is that with access to the physical machine (or the virtual disk images in our case) there is practically nothing you can do to secure a system. We'll look at a couple of simple examples to illustrate this point.<br />
<br />
Download the latest SystemRescueCd ISO file on windows and configure your host virtual machine to boot from that file.<br />
<br />
== Access to files ==<br />
<br />
* Notice that when the machine boots from the systemrescuecd it does not ask for a password. You just press enter a few times and you are logged in as root, with full control over the system.<br />
* If you can figure out the device file associated with the filesystems in your c7host, you can easily access (read or write) any files in there. Run <code>blkid</code> and see which block devices ring a bell.<br />
* Then create a couple of directories under /mnt: centos-root and centos-home. <br />
* Then mount the two filesystems you found into those directories.<br />
* At this point you'll have unrestricted access to all the files inside the root and home logical volumes you created when you installed CentOS.<br />
* Find the secrets.txt and secrets-root.txt files and read their contents. Modify those files to include the line "Please secure your system!"<br />
* Shut down your VM (properly), disconnect the DVD drive, and boot back into c7host. Check your secret files. Notice that you can't get to them until you log in with a password.<br />
<br />
Practice the above by looking for other files that might be of interest. Configuration files, databases, .htaccess files, etc.<br />
<br />
== Resetting the root password ==<br />
<br />
A variation of the file access above is a specific example of changing a file which contains the root password.<br />
<br />
* Boot from SystemRescueCd again and mount your c7host root filesystem.<br />
* Have a look at the etc/passwd file. That has a list of all the users on c7host.<br />
* Have a look at the etc/shadow file. This file has the salted and hashed passwords for all the users that have a password.<br />
* You should understand the structure of both files, epecially:<br />
** username<br />
** UID<br />
** GID<br />
** home directory<br />
** shell<br />
** hashed password<br />
* Replace the hashed password field for the root user with nothing.<br />
* Reboot into CentOS and try to log in.<br />
<br />
{{Admon/important|SELinux|Depending on how you edited your file: at this point you may not be able to log in as any user with any password. The root password has been removed but SELinux is "securing" your system and will not allow the login process to read the shadow file, therefore you can't log in. We'll need to fix this.}}<br />
<br />
* Reboot your VM and at the boot prompt press <code>e</code> (for Edit).<br />
* Scroll down to the line that starts with <code>linux16</code>. These are the parameters passed to the kernel when it's started.<br />
* At the end of that line add <code>enforcing=0</code><br />
* Press <code>Ctrl-x</code> to boot the system.<br />
* Now you should be able to log in, and you'll get a message about some SELinux problems.<br />
* One of those messages will suggest that you run <code>restorecon -v /etc/shadow</code>. Do that as root (notice you don't need to type in a root password any more).<br />
* Now you can disconnect your DVD drive, reboot, and log in normally.<br />
<br />
SELinux added steps to the process, but it's nothing more than a distraction. At the end of the day - you should have figured out that as long as you control the disk image, you have full control over its contents. <br />
<br />
=== The same using CentOS ISO ===<br />
<br />
You can accomplish the same thing you did above by using the CentOS ISO instead of SystemRescueCd. It will be easier because you won't need to reset the SELinux context on the shadow file.<br />
<br />
* Set up your VM to boot from the CentOS installation ISO.<br />
* At the boot prompt choose Troubleshooting/Rescue a CentOS system.<br />
* When it boots up, choose option 1.<br />
* Notice that the VM's root filesystem has been mounted for you automatically. <br />
* Remove your regular user's password from the shadow file.<br />
* Disconnect the DVD drive, reboot, and log in.<br />
<br />
After you're done with this section - reset both your root's and regular user's passwords to something reasonable.<br />
<br />
= Lab completion =<br />
<br />
* Make sure you understand what you've done in this lab, so that you're ready to answer questions about it.<br />
* Have notes in your labbook from this lab.<br />
* Show your work to the professor and have them sign your labbook.</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210_Lab_1&diff=139151SRT210 Lab 12019-05-08T12:14:32Z<p>Mark: /* Introduction */</p>
<hr />
<div>= Objectives =<br />
<br />
* Get an overview of the course, faculty, and expectations.<br />
* Set up host virtual machine to use in the course.<br />
* Understand offline file access security<br />
* Understand and modify passwd and shadow files<br />
<br />
= Introduction =<br />
<br />
* The course is made primarily of labs. It will contain traditional instruction but only enough to get you started. Use the rest of the time to practice what you're supposed to be learning and ask questions when you get stuck or when something doesn't make sense.<br />
* We'll typically have one week for each lab. The lab is due in class, and needs to be checked by the professor before class is over. That means you should plan to have everything done by the middle of the class.<br />
* Make the best out of your labbook. Not only is it a record of your progress (and your marks for the labs) but it's a large set of notes you'll be able to use at all the assessments.<br />
* Everything in the labbook must be hand-written (by you) and every page must have your name on it. If I catch you using someone else's notes during an assessment - that will be treated as plagiarism.<br />
* Speaking of plagiarism - it will not be tolerated in this course. You're encouraged to discuss and help each other (within reason) during labs, but all other assessed work must be completed independently.<br />
* The lab instructions are written for the lab environment at school, but ask your professor if you can use your own host for the coursework and assessments. Generally speaking it should be possible.<br />
* You do '''not''' need the following items which are listed in the course outline: USB stick; raspberry pi, case, cable, and power supply; network cable; SD card; and wireless adapter.<br />
<br />
= PART 1: HOST VIRTUAL MACHINE =<br />
<br />
== Overview ==<br />
<br />
You'll use the Vmware on our lab machines as a hypervisor for your host. Typically you have one hypervisor running a bunch of VMs, but for securitty reasons in our lab environment we'll need to use nested virtualisation.<br />
<br />
That means the VMware hypervisor will run on the real hardware (the lab machine) and we'll set up a second hypervisor in one VMware VM, which will host several other VMs.<br />
<br />
== Create Host VM ==<br />
<br />
Make sure your SSD drive has a single NTFS partition taking up the whole space.<br />
<br />
Start VMware workstation and create a new virtual machine, with the following specifications:<br />
<br />
* Install from the CentOS 7 iso.<br />
* Set the hostname to matrixusernameVMhost (notice that VM is in capitals but everything else is lowercase).<br />
* Store the virtual machine files on your SSD drive.<br />
* Set up the virtual disk to be up to 180GB in size, a single file.<br />
* Set up the network adapter to be in bridged mode.<br />
<br />
== Install CentOS ==<br />
<br />
During the CentOS installation, make sure to follow these instructions:<br />
<br />
* Set the software selection to Gnome Desktop<br />
* Configure the "partition" layout by starting from the defaults:<br />
** 20GB for /<br />
** 40GB for /home<br />
** The rest (about 117GB) for /var/lib/libvirt/images<br />
* Set the hostname to c7host.<br />
* The network should be connected on boot, as a dhcp client for now.<br />
* Set the root password to something different from your regular user password.<br />
* Create a regular user with the same username as your matrix username. Set the password to anything you like, as long as it's different from the root password.<br />
<br />
Once the installation is complete your andrewVMhost virtual machine should boot into CentOS when it's powered on, you should be able to log in with your username, and browse the internet using Firefox.<br />
<br />
== Create "secret" files ==<br />
<br />
Create a simple text file in your user's home directory called secrets.txt and put some text in that file.<br />
<br />
Create another file secrets-root.txt in the root's home directory and put some text in that file as well.<br />
<br />
Notice how it appears that you need your user's password in order to log in and access the user's secrets.txt and the root password to access secrets-root.txt<br />
<br />
= PART 2: OFFLINE ACCESS SECURITY =<br />
<br />
The short version of this section is that with access to the physical machine (or the virtual disk images in our case) there is practically nothing you can do to secure a system. We'll look at a couple of simple examples to illustrate this point.<br />
<br />
Download the latest SystemRescueCd ISO file on windows and configure your host virtual machine to boot from that file.<br />
<br />
== Access to files ==<br />
<br />
* Notice that when the machine boots from the systemrescuecd it does not ask for a password. You just press enter a few times and you are logged in as root, with full control over the system.<br />
* If you can figure out the device file associated with the filesystems in your c7host, you can easily access (read or write) any files in there. Run <code>blkid</code> and see which block devices ring a bell.<br />
* Then create a couple of directories under /mnt: centos-root and centos-home. <br />
* Then mount the two filesystems you found into those directories.<br />
* At this point you'll have unrestricted access to all the files inside the root and home logical volumes you created when you installed CentOS.<br />
* Find the secrets.txt and secrets-root.txt files and read their contents. Modify those files to include the line "Please secure your system!"<br />
* Shut down your VM (properly), disconnect the DVD drive, and boot back into c7host. Check your secret files. Notice that you can't get to them until you log in with a password.<br />
<br />
Practice the above by looking for other files that might be of interest. Configuration files, databases, .htaccess files, etc.<br />
<br />
== Resetting the root password ==<br />
<br />
A variation of the file access above is a specific example of changing a file which contains the root password.<br />
<br />
* Boot from SystemRescueCd again and mount your c7host root filesystem.<br />
* Have a look at the etc/passwd file. That has a list of all the users on c7host.<br />
* Have a look at the etc/shadow file. This file has the salted and hashed passwords for all the users that have a password.<br />
* You should understand the structure of both files, epecially:<br />
** username<br />
** UID<br />
** GID<br />
** home directory<br />
** shell<br />
** hashed password<br />
* Replace the hashed password field for the root user with nothing.<br />
* Reboot into CentOS and try to log in.<br />
<br />
{{Admon/important|SELinux|Depending on how you edited your file: at this point you may not be able to log in as any user with any password. The root password has been removed but SELinux is "securing" your system and will not allow the login process to read the shadow file, therefore you can't log in. We'll need to fix this.}}<br />
<br />
* Reboot your VM and at the boot prompt press <code>e</code> (for Edit).<br />
* Scroll down to the line that starts with <code>linux16</code>. These are the parameters passed to the kernel when it's started.<br />
* At the end of that line add <code>enforcing=0</code><br />
* Press <code>Ctrl-x</code> to boot the system.<br />
* Now you should be able to log in, and you'll get a message about some SELinux problems.<br />
* One of those messages will suggest that you run <code>restorecon -v /etc/shadow</code>. Do that as root (notice you don't need to type in a root password any more).<br />
* Now you can disconnect your DVD drive, reboot, and log in normally.<br />
<br />
SELinux added steps to the process, but it's nothing more than a distraction. At the end of the day - you should have figured out that as long as you control the disk image, you have full control over its contents. <br />
<br />
=== The same using CentOS ISO ===<br />
<br />
You can accomplish the same thing you did above by using the CentOS ISO instead of SystemRescueCd. It will be easier because you won't need to reset the SELinux context on the shadow file.<br />
<br />
* Set up your VM to boot from the CentOS installation ISO.<br />
* At the boot prompt choose Troubleshooting/Rescue a CentOS system.<br />
* When it boots up, choose option 1.<br />
* Notice that the VM's root filesystem has been mounted for you automatically. <br />
* Remove your regular user's password from the shadow file.<br />
* Disconnect the DVD drive, reboot, and log in.<br />
<br />
After you're done with this section - reset both your root's and regular user's passwords to something reasonable.<br />
<br />
= Lab completion =<br />
<br />
* Make sure you understand what you've done in this lab, so that you're ready to answer questions about it.<br />
* Have notes in your labbook from this lab.<br />
* Show your work to the professor and have them sign your labbook.</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210_Weekly_Schedule&diff=139149SRT210 Weekly Schedule2019-05-07T18:39:53Z<p>Mark: </p>
<hr />
<div>= Summer 2019 =<br />
<br />
<br />
<table cellspacing="0" cellpadding="5" width="100%" style="border-top: thin solid black;"><br />
<tr valign="top><br />
<td width="20%" style="border-bottom: thin solid black;font-weight:bold;background-color:#f0f0f5;">Week</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;background-color:#f0f0f5;">Objectives and Tasks</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;background-color:#f0f0f5;">Labs</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;background-color:#f0f0f5;">Other Assessments</td><br />
</tr> <br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 1:'''<br>6 - 10 may</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Course overview</li><br />
<li>Set up host machine for course work (c7host)</li><br />
<li>Offline file access security</li><br />
<li>passwd and shadow files</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_1 | Lab1]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;"></td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 2:'''<br>13 - 17 may</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Set up a nested virtual machine</li><br />
<li>Get familiar with basic networking setup and utilities used on Linux</li><br />
<li>Understand how the IPtables firewall works and use it to make simple rules</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_2 | Lab2]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">Quiz on Lab 1</td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 3:'''<br>20 - 24 may</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Understand how port forwarding works and how it relates to security.</li><br />
<li>Set up port forwarding using iptables.</li><br />
<li>Understand fundamental concepts that make up SELinux.</li><br />
<li>Troubleshoot problems caused by SELinux.</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_3 | Lab3]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">Quiz on Lab 2</td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 4:'''<br>27 - 31 may</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Understand the principles of how DNS works.</li><br />
<li>Set up an authoritative DNS server.</li><br />
<li>Test your DNS server to confirm that it works as expected.</li><br />
<li>Configure an operating system to use a specific DNS server.</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_4 | Lab4]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">Quiz on Lab 3</td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 5:'''<br>3 - 7 jun</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Reverse DNS</li><br />
<li>DNS and security</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_4_Part_2 | Lab4 Part 2]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Assignment1 | Assignment 1]] and Quiz on Lab 4</td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 6:'''<br>10 - 14 jun</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">Practical Midterm test</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_First_Half_Review | Review of labs to date]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;"/><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 7:'''<br>17 - 21 jun</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Results of the practical test and late assignments</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;"/><br />
<td style="border-bottom: thin solid black;font-weight:bold;"></td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;background-color:#f0f0f5;">'''Study Week:'''<br>24 - 28 jun</td><br />
<td colspan="3" style="border-bottom: thin solid black;background-color:#f0f0f5;">&nbsp;</td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 8:'''<br>1 - 5 jul</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Understand how DHCP works and set up a working server/client.</li><br />
<li>Understand which types of traffic can be captured where, from the point of view of an attacker.</li><br />
<li>Practice capturing traffic, and browsing it using Wireshark.</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_5 | Lab5]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;"></td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 9:'''<br>8 - 12 jul</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Learn some fundamental concepts and terminology used with LDAP.</li><br />
<li>Practice creating users in OpenLDAP.</li><br />
<li>Set up linux machines to authenticate against an OpenLDAP server.</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_6 | Lab6]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">Quiz on Lab 5</td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 10:'''<br>15 - 19 jul</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Understand the basics of public key encryption from a practical point of view.</li><br />
<li>Set up a Certificate Authority.</li><br />
<li>Create certificate+key pairs for servers, signed by your own CA.</li><br />
<li>Set up Apache to serve pages over HTTPS.</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_7 | Lab7]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">Quiz on Lab 6</td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 11:'''<br>22 - 26 jul</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Semi-automated host fingerprint distribution using /etc/skel/</li><br />
<li>Use assymetric encryption (with SSH keys) for password-less SSH authentication.</li><br />
<li>Ditribute SSH public keys manually.</li><br />
<li>Backup using rsync.</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_8 | Lab8]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">Quiz on Lab 7</td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 12:'''<br>jul 29 - 2 aug</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Review and practice for the exam.</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_8 | Lab8]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Assignment2 | Assignment 2]] and Quiz on Lab 8</td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 13:'''<br>5 - 9 aug</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Practical Final Exam.</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Assignment2 | LATE Assignment 2]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;"></td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;background-color:#f0f0f5;">'''Exam Week:'''<br>12 - 16 aug</td><br />
<td colspan="3" style="border-bottom: thin solid black;background-color:#f0f0f5;">&nbsp;</td><br />
</tr><br />
</table><br />
<br />
<br />
[[Category:SRT210]]</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210&diff=139148SRT2102019-05-07T18:28:01Z<p>Mark: </p>
<hr />
<div>{| style="float: right; margin: 0 0 3em 2em; border: 1px solid black;"<br />
!style="background: #cccccc"| Quick Links<br />
|-<br />
|<div style="background:#ffff00">[[SRT210_Weekly_Schedule | Weekly Schedule]]</div>[https://ict.senecacollege.ca/course/srt210 Course Outline]<br />
|-<br />
!style="background: #cccccc"| Assignments<br />
|-<br />
|[[SRT210_Assignment1 | Assignment 1]]<br />
[[SRT210_Assignment2 | Assignment 2]]<br />
|}<br />
<br />
= Welcome to SRT210 - ''The Pragmatic Art of Administration'' =<br />
{| width="100%" align="right" cellpadding="10"<br />
|- valign="top"<br />
| width="55%"|<br />
== What This Course is About ==<br />
<br />
The more you understand about how a system works - the better you'll be prepared to validate its security and make a plan to keep it as secure as the organisation requires.<br />
<br />
In this course you'll get a hands-on overview of several very common systems used on private networks and the internet today.<br />
<br />
== Learning by Doing ==<br />
<br />
Most of the learning in this course occurs through the hands-on problem solving that takes place in the labs and assignments.<br />
<br />
<u>Requirements for Success</u><br />
<br />
:* It is very important to stay up-to-date with the coursework, and to practice until you have confidently mastered each task.<br />
<br />
:* The notes that you make during the labs and assignments are your reference material for the quizzes, tests, and assignments. Take really good notes, and if you have questions, experiment and consult with your professor.<br />
<br />
:* Carefully read ALL lab instructions and check your work regularly. Since you'll have the administrator password for your systems - you have full control over them and can damage them beyond repair with a single mistyped command.<br />
<br />
== Course Faculty ==<br />
<br />
'''During the <b>Summer 2019</b> semester, SRT210 is taught by:'''<br />
<br />
| width="40% |<br />
<br />
==Required Materials (for second class)==<br />
<table cellpadding="10" cellspacing="0" width="100%"><br />
<tr><td width="10%" style="border-bottom: thin solid #cccccc;">[[Image:ssd.png|left|95px]]</td><td width="20%" style="border-bottom: thin solid #cccccc;padding-top:25px;padding-bottom:25px;">'''Solid State Drive (SSD)'''</td><td width="20%" style="border-bottom: thin solid #cccccc;text-align:right;">'''Minimum Capacity:''' 240 GB</td></tr><br />
<tr valign="top"><td width="10%" style="border-bottom: thin solid #cccccc;">[[Image:blank-cd.png|left|50px]]</td><td width="20%" style="border-bottom: thin solid #cccccc;">'''CentOS 7 Full Install<br>DVD Image'''</td><td width="20%" style="border-bottom: thin solid #cccccc;text-align:right;">[https://mirror.senecacollege.ca/centos/7/isos/x86_64/CentOS-7-x86_64-DVD-1810.iso Download at Seneca Lab]<br>[http://mirror.netflash.net/centos/7/isos/x86_64/CentOS-7-x86_64-DVD-1810.iso Download from Home]</td></tr><br />
<tr valign="top"><td width="10%" style="border-bottom: thin solid #cccccc;">[[Image:blank-cd.png|left|50px]]</td><td width="20%" style="border-bottom: thin solid #cccccc;">'''SystemRescueCd<br>CD Image'''</td><td width="20%" style="border-bottom: thin solid #cccccc;text-align:right;">[http://cs.senecacollege.ca/~andrew.smith/srt210/systemrescuecd-x86-5.3.2.iso Download at Seneca Lab]</td></tr><br />
<tr><td width="10%" style="border-bottom: thin solid #cccccc;">[[Image:log-book.png|left|44px]]</td><td width="20%" style="border-bottom: thin solid #cccccc;">'''Lab Log-book'''<br>(download &amp; print<br>Both sides per lab permitted)</td><td width="20%" style="border-bottom: thin solid #cccccc;text-align:right;"><!-- [[:File:SRT210_logbook.pdf|Download PDF]]</td></tr> --><br />
'''(Update: May 7 2019): Will be Handed Out during Week 2'''<br />
</table><br />
|}<br />
{|cellpadding="15" width="70%"<br />
|- valign="top"<br />
|[[Image:MarkFernandes.jpg|thumb|left|185px|<b>Mark Fernandes</b><br />Months: '''May''' and '''Jun'''<br />mark.fernandes@senecacollege.ca<br />[https://scs.senecac.on.ca/~mark.fernandes/Schedule.html Mark's schedule] ]]<br />
|[[Image:andrew.jpg|thumb|left|185px|<b>Andrew Smith</b><br />Months: '''Jul''' and '''Aug'''<br />andrew.smith@senecacollege.ca<br />[http://littlesvr.ca/currentposition.php Andrew's schedule] ]]<br />
|}<br />
<br />
== Wiki Participation ==<br />
<br />
* You can edit these pages! Please feel free to fix typos or add links to additional resources. Please use this capability responsibly.<br />
<br />
<br />
[[Category:OPS235]]</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210_Assignment2_2019-1&diff=139147SRT210 Assignment2 2019-12019-05-07T18:23:22Z<p>Mark: </p>
<hr />
<div>Due date: 7th of august<br />
'''(Update: May 7 2019): Additional requirements will be added at a later date'''<br />
<br />
Late penalties: 10% per day, including weekends and holidays. Must be submitted before the exam week starts.<br />
<br />
= Part 1: VPN setup =<br />
<br />
For this assignment you are to set up a VPN server that will allow you to securely access resources inside your virtual networks from anywhere in the world.<br />
<br />
When you've set everything up correctly: you should be able to use a VPN client outside your hypervisor to connect to c7host and access all of the hosts in your virtual networks by hostname. For a 20% bonus set it up so you can log in with credentials from your LDAP server.<br />
<br />
There is more than one VPN server available on Linux. You may choose whichever you find is easiest for you to complete the assignment. Document the steps you took to do the setup, particularly including:<br />
<br />
* What IP addresses will VPN clients get. Why did you choose that range?<br />
* How traffic will be routed outside the VPN subnet.<br />
* How VPN clients will resolve hostnames both on your virtual networks and on the internet.<br />
* How you configure the VPN clinets.<br />
<br />
If it helps - you can include screenshots in your report.<br />
<br />
= Part 2: Security =<br />
<br />
Pretend that your virtual network has valuable resources on it (servers/services/data) that should only be accessible by employees of a specific organisation. Describe how using a VPN to access thouse resources makes them easier to secure compared to having those resources accessible via internet-routable IP addresses and secured individially.<br />
<br />
Is it easier or more difficult to set up? What's the difference in terms of vectors available for attack? What about the encryption strength of the VPN versus the service you're comparing its security with?<br />
<br />
You may choose any combination of servers, services, and data (use at least two different ones) that you like to make your point. If you find that a VPN is not particularly helpful to secure the services you chose: you can still get your marks if you thoroughly explain why not.<br />
<br />
= Report =<br />
<br />
Submit a report that addresses all of the points in part 1 and part 2 of the assignment. The report should be at least two pages long, not including screenshots, titles, and other fluff.</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210_Assignment1&diff=139146SRT210 Assignment12019-05-07T18:21:59Z<p>Mark: /* Assignment 1 */</p>
<hr />
<div>= Assignment 1 =<br />
<br />
Due date: 7th of June<br />
'''(Update: May 7 2019): Additional requirements will be added at a later date'''<br />
<br />
Late penalties: 10% per day, including weekends and holidays<br />
<br />
== Part 1: Set up and routing (10 marks) ==<br />
<br />
# Complete labs 1 through 4. (but note the previous announcement about forwarding port 80)<br />
# Create a new virtual network named asg1, with a subnet that has a 192.168.X network address, where X is the last two digits of your Seneca student number. Do not use DHCP on this network.<br />
# Create a new virtual machine and install CentOS in it as a minimal install.<br />
# Set up the new virtual machine to have the hostname lin1a1, and two network interfaces:<br />
#* Both should be virtio type of virtual devices<br />
#* One on the asg1 network with the IP address 192.168.X.50<br />
#* One on the network1 network with the IP address 192.168.210.20<br />
# Note that you can only have one default gateway on a system, and your default gateway should be c7host on the 192.168.210 subnet.<br />
# Confirm that your new VM can communicate with both the internet and with hosts on the network1 network.<br />
# Create another VM, named lin2a1, with one network interface and IP address 192.168.X.51<br />
# The second VM should be able to access machines on the asg1 network but not on the network1 network.<br />
# Configure the second VM to be able to access the internet and the network1 network via lin1a1. You'll need to enable IP forwarding and masquerading on the correct interface in the correct machine.<br />
# Configure both VMs to be able to connect to c7host.yourmysenecaid.ops, lin1.yourmysenecaid.ops, and lin2.yourmysenecaid.ops by hostname (don't be tempted to set up another DNS server, use what you already have)<br />
# Note: make sure that you start from the default iptables-services rules. You'll lose marks if you don't have a functional firewall on lin1a1 and lin2a1.<br />
<br />
== Part 2: SSH brute-force attack (10 marks) ==<br />
<br />
# Create at least 5 users on lin2, give some of them simple/common names (like "john") and simple or relatively-simple passwords. If you have a complex root password - you might want to change that to something simpler too.<br />
# Find some software to perform a brute-force SSH login attack on lin2 from lin2a2.<br />
# Run the attack. Record how long it took, and what the results were. If it fails to find usable credentials for you - make sure you have an explanation for why that was.<br />
<br />
== Part 3: Report (10 marks) ==<br />
<br />
Write a report, where you describe (in your own words):<br />
* What you were trying to accomplish.<br />
* What you had to do to set everything up (most important are the networking, routing, and firewall configurations).<br />
* Describe how the tool you chose for Part 2 works, how you used it, and why it gave you the results that it gave you.<br />
* Describe at least two ways to make brute-force SSH attacks less likely to be successful.<br />
* Describe any challenges you ran into and how you solved them.<br />
<br />
Screenshots might be helpful but are not required for the report. The report should be at least two pages long, not including screenshots, titles, and other fluff.<br />
<br />
== Submit ==<br />
<br />
Submit the report on Blackboard.</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210_Weekly_Schedule&diff=139145SRT210 Weekly Schedule2019-05-07T18:16:51Z<p>Mark: /* Summer 2019 */</p>
<hr />
<div>= Summer 2019 =<br />
<br />
<table cellspacing="0" cellpadding="5" width="100%" style="border-top: thin solid black;"><br />
<tr valign="top><br />
<td width="20%" style="border-bottom: thin solid black;font-weight:bold;background-color:#f0f0f5;">Week</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;background-color:#f0f0f5;">Objectives and Tasks</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;background-color:#f0f0f5;">Labs</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;background-color:#f0f0f5;">Other Assessments</td><br />
</tr> <br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 1:'''<br>6 - 10 may</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Course overview</li><br />
<li>Set up host machine for course work (c7host)</li><br />
<li>Offline file access security</li><br />
<li>passwd and shadow files</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_1 | Lab1]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;"></td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 2:'''<br>13 - 17 may</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Set up a nested virtual machine</li><br />
<li>Get familiar with basic networking setup and utilities used on Linux</li><br />
<li>Understand how the IPtables firewall works and use it to make simple rules</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_2 | Lab2]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;"></td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 3:'''<br>20 - 24 may</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Understand how port forwarding works and how it relates to security.</li><br />
<li>Set up port forwarding using iptables.</li><br />
<li>Understand fundamental concepts that make up SELinux.</li><br />
<li>Troubleshoot problems caused by SELinux.</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_3 | Lab3]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;"></td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 4:'''<br>27 - 31 may</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Understand the principles of how DNS works.</li><br />
<li>Set up an authoritative DNS server.</li><br />
<li>Test your DNS server to confirm that it works as expected.</li><br />
<li>Configure an operating system to use a specific DNS server.</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_4 | Lab4]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;"></td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 5:'''<br>3 - 7 jun</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Reverse DNS</li><br />
<li>DNS and security</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_4_Part_2 | Lab4 Part 2]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Assignment1 | Assignment 1]]</td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 6:'''<br>10 - 14 jun</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">Practical Midterm test</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_First_Half_Review | Review of labs to date]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;"/><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 7:'''<br>17 - 21 jun</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Results of the practical test and late assignments</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;"/><br />
<td style="border-bottom: thin solid black;font-weight:bold;"></td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;background-color:#f0f0f5;">'''Study Week:'''<br>24 - 28 jun</td><br />
<td colspan="3" style="border-bottom: thin solid black;background-color:#f0f0f5;">&nbsp;</td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 8:'''<br>1 - 5 jul</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Understand how DHCP works and set up a working server/client.</li><br />
<li>Understand which types of traffic can be captured where, from the point of view of an attacker.</li><br />
<li>Practice capturing traffic, and browsing it using Wireshark.</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_5 | Lab5]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;"></td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 9:'''<br>8 - 12 jul</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Learn some fundamental concepts and terminology used with LDAP.</li><br />
<li>Practice creating users in OpenLDAP.</li><br />
<li>Set up linux machines to authenticate against an OpenLDAP server.</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_6 | Lab6]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;"></td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 10:'''<br>15 - 19 jul</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Understand the basics of public key encryption from a practical point of view.</li><br />
<li>Set up a Certificate Authority.</li><br />
<li>Create certificate+key pairs for servers, signed by your own CA.</li><br />
<li>Set up Apache to serve pages over HTTPS.</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_7 | Lab7]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;"></td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 11:'''<br>22 - 26 jul</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Semi-automated host fingerprint distribution using /etc/skel/</li><br />
<li>Use assymetric encryption (with SSH keys) for password-less SSH authentication.</li><br />
<li>Ditribute SSH public keys manually.</li><br />
<li>Backup using rsync.</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_8 | Lab8]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;"></td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 12:'''<br>jul 29 - 2 aug</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Review and practice for the exam.</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_8 | Lab8]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Assignment2 | Assignment 2]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;"></td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 13:'''<br>5 - 9 aug</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Practical Final Exam.</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Assignment2 | LATE Assignment 2]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;"></td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;background-color:#f0f0f5;">'''Exam Week:'''<br>12 - 16 aug</td><br />
<td colspan="3" style="border-bottom: thin solid black;background-color:#f0f0f5;">&nbsp;</td><br />
</tr><br />
</table><br />
<br />
[[Category:SRT210]]</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210_Weekly_Schedule&diff=139143SRT210 Weekly Schedule2019-05-07T15:34:35Z<p>Mark: /* Winter 2019 */</p>
<hr />
<div>= Summer 2019 =<br />
<br />
<table cellspacing="0" cellpadding="5" width="100%" style="border-top: thin solid black;"><br />
<tr valign="top><br />
<td width="20%" style="border-bottom: thin solid black;font-weight:bold;background-color:#f0f0f5;">Week</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;background-color:#f0f0f5;">Objectives and Tasks</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;background-color:#f0f0f5;">Labs</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;background-color:#f0f0f5;">Other Assessments</td><br />
</tr> <br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 1:'''<br>6 - 10 may</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Course overview</li><br />
<li>Set up host machine for course work (c7host)</li><br />
<li>Offline file access security</li><br />
<li>passwd and shadow files</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_1 | Lab1]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;"></td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 2:'''<br>13 - 17 may</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Set up a nested virtual machine</li><br />
<li>Get familiar with basic networking setup and utilities used on Linux</li><br />
<li>Understand how the IPtables firewall works and use it to make simple rules</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_2 | Lab2]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;"></td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 3:'''<br>20 - 24 may</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Understand how port forwarding works and how it relates to security.</li><br />
<li>Set up port forwarding using iptables.</li><br />
<li>Understand fundamental concepts that make up SELinux.</li><br />
<li>Troubleshoot problems caused by SELinux.</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_3 | Lab3]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;"></td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 4:'''<br>27 - 31 may</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Understand the principles of how DNS works.</li><br />
<li>Set up an authoritative DNS server.</li><br />
<li>Test your DNS server to confirm that it works as expected.</li><br />
<li>Configure an operating system to use a specific DNS server.</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_4 | Lab4]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;"></td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 5:'''<br>3 - 7 jun</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Reverse DNS</li><br />
<li>DNS and security</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_4_Part_2 | Lab4 Part 2]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Assignment1 | Assignment 1]]</td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 6:'''<br>10 - 14 jun</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Review and practice for the test</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_First_Half_Review | Review of labs to date]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">Practical Midterm test</td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 7:'''<br>17 - 21 jun</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Results of the practical test and late assignments</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;/><br />
<td style="border-bottom: thin solid black;font-weight:bold;"></td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;background-color:#f0f0f5;">'''Study Week:'''<br>24 - 28 jun</td><br />
<td colspan="3" style="border-bottom: thin solid black;background-color:#f0f0f5;">&nbsp;</td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 8:'''<br>1 - 5 jul</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Understand how DHCP works and set up a working server/client.</li><br />
<li>Understand which types of traffic can be captured where, from the point of view of an attacker.</li><br />
<li>Practice capturing traffic, and browsing it using Wireshark.</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_5 | Lab5]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;"></td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 9:'''<br>8 - 12 jul</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Learn some fundamental concepts and terminology used with LDAP.</li><br />
<li>Practice creating users in OpenLDAP.</li><br />
<li>Set up linux machines to authenticate against an OpenLDAP server.</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_6 | Lab6]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;"></td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 10:'''<br>15 - 19 jul</td><br />
<td style="border-bottom: thin solid black;"></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_6 | Lab6]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;"></td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 11:'''<br>22 - 26 jul</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Understand the basics of public key encryption from a practical point of view.</li><br />
<li>Set up a Certificate Authority.</li><br />
<li>Create certificate+key pairs for servers, signed by your own CA.</li><br />
<li>Set up Apache to serve pages over HTTPS.</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_7 | Lab7]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;"></td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 12:'''<br>jul 29 - 2 aug</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Semi-automated host fingerprint distribution using /etc/skel/</li><br />
<li>Use assymetric encryption (with SSH keys) for password-less SSH authentication.</li><br />
<li>Ditribute SSH public keys manually.</li><br />
<li>Backup using rsync.</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Lab_8 | Lab8]]</td><br />
<td style="border-bottom: thin solid black;font-weight:bold;"></td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;">'''Week 13:'''<br>5 - 9 aug</td><br />
<td style="border-bottom: thin solid black;"><br />
<ul><br />
<li>Review and practice for the exam.</li><br />
</ul></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;"></td><br />
<td style="border-bottom: thin solid black;font-weight:bold;">[[SRT210_Assignment2 | Assignment 2]]</td><br />
</tr><br />
<tr valign="top"><br />
<td width="20%" style="border-bottom: thin solid black;background-color:#f0f0f5;">'''Exam Week:'''<br>12 - 16 aug</td><br />
<td colspan="3" style="border-bottom: thin solid black;background-color:#f0f0f5;">&nbsp;</td><br />
</tr><br />
</table><br />
<br />
[[Category:SRT210]]</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210&diff=139142SRT2102019-05-07T15:11:55Z<p>Mark: /* Welcome to SRT210 - The Pragmatic Art of Administration */</p>
<hr />
<div>{| style="float: right; margin: 0 0 3em 2em; border: 1px solid black;"<br />
!style="background: #cccccc"| Quick Links<br />
|-<br />
|<div style="background:#ffff00">[[SRT210_Weekly_Schedule | Weekly Schedule]]</div>[https://ict.senecacollege.ca/course/srt210 Course Outline]<br />
|-<br />
!style="background: #cccccc"| Assignments<br />
|-<br />
|[[SRT210_Assignment1 | Assignment 1]]<br />
[[SRT210_Assignment2 | Assignment 2]]<br />
|}<br />
<br />
= Welcome to SRT210 - ''The Pragmatic Art of Administration'' =<br />
{| width="100%" align="right" cellpadding="10"<br />
|- valign="top"<br />
| width="55%"|<br />
== What This Course is About ==<br />
<br />
The more you understand about how a system works - the better you'll be prepared to validate its security and make a plan to keep it as secure as the organisation requires.<br />
<br />
In this course you'll get a hands-on overview of several very common systems used on private networks and the internet today.<br />
<br />
== Learning by Doing ==<br />
<br />
Most of the learning in this course occurs through the hands-on problem solving that takes place in the labs and assignments.<br />
<br />
<u>Requirements for Success</u><br />
<br />
:* It is very important to stay up-to-date with the coursework, and to practice until you have confidently mastered each task.<br />
<br />
:* The notes that you make during the labs and assignments are your reference material for the quizzes, tests, and assignments. Take really good notes, and if you have questions, experiment and consult with your professor.<br />
<br />
:* Carefully read ALL lab instructions and check your work regularly. Since you'll have the administrator password for your systems - you have full control over them and can damage them beyond repair with a single mistyped command.<br />
<br />
== Course Faculty ==<br />
<br />
'''During the <b>Summer 2019</b> semester, SRT210 is taught by:'''<br />
<br />
| width="40% |<br />
<br />
==Required Materials (for second class)==<br />
<table cellpadding="10" cellspacing="0" width="100%"><br />
<tr><td width="10%" style="border-bottom: thin solid #cccccc;">[[Image:ssd.png|left|95px]]</td><td width="20%" style="border-bottom: thin solid #cccccc;padding-top:25px;padding-bottom:25px;">'''Solid State Drive (SSD)'''</td><td width="20%" style="border-bottom: thin solid #cccccc;text-align:right;">'''Minimum Capacity:''' 240 GB</td></tr><br />
<tr valign="top"><td width="10%" style="border-bottom: thin solid #cccccc;">[[Image:blank-cd.png|left|50px]]</td><td width="20%" style="border-bottom: thin solid #cccccc;">'''CentOS 7 Full Install<br>DVD Image'''</td><td width="20%" style="border-bottom: thin solid #cccccc;text-align:right;">[https://mirror.senecacollege.ca/centos/7/isos/x86_64/CentOS-7-x86_64-DVD-1810.iso Download at Seneca Lab]<br>[http://mirror.netflash.net/centos/7/isos/x86_64/CentOS-7-x86_64-DVD-1810.iso Download from Home]</td></tr><br />
<tr valign="top"><td width="10%" style="border-bottom: thin solid #cccccc;">[[Image:blank-cd.png|left|50px]]</td><td width="20%" style="border-bottom: thin solid #cccccc;">'''SystemRescueCd<br>CD Image'''</td><td width="20%" style="border-bottom: thin solid #cccccc;text-align:right;">[http://cs.senecacollege.ca/~andrew.smith/srt210/systemrescuecd-x86-5.3.2.iso Download at Seneca Lab]</td></tr><br />
<tr><td width="10%" style="border-bottom: thin solid #cccccc;">[[Image:log-book.png|left|44px]]</td><td width="20%" style="border-bottom: thin solid #cccccc;">'''Lab Log-book'''<br>(download &amp; print<br>Both sides per lab permitted)</td><td width="20%" style="border-bottom: thin solid #cccccc;text-align:right;">[[:File:SRT210_logbook.pdf|Download PDF]]</td></tr><br />
</table><br />
|}<br />
{|cellpadding="15" width="70%"<br />
|- valign="top"<br />
|[[Image:MarkFernandes.jpg|thumb|left|185px|<b>Mark Fernandes</b><br />Months: '''May''' and '''Jun'''<br />mark.fernandes@senecacollege.ca<br />[https://scs.senecac.on.ca/~mark.fernandes/Schedule.html Mark's schedule] ]]<br />
|[[Image:andrew.jpg|thumb|left|185px|<b>Andrew Smith</b><br />Months: '''Jul''' and '''Aug'''<br />andrew.smith@senecacollege.ca<br />[http://littlesvr.ca/currentposition.php Andrew's schedule] ]]<br />
|}<br />
<br />
== Wiki Participation ==<br />
<br />
* You can edit these pages! Please feel free to fix typos or add links to additional resources. Please use this capability responsibly.<br />
<br />
<br />
[[Category:OPS235]]</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=SRT210&diff=139141SRT2102019-05-07T15:02:14Z<p>Mark: /* Course Faculty */</p>
<hr />
<div>{| style="float: right; margin: 0 0 3em 2em; border: 1px solid black;"<br />
!style="background: #cccccc"| Quick Links<br />
|-<br />
|<div style="background:#ffff00">[[SRT210_Weekly_Schedule | Weekly Schedule]]</div>[https://ict.senecacollege.ca/course/srt210 Course Outline]<br />
|-<br />
!style="background: #cccccc"| Assignments<br />
|-<br />
|[[SRT210_Assignment1 | Assignment 1]]<br />
[[SRT210_Assignment2 | Assignment 2]]<br />
|}<br />
<br />
= Welcome to SRT210 - ''The Pragmatic Art of Administration'' =<br />
{| width="100%" align="right" cellpadding="10"<br />
|- valign="top"<br />
| width="55%"|<br />
== What This Course is About ==<br />
<br />
The more you understand about how a system works - the better you'll be prepared to validate its security and make a plan to keep it as secure as the organisation requires.<br />
<br />
In this course you'll get a hands-on overview of several very common systems used on private networks and the internet today.<br />
<br />
== Learning by Doing ==<br />
<br />
Most of the learning in this course occurs through the hands-on problem solving that takes place in the labs and assignments.<br />
<br />
<u>Requirements for Success</u><br />
<br />
:* It is very important to stay up-to-date with the coursework, and to practice until you have confidently mastered each task.<br />
<br />
:* The notes that you make during the labs and assignments are your reference material for the quizzes, tests, and assignments. Take really good notes, and if you have questions, experiment and consult with your professor.<br />
<br />
:* Carefully read ALL lab instructions and check your work regularly. Since you'll have the administrator password for your systems - you have full control over them and can damage them beyond repair with a single mistyped command.<br />
<br />
== Course Faculty ==<br />
<br />
'''During the <b>Summer 2019</b> semester, SRT210 is taught by:'''<br />
<br />
| width="40% |<br />
<br />
==Required Materials (for second class)==<br />
<table cellpadding="10" cellspacing="0" width="100%"><br />
<tr><td width="10%" style="border-bottom: thin solid #cccccc;">[[Image:ssd.png|left|95px]]</td><td width="20%" style="border-bottom: thin solid #cccccc;padding-top:25px;padding-bottom:25px;">'''Solid State Drive (SSD)'''</td><td width="20%" style="border-bottom: thin solid #cccccc;text-align:right;">'''Minimum Capacity:''' 240 GB</td></tr><br />
<tr valign="top"><td width="10%" style="border-bottom: thin solid #cccccc;">[[Image:blank-cd.png|left|50px]]</td><td width="20%" style="border-bottom: thin solid #cccccc;">'''CentOS 7 Full Install<br>DVD Image'''</td><td width="20%" style="border-bottom: thin solid #cccccc;text-align:right;">[https://mirror.senecacollege.ca/centos/7/isos/x86_64/CentOS-7-x86_64-DVD-1810.iso Download at Seneca Lab]<br>[http://mirror.netflash.net/centos/7/isos/x86_64/CentOS-7-x86_64-DVD-1810.iso Download from Home]</td></tr><br />
<tr valign="top"><td width="10%" style="border-bottom: thin solid #cccccc;">[[Image:blank-cd.png|left|50px]]</td><td width="20%" style="border-bottom: thin solid #cccccc;">'''SystemRescueCd<br>CD Image'''</td><td width="20%" style="border-bottom: thin solid #cccccc;text-align:right;">[http://cs.senecacollege.ca/~andrew.smith/srt210/systemrescuecd-x86-5.3.2.iso Download at Seneca Lab]</td></tr><br />
<tr><td width="10%" style="border-bottom: thin solid #cccccc;">[[Image:log-book.png|left|44px]]</td><td width="20%" style="border-bottom: thin solid #cccccc;">'''Lab Log-book'''<br>(download &amp; print<br>Both sides per lab permitted)</td><td width="20%" style="border-bottom: thin solid #cccccc;text-align:right;">[[:File:SRT210_logbook.pdf|Download PDF]]</td></tr><br />
</table><br />
|}<br />
{|cellpadding="15" width="70%"<br />
|- valign="top"<br />
|[[Image:andrew.jpg|thumb|left|185px|<b>Andrew Smith</b><br />Sections '''A''' and '''B'''<br />andrew.smith@senecacollege.ca<br />[http://littlesvr.ca/currentposition.php Andrew's schedule] ]]<br />
|}<br />
<br />
== Wiki Participation ==<br />
<br />
* You can edit these pages! Please feel free to fix typos or add links to additional resources. Please use this capability responsibly.<br />
<br />
<br />
[[Category:OPS235]]</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=OPS235_Short-Term&diff=134049OPS235 Short-Term2018-05-17T21:41:34Z<p>Mark: /* Current: Winter 2018 Semester */</p>
<hr />
<div><br />
== USEFUL INFORMATION FOR INSTRUCTORS (ALL SEMESTERS - PLEASE READ!)==<br />
<br />
#In the '''lab 1 instructions for SSD''', students are instructed to download the image to their windows machine (i.e. Downloads), then create a '''VM template, then edit it with instructions:'''<br><br><span style="background-color:yellow;">In this setup dialog box, click the options tab and then click the Advanced option at the bottom of the list. On the right-hand side, click the checkbox to enable the option to Boot with EFI instead of BIOS.<br>Then click on the Hardware tab, and then select the CD/DVD (IDE) device and select in the right-side select the radio button for the use ISO Image file. Click the Browse button and specify the path of your downloaded Centos7 Full install DVD (most likely file is contained in your Downloads folder). Click Processors, and click the check-box to enable Virtual Intel VT-X/EPT or AMD-V/RVI. When finished, click on the OK button. </span><br><br>Many students have done this for more than 3-4 semesters with their SSDs. Generally no problems encountered. '''Occasionally, students do not follow instructions and forget to set virtualisation for host VM with would affect nested VMs using KVM in lab2...'''. Examples: Can't edit Grub boot file, VMs cannot be installed properly in KVM, Installed VMs in KVM cannot be started, etc.<br><br>The instructions are there. '''I usually do install with students for lab1 Investigation 1 with students (only time I do lab with students) to help them get on the right track'''.<br><br><br />
# Subject: RE: '''How to allow students to obtain free VMware Workstation 12 Pro for use at home''' (eg. SSDs)<br><br>'''*** REQUIRED FOR INSTRUCTORS TO DO THEMSELVES - NO ONE WILL DO THIS FOR YOU ***'''<br><br>Students are entitled to free licensed version of VMware Workstation 12 Pro.<br>It is available for ALL OPS235 / OPS335 students, but particularly useful for students that have SSD drive and want to work from home of notebook computer. You, as an instructor NEED to send Clive (e-mail:<br>clive.beetge@senecacollege.ca) with just usernames (can be done via Blackboard or moodle) students. I recommend you also post an announcement for your student like this:<br><br><blockquote>''"All OPS235/OPS335 students in my course is allowed a free version of VMware Workstation 12 Pro for their personal use. This particularly useful for students that have Solid State Drives and want to work on OPS235 labs at homeusing VMware Workstation 12 Pro. I have e-mailed the administrator your seneca userid, and you should be getting an email with a long subject line.<br><br>WARNING: Check your quarantine and spam filters to see if this email gets trapped since spam filters may automatically trap suspicious emails with long subject lines.<br><br>Open that e-mail to obtain your VMware Workstation 12 Pro software and registration key.<br><br>FYI<br>Insructor's Name"''</blockquote><br><br>'''NOTE:''' If students cannot access this information from their email, and if Clive has created their accounts, they can use the link and following instructions to obtain their program:<br>https://e5.onthehub.com/WebStore/Welcome.aspx?ws=d529a1f1-b430-e511-940e-b8ca3a5db7a1&vsro=8<br><br><br />
# It is possible to run VMware VMs from the command line using the following steps <syntaxhighlight lang="bash">Create a directory for links to your VMware VMs<br />
# mkdir ~/links<br />
# cd links <br />
# ln -s /path/to/VMs/file.vmx<br />
<br />
Use vmrun to start/stop/list/getGuestIPAddress/listProcessesInGuest<br />
# vmrun | less<br />
# vmrun -T ws start ~/links/name-of-CentOS-VM-link.vmx [gui|nogui]<br />
# vmrun list<br />
# vmrun -T ws getGuestIPAddress ~/links/name-of-CentOS-VM-link.vmx<br />
# ssh user@address-got-from-line-above<br />
# vmrun -T ws -gu <guest-user> -gp <guest-password> listProcessesInGuest ~/links/name-of-CentOS-VM-link.vmx</syntaxhighlight>In case you get an error message about Guest Additions not being installed, you have to rerun <code>vmrun installTools ~/links/name-of-CentOS-VM-link</code> and, during the Guest Additions installation, choose yes to automatic kernel modules (default during installation is no), see: [ [https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2050592 Known issue about Guest Additions not being loaded despite being installed] ] and [ [https://www.vmware.com/pdf/vix162_vmrun_command.pdf (PDF) manual for vmrun ] ] for additional information.<br />
# When updating packages if you abort suddenly, then you might end up with a broken package database. <br />
## In that case, you can fix a broken yum package system using the following blog post: [ [https://wphosting.tv/how-to-fix-duplicate-packages-in-yum/ How to fix duplicate packages in yum] ].<br>Good to know and include somewhere (OPS235 future content update).<br />
## This might another set of steps to follow:<syntaxhighlight lang="bash"># yum-complete-transaction<br />
# yum check | tee /tmp/yum-check.log <br />
# yum update --skip-broken<br />
# package-cleanup --problems<br />
# package-cleanup --dupes<br />
# package-cleanup --cleandupes<br />
# yum install initial-setup initial-setup-gui gnome-initial-setup<br />
# yum update<br />
# reboot</syntaxhighlight><br /><br /><br />
# VMware on Linux requires Secure Boot to be disabled on the Linux host otherwise VMware cannot run CentOS VMs: [ [https://communities.vmware.com/message/2461448#2461448 Comment #5 talks about disabling Secure Boot to make VMware on Linux boot VMs] ].<br />
<br />
= Current: Winter 2018 Semester =<br />
# It appears that doing yum update after May 2018 reintroduces the GRUB issue mentioned in '''#3''' of '''Fall 2017''' below for removable HDD on HP machines. A possible solution, since the one proposed in the earlier solution does not work, might be (to be confirmed whether the solution linked to here resolves the issue) https://noobient.com/post/165797742756/fixing-the-efi-bootloader-on-centos-7<br />
<br />
= Fall 2017 Semester=<br />
<br />
# '''Network glitch corrected by Mehrdad where network install (URL copy from Belmont) hung up install due to missing software repository'''.<br>'''Cause''': due to firewall protocol system implementation in Spring/Summer, it blocked the "yum" protocol, and now has been <u>'''fixed'''</u> system-wide.<br><br>'''FYI:''' '''Murray Saul''' verified that the fix worked by successfully created a VM via network install.<br><br><br />
# <span style="color:red;">'''ATTENTION:'''</span> Mehrdad mentioned that possibly in the next semester (or eventually), the belmont server URLs will be removed. The alternative (and eventual replacement) that affects OPS235/OPS335 is: mirror.senecacollege.ca/centos/7/os/x86_64/<br>Therefore, this corrections should be made for OPS235 and OPS335 labs for the Winter 2018 startup prior to classes.<br><br><br />
# <span style="color:red;">'''ATTENTION:'''</span> Verify your CentOS release version using '''rpm -qa centos-release'''. If it is '''1708''' <u>and</u> you are using a '''removable hard drive''' with boot issues then do the following: copy '''grubx64.efi''' from [http://mirror.centos.org/centos/7/os/x86_64/EFI/BOOT/ CentOS EFI/BOOT site here] into your /boot/efi/EFI/BOOT directory of your hard drive. To get to that directory of your hard drive you would need to boot from a live CentOS USB or CD/DVD and mount the /boot partition of your HDD. Try to do this yourself, otherwise ask for help from the lab tutor or instructor. You would also need to refresh your grub configuration using help from [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/System_Administrators_Guide/index.html RedHat], [https://wiki.centos.org/HowTos/Grub2 CentOS] and [http://www.gnu.org/software/grub/manual/grub.html Grub] or use the following [[File:grub.cfg]] for help. This directory tree is known to work<br><br><syntaxhighlight lang="bash"><br />
/boot/efi/EFI/<br />
├── BOOT<br />
│ ├── BOOTX64.EFI<br />
│ ├── fbx64.efi<br />
│ ├── grub.cfg <=== NEW: MUST BE PRESENT (create using grub2-mkconfig -o filename)<br />
│ └── grubx64.efi <=== NEW: MUST BE PRESENT (get using link CentOS EFI/BOOT in text above)<br />
└── centos<br />
├── BOOT.CSV<br />
├── BOOTX64.CSV<br />
├── fonts<br />
│ └── unicode.pf2<br />
├── grub.cfg<br />
├── grubenv<br />
├── grubx64.efi<br />
├── mmx64.efi<br />
├── shim.efi<br />
├── shimx64-centos.efi<br />
└── shimx64.efi<br />
</syntaxhighlight><br><br><br />
# In Lab2 (both versions), change from downloading raw image file (.img) to qcow2 file, and call it sample_test_image to get student to launch and login a sample version for exposure for future practical tests.<br><br><br />
# For next semester add in procedure for SSDs to create a duplicate image file for c7host in case the original is corrupted. Should also include warning about properly unmounting SSD device prior to removing from computer<br><br><br />
<br />
= Winter / Summer 2017=<br />
<br />
# There seems to be a procedure that works if you are booting Centos7 from your removable SATA drive in your labs and it doesn't connect to the Internet...<br>Note: If you cannot connect, you should see on the top right-hand corner before you login such as: '''<span style="font-size:1.5em;font-family:monospace;">[...]</span>'''<br>This means there is no Internet connection.<br><br>If that is the case, perform the following steps:<br><ol type="a"><li> Quickly press the power button (do not hold it down!). This should put it in suspend mode. You can confirm it is in suspend mode if the blue power light is flashing.</li><li>Wait a few seconds, then press the power button again. This will go out of suspend mode. You can confirm is is not in suspend mode if blue power light is solid (not flashing).</li><li>In a few seconds, the symbol on the top right-hand side should appear like: <span style="border-color:black;border-width:2px;border-style:solid;"> &nbsp; &nbsp; </span>.<br>This symbol means that you can connect to the Internet.</li></ol><br><br><br />
# A problem with kernel panic discussed on this thread and is on going as of Jan 10, 2017 (solved but Mark F. is facing difficulties after performing an aborted upgrade on my centos1-like VM which I was using for teaching ULI101. This solution doesn't help Mark but the advice given on this thread might be relevant to some). Here is link: [ [https://www.centos.org/forums/viewtopic.php?f=47&t=51911&start=10 Kernel panic at restart after so update] ]<br /><br /><br />
# We keep (but rename to something more appropriate) the existing HDD option in OPS235 labs because some students are requesting to install CentOS on their laptop (dual boot or single boot) and so continue doing the lab with all 3VMs on the laptop itself. So no VMs inside a VM stuff for them, except maybe name the labs from external HDD to 'using your own laptop' or some such.<br /><br /><br />
# In case a yum update goes wrong and the advice given by the next run of yum update does not work in making the VM boot into GNOME, then try the following: '''yum install initial-setup initial-setup-gui gnome-initial-setup'''. You might have to reboot and agree to the license conditions at firstboot. <br /><br /><br />
# Nested virtualization is incredibly slow if the host VM (VMware c7host) is using the default number of processor cores (1). Since all processing is done under c7host, it is safe to share all of your cores with Windows and VMware (c7host).<br /><br /><br />
<br />
=Fall 2016=<br />
<br />
# Lab 1: Unusual problem of network not showing up in c7host VM. Happened because I had not enabled a second network adapter in VMware Workstation Pro (use Team as the type).<br><br><br />
# Change all VM sizes to be at least 20GB because some (lab 2 VMs) still say 15GB and they cause problems during installation for CentOS 7.2<br><br><br />
# Keep consistent lab1 checking scripts for ALL OPS235 instructors (This semester was exception for Mark F., due to caching problem showing older partitions for previous semester).<br><br><br />
# I think in future (based on scripting questions I gave on midterm) that we will need to add to the questions section of the labs something to do with shell scripting - even a simple walk-through. This can be incorporated into future quizzes.<br><br><br />
# VMware gets odd naming for interfaces, for example ifconfig in VMware on CentOS 7 I get this (among other network setup). The problem is they've switched from the interface naming. There is a workaround in CentOS FAQ: https://wiki.centos.org/FAQ/CentOS7<code>eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 </code><br><br><br />
# I noticed that some students have a different volume group name for centos2 than centos_centos2<br>I suspect it is that students didn't follow instructions when creating the centos2 VM by specifying the correct hostname: centos2<br>This could be corrected by including centos2 being checked for correct hostname in lab2 checking script, but not time to do that for this semester.<br><br><br />
# Add youtube video on how LVM works for lab5 notes<br><br><br />
# Check learning outcomes and topic outline match for OPS235 course<br><br><br />
# For OPS235 Assignment #2, remove references to chkconfig command (deprecated), should use systemctl status service-name<br><br><br />
<br />
<br />
<br />
== CentOS 7 VM (VMware) Known Issues ==<br />
HP Z230 machines on campus<br />
# Not getting network interface in CentOS (VMware network configured to using NAT). Solved (sometimes) by adding another network interface and setting that interface to VMnet8<br />
# USB failure from Windows host. Could this be due to bad USB cable, but one student reported Windows on HP Z230 automatically unmounts the USB drive while the VM was running thereby freezing CentOS in VMware<br />
<br />
== Lab 5 suggestion (received from a student) ==<br />
<br />
Create a virtual disk /dev/vda in centos2 and use that virtual disk (vda) instead of /dev/sda (so use '''fdisk /dev/vda''' instead of using '''fdisk /dev/sda'''). This makes Lab 5 easier to handle accidental corruption students might make while doing that lab thereby destroying their centos2. This might require Lab 5 checker script to be tweaked to work with /dev/vda.<br />
<br />
== Lab 7 Issue ==<br />
<br />
Some students could only get their labs to work with the browser after they did this:<br />
<br />
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT<br />
<br />
== Assignment 2 ==<br />
<br />
chkconfig gives an error message telling students to use:<br />
# systemctl list-dependents httpd<br />
# systemctl list-dependents mysql<br />
<br />
=Previous Semesters=<br />
<br />
Summer 2016 (Refer to previous semesters below)=<br />
<br />
# No entries<br />
<br />
<br />
==Winter 2016==<br />
<br />
# '''<span style="color:red">N.B. - On "TODO list"</span>''' - '''LAB 1 - Picture under part 2''' - The picture called "Partition Verification" shows a LVM setup, but the instructions ask specifically for a standard partition setup.<br><br><br />
# '''<span style="color:red">FIXED BUT REQUIRES VERIFICATION THAT FIX WORKED</span>''' - '''LAB 1 - Investigation 3 - Part 2 - Questions 21''' - Not important but, report3.bash script uses the command "cat /root/install.log >> installation_report.html", the file /root/install.log does not exist on centos7 install.<br><br><br />
#'''<span style="color:red">N.B. On List for Murray Saul to work on during non-contact period</span>''' - "tweak" '''lab2check2.bash''' to provide additional checks including xml dumps to home directory for all VMs and reminder from script to back those items to USB key. Also should check if '''centos2''' has '''/ for 8 GB and /home for 2GB'''. I read somewhere that '''xfs can mess up with LVM which we talk about in lab5'''. For next time, I will '''add in requirement in lab2 signoff that students show for all VMs the /etc/fstab to ensure ext4 fs'''. Perhaps checking script can be modified next time to check for that... Good idea to '''expand shell script check for ALL labs. Student would be required to show same information PLUS the results from running the checking shell script'''.<br><br><br />
#'''<span style="color:red">N.B. On List for Murray Saul to work on during non-contact period</span>''' - It would be nice to rearrange the content for lab5 to '''discuss df -h and space concerns <u>first</u>, then flow into LVM. This would provide a better "flow" to reinforce student understanding'''. Shell script at end would remain at end to show how to use crontab to automate (flag) space issues.<br><br><br />
#'''<span style="color:red">N.B. On List for Murray Saul to work on during non-contact period</span>''' - Good idea to '''review study questions at end of each lab''' to see if they are applicable to each lab.<br><br><br />
#Would be neat to '''create prezi slide shows for each lab preparation (for class)'''. This would be in sync with OPS335 course. Online slides can be exported to PDF files as well.<br><br><br />
#'''<span style="color:red">N.B. On List for Murray Saul to work on during non-contact period</span>''' - Would be helpful for a script or program to check all links in all OPS235 (OPS335, etc) WIKIs to check for non-working links. This would allow course overseer to run just prior to the start of the semester and be incorporated into the startup checklist.<br><br><br />
#'''<span style="color:red">N.B. On List for Murray Saul to work on during non-contact period</span>''' - Some students note different vg name (like centos instead of centos_centos2). Solution is to get students to issue vgs to obtain vg name. Should investigate why this is happening to prevent (eg. shell script check at end of a lab).<br><br><br />
#'''<span style="color:red">N.B. On List for Murray Saul to work on during non-contact period</span>''' - Check '''mailx''' package when installed (lab5 example) for OPS235 to see why not sending mail to demo that script works for a lower threshold point for file space usage.<br><br><br />
#'''<span style="color:red">N.B. On List for Murray Saul to work on during non-contact period</span>''' - Method to better explain in lab7 tunnelling via local ports (eg. show some command of available ports, etc) - example:<br>'''sysctl net.ipv4.ip_local_port_range'''<br>net.ipv4.ip_local_port_range = 32768 61000<br>(But where does that fit in with using 20808?)<br />
<br />
<br />
== Summer 2015 ==<br />
# '''LAB 1 - Installing NON-GUI version of Linux OS:''' A lot of students ran into the same problem with lab 1, that is they didn't pay close enough attention to the instructions and installed the OS without a GUI. But that is no flaw in your wiki, just the tendency of students to rush through things. I have done my best to enforce that they should read all the instructions carefully BEFORE they start on the labs.<br><br><br />
# '''LAB2 - Backup Script demo:''' Current VM backup script should also allow for backing up xml configuration files.<br><br><br />
# '''LAB - LVM:''' Current VM backup script does not factor in virtual hard drive images. May be a good idea to add this to the backup script, so students can be encouraged to run backup scripts.<br><br><br />
# The wget http://belmont.senecac.on.ca/centos/7/isos/x86_64/CentOS-7-x86_64-LiveGNOME-1503.iso command is still not working<br><br><br />
# When students issue the “service iptables restart” command it returns a message that says the service is dead and not running. Yet, I’ve tested the iptables themselves by adding a few rules and they are certainly still working. I’m really not sure what exactly is going on. Perhaps it’s just a glitch in CentOS7?<br><br><br />
# The virtualization software also seems to need a system reboot before the virtual network will come into effect. Simply restarting the virt-manager or the libvirtd service doesn’t seem to do it. So, again, rebooting the system is the way to go to make sure the virtual default NAT network becomes visible for new VMs.<br><br><br />
# Some students in lab2 may not be performing the correct steps in creating VMS (image paths and types). A shell script to be run to check this would be useful, but may need release time to create a comprehensive and user-friendly shell script.<br><br><br />
<br />
== Winter 2015 ==<br />
* Winter 2015: [[OPS235 - Short-term - Older Issues]]<br />
<br />
<br />
== Additional Resources / Navigation ==<br />
<br />
:* [[OPS235 - Curriculum Discussion |OPS235 - Curriculum Discussion]]<br />
:* [http://zenit.senecac.on.ca/wiki/index.php/OPS OPS Stream Discussion]<br />
:* [[CNS / CTY Curriculum Development]]<br />
<br />
[[Category:Curriculum, OPS Stream]]</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=OPS235_Short-Term&diff=134048OPS235 Short-Term2018-05-17T21:36:27Z<p>Mark: /* Current: Winter 2018 Semester */</p>
<hr />
<div><br />
== USEFUL INFORMATION FOR INSTRUCTORS (ALL SEMESTERS - PLEASE READ!)==<br />
<br />
#In the '''lab 1 instructions for SSD''', students are instructed to download the image to their windows machine (i.e. Downloads), then create a '''VM template, then edit it with instructions:'''<br><br><span style="background-color:yellow;">In this setup dialog box, click the options tab and then click the Advanced option at the bottom of the list. On the right-hand side, click the checkbox to enable the option to Boot with EFI instead of BIOS.<br>Then click on the Hardware tab, and then select the CD/DVD (IDE) device and select in the right-side select the radio button for the use ISO Image file. Click the Browse button and specify the path of your downloaded Centos7 Full install DVD (most likely file is contained in your Downloads folder). Click Processors, and click the check-box to enable Virtual Intel VT-X/EPT or AMD-V/RVI. When finished, click on the OK button. </span><br><br>Many students have done this for more than 3-4 semesters with their SSDs. Generally no problems encountered. '''Occasionally, students do not follow instructions and forget to set virtualisation for host VM with would affect nested VMs using KVM in lab2...'''. Examples: Can't edit Grub boot file, VMs cannot be installed properly in KVM, Installed VMs in KVM cannot be started, etc.<br><br>The instructions are there. '''I usually do install with students for lab1 Investigation 1 with students (only time I do lab with students) to help them get on the right track'''.<br><br><br />
# Subject: RE: '''How to allow students to obtain free VMware Workstation 12 Pro for use at home''' (eg. SSDs)<br><br>'''*** REQUIRED FOR INSTRUCTORS TO DO THEMSELVES - NO ONE WILL DO THIS FOR YOU ***'''<br><br>Students are entitled to free licensed version of VMware Workstation 12 Pro.<br>It is available for ALL OPS235 / OPS335 students, but particularly useful for students that have SSD drive and want to work from home of notebook computer. You, as an instructor NEED to send Clive (e-mail:<br>clive.beetge@senecacollege.ca) with just usernames (can be done via Blackboard or moodle) students. I recommend you also post an announcement for your student like this:<br><br><blockquote>''"All OPS235/OPS335 students in my course is allowed a free version of VMware Workstation 12 Pro for their personal use. This particularly useful for students that have Solid State Drives and want to work on OPS235 labs at homeusing VMware Workstation 12 Pro. I have e-mailed the administrator your seneca userid, and you should be getting an email with a long subject line.<br><br>WARNING: Check your quarantine and spam filters to see if this email gets trapped since spam filters may automatically trap suspicious emails with long subject lines.<br><br>Open that e-mail to obtain your VMware Workstation 12 Pro software and registration key.<br><br>FYI<br>Insructor's Name"''</blockquote><br><br>'''NOTE:''' If students cannot access this information from their email, and if Clive has created their accounts, they can use the link and following instructions to obtain their program:<br>https://e5.onthehub.com/WebStore/Welcome.aspx?ws=d529a1f1-b430-e511-940e-b8ca3a5db7a1&vsro=8<br><br><br />
# It is possible to run VMware VMs from the command line using the following steps <syntaxhighlight lang="bash">Create a directory for links to your VMware VMs<br />
# mkdir ~/links<br />
# cd links <br />
# ln -s /path/to/VMs/file.vmx<br />
<br />
Use vmrun to start/stop/list/getGuestIPAddress/listProcessesInGuest<br />
# vmrun | less<br />
# vmrun -T ws start ~/links/name-of-CentOS-VM-link.vmx [gui|nogui]<br />
# vmrun list<br />
# vmrun -T ws getGuestIPAddress ~/links/name-of-CentOS-VM-link.vmx<br />
# ssh user@address-got-from-line-above<br />
# vmrun -T ws -gu <guest-user> -gp <guest-password> listProcessesInGuest ~/links/name-of-CentOS-VM-link.vmx</syntaxhighlight>In case you get an error message about Guest Additions not being installed, you have to rerun <code>vmrun installTools ~/links/name-of-CentOS-VM-link</code> and, during the Guest Additions installation, choose yes to automatic kernel modules (default during installation is no), see: [ [https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2050592 Known issue about Guest Additions not being loaded despite being installed] ] and [ [https://www.vmware.com/pdf/vix162_vmrun_command.pdf (PDF) manual for vmrun ] ] for additional information.<br />
# When updating packages if you abort suddenly, then you might end up with a broken package database. <br />
## In that case, you can fix a broken yum package system using the following blog post: [ [https://wphosting.tv/how-to-fix-duplicate-packages-in-yum/ How to fix duplicate packages in yum] ].<br>Good to know and include somewhere (OPS235 future content update).<br />
## This might another set of steps to follow:<syntaxhighlight lang="bash"># yum-complete-transaction<br />
# yum check | tee /tmp/yum-check.log <br />
# yum update --skip-broken<br />
# package-cleanup --problems<br />
# package-cleanup --dupes<br />
# package-cleanup --cleandupes<br />
# yum install initial-setup initial-setup-gui gnome-initial-setup<br />
# yum update<br />
# reboot</syntaxhighlight><br /><br /><br />
# VMware on Linux requires Secure Boot to be disabled on the Linux host otherwise VMware cannot run CentOS VMs: [ [https://communities.vmware.com/message/2461448#2461448 Comment #5 talks about disabling Secure Boot to make VMware on Linux boot VMs] ].<br />
<br />
= Current: Winter 2018 Semester =<br />
# It appears that doing yum update after May 2018 reintroduces the GRUB issue mentioned in '''#3''' of '''Fall 2017''' below for removable HDD on HP machines. A possible solution might be (to be confirmed whether the solution linked to here resolves the issue) https://noobient.com/post/165797742756/fixing-the-efi-bootloader-on-centos-7<br />
<br />
= Fall 2017 Semester=<br />
<br />
# '''Network glitch corrected by Mehrdad where network install (URL copy from Belmont) hung up install due to missing software repository'''.<br>'''Cause''': due to firewall protocol system implementation in Spring/Summer, it blocked the "yum" protocol, and now has been <u>'''fixed'''</u> system-wide.<br><br>'''FYI:''' '''Murray Saul''' verified that the fix worked by successfully created a VM via network install.<br><br><br />
# <span style="color:red;">'''ATTENTION:'''</span> Mehrdad mentioned that possibly in the next semester (or eventually), the belmont server URLs will be removed. The alternative (and eventual replacement) that affects OPS235/OPS335 is: mirror.senecacollege.ca/centos/7/os/x86_64/<br>Therefore, this corrections should be made for OPS235 and OPS335 labs for the Winter 2018 startup prior to classes.<br><br><br />
# <span style="color:red;">'''ATTENTION:'''</span> Verify your CentOS release version using '''rpm -qa centos-release'''. If it is '''1708''' <u>and</u> you are using a '''removable hard drive''' with boot issues then do the following: copy '''grubx64.efi''' from [http://mirror.centos.org/centos/7/os/x86_64/EFI/BOOT/ CentOS EFI/BOOT site here] into your /boot/efi/EFI/BOOT directory of your hard drive. To get to that directory of your hard drive you would need to boot from a live CentOS USB or CD/DVD and mount the /boot partition of your HDD. Try to do this yourself, otherwise ask for help from the lab tutor or instructor. You would also need to refresh your grub configuration using help from [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/System_Administrators_Guide/index.html RedHat], [https://wiki.centos.org/HowTos/Grub2 CentOS] and [http://www.gnu.org/software/grub/manual/grub.html Grub] or use the following [[File:grub.cfg]] for help. This directory tree is known to work<br><br><syntaxhighlight lang="bash"><br />
/boot/efi/EFI/<br />
├── BOOT<br />
│ ├── BOOTX64.EFI<br />
│ ├── fbx64.efi<br />
│ ├── grub.cfg <=== NEW: MUST BE PRESENT (create using grub2-mkconfig -o filename)<br />
│ └── grubx64.efi <=== NEW: MUST BE PRESENT (get using link CentOS EFI/BOOT in text above)<br />
└── centos<br />
├── BOOT.CSV<br />
├── BOOTX64.CSV<br />
├── fonts<br />
│ └── unicode.pf2<br />
├── grub.cfg<br />
├── grubenv<br />
├── grubx64.efi<br />
├── mmx64.efi<br />
├── shim.efi<br />
├── shimx64-centos.efi<br />
└── shimx64.efi<br />
</syntaxhighlight><br><br><br />
# In Lab2 (both versions), change from downloading raw image file (.img) to qcow2 file, and call it sample_test_image to get student to launch and login a sample version for exposure for future practical tests.<br><br><br />
# For next semester add in procedure for SSDs to create a duplicate image file for c7host in case the original is corrupted. Should also include warning about properly unmounting SSD device prior to removing from computer<br><br><br />
<br />
= Winter / Summer 2017=<br />
<br />
# There seems to be a procedure that works if you are booting Centos7 from your removable SATA drive in your labs and it doesn't connect to the Internet...<br>Note: If you cannot connect, you should see on the top right-hand corner before you login such as: '''<span style="font-size:1.5em;font-family:monospace;">[...]</span>'''<br>This means there is no Internet connection.<br><br>If that is the case, perform the following steps:<br><ol type="a"><li> Quickly press the power button (do not hold it down!). This should put it in suspend mode. You can confirm it is in suspend mode if the blue power light is flashing.</li><li>Wait a few seconds, then press the power button again. This will go out of suspend mode. You can confirm is is not in suspend mode if blue power light is solid (not flashing).</li><li>In a few seconds, the symbol on the top right-hand side should appear like: <span style="border-color:black;border-width:2px;border-style:solid;"> &nbsp; &nbsp; </span>.<br>This symbol means that you can connect to the Internet.</li></ol><br><br><br />
# A problem with kernel panic discussed on this thread and is on going as of Jan 10, 2017 (solved but Mark F. is facing difficulties after performing an aborted upgrade on my centos1-like VM which I was using for teaching ULI101. This solution doesn't help Mark but the advice given on this thread might be relevant to some). Here is link: [ [https://www.centos.org/forums/viewtopic.php?f=47&t=51911&start=10 Kernel panic at restart after so update] ]<br /><br /><br />
# We keep (but rename to something more appropriate) the existing HDD option in OPS235 labs because some students are requesting to install CentOS on their laptop (dual boot or single boot) and so continue doing the lab with all 3VMs on the laptop itself. So no VMs inside a VM stuff for them, except maybe name the labs from external HDD to 'using your own laptop' or some such.<br /><br /><br />
# In case a yum update goes wrong and the advice given by the next run of yum update does not work in making the VM boot into GNOME, then try the following: '''yum install initial-setup initial-setup-gui gnome-initial-setup'''. You might have to reboot and agree to the license conditions at firstboot. <br /><br /><br />
# Nested virtualization is incredibly slow if the host VM (VMware c7host) is using the default number of processor cores (1). Since all processing is done under c7host, it is safe to share all of your cores with Windows and VMware (c7host).<br /><br /><br />
<br />
=Fall 2016=<br />
<br />
# Lab 1: Unusual problem of network not showing up in c7host VM. Happened because I had not enabled a second network adapter in VMware Workstation Pro (use Team as the type).<br><br><br />
# Change all VM sizes to be at least 20GB because some (lab 2 VMs) still say 15GB and they cause problems during installation for CentOS 7.2<br><br><br />
# Keep consistent lab1 checking scripts for ALL OPS235 instructors (This semester was exception for Mark F., due to caching problem showing older partitions for previous semester).<br><br><br />
# I think in future (based on scripting questions I gave on midterm) that we will need to add to the questions section of the labs something to do with shell scripting - even a simple walk-through. This can be incorporated into future quizzes.<br><br><br />
# VMware gets odd naming for interfaces, for example ifconfig in VMware on CentOS 7 I get this (among other network setup). The problem is they've switched from the interface naming. There is a workaround in CentOS FAQ: https://wiki.centos.org/FAQ/CentOS7<code>eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 </code><br><br><br />
# I noticed that some students have a different volume group name for centos2 than centos_centos2<br>I suspect it is that students didn't follow instructions when creating the centos2 VM by specifying the correct hostname: centos2<br>This could be corrected by including centos2 being checked for correct hostname in lab2 checking script, but not time to do that for this semester.<br><br><br />
# Add youtube video on how LVM works for lab5 notes<br><br><br />
# Check learning outcomes and topic outline match for OPS235 course<br><br><br />
# For OPS235 Assignment #2, remove references to chkconfig command (deprecated), should use systemctl status service-name<br><br><br />
<br />
<br />
<br />
== CentOS 7 VM (VMware) Known Issues ==<br />
HP Z230 machines on campus<br />
# Not getting network interface in CentOS (VMware network configured to using NAT). Solved (sometimes) by adding another network interface and setting that interface to VMnet8<br />
# USB failure from Windows host. Could this be due to bad USB cable, but one student reported Windows on HP Z230 automatically unmounts the USB drive while the VM was running thereby freezing CentOS in VMware<br />
<br />
== Lab 5 suggestion (received from a student) ==<br />
<br />
Create a virtual disk /dev/vda in centos2 and use that virtual disk (vda) instead of /dev/sda (so use '''fdisk /dev/vda''' instead of using '''fdisk /dev/sda'''). This makes Lab 5 easier to handle accidental corruption students might make while doing that lab thereby destroying their centos2. This might require Lab 5 checker script to be tweaked to work with /dev/vda.<br />
<br />
== Lab 7 Issue ==<br />
<br />
Some students could only get their labs to work with the browser after they did this:<br />
<br />
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT<br />
<br />
== Assignment 2 ==<br />
<br />
chkconfig gives an error message telling students to use:<br />
# systemctl list-dependents httpd<br />
# systemctl list-dependents mysql<br />
<br />
=Previous Semesters=<br />
<br />
Summer 2016 (Refer to previous semesters below)=<br />
<br />
# No entries<br />
<br />
<br />
==Winter 2016==<br />
<br />
# '''<span style="color:red">N.B. - On "TODO list"</span>''' - '''LAB 1 - Picture under part 2''' - The picture called "Partition Verification" shows a LVM setup, but the instructions ask specifically for a standard partition setup.<br><br><br />
# '''<span style="color:red">FIXED BUT REQUIRES VERIFICATION THAT FIX WORKED</span>''' - '''LAB 1 - Investigation 3 - Part 2 - Questions 21''' - Not important but, report3.bash script uses the command "cat /root/install.log >> installation_report.html", the file /root/install.log does not exist on centos7 install.<br><br><br />
#'''<span style="color:red">N.B. On List for Murray Saul to work on during non-contact period</span>''' - "tweak" '''lab2check2.bash''' to provide additional checks including xml dumps to home directory for all VMs and reminder from script to back those items to USB key. Also should check if '''centos2''' has '''/ for 8 GB and /home for 2GB'''. I read somewhere that '''xfs can mess up with LVM which we talk about in lab5'''. For next time, I will '''add in requirement in lab2 signoff that students show for all VMs the /etc/fstab to ensure ext4 fs'''. Perhaps checking script can be modified next time to check for that... Good idea to '''expand shell script check for ALL labs. Student would be required to show same information PLUS the results from running the checking shell script'''.<br><br><br />
#'''<span style="color:red">N.B. On List for Murray Saul to work on during non-contact period</span>''' - It would be nice to rearrange the content for lab5 to '''discuss df -h and space concerns <u>first</u>, then flow into LVM. This would provide a better "flow" to reinforce student understanding'''. Shell script at end would remain at end to show how to use crontab to automate (flag) space issues.<br><br><br />
#'''<span style="color:red">N.B. On List for Murray Saul to work on during non-contact period</span>''' - Good idea to '''review study questions at end of each lab''' to see if they are applicable to each lab.<br><br><br />
#Would be neat to '''create prezi slide shows for each lab preparation (for class)'''. This would be in sync with OPS335 course. Online slides can be exported to PDF files as well.<br><br><br />
#'''<span style="color:red">N.B. On List for Murray Saul to work on during non-contact period</span>''' - Would be helpful for a script or program to check all links in all OPS235 (OPS335, etc) WIKIs to check for non-working links. This would allow course overseer to run just prior to the start of the semester and be incorporated into the startup checklist.<br><br><br />
#'''<span style="color:red">N.B. On List for Murray Saul to work on during non-contact period</span>''' - Some students note different vg name (like centos instead of centos_centos2). Solution is to get students to issue vgs to obtain vg name. Should investigate why this is happening to prevent (eg. shell script check at end of a lab).<br><br><br />
#'''<span style="color:red">N.B. On List for Murray Saul to work on during non-contact period</span>''' - Check '''mailx''' package when installed (lab5 example) for OPS235 to see why not sending mail to demo that script works for a lower threshold point for file space usage.<br><br><br />
#'''<span style="color:red">N.B. On List for Murray Saul to work on during non-contact period</span>''' - Method to better explain in lab7 tunnelling via local ports (eg. show some command of available ports, etc) - example:<br>'''sysctl net.ipv4.ip_local_port_range'''<br>net.ipv4.ip_local_port_range = 32768 61000<br>(But where does that fit in with using 20808?)<br />
<br />
<br />
== Summer 2015 ==<br />
# '''LAB 1 - Installing NON-GUI version of Linux OS:''' A lot of students ran into the same problem with lab 1, that is they didn't pay close enough attention to the instructions and installed the OS without a GUI. But that is no flaw in your wiki, just the tendency of students to rush through things. I have done my best to enforce that they should read all the instructions carefully BEFORE they start on the labs.<br><br><br />
# '''LAB2 - Backup Script demo:''' Current VM backup script should also allow for backing up xml configuration files.<br><br><br />
# '''LAB - LVM:''' Current VM backup script does not factor in virtual hard drive images. May be a good idea to add this to the backup script, so students can be encouraged to run backup scripts.<br><br><br />
# The wget http://belmont.senecac.on.ca/centos/7/isos/x86_64/CentOS-7-x86_64-LiveGNOME-1503.iso command is still not working<br><br><br />
# When students issue the “service iptables restart” command it returns a message that says the service is dead and not running. Yet, I’ve tested the iptables themselves by adding a few rules and they are certainly still working. I’m really not sure what exactly is going on. Perhaps it’s just a glitch in CentOS7?<br><br><br />
# The virtualization software also seems to need a system reboot before the virtual network will come into effect. Simply restarting the virt-manager or the libvirtd service doesn’t seem to do it. So, again, rebooting the system is the way to go to make sure the virtual default NAT network becomes visible for new VMs.<br><br><br />
# Some students in lab2 may not be performing the correct steps in creating VMS (image paths and types). A shell script to be run to check this would be useful, but may need release time to create a comprehensive and user-friendly shell script.<br><br><br />
<br />
== Winter 2015 ==<br />
* Winter 2015: [[OPS235 - Short-term - Older Issues]]<br />
<br />
<br />
== Additional Resources / Navigation ==<br />
<br />
:* [[OPS235 - Curriculum Discussion |OPS235 - Curriculum Discussion]]<br />
:* [http://zenit.senecac.on.ca/wiki/index.php/OPS OPS Stream Discussion]<br />
:* [[CNS / CTY Curriculum Development]]<br />
<br />
[[Category:Curriculum, OPS Stream]]</div>Markhttps://wiki.cdot.senecacollege.ca/w/index.php?title=OPS235_Short-Term&diff=134047OPS235 Short-Term2018-05-17T21:35:29Z<p>Mark: /* Current: Winter 2018 Semester */</p>
<hr />
<div><br />
== USEFUL INFORMATION FOR INSTRUCTORS (ALL SEMESTERS - PLEASE READ!)==<br />
<br />
#In the '''lab 1 instructions for SSD''', students are instructed to download the image to their windows machine (i.e. Downloads), then create a '''VM template, then edit it with instructions:'''<br><br><span style="background-color:yellow;">In this setup dialog box, click the options tab and then click the Advanced option at the bottom of the list. On the right-hand side, click the checkbox to enable the option to Boot with EFI instead of BIOS.<br>Then click on the Hardware tab, and then select the CD/DVD (IDE) device and select in the right-side select the radio button for the use ISO Image file. Click the Browse button and specify the path of your downloaded Centos7 Full install DVD (most likely file is contained in your Downloads folder). Click Processors, and click the check-box to enable Virtual Intel VT-X/EPT or AMD-V/RVI. When finished, click on the OK button. </span><br><br>Many students have done this for more than 3-4 semesters with their SSDs. Generally no problems encountered. '''Occasionally, students do not follow instructions and forget to set virtualisation for host VM with would affect nested VMs using KVM in lab2...'''. Examples: Can't edit Grub boot file, VMs cannot be installed properly in KVM, Installed VMs in KVM cannot be started, etc.<br><br>The instructions are there. '''I usually do install with students for lab1 Investigation 1 with students (only time I do lab with students) to help them get on the right track'''.<br><br><br />
# Subject: RE: '''How to allow students to obtain free VMware Workstation 12 Pro for use at home''' (eg. SSDs)<br><br>'''*** REQUIRED FOR INSTRUCTORS TO DO THEMSELVES - NO ONE WILL DO THIS FOR YOU ***'''<br><br>Students are entitled to free licensed version of VMware Workstation 12 Pro.<br>It is available for ALL OPS235 / OPS335 students, but particularly useful for students that have SSD drive and want to work from home of notebook computer. You, as an instructor NEED to send Clive (e-mail:<br>clive.beetge@senecacollege.ca) with just usernames (can be done via Blackboard or moodle) students. I recommend you also post an announcement for your student like this:<br><br><blockquote>''"All OPS235/OPS335 students in my course is allowed a free version of VMware Workstation 12 Pro for their personal use. This particularly useful for students that have Solid State Drives and want to work on OPS235 labs at homeusing VMware Workstation 12 Pro. I have e-mailed the administrator your seneca userid, and you should be getting an email with a long subject line.<br><br>WARNING: Check your quarantine and spam filters to see if this email gets trapped since spam filters may automatically trap suspicious emails with long subject lines.<br><br>Open that e-mail to obtain your VMware Workstation 12 Pro software and registration key.<br><br>FYI<br>Insructor's Name"''</blockquote><br><br>'''NOTE:''' If students cannot access this information from their email, and if Clive has created their accounts, they can use the link and following instructions to obtain their program:<br>https://e5.onthehub.com/WebStore/Welcome.aspx?ws=d529a1f1-b430-e511-940e-b8ca3a5db7a1&vsro=8<br><br><br />
# It is possible to run VMware VMs from the command line using the following steps <syntaxhighlight lang="bash">Create a directory for links to your VMware VMs<br />
# mkdir ~/links<br />
# cd links <br />
# ln -s /path/to/VMs/file.vmx<br />
<br />
Use vmrun to start/stop/list/getGuestIPAddress/listProcessesInGuest<br />
# vmrun | less<br />
# vmrun -T ws start ~/links/name-of-CentOS-VM-link.vmx [gui|nogui]<br />
# vmrun list<br />
# vmrun -T ws getGuestIPAddress ~/links/name-of-CentOS-VM-link.vmx<br />
# ssh user@address-got-from-line-above<br />
# vmrun -T ws -gu <guest-user> -gp <guest-password> listProcessesInGuest ~/links/name-of-CentOS-VM-link.vmx</syntaxhighlight>In case you get an error message about Guest Additions not being installed, you have to rerun <code>vmrun installTools ~/links/name-of-CentOS-VM-link</code> and, during the Guest Additions installation, choose yes to automatic kernel modules (default during installation is no), see: [ [https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2050592 Known issue about Guest Additions not being loaded despite being installed] ] and [ [https://www.vmware.com/pdf/vix162_vmrun_command.pdf (PDF) manual for vmrun ] ] for additional information.<br />
# When updating packages if you abort suddenly, then you might end up with a broken package database. <br />
## In that case, you can fix a broken yum package system using the following blog post: [ [https://wphosting.tv/how-to-fix-duplicate-packages-in-yum/ How to fix duplicate packages in yum] ].<br>Good to know and include somewhere (OPS235 future content update).<br />
## This might another set of steps to follow:<syntaxhighlight lang="bash"># yum-complete-transaction<br />
# yum check | tee /tmp/yum-check.log <br />
# yum update --skip-broken<br />
# package-cleanup --problems<br />
# package-cleanup --dupes<br />
# package-cleanup --cleandupes<br />
# yum install initial-setup initial-setup-gui gnome-initial-setup<br />
# yum update<br />
# reboot</syntaxhighlight><br /><br /><br />
# VMware on Linux requires Secure Boot to be disabled on the Linux host otherwise VMware cannot run CentOS VMs: [ [https://communities.vmware.com/message/2461448#2461448 Comment #5 talks about disabling Secure Boot to make VMware on Linux boot VMs] ].<br />
<br />
= Current: Winter 2018 Semester =<br />
# It appears that doing yum update after May 2018 reintroduces the GRUB issue below for removable HDD on HP machines. A possible solution might be (to be confirmed whether the solution linked to here resolves the issue) https://noobient.com/post/165797742756/fixing-the-efi-bootloader-on-centos-7<br />
<br />
= Fall 2017 Semester=<br />
<br />
# '''Network glitch corrected by Mehrdad where network install (URL copy from Belmont) hung up install due to missing software repository'''.<br>'''Cause''': due to firewall protocol system implementation in Spring/Summer, it blocked the "yum" protocol, and now has been <u>'''fixed'''</u> system-wide.<br><br>'''FYI:''' '''Murray Saul''' verified that the fix worked by successfully created a VM via network install.<br><br><br />
# <span style="color:red;">'''ATTENTION:'''</span> Mehrdad mentioned that possibly in the next semester (or eventually), the belmont server URLs will be removed. The alternative (and eventual replacement) that affects OPS235/OPS335 is: mirror.senecacollege.ca/centos/7/os/x86_64/<br>Therefore, this corrections should be made for OPS235 and OPS335 labs for the Winter 2018 startup prior to classes.<br><br><br />
# <span style="color:red;">'''ATTENTION:'''</span> Verify your CentOS release version using '''rpm -qa centos-release'''. If it is '''1708''' <u>and</u> you are using a '''removable hard drive''' with boot issues then do the following: copy '''grubx64.efi''' from [http://mirror.centos.org/centos/7/os/x86_64/EFI/BOOT/ CentOS EFI/BOOT site here] into your /boot/efi/EFI/BOOT directory of your hard drive. To get to that directory of your hard drive you would need to boot from a live CentOS USB or CD/DVD and mount the /boot partition of your HDD. Try to do this yourself, otherwise ask for help from the lab tutor or instructor. You would also need to refresh your grub configuration using help from [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/System_Administrators_Guide/index.html RedHat], [https://wiki.centos.org/HowTos/Grub2 CentOS] and [http://www.gnu.org/software/grub/manual/grub.html Grub] or use the following [[File:grub.cfg]] for help. This directory tree is known to work<br><br><syntaxhighlight lang="bash"><br />
/boot/efi/EFI/<br />
├── BOOT<br />
│ ├── BOOTX64.EFI<br />
│ ├── fbx64.efi<br />
│ ├── grub.cfg <=== NEW: MUST BE PRESENT (create using grub2-mkconfig -o filename)<br />
│ └── grubx64.efi <=== NEW: MUST BE PRESENT (get using link CentOS EFI/BOOT in text above)<br />
└── centos<br />
├── BOOT.CSV<br />
├── BOOTX64.CSV<br />
├── fonts<br />
│ └── unicode.pf2<br />
├── grub.cfg<br />
├── grubenv<br />
├── grubx64.efi<br />
├── mmx64.efi<br />
├── shim.efi<br />
├── shimx64-centos.efi<br />
└── shimx64.efi<br />
</syntaxhighlight><br><br><br />
# In Lab2 (both versions), change from downloading raw image file (.img) to qcow2 file, and call it sample_test_image to get student to launch and login a sample version for exposure for future practical tests.<br><br><br />
# For next semester add in procedure for SSDs to create a duplicate image file for c7host in case the original is corrupted. Should also include warning about properly unmounting SSD device prior to removing from computer<br><br><br />
<br />
= Winter / Summer 2017=<br />
<br />
# There seems to be a procedure that works if you are booting Centos7 from your removable SATA drive in your labs and it doesn't connect to the Internet...<br>Note: If you cannot connect, you should see on the top right-hand corner before you login such as: '''<span style="font-size:1.5em;font-family:monospace;">[...]</span>'''<br>This means there is no Internet connection.<br><br>If that is the case, perform the following steps:<br><ol type="a"><li> Quickly press the power button (do not hold it down!). This should put it in suspend mode. You can confirm it is in suspend mode if the blue power light is flashing.</li><li>Wait a few seconds, then press the power button again. This will go out of suspend mode. You can confirm is is not in suspend mode if blue power light is solid (not flashing).</li><li>In a few seconds, the symbol on the top right-hand side should appear like: <span style="border-color:black;border-width:2px;border-style:solid;"> &nbsp; &nbsp; </span>.<br>This symbol means that you can connect to the Internet.</li></ol><br><br><br />
# A problem with kernel panic discussed on this thread and is on going as of Jan 10, 2017 (solved but Mark F. is facing difficulties after performing an aborted upgrade on my centos1-like VM which I was using for teaching ULI101. This solution doesn't help Mark but the advice given on this thread might be relevant to some). Here is link: [ [https://www.centos.org/forums/viewtopic.php?f=47&t=51911&start=10 Kernel panic at restart after so update] ]<br /><br /><br />
# We keep (but rename to something more appropriate) the existing HDD option in OPS235 labs because some students are requesting to install CentOS on their laptop (dual boot or single boot) and so continue doing the lab with all 3VMs on the laptop itself. So no VMs inside a VM stuff for them, except maybe name the labs from external HDD to 'using your own laptop' or some such.<br /><br /><br />
# In case a yum update goes wrong and the advice given by the next run of yum update does not work in making the VM boot into GNOME, then try the following: '''yum install initial-setup initial-setup-gui gnome-initial-setup'''. You might have to reboot and agree to the license conditions at firstboot. <br /><br /><br />
# Nested virtualization is incredibly slow if the host VM (VMware c7host) is using the default number of processor cores (1). Since all processing is done under c7host, it is safe to share all of your cores with Windows and VMware (c7host).<br /><br /><br />
<br />
=Fall 2016=<br />
<br />
# Lab 1: Unusual problem of network not showing up in c7host VM. Happened because I had not enabled a second network adapter in VMware Workstation Pro (use Team as the type).<br><br><br />
# Change all VM sizes to be at least 20GB because some (lab 2 VMs) still say 15GB and they cause problems during installation for CentOS 7.2<br><br><br />
# Keep consistent lab1 checking scripts for ALL OPS235 instructors (This semester was exception for Mark F., due to caching problem showing older partitions for previous semester).<br><br><br />
# I think in future (based on scripting questions I gave on midterm) that we will need to add to the questions section of the labs something to do with shell scripting - even a simple walk-through. This can be incorporated into future quizzes.<br><br><br />
# VMware gets odd naming for interfaces, for example ifconfig in VMware on CentOS 7 I get this (among other network setup). The problem is they've switched from the interface naming. There is a workaround in CentOS FAQ: https://wiki.centos.org/FAQ/CentOS7<code>eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 </code><br><br><br />
# I noticed that some students have a different volume group name for centos2 than centos_centos2<br>I suspect it is that students didn't follow instructions when creating the centos2 VM by specifying the correct hostname: centos2<br>This could be corrected by including centos2 being checked for correct hostname in lab2 checking script, but not time to do that for this semester.<br><br><br />
# Add youtube video on how LVM works for lab5 notes<br><br><br />
# Check learning outcomes and topic outline match for OPS235 course<br><br><br />
# For OPS235 Assignment #2, remove references to chkconfig command (deprecated), should use systemctl status service-name<br><br><br />
<br />
<br />
<br />
== CentOS 7 VM (VMware) Known Issues ==<br />
HP Z230 machines on campus<br />
# Not getting network interface in CentOS (VMware network configured to using NAT). Solved (sometimes) by adding another network interface and setting that interface to VMnet8<br />
# USB failure from Windows host. Could this be due to bad USB cable, but one student reported Windows on HP Z230 automatically unmounts the USB drive while the VM was running thereby freezing CentOS in VMware<br />
<br />
== Lab 5 suggestion (received from a student) ==<br />
<br />
Create a virtual disk /dev/vda in centos2 and use that virtual disk (vda) instead of /dev/sda (so use '''fdisk /dev/vda''' instead of using '''fdisk /dev/sda'''). This makes Lab 5 easier to handle accidental corruption students might make while doing that lab thereby destroying their centos2. This might require Lab 5 checker script to be tweaked to work with /dev/vda.<br />
<br />
== Lab 7 Issue ==<br />
<br />
Some students could only get their labs to work with the browser after they did this:<br />
<br />
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT<br />
<br />
== Assignment 2 ==<br />
<br />
chkconfig gives an error message telling students to use:<br />
# systemctl list-dependents httpd<br />
# systemctl list-dependents mysql<br />
<br />
=Previous Semesters=<br />
<br />
Summer 2016 (Refer to previous semesters below)=<br />
<br />
# No entries<br />
<br />
<br />
==Winter 2016==<br />
<br />
# '''<span style="color:red">N.B. - On "TODO list"</span>''' - '''LAB 1 - Picture under part 2''' - The picture called "Partition Verification" shows a LVM setup, but the instructions ask specifically for a standard partition setup.<br><br><br />
# '''<span style="color:red">FIXED BUT REQUIRES VERIFICATION THAT FIX WORKED</span>''' - '''LAB 1 - Investigation 3 - Part 2 - Questions 21''' - Not important but, report3.bash script uses the command "cat /root/install.log >> installation_report.html", the file /root/install.log does not exist on centos7 install.<br><br><br />
#'''<span style="color:red">N.B. On List for Murray Saul to work on during non-contact period</span>''' - "tweak" '''lab2check2.bash''' to provide additional checks including xml dumps to home directory for all VMs and reminder from script to back those items to USB key. Also should check if '''centos2''' has '''/ for 8 GB and /home for 2GB'''. I read somewhere that '''xfs can mess up with LVM which we talk about in lab5'''. For next time, I will '''add in requirement in lab2 signoff that students show for all VMs the /etc/fstab to ensure ext4 fs'''. Perhaps checking script can be modified next time to check for that... Good idea to '''expand shell script check for ALL labs. Student would be required to show same information PLUS the results from running the checking shell script'''.<br><br><br />
#'''<span style="color:red">N.B. On List for Murray Saul to work on during non-contact period</span>''' - It would be nice to rearrange the content for lab5 to '''discuss df -h and space concerns <u>first</u>, then flow into LVM. This would provide a better "flow" to reinforce student understanding'''. Shell script at end would remain at end to show how to use crontab to automate (flag) space issues.<br><br><br />
#'''<span style="color:red">N.B. On List for Murray Saul to work on during non-contact period</span>''' - Good idea to '''review study questions at end of each lab''' to see if they are applicable to each lab.<br><br><br />
#Would be neat to '''create prezi slide shows for each lab preparation (for class)'''. This would be in sync with OPS335 course. Online slides can be exported to PDF files as well.<br><br><br />
#'''<span style="color:red">N.B. On List for Murray Saul to work on during non-contact period</span>''' - Would be helpful for a script or program to check all links in all OPS235 (OPS335, etc) WIKIs to check for non-working links. This would allow course overseer to run just prior to the start of the semester and be incorporated into the startup checklist.<br><br><br />
#'''<span style="color:red">N.B. On List for Murray Saul to work on during non-contact period</span>''' - Some students note different vg name (like centos instead of centos_centos2). Solution is to get students to issue vgs to obtain vg name. Should investigate why this is happening to prevent (eg. shell script check at end of a lab).<br><br><br />
#'''<span style="color:red">N.B. On List for Murray Saul to work on during non-contact period</span>''' - Check '''mailx''' package when installed (lab5 example) for OPS235 to see why not sending mail to demo that script works for a lower threshold point for file space usage.<br><br><br />
#'''<span style="color:red">N.B. On List for Murray Saul to work on during non-contact period</span>''' - Method to better explain in lab7 tunnelling via local ports (eg. show some command of available ports, etc) - example:<br>'''sysctl net.ipv4.ip_local_port_range'''<br>net.ipv4.ip_local_port_range = 32768 61000<br>(But where does that fit in with using 20808?)<br />
<br />
<br />
== Summer 2015 ==<br />
# '''LAB 1 - Installing NON-GUI version of Linux OS:''' A lot of students ran into the same problem with lab 1, that is they didn't pay close enough attention to the instructions and installed the OS without a GUI. But that is no flaw in your wiki, just the tendency of students to rush through things. I have done my best to enforce that they should read all the instructions carefully BEFORE they start on the labs.<br><br><br />
# '''LAB2 - Backup Script demo:''' Current VM backup script should also allow for backing up xml configuration files.<br><br><br />
# '''LAB - LVM:''' Current VM backup script does not factor in virtual hard drive images. May be a good idea to add this to the backup script, so students can be encouraged to run backup scripts.<br><br><br />
# The wget http://belmont.senecac.on.ca/centos/7/isos/x86_64/CentOS-7-x86_64-LiveGNOME-1503.iso command is still not working<br><br><br />
# When students issue the “service iptables restart” command it returns a message that says the service is dead and not running. Yet, I’ve tested the iptables themselves by adding a few rules and they are certainly still working. I’m really not sure what exactly is going on. Perhaps it’s just a glitch in CentOS7?<br><br><br />
# The virtualization software also seems to need a system reboot before the virtual network will come into effect. Simply restarting the virt-manager or the libvirtd service doesn’t seem to do it. So, again, rebooting the system is the way to go to make sure the virtual default NAT network becomes visible for new VMs.<br><br><br />
# Some students in lab2 may not be performing the correct steps in creating VMS (image paths and types). A shell script to be run to check this would be useful, but may need release time to create a comprehensive and user-friendly shell script.<br><br><br />
<br />
== Winter 2015 ==<br />
* Winter 2015: [[OPS235 - Short-term - Older Issues]]<br />
<br />
<br />
== Additional Resources / Navigation ==<br />
<br />
:* [[OPS235 - Curriculum Discussion |OPS235 - Curriculum Discussion]]<br />
:* [http://zenit.senecac.on.ca/wiki/index.php/OPS OPS Stream Discussion]<br />
:* [[CNS / CTY Curriculum Development]]<br />
<br />
[[Category:Curriculum, OPS Stream]]</div>Mark