CDOT Wiki - User contributions [en] (MediaWiki 1.30.0; feed retrieved 2024-03-29T07:50:29Z)
https://wiki.cdot.senecacollege.ca/w/api.php?action=feedcontributions&user=Mgiunta&feedformat=atom

OPS335 Weekly Schedule (revision 74776), 2011-11-24T15:54:23Z, by Mgiunta
https://wiki.cdot.senecacollege.ca/w/index.php?title=OPS335_Weekly_Schedule&diff=74776
<hr />
<div>[[Category:OPS335]]<br />
{{Admon/important|The course schedule, labs, and links are subject to change.|Check with your professor for details and changes specific to your section.}}<br />
{{Admon/important|-Lab submissions-|<br />
'''Paul Whalen:''' Should be sent with the subject line '''''OPS335X_labY'''''. Replace X with your section number and Y represents the lab #.<br />
<br />
'''Ryan Lockhart:''' Should be sent with the subject line '''''OPS335_lab#'''''. Replace # with the lab number.|}}<br />
{|width="100%" border="1" cellspacing="2"<br />
! Week !! Objectives and Tasks !! Assigned Reading !! Labs / Exercises<br />
|-<br />
|'''Week 1'''<br />
September 5-9<br />
|<br />
Introduction to OPS335<br />
*outline, policies, assignments, labs, midterm test, quizzes, exam, email<br />
*Fedora Project Overview<br />
<br />
|<br />
*Chapter One - Where to Start<br />
* [http://docs.fedoraproject.org/en-US/Fedora/13/html/Installation_Guide/ Fedora 13 Installation Guide]<br />
** [http://docs.fedoraproject.org/en-US/Fedora/13/html/Installation_Guide/pt-Preparing_for_Installation.html Installation]<br />
** [http://docs.fedoraproject.org/en-US/Fedora/13/html/Installation_Guide/ch-grub.html GRUB Boot Loader]<br />
** [http://docs.fedoraproject.org/en-US/Fedora/13/html/Installation_Guide/s1-diskpartitioning-x86.html Partitioning for Fedora]<br />
<br />
|[[OPS335 Lab 0|Lab 0]]<br />
*Fedora Installation<br />
|-<br />
|'''Week 2'''<br />
September 12-16<br />
|<br />
Basic Networking<br />
*ifconfig, aliasing, route, iptables, ping, configuring a gateway, ip forwarding, masquerading, interface aliasing<br />
|<br />
<br />
* Chapter 14 - TCP/IP Networking<br />
|[[OPS335 Lab 1|Lab 1]]<br />
*Configuring a Gateway<br />
|-<br />
|'''Week 3'''<br />
September 19-23<br />
|<br />
Packet Filtering<br />
*iptables<br />
|<br />
<br />
* Chapter 22 - Security<br />
*[https://cs.senecac.on.ca/~paul.whalen/my-iptables.pdf iptables.pdf]<br />
|[[OPS335 Lab 2|Lab 2]]<br />
*Packet Filtering<br />
|-<br />
|'''Week 4'''<br />
September 26-30<br />
|<br />
DNS<br />
*nslookup, dig, host, /etc/resolv.conf, /etc/hosts, /etc/named.conf<br />
<br />
|<br />
<br />
*Chapter 17 - DNS: The Domain Name System<br />
|<br />
[[OPS335 Lab 3|Lab 3]]<br />
*DNS Setup<br />
|-<br />
|'''Week 5'''<br />
October 3-7<br />
|<br />
Mail<br />
*postfix, smtp, imap, pop, mailx<br />
*Assignment #1 handed out<br />
<br />
| <br />
*Chapter 20 - Electronic Mail<br />
|[[OPS335 Lab 4|Lab 4]]<br />
*Postfix Mail Configuration<br />
|-<br />
|'''Week 6'''<br />
October 10-14<br />
|<br />
Web Servers<br />
*apache installation and configuration<br />
*Quiz #1 & Review<br />
<br />
<br />
| <br />
*Chapter 23 - Web Hosting<br />
|[[OPS335 Lab 5|Lab 5]]<br />
*Apache Install/Config<br />
|-<br />
|'''Week 7'''<br />
October 17-21<br />
|<br />
*Midterm Test<br />
*Assignment #1 due<br />
<br />
|<br />
<br />
|<br />
*Assignment #1 Due<br />
|-<br />
!colspan="4"|Study Week<br />
|-<br />
|'''Week 8'''<br />
October 31-November 4<br />
|<br />
FTP Server<br />
<br />
<br />
|<br />
<br />
|[[OPS335 Lab 6|Lab 6]]<br />
*VSFTP Server Setup<br />
|-<br />
|'''Week 9'''<br />
November 7-11<br />
|<br />
NFS with Automount<br />
*exportfs, showmount, /etc/exports, autofs, auto.master<br />
<br />
|<br />
*Chapter 18 - The Network File System<br />
<br />
|[[OPS335 Lab 7|Lab 7]]<br />
*NFS Setup<br />
|-<br />
|'''Week 10'''<br />
November 14-18<br />
|<br />
NIS<br />
<br />
*ypserv, ypbind, ypcat<br />
|<br />
*Chapter 19 - Sharing System Files<br />
<br />
|[[OPS335 Lab 8|Lab 8]]<br />
*NIS Configuration<br />
|-<br />
|'''Week 11'''<br />
November 21-25<br />
|<br />
SAMBA<br />
*smbclient, smbmount (mount -t cifs), smbpasswd, smb.conf<br />
|<br />
*Chapter 30 - Cooperating with Windows <br />
|[[OPS335 Lab 9|Lab 9]]<br />
*Samba Servers and Clients<br />
|-<br />
|'''Week 12'''<br />
November 28-December 2<br />
|<br />
Backup/Restore<br />
*tar, cpio, dump/restore, wget, netcat, ssh, scp, rsync, cron, at<br />
<br />
|<br />
*Chapter 10 - Backups<br />
|[[OPS335 Lab 10|Lab 10]]<br />
*Automating Backups<br />
<br />
|-<br />
|'''Week 13'''<br />
December 5-9<br />
|<br />
*Quiz #2 & Review<br />
*Assignment #2 due<br />
<br />
<br />
|<br />
|<br />
*Assignment #2<br />
*Outstanding Labs<br />
|-<br />
!colspan="4"|Exam Week<br />
|}<br />
[[OPS335 Resources]]</div>

OPS335 Weekly Schedule (revision 74775), 2011-11-24T15:43:36Z, by Mgiunta
https://wiki.cdot.senecacollege.ca/w/index.php?title=OPS335_Weekly_Schedule&diff=74775
<hr />
<div>[[Category:OPS335]]<br />
{{Admon/important|The course schedule, labs, and links are subject to change.|Check with your professor for details and changes specific to your section.}}<br />
{{Admon/important|-Lab submissions-<br />
Should be sent with the subject line ''OPS335X_labY''.| Replace X with your section number and Y represents the lab #.}}<br />
[[OPS335 Resources]]</div>

OPS335 Weekly Schedule (revision 74774), 2011-11-24T15:40:36Z, by Mgiunta
https://wiki.cdot.senecacollege.ca/w/index.php?title=OPS335_Weekly_Schedule&diff=74774
<hr />
<div>[[Category:OPS335]]<br />
{{Admon/important|The course schedule, labs, and links are subject to change.|Check with your professor for details and changes specific to your section.}}<br />
{{Admon/important|Lab submissions should be sent with the subject line ''OPS335_labX''.| Replace X with the lab number.}}<br />
[[OPS335 Resources]]</div>

OPS335 Assignment 1 (revision 72350), 2011-10-19T23:35:39Z, by Mgiunta
https://wiki.cdot.senecacollege.ca/w/index.php?title=OPS335_Assignment_1&diff=72350
<hr />
<div>'''Keeping accurate time on a Linux-based computer is one of the functions assigned to the system administrator. Correct time will ensure that log records have accurate time stamps and that scheduled processes (e.g. cron jobs) run precisely when intended. Linux's timekeeping toolchest includes the following:'''<br />
* date<br />
* hwclock<br />
* daytime<br />
* rdate<br />
* ntpdate<br />
* ntpd<br />
* chrony<br />
* radios<br />
<br />
'''For this assignment you are to investigate each of the above mentioned time keeping methods on your Fedora 13 Linux PC:'''<br />
<br />
'''date'''<br />
# Show real examples of how to use this command to set your Fedora system clock.<br />
# Comment on the accuracy of the time set using this method.<br />
# State advantages and disadvantages of this method.<br />
<br />
'''hwclock'''<br />
# Show real examples of how to use this command to set your Fedora system clock.<br />
# Show real examples of how to use this command to set your hardware clock.<br />
# Comment on the accuracy of the time set using this method.<br />
# State advantages and disadvantages of this method.<br />
# Comment on the accuracy of the hardware clock built into the mainboard of your computer.<br />
<br />
'''daytime'''<br />
# Set up your Fedora PC to be a daytime server (through xinetd).<br />
# Set up a virtual machine and configure it to set its clock to the host using a local rc file and netcat at boot time.<br />
# Find other hosts on the Internet that will let you use this method to set your clock. Which one did you use?<br />
# Comment on the accuracy of the time set using this method.<br />
# State advantages and disadvantages of this method.<br />
# Be sure to list any files you modified and/or created, specifically inside the /etc/init.d and /etc/xinetd.d directories.<br />
<br />
'''rdate'''<br />
# Show how to use rdate in a cron job to set your virtual machine's clock to the host's time. Try this out - don't just guess at the answer.<br />
# Find other hosts that will let you use rdate to set your clock. Which host did you use?<br />
# Comment on the accuracy of the time set using this method.<br />
# State advantages and disadvantages of this method.<br />
# Be sure to list any files you modified and/or created.<br />
# What port(s) are used by this method?<br />
<br />
'''ntpdate'''<br />
# Use the ntpdate command in a cron job to set your virtual machine's clock to the time on any NTP server.<br />
# Comment on the differences between stratum-1, stratum-2, stratum-3, etc. time servers.<br />
# Comment on the accuracy of the time set using this method.<br />
# State advantages and disadvantages of this method.<br />
# Be sure to list any files you modified and/or created.<br />
# What port(s) are used by this method?<br />
<br />
'''ntpd'''<br />
# Set up an ntp server on your Fedora host. Be sure to enable logging and statistics files.<br />
# Find an open and free stratum-1 time server to use on your host.<br />
# Show log records when starting your ntp server.<br />
# Show and explain the contents of your ntp server's statistics file.<br />
# Set up an ntp server on your Fedora VM and use your host as its time server.<br />
# Use the ntpstat command on both host and VM to demonstrate that everything is working properly.<br />
# Comment on the accuracy of the time set using this method.<br />
# State advantages and disadvantages of this method.<br />
# Explain how you could set up another VM as a stratum-3 server.<br />
<br />
'''chrony'''<br />
# Install and configure chrony on your Fedora host and your VM. Then use chrony on your VM to synchronize its clock to the host.<br />
# Explain precisely how you did this. Show edited files and specific commands used.<br />
# Comment on the accuracy of the time set using this method.<br />
# State advantages and disadvantages of this method.<br />
<br />
'''radios'''<br />
# In order to test this method you'll need some sort of radio card that will receive GPS satellite signals. I use an old Garmin Etrex portable receiver that connects to my computer's serial port. Since most students probably won't have such a device, it would be OK to just write a paragraph or two about this method, e.g. is it accurate, easy to set up, expensive, etc.<br />
<br />
'''Finally, provide conclusions to your experimentation, e.g. which method is most accurate? Least accurate? Most reliable? Least reliable? Perhaps a table could be used to summarize your results.'''<br />
<br />
: NOTES:<br />
<br />
'''This is a hands-on assignment to be done by each student individually (this is NOT a group assignment).'''<br />
<br />
'''Please submit this assignment in formal written form according to instructions posted on your teacher's web page and also email an electronic copy to him/her.'''<br />
<br />
<u>'''This assignment is worth 10% of your final grade.'''</u></div>

OPS335 Assignment 2 (revision 72349), 2011-10-19T22:25:43Z, by Mgiunta
https://wiki.cdot.senecacollege.ca/w/index.php?title=OPS335_Assignment_2&diff=72349
<hr />
<div>'''From Wikipedia, the free encyclopedia: "A server farm or server cluster is a collection of computer servers usually maintained by an enterprise to accomplish server needs far beyond the capability of one machine."'''<br />
<br />
* In this assignment you will <u>build (actually simulate) a web server farm consisting of Fedora 13 machines each running the Apache web server.</u> <br />
* Your farm will be behind a firewall that will use Linux's net filter (iptables) to balance the load across the web servers in a round-robin fashion. <br />
* Yes, there are other ways to do load balancing (e.g. DNS), but in this assignment you must use iptables. <br />
* Your web servers (you must have at least two) will be virtual machines. <br />
* You will also require another VM to be used for backup and the consolidation of Apache error and access logs. <br />
<br />
Below is a network diagram of your cluster. <br />
<br />
'''ASSIGNMENT PARAMETERS:'''<br />
# All machines will start with the default Fedora Server (Server not Desktop) firewall. You will then add necessary rules as required.<br />
# Each web server should have identical web pages in /var/www/html/, except for the title of the initial page (index.html) which should be different for each web site. This will make it easy to tell which server's page we are actually viewing with our browser. And yes, it's up to you to code these pages.<br />
# The firewall on the gateway should use net filter (iptables) to distribute http requests evenly (load balance) among all web servers.<br />
# Both error and access logs of all web servers should be consolidated on the Logger/Backup machine. You should use the syslog facility on each web server to do this.<br />
# All web servers should have cron jobs set up to rsync their web site data to the Logger/Backup machine.<br />
# To demonstrate that your server farm is functioning properly you must include at least the following:<br />
:* A copy of each cron job used to backup the web site.<br />
:* Output produced by the cron jobs.<br />
:* A listing of the firewall on the gateway (use iptables-save command).<br />
:* Listings of the firewall on each web server.<br />
:* A listing of the firewall on the Logger/Backup machine.<br />
:* Segments of the access and error logs from the Logger/Backup machine that show load balancing taking place.<br />
:* Explanation of how you consolidated the log files. Show the changes you made to the syslog and httpd config files and include any scripts you wrote that assisted this effort.<br />
:* The code (html) for each web site.<br />
:* Your testing methodology. State how you tested your configuration. You might consider writing a bash script that bombards your firewall with http requests from the outside - you can use wget or curl for this.<br />
:* Finally, comment on the effectiveness of your setup - this can be in your conclusions.<br />
:* And don't forget to set your clocks on all machines to the correct date and time. If I see any log records with unrealistic times you'll lose marks.<br />
<br />
'''NOTES:''' <br />
Don't forget to end your report with at least one paragraph of conclusions.<br />
This is a hands-on assignment to be done by each student individually '''(this is NOT a group assignment)'''.<br />
<br />
Please submit this assignment in formal written form according to instructions posted on your teacher's web page and also email an electronic copy to him/her.<br />
<br />
'''This assignment is worth 10% of your final grade.'''</div>

OPS335 Assignment 1 (revision 71989), 2011-10-16T00:30:21Z, by Mgiunta
https://wiki.cdot.senecacollege.ca/w/index.php?title=OPS335_Assignment_1&diff=71989
<hr />
<div>'''Keeping accurate time on a Linux-based computer is one of the functions assigned to the system administrator. Correct time will ensure that log records have accurate time stamps and that scheduled processes (e.g. cron jobs) run precisely when intended. Linux's timekeeping toolchest includes the following:'''<br />
* date<br />
* hwclock<br />
* daytime<br />
* rdate<br />
* ntpdate<br />
* ntpd<br />
* chrony<br />
* radios<br />
For this assignment you are to investigate each of the above-mentioned timekeeping methods on your Fedora 13 Linux PC.<br />
<br />
: NOTES:<br />
<br />
'''This is a hands-on assignment to be done by each student individually (this is NOT a group assignment).'''<br />
<br />
'''Please submit this assignment in formal written form according to instructions posted on your teacher's web page and also email an electronic copy to him/her.'''<br />
<br />
<u>'''This assignment is worth 10% of your final grade.'''</u></div>

OPS335 Assignment 1 (revision 70897), 2011-10-04T15:37:11Z, by Mgiunta
https://wiki.cdot.senecacollege.ca/w/index.php?title=OPS335_Assignment_1&diff=70897
<hr />
<div>'''Keeping accurate time on a Linux-based computer is one of the functions assigned to the system administrator. Correct time will ensure that log records have accurate time stamps and that scheduled processes (e.g. cron jobs) run precisely when intended. Linux's timekeeping toolchest includes the following:'''<br />
* date<br />
* hwclock<br />
* daytime<br />
* rdate<br />
* ntpdate<br />
* ntpd<br />
* chrony<br />
* radios<br />
For this assignment you are to investigate each of the above-mentioned timekeeping methods on your Fedora 13 Linux PC.<br />
<br />
'''date'''<br />
# Show real examples of how to use this command to set your Fedora system clock.<br />
# Comment on the accuracy of the time set using this method.<br />
# State advantages and disadvantages of this method.<br />
<br />
'''hwclock'''<br />
# Show real examples of how to use this command to set your Fedora system clock.<br />
# Show real examples of how to use this command to set your hardware clock.<br />
# Comment on the accuracy of the time set using this method.<br />
# State advantages and disadvantages of this method.<br />
# Comment on the accuracy of the hardware clock built into the mainboarrd of your computer.<br />
<br />
'''daytime'''<br />
# Set up your Fedora PC to be a daytime server (through xinetd).<br />
# Set up a virtual machine and configure it to set its clock to the host using a local rc file and netcat at boot time.<br />
# Find other hosts on the Internet that will let you use this method to set your clock. Which one did you use?<br />
# Comment on the accuracy of the time set using this method.<br />
# State advantages and disadvantages of this method.<br />
# Be sure to list any files you modified and or created. Specifically inside /etc/init.d /etc/xinetd.d directory.<br />
<br />
'''rdate'''<br />
# Show how to use rdate in a cron job to set your virtual machine's clock to the host's time. Try this out - don't just guess at the answer.<br />
# Find other hosts that will let you use rdate to set your clock. Which host did you use?<br />
# Comment on the accuracy of the time set using this method.<br />
# State advantages and disadvantages of this method.<br />
# Be sure to list any files you modified and or created.<br />
# What port(s) are used by this method?<br />
<br />
'''ntpdate'''<br />
# Use ntpdate command in a cron job to set your virtual machine's clock to the time on any ntp server.<br />
# Comment on the differences between stratum-1, stratum-2, stratum-3, etc. time servers.<br />
# Comment on the accuracy of the time set using this method.<br />
# State advantages and disadvantages of this method.<br />
# Be sure to list any files you modified and or created.<br />
# What port(s) are used by this method?<br />
<br />
'''ntpd'''<br />
# Set up an ntp server on your Fedora host. Be sure to enable logging and statistics files.<br />
# Find an open and free stratum-1 time server to use on your host.<br />
# Show log records when starting your ntp server.<br />
# Show and explain the contents of your ntp server's statistics file.<br />
# Set up an ntp server on your Fedora VM and use your host as its time server.<br />
# Use the ntpstat command on both host and VM to demonstrate that everything is working properly.<br />
# Comment on the accuracy of the time set using this method.<br />
# State advantages and disadvantages of this method.<br />
# Explain how you could set up another VM as a stratum-3 server.<br />
<br />
'''chrony'''<br />
# Install and configure chrony on your Fedora host and your VM. Then use chrony on your VM to synchronize its clock to the host.<br />
# Explain precisely how you did this. Show edited files and specific commands used.<br />
# Comment on the accuracy of the time set using this method.<br />
# State advantages and disadvantages of this method.<br />
<br />
'''radios'''<br />
# In order to test this method you'll need some sort of radio card that will receive GPS satellite signals. I use an old Garmin Etrex portable receiver that connects to my computer's serial port. Since most students probably won't have such a device, it would be ok to just write a paragraph or two about this method, i.e., is it accurate, easy to set up, expensive, etc.<br />
# Finally, provide conclusions to your experimentation, i.e., which method is most accurate? least accurate? most reliable? least reliable? etc. Perhaps a table could be used to summarize your results?<br />
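The questions above ask which port each method uses and what the stratum of a server means. The following is an added example (not part of the assignment or of ntpdate/ntpd/chrony) that builds a mode-3 client request, a constructed mode-4 server reply with constructed timestamps, and then decodes the reply the way an NTP client does: it checks that the Origin timestamp echoes its own request before trusting the reply, reads the stratum field, and computes clock offset and round-trip delay from the four timestamps. The port number and the stratum meanings follow RFC 5905; the timestamps, the "GPS " reference id and the 0.5 s clock error are assumptions chosen for the worked exchange.<br />

```python
import struct

NTP_PORT = 123                  # NTP is carried over UDP port 123 (RFC 5905)
NTP_EPOCH_OFFSET = 2208988800   # seconds between the NTP epoch (1900) and the Unix epoch (1970)
_HEADER = "!BBBb11I"            # 48-byte NTP header: LI/VN/Mode, stratum, poll, precision, 11 words
_TWO32 = float(1 << 32)


def to_ntp(unix_ts):
    """Unix float seconds -> 64-bit NTP timestamp as (seconds, fraction) words."""
    ntp = unix_ts + NTP_EPOCH_OFFSET
    secs = int(ntp)
    frac = int(round((ntp - secs) * _TWO32))
    if frac >= 1 << 32:          # rounding carried into the seconds word
        secs, frac = secs + 1, 0
    return secs & 0xFFFFFFFF, frac


def from_ntp(secs, frac):
    """Inverse of to_ntp."""
    return secs + frac / _TWO32 - NTP_EPOCH_OFFSET


def build_client_request(t1):
    """Mode 3 (client) packet: only the Transmit Timestamp (T1) is filled in."""
    flags = (0 << 6) | (4 << 3) | 3                # LI=0, VN=4, Mode=3
    xs, xf = to_ntp(t1)
    return struct.pack(_HEADER, flags, 0, 0, 0,    # stratum/poll/precision unused in a request
                       0, 0, 0,                    # root delay, root dispersion, reference ID
                       0, 0, 0, 0, 0, 0,           # reference, origin, receive timestamps
                       xs, xf)


def build_server_reply(request, stratum, t2, t3, ref_id=b"GPS "):
    """CONSTRUCTED mode 4 (server) reply: Origin echoes the client's T1, Receive is T2
    (server clock when the request arrived), Transmit is T3 (server clock when sent)."""
    req = struct.unpack(_HEADER, request)
    flags = (0 << 6) | (4 << 3) | 4                # LI=0, VN=4, Mode=4
    rs, rf = to_ntp(t2)
    xs, xf = to_ntp(t3)
    ref_word = struct.unpack("!I", ref_id)[0]      # stratum-1 servers carry a 4-char clock id
    return struct.pack(_HEADER, flags, stratum, 6, -20,
                       0, 0, ref_word,
                       rs, rf,                     # reference timestamp (last clock update)
                       req[13], req[14],           # origin = the client's transmit timestamp
                       rs, rf, xs, xf)


def describe_stratum(stratum):
    """Meaning of the stratum field (RFC 5905 section 7.3)."""
    if stratum == 0:
        return "unspecified or invalid (kiss-o'-death)"
    if stratum == 1:
        return "primary server: directly attached to a reference clock (GPS, atomic clock)"
    if stratum <= 15:
        return "secondary server: %d hop(s) below a stratum-1 server" % (stratum - 1)
    if stratum == 16:
        return "unsynchronized"
    return "reserved"


def parse_reply(reply, t1, t4):
    """Decode a reply that arrived at client time T4 for the request sent at T1 and
    compute clock offset and round-trip delay (RFC 5905 section 8)."""
    f = struct.unpack(_HEADER, reply)
    li, vn, mode = f[0] >> 6, (f[0] >> 3) & 7, f[0] & 7
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    # The Origin timestamp must echo our own T1. A reply that does not match was not
    # sent in answer to this request and is discarded; every NTP client does this.
    if abs(from_ntp(f[9], f[10]) - t1) > 1e-3:
        raise ValueError("origin timestamp does not match our request")
    t2 = from_ntp(f[11], f[12])
    t3 = from_ntp(f[13], f[14])
    offset = ((t2 - t1) + (t3 - t4)) / 2   # how far the local clock is behind the server
    delay = (t4 - t1) - (t3 - t2)          # round trip, minus the server's processing time
    return {"leap": li, "version": vn, "stratum": f[1],
            "stratum_meaning": describe_stratum(f[1]),
            "offset": offset, "delay": delay}


if __name__ == "__main__":
    # Worked exchange with constructed timestamps: the client clock is 0.5 s slow
    # and each network leg takes 0.1 s, so the expected offset is 0.5 s, delay 0.2 s.
    t1 = 1000.0                                       # client clock when request sent
    request = build_client_request(t1)
    reply = build_server_reply(request, stratum=1, t2=1000.6, t3=1000.7)
    result = parse_reply(reply, t1, t4=1000.3)        # client clock when reply arrived
    print("UDP port %d, stratum %d (%s)" % (NTP_PORT, result["stratum"], result["stratum_meaning"]))
    print("offset %.3f s, delay %.3f s" % (result["offset"], result["delay"]))
```

The same four-timestamp arithmetic is what ntpdate performs once per run and what ntpd and chrony perform continuously; the difference in accuracy between the methods comes from how often they sample and how they filter the offsets, not from the packet format.<br />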
<br />
: NOTES:<br />
<br />
'''This is a hands-on assignment to be done by each student individually (this is NOT a group assignment).'''<br />
<br />
'''Please submit this assignment in formal written form according to instructions posted on your teacher's web page and also email an electronic copy to him/her.'''<br />
<br />
<u>'''This assignment is worth 10% of your final grade.'''</u></div>Mgiuntahttps://wiki.cdot.senecacollege.ca/w/index.php?title=OPS335_Installation_Lab&diff=70895OPS335 Installation Lab2011-10-04T15:27:24Z<p>Mgiunta: /* Instructions */</p>
<hr />
<div>== Installation of Fedora 13 ==<br />
<br />
[[Category:OPS335]][[Category:OPS335 Labs]]<br />
<br />
=== Objectives ===<br />
* Install Fedora 13<br />
<br />
=== Instructions ===<br />
<br />
# Download a copy of the Fedora 13 Live CD 64-bit edition from the FedoraProject.Org web site or burn the CD using Seneca's Freedom Toaster, which is located in the Open Lab on the 2nd floor of the TEL building. Note: we'll be using the 64-bit version of Fedora, otherwise known as x86_64 Fedora, because all of our lab computers are equipped with Intel 64-bit mainboards and CPUs. Also, we'll be using the Live CD for installation because it's much simpler and quicker to install a basic Fedora Linux system on a hard drive. Finally, if you're going to burn your CD using the Freedom Toaster then be sure to use a blank CD-R disk. For some reason CD+R disks sometimes fail to burn successfully.<br />
# Purchase a SATA (Serial Advanced Technology Attachment) removable HDD (Hard Disk Drive) with a minimum of 80 GB capacity from Seneca's bookstore located on the first floor of the SEQ building. I strongly recommend you use this disk drive exclusively for this course. If another course requires a similar HDD you should purchase a separate one and not attempt to use one disk drive for both courses.<br />
#Insert your HDD into the docking bay of a PC in the lab and boot the computer using your Fedora Live CD. If possible try to use the same PC for this course for the rest of the semester. Some PCs may be configured with slight hardware variations from others which may cause problems when moving your HDD from one system to another. <br />
#Once Fedora has loaded, start Firefox and ensure the network is functioning. You will need to authenticate yourself with your LEARN user name and password before Internet access is allowed to the outside world. <br />
#Open a terminal window, switch to root using 'su' and use the 'ifconfig' command to view your assigned IP address. <br />
#Still in the terminal window use the 'fdisk -l' command to ensure your HDD is available for use.<br />
#If you're satisfied that your Fedora Live system is functioning properly, double click on the INSTALL icon to begin the installation of Fedora 13 onto your HDD.<br />
#Perform your installation following these guidelines:<br />
#*wherever possible select the default options<br />
#*set Toronto as your time zone<br />
#*let Fedora configure your whole disk<br />
#*set the root password<br />
#*create a user named 'joker'<br />
#After completing phase I of the installation, remove the Live CD and reboot from your HDD to complete phase II of the installation.<br />
#Login as user 'joker' and open a terminal window. Then use 'su' to become root and run the 'yum update' command. Log out when done. Note: you may have to reboot after all updates have completed. Now that your system is up to date, log in again as user 'joker' and do the following:<br />
#*Verify that your system date and time are correct. If not then set the correct system date and time.<br />
#*Verify that your network is functioning.<br />
#*Run and record the output of the 'df -hT' command.<br />
#*Run and record the output of the 'cat /etc/fstab' command.<br />
#*Run and record the output of the 'cat /etc/issue' command.<br />
#*Run and record the output of the 'uname -a' command.<br />
At this point you have a basic Fedora 13 installed and updated. All the rest of our labs will assume you have this basic system running. If, for any reason, your system becomes corrupted during the semester, you'll have to redo this lab to be able to continue with the remaining uncompleted labs.<br />
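The lab asks you to record the output of 'df -hT', 'cat /etc/fstab' and 'uname -a' and then to report the root file system's UUID, the kernel release, and the size and type of /boot. The following is an added example (not part of the lab) showing how those answers can be pulled out of saved copies of that output with awk. The fstab and df listings embedded in the script are constructed samples, not real lab output; the functions read from standard input so the same commands work on the real files ('fstab_uuid / < /etc/fstab', 'df -hT | df_size /boot').<br />

```shell
#!/bin/sh
# Added example (not part of the OPS335 lab): extract the "Completing the Lab" answers
# from the command output the lab told you to record.
# The fstab and df -hT text below are CONSTRUCTED samples, not real lab output.

SAMPLE_FSTAB='
# /etc/fstab (constructed sample)
UUID=11111111-2222-3333-4444-555555555555 /        ext4    defaults        1 1
UUID=66666666-7777-8888-9999-000000000000 /boot    ext4    defaults        1 2
UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee swap     swap    defaults        0 0
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
'

SAMPLE_DF='Filesystem    Type    Size  Used Avail Use% Mounted on
/dev/mapper/vg_host-lv_root ext4   50G  3.1G   44G   7% /
tmpfs        tmpfs    2.0G     0  2.0G   0% /dev/shm
/dev/sda1     ext4    485M   30M  430M   7% /boot'

# UUID of the filesystem mounted at $1 ("/" or "/boot"), from fstab text on stdin.
# Comment and blank lines are skipped; only UUID= entries are reported.
fstab_uuid() {
    awk -v mnt="$1" '
        $1 ~ /^#/ || NF < 2 { next }
        $2 == mnt && $1 ~ /^UUID=/ { sub(/^UUID=/, "", $1); print $1; exit }
    '
}

# Filesystem type (third fstab column) of the entry mounted at $1, from stdin.
fstab_fstype() {
    awk -v mnt="$1" '$1 !~ /^#/ && NF >= 3 && $2 == mnt { print $3; exit }'
}

# Size column of `df -hT` for the filesystem mounted at $1, from stdin.
# df -hT prints seven columns; the mount point is the last one.
df_size() {
    awk -v mnt="$1" 'NR > 1 && $7 == mnt { print $3; exit }'
}

# Kernel release is the third field of `uname -a` output, from stdin.
kernel_release() {
    awk '{ print $3 }'
}

# Usage against the constructed samples (or pipe in the real files instead):
#   printf '%s\n' "$SAMPLE_FSTAB" | fstab_uuid /
#   printf '%s\n' "$SAMPLE_FSTAB" | fstab_fstype /boot
#   printf '%s\n' "$SAMPLE_DF"    | df_size /boot
#   uname -a | kernel_release
```

Note that the UUID in fstab is the identifier written into the filesystem superblock; it stays with the disk pack when you move it between lab PCs, which is why Fedora mounts by UUID rather than by device name.<br />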
{{Admon/important | Live disc installations and system-config-network | The Fedora host was installed from the Live CD. It is missing the GUI Network Configuration tool we will be using.}}<br />
{{Admon/important|Unbind your MAC address|Before moving your disk pack to another system, [[Unbinding MAC Addresses on Fedora|unbind your MAC address]].}}<br />
<br />
{{Admon/important | Disable SELinux | It is often recommended that you disable SELinux for this lab and future labs.<br />
<code>vi /etc/selinux/config</code><br />
<br />
Edit <code>SELINUX<nowiki>=</nowiki></code> to show <code>disabled</code><br />
<br />
Restart your machine.}}<br />
<br />
== Completing the Lab ==<br />
<br />
Answer the following questions and email them to your teacher in ASCII text format. Be sure to follow your teacher's guidelines for submitting labs. These guidelines are posted on his web page.<br />
#What is your full name and nine digit Seneca student ID?<br />
#What is the code name of this Fedora Linux system?<br />
#What kernel release is your system running?<br />
#What is the UUID (Universally Unique Identifier) of your root file system?<br />
#What is the size and type of your /boot file system?</div>Mgiuntahttps://wiki.cdot.senecacollege.ca/w/index.php?title=OPS335_Installation_Lab&diff=70894OPS335 Installation Lab2011-10-04T15:26:16Z<p>Mgiunta: /* Objectives */</p>
<hr />
<div>== Installation of Fedora 13 ==<br />
<br />
[[Category:OPS335]][[Category:OPS335 Labs]]<br />
<br />
=== Objectives ===<br />
* Install Fedora 13<br />
<br />
=== Instructions ===<br />
<br />
# Download a copy of the Fedora 13 Live CD 64-bit edition from the FedoraProject.Org web site or burn the CD using Seneca's Freedom Toaster, which is located in the Open Lab on the 2nd floor of the TEL building. Note: we'll be using the 64-bit version of Fedora, otherwise known as x86_64 Fedora, because all of our lab computers are equipped with Intel 64-bit mainboards and CPUs. Also, we'll be using the Live CD for installation because it's much simpler and quicker to install a basic Fedora Linux system on a hard drive. Finally, if you're going to burn your CD using the Freedom Toaster then be sure to use a blank CD-R disk. For some reason CD+R disks sometimes fail to burn successfully.<br />
# Purchase a SATA (Serial Advanced Technology Attachment) removable HDD (Hard Disk Drive) with a minimum of 80 GB capacity from Seneca's bookstore located on the first floor of the SEQ building. I strongly recommend you use this disk drive exclusively for this course. If another course requires a similar HDD you should purchase a separate one and not attempt to use one disk drive for both courses.<br />
#Insert your HDD into the docking bay of a PC in the lab and boot the computer using your Fedora Live CD. If possible try to use the same PC for this course for the rest of the semester. Some PCs may be configured with slight hardware variations from others which may cause problems when moving your HDD from one system to another. <br />
#Once Fedora has loaded, start Firefox and ensure the network is functioning. You will need to authenticate yourself with your LEARN user name and password before Internet access is allowed to the outside world. <br />
#Open a terminal window, switch to root using 'su' and use the 'ifconfig' command to view your assigned IP address. <br />
#Still in the terminal window use the 'fdisk -l' command to ensure your HDD is available for use.<br />
#If you're satisfied that your Fedora Live system is functioning properly, double click on the INSTALL icon to begin the installation of Fedora 13 onto your HDD.<br />
#Perform your installation following these guidelines:<br />
#*wherever possible select the default options<br />
#*set Toronto as your time zone<br />
#*let Fedora configure your whole disk<br />
#*set the root password<br />
#*create a user named 'joker'<br />
#After completing phase I of the installation, remove the Live CD and reboot from your HDD to complete phase II of the installation.<br />
#Login as user 'joker' and open a terminal window. Then use 'su' to become root and run the 'yum update' command. Log out when done. Note: you may have to reboot after all updates have completed. Now that your system is up to date, log in again as user 'joker' and do the following:<br />
#*Verify that your system date and time are correct. If not then set the correct system date and time.<br />
#*Verify that your network is functioning.<br />
#*Run and record the output of the 'df -hT' command.<br />
#*Run and record the output of the 'cat /etc/fstab' command.<br />
#*Run and record the output of the 'cat /etc/issue' command.<br />
#*Run and record the output of the 'uname -a' command.<br />
At this point you have a basic Fedora 13 installed and updated. All the rest of our labs will assume you have this basic system running. If, for any reason, your system becomes corrupted during the semester, you'll have to redo this lab to be able to continue with the remaining uncompleted labs.<br />
{{Admon/important | Live disc installations and system-config-network | The Fedora host was installed from the Live CD. It is missing the GUI Network Configuration tool we will be using.}}<br />
{{Admon/important|Unbind your MAC address|Before moving your disk pack to another system, [[Unbinding MAC Addresses on Fedora|unbind your MAC address]].}}<br />
<br />
== Completing the Lab ==<br />
<br />
Answer the following questions and email them to your teacher in ASCII text format. Be sure to follow your teacher's guidelines for submitting labs. These guidelines are posted on his web page.<br />
#What is your full name and nine digit Seneca student ID?<br />
#What is the code name of this Fedora Linux system?<br />
#What kernel release is your system running?<br />
#What is the UUID (Universally Unique Identifier) of your root file system?<br />
#What is the size and type of your /boot file system?</div>Mgiuntahttps://wiki.cdot.senecacollege.ca/w/index.php?title=OPS335_Installation_Lab&diff=70893OPS335 Installation Lab2011-10-04T15:24:59Z<p>Mgiunta: /* Objectives */</p>
<hr />
<div>== Installation of Fedora 13 ==<br />
<br />
[[Category:OPS335]][[Category:OPS335 Labs]]<br />
<br />
=== Objectives ===<br />
* Install Fedora 13<br />
<br />
{{Admon/important | Disable SELinux | It is often recommended that you disable SELinux for this lab and future labs.<br />
<code>vi /etc/selinux/config</code><br />
<br />
Edit <code>SELINUX<nowiki>=</nowiki></code> to show <code>disabled</code><br />
<br />
Restart your machine.}}<br />
<br />
=== Instructions ===<br />
<br />
# Download a copy of the Fedora 13 Live CD 64-bit edition from the FedoraProject.Org web site or burn the CD using Seneca's Freedom Toaster, which is located in the Open Lab on the 2nd floor of the TEL building. Note: we'll be using the 64-bit version of Fedora, otherwise known as x86_64 Fedora, because all of our lab computers are equipped with Intel 64-bit mainboards and CPUs. Also, we'll be using the Live CD for installation because it's much simpler and quicker to install a basic Fedora Linux system on a hard drive. Finally, if you're going to burn your CD using the Freedom Toaster then be sure to use a blank CD-R disk. For some reason CD+R disks sometimes fail to burn successfully.<br />
# Purchase a SATA (Serial Advanced Technology Attachment) removable HDD (Hard Disk Drive) with a minimum of 80 GB capacity from Seneca's bookstore located on the first floor of the SEQ building. I strongly recommend you use this disk drive exclusively for this course. If another course requires a similar HDD you should purchase a separate one and not attempt to use one disk drive for both courses.<br />
#Insert your HDD into the docking bay of a PC in the lab and boot the computer using your Fedora Live CD. If possible try to use the same PC for this course for the rest of the semester. Some PCs may be configured with slight hardware variations from others which may cause problems when moving your HDD from one system to another. <br />
#Once Fedora has loaded, start Firefox and ensure the network is functioning. You will need to authenticate yourself with your LEARN user name and password before Internet access is allowed to the outside world. <br />
#Open a terminal window, switch to root using 'su' and use the 'ifconfig' command to view your assigned IP address. <br />
#Still in the terminal window use the 'fdisk -l' command to ensure your HDD is available for use.<br />
#If you're satisfied that your Fedora Live system is functioning properly, double click on the INSTALL icon to begin the installation of Fedora 13 onto your HDD.<br />
#Perform your installation following these guidelines:<br />
#*wherever possible select the default options<br />
#*set Toronto as your time zone<br />
#*let Fedora configure your whole disk<br />
#*set the root password<br />
#*create a user named 'joker'<br />
#After completing phase I of the installation, remove the Live CD and reboot from your HDD to complete phase II of the installation.<br />
#Login as user 'joker' and open a terminal window. Then use 'su' to become root and run the 'yum update' command. Log out when done. Note: you may have to reboot after all updates have completed. Now that your system is up to date, log in again as user 'joker' and do the following:<br />
#*Verify that your system date and time are correct. If not then set the correct system date and time.<br />
#*Verify that your network is functioning.<br />
#*Run and record the output of the 'df -hT' command.<br />
#*Run and record the output of the 'cat /etc/fstab' command.<br />
#*Run and record the output of the 'cat /etc/issue' command.<br />
#*Run and record the output of the 'uname -a' command.<br />
At this point you have a basic Fedora 13 installed and updated. All the rest of our labs will assume you have this basic system running. If, for any reason, your system becomes corrupted during the semester, you'll have to redo this lab to be able to continue with the remaining uncompleted labs.<br />
{{Admon/important | Live disc installations and system-config-network | The Fedora host was installed from the Live CD. It is missing the GUI Network Configuration tool we will be using.}}<br />
{{Admon/important|Unbind your MAC address|Before moving your disk pack to another system, [[Unbinding MAC Addresses on Fedora|unbind your MAC address]].}}<br />
<br />
== Completing the Lab ==<br />
<br />
Answer the following questions and email them to your teacher in ASCII text format. Be sure to follow your teacher's guidelines for submitting labs. These guidelines are posted on his web page.<br />
#What is your full name and nine digit Seneca student ID?<br />
#What is the code name of this Fedora Linux system?<br />
#What kernel release is your system running?<br />
#What is the UUID (Universally Unique Identifier) of your root file system?<br />
#What is the size and type of your /boot file system?</div>Mgiuntahttps://wiki.cdot.senecacollege.ca/w/index.php?title=OPS335&diff=68507OPS3352011-09-06T14:10:52Z<p>Mgiunta: /* Faculty */</p>
<hr />
<div>[[Category:OPS335]]<br />
<br />
{| style="float: right; margin: 0 0 3em 2em; border: 1px solid black;"<br />
!style="background: #cccccc"| Quick Links<br />
|-<br />
|[[OPS335 Weekly Schedule|Weekly Schedule]]<br/>[https://scs.senecac.on.ca/course/ops335 Course Outline]<br />[http://fedoraproject.org Fedora Project]<br />[http://docs.fedoraproject.org/ Fedora documentation]<br />
|-<br />
!style="background: #cccccc"| Assignments<br />
|-<br />
|[[OPS335_Assignment_1|Assignment 1]]<br/>[[OPS335_Assignment_2|Assignment 2]]<br />
|}<br />
<br />
= Welcome to OPS335 - ''Open System Application Server'' =<br />
<br />
== What This Course is About ==<br />
This course teaches the maintenance and administration of a UNIX server using Linux. Students will learn to install, configure, customize, test and maintain common services available on Linux servers.<br />
This course is the third in a series of courses about Linux technologies.<br />
* ULI101 taught you to be a Linux user.<br />
* OPS235 taught you to move from being a Linux user to being a Linux system administrator.<br />
* '''OPS335 will teach you to ''administer'' Linux ''servers'' (web servers, DNS servers, FTP servers, file sharing servers).'''<br />
<br />
As a system administrator, you will be responsible for installing, configuring, adjusting, maintaining, and troubleshooting the operation of computer systems. This is a lot of responsibility, and with that responsibility comes power. You will be able to change anything on the system, and you will also have the ability to damage or destroy the system.<br />
<br />
In this course you use a removable disk pack with the lab computers to set up a Linux system. You will also set up four additional Linux systems using "Virtual Machines", and therefore gain experience with different types of system configurations as well as setting up networking between systems.<br />
<br />
== Learning by Doing ==<br />
<br />
Most of the learning in this course occurs through the hands-on problem solving that takes place in the eight labs and two assignments. Therefore, it's very important to stay up-to-date with the coursework, and to practice until you have confidently mastered each task.<br />
<br />
All of the software used in this course is ''open source'' software, so you are free to use, modify, and redistribute it. This means that you can install it as many times as you want on as many different computers as you would like. It also means that you can tinker with it -- you can take it apart, see how it works, and put it back together in the same or a different way, limited only by your time and ambition. You are encouraged to experiment and question liberally.<br />
<br />
The notes that you make during the labs and assignments are your reference material for the quizzes, tests, and assignments. Take really good notes, and if you have questions, experiment and consult with your professor.<br />
<br />
= Weekly Schedule =<br />
<br />
Weekly topic, lab, and assignment information is available on the [[OPS335 Weekly Schedule |OPS335 Weekly Schedule]] page.<br />
<br />
= Supplies Checklist =<br />
<br />
Needed by the second class: <br />
# '''Fedora 13 Live CD''' (x86_64). You can burn this from an ISO image onto a CD or a DVD using the Freedom Toaster (in the Open Lab) -- however, this machine has problems with some types of DVDs. The image is also available from:<br />
#* http://belmont.senecac.on.ca/fedora/releases/13/Live/x86_64/Fedora-13-x86_64-Live.iso - Seneca's mirror of the Fedora project. This is very fast, but is only accessible from within Seneca's network (you can't access this from home). You can burn this disc on the machines in the Open Lab.<br />
#* http://get.fedoraproject.org - Accessible from any Internet connection.<br />
# '''SATA Hard disk in removable drive tray''' (at least 160GB). Please buy the tray from ACS or the bookstore as not all trays are compatible.<br />
# '''USB flash drive''' (64MB or more - 2GB or larger recommended. Warning: anything on this flash drive will be erased!)<br />
<br />
{{Admon/important|Bring all of these supplies to each class.|Even after installation, the Live CD, Installation DVD, and flash drive may be required.}}<br />
<br />
{{Admon/important|Do not share your OPS335 disk drive with another course.|The work you do in this course will render your other work inaccessible and may erase it.}}<br />
<br />
= Faculty =<br />
<br />
During the Fall 2011 semester, OPS335 is taught by:<br />
<br />
* [http://cs.senecac.on.ca/~paul.whalen/ Paul Whalen] (Section A, B, C)<br />
* [https://scs.senecac.on.ca/staff/lockhart-ryan Ryan Lockhart] (Section D)<br />
<br />
= Course Information =<br />
<br />
* [https://scs.senecac.on.ca/course/ops335 Course Outline]<br />
* [https://cs.senecac.on.ca/~scs/DonMillsPolicies/policy.html Course Policies]<br />
* [https://scs.senecac.on.ca/ School of Computer Studies Homepage] (includes class cancellation information and general bulletins)<br />
<br />
= Tips and Suggestions =<br />
<br />
* Always shut down your system under software control, rather than using the reset or power buttons. You can shut down using the GUI or with the <code>poweroff</code>, <code>reboot</code>, <code>init</code>, or <code>shutdown</code> commands. Shut down your virtual machines before shutting down your main system.<br />
* If you get a message about the gnome-power-manager configuration at the login screen, you may have run out of disk space. Switch to a character-mode virtual terminal (for example, switch to VT2 by pressing Ctrl-Alt-F2). Login and take a look at the available space (with the command: <code>df -h</code>). If the <code>/</code> filesystem is full, delete some files (such as unused VM images in <code>/var/lib/libvirt/images</code>) and then reboot the system.<br />
* Fedora 13 Slowdowns: If your system is becoming very slow from time to time, it is probably due to a known issue with the Intel video driver, kernel, NICs, storage system, and hardware detection software (!). See [https://bugzilla.redhat.com/show_bug.cgi?id=523646 Bug 523646] on the Fedora Bugzilla system. A fix for this problem is apparently in the works -- update your system regularly so that you get the fix as soon as it is available.<br />
** '''Workaround:''' Type this command as root (be patient, it will take a minute or two for the system to return to normal speed): <code>killall hald devkit-disks-daemon</code><br />
<br />
= This is a Wiki! =<br />
<br />
You can edit these pages! Please feel free to fix typos or add links to additional resources. Please use this capability responsibly.</div>Mgiuntahttps://wiki.cdot.senecacollege.ca/w/index.php?title=Volunteer_-_2010&diff=44067Volunteer - 20102010-09-13T20:28:42Z<p>Mgiunta: </p>
<hr />
<div>FSOSS needs you! Current Seneca students are invited to help out with [http://fsoss.ca FSOSS]. As a thank you, your registration fee will be waived and you can attend FSOSS for free, and you will receive a volunteer FSOSS shirt (while supplies last). To volunteer, please edit this page:<br />
<br />
<br />
# '''Pick one of the volunteer jobs and add your name to the list under its job description'''<br />
# '''Make sure you include email contact info'''<br />
# '''Sign up only for jobs that are open'''<br />
<br />
<br />
<br />
If you have any questions, please contact [[User:Catherine.leung|Catherine Leung]].<br />
<br />
<br />
<br />
<br />
The following describes the jobs that we will require volunteers to do. It will specify the date, the time, the location, how long it will take, and the maximum number of people we will need for each job. Most volunteer work will be done during the week of the event but some jobs have to be done beforehand. If you see something that you are able/interested in helping with, please sign up by adding your name to this page by editing this wiki. NOTE: New jobs will be posted continuously so please check back again. If you need more info on a job or need more info about editing this wiki, please contact Cathy at: catherine.leung@senecac.on.ca<br />
<br />
----<br />
===Clean Up Crew - Thursday/Friday===<br />
*Date(s): Oct. 28/29<br />
*Time: 5:00pm<br />
*Location: On campus<br />
*Duration: 2 hours, 1 hour each day<br />
*Max. Volunteer needed: 2<br />
*Description: Help put signs/tables/etc. back into office<br />
====Signup here (open) ====<br />
* Name (email)<br />
<br />
----<br />
<br />
===Stand By Helpers===<br />
<br />
*Date(s): Oct. 28 and Oct 29<br />
*Time: starting at 9am check in at registration desk every 2 to 3 hours<br />
*Location: On campus<br />
*Duration: N/A<br />
*Max. Volunteer needed: 4<br />
*Description: Be available to help out for things that come up unexpectedly. You may not need to do anything at all but you may be asked to do things that come up unexpectedly at the last minute. If you volunteer for this, you will need to check in with someone every 2 or 3 hours.<br />
<br />
====Signup here (open) ====<br />
* Name (email)<br />
<br />
Joe Wang (zwang98@learn.senecac.on.ca)<br />
----<br />
<br />
===Setup/Registration Signup - Friday Morning===<br />
<br />
*Date(s): Oct. 29<br />
*Time: 7:00am to 9:30am<br />
*Location: On campus<br />
*Duration: 2.5 hours<br />
*Max. Volunteer needed: 12<br />
*Description: Staff the registration tables.<br />
<br />
====Signup here (open)====<br />
* Name (email)<br />
<br />
Raymond Woo (rwoo3@learn.senecac.on.ca)<br/><br />
----<br />
<br />
===Photographers===<br />
<br />
*Date(s): Oct. 28 and Oct. 29<br />
*Time: Ongoing<br />
*Location: On campus<br />
*Duration: N/A<br />
*Max. Volunteer needed: 3<br />
*Description: Snap Pictures of attendees and get them posted to a flickr feed as the event is happening. You will need to provide your own camera and laptop to do this job.<br />
<br />
====Signup here (open)====<br />
* Name (email)<br />
Mike Giunta (mgiunta@learn.senecac.on.ca)<br />
<br />
<br />
----<br />
<br />
===Bag Stuffing/Badge Making===<br />
<br />
*Date(s): TBA but likely week before FSOSS or monday or tuesday of that week<br />
*Time: TBA but flexible<br />
*Location: On campus<br />
*Duration: 3 to 4 hours<br />
*Max. Volunteer needed: 6<br />
*Description: Put together bags for attendees. Each person who goes to the conference gets a bag with a schedule and other literature and a badge. Volunteers for this job will put the bags and badges together.<br />
<br />
====Signup here (open)====<br />
* Name (email)<br />
Sean Clarke (smclarke2@learn.senecac.on.ca) <br/><br />
Huda Rawasia (harawasia@learn.senecac.on.ca)<br/><br />
Mao Hua Li (mhli4@learn.senecac.on.ca)<br/><br />
Cliff Liu (ysliu2@learn.senecac.on.ca)<br/><br />
Xi Zhang (xzhang148@learn.senecac.on.ca)<br/><br />
Sidong Zhou (szhou19@learn.senecac.on.ca)<br/> <br />
<br />
----<br />
<br />
===Registration Signup - Thursday Morning===<br />
<br />
*Date(s): Oct. 28<br />
*Time: 7:00am to 9:30am<br />
*Location: On campus<br />
*Duration: 2.5 hours<br />
*Max. Volunteer needed: 3<br />
*Description: Staff the registration tables.<br />
<br />
====Signup here (open)====<br />
* Name (email)<br />
Yonghoon Shin (yshin8@learn.senecac.on.ca)<br />
<br />
Harry Tao (htao3@learn.senecac.on.ca)<br />
----<br />
<br />
===Registration Signup-Afternoon Both Days===<br />
<br />
*Date(s): Oct. 28 and Oct. 29<br />
*Time: 11:45am to 1:15pm<br />
*Location: On campus<br />
*Duration: 3 hours<br />
*Max. Volunteer needed: 3<br />
*Description: Staff the registration tables.<br />
<br />
====Signup here (open)====<br />
* Name (email)<br />
Sayed Alam (smalam3@learn.senecac.on.ca) <br/><br />
Yu Jin Jeong (yjeong@learn.senecac.on.ca) <br/><br />
Tanay Singh Thapa(tthapa@learn.senecac.on.ca)<br />
----<br />
<br />
===Video Recording===<br />
*Date(s): Early FSOSS week for training (Monday or Tuesday, exact date TBA). Friday Oct. 29<br />
*Time: 8am Friday<br />
*Location: On campus<br />
*Duration: All day<br />
*Max. Volunteer needed: 6<br />
*Description:<br />
This job involves operating the video equipment to record the speaker sessions throughout the day. Volunteers are expected to attend the entire session they are recording.<br />
'''NOTE: this job requires a significant amount of commitment. Volunteers for this job will also receive an invitation to the FSOSS Speaker's dinner'''<br />
<br />
====Signup here (open)====<br />
* Ronak Patwa (rypatwa@learn.senecac.on.ca)<br />
* Syed Nasir (shnasir@learn.senecac.on.ca)<br />
* Sayed Alam (smalam3@learn.senecac.on.ca)<br />
----</div>Mgiuntahttps://wiki.cdot.senecacollege.ca/w/index.php?title=OPS235_Assignment_2_OLD&diff=42779OPS235 Assignment 2 OLD2010-08-06T15:08:28Z<p>Mgiunta: </p>
<hr />
<div>[[Category:OPS235]]<br />
{{Admon/note | Please take note! | Doing your assignment is part of your ongoing learning process. As such you will be tested on this material in future tests and exams. If you have any questions or need help, please consult your instructor in a timely manner. The due date for this assignment will not be extended. This assignment will be marked partially through demonstration or through the submission of files.}}<br />
<br />
= OPS235 Assignment #2 -- Summer 2010=<br />
<br />
Weight: 5% of the overall grade<br><br />
<br />
Due Date: Week 13 - week of Aug 9-13 ('''Check with your Professor for exact date''')<br />
<br />
<br />
{{Admon/important | Very Important! | Before making any changes to your system configuration, backup the original configuration files into the <code>/backups</code> directory.}}<br />
<br />
== Introduction and Purpose ==<br />
<br />
In this assignment, you will demonstrate the skills you have learned to this point by configuring two services: a database server and a web server. You will install and use a database-backed web application, MediaWiki, to show that these services have been installed properly. Finally, you will configure the SELinux security system and the web server to serve files in the <code>public_html</code> subdirectory of each user's home directory, including a short web script.<br />
<br />
In this assignment, you will attempt to maintain a high level of security, by using SELinux and the iptables firewall to guard against unauthorized access.<br />
<br />
This lab may be performed using any combination of your virtual machines and/or host disk pack.<br />
<br />
== About SELinux ==<br />
<br />
SELinux stands for ''Security Enhanced Linux'' and is based on research performed at the NSA and other locations. Where the normal Unix/Linux security system, based upon file permissions, is a ''discretionary access control'' system (DAC), SELinux is a ''mandatory access control'' system (MAC). This means that it attempts to enforce a consistent policy across the entire system, regardless of settings that any user has configured.<br />
<br />
SELinux decisions are based on the ''security context'' of system resources such as files and processes. The security context consists of a user, role, type, and sensitivity component; you can see the security context of files and processes by adding the <code>-Z</code> option to the <code>ls</code> and <code>ps</code> commands:<br />
<br />
$ ls -lZ<br />
drwxr-xr-x. root root '''system_u:object_r:file_t:s0''' arm<br />
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' arm2<br />
drwxrwxr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' bin<br />
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Desktop<br />
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Documents<br />
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Downloads<br />
-rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora0.ks<br />
-rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora1.ks<br />
-rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora2.ks<br />
-rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora3.ks<br />
-rw-rw-r--. chris chris '''unconfined_u:object_r:user_home_t:s0''' foo<br />
-rw-r--r--. chris chris '''unconfined_u:object_r:user_home_t:s0''' hosts<br />
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Music<br />
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Pictures<br />
drwxrwxr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' play<br />
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Public<br />
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Templates<br />
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Videos<br />
-rw-r--r--. chris chris '''unconfined_u:object_r:user_home_t:s0''' x<br />
[chris@muskoka ~]$ ps -Z<br />
LABEL PID TTY TIME CMD<br />
'''unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023''' 2595 pts/1 00:00:00 bash<br />
'''unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023''' 2612 pts/1 00:00:00 ps<br />
<br />
The SELinux policy controls the interactions between security contexts. For example, the policy may specify that the Apache httpd webserver cannot read files in <code>/etc</code>, so if an attacker finds a way to make httpd (or a script run by httpd) read a file in <code>/etc</code>, SELinux will recognize that this is not normal and will deny the access. Since this is done at the kernel level, httpd will get a "file not found" error, even though the file is present, and there is no way for httpd to work around that error.<br />
<br />
=== SELinux Context Commands ===<br />
<br />
There are two main commands used to set the SELinux security context of files:<br />
# chcon - sets the security context of a file to a particular value<br />
#* Example: setting the ''type'' of a file: <code>chcon -t ''unconfined_t'' ''/tmp/foo''</code><br />
#* Example: setting the user/role/type of a file: <code>chcon ''unconfined_u:object_r:user_home_t'' ''~/foo''</code><br />
# restorecon - resets the default security context of a file<br />
#* Example: reset the context of one file: <code>restorecon /etc/services</code><br />
#* Example: recursively reset the contexts of all of the files in a directory: <code>restorecon -R ~</code><br />
<br />
You can have the default security contexts of every file on the system restored at the next boot (a full relabel) by creating a flag file with this command:<br />
<br />
touch /.autorelabel<br />
<br />
=== SELinux Booleans ===<br />
<br />
SELinux policy can be tuned (without writing an entirely new policy) through the use of ''booleans'' or option switches. Each boolean can have a value of on (1) or off (0).<br />
<br />
The <code>getsebool</code> and <code>setsebool</code> commands can be used to view and set SELinux boolean values:<br />
<br />
{|class="mediawiki sortable" border="1" cellspacing="0"<br />
!Command<br />
!Description<br />
|-<br />
|<code>getsebool -a</code><br />
|Displays all SELinux booleans<br />
|-<br />
|<code>getsebool ''foo''</code><br />
|Displays the SELinux boolean ''foo''<br />
|-<br />
|<code>setsebool ''foo'' ''value''</code><br />
|Sets the SELinux boolean ''foo'' to ''value'' (where ''value'' is 0 or "off", or 1 or "on")<br />
|}<br />
<br />
<br />
=== SELinux Graphical Tools ===<br />
<br />
The ''system-config-selinux'' tool, which is on the menu as System>Administration>SELinux Management, provides a GUI for managing SELinux booleans and more.<br />
<br />
<br />
{{Admon/note|Take Notes!|Take detailed notes of the steps you perform from this point onward.}}<br />
<br />
== Installing Packages ==<br />
<br />
Install these packages using ''yum'':<br />
* '''httpd''' - this is the Apache web server software. It provides the '''httpd''' service, which runs on port 80.<br />
* '''mysql-server''' - this is the MySQL database server. It provides the '''mysqld''' service, which runs on a Unix domain socket.<br />
* '''mediawiki''' - this is the wiki software used by this wiki, Wikipedia, and many other sites. It is a series of PHP scripts which are run by Apache httpd as requests are received, and it connects to a local database such as MySQL.<br />
<br />
== Configuring Services ==<br />
<br />
=== Apache httpd ===<br />
<br />
# Start the httpd service using the '''service''' command.<br />
# Confirm that you can connect to your web server using a web browser -- both from the machine on which the server is running as well as from another machine on the same network. You should see a test page.<br />
# Configure this software to start when the system is booted.<br />
# Create a very simple HTML index page for your system, and place it at <code>/var/www/html/index.html</code><br />
# Confirm that you can view the index page. If not, adjust your iptables configuration as necessary, or check for errors in <code>/var/log/httpd</code>.<br />
<br />
=== MySQL ===<br />
<br />
# Start the MySQL service (mysqld).<br />
# '''When started for the first time, this service will print a message telling you how to set a password and take other basic steps to secure the MySQL server.''' Follow those instructions to set a password, recording the details of what you do for later use.<br />
# Configure this software to start when the system is booted.<br />
<br />
=== MediaWiki ===<br />
<br />
# Edit MediaWiki's httpd configuration file, <code>/etc/httpd/conf.d/mediawiki.conf</code><br />
#* Uncomment the first two <code>Alias</code> lines<br />
#* Reload the httpd configuration using the <code>service</code> command<br />
# Access <code>http://localhost/wiki</code> on the machine on which the web server is running (this will not work if done remotely, unless you use an ssh tunnel so that the access appears to be coming from the local host). You will see the MediaWiki welcome page; click on the setup link.<br />
# Enter the setup information for your wiki:<br />
#* Enter a name for the wiki<br />
#* Enter your learn e-mail address as the contact information<br />
#* Disable all e-mail features<br />
#* Leave the database host as "localhost"<br />
#* Set up a database password<br />
#* Get MediaWiki to set up the superuser account by checking the appropriate box and entering the superuser password ('''Note:''' This is the database superuser password, NOT the root password).<br />
# Click the "Install MediaWiki!" button.<br />
# Once the setup is complete, you will need to move a file within the MediaWiki directory (inside <code>/var/www</code>). Refer to the directions in the confirmation web page.<br />
<br />
When you are done, you should be able to go to <code>http://'''hostname'''/wiki</code> from any directly-connected machine.<br />
<br />
=== Serving Personal Web Pages ===<br />
<br />
# Configure httpd to serve the <code>~/public_html</code> directories of your users. This will require changes to <code>/etc/httpd/conf/httpd.conf</code> as well as the SELinux configuration. See the man page for <code>httpd_selinux</code> and the Apache [http://httpd.apache.org/docs/2.2/ httpd documentation] for details.<br />
# Prove that this works by creating a page in your <code>~/public_html</code> directory. The URL will be <code>http://''hostname''/~''your-user-id''/</code><br />
# Create a short web script which displays the available disk space on the computer. At its most basic level, a web script is the same as a regular script, with this additional requirement:<br />
#* It must output the line "Content-type: text/plain" or "Content-type: text/html" (depending on whether the script output is plain text or HTML), followed by a blank line.<br />
# Name the script <code>~/public_html/diskfree.cgi</code> - The URL will be <code>http://''hostname''/~''your-user-id''/diskfree.cgi</code><br />
# Configure httpd and SELinux to allow your script to be run from the web. This will require changes to <code>/etc/httpd/conf/httpd.conf</code> as well as the SELinux configuration (possibly including both booleans and SELinux context). As with step 1, see the man page for <code>httpd_selinux</code> and the Apache [http://httpd.apache.org/docs/2.2/ httpd documentation] for details.<br />
<br />
{{Admon/tip|Hint|Look for an "add-handler" line in your httpd.conf file.}}<br />
<br />
== Write-up ==<br />
<br />
Create a high-quality write-up of this assignment on your wiki. Include at least these pages:<br />
# A main page, describing in general terms what you did and containing links to the other wiki pages, as well as a link to the page and script in your <code>~/public_html</code> directory.<br />
# A page for your httpd configuration. Along with a description, include the exact text of your httpd.conf file.<br />
# A page for your MySQL configuration. Along with a description, include the details of the steps you performed to set up MySQL.<br />
# A page for your SELinux configuration. Along with a description, include a list of all of your booleans and their current settings. Show that the configuration is as tight as possible (e.g., don't change booleans unnecessarily).<br />
# A page for your MediaWiki configuration. Along with a description, include your MediaWiki configuration file.<br />
# A page for your iptables configuration. Show the exact iptables rules that are in effect. Demonstrate that the configuration is as tight as possible.<br />
<br />
The easiest way to create a new page is to create a link to it from an existing page (such as the main page), and then follow that link.<br />
<br />
Resources on wiki markup:<br />
* [http://en.wikipedia.org/wiki/Help:Wiki_markup Wiki markup] - Wikipedia<br />
* [[Sandbox|Sandbox page on this wiki]] - examples<br />
<br />
{{Admon/tip|Bonus Opportunity!|Change the default icon in the upper-left corner of your MediaWiki installation to a picture of your choosing. Be sure that you have copyright clearance to use that image (e.g., it is licensed to you, or it is a picture you own).}}<br />
<br />
== Submitting the Assignment ==<br />
<br />
Your professor will require you to submit this assignment in at least one of two ways:<br />
<br />
# Demonstrate that the wiki is working.<br />
# Use wget to harvest the wiki pages:<br />
#* Issue the command: <code>wget -prk http://''hostname''/wiki</code><br />
#* Create a compressed tar file containing the results (name the file <code>''learnid''-a2.tgz</code>).<br />
#* Submit it to your professor in the manner he specifies.<br />
<br />
Check with your professor for the submission details for your section.<br />
<br />
=== Sections A & B - Chris Tyler ===<br />
<br />
* Submit online through this link: https://cs.senecac.on.ca/~ctyler/ops235/a2/ by 11:59 pm, Friday, August 13.<br />
<br />
=== Section C - Andrew Grimo ===<br />
<br />
* Submit online through this link: https://cs.senecac.on.ca/~andrew.grimo/ops235/a2/ by 11:59pm, Friday, August 13.<br />
<br />
== Assessment ==<br />
<br />
* 50% - completion of steps - quality of configuration, iptables and SELinux configuration as tight as possible<br />
* 50% - documentation on the wiki - quality of writing, quality of presentation, and accuracy and completeness of information<br />
* +5% - bonus for replacing the wiki logo</div>Mgiuntahttps://wiki.cdot.senecacollege.ca/w/index.php?title=OPS235_Assignment_2_OLD&diff=42778OPS235 Assignment 2 OLD2010-08-06T15:05:49Z<p>Mgiunta: </p>
<hr />
<div>[[Category:OPS235]]<br />
{{Admon/note | Please take note! | Doing your assignment is part of your ongoing learning process. As such you will be tested on this material in future tests and exams. If you have any questions or need help, please consult your instructor in a timely manner. The due date for this assignment will not be extended. This assignment will be marked partially through demonstration or through the submission of files.}}<br />
<br />
= OPS235 Assignment #2 -- Summer 2010 =<br />
<br />
Weight: 5% of the overall grade<br><br />
<br />
Due Date: Week 13 - week of Aug 9-13 ('''Check with your Professor for exact date''')<br />
<br />
<br />
{{Admon/important | Very Important! | Before making any changes to your system configuration, backup the original configuration files into the <code>/backups</code> directory.}}<br />
<br />
== Introduction and Purpose ==<br />
<br />
In this assignment, you will demonstrate the skills you have learned to this point by configuring two services: a database server and a web server. You will install and use a database-backed web application, MediaWiki, to show that these services have been installed properly. Finally, you will configure the SELinux security system and the web server to serve files in the <code>public_html</code> subdirectory of each user's home directory, including a short web script.<br />
<br />
In this assignment, you will attempt to maintain a high level of security by using SELinux and the iptables firewall to guard against unauthorized access.<br />
<br />
This lab may be performed using any combination of your virtual machines and/or host disk pack.<br />
<br />
== About SELinux ==<br />
<br />
SELinux stands for ''Security Enhanced Linux'' and is based on research performed at NSA and other locations. Where the normal Unix/Linux security system, based upon file permissions, is a ''discretionary access control'' system (DAC), SELinux is a ''mandatory access control'' system (MAC). This means that it attempts to enforce a consistent policy across the entire system, regardless of settings that any user has configured.<br />
<br />
SELinux decisions are based on the ''security context'' of system resources such as files and processes. The security context consists of a user, role, type, and sensitivity component; you can see the security context of files and processes by adding the <code>-Z</code> option to the <code>ls</code> and <code>ps</code> commands:<br />
<br />
$ ls -lZ<br />
drwxr-xr-x. root root '''system_u:object_r:file_t:s0''' arm<br />
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' arm2<br />
drwxrwxr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' bin<br />
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Desktop<br />
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Documents<br />
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Downloads<br />
-rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora0.ks<br />
-rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora1.ks<br />
-rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora2.ks<br />
-rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora3.ks<br />
-rw-rw-r--. chris chris '''unconfined_u:object_r:user_home_t:s0''' foo<br />
-rw-r--r--. chris chris '''unconfined_u:object_r:user_home_t:s0''' hosts<br />
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Music<br />
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Pictures<br />
drwxrwxr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' play<br />
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Public<br />
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Templates<br />
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Videos<br />
-rw-r--r--. chris chris '''unconfined_u:object_r:user_home_t:s0''' x<br />
[chris@muskoka ~]$ ps -Z<br />
LABEL PID TTY TIME CMD<br />
'''unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023''' 2595 pts/1 00:00:00 bash<br />
'''unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023''' 2612 pts/1 00:00:00 ps<br />
<br />
The SELinux policy controls the interactions between security contexts. For example, the policy may specify that the Apache httpd webserver cannot read files in <code>/etc</code>, so if an attacker finds a way to make httpd (or a script run by httpd) read a file in <code>/etc</code>, SELinux will recognize that this is not normal and will deny the access. Since this is done at the kernel level, httpd will get a "file not found" error, even though the file is present, and there is no way for httpd to work around that error.<br />
<br />
=== SELinux Context Commands ===<br />
<br />
There are two main commands used to set the SELinux security context of files:<br />
# chcon - sets the security context of a file to a particular value<br />
#* Example: setting the ''type'' of a file: <code>chcon -t ''unconfined_t'' ''/tmp/foo''</code><br />
#* Example: setting the user/role/type of a file: <code>chcon ''unconfined_u:object_r:user_home_t'' ''~/foo''</code><br />
# restorecon - resets the default security context of a file<br />
#* Example: reset the context of one file: <code>restorecon /etc/services</code><br />
#* Example: recursively reset the contexts of all of the files in a directory: <code>restorecon -R ~</code><br />
<br />
You can have the default security contexts of every file on the system restored at the next boot (a full relabel) by creating a flag file with this command:<br />
<br />
touch /.autorelabel<br />
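As an added example (not from the assignment page), here is a small shell audit of the labels in an <code>ls -lZ</code> listing of <code>~/public_html</code> in the format shown above. It assumes, from httpd_selinux(8) and the default file contexts, that <code>httpd_user_content_t</code> is the type for pages and <code>httpd_user_script_exec_t</code> the type for CGI scripts under a user's <code>public_html</code>; anything else (typically <code>user_home_t</code>, the default for files a user creates) is what <code>restorecon -R ~/public_html</code> would fix. The sample listing is constructed.<br />

```bash
#!/bin/bash
# Added example (not from the assignment page): report entries in an
# "ls -lZ" listing of ~/public_html whose SELinux type httpd cannot serve.
#
# Assumed from httpd_selinux(8) and the default file contexts:
#   httpd_user_content_t      - pages under HOME_DIR/public_html
#   httpd_user_script_exec_t  - CGI scripts httpd may execute for a user
# Other types (usually user_home_t, the default for files a user creates)
# are denied to httpd; the remedy is relabelling, e.g. restorecon -R ~/public_html

# Print one component of a context string such as
# unconfined_u:object_r:user_home_t:s0.   $1 = context, $2 = field name.
context_field() {
    case "$2" in
        user)  printf '%s\n' "$1" | cut -d: -f1 ;;
        role)  printf '%s\n' "$1" | cut -d: -f2 ;;
        type)  printf '%s\n' "$1" | cut -d: -f3 ;;
        level) printf '%s\n' "$1" | cut -d: -f4- ;;  # level may itself contain ':' (s0-s0:c0.c1023)
        *)     return 1 ;;
    esac
}

# Read "ls -lZ" lines on stdin; print "<name> <type>" for every entry whose
# type is not one of the two httpd user types.  The context is recognised as
# the first field with at least three ':' separators, so this works with the
# short listing format on this page and with the longer one that includes
# size and date; the file name is taken as the last field (no spaces in names).
find_mislabelled() {
    awk '
    {
        ctx = ""
        for (i = 1; i <= NF; i++) {
            if (split($i, parts, ":") >= 4) { ctx = $i; break }
        }
        if (ctx == "") next              # not a listing line (e.g. "total 8")
        split(ctx, f, ":")
        if (f[3] != "httpd_user_content_t" && f[3] != "httpd_user_script_exec_t")
            print $NF, f[3]
    }'
}

# Constructed sample listing in the format shown on this page (not real output).
SAMPLE_LISTING='-rw-r--r--. chris chris unconfined_u:object_r:user_home_t:s0 index.html
-rw-r--r--. chris chris unconfined_u:object_r:httpd_user_content_t:s0 about.html
-rwxr-xr-x. chris chris unconfined_u:object_r:httpd_user_script_exec_t:s0 diskfree.cgi
-rw-r--r--. chris chris unconfined_u:object_r:user_home_t:s0 notes.txt'

# Prints the two user_home_t entries; on a live system pipe "ls -lZ ~/public_html" in instead.
printf '%s\n' "$SAMPLE_LISTING" | find_mislabelled
```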
<br />
=== SELinux Booleans ===<br />
<br />
SELinux policy can be tuned (without writing an entirely new policy) through the use of ''booleans'' or option switches. Each boolean can have a value of on (1) or off (0).<br />
<br />
The <code>getsebool</code> and <code>setsebool</code> commands can be used to view and set SELinux boolean values:<br />
<br />
{|class="mediawiki sortable" border="1" cellspacing="0"<br />
!Command<br />
!Description<br />
|-<br />
|<code>getsebool -a</code><br />
|Displays all SELinux booleans<br />
|-<br />
|<code>getsebool ''foo''</code><br />
|Displays the SELinux boolean ''foo''<br />
|-<br />
|<code>setsebool ''foo'' ''value''</code><br />
|Sets the SELinux boolean ''foo'' to ''value'' (where ''value'' is 0 or "off", or 1 or "on")<br />
|}<br />
<br />
<br />
=== SELinux Graphical Tools ===<br />
<br />
The ''system-config-selinux'' tool, which is on the menu as System>Administration>SELinux Management, provides a GUI for managing SELinux booleans and more.<br />
<br />
<br />
{{Admon/note|Take Notes!|Take detailed notes of the steps you perform from this point onward.}}<br />
<br />
== Installing Packages ==<br />
<br />
Install these packages using ''yum'':<br />
* '''httpd''' - this is the Apache web server software. It provides the '''httpd''' service, which runs on port 80.<br />
* '''mysql-server''' - this is the MySQL database server. It provides the '''mysqld''' service, which runs on a Unix domain socket.<br />
* '''mediawiki''' - this is the wiki software used by this wiki, Wikipedia, and many other sites. It is a series of PHP scripts which are run by Apache httpd as requests are received, and it connects to a local database such as MySQL.<br />
<br />
== Configuring Services ==<br />
<br />
=== Apache httpd ===<br />
<br />
# Start the httpd service using the '''service''' command.<br />
# Confirm that you can connect to your web server using a web browser -- both from the machine on which the server is running as well as from another machine on the same network. You should see a test page.<br />
# Configure this software to start when the system is booted.<br />
# Create a very simple HTML index page for your system, and place it at <code>/var/www/html/index.html</code><br />
# Confirm that you can view the index page. If not, adjust your iptables configuration as necessary, or check for errors in <code>/var/log/httpd</code>.<br />
<br />
=== MySQL ===<br />
<br />
# Start the MySQL service (mysqld).<br />
# '''When started for the first time, this service will print a message telling you how to set a password and take other basic steps to secure the MySQL server.''' Follow those instructions to set a password, recording the details of what you do for later use.<br />
# Configure this software to start when the system is booted.<br />
<br />
=== MediaWiki ===<br />
<br />
# Edit MediaWiki's httpd configuration file, <code>/etc/httpd/conf.d/mediawiki.conf</code><br />
#* Uncomment the first two <code>Alias</code> lines<br />
#* Reload the httpd configuration using the <code>service</code> command<br />
# Access <code>http://localhost/wiki</code> on the machine on which the web server is running (this will not work if done remotely, unless you use an ssh tunnel so that the access appears to be coming from the local host). You will see the MediaWiki welcome page; click on the setup link.<br />
# Enter the setup information for your wiki:<br />
#* Enter a name for the wiki<br />
#* Enter your learn e-mail address as the contact information<br />
#* Disable all e-mail features<br />
#* Leave the database host as "localhost"<br />
#* Set up a database password<br />
#* Get MediaWiki to set up the superuser account by checking the appropriate box and entering the superuser password ('''Note:''' This is the database superuser password, NOT the root password).<br />
# Click the "Install MediaWiki!" button.<br />
# Once the setup is complete, you will need to move a file within the MediaWiki directory (inside <code>/var/www</code>). Refer to the directions in the confirmation web page.<br />
<br />
When you are done, you should be able to go to <code>http://'''hostname'''/wiki</code> from any directly-connected machine.<br />
<br />
=== Serving Personal Web Pages ===<br />
<br />
# Configure httpd to serve the <code>~/public_html</code> directories of your users. This will require changes to <code>/etc/httpd/conf/httpd.conf</code> as well as the SELinux configuration. See the man page for <code>httpd_selinux</code> and the Apache [http://httpd.apache.org/docs/2.2/ httpd documentation] for details.<br />
# Prove that this works by creating a page in your <code>~/public_html</code> directory. The URL will be <code>http://''hostname''/~''your-user-id''/</code><br />
# Create a short web script which displays the available disk space on the computer. At its most basic level, a web script is the same as a regular script, with this additional requirement:<br />
#* It must output the line "Content-type: text/plain" or "Content-type: text/html" (depending on whether the script output is plain text or HTML), followed by a blank line.<br />
# Name the script <code>~/public_html/diskfree.cgi</code> - The URL will be <code>http://''hostname''/~''your-user-id''/diskfree.cgi</code><br />
# Configure httpd and SELinux to allow your script to be run from the web. This will require changes to <code>/etc/httpd/conf/httpd.conf</code> as well as the SELinux configuration (possibly including both booleans and SELinux context). As with step 1, see the man page for <code>httpd_selinux</code> and the Apache [http://httpd.apache.org/docs/2.2/ httpd documentation] for details.<br />
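The shape of the web script described in the steps above, as an added example rather than the assignment's own solution: the only difference from an ordinary script is the Content-type header and the blank line that must precede the output. The optional command argument of <code>diskfree_response</code> is a hypothetical parameter added so the format can be checked offline; installed as <code>~/public_html/diskfree.cgi</code> it simply runs <code>df -h</code>.<br />

```bash
#!/bin/bash
# Added example (not the assignment's solution file): a CGI script in the
# shape the assignment describes, plus a checker for the header rule so the
# output of any ~/public_html/*.cgi can be validated before httpd runs it.
#
# What separates a CGI script from an ordinary script is that its output must
# begin with a Content-type header followed by an empty line.  If the blank
# line is missing, httpd treats the output as a malformed header and answers
# the request with a server error instead of the script's output.

# Emit a complete CGI response reporting free disk space.
# $1 (hypothetical, for offline testing) overrides the command used to gather
# the report; the default is "df -h".
diskfree_response() {
    local cmd="${1:-df -h}"
    printf 'Content-type: text/plain\n'
    printf '\n'                    # the blank line that ends the header block
    # The header is already out, so even if the command fails the client gets
    # a well-formed (if unhelpful) response rather than a 500 from httpd.
    $cmd 2>&1
}

# Validate a captured response: succeeds only if line 1 is one of the two
# Content-type headers named in the assignment and line 2 is empty.
# A one-line response (header but no blank line, no body) is rejected.
check_cgi_headers() {
    local first second count
    count=$(printf '%s\n' "$1" | wc -l)
    [ "$count" -ge 2 ] || return 1
    first=$(printf '%s\n' "$1" | sed -n '1p')
    second=$(printf '%s\n' "$1" | sed -n '2p')
    case "$first" in
        'Content-type: text/plain'|'Content-type: text/html') ;;
        *) return 1 ;;
    esac
    [ -z "$second" ]
}

# As installed under ~/public_html, the script's whole job is this one call;
# httpd supplies the status line and the rest of the HTTP reply.
diskfree_response
```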
<br />
{{Admon/tip|Hint|Look for an "add-handler" line in your httpd.conf file.}}<br />
<br />
== Write-up ==<br />
<br />
Create a high-quality write-up of this assignment on your wiki. Include at least these pages:<br />
# A main page, describing in general terms what you did and containing links to the other wiki pages, as well as a link to the page and script in your <code>~/public_html</code> directory.<br />
# A page for your httpd configuration. Along with a description, include the exact text of your httpd.conf file.<br />
# A page for your MySQL configuration. Along with a description, include the details of the steps you performed to set up MySQL.<br />
# A page for your SELinux configuration. Along with a description, include a list of all of your booleans and their current settings. Show that the configuration is as tight as possible (e.g., don't change booleans unnecessarily).<br />
# A page for your MediaWiki configuration. Along with a description, include your MediaWiki configuration file.<br />
# A page for your iptables configuration. Show the exact iptables rules that are in effect. Demonstrate that the configuration is as tight as possible.<br />
<br />
The easiest way to create a new page is to create a link to it from an existing page (such as the main page), and then follow that link.<br />
<br />
Resources on wiki markup:<br />
* [http://en.wikipedia.org/wiki/Help:Wiki_markup Wiki markup] - Wikipedia<br />
* [[Sandbox|Sandbox page on this wiki]] - examples<br />
<br />
{{Admon/tip|Bonus Opportunity!|Change the default icon in the upper-left corner of your MediaWiki installation to a picture of your choosing. Be sure that you have copyright clearance to use that image (e.g., it is licensed to you, or it is a picture you own).}}<br />
<br />
== Submitting the Assignment ==<br />
<br />
Your professor will require you to submit this assignment in at least one of two ways:<br />
<br />
# Demonstrate that the wiki is working.<br />
# Use wget to harvest the wiki pages:<br />
#* Issue the command: <code>wget -prk http://''hostname''/wiki</code><br />
#* Create a compressed tar file containing the results (name the file <code>''learnid''-a2.tgz</code>).<br />
#* Submit it to your professor in the manner he specifies.<br />
<br />
Check with your professor for the submission details for your section.<br />
<br />
=== Sections A & B - Chris Tyler ===<br />
<br />
* Submit online through this link: https://cs.senecac.on.ca/~ctyler/ops235/a2/ by 11:59 pm, Friday, August 13.<br />
<br />
=== Section C - Andrew Grimo ===<br />
<br />
* Submit online through this link: https://cs.senecac.on.ca/~andrew.grimo/ops235/a2/ by 11:59pm, Friday, August 13.<br />
<br />
== Assessment ==<br />
<br />
* 50% - completion of steps - quality of configuration, iptables and SELinux configuration as tight as possible<br />
* 50% - documentation on the wiki - quality of writing, quality of presentation, and accuracy and completeness of information<br />
* +5% - bonus for replacing the wiki logo</div>Mgiuntahttps://wiki.cdot.senecacollege.ca/w/index.php?title=OPS235_Lab_7_-_Fedora17&diff=42548OPS235 Lab 7 - Fedora172010-07-27T20:17:27Z<p>Mgiunta: </p>
<hr />
<div>= Setup and Configure Secure Shell Services (ssh) Using Virtual Machines =<br />
[[Category:OPS235]][[Category:OPS235 Labs]]<br />
<br />
<br />
== Objectives ==<br />
* To set up and configure Secure Shell Services (ssh/sshd)<br />
* To use the ssh, scp, and sftp clients to access another host securely<br />
* Use ssh to tunnel X applications<br />
* Use ssh to tunnel other traffic<br />
* To customize sshd to create a more private, secure system<br />
<br />
== Reference ==<br />
* [http://linuxmanpages.com/ man pages] for ssh, ssh-keygen, sshd_config, ssh_config, scp, netstat, sftp, ifconfig, ping, arp, service<br />
* [http://suso.org/docs/shell/ssh.sdf A good ssh tutorial]<br />
* [http://it.toolbox.com/blogs/locutus/shh-securing-ssh-howto-10640 A good HOW-TO to make ssh more secure]<br />
<br />
== Required materials ==<br />
* [http://fedoraproject.org/get-fedora Fedora 12] Live CD or a classmate on the same pod<br />
* One SATA hard disk in a removable drive tray with Fedora host and 3 Fedora Virtual Machines installed<br />
* Completion of [[OPS235_Lab_6 | Lab 6]]<br />
<br />
== Lab Preparation ==<br />
{{Admon/important | Update your systems | It is advisable to perform a <code>yum update</code> on your Fedora host and all 3 VMs.}}<br />
<br />
{{Admon/important | Backup your VMs before proceeding | If you did not do it at the end of Lab 6, stop all of your VMs and backup your VM disk images.}}<br />
<br />
== Lab Investigations ==<br />
<br />
=== Investigation 1: How do you enable the sshd service? ===<br />
{{Admon/note | Note! | Complete the following steps on your Fedora host.}}<br />
<br />
* OpenSSH should have been installed by default. Let's confirm this by issuing the command:<br />
** <code>rpm -qa | grep ssh</code><br />
* You should see a number of packages installed including <code>openssh-clients</code> and <code>openssh-server</code> <br />
* <code>openssh-server</code> installs a service called <code>sshd</code>. Confirm this service is running by issuing the command:<br />
** <code>service sshd status</code><br />
* Now check that the sshd service is configured to start for runlevels 2, 3, 4, & 5, by issuing the command:<br />
** <code>chkconfig --list sshd</code> <br />
* If the service is not configured correctly fix it by issuing the command:<br />
** <code>chkconfig --level 2345 sshd on</code><br />
* Now that you know the service is running, investigate what port number and protocol sshd uses by issuing the command:<br />
** <code>netstat -atunp</code><br />
* What protocol and port is the sshd process using?<br />
* What is the state of the port?<br />
* Why do UDP ports not have a state?<br />
* Reissue the <code>netstat</code> command without the <code>n</code> option. <br />
* What is the difference? <br />
* The <code>n</code> option tells netstat to list everything as numerical values; without it, netstat resolves IP addresses and port numbers to host names and service names using the files <code>/etc/hosts</code> and <code>/etc/services</code>.<br />
* <code>netstat</code> is a very useful command for anything to do with networking. Read its man page and make sure you understand its output.<br />
* Make sure your <code>sshd</code> service is running on all 3 of your VMs.<br />
* Answer the Investigation 1 question in your lab log book.<br />
<br />
=== Investigation 2: How do you establish an ssh connection? ===<br />
{{Admon/note | Note! | Complete this investigation on your fedora2 VM.}}<br />
<br />
* As your learn account, establish an ssh connection to your fedora3 VM using the command:<br />
** <code>ssh ops235@fedora3</code><br />
* Where 'ops235' is the account on fedora3 and 'fedora3' is the hostname of the fedora3 VM.<br />
* You should receive a message similar to the following:<br />
<pre><br />
The authenticity of host 'fedora3 (192.168.235.13)' can't be established.<br />
RSA key fingerprint is 53:b4:ad:c8:51:17:99:4b:c9:08:ac:c1:b6:05:71:9b.<br />
Are you sure you want to continue connecting (yes/no)? yes<br />
Warning: Permanently added 'fedora3' (RSA) to the list of known hosts.<br />
</pre><br />
{{Admon/note | | When a user connects to a host using ssh, the host sends a fingerprint or digital signature to the client to establish its identity. The first time a connection is established the identity must be stored for subsequent connections. The fingerprints are stored separately for each user in a file called <code>~/.ssh/known_hosts</code>.}}<br />
* Answer yes to add to the list of known hosts.<br />
{{Admon/note | | From now on, when you connect to that host the client will compare the received fingerprint against the list of known hosts before connecting. If the fingerprint does not match, it could indicate that somebody has set up a system to impersonate the computer you wish to connect to, and you would receive a message like this:}}<br />
<pre><br />
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@<br />
@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @<br />
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@<br />
The RSA host key for fedora3 has changed,<br />
and the key for the according IP address 192.168.235.13<br />
is unchanged. This could either mean that<br />
DNS SPOOFING is happening or the IP address for the host<br />
and its host key have changed at the same time.<br />
Offending key for IP in /home/user1/.ssh/known_hosts:10<br />
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@<br />
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @<br />
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@<br />
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!<br />
Someone could be eavesdropping on you right now (man-in-the-middle attack)!<br />
It is also possible that the RSA host key has just been changed.<br />
The fingerprint for the RSA key sent by the remote host is<br />
96:92:62:15:90:ec:40:12:47:08:00:b8:f8:4b:df:5b.<br />
Please contact your system administrator.<br />
Add correct host key in /home/user1/.ssh/known_hosts to get rid of this message.<br />
Offending key in /home/user1/.ssh/known_hosts:53<br />
RSA host key for fedora3 has changed and you have requested strict<br />
checking.<br />
Host key verification failed.<br />
</pre><br />
{{Admon/note | | If you receive a message like this you should investigate why it is happening, as it could indicate a serious security issue, or it could just mean that something on the host has changed (e.g., the OS was reinstalled).}}<br />
<br />
* When prompted, enter your password for your ops235 account on fedora3.<br />
* Establish an ssh connection using your learn account from fedora3 to fedora2.<br />
{{Admon/note | | When you have both ssh connections established between fedora2 and fedora3, check your network connections using the netstat command. You should now see at least 2 TCP connections with a state of ESTABLISHED. One represents the connection from fedora2 to fedora3 and the other the connection from fedora3 to fedora2. You should also see that sshd is still listening on TCP port 22. Notice that the client side of each connection uses an ephemeral port number in the high range; this is common behaviour for client-side applications.}}<br />
* Logout of your ssh connection by typing <code>exit</code>.<br />
* Check the state of the connection after logging out. Wait a few minutes and then check again. Record your observations.<br />
* Use the Internet to search for "TCP 3 way handshake" to see how TCP connections are established and closed.<br />
{{Admon/tip | Tip: | In this part of the lab you established an ssh connection to another host using a password to establish your identity. But passwords are not the only, or even the best, way of authenticating your identity. We can also use public/private key authentication.}}<br />
* Answer the Investigation 2 question in your lab log book.<br />
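The check behind the warning above, as an added example that is not part of the original lab: it looks a host up in a <code>known_hosts</code> file (plain or hashed entries), compares the key the server presents with the stored one, and computes the two fingerprint forms <code>ssh-keygen -l</code> prints (the legacy MD5 colon form shown in the warning and the SHA256 form of current OpenSSH) so you can compare against what the host's administrator publishes. The key bytes, host names and the known_hosts contents are constructed for the example.<br />

```python
"""Check the key a server presents against ~/.ssh/known_hosts, and print its fingerprints.

Added example for this lab, not code from the original page or from OpenSSH.
It reproduces the two fingerprint formats ssh-keygen -l prints: the legacy
MD5 colon form shown in the warning above and the SHA256 form that current
OpenSSH prints. All key material below is constructed (an all-zero Ed25519
public key and a one-byte variant of it), so no real host is described.
"""
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_ed25519_blob(raw_key: bytes) -> str:
    """Base64 public-key blob for ssh-ed25519, exactly as it appears in known_hosts."""
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(raw_key)).decode()


def fingerprint_md5(blob_b64: str) -> str:
    """Legacy fingerprint: MD5 of the decoded blob as 16 colon-separated hex bytes."""
    digest = hashlib.md5(base64.b64decode(blob_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_sha256(blob_b64: str) -> str:
    """Current fingerprint: SHA256 of the decoded blob, base64 with '=' padding removed."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_host_field(hostname: str, salt: bytes) -> str:
    """The |1|salt|hmac host field written by HashKnownHosts yes or ssh-keygen -H."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(host_field: str, hostname: str) -> bool:
    """Match a known_hosts host field: hashed, or a comma-separated list of plain names.

    ssh also accepts * ? and ! patterns and [host]:port forms; they are not handled here."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = host_field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return hostname in host_field.split(",")


def lookup_known_host(known_hosts_text: str, hostname: str) -> list:
    """Return (key_type, blob) for every entry that names hostname."""
    found = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Skip blanks, comments and @cert-authority / @revoked marker lines (out of scope here).
        if len(fields) < 3 or fields[0][0] in "#@":
            continue
        if host_matches(fields[0], hostname):
            found.append((fields[1], fields[2]))
    return found


def check_presented_key(known_hosts_text: str, hostname: str, presented_blob: str) -> str:
    """The test ssh performs on connect.

    "ok"      - the presented key is the one stored for this host
    "changed" - the host is known with a different key: the warning above
    "unknown" - no entry yet: ssh asks you to confirm the fingerprint
    """
    entries = lookup_known_host(known_hosts_text, hostname)
    if not entries:
        return "unknown"
    presented = base64.b64decode(presented_blob)
    for _, blob in entries:
        if hmac.compare_digest(base64.b64decode(blob), presented):
            return "ok"
    return "changed"


# Constructed sample data: the genuine fedora3 key and the key an impostor presents.
GENUINE_BLOB = build_ed25519_blob(bytes(32))
IMPOSTOR_BLOB = build_ed25519_blob(bytes([1]) + bytes(31))
SAMPLE_KNOWN_HOSTS = (
    "# constructed ~/.ssh/known_hosts for this lab, not a real file\n"
    + "fedora3,192.168.235.13 ssh-ed25519 %s\n" % GENUINE_BLOB
    + hashed_host_field("fedora2", bytes(range(20))) + " ssh-ed25519 %s\n" % GENUINE_BLOB
)

if __name__ == "__main__":
    verdict = check_presented_key(SAMPLE_KNOWN_HOSTS, "fedora3", IMPOSTOR_BLOB)
    print("fedora3 presented a key:", verdict)
    # On "changed", compare these with what the administrator of fedora3 publishes,
    # using a channel other than the ssh connection you are trying to make.
    print("MD5    ", fingerprint_md5(IMPOSTOR_BLOB))
    print("SHA256 ", fingerprint_sha256(IMPOSTOR_BLOB))
```

The comparison uses <code>hmac.compare_digest</code> rather than <code>==</code> out of habit for anything that compares secrets or authenticators; for host keys the timing does not matter, but it costs nothing.<br />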
<br />
=== Investigation 3: How do you establish an ssh connection using Public Key Authentication. ===<br />
{{Admon/note | Note! | Complete this investigation on your fedora2 VM.}}<br />
<br />
{{Admon/note | | Public key authentication is a method of establishing identity using a pair of keys that are designed to work together. One key is known as your private key (which, as the name suggests, should remain private and protected) and the other is known as the public key (which, as the name suggests, can be freely distributed). The keys are mathematically linked: a signature made with the private key can be verified by anyone holding the public key, but neither the private key nor a forged signature can be derived from the public key. When you connect, the server sends the client a challenge tied to this particular session, the client signs it with the private key that exists only in your account on your system, and the server checks the signature against the public key you placed earlier in your authorized_keys file on that host. If the signature verifies, the connection must have come from whoever holds the private key, and the private key itself never crosses the network. This basic method of authentication is used extensively in network protocols that need to authenticate identity, TLS included.}}<br />
* Start by generating a keypair as your learn account on fedora2 using the command:<br />
** <code>ssh-keygen -t dsa</code><br />
{{Admon/tip | Tip: | DSA keys are limited to 1024 bits, and OpenSSH releases from 7.0 onward no longer accept them by default. The output below is from DSA as the lab was written; on a current system use the Ed25519 key type instead (<code>-t ed25519</code>) and read <code>id_ed25519</code> wherever <code>id_dsa</code> appears in the following steps.}}<br />
* That should generate output similar to the following:<br />
<pre><br />
Generating public/private dsa key pair.<br />
Enter file in which to save the key (/home/user1/.ssh/id_dsa): <br />
Enter passphrase (empty for no passphrase): <br />
Enter same passphrase again: <br />
Your identification has been saved in /home/user1/.ssh/id_dsa.<br />
Your public key has been saved in /home/user1/.ssh/id_dsa.pub.<br />
The key fingerprint is:<br />
93:58:20:56:72:d7:bd:14:86:9f:42:aa:82:3d:f8:e5 user1@fedora2<br />
</pre><br />
* ssh-keygen first prompts you for the location in which to save the keys. The default is <code>~/.ssh</code>: your private key will be saved as <code>id_dsa</code> and your public key as <code>id_dsa.pub</code>.<br />
{{Admon/tip | Tip: | You will then be prompted for a passphrase. The passphrase must be entered in order to use your private key. Passphrases are more secure than passwords because they are longer, and a phrase is easy to remember but hard to guess. For example, one passphrase that meets these criteria might be "seneca students like fish at 4:00am". Avoid famous phrases such as "to be or not to be" as they are easy to guess. It is possible to leave the passphrase blank but this is dangerous: if an attacker were able to get into your account, or simply copy the file, they could then use your private key to access every other system that trusts it.}}<br />
* Once your keys have been saved you should check to make sure the permissions of the <code>.ssh</code> directory and your key files are secure. <br />
* Use the following commands to secure them:<br />
** <code>chmod 700 ~/.ssh</code><br />
** <code>chmod 600 ~/.ssh/id_dsa*</code><br />
* The next step is to copy your public key to fedora3 (the remote host). You can use the scp command to do it.<br />
* <code>scp</code> (secure copy) is used to copy files between hosts over the ssh protocol. The files are sent over an encrypted channel as is all ssh traffic. <br />
* Issue the command:<br />
** <code>scp ~/.ssh/id_dsa.pub ops235@fedora3:</code><br />
* This will copy your public key to your ops235 home directory on fedora3.<br />
* The ''':''' is important as it separates the hostname from the path where it is copied to. <br />
* The default location is the users home directory on the remote host but you can also use an absolute or relative path after the ''':'''<br />
* Enter your password to complete the copy.<br />
* Now ssh to fedora3 using a password to authenticate.<br />
* Once logged in to fedora3 we need to add the public key to your list of authorized keys. If the <code>.ssh</code> directory does not exist in your ops235 home directory yet, create it first.<br />
* The safest way to do this is to append the contents of <code>id_dsa.pub</code> to the <code>.ssh/authorized_keys</code> file. To do this use the command:<br />
** <code>cat ~/id_dsa.pub >> ~/.ssh/authorized_keys</code><br />
{{Admon/important | Note! | You don't want to overwrite the file as it may contain multiple public keys. Make sure you are using the append redirection '''>>''' and not '''>'''.}}<br />
* Once again you should secure the <code>.ssh</code> directory and the <code>authorized_keys</code> file using the following commands:<br />
** <code>chmod 700 ~/.ssh</code><br />
** <code>chmod 600 ~/.ssh/authorized_keys</code><br />
* Logout of fedora3 and log back in again.<br />
* You should be prompted to enter your passphrase to unlock your private key. If you are asked for your password instead, public key authentication was refused: check the permissions of <code>~/.ssh</code> and <code>~/.ssh/authorized_keys</code> on fedora3 (and of the home directory itself, which must not be group or world writable) and look in <code>/var/log/secure</code> on fedora3 for the reason.<br />
{{Admon/tip | Tip: | If you are connecting from a terminal started in your GUI environment, the desktop session's ssh-agent can hold the unlocked key, so you enter the passphrase once per GUI login rather than on every connection.}}<br />
* Now we can ssh into fedora3 from fedora2 using 2 different authentication methods.<br />
* Answer the Investigation 3 question in your lab log book.<br />
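The copy, append and chmod steps of this investigation, as an added example that is not part of the original lab: a small installer that validates a public key line, appends it to <code>authorized_keys</code> only if that key is not already there (the lab's <code>>></code> step, without creating duplicates), and enforces the 700/600 modes the lab sets by hand. The home directory and the key bytes are constructed in a temporary directory so the example runs anywhere without touching a real account.<br />

```python
"""Install a public key into ~/.ssh/authorized_keys with the checks the manual steps above skip.

Added example, not code from the original page. It validates the key line,
appends it only if that key is not already present (the >> step, without
duplicates), and sets the 700/600 modes the lab applies with chmod. The
home directory and the key bytes are constructed in a temporary directory,
so nothing here touches a real account.
"""
import base64
import os
import stat
import struct
import tempfile


def parse_pubkey_line(line: str) -> tuple:
    """Return (key_type, base64_blob) for '<type> <base64> [comment]'; raise ValueError otherwise."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob_b64 = fields[0], fields[1]
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except ValueError as exc:                # binascii.Error is a ValueError subclass
        raise ValueError("key data is not valid base64") from exc
    # The blob begins with an SSH string naming the key type; it must agree with field 1.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("type inside key blob does not match %r" % key_type)
    return key_type, blob_b64


def install_authorized_key(home: str, pubkey_line: str) -> str:
    """Append pubkey_line to home/.ssh/authorized_keys; return 'added' or 'already present'."""
    key_type, blob_b64 = parse_pubkey_line(pubkey_line)
    ssh_dir = os.path.join(home, ".ssh")
    auth_file = os.path.join(ssh_dir, "authorized_keys")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    existing = []
    if os.path.exists(auth_file):
        with open(auth_file) as fh:
            existing = [l.strip() for l in fh if l.strip() and not l.startswith("#")]
    # Same type and same base64 data means the same key, whatever the comment says.
    for entry in existing:
        try:
            if parse_pubkey_line(entry) == (key_type, blob_b64):
                result = "already present"
                break
        except ValueError:
            continue        # lines with options (from=...) or junk are left alone
    else:
        with open(auth_file, "a") as fh:
            fh.write(pubkey_line.strip() + "\n")
        result = "added"
    os.chmod(ssh_dir, 0o700)                 # chmod 700 ~/.ssh
    os.chmod(auth_file, 0o600)               # chmod 600 ~/.ssh/authorized_keys
    return result


def mode_of(path: str) -> int:
    """Permission bits of path, for example 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def constructed_pubkey(comment: str, first_byte: int = 0) -> str:
    """A well-formed ssh-ed25519 public key line whose key bytes are made up, not generated."""
    raw = bytes([first_byte]) + bytes(31)
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


def run_demo() -> dict:
    """Exercise the installer in a throwaway home directory and report what happened."""
    with tempfile.TemporaryDirectory() as home:
        first = install_authorized_key(home, constructed_pubkey("user1@fedora2"))
        second = install_authorized_key(home, constructed_pubkey("same key, new comment"))
        third = install_authorized_key(home, constructed_pubkey("ops235@fedora3", 1))
        try:
            install_authorized_key(home, "ssh-ed25519 not*base64 broken")
            bad = "accepted"
        except ValueError:
            bad = "rejected"
        auth_file = os.path.join(home, ".ssh", "authorized_keys")
        with open(auth_file) as fh:
            lines = sum(1 for l in fh if l.strip())
        return {"first": first, "second": second, "third": third, "bad": bad,
                "lines": lines, "ssh_dir_mode": mode_of(os.path.join(home, ".ssh")),
                "auth_file_mode": mode_of(auth_file)}


if __name__ == "__main__":
    print(run_demo())
```

The duplicate check compares type and key data only, so re-running the installer after a key's comment changes does not add a second line; sshd would accept either, but a file that grows on every run is how stale keys get forgotten.<br />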
<br />
=== Investigation 4: How do you use scp and sftp. ===<br />
{{Admon/note | Note! | Complete this investigation on your fedora2 VM.}}<br />
<br />
{{Admon/note | | There are 2 common command line tools for transferring files between hosts over an encrypted ssh connection, <code>scp</code> and <code>sftp</code>. <code>sftp</code> is an interactive file transfer program that functions much like an ftp client. }}<br />
<br />
* To connect to a remote host type the command:<br />
** <code>sftp ops235@fedora3</code><br />
* This will establish an interactive session after authentication. <br />
* Type <code>help</code> to see the list of sftp commands at any time.<br />
* The 2 main commands are <code>put</code> to copy a file from the local host to the remote host (upload) and <code>get</code> to copy a file from the remote host to the local host (download).<br />
* Try using <code>sftp</code> to transfer files back and forth between hosts.<br />
<br />
* As you did previously you can also use the <code>scp</code> command to copy files to and from remote hosts and even from one remote host to another.<br />
* Use <code>scp</code> to copy your services file to the fedora3 host into the /tmp directory. (The path on a remote host follows the ''':''') using the command: <br />
** <code>scp /etc/services ops235@fedora3:/tmp</code><br />
* Experiment with <code>scp</code> to copy a file from fedora3 directly to fedora1.<br />
* Answer the Investigation 4 question in your lab log book.<br />
<br />
=== Investigation 5: How do you use ssh to tunnel X. ===<br />
{{Admon/note | Note! | Complete this investigation on your fedora2 and fedora1 VM's.}}<br />
<br />
{{Admon/tip| SELinux | SELinux may prevent ssh from accessing your home directories on fedora1 because you created a new filesystem there. You can reset the security context of the /home directory with this command: <code>restorecon -Rv /home</code>}}<br />
<br />
You can also use ssh to tunnel X window traffic. This lets you log in to a remote host and run an X Window application such as <code>gedit</code> or <code>firefox</code>: the application runs on the remote host but is displayed on the local host. Note that a forwarded X connection gives the remote host access to your local display, so only forward X to hosts you trust.<br />
<br />
<!-- * In order to allow remote users to tunnel your X window (GUI) applications you must configure <code>sshd</code> to forward this type of data.<br />
* Edit the sshd configuration file on fedora1. <code>/etc/ssh/sshd_config</code> and edit or uncomment the following:<br />
<pre><br />
X11Forwarding yes<br />
X11DisplayOffset 10<br />
X11UseLocalhost yes<br />
</pre><br />
* Restart the <code>sshd</code> service on fedora1 using the command:<br />
** <code>service sshd restart</code> --><br />
* From fedora2 <code>ssh</code> to fedora1 using the following command:<br />
** <code>ssh -X -C user@fedora1</code> (Where 'user' is your learn account on fedora1). The <code>-X</code> enables the forwarding of X window information, and the <code>-C</code> enables compression for better performance.<br />
* Once connected run the <code>gedit</code> application. (Gnome Text Editor)<br />
* The gedit window is displayed on fedora2 but it is running on fedora1.<br />
* Enter some text and save a file with <code>gedit</code>. <br />
* Exit <code>gedit</code>.<br />
* Where was the file saved?<br />
* Experiment with running other GUI applications through <code>ssh</code>.<br />
* Answer the Investigation 5 question in your lab log book.<br />
<br />
=== Investigation 6: How do you use ssh to tunnel other traffic. ===<br />
{{Admon/note | Note! | Complete this investigation on your fedora2 and fedora1 VM's.}}<br />
<br />
{{Admon/note | | You can also use an ssh connection to tunnel other types of traffic. There could be different reasons for doing this. For example tunneling traffic for an unencrypted application/protocol through ssh can increase the security of that application. Alternatively you could use it to circumvent a firewall that is blocking traffic you wish to use but allows ssh traffic to pass through.}}<br />
<br />
* You will be working with the 2nd scenario of bypassing a firewall that blocks http traffic.<br />
* In this investigation fedora1 will be your http server and fedora2 will be your client.<br />
* On the HTTP server (fedora1), make sure the Apache web server is installed by typing the command:<br />
** <code>rpm -q httpd</code><br />
* If it is installed check the configuration of the service to see if it is automatically started at any runlevels by issuing the command:<br />
** <code>chkconfig --list httpd</code><br />
* If it has not been started automatically start the service using the command:<br />
** <code>service httpd start</code><br />
* Confirm that httpd is listening to TCP/80 using the command:<br />
** <code>netstat -atnp</code><br />
* Create a small html document called <code>/var/www/html/index.html</code> that displays a short message.<br />
* On the fedora1 (the http server) confirm everything is working locally by using a browser to connect to http://localhost<br />
* The default firewall configuration on fedora1 is to REJECT incoming requests to http (TCP/80)<br />
* Confirm that you can't connect by using firefox on fedora2 to connect to fedora1 http://fedora1/<br />
* On fedora2 confirm that the httpd service is stopped so it cannot interfere with your observations.<br />
* The next step is to establish a tunnel. When you establish a tunnel you make an ssh connection to a remote host and open a new port on the local host. That local host port is then connected to a port on the remote host through the established tunnel. When you send requests to the local port it is forwarded through the tunnel to the remote port.<br />
:::: [[Image:Tunnel.png]]<br />
* Establish a tunnel using a local port on fedora2 of 20808, that connects to the remote port on fedora1 of 80, using the following command on fedora2:<br />
** <code>ssh -L 20808:fedora1:80 user@fedora1</code><br />
{{Admon/note | Note! | The -L (which means Local port) takes one argument of <pre><local-port>:<connect-to-host>:<connect-to-port></pre> The connect-to-host is resolved by sshd on the remote end, not by your client, so fedora1 here means fedora1 as seen from fedora1 itself (localhost would work equally well). The command connects your local port 20808 to port 80 on fedora1: all requests to port 20808 on localhost (fedora2) are tunnelled through your ssh connection to port 22 on fedora1 and delivered by sshd to port 80 on fedora1, bypassing the firewall rule on port 80. By default the forwarded port is bound to the loopback address only, so other hosts cannot use your tunnel. }}<br />
* Once the tunnel is established use netstat to verify the port 20808 is listening on fedora2<br />
* Now using the browser on fedora2 connect to http://localhost:20808<br />
* You should see the index.html page on fedora1.<br />
* Close the ssh connection and verify that the port 20808 is no longer listening.<br />
* Answer the Investigation 6 question in your lab log book.<br />
<br />
=== Investigation 7: How do you make sshd more secure. ===<br />
{{Admon/note | Note! | Complete this investigation on your fedora2 and fedora1 VM's.}}<br />
<br />
{{Admon/note | | Any time you configure your computer to allow logins from the network you are leaving yourself open to unauthorized access attempts. Running the sshd service is a fairly common practice, but care must be taken to make things harder for attackers who use "brute force" attacks to gain access to your system: they combine what they know about your system with a large number of password guesses. They already know which port is likely to be open (TCP 22) and the name of the administrative account (root); all they need to do is guess the password.}}<br />
<br />
{{Admon/tip | Tip! | Making your root password (and the passwords of all other accounts!) both complex and easy to remember is not hard. Passwords should be a minimum of 8 characters long, preferably longer, and contain upper and lower case letters, numbers and special characters. A good example of a strong password might be "LotR3--RotK." It is not that hard to remember because it corresponds to a book title, "Lord of the Rings 3 Return of the King." The password "P@ssw0rd!" is not as good because it is obvious and common. Do not use any password printed in this lab as-is: anything published ends up on the guessing lists.}}<br />
<br />
* Think of a good quality password and change your root passwords on all 3 VM's to be more secure. (It would be a good idea to do this for non-root accounts also)<br />
* The next change you can make is to prevent the root account from logging in to sshd altogether. <br />
* Edit the file <code>/etc/ssh/sshd_config</code> and look for the option <code>PermitRootLogin</code>. Uncomment the option and change it to <code>"no"</code>.<br />
* Even better it is possible to restrict access to just specific users that require it. <br />
* Edit the file <code>/etc/ssh/sshd_config</code> and add a new option of <code>"AllowUsers account"</code> using your login account for account. Double-check the spelling: once this line is in place, any account not listed (root included) is refused before its password or key is even checked.<br />
* In order for these changes to be effective restart the sshd service. Keep your existing ssh session open while you test a new login, so a mistake in the configuration does not lock you out of the VM.<br />
** <code>service sshd restart</code><br />
* Now any hacking attempt also has to guess an account name as well as the password. If you need to ssh with root access, ssh as a regular user and use <code>su -</code> to become root.<br />
* Next change the default port number that sshd uses (TCP:22). This does not hide sshd from anyone who scans the host, but it does remove most of the automated guessing attempts from your logs.<br />
* Edit the sshd configuration file again and change the port number it uses to 2200. If SELinux is enforcing on the VM, it must also be told that sshd may listen on the new port (the ssh_port_t port type), otherwise sshd will fail to bind it.<br />
* Restart the service. <br />
* Confirm the new port is being used with a <code>netstat</code> command.<br />
* Before we can use this new port we must change our firewall to allow traffic through the new port number and block access to port 22. Open 2200 first and confirm a login on it works before you drop 22, and remember that rules added with <code>iptables</code> on the command line are lost at reboot unless you save them.<br />
** <code>iptables -I INPUT -p tcp -s0/0 --dport 22 -j DROP</code><br />
** <code>iptables -I INPUT -p tcp -s0/0 --dport 2200 -j ACCEPT</code><br />
* To test the new port connect to fedora1 from fedora2 using the following command:<br />
** <code>ssh -p 2200 user@fedora1</code><br />
{{Admon/tip | Tip! | For scp access the option to be used is: <code>scp -P 2200</code>}}<br />
{{Admon/tip | Tip! | For more ideas on making sshd more secure consult the HOW-TO link above.}}<br />
* Finally as a system administrator you should periodically monitor your system logs for unauthorized login attempts.<br />
* On Fedora systems the log file that is used is <code>/var/log/secure</code> <br />
* It also logs all uses of the <code>su</code> and <code>sudo</code> commands.<br />
* Attempt to connect to all of your VM's as root and other users using both public key and password authentication. Use some su and sudo commands also. <br />
* Inspect the log to see what kind of information is logged.<br />
* Answer the Investigation 7 question in your lab log book.<br />
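An audit of the <code>sshd_config</code> changes made in this investigation, as an added example that is not part of the original lab and not OpenSSH code. It reads the file the way sshd does (keywords are case-insensitive, the first occurrence of a keyword wins, only lines beginning with <code>#</code> are comments, and everything after a <code>Match</code> line applies to matching sessions only) and reports what the hardening steps above would still change. The three configuration texts are constructed for the lab: the stock file, the file after the lab's edits, and a common mistake where the new lines were pasted below an existing <code>Match</code> block and therefore never took effect globally.<br />

```python
"""Audit an sshd_config for the settings this investigation changes.

Added example, not code from the original page or from OpenSSH. It applies
the reading rules sshd itself uses: keywords are case-insensitive, the first
occurrence of a keyword wins, only lines beginning with # are comments, and
everything after a Match line applies to matching sessions only. The three
configuration texts are constructed for the lab, not copied from a host.
"""

DEFAULTS = {                        # what sshd assumes when a keyword is absent
    "permitrootlogin": "yes",       # Fedora 13 era default; newer releases use prohibit-password
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text: str) -> dict:
    """Return the effective global settings: {keyword: value, 'port': [ports], 'scoped': {...}}."""
    settings = {"port": []}
    scoped = set()                  # keywords seen only inside Match blocks
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True         # a Match block runs to the next Match line or end of file
            continue
        if in_match:
            scoped.add(keyword)
            continue
        if keyword == "port":       # every Port line adds a listening port
            settings["port"].append(value)
        else:
            settings.setdefault(keyword, value)   # first occurrence wins, as in sshd
    if not settings["port"]:
        settings["port"] = ["22"]
    settings["scoped"] = scoped - set(settings)
    return settings


def audit(settings: dict) -> list:
    """Return (keyword, finding) pairs for anything the lab's hardening steps would change."""
    get = lambda key: settings.get(key, DEFAULTS.get(key))
    findings = []
    if get("permitrootlogin") != "no":
        findings.append(("permitrootlogin",
                         "root may log in over ssh (PermitRootLogin %s); set it to no and use su -"
                         % get("permitrootlogin")))
    if "allowusers" not in settings and "allowgroups" not in settings:
        findings.append(("allowusers", "no AllowUsers/AllowGroups: every account is a login target"))
    if get("passwordauthentication") == "yes":
        findings.append(("passwordauthentication",
                         "passwords accepted: once keys work, set PasswordAuthentication no"))
    if "22" in settings["port"]:
        findings.append(("port", "listening on the default port 22 (noise, not a compromise)"))
    for keyword in sorted(settings["scoped"]):
        findings.append((keyword, "%s appears only after a Match line, so it is not a global setting"
                         % keyword))
    return findings


# Constructed: the stock file before Investigation 7 (the relevant lines are commented out).
STOCK_CONFIG = """\
#Port 22
#PermitRootLogin yes
#PasswordAuthentication yes
X11Forwarding yes
"""

# Constructed: the file after the lab's changes, plus PasswordAuthentication no.
HARDENED_CONFIG = """\
Port 2200
PermitRootLogin no
AllowUsers user1
PasswordAuthentication no
X11Forwarding yes
"""

# Constructed: a common mistake, the new lines pasted below an existing Match block.
MISPLACED_CONFIG = """\
Port 2200
Match User ops235
    PasswordAuthentication yes
PermitRootLogin no
AllowUsers user1
"""

if __name__ == "__main__":
    for name, text in (("stock", STOCK_CONFIG), ("hardened", HARDENED_CONFIG),
                       ("misplaced", MISPLACED_CONFIG)):
        print(name)
        for keyword, finding in audit(parse_sshd_config(text)) or [("-", "nothing to change")]:
            print("  %-24s %s" % (keyword, finding))
```

The <code>scoped</code> set is the part worth keeping: <code>sshd -T</code> would show the same effective values, but it is this check that tells you why a <code>PermitRootLogin no</code> you can see in the file is being ignored.<br />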
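The log inspection from the last steps, as an added example that is not part of the original lab: a scan over <code>/var/log/secure</code> lines that counts failed logins per source address, flags an address that fails repeatedly within a short window (a guessing attempt), and reports any login that was accepted from an address that had been failing just before, which is the record to investigate first. The log lines are constructed in the syslog format that sshd, su and sudo write on Fedora; they are not a capture from a real host.<br />

```python
"""Pick brute-force activity out of /var/log/secure.

Added example, not code from the original page. The lines below are
constructed in the syslog format that sshd, su and sudo write on Fedora; they
are not a capture from a real host. The scan counts failed logins per source
address, flags an address that fails repeatedly inside a short window, and
reports any login accepted from an address that was failing just before.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Nov 24 10:01:02 fedora1 sshd[2314]: Failed password for invalid user admin from 192.168.235.20 port 51234 ssh2
Nov 24 10:01:05 fedora1 sshd[2316]: Failed password for root from 192.168.235.20 port 51240 ssh2
Nov 24 10:01:09 fedora1 sshd[2318]: Failed password for root from 192.168.235.20 port 51251 ssh2
Nov 24 10:01:30 fedora1 sshd[2320]: Accepted password for ops235 from 192.168.235.20 port 51260 ssh2
Nov 24 10:01:41 fedora1 sshd[2322]: Accepted publickey for user1 from 192.168.235.12 port 48122 ssh2
Nov 24 10:03:40 fedora1 su: pam_unix(su-l:session): session opened for user root by user1(uid=500)
Nov 24 10:04:02 fedora1 sudo:    user1 : TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/bin/cat /var/log/secure
Nov 24 11:15:00 fedora1 sshd[2400]: Failed password for user1 from 192.168.235.13 port 40001 ssh2
"""

SYSLOG = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
AUTH = re.compile(r"^(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
                  r"(?P<user>\S+) from (?P<ip>\S+) port \d+")


def parse_line(line: str):
    """Split one syslog line into timestamp, program and message (None if it does not parse)."""
    m = SYSLOG.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime fills in 1900, which is fine for time differences
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return {"ts": ts, "prog": m.group("prog"), "msg": m.group("msg")}


def scan(log_text: str, threshold: int = 3, window_s: int = 60) -> dict:
    """Summarise authentication activity in the log text."""
    failures = defaultdict(list)        # source ip -> timestamps of failed logins
    accepted = []                       # (ts, user, ip, method)
    privilege_events = 0                # su and sudo records, also written to /var/log/secure
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["prog"] == "sshd":
            a = AUTH.match(rec["msg"])
            if not a:
                continue
            if a.group("result") == "Failed":
                failures[a.group("ip")].append(rec["ts"])
            else:
                accepted.append((rec["ts"], a.group("user"), a.group("ip"), a.group("method")))
        elif rec["prog"] in ("su", "sudo"):
            privilege_events += 1

    # An address that fails `threshold` times within `window_s` seconds is guessing.
    bursts = []
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                bursts.append(ip)
                break

    # A success from an address that failed shortly before may mean the guessing worked.
    suspicious = [(user, ip, method) for ts, user, ip, method in accepted
                  if any(0 <= (ts - f).total_seconds() <= window_s for f in failures.get(ip, []))]

    return {"failed_by_ip": {ip: len(t) for ip, t in failures.items()},
            "bursts": sorted(bursts),
            "suspicious_logins": suspicious,
            "privilege_events": privilege_events}


if __name__ == "__main__":
    for key, value in scan(SAMPLE_LOG).items():
        print("%-18s %s" % (key, value))
```

On the sample, 192.168.235.20 fails three times in seven seconds and is then accepted as ops235 with a password 21 seconds later; the single failure from 192.168.235.13 an hour later is below the threshold and is reported only in the per-address count.<br />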
<br />
== Completing the lab ==<br />
<br />
{{Admon/important|Time for a new backup!|If you have successfully completed this lab, make a new backup of your virtual machines.}}<br />
<br />
Arrange proof of the following on the screen:<br />
# have configured sshd to allow connections over a non default port.<br />
# have logged in to a VM using public key authentication<br />
# have scp'd and sftp'd files to a VM.<br />
# have tunneled Xwindows applications through ssh<br />
# have tunneled http through firewall using ssh<br />
# have secured ssh against root access<br />
<br />
== Preparing for the Quizzes ==<br />
<br />
* What port does sshd use by default? <br />
* What file is used to configure sshd?<br />
* What sftp commands are used to upload/download files?<br />
* What kind of files are stored in the "~/.ssh/" directory?<br />
* How do you determine whether the sshd service is running on your system or not?<br />
* What is the purpose of the ~/.ssh/known_hosts file?<br />
* What is the purpose of the ~/.ssh/authorized_keys file?<br />
* Which system log file records each use of the sudo command?<br />
* How do you stop the sshd service?<br />
* How do you tunnel XWindows applications?<br />
* What port is the default scp port?<br />
* What port(s) is/are used by httpd service?</div>Mgiunta