Changes

Jump to: navigation, search

OPS235 Lab 7

15 bytes added, 17:39, 22 June 2016
no edit summary
'''Perform the following steps:'''
# For this section, you will still be using your '''centos1c7host''' and '''centos2centos1''' VMs.
# We will be bypassing a firewall that blocks http traffic.
# In this investigation, '''centos1c7host''' will be your '''http server''' and '''centos2centos1''' will be your <u>client</u>.
# Use the '''hostname''' command to verify that you are in your centos1 VM (as opposed to another VM by mistake via ssh!)
# On the HTTP server, make sure that the Apache web server is installed by typing the command:<br /><b><code><span style="color:#3366CC;font-size:1.2em;">rpm -q httpd</span></code></b>
# Confirm that httpd is listening to TCP/80 using the '''netstat''' command.
# Create a small html document called '''/var/www/html/index.html''' that displays a short message. If you do not know how to use HTML markup language, just type a simple text message...
# <u>Restart</u> your '''centos1c7host''' VM. # On your '''centos1c7host''' VM (i.e. the http server), confirm everything is working locally by using a browser to connect to '''http://localhost'''
# Set the default firewall configuration on centos1 to '''REJECT''' incoming requests to http (TCP/80)
# NOTE: '''centos1c7host''': if '''http://localhost''' stops working locally, add the following iptables rule to centos1, as root <br /><b><code><span style="color:#3366CC;font-size:1.2em;">iptables -I INPUT -i lo -j ACCEPT</span></code></b> # On '''centos2centos1''' confirm that the httpd service is stopped so it cannot interfere with your observations.# On '''centos2centos1''' confirm that you can't connect by using firefox to centos1 '''http://centos1/'''
# The next step is to establish a <u>tunnel</u>. When you establish a tunnel you make an ssh connection to a remote host and open a new port on the local host. That local host port is then connected to a port on the remote host through the established tunnel. When you send requests to the local port it is forwarded through the tunnel to the remote port.
# In a terminal in your '''centos2''' VM, '''make certain you are NOT logged in as root!'''
# Establish a tunnel using a local port on centos2 of 20808, that connects to the remote port on '''centos1c7host''' of 80, using the following command on '''centos2centos1''':<br /><b><code><span style="color:#3366CC;font-size:1.2em;">ssh -L 20808:centos1:80 username@centos1</span></code></b><br><br> '''Note:'''<br>The '''-L''' option (which means Local port) takes one argument:<br><span style="courier">&lt;local-port&gt;:&lt;connect-to-host&gt;:&lt;connect-to-port&gt;</span><br><br> The command basically connects your local port of 20808 to the remote port of 80 on '''centos1c7host'''.<br>This means all requests to 20808 on the <u>localhost</u> ('''centos2centos1''') are actually tunnelled tunneled through your ssh connection<br>to port 22 on '''centos1c7host''' and then delivered to port 80 on '''centos1c7host''', bypassing the firewall.<br><br># Once the tunnel is established use '''netstat''' to verify the port 20808 is listening on '''centos2centos1'''# Now using the browser on '''centos2centos1''' connect to '''http://localhost:20808'''#You should see the '''index.html''' page on '''centos1c7host'''.
# Close the ssh connection and verify that the port 20808 is no longer listening.
'''Perform the following steps:'''
# For this section, you will still be using your '''centos1c7host''' and '''centos2centos1''' VMs.
# Think of a good quality password and change your root passwords on all 3 VM's to be more secure. (It would be a good idea to do this for non-root accounts also)
# The next change you can make is to prevent the root account from logging in to sshd altogether.
# Change to your '''centos2centos1''' VM and open a terminal.
# Edit the file '''/etc/ssh/sshd_config''' and look for the option '''PermitRootLogin'''. Un-comment the option (or add the option if it does not appear) and change the option value to '''"no"'''.<br><br>'''NOTE:''' Now any hacking attempt also has to guess an account name as well as the password. If you need to ssh with root access, ssh as a regular user and use '''su -''' to become root.<br><br>
# Even better, it is possible to restrict access to just specific users that require it.
# Edit the file '''/etc/ssh/sshd_config''' and add a new option of '''"AllowUsers account"''' using your login account for account
# In order for these changes to be effective, issue the following command to restart the sshd service:<br /><b><code><span style="color:#3366CC;font-size:1.2em;">service sshd restart</span></code></b>
# Try sshing from your '''centos1c7host''' VM to your '''centos2centos1''' VM. Where you successful? Would it work if you let "AllowUsers account" without a username, or a non-existent username? Do not do this for your machine!
# Next change the default port number that sshd uses (TCP:22).
# Edit the '''/etc/ssh/sshd_config''' file again, un-comment the port option and change the port number it uses from ''22'' to '''2200'''.
# Switch to your '''centos1''' VM.
# Issue the commmand: <b><code><span style="color:#3366CC;font-size:1.2em;">ssh username@centos2</span></code></b>. What happens? What port do you think that command is using by default?
# Now issue the following command to ssh via port "2200": <b><code><span style="color:#3366CC;font-size:1.2em;">ssh -p 2200 username@centos2centos1</span></code></b>. Where you able to connect?
<ol><li value="17">Finally, as a system administrator, you should periodically monitor your system logs for unauthorized login attempts.</li>
<li>On CentOS systems the log file that is used is '''/var/log/secure''' </li>
'''Perform the Following Steps:'''
# Make certain ALL of your VMs are running.# Switch to your '''centos2c7host''' VMand '''su -''' into root.# Change to the '''/root/bin''' directory.
# Issue the Linux command: <b><code><span style="color:#3366CC;font-size:1.2em;">wget http://matrix.senecac.on.ca/~murray.saul/ops235/lab7-check.bash</span></code></b>
# Give the '''lab7-check.bash''' file execute permissions (for the file owner).
# Run the shell script and if any warnings, make fixes and re-run shell script until you receive "congratulations" message.
#Arrange proof of the following on the screen:<br><blockquote><span style="color:green;font-size:1.5em;">&#x2713;</span> '''centos2''' VM:<blockquote><ul><li>have tunneled Xwindows application from '''centos1''' via ssh</li><li>have tunneled http through firewall using ssh (on web-browser</li><li>have secured ssh against root access</li><li>have logged into centos3 VM using '''public key authentication'''</li><li>Output from running the '''lab7(with a pass-check.bash''' script with all OK messagesphrase)</li></ul></blockquote><span style="color:green;font-size:1.5em;">&#x2713;</span> '''c7host''' Machine:<blockquote><ul><li>Confirmation that sshd is have tunneled Xwindows application from '''centos1''' via ssh</li><li>have tunneled http through firewall using ssh (on web-browser</li><li>Output from running on host machinethe '''lab7-check.bash''' script with all OK messages</li></ul></blockquote><span style="color:green;font-size:1.5em;">&#x2713;</span> '''Lab7''' log-book filled out.
13,420
edits

Navigation menu