Difference between revisions of "OPS705 Lab 4"

Latest revision as of 12:34, 27 October 2020

LAB PREPARATION

Purpose / Objectives of Lab 4

In this lab, you will learn how to install rpm packages, manage services, and set up a basic Apache web server. We will also conduct some light HTML editing, and get our first look at the Linux iptables firewall.

If you encounter technical issues, please contact your professor via e-mail or in your section's Microsoft Teams group.

Minimum Requirements

Before beginning, you must have:

  1. Successfully completed Lab 3
  2. Watched the Week 5 video lecture
  3. Read through the Week 5 slides, and have them handy as a reference for concepts
  4. Your Azure-based Linux VM

INVESTIGATION 1: Setting Up A Web Server

In this investigation, you'll install the Apache web server package from a Linux repository and set up the service.

Part 1: Installing the Apache Package

  1. Using SSH, log in to your Linux VM. (Remember to check your IP/FQDN; it may change when you start up the VM in Azure.)
  2. Elevate to root: sudo su -
  3. Install the Apache package with the following command: yum install httpd
  4. When prompted for confirmation, answer: Y
  5. To confirm it has installed properly, run the following: yum info httpd. The output should include an entry reading Repo : installed. If it doesn't say installed, repeat Step 2 or ask for assistance.

Part 2: Managing the httpd (Apache) Service

  1. Now that the package is installed, it's time to start up the web server. We do this by interacting with the service. Run the following: systemctl start httpd
  2. Next, we have to confirm the service has started without any errors. Run: systemctl status httpd. If it says active in bolded green, you're good to go. Tip: Always check the status of a service you've just modified, whether you're starting, stopping, or restarting it.
  3. Finally, check that the web server is serving web pages by loading a page locally. Run: curl localhost. If you get a bunch of HTML code, you've succeeded! curl doesn't render HTML, so you see it as plain text. This is how we check that the web server works without dealing with networking.
  4. Remember from our lecture, there's a difference between systemctl start and systemctl enable. To ensure the web server starts up with the system every time, run: systemctl enable httpd
  5. In a browser on your computer, copy and paste the address for your Linux VM. It doesn't load, does it? We're not done. Move to Investigation 2 to deal with the firewall.

INVESTIGATION 2: Configuring Your Firewall

In this investigation, you'll replace the default firewall with another and configure it to allow web server traffic into your VM. You will also follow security best practices in constructing your firewall rules.

Part 1: Replacing firewalld with iptables

Figure 1. Default iptables firewall rules.

The default firewall for CentOS, firewalld, is more complex than we need. We'll be reverting to the easier-to-use iptables standard. Make sure you follow these instructions in order. If you don't, you may be locked out of your Linux VM forever. If you encounter errors on any step, stop and ask for help. Do not continue!

  1. Install the iptables-services package: yum install iptables-services
  2. Stop the firewalld service and start the iptables service in a single, chained command: systemctl stop firewalld; systemctl start iptables
  3. Check the status of the firewalld service. It should tell you it's stopped.
  4. Check the status of the iptables service. It should tell you it's active.
  5. View your current iptables firewall rules: iptables -L -vn --line-numbers
  6. Refer to Figure 1. If your rules at this stage look different, stop and contact your professor for help.
  7. Set iptables to start with the system: systemctl enable iptables
  8. Remove firewalld completely: yum autoremove firewalld. Note: If you don't remove firewalld and both firewalls are set to start with the system, firewalld will always start instead of iptables. This can lead to much frustration. Make sure you remove it!

Part 2: Securing Your Firewall

There are a few standard security practices to follow when dealing with firewalls. For more detail, refer to the Week 5 lecture and material.

  1. Set your default policy for the INPUT chain to DROP: iptables -P INPUT DROP
  2. Remove the reject rule from the INPUT chain to hide our server from scans: iptables -D INPUT 5
  3. Set your default policy for the FORWARD chain to DROP: iptables -P FORWARD DROP
  4. Remove the reject rule from the FORWARD chain to hide it from scans: iptables -D FORWARD 1
  5. To verify your work, log out of SSH and log back in. If you don't encounter any login issues, you're good to go.
  6. Assuming the step above works, in your Linux VM, save your rule changes: service iptables save
  7. Congratulations, you've secured your firewall!
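The rule numbers in steps 2 and 4 (iptables -D INPUT 5, iptables -D FORWARD 1) are only correct while your rules match Figure 1; on a VM whose listing differs, deleting rule 5 blindly could remove the SSH rule instead of the REJECT rule. The script below is an added example, not part of the lab, that reads the output of iptables -L -vn --line-numbers, finds the REJECT rule number in each chain itself, and refuses to switch INPUT to DROP unless an ACCEPT rule for TCP port 22 is present. The sample listing is constructed to match the default iptables-services rules the lab's step numbers assume; the function names are the example's own.

```sh
#!/bin/sh
# Added example (not part of the lab): derive the REJECT rule numbers from a
# live listing instead of hard-coding 5 and 1, and refuse to switch the INPUT
# policy to DROP unless an ACCEPT rule for SSH (tcp dport 22) is present.

# Constructed sample of `iptables -L -vn --line-numbers` output, laid out like
# the iptables-services default ruleset the lab's step numbers assume
# (REJECT is INPUT rule 5 and FORWARD rule 1).
SAMPLE_LISTING=$(cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       12   800 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
EOF
)

# Print the number of the first REJECT rule in chain $1 (listing on stdin);
# prints nothing if the chain has no REJECT rule. Columns in a -vn listing:
# num pkts bytes target prot opt in out source destination [extras]
reject_rule_number() {
    awk -v chain="$1" '
        /^Chain / { cur = $2; next }
        cur == chain && $4 == "REJECT" { print $1; exit }
    '
}

# Succeed (exit 0) if chain $1 has an ACCEPT rule for TCP destination port $2.
# Some iptables versions print the protocol number (6) instead of "tcp" with -n.
has_tcp_accept() {
    awk -v chain="$1" -v port="$2" '
        /^Chain / { cur = $2; next }
        cur == chain && $4 == "ACCEPT" && ($5 == "tcp" || $5 == "6") \
            && $0 ~ ("dpt:" port "( |$)") { found = 1; exit }
        END { exit found ? 0 : 1 }
    '
}

# Read a listing on stdin and print the Part 2 commands with the rule numbers
# taken from it. Refuses (exit 1) when no SSH ACCEPT rule exists, because a
# DROP policy without one locks you out of the VM.
plan_secure_commands() {
    listing=$(cat)
    if ! printf '%s\n' "$listing" | has_tcp_accept INPUT 22; then
        echo "refusing: INPUT has no ACCEPT rule for tcp dport 22; DROP policy would cut off SSH" >&2
        return 1
    fi
    in_rej=$(printf '%s\n' "$listing" | reject_rule_number INPUT)
    fw_rej=$(printf '%s\n' "$listing" | reject_rule_number FORWARD)
    echo "iptables -P INPUT DROP"
    [ -n "$in_rej" ] && echo "iptables -D INPUT $in_rej"
    echo "iptables -P FORWARD DROP"
    [ -n "$fw_rej" ] && echo "iptables -D FORWARD $fw_rej"
    return 0
}

# Stand-alone run: print the plan for the sample listing. On the VM you would
# feed the real output instead: iptables -L -vn --line-numbers | plan_secure_commands
printf '%s\n' "$SAMPLE_LISTING" | plan_secure_commands
```

The script only prints the commands; review them against your own listing and then run them as root one at a time, exactly as in the steps above. Its refusal message is the check you want to see fail before, not after, the policy flips to DROP.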

Part 3: Allowing Web Traffic

Here's where our hard work will pay off. We'll open a firewall exception to allow requests to our web server through, so we can access our new web server from the Internet.

  1. Before making changes, it's a good idea to review our current rules: iptables -L -vn --line-numbers
  2. Add your rule exception. Web traffic is typically served on TCP port 80, and that's what we'll use: iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  3. Go back to your browser, and reload the page. Does it work now?
  4. If it does, congratulations! You're almost done.
  5. Back in your SSH session, save your new rules! Remember, changes you make will be erased when you shut down unless you save them.
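Because unsaved rules vanish on shutdown, the practical check after service iptables save is to read the saved file back and confirm it holds the end state of Parts 2 and 3. The following added example, not from the lab, audits a ruleset in iptables-save format (on CentOS 7, iptables-services keeps the saved rules in /etc/sysconfig/iptables): it reports whether the INPUT and FORWARD policies are DROP, whether SSH and HTTP are accepted, and whether any REJECT rule is still there. The sample file is constructed; the function names are the example's own.

```sh
#!/bin/sh
# Added example (not part of the lab): audit the ruleset that
# `service iptables save` wrote, in iptables-save format, to confirm the
# lab's end state actually persisted.

# Constructed sample of a saved ruleset after Parts 2 and 3, assuming the
# iptables-services default rules the lab starts from.
SAMPLE_SAVED=$(cat <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed (constructed sample)
EOF
)

# $1 = saved ruleset text, $2 = description, $3 = extended regex that must
# match at least one line. Prints a verdict line; returns 1 when missing.
expect_line() {
    if printf '%s\n' "$1" | grep -qE -- "$3"; then
        echo "ok:      $2"
    else
        echo "missing: $2"
        return 1
    fi
}

# Read a saved ruleset on stdin and check the lab's expected end state.
# Returns the number of problems found (0 = everything persisted correctly).
audit_saved_rules() {
    saved=$(cat)
    problems=0
    expect_line "$saved" "INPUT default policy is DROP"   '^:INPUT DROP '   || problems=$((problems + 1))
    expect_line "$saved" "FORWARD default policy is DROP" '^:FORWARD DROP ' || problems=$((problems + 1))
    expect_line "$saved" "SSH (tcp/22) still allowed" \
        '^-A INPUT .*--dport 22 -j ACCEPT$' || problems=$((problems + 1))
    expect_line "$saved" "HTTP (tcp/80) allowed" \
        '^-A INPUT .*--dport 80 -j ACCEPT$' || problems=$((problems + 1))
    expect_line "$saved" "established connections allowed" \
        '^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$' || problems=$((problems + 1))
    # The REJECT rules removed in Part 2 must not reappear in the saved file.
    if printf '%s\n' "$saved" | grep -q -- '-j REJECT'; then
        echo "unexpected: a REJECT rule is still present (Part 2 changes not saved?)"
        problems=$((problems + 1))
    else
        echo "ok:      no REJECT rules remain"
    fi
    return "$problems"
}

# Stand-alone run on the sample. On the VM, as root:
#   audit_saved_rules < /etc/sysconfig/iptables
printf '%s\n' "$SAMPLE_SAVED" | audit_saved_rules
```

A non-zero exit status tells you how many of the lab's changes are still missing from the saved file; the "missing:" lines name them, so a forgotten save after Part 3 shows up as "missing: HTTP (tcp/80) allowed" rather than as a mystery after the next reboot.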

Part 4: Editing Your Website

Finally, let's modify the main page. Currently, it's displaying the default Apache splash page. Let's change that.

  1. Navigate to /var/www/html. (Refer to Lab 3 for file system navigation tips.)
  2. List all files in this directory. There are none; this is expected.
  3. Open a new vim session for index.html: vim index.html
  4. Using HTML, give it a title of: OPS705 Linux Server - Fall 2020.
  5. Using HTML, add to the body: Name: yourname
  6. Using HTML, add to the body as a new line: Student Number: yourstudentnumber
  7. Save and quit the vim session.
  8. In your browser, refresh the page. If your changes show up, you're done!

Lab Submission

Submit to Blackboard full-desktop screenshots (PNG/JPG) of the following:

  1. Browser window showing the Linux Apache page (on your computer, not displayed on your VM).
  2. SSH session window with your iptables rules listed.

Your professor will review your page directly; the screenshots are a backup in case of catastrophic issues.

Your professor will not check your lab until the screenshot has been submitted.

Make sure to shut down your virtual machines when you're done!