Difference between revisions of "OPS705 Lab 4 (2211)"

From CDOT Wiki
m (Part 1: Installing the Apache Package)
m (Chris.johnson moved page OPS705 Lab 4 to OPS705 Lab 4 (2211) without leaving a redirect)
 
(2 intermediate revisions by the same user not shown)
Line 44: Line 44:
 
# Refer to ''Figure 1''. If your rules at this stage look different, stop and contact your professor for help. (Packet and byte count numbers will be unique.)
 
# Refer to ''Figure 1''. If your rules at this stage look different, stop and contact your professor for help. (Packet and byte count numbers will be unique.)
 
# Set iptables to start with the system: <code>systemctl enable iptables</code>
 
# Set iptables to start with the system: <code>systemctl enable iptables</code>
# Remove ''firewalld'' completely: <code>yum autoremove firewalld</code> '''Note:''' If you don't remove firewalld and both firewalls are set to start with the system, firewalld will always start instead of iptables. This can lead to much frustration. Make sure you remove it!
+
# Remove ''firewalld'' completely: <code>yum autoremove firewalld</code> '''Note:''' It may not be installed. If it says "no match" when you run the command, you can move on.
  
 
== Part 2: Securing Your Firewall ==
 
== Part 2: Securing Your Firewall ==
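Review bot: the rewritten Step 8 note drops the reason the removal matters (with both firewalld and iptables enabled at boot, firewalld starts instead of iptables, which is what the previous revision warned about) and keeps only the "no match" case; both facts help a student, so keep the original sentence and append the new one, e.g. `'''Note:''' If firewalld is still installed and both services are enabled, firewalld will start instead of iptables at boot, so make sure it is removed. It may not be installed; if the command says "no match", move on.`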
Line 97: Line 97:
 
Submit to Blackboard full-desktop screenshots (PNG/JPG) of the following:
 
Submit to Blackboard full-desktop screenshots (PNG/JPG) of the following:
  
# Browser window showing the Linux Apache page (on your computer, not displayed on your VM).
+
# Browser window showing the modified HTML page (on your computer, not displayed on your VM).
 
# SSH session window with your iptables rules listed. (See ''Fig. 1'')
 
# SSH session window with your iptables rules listed. (See ''Fig. 1'')
  

Latest revision as of 00:50, 7 September 2021

LAB PREPARATION

Purpose / Objectives of Lab 4

In this lab, you will learn how to install rpm packages, manage services, and set up a basic Apache web server. We will also conduct some light HTML editing, and get our first look at the Linux iptables firewall.

If you encounter technical issues, please contact your professor via e-mail or in your section's Microsoft Teams group.

Minimum Requirements

Before beginning, you must have:

  1. Successfully completed Lab 3
  2. Watched the Week 4 video lecture
  3. Read through the Week 4 slides, and have them handy as a reference for concepts
  4. Your AWS EC2 Linux VM

INVESTIGATION 1: Setting Up A Web Server

In this investigation, you'll install the Apache web server package from a Linux repository and set up the service.

Part 1: Installing the Apache Package

  1. Using SSH, login to your Linux VM. (Remember to check your IP/FQDN, it may change when you start up the VM in AWS.)
  2. Elevate to the root account: sudo su -
  3. Install the Apache package with the following command: yum install httpd
  4. When prompted for confirmation, answer: Y
  5. To confirm it has installed properly, run: yum info httpd. The output should include an entry with Repository : @System. If it doesn't say installed, repeat Step 2 or ask for assistance.

Part 2: Managing the httpd (Apache) Service

  1. Now that the package is installed, it's time to start up the web server. We do this by interacting with the service. Run the following: systemctl start httpd
  2. Next, we have to confirm the service has started without any errors. Run: systemctl status httpd. If it says active in bolded green, you're good to go. Tip: Always check the status of a service you've just modified, whether you're starting, stopping, or restarting it.
  3. Finally, check that the web server is serving web pages by loading a page locally. Run: curl localhost. If you get a bunch of HTML code, you've succeeded! Curl doesn't render HTML, so you see it as plain text. This is how we check that the web server works without dealing with networking.
  4. Remember from our lecture, there's a difference between systemctl start and systemctl enable. To ensure the web server starts up with the system every time, run: systemctl enable httpd
  5. Copy and paste the Public DNS address from the EC2 Instance details page for your Linux VM into a browser on your computer. It doesn't load, does it? We're not done. Move to Investigation 2 to deal with the firewall.

INVESTIGATION 2: Configuring Your Linux Firewall

In this investigation, you'll replace the default internal firewall with another and configure it to allow web server traffic into your VM. You will also follow security best practices in constructing your firewall rules.

Part 1: Replacing firewalld with iptables

Figure 1. Default iptables firewall rules.

The default firewall for RHEL, firewalld, is more complex than we need. We'll be reverting to the easier-to-use iptables standard. Make sure you follow these instructions in order; if you don't, you may be locked out of your Linux VM forever. If you encounter errors on any step, stop and ask for help. Do not continue!

  1. Install the iptables-services package: yum install iptables-services
  2. Stop the firewalld service and start the iptables service in a single, chained command: systemctl stop firewalld; systemctl start iptables (Note: If firewalld isn't present on your system, you'll get a "not loaded" error. This is fine. You can move on to Step 4.)
  3. Check the status of the firewalld service. It should tell you it's stopped.
  4. Check the status of the iptables service. It should tell you it's active.
  5. View your current iptables firewall rules: iptables -nvL --line-numbers
  6. Refer to Figure 1. If your rules at this stage look different, stop and contact your professor for help. (Packet and byte count numbers will be unique.)
  7. Set iptables to start with the system: systemctl enable iptables
  8. Remove firewalld completely: yum autoremove firewalld Note: It may not be installed. If it says "no match" when you run the command, you can move on.

Part 2: Securing Your Firewall

There are a few standard security practices to follow when dealing with firewalls. For more detail, refer to the Week 5 lecture and material.

  1. Set your default policy for the INPUT chain to DROP: iptables -P INPUT DROP
  2. Remove the reject rule from the INPUT chain to hide our server from scans: iptables -D INPUT 5
  3. Set your default policy for the FORWARD chain to DROP: iptables -P FORWARD DROP
  4. Remove the reject rule from the FORWARD chain to hide it from scans: iptables -D FORWARD 1
  5. To verify your work, log out of SSH and log back in. If you don't encounter any login issues, you're good to go.
  6. Assuming the step above works, in your Linux VM, save your rule changes: service iptables save
  7. Congratulations, you've secured your firewall!

Part 3: Allowing Web Traffic

Here's where our hard work will pay off. We'll open a firewall exception to allow requests to our web server through, so we can access our new web server from the Internet.

  1. Before making changes, it's a good idea to review our current rules: iptables -nvL --line-numbers
  2. Add your rule exception. Web traffic is typically served on TCP port 80, and that's what we'll use: iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  3. Review your new rules with the iptables command above. If it looks correct, save your new rules! Remember, changes you make will be erased when you shut down unless you save them.
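As an added check for Parts 2 and 3 (written for this page, not part of the lab), the script below audits iptables -S output for the posture those steps leave behind: DROP policies on INPUT and FORWARD, no REJECT rules answering scans, SSH still allowed so the DROP policy cannot lock you out, and 80/tcp open for Apache. The two rule sets inside it are constructed samples modelled on the iptables-services defaults (the Figure 1 state) and on the result after Part 3; on the VM you would pipe live output into audit_rules instead.

```shell
#!/bin/sh
# Added example (not from the lab page): audit `iptables -S` output against
# the posture Investigation 2 builds. DEFAULT_RULES and SECURED_RULES are
# constructed samples: the iptables-services defaults (Figure 1 state) and
# the result of Parts 2 and 3. Live use on the VM:  iptables -S | audit_rules
DEFAULT_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'
SECURED_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'

# has_rule RULES REGEX: true if any line of RULES matches REGEX
has_rule() { printf '%s\n' "$1" | grep -Eq -- "$2"; }

# audit_rules: reads `iptables -S` output on stdin, prints one FINDING line
# per gap, and returns 0 only when the rule set matches the lab's target.
audit_rules() {
    rules=$(cat); findings=0
    flag() { echo "FINDING: $1"; findings=$((findings + 1)); }
    has_rule "$rules" '^-P INPUT DROP$'   || flag 'INPUT default policy is not DROP'
    has_rule "$rules" '^-P FORWARD DROP$' || flag 'FORWARD default policy is not DROP'
    # REJECT rules answer probes with ICMP errors; Part 2 deletes them
    has_rule "$rules" '^-A INPUT .*-j REJECT'   && flag 'INPUT still has a REJECT rule'
    has_rule "$rules" '^-A FORWARD .*-j REJECT' && flag 'FORWARD still has a REJECT rule'
    # SSH must stay open under a DROP policy; 80/tcp is the Part 3 exception
    has_rule "$rules" '^-A INPUT .*--dport 22 -j ACCEPT' || flag 'no ACCEPT for 22/tcp (SSH lockout)'
    has_rule "$rules" '^-A INPUT .*--dport 80 -j ACCEPT' || flag 'no ACCEPT for 80/tcp (web unreachable)'
    [ "$findings" -eq 0 ]
}

# Demo on the two constructed samples.
for name in DEFAULT_RULES SECURED_RULES; do
    eval "sample=\$$name"
    if printf '%s\n' "$sample" | audit_rules; then echo "$name: secured"; else echo "$name: not yet secured"; fi
done
```

Run it after Step 3 above and before saving; a FINDING line for 22/tcp means you should fix the rules before logging out.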

INVESTIGATION 3: Configuring Your AWS Firewall

Figure 2. The Security groups section of the EC2 Instance details page.

In the previous investigation, you configured your VM's internal firewall at the OS level. Here, you'll configure AWS (cloud level) to let web traffic through.

  1. In the Linux VM's EC2 Instance summary page, click the Security tab. Under Inbound rules, you should see a single entry on port 22 for SSH.
  2. On this page, look for the Security groups section and the blue link. Click this link. (See Fig. 2)
  3. You are now in the Security Group. We'll spend more time with this in a later lab. For now, click on Edit inbound rules.
  4. In the new Edit inbound rules page, click the Add rule button near the bottom left.
  5. A second rule appears. (Warning: Be careful! Don't modify the SSH rule.) Change it to the following:
    1. Type: HTTP
    2. Source: Anywhere
  6. Click save.
  7. You'll now be back on the Security Groups details page, and should see two additional rules for HTTP.
  8. Click on EC2 at the top of the page to go back to Instances.
  9. Go back to your browser, and reload the page. Does it work now? (Hint: Manually type in http:// to the beginning of the URL.)
  10. If it does, congratulations! You're almost done.

INVESTIGATION 4: Editing Your Website

Finally, let's modify the main page. Currently, it's displaying the default Apache splash page. Let's change that.

  1. Switch to the root user account.
  2. Navigate to /var/www/html. (Refer to Lab 3 for file system navigation tips.)
  3. List all files in this directory. There are none; this is expected.
  4. Open a new vim session for index.html: vim index.html
  5. Using HTML, give it a title of: OPS705 Linux Server - Winter 2021.
  6. Using HTML, add to the body: Name: yourname
  7. Using HTML, add to the body as a new line: Student Number: yourstudentnumber
  8. Save and quit the vim session.
  9. In your browser, refresh the page. If your changes show up, you're done!

Lab Submission

Submit to Blackboard full-desktop screenshots (PNG/JPG) of the following:

  1. Browser window showing the modified HTML page (on your computer, not displayed on your VM).
  2. SSH session window with your iptables rules listed. (See Fig. 1)

Your professor will review your page directly; the screenshots are a backup in case of catastrophic issues.

Your professor will not check your lab until the screenshot has been submitted.

Make sure to shut down your virtual machines when you're done!