Changes

← Older edit

OPS235 Lab 7

1,059 bytes added, 17:52, 25 November 2020

→‎Part 1: Confirming sshd service is Running on VMs.

[http://man7.org/linux/man-pages/man8/netstat.8.html netstat]

[http://man7.org/linux/man-pages/man8/ifconfig.8.html ifconfig]

[http://man7.org/linux/man-pages/man8/ip.8.html ip]

[http://man7.org/linux/man-pages/man8/ping.8.html ping]

[http://man7.org/linux/man-pages/man8/arp.8.html arp]

|style="padding-left:20px;"|Additional Utilities

[http://man7.org/linux/man-pages/man7/hostname.7.html hostname]

[http://linux.die.net/man/8/restorecon restorecon] Managing Services [http://~~linux~~www.~~die~~dsm.~~net~~fordham.edu/cgi-bin/man~~/8/chkconfig chkconfig~~-cgi.pl?topic=systemctl systemctl]

Configuration Files

[~~http~~https://~~linux~~www.~~about~~freebsd.~~com~~org/~~library~~cgi/~~cmd/blcmdl5_ssh_config~~man.~~htm~~ cgi?query=ssh_config&sektion=5 ssh_config] [~~http~~https://~~linux~~www.~~about~~freebsd.~~com/od/commands~~org/lcgi/~~blcmdl5_sshdcon~~man.~~htm~~ cgi?sshd_config(5) sshd_config]

|style="padding-left:20px;"|SSH Reference

[http://support.suso.com/supki/SSH_Tutorial_for_Linux A good ssh tutorial]

# Switch to your '''c7host''' VM.

# Create a file in your current directory of your c7host machine with some text in it called: '''myfile.txt'''

# ~~Issue~~ Ensure you've successfully connected to the VPN required for Matrix (https://inside.senecacollege.ca/its/services/vpn/studentvpn.html). Then issue the following command (using your Matrix login id): <code>scp   myfile.txt   yourmatrixid@matrix.senecac.on.ca:/home/yourmatrixid</code> (followed by your Matrix password) What did this command do?

# Issue the following single command (arguments are separated by a space - use your Matrix login id): <code>ssh   yourmatrixid@matrix.senecac.on.ca   ls /home/yourmatrixid/myfile.txt</code> (followed by your Matrix password) What did this command do? Issue the following Linux command: <code>ssh   yourmatrixid@matrix.senecac.on.ca   cat /home/yourmatrixid/myfile.txt</code> How do these commands differ from using issuing the ssh command without the ls or cat command? How is this useful? The client ssh application contains the utlities: '''ssh''', '''scp''' and '''sftp''' (learned in ULI101) to connect to remote Linux servers in order to issue commands or transfer files between Linux servers. You can install the SSH service on your Linux server, although this has already been performed upon installation. We will now confirm that the ssh service is running on all of your VMs.

# OpenSSH should have been installed by default. Let's confirm this by issuing the command: <code>rpm -qa | grep ssh</code>

<li>Make sure the '''sshd''' service is running on '''all 3 of your VM's'''</li>

</ol>

===Part 2: SSH Server Security Configuration===

# Try SSHing from your c7host VM to your centos1 VM as your regular user accountname. Did it work?

# Create another regular user called: '''other'''

# Set the password for the newly-created ~~called~~ called '''other'''

# Try SSHing from your c7host VM to your centos1 VM for the account called '''other'''. Why didn't it work?

# Edit the file '''/etc/ssh/sshd_config''' to add the account '''other''' for the '''AllowUsers''' option (use a space to separate usernames instead of a comma).

'''Answer INVESTIGATION 1 observations / questions in your lab log book.'''

=INVESTIGATION 2: ADDITIONAL METHODS TO SECURE YOUR SSH SERVER =

<li>Make certain that you are in your centos2 VM and that you are logged in as a '''regular user''' (i.e. NOT root!) (you have been warned!)</li>

<li>To generate a keypair (public/private keys), issue the following command: <code>ssh-keygen</code></li>

<livalue="14">After generating the keys it prompts you for the location to save the keys. The default is '''~/.ssh''' Your private key will be saved as id_rsa and your public key will be saved as '''id_rsa.pub'''. Press ENTER to accept the default, .</li><li>You will then ~~enter~~ be prompted for a '''pass-phrase ~~used~~ '''. The pass-phrase must be entered in order to ~~establish~~ use your ~~identity~~private key. Pass-phrases are more secure than passwords and should be lengthy, hard to guess and reeasy to remember. For example one pass-~~enter~~ phrase that meets this criteria might be ''"seneca students like to dance at 4:00am"''. Avoid famous phrases such as ''"to be or not to be"'' as they are easy to guess. It is possible to leave the pass-phrase blank but this is dangerous. It means that if a hacker were able to get into your account they could then use your private key to ~~verify~~access other systems you use. The output should appear similar as what is shown below:</li></ol>

</pre>

<ol><li value="15"> After generating the keys it prompts you for the location to save the keys. The default is '''~/.ssh''' Your private key will be saved as id_rsa and your public key will be saved as '''id_rsa.pub'''</li><li>You will then be prompted for a '''pass-phrase'''. The pass-phrase must be entered in order to use your private key. Pass-phrases are more secure than passwords and should be lengthy, hard to guess and easy to remember. For example one pass-phrase that meets this criteria might be ''"seneca students like to dance at 4:00am"''. Avoid famous phrases such as ''"to be or not to be"'' as they are easy to guess. It is possible to leave the pass-phrase blank but this is dangerous. It means that if a hacker were able to get into your account they could then use your private key to access other systems you use. </li>~~<li~~16>Now issue the command <code>ssh-copy-id -i ~/.ssh/id_rsa.pub ops235@centos3</code></li>

<li>When prompted for password, enter OPS235's root password</li>

<li>Try using ssh to now log into your '''centos3''' VM from your '''centos2''' VM. What happens? Were you required to use your pass-phrase?</li>

# Run the graphical program remotely by issuing only one Linux command: <code>ssh -X -C yourUserID@centos1   gedit</code> (Note: ignore warning messages).

# Exit the gedit application.

# Experiment with running other GUI applications (in the /bin directory with applications starting with the letter "x" via '''ssh''' (for example: ~~xeyes~~xev or xchat).

'''Answer INVESTIGATION 2 observations / questions in your lab log book.'''

=INVESTIGATION 3: MANAGING FIREWALLS FOR PROTECTION & TROUBLESHOOTING =

# Issue the following Linux command: <code>iptables -P INPUT DROP</code>

# Issue the '''iptables -L''' command. Can you see the policy to DROP all incoming connections?

# Although you have set a default policy to DROP all incoming connections, there is a problem: now, you cannot browse the Internet. You can confirm that by opening a SEPARATE web-browser and perform a Net-search. In order to fix that problem, you can make an exception to allow incoming web-based traffic (via port 80). Those iptables commands to create exceptions are more complex since you need to determine: <ul><li>'''Where each rules appears in the chain'''? (order can be important)</li><li>'''Which protocol(s)''' are affected (eg. tcp, udp, icmp)</li><li>'''What source or destination IP Addresses''' are affected?</li><li>'''What port numbers''' are affected?</li><li>'''What action to take''' if all of the above conditions are met? (eg. ACCEPT, REJECT, DROP, or LOG)</li></ul> '''iptables Command Structure (for setting exceptions): (NOTE: If element in column is not specified in the iptables command, then rule relates to ALL elements)'''<table width="100%" cellpadding="10" cellspacing="0" border="1"><tr valign="top><td>Place Rule in Chain</td><td>Chain Name</td><td>Specify Protocol</td><td>Source/Destination IPADDR</td><td>Port Number</td><td>Action -></td><td>Target</td></tr><tr valign="top"><td>'''-A''' (add / Append to bottom of chain) '''-I''' (insert at top of chain) '''-i I CHAIN-NAME 5''' (insert before line 5) </td><td>'''INPUT''' '''OUTPUT''' '''FORWARD''' '''CHAIN-NAME'''</td><td>'''-p tcp''' (tcp packets) '''-p udp''' (datagram packets) '''-p tcp,udp,icmp''' (combined) (refer to '''/etc/protocols''' )</td><td>'''-s IPADDR''' (originating IPADDR) '''-d IPADDR''' (destination IPADDR)</td><td>'''--sport 22''' (originating port 22 - SSH) '''--~~sport~~ dport 80''' (~~originating~~ destined port 80 - http) (refer to '''/etc/services''')</td><td>'''-j''' </td><td>'''ACCEPT''' '''REJECT''' '''DROP''' '''LOG'''</td></tr></table> # Issue the following Linux commands to ensure the loopback interface is not affected by these rules. The computer should be able to communicate with itself with any state and protocol: <code>iptables -A INPUT -i lo -p all -j ACCEPT</code> <code>iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT</code>

# Issue the following Linux command to ADD an exception to the INPUT chain to allow web-based incoming traffic (ie. port 80): <code>iptables -A INPUT -p tcp --dport 80 -j ACCEPT</code>

# Issue an iptables command to confirm that their is an exception rule to handle incoming tcp packets over port 80.

# Provide your external facing address, and provide another lab-mate to ping that external facing address. Were they successful?

# Have your lab-mate determine THEIR external facing address and obtain that IP Address.

# Issue the following iptables command to allow an exception for pings from your lab-mate: <code>iptables -A INPUT -p icmp -s {neighbour's ~~exeternal~~ external facing address} -j ACCEPT</code>

# Have your neighbour repeat pinging your external facing IP Address. What happened? Why?

# Have your neighbour try to SSH into YOUR c7host. Were they Successful?

# List the iptables rules for the INPUT chain. What happened to your iptables rules for the INPUT chain?

# Proceed to the next part to learn how to learn how to make your iptables rules persistent.

=== Part 3: Making iptables Policies Persistent ===

# Flush all of your iptables rules by issuing the following command: <code>iptables -F</code>

# Set the default INPUT policy to ACCEPT by issuing the following command: <code>iptables -P INPUT ACCEPT</code>

# Verify there are no iptables rules by issuing the command: <code>iptables -L</code>

# Make a backup of the file '''/etc/sysconfig/iptables''' by issuing the command: <code>cp /etc/sysconfig/iptables~~-save >~~ /etc/sysconfig/iptables.bk</code>

#To make the iptables rules '''persistent''' (i.e. keeps rules when system restarts), you issue the command: <code>iptables-save > /etc/sysconfig/iptables</code>

# Verify that the file '''/etc/sysconfig/iptables''' exists.

= LAB 7 SIGN-OFF (SHOW INSTRUCTOR) =

===Exclusively for Summer 2020 term, submissions are accepted only online!===

Follow the submission instructions for lab 7 on Blackboard.

{{Admon/important|Time for a new backup!|If you have successfully completed this lab, make a new backup of your virtual machines as well as your host machine.}}

# Switch to your '''c7host''' VM and '''su -''' into root.

# Change to the '''/root/bin''' directory.

# Issue the Linux command: <code>wget ~~http~~https://~~matrix~~ict.~~senecac.on~~senecacollege.ca/~~~murray.saul~~ops235/~~ops235~~labs/lab7-check.bash</code>

# Give the '''lab7-check.bash''' file execute permissions (for the file owner).

# Run the shell script and if any warnings, make fixes and re-run shell script until you receive "congratulations" message.

#Arrange proof of the following on the screen: <blockquote>✓ '''centos2''' VM:<blockquote><ul><li>have logged into centos3 VM using '''public key authentication''' (with a pass-phrase)</li></ul></blockquote>✓ '''c7host''' Machine:<blockquote><ul><li>have tunneled Xwindows application from '''centos1''' via ssh</li><li>Run the '''lab7-check.bash''' script in front of your instructor (must have all <code> OK </code> messages)</li></ul></blockquote>✓ '''Lab7''' log-book filled out.

= Practice For Quizzes, Tests, Midterm & Final Exam =

[[Category:OPS235]]

[[Category:OPS235 Labs]]

[[Category:CentOSS 7]]

[[Category:SSD2]]

[[Category:Digital Classroom]]

Ahadalioglu

572

edits

Changes

OPS235 Lab 7

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

get involved with CDOT

courses

course projects

links

Tools