Jump to: navigation, search

OPS235 Lab 7

380 bytes added, 16:52, 25 November 2020
Part 1: Confirming sshd service is Running on VMs.
# Switch to your '''c7host''' VM.
# Create a file in your current directory of your c7host machine with some text in it called: '''myfile.txt'''
# Issue Ensure you've successfully connected to the VPN required for Matrix ( Then issue the following command (using your Matrix login id):<br><b><code><span style="color:#3366CC;font-size:1.2em;">scp &nbsp; myfile.txt &nbsp;</span></code></b><br>(followed by your Matrix password)<br>What did this command do?
# Issue the following single command (arguments are separated by a space - use your Matrix login id):<br><b><code><span style="color:#3366CC;font-size:1.2em;">ssh &nbsp; &nbsp; ls /home/yourmatrixid/myfile.txt</span></code></b><br>(followed by your Matrix password)<br>What did this command do?<br>Issue the following Linux command:<br><b><code><span style="color:#3366CC;font-size:1.2em;">ssh &nbsp; &nbsp; cat /home/yourmatrixid/myfile.txt</span></code></b><br>How do these commands differ from using issuing the ssh command without the ls or cat command? How is this useful?<br><br>The client ssh application contains the utlities: '''ssh''', '''scp''' and '''sftp''' (learned in ULI101) to connect to remote Linux servers in order to issue commands or transfer files between Linux servers. You can install the SSH service on your Linux server, although this has already been performed upon installation. We will now confirm that the ssh service is running on all of your VMs.<br><br>
# OpenSSH should have been installed by default. Let's confirm this by issuing the command:<br /> <b><code><span style="color:#3366CC;font-size:1.2em;">rpm -qa | grep ssh</span></code></b>
<li>Make sure the '''sshd''' service is running on '''all 3 of your VM's'''</li>
===Part 2: SSH Server Security Configuration===
# Run the graphical program remotely by issuing only one Linux command:<br> <b><code><span style="color:#3366CC;font-size:1.2em;">ssh -X -C yourUserID@centos1 &nbsp; gedit</span></code></b> (Note: ignore warning messages).
# Exit the gedit application.
# Experiment with running other GUI applications (in the /bin directory with applications starting with the letter "x" via '''ssh''' (for example: xeyesxev or xchat).
'''Answer INVESTIGATION 2 observations / questions in your lab log book.'''
# Issue the following Linux command: <b><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.2em;">iptables -P INPUT DROP</span></code></b>
# Issue the '''iptables -L''' command. Can you see the policy to DROP all incoming connections?
# Although you have set a default policy to DROP all incoming connections, there is a problem: now, you cannot browse the Internet. You can confirm that by opening a SEPARATE web-browser and perform a Net-search.<br><br>In order to fix that problem, you can make an exception to allow incoming web-based traffic (via port 80). Those iptables commands to create exceptions are more complex since you need to determine: <ul><li>'''Where each rules appears in the chain'''? (order can be important)</li><li>'''Which protocol(s)''' are affected (eg. tcp, udp, icmp)</li><li>'''What source or destination IP Addresses''' are affected?</li><li>'''What port numbers''' are affected?</li><li>'''What action to take''' if all of the above conditions are met? (eg. ACCEPT, REJECT, DROP, or LOG)</li></ul><br>'''iptables Command Structure (for setting exceptions):<br>(NOTE: If element in column is not specified in the iptables command, then rule relates to ALL elements)'''<table width="100%" cellpadding="10" cellspacing="0" border="1"><tr valign="top><td>Place Rule in Chain</td><td>Chain Name</td><td>Specify Protocol</td><td>Source/Destination IPADDR</td><td>Port Number</td><td>Action<br> -&gt;</td><td>Target</td></tr><tr valign="top"><td>'''-A''' (add / Append to bottom of chain)<br>'''-I''' (insert at top of chain)<br>'''-I CHAIN-NAME 5''' (insert before line 5) </td><td>'''INPUT'''<br>'''OUTPUT'''<br>'''FORWARD'''<br>'''CHAIN-NAME'''</td><td>'''-p tcp''' (tcp packets)<br>'''-p udp''' (datagram packets)<br>'''-p tcp,udp,icmp''' (combined)<br><br>(refer to '''/etc/protocols''' )</td><td>'''-s IPADDR''' (originating IPADDR)<br>'''-d IPADDR''' (destination IPADDR)</td><td>'''<span style="font-family:courier">--</span>sport 22''' (originating port 22 - SSH)<br>'''<span style="font-family:courier">--</span>sport dport 80''' (originating destined port 80 - http)<br><br>(refer to '''/etc/services''')</td><td>'''-j''' </td><td>'''ACCEPT'''<br>'''REJECT'''<br>'''DROP'''<br>'''LOG'''</td></tr></table><br>
# Issue the following Linux commands to ensure the loopback interface is not affected by these rules. The computer should be able to communicate with itself with any state and protocol:<br><b><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.2em;">iptables -A INPUT -i lo -p all -j ACCEPT</span></code><br><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.2em;">iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT</span></code></b>
# Issue the following Linux command to ADD an exception to the INPUT chain to allow web-based incoming traffic (ie. port 80):<br><b><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.2em;">iptables -A INPUT -p tcp --dport 80 -j ACCEPT</span></code></b>
===Exclusively for Summer 2020 term, submissions are accepted only online!===
Follow the submission instructions for lab 7 on Blackboard.
{{Admon/important|Time for a new backup!|If you have successfully completed this lab, make a new backup of your virtual machines as well as your host machine.}}
# Switch to your '''c7host''' VM and '''su -''' into root.
# Change to the '''/root/bin''' directory.
# Issue the Linux command: <b><code><span style="color:#3366CC;font-size:1.2em;">wget http</span></code></b>
# Give the '''lab7-check.bash''' file execute permissions (for the file owner).
# Run the shell script and if any warnings, make fixes and re-run shell script until you receive "congratulations" message.
[[Category:OPS235 Labs]]
[[Category:CentOSS 7]]
[[Category:Digital Classroom]]

Navigation menu