OPS245 Lab 7

2,411 bytes added, 8 April
Part 1: Generating Private and Public Keys (Public Key Infrastructure)
:'''Perform the following steps:'''
Some tasks in this part of the investigation require you to be connected to Seneca's VPN.
*If you are running your installation through VMWare, then you can use [https://inside.senecacollege.ca/its/services/vpn/studentvpn.html the instructions provided by ITS] to connect to it from your Windows machine (your c7host and its nested VMs will use the VPN through the Windows machine without further configuration).
*If you installed your c7host directly onto a machine without using VMWare as an intermediary (or the steps above do not work for you), use the following instructions:
::*Install the package openconnect
::*Run the following command as root (or with sudo): openconnect --protocol=gp studentvpn.senecacollege.ca -b
::*This should prompt you for your username and password (you could also put the username in the command with -p)
::*You'll know it is working if you check your IP address and see something in the 10.0.0.0/8 range.
::*To disconnect, as root (or with sudo): killall openconnect
Once you have connected to the VPN with either method, you may continue.
# Launch your '''c7host machine''' and your '''centos1''' and '''centos3''' VMs.
# Switch to your '''c7host''' VM.
# Create a file in your current directory of your c7host machine with some text in it called: '''myfile.txt'''
# Ensure you've successfully connected to the VPN required for Matrix (https://inside.senecacollege.ca/its/services/vpn/studentvpn.html). Then issue the following command (using your Matrix login id):<br><b><code><span style="color:#3366CC;font-size:1.2em;">scp &nbsp; myfile.txt &nbsp; yourmatrixid@matrix.senecacollege.ca:/home/yourmatrixid</span></code></b><br>(followed by your Matrix password)<br>What did this command do?
# Issue the following single command (arguments are separated by a space - use your Matrix login id):<br><b><code><span style="color:#3366CC;font-size:1.2em;">ssh &nbsp; yourmatrixid@matrix.senecacollege.ca &nbsp; ls /home/yourmatrixid/myfile.txt</span></code></b><br>(followed by your Matrix password)<br>What did this command do?<br>Issue the following Linux command:<br><b><code><span style="color:#3366CC;font-size:1.2em;">ssh &nbsp; yourmatrixid@matrix.senecacollege.ca &nbsp; cat /home/yourmatrixid/myfile.txt</span></code></b><br>How do these commands differ from issuing the ssh command without the ls or cat command? How is this useful?<br><br>The ssh client package contains the utilities '''ssh''', '''scp''' and '''sftp''' (learned in ULI101), which connect to remote Linux servers in order to issue commands or transfer files between Linux servers. You can install the SSH service on your Linux server, although this has already been performed upon installation. We will now confirm that the ssh service is running on all of your VMs.<br><br>
# OpenSSH should have been installed by default. Let's confirm this by issuing the command:<br /> <b><code><span style="color:#3366CC;font-size:1.2em;">rpm -qa | grep ssh</span></code></b>
# You should see a number of packages installed including <b>openssh-clients</b> and <b>openssh-server</b>
<pre style="font-family:monospace;background-color:white;border-style:none;padding-left:50px;">
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ops245yoursenecaid/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter passphrase again:
Your public key has been saved in /home/ops245yoursenecaid/.ssh/id_rsa.pub.
The key fingerprint is:
ef:de:31:67:f7:15:a4:43:39:15:5d:78:1b:e8:97:74 ops245yoursenecaid@centos2
The key's randomart image is:
+--[ RSA 2048]----+
</pre>
Any changes to your iptables policy rules will be lost when you restart your Linux server, unless you make your iptables rules persistent. Failure to perform the following steps after setting up your firewall rules can cause confusion and wasted time.
{{Admon/important|Don't save copies of rules that libvirtd will auto-add every boot.|The libvirtd service running on your c7host automatically adds some rules to iptables to allow the machines in your virtual network to communicate with each other and the outside world. We don't want to save these, or you will end up with two (or more) copies of them in your firewall. This won't actually break anything, but it does clutter up your iptables and make them harder to read. Before you continue with this investigation, restart your iptables. This will leave you with just the rules that exist in its saved configuration, and not the ones added by libvirtd.}}
:'''Perform the following steps:'''
# Make a backup of the file '''/etc/sysconfig/iptables''' by issuing the command:<br><b><code><span style="color:#3366CC;font-size:1.2em;">cp /etc/sysconfig/iptables /etc/sysconfig/iptables.bk</span></code></b>
# Make sure the default policy of your INPUT and FORWARD chains are both set to DROP.
# Delete the rule in the INPUT chain that allows SSH traffic from <b>anyone</b>, and replace it with one that only allows ssh traffic sent by your other machine (that is, your Windows host, or another machine in your network).
# Note that this now means your VMs won't be able to ssh to your c7host, so add a rule that allows the entire network your VMs are on (192.168.245.0/24) to ssh to your c7host.
# Delete the rule in the INPUT chain that allows ICMP traffic from <b>anyone</b>, and replace it with one that only allows ssh traffic sent by your other machine.
# Delete the rule in your '''INPUT''' and '''FORWARD''' chains that '''REJECT'''s any traffic you haven't '''ACCEPT'''ed. You are better protected by the default '''DROP''' policy you set.
# To make the iptables rules '''persistent''' (i.e. keep the rules when the system restarts), issue the command: <br><b><code><span style="color:#3366CC;font-size:1.2em;">sudo iptables-save > /etc/sysconfig/iptables</span></code></b>
# You will notice that even when running the command with sudo, it isn't letting you write to <b><code><span style="color:#3366CC;font-size:1.2em;">/etc/sysconfig/iptables</span></code></b>. This is because the redirection is performed by your own (unprivileged) shell, not by the command sudo runs. Use <b><code><span style="color:#3366CC;font-size:1.2em;">sudo -i</span></code></b>, then try to save them again.
# Verify that the file '''/etc/sysconfig/iptables''' exists.
# Restart your iptables service and test your configuration.
# Restart the libvirtd service, and note the rules it adds to your iptables. It will do this automatically every time it starts.
# Run the shell script and, if there are any warnings, make fixes and re-run the shell script until you receive the "congratulations" message.
#Arrange proof of the following on the screen:<br><blockquote><span style="color:green;font-size:1.5em;">&#x2713;</span> '''centos2''' VM:<blockquote><ul><li>have logged into centos3 VM using '''public key authentication''' (with a pass-phrase)</li></ul></blockquote><span style="color:green;font-size:1.5em;">&#x2713;</span> '''c7host''' Machine:<blockquote><ul><li>have tunneled Xwindows application from '''centos1''' via ssh</li><li>Run the '''lab7-check.bash''' script in front of your instructor (must have all <b><code><span style="color:#66cc00;border:thin solid black;font-size:1.2em;">&nbsp;OK&nbsp;</span></code></b> messages)</li></ul></blockquote><span style="color:green;font-size:1.5em;">&#x2713;</span> '''Lab7''' log-book filled out.
#Upload a screenshot of proof from the previous step, along with the file generated by '''lab7-check.bash'''.
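As an added example (not part of the lab or of the lab7-check.bash script), the following Python script audits an iptables-save dump such as /etc/sysconfig/iptables against the steps above: DROP policies on INPUT and FORWARD, no ssh or ICMP ACCEPT rule open to any source, no catch-all REJECT, and no duplicated libvirtd rules. The sample dump is constructed; the 192.168.245.0/24 network is the one named in the steps.

```python
import re

# Constructed sample of /etc/sysconfig/iptables BEFORE the lab's hardening steps:
# ssh and ICMP accepted from anyone, FORWARD still ACCEPT, catch-all REJECTs present.
WEAK_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 192.168.245.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def parse_dump(text):
    """Split iptables-save text into ({chain: policy}, [(chain, rule), ...])."""
    policies, rules = {}, []
    for line in text.splitlines():
        if line.startswith(":"):                 # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):             # "-A CHAIN <match ...> -j TARGET"
            chain, rule = line[3:].split(" ", 1)
            rules.append((chain, rule))
    return policies, rules

def audit(text):
    """Return findings against the lab's steps; an empty list means all pass."""
    policies, rules = parse_dump(text)
    findings, seen = [], set()
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain)}, expected DROP")
    for chain, rule in rules:
        if (chain, rule) in seen:                # libvirtd rules saved more than once
            findings.append(f"duplicate rule in {chain}: {rule}")
        seen.add((chain, rule))
        src = re.search(r"(?:^|\s)-s (\S+)", rule)   # a missing -s means 0.0.0.0/0
        anywhere = src is None or src.group(1) in ("0.0.0.0/0", "0/0")
        if chain == "INPUT" and rule.endswith("-j ACCEPT") and anywhere:
            if "--dport 22" in rule:
                findings.append("INPUT accepts ssh from any source")
            elif "-p icmp" in rule:
                findings.append("INPUT accepts ICMP from any source")
        if chain in ("INPUT", "FORWARD") and rule.startswith("-j REJECT"):
            findings.append(f"{chain} has a catch-all REJECT; the DROP policy already covers this")
    return findings
```

Run it against a dump taken with iptables-save after each step; when audit() returns an empty list the ruleset matches what the steps ask for.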
= Practice For Quizzes, Tests, Midterm & Final Exam =