Difference between revisions of "OPS705 Lab 4 (2211)"
(→INVESTIGATION 3: Configuring Your AWS Firewall)
m (Chris.johnson moved page OPS705 Lab 4 to OPS705 Lab 4 (2211) without leaving a redirect)
Latest revision as of 23:50, 6 September 2021
LAB PREPARATION
Purpose / Objectives of Lab 4
In this lab, you will learn how to install rpm packages, manage services, and set up a basic Apache web server. We will also conduct some light HTML editing, and get our first look at the Linux iptables firewall.
If you encounter technical issues, please contact your professor via e-mail or in your section's Microsoft Teams group.
Minimum Requirements
Before beginning, you must have:
- Successfully completed Lab 3
- Watched the Week 4 video lecture
- Read through the Week 4 slides, and have them handy as a reference for concepts
- Your AWS EC2 Linux VM
INVESTIGATION 1: Setting Up A Web Server
In this investigation, you'll install the Apache web server package from a Linux repository and set up the service.
Part 1: Installing the Apache Package
- Using SSH, login to your Linux VM. (Remember to check your IP/FQDN, it may change when you start up the VM in AWS.)
- Elevate to the root account:
sudo su -
- Install the Apache package with the following command:
yum install httpd
- When prompted for confirmation, answer:
Y
- To confirm it has installed properly, run the following:
yum info httpd
The output should include an entry with Repository : @System. If it doesn't say installed, repeat Step 2 or ask for assistance.
Part 2: Managing the httpd (Apache) Service
- Now that the package is installed, it's time to start up the web server. We do this by interacting with the service. Run the following:
systemctl start httpd
- Next, we have to confirm the service has started without any errors. Run:
systemctl status httpd
If it says active in bolded green, you're good to go. Tip: Always check the status of a service you've just modified, whether you're starting, stopping, or restarting it.
- Finally, check the web server is serving web pages by loading a page locally. Run:
curl localhost
If you get a bunch of HTML code, you've succeeded! Curl doesn't render HTML code, so you see it as plain text. This is how we check the web server works without dealing with networking.
- Remember from our lecture, there's a difference between systemctl start and systemctl enable. To ensure the web server starts up with the system every time, run:
systemctl enable httpd
- Copy and paste the Public DNS address from the EC2 Instance details page for your Linux VM into a browser on your computer. It doesn't load, does it? We're not done. Move to Investigation 2 to deal with the firewall.
INVESTIGATION 2: Configuring Your Linux Firewall
In this investigation, you'll replace the default internal firewall with another and configure it to allow web server traffic into your VM. You will also follow security best practices in constructing your firewall rules.
Part 1: Replacing firewalld with iptables
The default firewall for RHEL, firewalld, is more complex than we need. We'll be reverting to the easier-to-use iptables standard. Make sure you follow these instructions in order. If you don't, you may be locked out of your Linux VM forever. If you encounter errors on any step, stop and ask for help. Do not continue!
- Install the iptables-services package:
yum install iptables-services
- Stop the firewalld service and start the iptables service in a single, chained command:
systemctl stop firewalld; systemctl start iptables
(Note: If firewalld isn't present on your system, you'll get a not loaded error. This is fine. You can move on to Step 4.)
- Check the status of the firewalld service. It should tell you it's stopped.
- Check the status of the iptables service. It should tell you it's active.
- View your current iptables firewall rules:
iptables -nvL --line-numbers
- Refer to Figure 1. If your rules at this stage look different, stop and contact your professor for help. (Packet and byte count numbers will be unique.)
- Set iptables to start with the system:
systemctl enable iptables
- Remove firewalld completely:
yum autoremove firewalld
Note: It may not be installed. If it says "no match" when you run the command, you can move on.
Part 2: Securing Your Firewall
There are a few standard security practices to follow when dealing with firewalls. For more detail, refer to the Week 5 lecture and material.
- Set your default policy for the INPUT chain to DROP:
iptables -P INPUT DROP
- Remove the reject rule from the INPUT chain to hide our server from scans:
iptables -D INPUT 5
- Set your default policy for the FORWARD chain to DROP:
iptables -P FORWARD DROP
- Remove the reject rule from the FORWARD chain to hide it from scans:
iptables -D FORWARD 1
- To verify your work, log out of SSH and log back in. If you don't encounter any login issues, you're good to go.
- Assuming the step above works, in your Linux VM, save your rule changes:
service iptables save
- Congratulations, you've secured your firewall!
Part 3: Allowing Web Traffic
Here's where our hard work will pay off. We'll open a firewall exception to allow requests to our web server through, so we can access our new web server from the Internet.
- Before making changes, it's a good idea to review our current rules:
iptables -nvL --line-numbers
- Add your rule exception. Web traffic is typically served on TCP port 80, and that's what we'll use:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
- Review your new rules with the iptables command above. If it looks correct, save your new rules! Remember, changes you make will be erased when you shut down unless you save them.
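As an added example (not the lab's own script), here is Investigation 2 Parts 2 and 3 as one shell script: it reads each chain's REJECT rule number from the output of iptables -nvL --line-numbers instead of assuming INPUT 5 and FORWARD 1, and checks that the INPUT chain still accepts SSH on port 22 before switching its policy to DROP. The function names, the APPLY variable and the sample listing are my own assumptions, not part of the lab.

```shell
# Added example, not the lab's own script: the Investigation 2 hardening steps,
# but looking up each chain's REJECT rule number instead of assuming INPUT 5 /
# FORWARD 1, and refusing to set INPUT to DROP unless an SSH ACCEPT rule exists.

# Line number of the first REJECT rule in CHAIN, read from an
# "iptables -nvL --line-numbers" listing on stdin (num pkts bytes target ...).
reject_rule_number() {
  awk -v chain="$1" '
    /^Chain / { in_chain = ($2 == chain); next }
    in_chain && $1 ~ /^[0-9]+$/ && $4 == "REJECT" { print $1; exit }'
}

# Exit 0 if CHAIN has an ACCEPT rule for TCP destination port PORT (dpt:PORT).
has_tcp_accept() {
  awk -v chain="$1" -v port="$2" '
    /^Chain / { in_chain = ($2 == chain); next }
    in_chain && $4 == "ACCEPT" && $5 == "tcp" {
      for (i = 6; i <= NF; i++) if ($i == ("dpt:" port)) found = 1 }
    END { exit found ? 0 : 1 }'
}

# Default DROP, then delete the REJECT rule so probes time out silently.
harden_chain() {
  listing=$(iptables -nvL --line-numbers)
  if [ "$1" = INPUT ] && ! printf '%s\n' "$listing" | has_tcp_accept INPUT 22; then
    echo "refusing to set INPUT policy DROP: no SSH ACCEPT rule found" >&2; return 1
  fi
  iptables -P "$1" DROP
  num=$(printf '%s\n' "$listing" | reject_rule_number "$1")
  if [ -n "$num" ]; then iptables -D "$1" "$num"; fi
}

# Investigation 2 Parts 2 and 3 in one go; run as root on the VM: APPLY=1 sh harden.sh
apply_lab_rules() {
  harden_chain INPUT && harden_chain FORWARD || return 1
  iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  service iptables save
}
# Constructed listing mirroring the stock iptables-services INPUT chain (Figure 1).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       12  900 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0    0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0    0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        3  200 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5        1   60 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'
if [ "${APPLY:-0}" = 1 ]; then apply_lab_rules
else printf 'INPUT REJECT rule is #%s\n' "$(printf '%s\n' "$SAMPLE_LISTING" | reject_rule_number INPUT)"; fi
```

Without APPLY=1 the script only parses the built-in sample, so it can be dry-run anywhere; on the VM it must run as root and the iptables-services package must already be in place.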
INVESTIGATION 3: Configuring Your AWS Firewall
In the previous investigation, you configured your VM's internal firewall at the OS level. Here, you'll configure AWS (cloud level) to let web traffic through.
- In the Linux VM's EC2 Instance summary page, click the Security tab. Under Inbound rules, you should see a single entry on port 22 for SSH.
- On this page, look for the Security groups section and the blue link. Click this link. (See Fig. 2)
- You are now in the Security Group. We'll spend more time with this in a later lab. For now, click on Edit inbound rules.
- In the new Edit inbound rules page, click the Add rule button near the bottom left.
- A second rule appears. (Warning: Be careful! Don't modify the SSH rule.) Change it to the following:
- Type: HTTP
- Source: Anywhere
- Click save.
- You'll now be back in the Security Group details page, and should see two additional rules for HTTP.
- Click on EC2 at the top of the page to go back to Instances.
- Go back to your browser, and reload the page. Does it work now? (Hint: Manually type in http:// to the beginning of the URL.)
- If it does, congratulations! You're almost done.
INVESTIGATION 4: Editing Your Website
Finally, let's modify the main page. Currently, it's displaying the default Apache splash page. Let's change that.
- Switch to the root user account.
- Navigate to /var/www/html. (Refer to Lab 3 for file system navigation tips.)
- List all files in this directory. There are none; this is expected.
- Open a new vim session for index.html:
vim index.html
- Using HTML, give it a title of: OPS705 Linux Server - Winter 2021.
- Using HTML, add to the body: Name: yourname
- Using HTML, add to the body as a new line: Student Number: yourstudentnumber
- Save and quit the vim session.
- In your browser, refresh the page. If your changes show up, you're done!
Lab Submission
Submit to Blackboard full-desktop screenshots (PNG/JPG) of the following:
- Browser window showing the modified HTML page (on your computer, not displayed on your VM).
- SSH session window with your iptables rules listed. (See Fig. 1)
Your professor will review your page directly; the screenshots are a backup in case of catastrophic issues.
Your professor will not check your lab until the screenshot has been submitted.
Make sure to shut down your virtual machines when you're done!