1,576
edits
Changes
Created page with "= LAB PREPARATION = === Purpose / Objectives of Lab 4 === In this lab, you will learn how to install rpm packages, manage services, and set up a basic Apache web server. We w..."
= LAB PREPARATION =
=== Purpose / Objectives of Lab 4 ===
In this lab, you will learn how to install rpm packages, manage services, and set up a basic Apache web server. We will also conduct some light HTML editing, and get our first look at the Linux iptables firewall.
If you encounter technical issues, please contact your professor via e-mail or in your section's Microsoft Teams group.
=== Minimum Requirements ===
Before beginning, you must have:
# Successfully completed [[OPS705_Lab_3 | Lab 3]]
# Watched the Week 4 video lecture
# Read through the Week 4 slides, and have them handy as a reference for concepts
# Your AWS EC2 Linux VM
= INVESTIGATION 1: Setting Up A Web Server =
In this investigation, you'll install the Apache web server package from a Linux repository and set up the service.
== Part 1: Installing the Apache Package ==
# Using SSH, login to your Linux VM. (Remember to check your IP/FQDN, it may change when you start up the VM in AWS.)
# Elevate to root: <code> sudo su -</code>
# Install the Apache package with the following command: <code>yum install httpd</code>
# When prompted for confirmation, answer: <code>Y</code>
# To confirm it has installed properly, run the following: <code>yum info httpd</code> The output should include an entry with '''Repo : installed'''. If it doesn't say installed, repeat Step 2 or as for assistance.
== Part 2: Managing the httpd (Apache) Service ==
# Now that the package is installed, it's time to start up the web server. We do this by interacting with the service. Run the following: <code>systemctl start httpd</code>
# Next, we have to confirm the service has started without any errors. Run: <code>systemctl status httpd</code> If it says ''active'' in bolded green, you're good to go. '''Tip:''' Always check the status of a service you've just modified, whether you're starting, stopping, or restarting it.
# Finally, check the web server is serving web pages by loading a page locally. Run: <code>curl localhost</code> If you get a bunch of HTML code, you've succeeded! Curl doesn't render HTML code, so you see it as plain text. This is how we check the web server works without dealing with networking.
# Remember from our lecture, there's a difference between ''systemctl start'' and ''systemctl enable''. To ensure the web server starts up with the system every time, run: <code>systemctl enable httpd</code>
# In a browser on your computer, copy and paste the address for your Linux VM. It doesn't load, does it? We're not done. Move to '''Investigation 2''' to deal with the firewall.
= INVESTIGATION 2: Configuring Your Linux Firewall =
In this investigation, you'll replace the default internal firewall with another and configure it to allow web server traffic into your VM. You will also follow security best practices in constructing your firewall rules.
== Part 1: Replacing ''firewalld'' with ''iptables'' ==
[[Image:Ops705_lab4_fig1.png|thumb|right|500px|Figure 1. Default iptables firewall rules.]]
The default firewall for RHEL, ''firewalld'' is more complex than we need. We'll be reverting to the easier to use ''iptables'' standard. '''Make sure you follow these instructions in order. If you don't, you may be locked out of your Linux VM forever.''' If you encounter errors on any step, stop and ask for help. Do not continue!
# Install the ''iptables-services'' package: <code>yum install iptables-services</code>
# Stop the ''firewalld'' service and start the ''iptables'' service in a single, chained command: <code> systemctl stop firewalld; systemctl start iptables</code>
# Check the status of the firewalld service. It should tell you it's stopped.
# Check the status of the iptables service. It should tell you it's '''active'''.
# View your current iptables firewall rules: <code>iptables -nvL --line-numbers</code>
# Refer to ''Figure 1''. If your rules at this stage look different, stop and contact your professor for help.
# Set iptables to start with the system: <code>systemctl enable iptables</code>
# Remove ''firewalld'' completely: <code>yum autoremove firewalld</code> '''Note:''' If you don't remove firewalld and both firewalls are set to start with the system, firewalld will always start instead of iptables. This can lead to much frustration. Make sure you remove it!
== Part 2: Securing Your Firewall ==
There are a few standard security practices to follow when dealing with firewalls. For more detail, refer to the Week 5 lecture and material.
# Set your default policy for the INPUT chain to DROP: <code>iptables -P INPUT DROP</code>
# Remove the reject rule from the INPUT chain to hide our server from scans: <code> iptables -D INPUT 5</code>
# Set your default policy for the FORWARD chain to DROP: <code>iptables -P FORWARD DROP</code>
# Remove the reject rule from the FORWARD chain to hide it from scans: <code>iptables -D FORWARD 1</code>
# To verify your work, log out of SSH and log back in. If you don't encounter any login issues, you're good to go.
# '''Assuming the step above works''', in your Linux VM, save your rule changes: <code>service iptables save</code>
# Congratulations, you've secured your firewall!
== Part 3: Allowing Web Traffic ==
Here's where our hard work will pay off. We'll open a firewall exception to allow requests to our web server through, so we can access our new web server from the Internet.
# Before making changes, it's a good idea to review our current rules: <code>iptables -nvL --line-numbers</code>
# Add your rule exception. Web traffic is typically served on TCP port 80, and that's what we'll use: <code>iptables -A INPUT -p tcp --dport 80 -j ACCEPT</code>
# Review your new rules with the iptables command above. If it looks correct, save your new rules! '''Remember, changes you make will be erased when you shut down unless you save them.'''
= INVESTIGATION 3: Configuring Your AWS Firewall =
In the previous investigation, you configured your VM's internal firewall at the OS level. Here, you'll configure AWS (cloud level) to let web traffic through.
# In the Linux VM's EC2 Instance summary page, click the '''Security''' tab. Under ''Inbound rules'', you should see a single entry on port 22 for SSH.
# On this page, look for the ''Security groups'' section and the blue link. Click this link. (See Fig. 4)
# You are now in the Security Group. We'll spend more time with this in a later lab. For now, click on '''Edit inbound rules'''.
# In the new ''Edit inbound rules'' page, click the '''Add rule''' button near the bottom left.
# A second rule appears. (Warning: Be careful! Don't modify the SSH rule.) Change it to the following:
## '''Type:''' HTTP
## '''Source:''' Anywhere
# Click save.
# You'll now be back in the ''Security Groups'' details page, and should see two new additional rules for HTTP.
# Click on '''EC2''' at the top of the page to go back to ''Instances''.
# Go back to your browser, and reload the page. Does it work now? (Hint: Manually type in '''http://''' to the beginning of the URL.)
# If it does, congratulations! You're almost done.
= INVESTIGATION 4: Editing Your Website =
Finally, let's modify the main page. Currently, it's displaying the default Apache splash page. Let's change that.
# Navigate to '''/var/www/html'''. (Refer to ''Lab 3'' for file system navigation tips.)
# List all files in this directory. There are none; this is expected.
# Open a new vim session for index.html: <code>vim index.html</code>
# Using HTML, give it a title of: '''OPS705 Linux Server - Winter 2021'''.
# Using HTML, add to the body: '''Name: yourname'''
# Using HTML, add to the body as a new line: '''Student Number: yourstudentnumber'''
# Save and quit the vim session.
# In your browser, refresh the page. If your changes show up, you're done!
= Lab Submission =
Submit to Blackboard full-desktop screenshots (PNG/JPG) of the following:
# Browser window showing the Linux Apache page (on your computer, not displayed on your VM).
# SSH session window with your iptables rules listed. (See ''Fig. 1'')
Your professor will review your page directly; the screenshots are a backup in case of catastrophic issues.
'''Your professor will not check your lab until the screenshot has been submitted.'''
Make sure to shut down your virtual machines when you're done!
[[Category:OPS705]]
[[Category:OPS705 Labs]]
[[Category:Digital Classroom]]
[[Category:Winter 2021]]
=== Purpose / Objectives of Lab 4 ===
In this lab, you will learn how to install rpm packages, manage services, and set up a basic Apache web server. We will also conduct some light HTML editing, and get our first look at the Linux iptables firewall.
If you encounter technical issues, please contact your professor via e-mail or in your section's Microsoft Teams group.
=== Minimum Requirements ===
Before beginning, you must have:
# Successfully completed [[OPS705_Lab_3 | Lab 3]]
# Watched the Week 4 video lecture
# Read through the Week 4 slides, and have them handy as a reference for concepts
# Your AWS EC2 Linux VM
= INVESTIGATION 1: Setting Up A Web Server =
In this investigation, you'll install the Apache web server package from a Linux repository and set up the service.
== Part 1: Installing the Apache Package ==
# Using SSH, login to your Linux VM. (Remember to check your IP/FQDN, it may change when you start up the VM in AWS.)
# Elevate to root: <code> sudo su -</code>
# Install the Apache package with the following command: <code>yum install httpd</code>
# When prompted for confirmation, answer: <code>Y</code>
# To confirm it has installed properly, run the following: <code>yum info httpd</code> The output should include an entry with '''Repo : installed'''. If it doesn't say installed, repeat Step 2 or as for assistance.
== Part 2: Managing the httpd (Apache) Service ==
# Now that the package is installed, it's time to start up the web server. We do this by interacting with the service. Run the following: <code>systemctl start httpd</code>
# Next, we have to confirm the service has started without any errors. Run: <code>systemctl status httpd</code> If it says ''active'' in bolded green, you're good to go. '''Tip:''' Always check the status of a service you've just modified, whether you're starting, stopping, or restarting it.
# Finally, check the web server is serving web pages by loading a page locally. Run: <code>curl localhost</code> If you get a bunch of HTML code, you've succeeded! Curl doesn't render HTML code, so you see it as plain text. This is how we check the web server works without dealing with networking.
# Remember from our lecture, there's a difference between ''systemctl start'' and ''systemctl enable''. To ensure the web server starts up with the system every time, run: <code>systemctl enable httpd</code>
# In a browser on your computer, copy and paste the address for your Linux VM. It doesn't load, does it? We're not done. Move to '''Investigation 2''' to deal with the firewall.
= INVESTIGATION 2: Configuring Your Linux Firewall =
In this investigation, you'll replace the default internal firewall with another and configure it to allow web server traffic into your VM. You will also follow security best practices in constructing your firewall rules.
== Part 1: Replacing ''firewalld'' with ''iptables'' ==
[[Image:Ops705_lab4_fig1.png|thumb|right|500px|Figure 1. Default iptables firewall rules.]]
The default firewall for RHEL, ''firewalld'' is more complex than we need. We'll be reverting to the easier to use ''iptables'' standard. '''Make sure you follow these instructions in order. If you don't, you may be locked out of your Linux VM forever.''' If you encounter errors on any step, stop and ask for help. Do not continue!
# Install the ''iptables-services'' package: <code>yum install iptables-services</code>
# Stop the ''firewalld'' service and start the ''iptables'' service in a single, chained command: <code> systemctl stop firewalld; systemctl start iptables</code>
# Check the status of the firewalld service. It should tell you it's stopped.
# Check the status of the iptables service. It should tell you it's '''active'''.
# View your current iptables firewall rules: <code>iptables -nvL --line-numbers</code>
# Refer to ''Figure 1''. If your rules at this stage look different, stop and contact your professor for help.
# Set iptables to start with the system: <code>systemctl enable iptables</code>
# Remove ''firewalld'' completely: <code>yum autoremove firewalld</code> '''Note:''' If you don't remove firewalld and both firewalls are set to start with the system, firewalld will always start instead of iptables. This can lead to much frustration. Make sure you remove it!
== Part 2: Securing Your Firewall ==
There are a few standard security practices to follow when dealing with firewalls. For more detail, refer to the Week 5 lecture and material.
# Set your default policy for the INPUT chain to DROP: <code>iptables -P INPUT DROP</code>
# Remove the reject rule from the INPUT chain to hide our server from scans: <code> iptables -D INPUT 5</code>
# Set your default policy for the FORWARD chain to DROP: <code>iptables -P FORWARD DROP</code>
# Remove the reject rule from the FORWARD chain to hide it from scans: <code>iptables -D FORWARD 1</code>
# To verify your work, log out of SSH and log back in. If you don't encounter any login issues, you're good to go.
# '''Assuming the step above works''', in your Linux VM, save your rule changes: <code>service iptables save</code>
# Congratulations, you've secured your firewall!
== Part 3: Allowing Web Traffic ==
Here's where our hard work will pay off. We'll open a firewall exception to allow requests to our web server through, so we can access our new web server from the Internet.
# Before making changes, it's a good idea to review our current rules: <code>iptables -nvL --line-numbers</code>
# Add your rule exception. Web traffic is typically served on TCP port 80, and that's what we'll use: <code>iptables -A INPUT -p tcp --dport 80 -j ACCEPT</code>
# Review your new rules with the iptables command above. If it looks correct, save your new rules! '''Remember, changes you make will be erased when you shut down unless you save them.'''
= INVESTIGATION 3: Configuring Your AWS Firewall =
In the previous investigation, you configured your VM's internal firewall at the OS level. Here, you'll configure AWS (cloud level) to let web traffic through.
# In the Linux VM's EC2 Instance summary page, click the '''Security''' tab. Under ''Inbound rules'', you should see a single entry on port 22 for SSH.
# On this page, look for the ''Security groups'' section and the blue link. Click this link. (See Fig. 4)
# You are now in the Security Group. We'll spend more time with this in a later lab. For now, click on '''Edit inbound rules'''.
# In the new ''Edit inbound rules'' page, click the '''Add rule''' button near the bottom left.
# A second rule appears. (Warning: Be careful! Don't modify the SSH rule.) Change it to the following:
## '''Type:''' HTTP
## '''Source:''' Anywhere
# Click save.
# You'll now be back in the ''Security Groups'' details page, and should see two new additional rules for HTTP.
# Click on '''EC2''' at the top of the page to go back to ''Instances''.
# Go back to your browser, and reload the page. Does it work now? (Hint: Manually type in '''http://''' to the beginning of the URL.)
# If it does, congratulations! You're almost done.
= INVESTIGATION 4: Editing Your Website =
Finally, let's modify the main page. Currently, it's displaying the default Apache splash page. Let's change that.
# Navigate to '''/var/www/html'''. (Refer to ''Lab 3'' for file system navigation tips.)
# List all files in this directory. There are none; this is expected.
# Open a new vim session for index.html: <code>vim index.html</code>
# Using HTML, give it a title of: '''OPS705 Linux Server - Winter 2021'''.
# Using HTML, add to the body: '''Name: yourname'''
# Using HTML, add to the body as a new line: '''Student Number: yourstudentnumber'''
# Save and quit the vim session.
# In your browser, refresh the page. If your changes show up, you're done!
= Lab Submission =
Submit to Blackboard full-desktop screenshots (PNG/JPG) of the following:
# Browser window showing the Linux Apache page (on your computer, not displayed on your VM).
# SSH session window with your iptables rules listed. (See ''Fig. 1'')
Your professor will review your page directly; the screenshots are a backup in case of catastrophic issues.
'''Your professor will not check your lab until the screenshot has been submitted.'''
Make sure to shut down your virtual machines when you're done!
[[Category:OPS705]]
[[Category:OPS705 Labs]]
[[Category:Digital Classroom]]
[[Category:Winter 2021]]