OPS235 Lab 7

942 bytes added, 15:03, 22 December 2018
LAB 7 SIGN-OFF (SHOW INSTRUCTOR)
[http://man7.org/linux/man-pages/man8/netstat.8.html netstat]<br>
[http://man7.org/linux/man-pages/man8/ifconfig.8.html ifconfig]<br>
[http://man7.org/linux/man-pages/man8/ip.8.html ip]<br>
[http://man7.org/linux/man-pages/man8/ping.8.html ping]<br>
[http://man7.org/linux/man-pages/man8/arp.8.html arp]<br>
|style="padding-left:20px;"|Additional Utilities<br>
[http://man7.org/linux/man-pages/man7/hostname.7.html hostname]<br>
[http://linux.die.net/man/8/restorecon restorecon]<br><br>Managing Services<br>[http://www.dsm.fordham.edu/cgi-bin/man-cgi.pl?topic=systemctl systemctl]<br><br>
Configuration Files<br>
[https://www.freebsd.org/cgi/man.cgi?query=ssh_config&sektion=5 ssh_config]<br>[https://www.freebsd.org/cgi/man.cgi?sshd_config(5) sshd_config]<br>
|style="padding-left:20px;"|SSH Reference<br>
[http://support.suso.com/supki/SSH_Tutorial_for_Linux A good ssh tutorial]<br>
# Try SSHing from your c7host VM to your centos1 VM as your regular user accountname. Did it work?
# Create another regular user called: '''other'''
# Set the password for the newly-created account called '''other'''
# Try SSHing from your c7host VM to your centos1 VM for the account called '''other'''. Why didn't it work?
# Edit the file '''/etc/ssh/sshd_config''' to add the account '''other''' for the '''AllowUsers''' option (use a space to separate usernames instead of a comma).
'''Answer INVESTIGATION 1 observations / questions in your lab log book.'''
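As an added example that is not part of this lab's text, the following POSIX shell script does what step 5 above describes in a checkable way: it reads the '''AllowUsers''' line of an sshd_config file, tells you whether a given account is listed, and appends a new account with a space separator. The sample sshd_config it writes and the function names (make_sample_config, allowusers_has, allowusers_count, allowusers_add) are constructed for this example; on a real host point them at /etc/ssh/sshd_config and reload sshd afterwards.

```shell
#!/bin/sh
# Added example (not part of the OPS235 lab): inspect and extend the AllowUsers
# directive of an sshd_config file. The config written by make_sample_config is
# constructed; on a real host pass /etc/ssh/sshd_config instead.

make_sample_config() {
    cat > "$1" <<'EOF'
# constructed sshd_config fragment for this example
Port 22
PermitRootLogin no
AllowUsers ops235
PasswordAuthentication yes
EOF
}

# 0 if user $2 is one of the space-separated names on the AllowUsers line(s)
# of $1. sshd compares whole names, so "ops235" must not match "ops2356".
allowusers_has() {
    awk -v user="$2" '
        tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) if ($i == user) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Number of names listed; 0 means the directive is absent and sshd lets in
# every account that can authenticate.
allowusers_count() {
    awk 'tolower($1) == "allowusers" { n += NF - 1 } END { print n + 0 }' "$1"
}

# Append user $2 to the first AllowUsers line of $1 with a SPACE separator;
# sshd would treat "ops235,other" as a single (non-existent) user name.
# Creates the directive if it is missing; no change if the user is listed.
allowusers_add() {
    allowusers_has "$1" "$2" && return 0
    if grep -q '^[[:space:]]*AllowUsers[[:space:]]' "$1"; then
        awk -v user="$2" '
            tolower($1) == "allowusers" && !done { $0 = $0 " " user; done = 1 }
            { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf 'AllowUsers %s\n' "$2" >> "$1"
    fi
}

# Stand-alone run: reproduce the lab step (add "other") on the sample config.
main() {
    cfg=$(mktemp)
    make_sample_config "$cfg"
    allowusers_add "$cfg" other
    grep '^AllowUsers' "$cfg"
    echo "$(allowusers_count "$cfg") users allowed"
    rm -f "$cfg"
}
main
```

Run it with `sh allowusers.sh`; it prints the resulting AllowUsers line and the number of accounts permitted. A count of 0 on a real server means the directive is absent, so every account with a valid password can log in over SSH.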
 
= INVESTIGATION 2: ADDITIONAL METHODS TO SECURE YOUR SSH SERVER =
<li>Make <u>certain</u> that you are in your centos2 VM and that you are logged in as a '''regular user''' (i.e. NOT root!) (you have been warned!)</li>
<li>To generate a keypair (public/private keys), issue the following command: <b><code><span style="color:#3366CC;font-size:1.2em;">ssh-keygen</span></code></b><br><br>The output should appear similar to what is shown below:</li></ol>
<pre style="font-family:monospace;background-color:white;border-style:none;padding-left:50px;">
</pre>
<ol><li value="15">After generating the keys it prompts you for the location to save the keys. The default is '''~/.ssh'''. Your private key will be saved as '''id_rsa''' and your public key will be saved as '''id_rsa.pub'''.</li><li>You will then be prompted for a '''pass-phrase'''. The pass-phrase must be entered in order to use your private key. Pass-phrases are more secure than passwords and should be lengthy, hard to guess and easy to remember. For example, one pass-phrase that meets these criteria might be ''"seneca students like to dance at 4:00am"''. Avoid famous phrases such as ''"to be or not to be"'' as they are easy to guess. It is possible to leave the pass-phrase blank but this is dangerous: it means that if a hacker were able to get into your account they could then use your private key to access other systems you use.<br><br></li><li>Now issue the command <b><code><span style="color:#3366CC;font-size:1.2em;">ssh-copy-id -i ~/.ssh/id_rsa.pub ops235@centos3</span></code></b></li>
<li>When prompted for a password, enter OPS235's root password</li>
<li>Try using ssh to now log into your '''centos3''' VM <u>from</u> your '''centos2''' VM. What happens? Were you required to use your pass-phrase?</li>
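If the login in the step above still asks for a password, the usual causes are permissions on the '''~/.ssh''' directory or its files rather than the keys themselves. As an added example that is not part of this lab's text, the following POSIX shell script audits a .ssh directory for the conditions that make sshd ignore authorized_keys or make ssh refuse a private key, and reports a private key that has no pass-phrase (the risk the lab warns about). The function names and the constructed test directory are assumptions of this example; the pass-phrase check needs OpenSSH's ssh-keygen and is skipped when it is absent.

```shell
#!/bin/sh
# Added example (not part of the OPS235 lab): checks to run on a ~/.ssh
# directory when public-key login keeps falling back to a password prompt.
# With StrictModes (sshd's default) a ~/.ssh or authorized_keys writable by
# group/other is silently ignored; ssh refuses a private key that other users
# can read; a key with no pass-phrase is the risk the lab warns about.

mode_of() { stat -c '%a' "$1"; }             # octal permission bits, e.g. 700

# Group or other has the write bit set (uses the last three mode digits).
writable_by_others() {
    m=$(mode_of "$1"); m=${m#"${m%???}"}
    g=${m%?}; g=${g#?}; o=${m#??}
    [ $((g & 2)) -ne 0 ] || [ $((o & 2)) -ne 0 ]
}

# Group or other has the read bit set.
readable_by_others() {
    m=$(mode_of "$1"); m=${m#"${m%???}"}
    g=${m%?}; g=${g#?}; o=${m#??}
    [ $((g & 4)) -ne 0 ] || [ $((o & 4)) -ne 0 ]
}

# An authorized_keys / id_*.pub line: optional options field, key type,
# base64 blob, optional comment. Options containing spaces are not handled.
is_pubkey_line() {
    printf '%s\n' "$1" |
        grep -Eq '^([^ ]+ )?(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# 0 if private key $1 has NO pass-phrase, 1 if it is protected, 2 if
# ssh-keygen is missing or the file is not a usable key.
has_empty_passphrase() {
    command -v ssh-keygen >/dev/null 2>&1 || return 2
    out=$(ssh-keygen -y -P '' -f "$1" 2>&1) && return 0
    case "$out" in *passphrase*) return 1 ;; esac
    return 2
}

# Audit one .ssh directory: print each problem, return the number found.
audit_ssh_dir() {
    dir="$1"; problems=0
    if writable_by_others "$dir"; then
        echo "$dir: writable by group/other (sshd ignores authorized_keys here)"
        problems=$((problems + 1))
    fi
    if [ -f "$dir/authorized_keys" ]; then
        if writable_by_others "$dir/authorized_keys"; then
            echo "$dir/authorized_keys: writable by group/other"
            problems=$((problems + 1))
        fi
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in ''|'#'*) continue ;; esac
            is_pubkey_line "$line" || {
                echo "$dir/authorized_keys: malformed line: $line"
                problems=$((problems + 1))
            }
        done < "$dir/authorized_keys"
    fi
    for key in "$dir"/id_*; do
        case "$key" in *.pub) continue ;; esac
        [ -f "$key" ] || continue
        if readable_by_others "$key"; then
            echo "$key: private key readable by others (ssh refuses to use it)"
            problems=$((problems + 1))
        fi
        if has_empty_passphrase "$key"; then
            echo "$key: private key has no pass-phrase"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# Stand-alone run: audit the directory given as $1, e.g. "sh audit_ssh.sh ~/.ssh".
if [ $# -gt 0 ]; then audit_ssh_dir "$1"; fi
```

Run it on the centos3 side (`sh audit_ssh.sh ~ops235/.ssh`) when ssh-copy-id appeared to succeed but the password prompt remains, and on the centos2 side (`sh audit_ssh.sh ~/.ssh`) when ssh complains about the private key. An exit status of 0 means nothing in the directory stops key authentication.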
:'''Perform the following steps:'''
# Make certain you are in your '''c7host''' machine.
# Issue the following Linux command: <b><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.2em;">iptables -P INPUT DROP</span></code></b>
# Issue the '''iptables -L''' command. Can you see that the INPUT policy has been set to DROP all incoming connections? (Look at the '''policy''' shown in the Chain INPUT heading, not at the rules listed under it.)
# Although you have set a default policy to DROP all incoming connections, there is a problem: you can no longer browse the Internet. You can confirm that by opening a SEPARATE web-browser and performing a Net-search.<br><br>In order to fix that problem, you can make an exception to the default policy to allow incoming web-based traffic (via port 80). The iptables commands that create exceptions are more complex since you need to determine: <ul><li>'''Where each rule appears in the chain''' (order can be important)</li><li>'''Which protocol(s)''' are affected (eg. tcp, udp, icmp)</li><li>'''What source or destination IP Addresses''' are affected?</li><li>'''What port numbers''' are affected?</li><li>'''What action to take''' if all of the above conditions are met? (eg. ACCEPT, REJECT, DROP, or LOG)</li></ul><br><br>'''iptables Command Structure (for setting exceptions):<br>(NOTE: If an element in a column is not specified in the iptables command, then the rule applies to ALL elements)'''<br><table width="100%" cellpadding="10" cellspacing="0" border="1"><tr valign="top"><td>Place Rule in Chain</td><td>Chain Name</td><td>Specify Protocol</td><td>Source/Destination IPADDR</td><td>Port Number</td><td>Action<br> -&gt;</td><td>Target</td></tr><tr valign="top"><td>'''-A''' (add / Append to bottom of chain)<br>'''-I''' (insert at top of chain)<br>'''-I CHAIN-NAME 5''' (insert before line 5) </td><td>'''INPUT'''<br>'''OUTPUT'''<br>'''FORWARD'''<br>'''CHAIN-NAME'''</td><td>'''-p tcp''' (tcp packets)<br>'''-p udp''' (datagram packets)<br>'''-p icmp''' (icmp packets)<br>'''-p all''' (all protocols)<br><br>(refer to '''/etc/protocols''' )</td><td>'''-s IPADDR''' (originating IPADDR)<br>'''-d IPADDR''' (destination IPADDR)</td><td>'''<span style="font-family:courier">--</span>sport 22''' (originating port 22 - SSH)<br>'''<span style="font-family:courier">--</span>dport 80''' (destination port 80 - http)<br><br>(refer to '''/etc/services''')</td><td>'''-j''' </td><td>'''ACCEPT'''<br>'''REJECT'''<br>'''DROP'''<br>'''LOG'''</td></tr></table>
# Issue the following Linux commands to ensure the loopback interface is not affected by these rules. The computer should be able to communicate with itself with any state and protocol:<br><b><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.2em;">iptables -A INPUT -i lo -p all -j ACCEPT</span></code><br><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.2em;">iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT</span></code></b>
# Issue the following iptables Linux command to ADD an exception to the INPUT chain to allow incoming web-based traffic (ie. port 80):<br><b><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.2em;">iptables -A INPUT -p tcp --dport 80 -j ACCEPT</span></code></b>
# Issue an iptables command to confirm that there is an exception rule to handle incoming tcp packets over port 80.
# Use your other web-browser to confirm that you can now browse the Internet. If you cannot, contact your lab assistant or professor for help.
# Determine the '''external facing address''' of your c7host machine.<br>('''Tip:''' in a web-browser, enter the term: '''"ip address"'''. The external facing IP Address should start with '''"10."''').
# Provide your external facing address to another lab-mate and have them ping that external facing address. Were they successful?
# Have the lab-mate determine THEIR external facing address, and obtain that IP Address from THEIR c7host machine.
# Issue the following iptables command to allow an exception for pings from your lab-mate:<br><b><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.2em;">iptables -A INPUT -p icmp -s {neighbour's external facing address} -j ACCEPT</span></code></b>
# Have your neighbour repeat pinging your external facing IP Address. What happened? Why?
# Have your neighbour try to SSH into YOUR c7host. Were they successful?
# Issue an iptables rule (in a similar way as with the previous iptables command) to allow an exception for incoming ssh traffic (eg. port 22) from your neighbour's external facing IP address.
# Have your neighbour try to SSH into YOUR c7host (at least to get a password prompt). Were they successful? If so, why?
# Issue an iptables command to add a rule at the bottom of the OUTPUT chain to DROP http (port 80) connections. Try to think of the command yourself.
# Open another web-browser. Can you connect to a webpage?
# Issue an iptables command to '''flush''' the OUTPUT chain. Does your web-browser now work?
# Shutdown all VMs and restart your c7host Linux machine.
# List the iptables rules for the INPUT chain. What happened to your iptables rules for the INPUT chain?
# Proceed to the next part to learn how to make your iptables rules persistent.
 
=== Part 3: Making iptables Policies Persistent ===
# Flush all of your iptables rules by issuing the following command: <b><code><span style="color:#3366CC;font-size:1.2em;">iptables -F</span></code></b>
# Set the default INPUT policy to ACCEPT by issuing the following command: <b><code><span style="color:#3366CC;font-size:1.2em;">iptables -P INPUT ACCEPT</span></code></b>
# Verify there are no iptables rules by issuing the command: <b><code><span style="color:#3366CC;font-size:1.2em;">iptables -L</span></code></b>
# Make a backup of the file '''/etc/sysconfig/iptables''' by issuing the command:<br><b><code><span style="color:#3366CC;font-size:1.2em;">cp /etc/sysconfig/iptables /etc/sysconfig/iptables.bk</span></code></b>
# To make the iptables rules '''persistent''' (i.e. the rules are kept when the system restarts), issue the command: <br><b><code><span style="color:#3366CC;font-size:1.2em;">iptables-save > /etc/sysconfig/iptables</span></code></b>
# Verify that the file '''/etc/sysconfig/iptables''' exists.
# Switch to your '''c7host''' VM and '''su -''' into root.
# Change to the '''/root/bin''' directory.
# Issue the Linux command: <b><code><span style="color:#3366CC;font-size:1.2em;">wget http://cs.senecacollege.ca/~ops235/lab7/lab7-check.bash</span></code></b>
# Give the '''lab7-check.bash''' file execute permissions (for the file owner).
# Run the shell script and, if there are any warnings, make fixes and re-run the shell script until you receive the "congratulations" message.
# Arrange proof of the following on the screen:<br><blockquote><span style="color:green;font-size:1.5em;">&#x2713;</span> '''centos2''' VM:<blockquote><ul><li>have logged into centos3 VM using '''public key authentication''' (with a pass-phrase)</li></ul></blockquote><span style="color:green;font-size:1.5em;">&#x2713;</span> '''c7host''' Machine:<blockquote><ul><li>have tunneled an X Windows application from '''centos1''' via ssh</li><li>Run the '''lab7-check.bash''' script in front of your instructor (must have all <b><code><span style="color:#66cc00;border:thin solid black;font-size:1.2em;">&nbsp;OK&nbsp;</span></code></b> messages)</li></ul></blockquote><span style="color:green;font-size:1.5em;">&#x2713;</span> '''Lab7''' log-book filled out.
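Both the exception-building steps in Part 2 and the persistence steps in Part 3 come down to one question: does the INPUT chain contain the rules you meant, in an order where they can match, and does the saved file hold the same rules as the running kernel? As an added example that is not part of this lab's text, the following POSIX shell script answers that from iptables-save output: it audits a dump for the INPUT chain the lab builds (default policy DROP, loopback and RELATED,ESTABLISHED exceptions, a port-80 rule matched by --dport, no ACCEPT rule appended below a catch-all DROP, no service rule matched by --sport) and compares two dumps while ignoring packet counters. The function names and the sample dump written by write_sample_rules are constructed for this example; the sample IP address 10.0.0.2 is a placeholder.

```shell
#!/bin/sh
# Added example (not part of the OPS235 lab): audit an iptables-save dump of
# the filter table and compare a running dump against the saved copy
# (/etc/sysconfig/iptables) to tell whether the rules survived a reboot.

# Constructed iptables-save output in the form CentOS 7 produces (tcp rules
# gain "-m tcp", "-p all" is omitted, counters appear in brackets).
write_sample_rules() {
    cat > "$1" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 10.0.0.2/32 -p icmp -j ACCEPT
COMMIT
EOF
}

# Default policy of chain $2 in dump $1 (ACCEPT, DROP, or "-" for user chains).
chain_policy() { awk -v c=":$2" '$1 == c { print $2; exit }' "$1"; }

input_rules() { grep '^-A INPUT ' "$1"; }

# 1-based position in the INPUT chain of the first rule matching ERE $2; 0 if none.
rule_position() {
    pos=$(input_rules "$1" | grep -nE -- "$2" | head -n 1 | cut -d: -f1)
    echo "${pos:-0}"
}

# Print each problem with the INPUT chain in dump $1; return the number found.
audit_input_chain() {
    f="$1"; problems=0
    if [ "$(chain_policy "$f" INPUT)" != DROP ]; then
        echo "INPUT policy is $(chain_policy "$f" INPUT), not DROP"; problems=$((problems + 1))
    fi
    for want in '^-A INPUT -i lo .*-j ACCEPT' '--state RELATED,ESTABLISHED -j ACCEPT' '-p tcp .*--dport 80 -j ACCEPT'; do
        if [ "$(rule_position "$f" "$want")" -eq 0 ]; then
            echo "missing INPUT exception matching: $want"; problems=$((problems + 1))
        fi
    done
    # Order matters: a rule appended with -A below a catch-all DROP/REJECT never matches.
    catchall=$(rule_position "$f" '^-A INPUT -j (DROP|REJECT)')
    if [ "$catchall" -gt 0 ]; then
        last_accept=$(input_rules "$f" | grep -nE -- '-j ACCEPT$' | tail -n 1 | cut -d: -f1)
        if [ "${last_accept:-0}" -gt "$catchall" ]; then
            echo "ACCEPT rule at position $last_accept is shadowed by the catch-all at $catchall (use -I, not -A)"
            problems=$((problems + 1))
        fi
    fi
    # A service exception must match the DESTINATION port; --sport would admit
    # any remote host that picks 22 or 80 as its source port.
    if input_rules "$f" | grep -q -- '--sport'; then
        echo "INPUT rule matches on --sport; incoming services are matched with --dport"
        problems=$((problems + 1))
    fi
    return $problems
}

# Chain policies (counters stripped) and rule lines only, so two dumps taken
# at different times compare equal when the rules are the same.
normalize_rules() {
    sed -n -e 's/^\(:[A-Za-z0-9_-]* [A-Z-]*\) \[[0-9]*:[0-9]*\]$/\1/p' -e '/^-A /p' "$1"
}

# 0 if dumps $1 and $2 contain the same policies and rules.
rules_match() { [ "$(normalize_rules "$1")" = "$(normalize_rules "$2")" ]; }

# Stand-alone run: audit dump $1 (default: the constructed sample) and, if $2
# is given, report whether it holds the same rules (e.g. /etc/sysconfig/iptables).
main() {
    dump="${1:-}"; saved="${2:-}"; made=0
    if [ -z "$dump" ]; then dump=$(mktemp); write_sample_rules "$dump"; made=1; fi
    if audit_input_chain "$dump"; then echo "$dump: INPUT chain has the exceptions the lab expects"; fi
    if [ -n "$saved" ]; then
        if rules_match "$dump" "$saved"; then echo "rules match $saved"; else echo "rules differ from $saved"; fi
    fi
    if [ "$made" -eq 1 ]; then rm -f "$dump"; fi
}
main "$@"
```

On c7host, capture the running rules with `iptables-save > /tmp/running.rules`, then run `sh audit_iptables.sh /tmp/running.rules /etc/sysconfig/iptables`; after the reboot in Part 3, capturing a fresh dump and comparing it the same way shows whether iptables-save did its job. Only policies and rule lines are compared, so differing packet counters or the timestamp comment do not produce a false "rules differ".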
 
= Practice For Quizzes, Tests, Midterm &amp; Final Exam =