Changes

OPS235 Lab 7

168 bytes added, 15:03, 22 December 2018

→‎LAB 7 SIGN-OFF (SHOW INSTRUCTOR)

[http://man7.org/linux/man-pages/man8/netstat.8.html netstat]

[http://man7.org/linux/man-pages/man8/ifconfig.8.html ifconfig]

[http://man7.org/linux/man-pages/man8/ip.8.html ip]

[http://man7.org/linux/man-pages/man8/ping.8.html ping]

[http://man7.org/linux/man-pages/man8/arp.8.html arp]

|style="padding-left:20px;"|Additional Utilities

[http://man7.org/linux/man-pages/man7/hostname.7.html hostname]

[http://linux.die.net/man/8/restorecon restorecon] Managing Services [http://~~linux~~www.~~die~~dsm.~~net~~fordham.edu/cgi-bin/man~~/8/chkconfig chkconfig~~-cgi.pl?topic=systemctl systemctl]

Configuration Files

[~~http~~https://~~linux~~www.~~about~~freebsd.~~com~~org/~~library~~cgi/~~cmd/blcmdl5_ssh_config~~man.~~htm~~ cgi?query=ssh_config&sektion=5 ssh_config] [~~http~~https://~~linux~~www.~~about~~freebsd.~~com/od/commands~~org/lcgi/~~blcmdl5_sshdcon~~man.~~htm~~ cgi?sshd_config(5) sshd_config]

|style="padding-left:20px;"|SSH Reference

[http://support.suso.com/supki/SSH_Tutorial_for_Linux A good ssh tutorial]

# Try SSHing from your c7host VM to your centos1 VM as your regular user accountname. Did it work?

# Create another regular user called: '''other'''

# Set the password for the newly-created ~~called~~ called '''other'''

# Try SSHing from your c7host VM to your centos1 VM for the account called '''other'''. Why didn't it work?

# Edit the file '''/etc/ssh/sshd_config''' to add the account '''other''' for the '''AllowUsers''' option (use a space to separate usernames instead of a comma).

'''Answer INVESTIGATION 1 observations / questions in your lab log book.'''

=INVESTIGATION 2: ADDITIONAL METHODS TO SECURE YOUR SSH SERVER =

<li>Make certain that you are in your centos2 VM and that you are logged in as a '''regular user''' (i.e. NOT root!) (you have been warned!)</li>

<li>To generate a keypair (public/private keys), issue the following command: <code>ssh-keygen</code></li>

<livalue="14">After generating the keys it prompts you for the location to save the keys. The default is '''~/.ssh''' Your private key will be saved as id_rsa and your public key will be saved as '''id_rsa.pub'''. Press ENTER to accept the default, .</li><li>You will then ~~enter~~ be prompted for a '''pass-phrase ~~used~~ '''. The pass-phrase must be entered in order to ~~establish~~ use your ~~identity~~private key. Pass-phrases are more secure than passwords and should be lengthy, hard to guess and reeasy to remember. For example one pass-~~enter~~ phrase that meets this criteria might be ''"seneca students like to dance at 4:00am"''. Avoid famous phrases such as ''"to be or not to be"'' as they are easy to guess. It is possible to leave the pass-phrase blank but this is dangerous. It means that if a hacker were able to get into your account they could then use your private key to ~~verify~~access other systems you use. The output should appear similar as what is shown below:</li></ol>

</pre>

<ol><li value="15"> After generating the keys it prompts you for the location to save the keys. The default is '''~/.ssh''' Your private key will be saved as id_rsa and your public key will be saved as '''id_rsa.pub'''</li><li>You will then be prompted for a '''pass-phrase'''. The pass-phrase must be entered in order to use your private key. Pass-phrases are more secure than passwords and should be lengthy, hard to guess and easy to remember. For example one pass-phrase that meets this criteria might be ''"seneca students like to dance at 4:00am"''. Avoid famous phrases such as ''"to be or not to be"'' as they are easy to guess. It is possible to leave the pass-phrase blank but this is dangerous. It means that if a hacker were able to get into your account they could then use your private key to access other systems you use. </li>~~<li~~16>Now issue the command <code>ssh-copy-id -i ~/.ssh/id_rsa.pub ops235@centos3</code></li>

<li>When prompted for password, enter OPS235's root password</li>

<li>Try using ssh to now log into your '''centos3''' VM from your '''centos2''' VM. What happens? Were you required to use your pass-phrase?</li>

# Issue the following Linux command: <code>iptables -P INPUT DROP</code>

# Issue the '''iptables -L''' command. Can you see the policy to DROP all incoming connections?

# Although you have set a default policy to DROP all incoming connections, there is a problem: now, you cannot browse the Internet. You can confirm that by opening a SEPARATE web-browser and perform a Net-search. In order to fix that problem, you can make an exception to allow incoming web-based traffic (via port 80). Those iptables commands to create exceptions are more complex since you need to determine: <ul><li>'''Where each rules appears in the chain'''? (order can be important)</li><li>'''Which protocol(s)''' are affected (eg. tcp, udp, icmp)</li><li>'''What source or destination IP Addresses''' are affected?</li><li>'''What port numbers''' are affected?</li><li>'''What action to take''' if all of the above conditions are met? (eg. ACCEPT, REJECT, DROP, or LOG)</li></ul> '''iptables Command Structure (for setting exceptions): (NOTE: If element in column is not specified in the iptables command, then rule relates to ALL elements)'''<table width="100%" cellpadding="10" cellspacing="0" border="1"><tr valign="top><td>Place Rule in Chain</td><td>Chain Name</td><td>Specify Protocol</td><td>Source/Destination IPADDR</td><td>Port Number</td><td>Action -></td><td>Target</td></tr><tr valign="top"><td>'''-A''' (add / Append to bottom of chain) '''-I''' (insert at top of chain) '''-i I CHAIN-NAME 5''' (insert before line 5) </td><td>'''INPUT''' '''OUTPUT''' '''FORWARD''' '''CHAIN-NAME'''</td><td>'''-p tcp''' (tcp packets) '''-p udp''' (datagram packets) '''-p tcp,udp,icmp''' (combined) (refer to '''/etc/protocols''' )</td><td>'''-s IPADDR''' (originating IPADDR) '''-d IPADDR''' (destination IPADDR)</td><td>'''--sport 22''' (originating port 22 - SSH) '''--sport 80''' (originating port 80 - http) (refer to '''/etc/services''')</td><td>'''-j''' </td><td>'''ACCEPT''' '''REJECT''' '''DROP''' '''LOG'''</td></tr></table>

# Issue the following Linux commands to ensure the loopback interface is not affected by these rules. The computer should be able to communicate with itself with any state and protocol: <code>iptables -A INPUT -i lo -p all -j ACCEPT</code> <code>iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT</code>

# Issue the following Linux command to ADD an exception to the INPUT chain to allow web-based incoming traffic (ie. port 80): <code>iptables -A INPUT -p tcp --dport 80 -j ACCEPT</code>

# Provide your external facing address, and provide another lab-mate to ping that external facing address. Were they successful?

# Have your lab-mate determine THEIR external facing address and obtain that IP Address.

# Issue the following iptables command to allow an exception for pings from your lab-mate: <code>iptables -A INPUT -p icmp -s {neighbour's ~~exeternal~~ external facing address} -j ACCEPT</code>

# Have your neighbour repeat pinging your external facing IP Address. What happened? Why?

# Have your neighbour try to SSH into YOUR c7host. Were they Successful?

# List the iptables rules for the INPUT chain. What happened to your iptables rules for the INPUT chain?

# Proceed to the next part to learn how to learn how to make your iptables rules persistent.

=== Part 3: Making iptables Policies Persistent ===

# Flush all of your iptables rules by issuing the following command: <code>iptables -F</code>

# Set the default INPUT policy to ACCEPT by issuing the following command: <code>iptables -P INPUT ACCEPT</code>

# Verify there are no iptables rules by issuing the command: <code>iptables -L</code>

# Make a backup of the file '''/etc/sysconfig/iptables''' by issuing the command: <code>cp /etc/sysconfig/iptables~~-save >~~ /etc/sysconfig/iptables.bk</code>

#To make the iptables rules '''persistent''' (i.e. keeps rules when system restarts), you issue the command: <code>iptables-save > /etc/sysconfig/iptables</code>

# Verify that the file '''/etc/sysconfig/iptables''' exists.

# Switch to your '''c7host''' VM and '''su -''' into root.

# Change to the '''/root/bin''' directory.

# Issue the Linux command: <code>wget http://~~matrix~~cs.~~senecac.on~~senecacollege.ca/~~~murray.saul~~ops235/~~ops235~~lab7/lab7-check.bash</code>

# Give the '''lab7-check.bash''' file execute permissions (for the file owner).

# Run the shell script and if any warnings, make fixes and re-run shell script until you receive "congratulations" message.

#Arrange proof of the following on the screen: <blockquote>✓ '''centos2''' VM:<blockquote><ul><li>have logged into centos3 VM using '''public key authentication''' (with a pass-phrase)</li></ul></blockquote>✓ '''c7host''' Machine:<blockquote><ul><li>have tunneled Xwindows application from '''centos1''' via ssh</li><li>Run the '''lab7-check.bash''' script in front of your instructor (must have all <code> OK </code> messages)</li></ul></blockquote>✓ '''Lab7''' log-book filled out.

= Practice For Quizzes, Tests, Midterm & Final Exam =

Chris.johnson

Bureaucrats, Administrators

1,576

edits

Changes

OPS235 Lab 7

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

get involved with CDOT

courses

course projects

links

Tools