Changes


OPS235 Lab 7

93 bytes added, 16:24, 23 May 2020
LAB 7 SIGN-OFF (SHOW INSTRUCTOR)
# Try SSHing from your c7host VM to your centos1 VM as your regular user accountname. Did it work?
# Create another regular user called: '''other'''
# Set the password for the newly-created account called '''other'''
# Try SSHing from your c7host VM to your centos1 VM for the account called '''other'''. Why didn't it work?
# Edit the file '''/etc/ssh/sshd_config''' to add the account '''other''' for the '''AllowUsers''' option (use a space to separate usernames instead of a comma).
'''Answer INVESTIGATION 1 observations / questions in your lab log book.'''
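The AllowUsers edit in the last step is easy to get wrong (a comma instead of a space turns "joe,other" into one bogus username and locks both accounts out). The following is an added example, not part of the lab page: a small POSIX shell helper that adds a user to AllowUsers on a copy of sshd_config safely and idempotently, using only a constructed sample config.

```shell
#!/bin/sh
# Added example, not part of the OPS235 lab. add_allow_user appends USER to
# the AllowUsers directive of CONFIG: names are space-separated as sshd
# expects, the user is added only once, the directive is created if absent,
# and the file is rewritten in place so its owner and mode are preserved.
#
# add_allow_user CONFIG USER
add_allow_user() {
    cfg="$1"; user="$2"
    # already listed on an AllowUsers line? then there is nothing to do
    if grep -Eq "^[[:space:]]*AllowUsers([[:space:]]+[^[:space:]]+)*[[:space:]]+$user([[:space:]]|\$)" "$cfg"; then
        return 0
    fi
    if grep -Eq '^[[:space:]]*AllowUsers[[:space:]]' "$cfg"; then
        # extend the first AllowUsers line (sshd combines all AllowUsers lines)
        tmp=$(mktemp)
        awk -v u="$user" '!done && /^[[:space:]]*AllowUsers[[:space:]]/ { $0 = $0 " " u; done = 1 } { print }' "$cfg" > "$tmp"
        cat "$tmp" > "$cfg" && rm -f "$tmp"
    else
        printf 'AllowUsers %s\n' "$user" >> "$cfg"
    fi
    # on the real file, validate before restarting:  sshd -t && systemctl restart sshd
}

# allowed_users CONFIG -> the users named on AllowUsers lines, one per line
allowed_users() {
    awk '/^[[:space:]]*AllowUsers[[:space:]]/ { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Stand-alone demo on a constructed config (not the real /etc/ssh/sshd_config)
demo() {
    cfg=$(mktemp)
    printf 'Port 22\nPermitRootLogin no\nAllowUsers joe\n' > "$cfg"
    add_allow_user "$cfg" other
    add_allow_user "$cfg" other            # second call is a no-op
    allowed_users "$cfg" | paste -sd' ' -  # joe other
    rm -f "$cfg"
}
```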
 
=INVESTIGATION 2: ADDITIONAL METHODS TO SECURE YOUR SSH SERVER =
<li>Make <u>certain</u> that you are in your centos2 VM and that you are logged in as a '''regular user''' (i.e. NOT root!) (you have been warned!)</li>
<li>To generate a keypair (public/private keys), issue the following command: <b><code><span style="color:#3366CC;font-size:1.2em;">ssh-keygen</span></code></b></li>
<li value="14">After generating the keys it prompts you for the location to save the keys. Press ENTER to accept the default.<br><br>The output should appear similar to what is shown below:</li></ol>
<pre style="font-family:monospace;background-color:white;border-style:none;padding-left:50px;">
</pre>
<ol><li value="15"> After generating the keys it prompts you for the location to save the keys. The default is '''~/.ssh'''. Your private key will be saved as <b>id_rsa</b> and your public key will be saved as '''id_rsa.pub'''</li><li>You will then be prompted for a '''pass-phrase'''. The pass-phrase must be entered in order to use your private key. Pass-phrases are more secure than passwords and should be lengthy, hard to guess and easy to remember. For example, one pass-phrase that meets these criteria might be ''"seneca students like to dance at 4:00am"''. Avoid famous phrases such as ''"to be or not to be"'' as they are easy to guess. It is possible to leave the pass-phrase blank but this is dangerous. It means that if a hacker were able to get into your account they could then use your private key to access other systems you use.<br><br></li><li>Now issue the command <b><code><span style="color:#3366CC;font-size:1.2em;">ssh-copy-id -i ~/.ssh/id_rsa.pub ops235@centos3</span></code></b></li>
<li>When prompted for a password, enter OPS235's root password</li>
<li>Try using ssh to now log into your '''centos3''' VM <u>from</u> your '''centos2''' VM. What happens? Were you required to use your pass-phrase?</li>
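What ssh-copy-id does on the remote account is worth seeing explicitly, because the usual reason a key login "still asks for a password" is wrong file modes rather than a wrong key. The following is an added example, not part of the lab page: a POSIX shell helper that performs the same installation locally on a constructed home directory with a constructed (not real) public key.

```shell
#!/bin/sh
# Added example, not part of the OPS235 lab. install_pubkey does locally what
# "ssh-copy-id -i ~/.ssh/id_rsa.pub ops235@centos3" arranges on the remote
# account: ~/.ssh with mode 700, the key appended to authorized_keys only if
# that exact key is not already present, and authorized_keys with mode 600.
# With sshd's default StrictModes, looser modes make sshd ignore the file.
#
# install_pubkey HOMEDIR PUBKEY_FILE
install_pubkey() {
    home="$1"; pub="$2"
    ak="$home/.ssh/authorized_keys"
    key=$(awk 'NR == 1 { print $1, $2 }' "$pub")   # key type + base64 blob, comment ignored
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$ak" && chmod 600 "$ak"
    # append only when no existing line carries the same type and blob
    if ! awk -v k="$key" '($1 " " $2) == k { found = 1 } END { exit !found }' "$ak"; then
        cat "$pub" >> "$ak"
    fi
}

# count_keys HOMEDIR -> number of non-empty lines in authorized_keys
count_keys() { grep -c . "$1/.ssh/authorized_keys"; }

# perms_ok HOMEDIR -> exit 0 if .ssh is mode 700 and authorized_keys is mode 600
perms_ok() {
    [ -n "$(find "$1/.ssh" -maxdepth 0 -type d -perm 700)" ] &&
    [ -n "$(find "$1/.ssh/authorized_keys" -maxdepth 0 -type f -perm 600)" ]
}

# Stand-alone demo with a constructed key (not a real key) in a temp directory
demo() {
    d=$(mktemp -d)
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAACONSTRUCTEDKEY ops235@centos2\n' > "$d/id_rsa.pub"
    install_pubkey "$d/home" "$d/id_rsa.pub"
    install_pubkey "$d/home" "$d/id_rsa.pub"     # second run adds no duplicate
    printf 'keys=%s perms_ok=%s\n' "$(count_keys "$d/home")" "$(perms_ok "$d/home" && echo yes || echo no)"
    rm -rf "$d"
}
```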
# Run the graphical program remotely by issuing only one Linux command:<br> <b><code><span style="color:#3366CC;font-size:1.2em;">ssh -X -C yourUserID@centos1 &nbsp; gedit</span></code></b> (Note: ignore warning messages).
# Exit the gedit application.
# Experiment with running other GUI applications (in the /bin directory, applications starting with the letter "x") via '''ssh''' (for example: xeyes, xev or xchat).
'''Answer INVESTIGATION 2 observations / questions in your lab log book.'''
 
=INVESTIGATION 3: MANAGING FIREWALLS FOR PROTECTION & TROUBLESHOOTING =
# Issue the following Linux command: <b><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.2em;">iptables -P INPUT DROP</span></code></b>
# Issue the '''iptables -L''' command. Can you see the policy to DROP all incoming connections?
# Although you have set a default policy to DROP all incoming connections, there is a problem: now, you cannot browse the Internet. You can confirm that by opening a SEPARATE web-browser and performing a Net-search.<br><br>In order to fix that problem, you can make an exception to allow incoming web-based traffic (via port 80). The iptables commands that create exceptions are more complex, since you need to determine: <ul><li>'''Where each rule appears in the chain''' (order can be important)</li><li>'''Which protocol(s)''' are affected (eg. tcp, udp, icmp)</li><li>'''What source or destination IP Addresses''' are affected?</li><li>'''What port numbers''' are affected?</li><li>'''What action to take''' if all of the above conditions are met? (eg. ACCEPT, REJECT, DROP, or LOG)</li></ul><br>'''iptables Command Structure (for setting exceptions):<br>(NOTE: If an element in a column is not specified in the iptables command, then the rule applies to ALL elements)'''<table width="100%" cellpadding="10" cellspacing="0" border="1"><tr valign="top"><td>Place Rule in Chain</td><td>Chain Name</td><td>Specify Protocol</td><td>Source/Destination IPADDR</td><td>Port Number</td><td>Action<br> -&gt;</td><td>Target</td></tr><tr valign="top"><td>'''-A''' (add / Append to bottom of chain)<br>'''-I''' (insert at top of chain)<br>'''-I CHAIN-NAME 5''' (insert as rule number 5) </td><td>'''INPUT'''<br>'''OUTPUT'''<br>'''FORWARD'''<br>'''CHAIN-NAME'''</td><td>'''-p tcp''' (tcp packets)<br>'''-p udp''' (datagram packets)<br>'''-p tcp,udp,icmp''' (combined)<br>'''-p all''' (all protocols)<br><br>(refer to '''/etc/protocols''' )</td><td>'''-s IPADDR''' (originating IPADDR)<br>'''-d IPADDR''' (destination IPADDR)</td><td>'''<span style="font-family:courier">--</span>sport 22''' (originating port 22 - SSH)<br>'''<span style="font-family:courier">--</span>sport 80''' (originating port 80 - http)<br>'''<span style="font-family:courier">--</span>dport 80''' (destination port 80 - http)<br><br>(refer to '''/etc/services''')</td><td>'''-j''' </td><td>'''ACCEPT'''<br>'''REJECT'''<br>'''DROP'''<br>'''LOG'''</td></tr></table><br>
# Issue the following Linux commands to ensure the loopback interface is not affected by these rules. The computer should be able to communicate with itself with any state and protocol:<br><b><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.2em;">iptables -A INPUT -i lo -p all -j ACCEPT</span></code><br><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.2em;">iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT</span></code></b>
# Issue the following Linux command to ADD an exception to the INPUT chain to allow web-based incoming traffic (ie. port 80):<br><b><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.2em;">iptables -A INPUT -p tcp --dport 80 -j ACCEPT</span></code></b>
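Because the DROP policy is set before the exceptions, it is worth checking the resulting INPUT chain rather than assuming it. The following is an added example, not part of the lab page: a POSIX shell audit that reads saved `iptables -S INPUT` output (a constructed sample is embedded) and confirms the policy, the loopback and state exceptions, and that tcp/22 is still accepted so the DROP policy cannot cut off a remote ssh session.

```shell
#!/bin/sh
# Added example, not part of the OPS235 lab. audit_input reads saved
# "iptables -S INPUT" output and checks the points the steps above make:
# the default policy is DROP, loopback and RELATED,ESTABLISHED traffic are
# accepted, and tcp/22 is still accepted. On a real host that you reach over
# ssh, set the DROP policy after the exceptions, not before.
#
# accepted_ports RULES_FILE -> tcp destination ports that have an ACCEPT rule
accepted_ports() {
    grep -E '^-A INPUT .*-p tcp .*--dport [0-9]+ .*-j ACCEPT$' "$1" |
        sed -E 's/.*--dport ([0-9]+).*/\1/'
}

# audit_input RULES_FILE -> prints one line per check, returns 0 only if all pass
audit_input() {
    f="$1"; ok=0
    check() {   # check LABEL REGEX
        if grep -Eq "$2" "$f"; then echo "OK   $1"; else echo "FAIL $1"; ok=1; fi
    }
    check "INPUT policy is DROP"          '^-P INPUT DROP$'
    check "loopback accepted"             '^-A INPUT -i lo .*-j ACCEPT$'
    check "RELATED,ESTABLISHED accepted"  '^-A INPUT .*--state RELATED,ESTABLISHED .*-j ACCEPT$'
    if accepted_ports "$f" | grep -qx 22; then
        echo "OK   ssh (tcp/22) accepted"
    else
        echo "FAIL ssh (tcp/22) not accepted: add an exception before relying on DROP"; ok=1
    fi
    echo "open tcp ports: $(accepted_ports "$f" | paste -sd, -)"
    return $ok
}

# Stand-alone demo on constructed rules, in the form "iptables -S INPUT" prints
# after the commands above (no port 22 exception yet, so the audit fails)
demo() {
    r=$(mktemp)
    printf '%s\n' '-P INPUT DROP' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT' > "$r"
    audit_input "$r" || echo "audit failed: fix the rules before leaving the host"
    rm -f "$r"
}
```

On a real system, save the chain with `iptables -S INPUT > rules.txt` and run `audit_input rules.txt`.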
= LAB 7 SIGN-OFF (SHOW INSTRUCTOR) =
===Exclusively for Summer 2020 term, submissions are accepted only online!===
Follow the submission instructions for lab 7 on Blackboard.
{{Admon/important|Time for a new backup!|If you have successfully completed this lab, make a new backup of your virtual machines as well as your host machine.}}
# Switch to your '''c7host''' VM and '''su -''' into root.
# Change to the '''/root/bin''' directory.
# Issue the Linux command: <b><code><span style="color:#3366CC;font-size:1.2em;">wget https://ict.senecacollege.ca/~ops235/labs/lab7-check.bash</span></code></b>
# Give the '''lab7-check.bash''' file execute permissions (for the file owner).
# Run the shell script and if any warnings, make fixes and re-run shell script until you receive "congratulations" message.
# Arrange proof of the following on the screen:<br><blockquote><span style="color:green;font-size:1.5em;">&#x2713;</span> '''centos2''' VM:<blockquote><ul><li>have logged into centos3 VM using '''public key authentication''' (with a pass-phrase)</li></ul></blockquote><span style="color:green;font-size:1.5em;">&#x2713;</span> '''c7host''' Machine:<blockquote><ul><li>have tunneled Xwindows application from '''centos1''' via ssh</li><li>Run the '''lab7-check.bash''' script in front of your instructor (must have all <b><code><span style="color:#66cc00;border:thin solid black;font-size:1.2em;">&nbsp;OK&nbsp;</span></code></b> messages)</li></ul></blockquote><span style="color:green;font-size:1.5em;">&#x2713;</span> '''Lab7''' log-book filled out.
 
= Practice For Quizzes, Tests, Midterm & Final Exam =
[[Category:OPS235]]
[[Category:OPS235 Labs]]
[[Category:CentOSS 7]]
[[Category:SSD2]]