
OPS235 Lab 7 - Fedora17

66 bytes added, 19:54, 3 January 2014
[[Category:OPS235]]
{{Admon/caution|Draft Lab|This lab has NOT been released for regular distribution. When the lab is ready to be released, this caution banner will disappear.}}
= Setup and Configure Secure Shell Services (ssh) Using Virtual Machines =
[[Category:OPS235]][[Category:OPS235 Labs]]
==Overview==
==Required Materials (Bring to All Labs)==
* '''Fedora 17 LIVE CD''' - You can burn this onto a CD-R in the Open Lab
* '''Fedora 17 x86_64 Installation DVD''' - You can burn this onto a DVD-R in the Open Lab (or burn image onto a DVD+R if you are using the Freedom Toaster).
* '''SATA Hard Disk''' (in removable disk tray)
* '''USB Memory Stick''' (minimum 64M)
* '''Lab Logbook (Lab5 Reference Sheet)''' (to make notes and observations).
==Prerequisites==
=== Investigation 1: How do you enable the sshd service. ===
{{Admon/note | Use your f17host computer system | Complete the following steps on your fedora host.}}
# OpenSSH should have been installed by default. Let's confirm this by issuing the command:<br /> <code>rpm -qa | grep ssh</code>
# You should see a number of packages installed including <code>openssh-clients</code> and <code>openssh-server</code>
# <code>openssh-server</code> installs a service called <code>sshd</code>. Confirm this service is running by issuing the command:<br /><code>systemctl status sshd.service</code>
# Now check that the sshd service is configured to start automatically:<br /><code>systemctl is-enabled sshd.service</code>
# If the service is not configured correctly, fix it by issuing the command:<br /> <code>chkconfig --level 2345 sshd on</code>
# Now that you know the service is running investigate what port number and protocol sshd uses by issuing the command:<br /><code>netstat -atunp</code>
# What protocol and port is the sshd process using?
'''Answer the Investigation 1 observations / questions in your lab log book.'''
 
=== Investigation 2: How do you establish an ssh connection. ===
-->
<ol><li value="3">Now issue the command <code>ssh-copy-id -i ~/.ssh/id_rsa.pub fedora3</code></li>
<li>Now we can ssh into fedora3 from fedora2 using 2 different authentication methods.</li>
<li>Make certain to log out of your Fedora3 system. Use the <code>hostname</code> command to verify you are back in your Fedora2 server.</li>
# On the HTTP server (fedora1), make sure the Apache web server is installed by typing the command:<br /><code>rpm -q httpd</code>
# If it is installed, check the configuration of the service to see if it is automatically started at any runlevels by issuing the command:<br /><code>systemctl status httpd.service</code>
# If it has not been started automatically, start the service using the command:<br /><code>systemctl start httpd.service</code>
# Confirm that httpd is listening to TCP/80 using the command:<br /><code>netstat -atnp</code>
# Create a small html document called <code>/var/www/html/index.html</code> that displays a short message.*
'''Answer the Investigation 6 observations / questions in your lab log book.'''
 
=== Investigation 7: How do you make sshd more secure ===
# Before we can use this new port we must change our firewall to allow traffic through the new port number and block access to port 22:<br /><code>iptables -I INPUT -p tcp -s0/0 --dport 22 -j DROP</code><br /><code>iptables -I INPUT -p tcp -s0/0 --dport 2200 -j ACCEPT</code>
# To test the new port connect to fedora1 from fedora2 using the following command:<br /><code>ssh -p 2200 user@fedora1</code>
{{Admon/important|Cannot connect via SSH?|To fix issues with the ability to ssh, on both machines:<ul><li>Ensure ssh is running: <code>systemctl status sshd.service</code>.</li><li>Disable SELinux by editing <code>/etc/selinux/config</code> and changing "enforcing" to "disabled" and "targeted" to "minimum".</li><li>If you are still encountering problems, flush iptables.</li></ul>}}
{{Admon/tip | Tip! | For scp access the option to be used is: <code>scp -P 2200</code>}}
{{Admon/tip | Tip! | For more ideas on making sshd more secure consult the HOW-TO link above.}}
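The check below is an added example, not part of the original lab: it compares the ports in an sshd_config file against a saved <code>iptables -S INPUT</code> listing, to confirm that the port sshd moved to (2200 in this lab) is accepted and that port 22 no longer is. The function names are hypothetical and the sample config and rule listing are constructed for illustration.

```bash
# Added example, not part of the lab. All sample data below is constructed.
# Ports sshd will listen on; sshd defaults to 22 when no Port line is set.
sshd_ports() {   # $1 = path to an sshd_config file
    awk 'tolower($1) == "port" { print $2; n++ } END { if (!n) print 22 }' "$1"
}

# Verdict of the first INPUT rule deciding new TCP traffic to port $2, read
# from `iptables -S INPUT` output saved in file $1. Simplification: only
# "-p tcp ... --dport N" rules and match-less catch-all rules are evaluated.
first_verdict() {
    awk -v port="$2" '
        $1 == "-P" && $2 == "INPUT" { policy = $3 }
        $1 == "-A" && $2 == "INPUT" {
            proto = dport = target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if ((proto == "tcp" && dport == port) || $3 == "-j") { verdict = target; exit }
        }
        END { print (verdict != "" ? verdict : policy) }' "$1"
}

# Every port sshd listens on must be accepted, and port 22 must not be
# accepted once sshd has moved off it. $1 = sshd_config, $2 = saved rules.
check_ssh_port_change() {
    local rc=0 port
    for port in $(sshd_ports "$1"); do
        [ "$(first_verdict "$2" "$port")" = "ACCEPT" ] ||
            { echo "FAIL: sshd listens on $port but INPUT does not accept it"; rc=1; }
    done
    if ! sshd_ports "$1" | grep -qx 22 && [ "$(first_verdict "$2" 22)" = "ACCEPT" ]; then
        echo "FAIL: sshd no longer uses port 22 but INPUT still accepts it"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: sshd ports and INPUT rules agree"
    return "$rc"
}
write_samples() {   # $1 = directory for the constructed sample files
    printf '%s\n' '#Port 22' 'Port 2200' > "$1/sshd_config"
    printf '%s\n' '-P INPUT ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 2200 -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 22 -j DROP' \
        '-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT' \
        '-A INPUT -j REJECT --reject-with icmp-host-prohibited' > "$1/rules_after"
    sed '2,3d' "$1/rules_after" > "$1/rules_before"   # before the two -I commands
}

tmp=$(mktemp -d) && write_samples "$tmp"
for r in after before; do check_ssh_port_change "$tmp/sshd_config" "$tmp/rules_$r" || true; done
```

On a real host, save the output of <code>iptables -S INPUT</code> to a file as root and pass it together with <code>/etc/ssh/sshd_config</code>.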