Changes

==NIS (Network Information Services)==* An NIS server is used to synchronize system files and other information between machines Note the two globes in an NIS domainthe above diagram.* In this lab you will set a Fedora VM as both Those globes represent the Internet that your emails travel through in order to be received by an NFS and NIS servere-mail recipient. You will then use your other VMThe '''s to serve as smaller globe (the one your NFS and NIS clients.{{Admon/important|Prerequisites|Before you begin make sure all your machines are up workstation is connected to date (dnf update)cannot be trusted to send mail messages unencrypted'''.Ensure both host and VMThe 's have firewalls set up according to prior labs and all labs have been completed. Ensure that your NFS server ''larger globe usually involves inter-ISP traffic, often through an internet trunk line, so it is running on VM2 and exporting the also unencrypted, but it cannot be easily accessed by hackers, pen-testers, or evildoers''/home' directory. }}

===PART A: Setting up your NIS Server===*Install the NIS server and client onto your VM 2. yum install ypserv ypbind*Add the following line to the bottom of the file /etc/sysconfig/network NISDOMAIN="<learn-id>.org" YPSERV_ARGS="-p 783"*This should be enough to set the domain name, however there is currently a bug in systemd that prevents this from working properly on its own.**You will also need to start and enable the fedora-domainname service.*Edit the file /etc/yp.conf and set up your domain: domain <learn-id>.org server 127.0.0.1*Create the file /var/yp/securenets: host 127.0.0.1 255.255.255.0 192.168.x.0*Enable and start the NIS (ypserv) service. systemctl start ypserv.service systemctl enable ypserv.service*Backup the configuration file for NIS databases cp /var/yp/Makefile /var/yp/Makefile.orig* Verify that your servers (NFS, ypserv) There are running correctly with the following command: rpcinfo -p*At this step you should edit your firewalls to allow RPC and NIS traffic through your firewall (Hint: check the output of rpcinfo -p or iptables traffic on the "lo" interface)*The machine will essentially be communicating with its own NIS server when using the Makefile*Now change to directory /var/yp and run this command to build the information databases make*Enable and start the NIS binding (ypbind) service. systemctl start ypbind.service*Use the following command to verify your NIS server is working - you should see your learnid password record. ypcat passwd*Add a new user named nis-user, with password "ops335".*Run 'ypcat passwd' again.*In order for the new user to show up 'two important general truths you will need to recreate the map files- change directory to /var/yp and run the "make" command again.understand about email encryption''':

===PART B: Examining a Problem Solved by NIS===*Ensure your VM3 is still mounting your home directory from VM 2 using autofs. If it is not, revisit last weeks lab.*Many students have had an issue in the NFS lab caused by having different GID & UID's between systems - when attempting to mount ''Email (the home directory from way the VM2 you received various permission issues. In case you did not experience it, we will intentionally create this issue and then correct vast majority of people use it with NIS.*Stop the autofs service on VM3.*Run the following command on both machines. grep /home /etc/passwd*Look at the existing users on VM 3 and compare them with the same users on VM 2. Find one whose credentials differ (Specifically, a user name that exists on both machines, but has a different UID). If you have no such user, create one.*For example on VM 3: [root@vm3 ~]# cat /etc/passwd | grep home nis-user:x:1000:1000::/home/nis-user:/bin/bash paul:x:1001:1001::/home/paul:/bin/bash*And on VM 2: [root@fvm2 ~]# cat /etc/passwd | grep home paul:x:1000:1000:paul:/home/paul:/bin/bash nis-user:x:1001:1001::/home/nis-user:/bin/bash*While the two hosts share the same users, their UID and GID are different. This will cause a problem when mounting the home directory using NFS.*Back on vm3 start autofs again and try to switch travels from SMTP server to your learnid (or other account where UID/GID differs between systems) su <learnid> cd ~*You should recieve a permission denied error as the UID on the local system differs from the UID of the file owner on the remote SMTP server.*Obtain a listing of the directories in /home: [paul@vm3 /]# ls -l /home drwx------. 3 nis-user nis-user 4096 Mar 11 19:13 paul*Notice that one useruncencrypted''s home directory shows up as being owned by a different user.*Try to access the other user's home directory (it should show up as owned by this user): [paul@vm3 /]# cd /home/nis-user*You should now be successful. Obtain a directory listing. Below is some example output: [paul@vm3 /home/nis-user]$ ll drwxr-xr-x. 2 paul paul 4096 Mar 14 09:09 Desktop drwxr-xr-x. 2 paul paul 4096 Feb 17 05:24 Documents drwxr-xr-x. 2 paul paul 4096 Feb 17 05:45 Downloads drwxr-xr-x. 2 paul paul 4096 Jan 4 10:12 Music drwxr-xr-x. 2 paul paul 4096 Jan 4 10:12 Pictures drwxr-xr-x. 2 paul paul 4096 Jan 4 10:12 Public drwxr-xr-x. 2 paul paul 4096 Jan 4 10:12 Templates drwxr-xr-x. 2 paul paul 4096 Jan 4 10:12 Videos*Create an empty file and do a listing again [paul@vm3 ~]$ touch empty_from_vm3 [paul@vm3 ~]$ ll -rw-rw-r--. 1 paul paul 0 Mar 18 14:58 empty_from_vm3 drwxr-xr-x. 2 paul paul 4096 Mar 14 09:09 Desktop drwxr-xr-x. 2 paul paul 4096 Feb 17 05:24 Documents drwxr-xr-x. 2 paul paul 4096 Feb 17 05:45 Downloads drwxr-xr-x. 2 paul paul 4096 Jan 4 10:12 Music drwxr-xr-x. 2 paul paul 4096 Jan 4 10:12 Pictures drwxr-xr-x. 2 paul paul 4096 Jan 4 10:12 Public drwxr-xr-x. 2 paul paul 4096 Jan 4 10:12 Templates drwxr-xr-x. 2 paul paul 4096 Jan 4 10:12 Videos*Now we will fix this problem by making this machine use NIS for user information*Change users back to root

===Part C: Client Configuration===*Install ypbind on your vm3.* You may wish to follow the logs on vm3. In addition to your normal log in, ssh from the host to vm3 and get a continuous feed from the logs with: tail -f /var/log/messages*Edit /etc/yp.conf adding the following line: domain That means that nothing sent over email is <learnidu>.org server 192.168.x.3*Add the following line to the bottom of the file truly</etc/sysconfig/network NISDOMAIN="<learn-idu>secure.org"*Start the ypbind But attempting to continually intercept SMTP server with the command. systemctl start ypbind.service*Looking at your logs ensure that ypbind is registered with rpcbind, if it is unable your firewall may need to be adjusted.*Now when you run the following command: ypcat passwd*You should be able to see the users from the SMTP server.*If you added a mismatched usertraffic is difficult and expensive, you must update not worth doing for the map files on the server by running make again.*Edit the /etc/nsswitch.conf file (on VM3 only) and change the following lines so they appear as below: passwd: nis files shadow: nis files group: nis files*Save and exit the file.*Ensure ypbind will start at boot and restart the vm.*Log into vm3 using one little bit of money most of the conflicting accounts. You should now be able to see the files us have in their home directory with the correct mappingour bank account.

===Part D: Obtaining autofs maps through NIS:===*Make sure autofs service is installed on your VM 3 '''Email travelling over a LAN (If you completed the nfs labespecially Wifi, it isbut any local network). If it is not, go back and complete the NFS lab now.*Copy the autofs files from VM3 to your VM2always encrypted'''. scp /etc/auto.{home,master} root@vm2:/etc/

*Edit /etc/auto.master on VM2 and remove the 'etc' prefix from auto.home's path: /home auto.home : If e--timeout=60*Regenerate your NIS maps mail traffic on a LAN was not encrypted, it would be easy and run: ypcat auto.home*You should receive the following: No such map auto.home. Reason: No such map inexpensive to intercept (in server's domain*You will need order to look into the Makefile to determine how to add auto.home obtain your username and autopassword).master These days, unencrypted connections from your client to the list of files shared by NIS.*After making changes to your Makefile, regenerate your maps again and run the same command as above. You should now see the file and its contents when you run ypcat auto.home. [root@vm2 yp]# ypcat auto.home -fstype=nfs4,rw,nosuid,soft 192.168.70.3:SMTP/homeIMAP/&*On vm3 delete the autofs files, and edit the /etc/nsswitch.conf file so that autofs consults NIS. Reboot the machine.*When the VM comes back up, log in as any non-privileged user and ensure auto mounting of home occurredPOP3 server very rarely exist.

===Part E: Adding You see in our diagram that one of the other VM's===*When you have successfully made SMTP connections is supposed to be encrypted (this change on vm3, repeat these steps so is the one that vm1 will also use NIS for user identification, would be "LAN" traffic) and mount home directories using autofs files located on vm2.**Warning: When configuring the location of the NIS server to bind IMAP connection as well (this one is either LAN-like traffic or is connecting tolocalhost, use the ip address instead of the hostname. When the machine which is booting, you have no guarantee that named starts before ypbinda different scenario altogether).

==Completing We're going to secure the Lab==You have now created an NIS server for your network and caused your other virtual machines two connections that we left to use it as be in plain text previously. Unfortunately encrypting things is rarely a central repository for user informationstraighforward process. It is also allowing all other VMs Fortunately we have a whole week to mount the /home directory, the instructions for which are also stored in the central information repositoryspend on it.

Exploration questions=== Online Resources===* [https://en.wikipedia.org/wiki/Transport_Layer_Security TSL, SSL Definition]* [https://www.e-rave.nl/create-a-self-signed-ssl-key-for-postfix Create a self signed SSL key for Postfix]* [http://wiki2.dovecot.org/SSL/DovecotConfiguration Dovecot SSL configuration]  == INVESTIGATION 1: GENERATING A SELF-SIGNED CERTIFICATE == According to Wikipedia (https://en.wikipedia.org/wiki/Transport_Layer_Security), '''Transport Layer Security''' (TLS) and its predecessor, '''Secure Sockets Layer''' (SSL), both of which are frequently referred to as 'SSL', are cryptographic protocols designed to provide communications security over a computer network. Normally (in production), you would need to pay a "certificate authority" to issue a '''certificate''' for you. That is essentially '''a "signed" public key''' that will tell strangers on the internet that your server is really yours (i.e. the certificate authority says so). There is an obvious problem with the previous statement but that is mainly how public key encryption works on the Internet today. We will be generating our own public keys, mainly in order to avoid paying for a certificate. We will not have enough time to get into the details of what all the following commands do in this section. They are from [https://www.e-rave.nl/create-a-self-signed-ssl-key-for-postfix this blog post]. If you don't understand what the blog post refers to but would like to understand in more details, a good recommended book for interest, called Crypto by Steven Levy, provides a more in-depth discussion of encryption and security. The public key cryptography concepts in this lab are the same in a previous lab ([http://zenit.senecac.on.ca/wiki/index.php/OPS335_Lab_1#What SSH_Keys Lab1: SSH]), although the terminology is slightly different. A simple way to summarize the purpose differences is::* The '''.key''' file is your private key.:* The '''.crt''' file is your public key.  === Encrypting Postfix with Transport Layer Security (TLS) === '''Perform the following steps:''' #Let's start with the "sending" SMTP server we have on VM2. Run the following, replacing <u>andrewsmith.org</u> with '''<u>your</u> domain name''': <source lang="bash">mkdir -p /root/postfix-keys /etc/ssl/{private,certs}cd /root/postfix-keysopenssl genrsa -des3 -out vm2.andrewsmith.org.key 2048chmod 600 vm2.andrewsmith.org.keyopenssl req -new -key vm2.andrewsmith.org.key -out vm2.andrewsmith.org.csropenssl x509 -req -days 365 -in vm2.andrewsmith.org.csr -signkey vm2.andrewsmith.org.key -out vm2.andrewsmith.org.crtopenssl rsa -in vm2.andrewsmith.org.key -out vm2.andrewsmith.org.key.nopassmv vm2.andrewsmith.org.key.nopass vm2.andrewsmith.org.keyopenssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650chmod 600 vm2.andrewsmith.org.key cakey.pemcp vm2.andrewsmith.org.key cakey.pem /etc/ssl/privatecp vm2.andrewsmith.org.crt cacert.pem /etc/ssl/certs</source> ::'''NOTE:''' Those commands will create a certificate, a certificate signing request, a certificate authority, and sign your certificate with your certificate authority.<br>This would be the same as in the real world except there you would contact a real CA, here you're making up your own. <ol><li value="2">Now, configure Postfix to use the generated certificate, by adding the following to your '''main.cf''' file:</li></ol> <pre># Settings to enable secure SMTP using my self-signed certificate:smtpd_tls_auth_only = nosmtpd_use_tls = yessmtp_use_tls = yessmtpd_tls_key_file = /etc/ssl/private/vm2.andrewsmith.org.keysmtpd_tls_cert_file = /etc/ssl/certs/vm2.andrewsmith.org.crtsmtpd_tls_CAfile = /etc/ssl/certs/cacert.pemtls_random_source = dev:/dev/urandomsmtpd_tls_loglevel = 1</pre> === Setting Up and Testing Encryption with Thunderbird === '''Perform the following steps:''' #Currently your Thunderbird is set up to use '''vm2.yoursenecaid.org''' for an SMTP server, with <u>no</u> security. Change that to use '''STARTTLS''' instead (you can change it under '''account settings --> Outgoing Server''').# We haven't set up any user authentication, just an encrypted channel;therefore, leave the '''authentication method''' at the value: '''none'''.#When you try to send an email Thunderbird will warn you about the self-signed certificate. You obviously know it's your certificate so you can tell Thunderbird to trust it:  [[Image:SMTP-certificate-warning.png]]  ::'''NOTE:''' Your message may look slightly different (This author, that created the diagram above, made a little mistake when generating the certificate). <ol><li value="4">After you confirm that security exception, send another email to yourself and make sure you receive it.</li><li> Notice that from the user's point of view nothing is different. But if you were an evildoer trying to steal an identity (the difference is huge). Before it was trivial and now it's computationally prohibitive.</li></ol> === Encryption Dovecot with Secure Socket layer (SSL) === Now we will ensure that our '''Dovecot''' connection is secure, and enforce that policy. With SMTP, you will need to allow plain text connections since that is the only method to pass email from server-to-server. With IMAP, there is no server-to-server interaction, but rather only client-to-server interaction. The reason to have an unencrypted IMAP connection would be if your '''IMAP server''' and '''IMAP client''' were the rpcinfo command?<u>same</u> machine. '''Perform the following steps:''' #Explain Let's start by generating a new certificate for Dovecot on your vm3 machine by issuing the following commands:<source lang="bash">mkdir /etc/ssl/{private,certs}openssl genrsa -des3 -out vm3.andrewsmith.org.key 2048chmod 600 vm3.andrewsmith.org.keyopenssl req -new -key vm3.andrewsmith.org.key -out vm3.andrewsmith.org.csropenssl x509 -req -days 365 -in vm3.andrewsmith.org.csr -signkey vm3.andrewsmith.org.key -out vm3.andrewsmith.org.crtopenssl rsa -in vm3.andrewsmith.org.key -out vm3.andrewsmith.org.key.nopassmv vm3.andrewsmith.org.key.nopass vm3.andrewsmith.org.keyopenssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650chmod 600 vm3.andrewsmith.org.key cakey.pemcp vm3.andrewsmith.org.key cakey.pem /etc/ssl/privatecp vm3.andrewsmith.org.crt cacert.pem /etc/ssl/certs</source> ::'''NOTE:''' This process is identical to what you've done for the purpose vm2 certificate. In fact if your IMAP and SMTP servers are on the same machine you can share the certificate between them. In our case, they are not on the same machine. <ol><li value="2">Next, we need to configure Dovecot to use this for encrypted connections and not allow any kind of plain text connections. Edit the '''10-auth.conf''', <u>and</u> '''10-ssl.conf''' files and change the following settings (note: these parameters already exist in those files, just find them and set them to the correct value):</li></ol> <source lang="bash">ssl = requiredssl_cert = <path_to_your_crt_filessl_key = <path_to_your_key_filedisable_plaintext_auth = yes</source>  <ol><li value="3">Now, we will disable normal imap connections, leaving only imaps (secured imap) allowed. Edit the '''10-master.conf''' file and set the port number in '''inet_listener imap''' to '''0'''.</li><li>Your key/certificate doesn't have a '''.pem''' extension but they are PEM-encoded files. You can confirm that using the '''file''' command. If you're interested, learning more about configuring Dovecot for SSL, refer to the following documentation: [http://wiki2.dovecot.org/SSL/DovecotConfiguration Dovecot SSL configuration].</li></ol> === Verifying that Mail Messages are Encrypted=== '''Perform the following steps:''' #Use the make '''ss''' command to confirm you're only listening on the '''imaps''' port, and not the plain imap port.#Next, reconfigure your account settings in Thunderbird to use the '''SSL/TLS''' connection security with your IMAP server, leaving the password as '''Normal Password'''. ::'''NOTE:''' When you send your test email, you will get another warning because you're using a self-signed certificate on '''vm3'''. Make certain to authorize the exception. '''Record steps, commands, and your observations on this investigation in your OPS335 lab log- what does it book''' == INVESTIGATION 2: INSTALL, CONFIGURE &amp; RUN WEBMAIL APPLICATION (Roundcube Mail) =={|cellpadding="15" width="40%" align="right" |- valign="top" |width="10%" | [[Image:Roundcube.png|thumb|right|200px|'''Roundcube''' webmail application Logo<br>GPL,<br> https://commons.wikimedia.org/w/index.php?curid=1772791]] |width="10%" |[[Image:roundcube-pic.png|thumb|right|300px|Screencapture of '''roundcube''' webmail application running in order to send and receive mail messages via a web-browser.]]  |} In the investigation, we will simply install, configure and run the '''roundcube''' webmail application. '''Perform the following steps on vm1:''' *Perform a search on the roundcube application in order to access the website.*Either Download the "zipped tarball" from their website from a direct link or use the wget command to download directly from a download link (This part may take some effort depending on the Sourceforge website).*Extract the "zipped tarball" and rename the generated directory that contains download source code to: '''webmail'''.::* Use the '''--no-same-owner''' option when extracting the tar achive to ensure that the files do?not keep the original owner (who will not exist on your system).#Explain *Change the purpose ownership of the '''temp''' and '''logs''' directories so they belong to apache.*This service needs to be able to write to several directories ('''temp''' and '''logs''') that SELinux prevents write access to. If you are in a section that has SELinux set to '''enforcing''', run the following commands to let it know that apache should be allowed to write to files in those directories.<source lang="bash">semanage fcontext -a -t httpd_log_t '/var/www/html/webmail/temp(/.*)?'semanage fcontext -a -t httpd_log_t '/var/www/html/webmail/logs(/.*)?'restorecon -v -R /var/ypwww/html/securenets webmail</source>::*If your machine does not have the semage command, use yum to install the policycoreutils-python package.*In the directory now named "webmail", there will be a filenamed '''INSTALL''' which will walk you through the rest of the Roundcube installation.<br /><br />Some installation tips to consider: ::* Be careful about copying &amp; pasting the MySQL setup part: take time and pay attention to detail: do not try to "rush it".::* You will need to install additional Apache modules including: '''php-xml''' and '''php-mbstring'''.::* Don't forget to set the password in the roundcube configuration. *Note that both of your IMAP and SMTP servers are on different machines (i.e. not on vm1). Therefore, you will need to set the following options for Roundcube: ::* '''$config['smtp_server']'''::* '''$config['default_host']'''::* '''$config['default_port']''' :::'''NOTE:''' The last <u>two</u> entries above refer to your IMAP server *You should be able to test the configuration in your Roundcube installer after completing Step 3.</li><li>Try to test if the roundcube webmail application is working by sending and receiving e-mail messages.* {{Admon/important |Backup your VMs!|You MUST perform a '''full backup''' of ALL of your VMs whenever you complete your '''OPS335 labs''' or when working on your '''OPS335 assignments'''. You should be using the dump command, and you should use the Bash shell script that you were adviced to create in order to backup all of your VMs.}} '''Record steps, commands, and your observations on this investigation in your OPS335 lab log-book''' ==COMPLETING THE LAB==In completing this lab you have gained experience... '''Depending on your professor you will either be asked to submit the lab in class, or online. Follow the appropriate set of instructions below.''' ===Online Submission (Peter Callaghan's Classes only)===Follow the instructions for lab 8 on moodle. ===In Class Submission==='''Arrange evidence (command output) for each of these items on your screen, then ask your instructor to review them and sign off on the lab's completion:''' ::<span style="color:green;font-size:1.5em;">&#x2713;</span>Thunderbird with a message sent and received using encrypted channels.::<span style="color:green;font-size:1.5em;">&#x2713;</span>New Thunderbird server configuration for your account.::<span style="color:green;font-size:1.5em;">&#x2713;</span>Logs on vm2 and vm3 showing the message has been sent and received.::<span style="color:green;font-size:1.5em;">&#x2713;</span>Your webmail showing your inbox::<span style="color:green;font-size:1.5em;">&#x2713;</span>Your webmail sending an email out::<span style="color:green;font-size:1.5em;">&#x2713;</span>You receiving that mail on an exernal account::<span style="color:green;font-size:1.5em;">&#x2713;</span>Download the labcheck8.bash checking bash shell script by issuing the command:<br><br>'''wget http://matrix.senecac.on.ca/~peter.callaghan/files/OPS335/labcheck8.bash'''<br><br>set execute permission and run the shell script on your '''c7host''' machine. ::*For '''Peter's classes''', follow his Online Submission instructions in Moodle.::*For '''Murray's classes''', run command (piping to the '''more''' command) and show output to instructor.::<span style="color:green;font-size:1.5em;">&#x2713;</span>Completed Lab8 log-book notes.  ==EXPLORATION QUESTIONS== #What is Briefly define the term '''TSL'''.#Briefly define the term '''SSL'''.#List the steps to setup Encryption for Postfix with TLS.#List the steps to setup Encryption for Dovecot with SSL.#List the steps to setup Encryption for the function Thunderbird application.#Provide a brief description of the portmapper servicefollowing terms as they relate to mail servers:#*'''Open Relay'''#*'''SPF'''#*'''DKIM'''# How does a webmail application differ from using another MUA like Thunderbird?#What ports did you need List the additional Apache modules that are required in order to open on your firewallrun the Roundcube web application?