1,576
edits
Changes
→Switching to SSH keypair authentication:
Normally, the shell environment will ask you for your account password as an extra security precaution when using sudo. However, cloud-based Linux VMs typically have ''password-less sudo access''. The idea is that identity management and security is handled by the cloud infrastructure. We'll explore that in detail later in the course.
[[Image:Ops705_lab2_fig1.png|thumb|right|350px|Figure 1. : Example commands with sudo.]]
Run the following commands:
# <code> whoami </code>
Notice that your command prompt has immediately changed. It no longer prints out your username at the beginning of each line, but the name of the '''root''' account. This is a good visual aid to let you know how you're logged in.
[[Image:Ops705_lab2_fig2.png|thumb|right|350px|Figure 2. : Example commands as root.]]
Run the same commands from the sudo subsection:
# <code> whoami </code>
== Part 2: Update CentOS ==
As mentioned in the Week 2 lecture, keeping your Linux system up to date is an incredibly important task and must be done regularly. You are the administrator of this system, you must keep it running well. While updating is a graded part of this lab, you should run the command again regularly to check for new updates while you continue to work with this virtual machine over the next several week.weeks.
[[Image:Ops705_lab2_fig3.png|thumb|right|500px|Figure 3. : A yum update in progress.]]
Run the command to update CentOS: <code>sudo yum update</code>
== Part 1: Replacing ''firewalld'' with ''iptables'' ==
[[Image:Ops705_lab2_fig16.png|thumb|right|500px|Figure 4. : Service status of both firewalls.]][[Image:Ops705_lab2_fig4.png|thumb|right|500px|Figure 5. : Default iptables firewall rules.]]
The default firewall for CentOS, ''firewalld'' is more complex than we need. We'll be reverting to the easier to use ''iptables'' standard. This will require the removal of the ''firewalld'' package, the installation of the ''iptables-services'' package, and working with systemd services to turn on your new firewall.
# Check the status of the iptables service. It should tell you it's '''active''': <code>systemctl status -l iptables</code>
# View your current iptables firewall rules: <code>iptables -L -vn --line-numbers</code>
# Refer to ''Figure 15''. If your rules at this stage look different, stop and contact your professor for help. (Values in the '''pkts''' and '''bytes''' column may vary.)
# Set iptables to start with the system: <code>systemctl enable iptables</code>
# Remove ''firewalld'' completely, including all unused files: <code>yum autoremove firewalld</code> ('''Note:''' If you don't remove firewalld and both firewalls are set to start with the system, firewalld will always start instead of iptables. This can lead to much frustration. Make sure you remove it!)
There are a few standard security practices to follow when dealing with firewalls. In this section, we will changes our firewall rules to follow those practices. For more detail, refer to the Week 2 lecture and material.
[[Image:Ops705_lab2_fig15.png|thumb|right|500px|Figure 6. : Modified iptables firewall rules.]]
# Set your default policy for the INPUT chain to DROP: <code>iptables -P INPUT DROP</code>
# Remove the reject rule from the INPUT chain to hide our server from scans: <code> iptables -D INPUT 5</code>
== Part 1: Text Editing with <code>vim</code> ==
[[Image:vi-text-editor-2.png|right|250px|thumb|Figure 7: The online vi-tutorial provides users "hands-on" experience of using the vi text editor.]]
You will now learn basic editing skills using the vi (vim) text editor including creating, editing, and saving text files. As mentioned, the vim text editor (although taking longer to learn) has outstanding features to increase coding productivity.
An interactive tutorial has been created to give you "hands-on" experience on how to use vi text editor. It is recommended that you run this interactive tutorial in your Linux account to learn how to create and edit text files with the vi text editor.
# Run the interactive tutorial: <code>vi-tutorial</code>
# In the tutorial menu, select the first menu item labelled "USING THE VI TEXT EDITOR"
# When you want to exit the tutorial, select the menu option to exit the tutorial.
[[Image:vi-text-editor-b.png|right|200px|thumb|Fig. 10Figure 8: Contents of ''othertext.txt'']]
After you have completed the tutorial:
# Using vim, create a new text file called ''othertext.txt'' in your home directory.<code>cd ~; vim othertext.txt</code># Write the text shown in ''Fig. 10Figure 8'' to your new ''othertext.txt'' file, save, and quit.# Confirm the contents of your text file match ''Figure 8'': <code>cat othertext.txt</code>
You can also '''manage''', '''view''' or '''manipulate the display''' of text files. This is HIGHLY ADVISED in case you only want to view contents and '''NOT''' edit text file contents which can cause accidental erasure of data.
== Part 3: Adding a Firewall Rule for the Custom SSH Port ==
[[Image:Ops705_sshd_custom_rule.png|right|500px|thumb|Figure 9: Adding a firewall rule for our new SSH custom port.]]
As mentioned, we want to change what port the system uses to allow incoming SSH connections. To do that, we have to add an extra rule to our firewall to allow it through:
# Review your current rules for reference: <code>sudo iptables -nvL --line</code>
=== SSH Listen Port ===
[[Image:Ops705_sshd_listenport_custom.png|right|400px|thumb|Figure 10: Setting the custom listen port for SSHd.]]# From the command line, run the following (it will take a few minutes): <code>sudo semanage port -a -t ssh_port_t -p tcp 22222</code>
# Using vim, open the SSH configuration file: <code>sudo vim /etc/ssh/sshd_config</code>
# Find the line (near the top) containing the words: '''Port 22'''
=== Switching to SSH keypair authentication: ===
[[Image:Ops705_filezilla-connect.png|right|400px|thumb|Figure 11: Connection information for FileZilla using the custom port.]]# First, download and install the FileZilla Client software on your personal computer.
# On your Linux VM as a regular user, generate your SSH keypair (accept all defaults): <code>ssh-keygen</code>
# Install the new keys on the system: <code>ssh-copy-id -p 22222 localhost</code>
# Using FileZilla on your personal computer, log into the Linux VM and download your new public key:to your personal computer. They can be found on your Linux VM in <code>~/.ssh/</code>
#* On Windows, store the downloaded key here: <code>C:\Users\[yoursenecaid]\.ssh\</code>
#* On Mac, store the downloaded key here: <code>~/.ssh/</code>, then run the following command: <code>chmod 700 ~/.ssh; chmod 600 ~/.ssh/id_rsa*</code>
# With a second terminal, verify that you can login to your VM's SSH from your personal computer without a password (keypair authentication). Do not move on to the next step until you’re sure.
#* Login the same way as before. '''If you aren't asked for a password, then keypair authentication has succeeded.'''
# Save both keys (''id_rsa'' and ''id_rsa.pub'') to secondary, portable location. This can be online storage like OneDrive or Dropbox, or to a USB drive. You will need your keys when you come to class to log in to your Linux VM going forward.
=== Adding Your Professor's Public Key ===
In this section, you will add your professor's public key to allow them to log in to your Linux VM and run lab checks and perform troubleshooting when needed.
# On Blackboard, find your professor's public key in ''Course Documents'' and copy the text from inside the file.
# Using the following command as your '''regular user''', install your professor's public key on to your Linux VM (substitute <professorID> for the actual public key text): <code>echo "<professorID>" >> ~/.ssh/authorized_keys</code>
# On your test terminal, log out and log back in again to check that keypair authentication is still working.
=== Disabling SSH password authentication: ===
[[Image:Ops705_sshd_passauth_no.png|right|300px|thumb|Figure 12: Disabling password-based authentication in SSHd.]]
# Make sure you have two SSH separate terminals connected to you Azure Linux VM.
# In your control terminal, use '''vim''' to open the SSH configuration file: <code>sudo vim /etc/ssh/sshd_config</code>
#* If you can't reconnect, use your control terminal window to find any mistakes you may have made. Remember, don't disconnect from your control terminal until you're sure you can reconnect! Use as many test terminal windows as you need.
= INVESTIGATION 4: Confirming Your Linux Work =[[Image:script-check-lab2.png|thumb|right|400px|If all checks pass, then user performed task correctly and can continue.]]===Running a Shell Script to Check Your Work=== Although you have been double-checking your work (right?), you ''might'' have made some mistakes. For example:* Forgetting to enable iptables.* Missing a firewall rule.* Forgetting to update Linux. To check for mistakes, a '''shell script''' has been created to check your work. '''If the checking shell script detects an error''', then it will tell you and offer constructive feedback on how to fix that problem so you can re-run the checking shell scripts until your work is correct. Perform the following steps:# Change directories to ~/bin: <code>cd ~/bin</code># Make sure you have the most recent lab files: <code>git pull</code># Change back to your home directory: <code>cd ~</code># Run the checking script for your Linux work in this lab: <code>labcheck2.sh</code>#* If you encounter errors, then view the feedback to make corrections, and then re-run the checking script.#* If all checks pass, then proceed to the next part.# Assuming you passed all checks, take a screenshot of the full script output. You'll need it for later. = INVESTIGATION 5: Updating Windows Server 2022 2019 =
Updating your Windows Server VM in Azure is a little bit easier. It takes advantage of the cloud infrastructure to allow point-and-click updates.
== Part 1: Updating with Artifacts ==
[[Image:Ops705_artifacts1.jpg|right|500px|thumb|Figure 13: Adding artifacts to your Windows VM in Azure.]]
# Spin up your Windows Server VM, and wait until it's fully started up.
# In the Azure blade for your Windows Server VM, click on the '''Manage artifacts''' item in the menu bar to the left.
= Lab Submission =
Submit to Blackboard full-desktop screenshots (PNG/JPG) of the following:
# Logging in to your Linux VM without a password on port '''22222'''.
# Run the <code>yum update</code> command to show there are no further updates to install and screenshot the result.
# Service status of ''firewalld'' and ''iptables''.
# Listing of your modified firewall rules.
# A full view of the contents of your '''othertext.txt''' file.
# A full view of the contents of '''~/.ssh/authorized_keys'''.
# Listing of your applied artifacts in Azure for your Windows Server VM.
