Fincer
/
linux-server-setup
mirror of https://github.com/Fincer/linux-server-setup
1
0
Fork 0
Code Issues 0 Projects 0 Releases 0 Wiki Activity
Instructions to set up a basic LAMP+SSH server environment
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
42 Commits
1 Branch
52 MiB
Tree: 65a22f50d4
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '65a22f50d4'
${ noResults }
linux-server-setup/exercises/h5.md

1037 lines
61 KiB
Raw Normal View History

Initial commit
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Minor fixes
5 years ago
H5: Fix even more links
5 years ago
H5: Update titles
5 years ago
H5: Fix even more links
5 years ago
H5: Update titles
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Minor fixes
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Minor fixes
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Minor fixes
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Minor fixes
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Minor fixes
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Minor fixes
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Minor fixes
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Minor fixes
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Minor fixes
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Minor fixes
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Minor fixes
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Minor fixes
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Minor fixes
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Minor fixes
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
H5: Fix even more links
5 years ago
H5: Fix the document layout
5 years ago
Initial commit
5 years ago
H5: Fix the document layout
5 years ago
Initial commit
5 years ago
H5: Fix the document layout
5 years ago
Initial commit
5 years ago
H5: Minor fixes
5 years ago
Initial commit
5 years ago
H5: Fix the document layout
5 years ago
Initial commit
5 years ago
H5: Fix the document layout
5 years ago
Initial commit
5 years ago
H5: Fix the document layout
5 years ago
Initial commit
5 years ago
H5: Fix the document layout
5 years ago
Initial commit
5 years ago
H5: Fix the document layout
5 years ago
Initial commit
5 years ago
H5: Fix the document layout
5 years ago
Initial commit
5 years ago
H5: Fix the document layout
5 years ago
Initial commit
5 years ago
H5: Fix the document layout
5 years ago
 
  1. Linux servers - Exercice 5
  2. ==============
  3. 

  4. *Disclaimer:*
  5. --------------
  6. 

  7. This exercise is a part of [Linux servers (ICT4TN021, spring 2018) // Linux-palvelimet (ICT4TN021, kevät 2018)](http://www.haaga-helia.fi/fi/opinto-opas/opintojaksokuvaukset/ICT4TN021) school course organized as a part of Information Technology studies in Haaga-Helia university of Applied Sciences, Helsinki, Finland. Course lecturer [Tero Karvinen](http://terokarvinen.com/) has defined the original assignment descriptions in Finnish presented in this document in English. Answers and translations have been written by Pekka Helenius (me, ~ Fincer).
  8. 

  9. **a)** Install SSH server daemon
  10. --------------
  11. 

  12. **Answer:**
  13. 

  14. SSH daemon has already been installed on the virtual server machine (you can't establish a connection to the server with a SSH client program otherwise). However, the installation on Debian-based systems goes as follows:
  15. 

  16. ```
  17. phelenius@my-machine:~$ sudo apt-get update && sudo apt-get install openssh-server
  18. ```
  19. 

  20. Start SSH daemon and check whether it is active or not:
  21. 

  22. ```
  23. phelenius@my-machine:~$ sudo systemctl start sshd.service
  24. phelenius@my-machine:~$ [[ $(systemctl is-active sshd | grep ^active | wc -w) -eq 1 ]] && echo "REPLY: SSH server daemon is active" || echo "REPLY: SSH server daemon is not active"
  25. REPLY: SSH server daemon is active
  26. ```
  27. 

  28. SSH server daemon has been installed and is active on the server computer. Let's take a look-up into Systemd process tree:
  29. 

  30. ```
  31. phelenius@my-machine:~$ systemctl status
  32. ...
  33.    CGroup: /
  34.            ├─init.scope
  35.            │ └─1 /lib/systemd/systemd --system --deserialize 20
  36.            ├─system.slice
  37.            ...
  38.            │ ├─ssh.service
  39.            │ │ ├─1534 /usr/sbin/sshd -D
  40.            │ │ ├─2365 sshd: [accepted]    
  41.            │ │ └─2366 sshd: [net]
  42. ```
  43. 

  44. Executable root binary file (sbin) is `/usr/sbin/sshd_ with command parameter _-D` (Process Identifier/Process ID/PID is 1534).
  45. 

  46. **NOTE:** The following is stated about `-D` parameter in sshd manual:
  47. 

  48. ```
  49. phelenius@my-machine:~$ man sshd | grep -E "\-D" -C1
  50. 

  51.      -D      When this option is specified, sshd will not detach and does not become a daemon.  This allows easy monitoring of sshd.
  52. ```
  53. 

  54. `-D` parameter definition by [SSH Communications Security](https://www.ssh.com/ssh/sshd/):
  55. 

  56. > -D Do not detach and become daemon. This is often used when sshd is run using systemd. This allows easier monitoring of the process in such environments. Without this option, the SSH server forks and detaches from terminal, making itself a background daemon process. The latter has been the traditional way to run the SSH server until recently. Many embedded systems would still use the latter.

  57. 

  58. About relevance of the `-D` parameter has been discussed, for instance, on [superuser.com (Differences between ssh -L to -D](https://superuser.com/questions/408031/differences-between-ssh-l-to-d)).
  59. 

  60. 

  61. **b)** Establish a firewall protection to the server computer (Note: allow SSH traffic before that)
  62. --------------
  63. 

  64. **Answer:**
  65. 

  66. The firewall protection is done by using Linux kernel ip_table module(s). Firewall rules can be modified in User Space with the corresponding iptables command or with the simplified Python 3 based program/script 'Uncomplicated Firewall' (`ufw`). Other firewall solutions also exists on Linux, please see ['Other firewall solutions'](https://github.com/Fincer/linux_server_setup/blob/master/exercises/h5.md#other-firewall-solutions) below. 
  67. 

  68. We can check which loadable kernel modules have been enabled in Linux kernel with the kernel-related lsmod command.
  69. 

  70. ```
  71. phelenius@my-machine:~$ man lsmod | sed -n '/NAME/{n;p}' | sed 's/\s*//'
  72. lsmod - Show the status of modules in the Linux Kernel
  73. ...
  74. phelenius@my-machine:~$ lsmod |grep filter
  75. ip6table_filter        16384  1
  76. ip6_tables             28672  1 ip6table_filter
  77. iptable_filter         16384  1
  78. ip_tables              24576  1 iptable_filter
  79. x_tables               36864  14 ip6table_filter,xt_hl,xt_recent,ip_tables,xt_tcpudp,xt_limit,xt_conntrack,xt_LOG,iptable_filter,ip6t_rt,ipt_REJECT,ip6_tables,xt_addrtype,ip6t_REJECT
  80. ```
  81. 

  82. Source codes of these modules can be found on git.kernel.org: [ipv6 netfilter](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/ipv6/netfilter), [ipv6 netfilter core](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/ipv6/netfilter.c), [ipv4 netfilter](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/ipv4/netfilter), [ipv4 netfilter core](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/ipv4/netfilter.c)
  83. 

  84. ### UFW configuration

  85. 

  86. By default, python-based Uncomplicated Firewall (`ufw`) is usually pre-installed on many Linux distributions, including Debian-based systems. It's usually the default firewall front-end for `iptables` on Linux systems. Let's confirm that:
  87. 

  88. ```
  89. phelenius@my-machine:~$ if [[ $(dpkg --get-selections |grep ufw | awk '{print $1}' | wc -l) -eq 0 ]]; then sudo apt-get update && sudo apt-get -y install ufw && echo "REPLY: UFW is installed now"; else echo "REPLY: UFW has already been installed"; fi
  90. REPLY: UFW has already been installed
  91. ```
  92. 

  93. Therefore UFW firewall is installed. Otherwise it would be installed on the system with `apt-get install ufw` command.
  94. 

  95. By default, the Linux firewall blocks SSH input traffic (default port `22`). This input port can be opened by applying the following ufw command:
  96. 

  97. ```
  98. phelenius@my-machine:~$ sudo ufw allow 22/tcp
  99. ```
  100. 

  101. or with the command (however, not specific port number is defined here):
  102. 

  103. ```
  104. phelenius@my-machine:~$ sudo ufw allow ssh
  105. ```
  106. 

  107. Afterwards, UFW can be re-enabled with the following command:
  108. 

  109. ```
  110. phelenius@my-machine:~$ sudo ufw enable
  111. Command may disrupt existing ssh connections. Proceed with operation (y|n)?
  112. ```
  113. 

  114. Your answer should be `y` (yes). The firewall does not close (possibly already established) SSH connection because we have opened port `22` TCP input traffic. We get a notification, stating:
  115. 

  116. ```
  117. Firewall is active and enabled on system startup
  118. ```
  119. 

  120. **NOTE:** The message is bit unclear, because according to some testing, the ufw firewall may still not be enabled on system boot. Automated start of ufw during system boot can foolproofly be enabled with:
  121. 

  122. ```
  123. phelenius@my-machine:~$ sudo systemctl enable ufw.service
  124. Created symlink /etc/systemd/system/multi-user.target.wants/ufw.service -> /usr/lib/systemd/system/ufw.service.
  125. ```
  126. 

  127. Alternatively, the following message may appear:
  128. 

  129. ```
  130. Synchronizing state of ufw.service with SysV init with /lib/systemd/systemd-sysv-install...
  131. Executing /lib/systemd/systemd-sysv-install enable ufw
  132. ```
  133. 

  134. ### iptables configuration

  135. 

  136. **1.** Remove UFW from the Linux system, and remove all relevant UFW entries from iptables firewall rule list.
  137. 

  138. **NOTE:** Warning: (May) delete other important iptables rules configured by system administration!
  139. 

  140. **NOTE:** Be sure that you have direct access (local terminal, without network) to the target machine in a case of failure. Otherwise you may lock yourself out from the server.
  141. 

  142. ```
  143. sudo systemctl stop ufw.service && sudo systemctl disable ufw.service
  144. sudo apt-get purge --remove ufw
  145. sudo iptables --flush && sudo iptables --delete-chains
  146. ```
  147. 

  148. **2.** Confirm deletion of ufw entries from iptables firewall rule list with
  149. 

  150. ```
  151. sudo iptables -S
  152. ```
  153. 

  154. Output should be:
  155. 

  156. ```
  157. -P INPUT ACCEPT
  158. -P FORWARD ACCEPT
  159. -P OUTPUT ACCEPT
  160. ```
  161. 

  162. **3.** Add new firewall rules to iptables and keep already established connections open:
  163. 

  164. ```
  165. sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  166. ```
  167. 

  168. **4.** Drop all connections, excluding already established connections like SSH:
  169. 

  170. ```
  171. sudo iptables -A INPUT -j DROP
  172. sudo iptables -A FORWARD -j DROP
  173. ```
  174. 

  175. **5.** Allow SSH traffic (port number: `22`, protocol: `tcp`, etc.):
  176. 

  177. ```
  178. sudo iptables -I INPUT -p tcp --dport 22 -j ACCEPT
  179. ```
  180. 

  181. **NOTE:** This applies only to IPv4 connections. For IPv6, check [iptables6](https://www.linux.com/learn/intro-to-linux/2017/8/iptables-rules-ipv6).
  182. 

  183. **NOTE:** The forementioned command can be written so that connections only from a single IP is allowed, by using `eth0` network interface. For instance:
  184. 

  185. ```
  186. sudo iptables -I INPUT -p tcp -i eth0 -s 231.123.24.24 --dport 22 -j ACCEPT
  187. ```
  188. 

  189. **NOTE:** Be sure you have enabled 'net.ifnames=0' in your udev rules to get network interface names like `eth0`, `wlan0` etc.!
  190. 

  191. More about setting iptables firewall rules, take a look on [DigitalOcean website](https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands) and [iptables - Append vs. Insert - website](https://serverfault.com/questions/472258/difference-between-iptables-a-and-i-option), for instance.
  192. 

  193. **6.** Confirm proper iptables firewall rules with `sudo iptables -S` command:
  194. 

  195. ```
  196. -P INPUT ACCEPT
  197. -P FORWARD ACCEPT
  198. -P OUTPUT ACCEPT
  199. -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  200. -A INPUT -j DROP
  201. -A FORWARD -j DROP
  202. -I INPUT -p tcp --dport 22 -j ACCEPT
  203. ```
  204. 

  205. **7.** Save the rules so that they won't be lost after rebooting:
  206. 

  207. ```
  208. sudo iptables-save | sudo tee /etc/iptables/iptables.save > /dev/null
  209. cat /etc/iptables/iptables.save
  210. ```
  211. 

  212. **8.** Apply and enable the rules. You can restart iptables service (Packet Filtering Framework) if you prefer to do so:
  213. 

  214. ```
  215. sudo iptables-restore && sudo systemctl restart iptables.service
  216. ```
  217. 

  218. **9.** Confirm the current iptables firewall rules with the command `sudo iptables -S`.
  219. 

  220. More about iptables:
  221. 

  222. - [DigitalOcean - Iptables Essentials: Common Firewall Rules and Commands, SSH service](https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands#service-ssh)
  223. 

  224. - [DigitalOcean - Iptables Essentials: Common Firewall Rules and Commands, Saving rules](https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands#saving-rules).
  225. 

  226. - [The Geek Stuff - 25 Most Frequently Used Linux IPTables Rules Examples](https://www.thegeekstuff.com/2011/06/iptables-rules-examples)
  227. 

  228. ### Other firewall solutions

  229. 

  230. In addition to UFW, other iptables-based firewall solutions have been developed on Linux. Take a look on [Firestarter](http://www.fs-security.com/), [Firewalld](https://fedoraproject.org/wiki/Firewalld?rd=FirewallD), [PeerGuardian](https://sourceforge.net/projects/peerguardian/?source=navbar), [FWBuilder](http://www.fwbuilder.org/), etc.
  231. 

  232. ------------------------------------------------
  233. 

  234. ### EXTRA - root account: more restrictions

  235. 

  236. In addition to previous root restrictions, the following extra restrictions were applied, too:
  237. 

  238. - root default shell were changed to `/sbin/nologin` in `/etc/passwd` file
  239. 

  240. - root account were locked by applying command `sudo usermod root --lock` (this was done already, it sets up an exclamation mark prefix to the root account password in file `/etc/shadow`
  241. 

  242. - root access removal of TTY sessions by commenting out relevant lines in file `/etc/securetty`
  243. 

  244. - SSH: setting `PermitRootLogin no` were applied in SSH server configuration file `/etc/ssh/sshd_config`
  245. 

  246. PAM configuration files (Pluggable Authentitation Modules) were not altered in `/etc/pam.d/` although security can be improved by applying some special system-spefific authentication rules there. PAM rules can restrict root permissions as well, including executable daemon processes and commands (i.e. you can restrict even root execution rights in the target system, in contradiction what is usually told for new Linux users that "root can do anything". With PAM, you can restrict that "anything" privilege.)
  247. 

  248. Reference: [Red Hat - 4.4.2. Disallowing Root Access](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/4/html/Security_Guide/s2-wstation-privileges-noroot.html)
  249. 

  250. **c)** Transfer files using SSH protocol
  251. --------------
  252. 

  253. **Answer:**
  254. 

  255. Let's use [Secure Copy (scp)](https://en.wikipedia.org/wiki/Secure_copy) command for file transfers.
  256. 

  257. The assignment has been done in the following command sequence. The following steps are executed:
  258. 

  259. **1.** Create new subdirectory `httpd` into the current user's home directory on the local computer
  260. 

  261. **2.** Download related control, description and patch files of debian package of Apache web server, version `2.4.18-2ubuntu3.5` from archive.ubuntu.com ([packages.ubuntu.com](https://packages.ubuntu.com/xenial/apache2)). Target directory for the download is the recently created subdirectory `httpd`
  262. 

  263. **3.** Extract the downloaded archive files into `$HOME/httpd`. Subdirectory `debian` will be created in `httpd` directory.
  264. 

  265. **4.** Establish a new SSH connection to the server computer with server user `newuser`, use port `1234` and create directory `$HOME/patches` for this user.
  266. 

  267. **5.** Transfer all local files (and directories) which 1) start with any character 2) end with suffix `.diff` and `.patch` 3) locate at the current user's `./httpd/debian/patches/` subdirectory
  268. 

  269. to the directory `$HOME/patches` located at the server computer (where `$HOME` is `/home/newuser/`). SSH connection port is `1234`. Use `scp` command.
  270. 

  271. For more information about patches, check 
  272. 

  273. - [What is the format of a patch file - stackoverflow.com](https://stackoverflow.com/questions/987372/what-is-the-format-of-a-patch-file)
  274. 

  275. - [Patch command examples - thegeekstuff.com](https://www.thegeekstuff.com/2014/12/patch-command-examples))
  276. 

  277. **6.** List contents of the remote subdirectory `$HOME/patches` with SSH connection, use port `1234`
  278. 

  279. **7.** Delete current user's local subdirectory `httpd` and its contents. `-R` or `-r` stands for recursive deletion, `-f` stands for forceful removal. Remote files in the server computer's directory `/home/newuser/patches/` will be kept intact.
  280. 

  281. ```
  282. [20/02/2018 13:24:40 - fincer: ~ ]$ mkdir httpd
  283. [20/02/2018 13:24:54 - fincer: ~ ]$ wget http://archive.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.4.18-2ubuntu3.5.debian.tar.xz -P httpd
  284. --2018-02-20 13:25:13--  http://archive.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.4.18-2ubuntu3.5.debian.tar.xz
  285. Resolving archive.ubuntu.com... 2001:67c:1560:8001::11, 2001:67c:1360:8001::17, 2001:67c:1560:8001::14, ...
  286. Connecting to archive.ubuntu.com|2001:67c:1560:8001::11|:80... connected.
  287. HTTP request sent, awaiting response... 200 OK
  288. Length: 387448 (378K) [application/x-xz]
  289. Saving to: ‘httpd/apache2_2.4.18-2ubuntu3.5.debian.tar.xz’
  290. 

  291. apache2_2.4.18-2ubuntu3.5.debian.tar.xz   100%[==================================================================================>] 378.37K   450KB/s    in 0.8s    
  292. 

  293. 2018-02-20 13:25:15 (450 KB/s) - ‘httpd/apache2_2.4.18-2ubuntu3.5.debian.tar.xz’ saved [387448/387448]
  294. 

  295. [20/02/2018 13:25:15 - fincer: ~ ]$ tar xf apache2_2.4.18-2ubuntu3.5.debian.tar.xz -C httpd
  296. [20/02/2018 13:25:35 - fincer: ~ ]$ ssh newuser@174.138.2.190 -p 1234 mkdir patches
  297. newuser@174.138.2.190's password: 
  298. [20/02/2018 13:26:12 - fincer: ~ ]$ scp -P 1234 ./httpd/debian/patches/*.{diff,patch} newuser@174.138.2.190:./patches/
  299. newuser@174.138.2.190's password: 
  300. hostnames_with_underscores.diff                                                                                                    100%  479   114.6KB/s   00:00    
  301. reproducible_builds.diff                                                                                                           100% 1710   427.2KB/s   00:00    
  302. build_suexec-custom.patch                                                                                                          100% 1981   473.6KB/s   00:00    
  303. customize_apxs.patch                                                                                                               100% 9316   888.9KB/s   00:00    
  304. CVE-2016-0736.patch                                                                                                                100%   12KB 867.4KB/s   00:00    
  305. CVE-2016-2161.patch                                                                                                                100% 4787   493.1KB/s   00:00    
  306. CVE-2016-5387.patch                                                                                                                100%  666   287.9KB/s   00:00    
  307. CVE-2016-8743.patch                                                                                                                100%   80KB   1.0MB/s   00:00    
  308. CVE-2017-3167.patch                                                                                                                100% 8922   698.9KB/s   00:00    
  309. CVE-2017-3169.patch                                                                                                                100% 4663   458.1KB/s   00:00    
  310. CVE-2017-7668.patch                                                                                                                100% 1746   482.5KB/s   00:00    
  311. CVE-2017-7679.patch                                                                                                                100% 1925   527.4KB/s   00:00    
  312. CVE-2017-9788.patch                                                                                                                100% 2252   582.1KB/s   00:00    
  313. CVE-2017-9798.patch                                                                                                                100% 1172   381.3KB/s   00:00    
  314. fhs_compliance.patch                                                                                                               100% 2541   635.6KB/s   00:00    
  315. no_LD_LIBRARY_PATH.patch                                                                                                           100%  444   199.8KB/s   00:00    
  316. prefork_single_process_crash.patch                                                                                                 100%  773   359.0KB/s   00:00    
  317. suexec-custom.patch                                                                                                                100% 5785   792.4KB/s   00:00    
  318. suexec-CVE-2007-1742.patch                                                                                                         100% 2356   589.3KB/s   00:00    
  319. suexec_is_shared.patch                                                                                                             100%  622   194.1KB/s   00:00    
  320. [20/02/2018 13:28:03 - fincer: ~ ]$ ssh newuser@174.138.2.190 -p 1234 ls -l ./patches
  321. newuser@174.138.2.190's password: 
  322. total 196
  323. -rw-r--r-- 1 newuser newuser 12446 Feb 20 11:38 CVE-2016-0736.patch
  324. -rw-r--r-- 1 newuser newuser  4787 Feb 20 11:38 CVE-2016-2161.patch
  325. -rw-r--r-- 1 newuser newuser   666 Feb 20 11:38 CVE-2016-5387.patch
  326. -rw-r--r-- 1 newuser newuser 81900 Feb 20 11:38 CVE-2016-8743.patch
  327. -rw-r--r-- 1 newuser newuser  8922 Feb 20 11:38 CVE-2017-3167.patch
  328. -rw-r--r-- 1 newuser newuser  4663 Feb 20 11:38 CVE-2017-3169.patch
  329. -rw-r--r-- 1 newuser newuser  1746 Feb 20 11:38 CVE-2017-7668.patch
  330. -rw-r--r-- 1 newuser newuser  1925 Feb 20 11:38 CVE-2017-7679.patch
  331. -rw-r--r-- 1 newuser newuser  2252 Feb 20 11:38 CVE-2017-9788.patch
  332. -rw-r--r-- 1 newuser newuser  1172 Feb 20 11:38 CVE-2017-9798.patch
  333. -rw-r--r-- 1 newuser newuser  1981 Feb 20 11:38 build_suexec-custom.patch
  334. -rw-r--r-- 1 newuser newuser  9316 Feb 20 11:38 customize_apxs.patch
  335. -rw-r--r-- 1 newuser newuser  2541 Feb 20 11:38 fhs_compliance.patch
  336. -rw-r--r-- 1 newuser newuser   479 Feb 20 11:38 hostnames_with_underscores.diff
  337. -rw-r--r-- 1 newuser newuser   444 Feb 20 11:38 no_LD_LIBRARY_PATH.patch
  338. -rw-r--r-- 1 newuser newuser   773 Feb 20 11:38 prefork_single_process_crash.patch
  339. -rw-r--r-- 1 newuser newuser  1710 Feb 20 11:38 reproducible_builds.diff
  340. -rw-r--r-- 1 newuser newuser  2356 Feb 20 11:38 suexec-CVE-2007-1742.patch
  341. -rw-r--r-- 1 newuser newuser  5785 Feb 20 11:38 suexec-custom.patch
  342. -rw-r--r-- 1 newuser newuser   622 Feb 20 11:38 suexec_is_shared.patch
  343. [20/02/2018 13:32:01 - fincer: ~ ]$ rm -Rf httpd
  344. ```
  345. 

  346. **d)** Automate SSH login with public key method
  347. --------------
  348. 

  349. **Answer:**
  350. 

  351. **1.** Let's generate a key pair on the client computer with a user who is wanted to have the public key authentication method for SSH connections. Both private and public keys are generated with `ssh-keygen` command. Accept the default settings unless you have any requirements to customize them.
  352. 

  353. **2.** Copy the **public key** to the server computer with your SSH client using command `ssh-copy-id -i $HOME/.ssh/id_rsa.pub username@server-ip-or-name`. The command copies your public key to the subdirectory `.ssh/authorized_keys` located at the server computer.
  354. 

  355. **NOTE:** Copy public key only, do **NOT** copy the private key!!
  356. 

  357. More about the topic:
  358. 

  359. [ssh.com - Key Pair - Public and Private](https://www.ssh.com/ssh/public-key-authentication#sec-Key-Pair-Public-and-Private)
  360. 

  361. **3.** Let confirm that SSH server daemon configuration file (`/etc/ssh/sshd_config` by default) has the following settings in place (either use `sudo nano /etc/ssh/sshd_config` or `sudoedit /etc/ssh/sshd_config`):
  362. 

  363. ```
  364. AuthenticationMethods   publickey
  365. PubkeyAuthentication    yes
  366. AuthorizedKeysFile      .ssh/authorized_keys
  367. ```
  368. 

  369. **Extra hint 1:** SSH client settings are generally defined in `/etc/ssh/ssh_config`
  370. 

  371. **Extra hint 2:** You can use ssh command with `-v` parameter to gain more information about used authentication methods in unclear cases or for debugging purposes. The `-v` parameter is defined as follows:
  372. 

  373. > -v      Verbose mode. Causes ssh to print debugging messages about its progress.  This is helpful in debugging connection, authentication, and configuration problems.  Multiple -v options increase the verbosity. The maximum is 3.

  374. 

  375. **4.** We shall restart server SSH daemon with `sudo systemctl restart sshd.service` command (note! this interrupts any existing & opened SSH connections)
  376. 

  377. **5.** We shall test public key authentication from the client computer. Use same user account which you previously used for executing `ssh-keygen` command on the client computer. The client computer user should be able to login into SSH server without a password.
  378. 

  379. **EXTRA: Modifying welcome banner**
  380. 

  381. Let's modify default Ubuntu login/SSH banner message by executing the following bash script:
  382. 

  383. ```
  384. #!/bin/bash

  385. 

  386. # Modify SSH login banner message

  387. 

  388. ## 00-header file:

  389. #
  390. sudo sed -i 's?printf "Welcome to %s (%s %s %s)\\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"?printf "Welcome to %s\\nUptime: 
  391. %s\\n\\n" "Server Computer" "$(uptime)"?' /etc/update-motd.d/00-header
  392. 

  393. ## File extensions of the following files will be modified

  394. ## We could also remove these files with 'sudo rm <file>'

  395. #
  396. FILES=( 10-help-text 51-cloudguest 90-updates-available 91-release-upgrade )
  397. 

  398. cd /etc/update-motd.d/
  399. for file in ${FILES[@]}; do sudo mv $file $file.old; done
  400. cd
  401. ```
  402. 

  403. **NOTE:** Location of the banner file varies between different Linux distributions. For instance, Arch Linux uses banner file `/etc_motd`.
  404. 

  405. **e)** Install, configure and start sysstat. Use sar command to confirm whether the sysstat package services have been enabled (for instance, log entry "Linux reboot..." exists). Run sysstat a day or two. Afterwards, check computer workload history with sysstat commands sar, iostat, pidstat etc. Analyze the results, i.e. explain the results in detail.
  406. --------------
  407. 

  408. **Answer:**
  409. 

  410. **1.** We shall connect to the server computer (running Ubuntu) and then install the required package with command sequence `sudo apt-get update && sudo apt-get install -y install sysstat`
  411. 

  412. **2.** Run [shell-based sysstat script](https://github.com/Fincer/linux_server_setup/blob/master/scripts/sysstat_command.sh) which runs `sar` and `pidstat` commands for two days with 20 second intervals.
  413. 

  414. **NOTE:** The script can be opmitized more/adapted better to suit the real requirements for the server environment (statistics interval, collection period, etc.) 
  415. 

  416. **3.** The script described in step 2 has generated sar analytics file `sar-stats_2018-02-24_2018-02-26.file` into path `/home/newuser/sar_statistics/` on the server computer. 
  417. 

  418. Time period: 24. - 26.02.2018
  419. 

  420. The following sums up some command samples which can be applied to the analytics file.
  421. 

  422. | File | Description |
  423. |------------------------------------|-------------------------------------------------|
  424. | sar -u -f <analytics-file> | Processor workload statistics |
  425. | sar -v -f <analytics-file> | Inode and file statistics |
  426. | sar -r -f <analytics-file> | Memory consumption statistics |
  427. | sar -n DEV -f <analytics-file> | Network stats: devices |
  428. | sar -n EDEV -f <analytics-file> | Network stats: errors in devices |
  429. | sar -n IP -f <analytics-file> | Network stats: IPv4 traffic |
  430. | sar -n EIP -f <analytics-file> | Network stats: errors in IPv4 traffic |
  431. | sar -n IP6 -f <analytics-file> | Network stats: IPv6 traffic |
  432. | sar -n EIP6 -f <analytics-file> | Network stats: errors in IPv6 traffic |
  433. | sar -n SOCK -f <analytics-file> | Network stats: IPv4 socket |
  434. | sar -n SOCK6 -f <analytics-file> | Network stats: IPv6 socket |
  435. | sar -n TCP -f <analytics-file> | Network stats: TCPv4 protocol traffic |
  436. | sar -n ETCP -f <analytics-file> | Network stats: errors in TCPv4 protocol traffic |
  437. | sar -S -f <analytics-file> | Swap memory consumption |
  438. | sar -w -f <analytics-file> | Process statistics |
  439. | sar -F MOUNT / -f <analytics-file> | File system which is mounted at / |
  440. 

  441. Statistics can be combined etc, as you can find out with 'man sar' command:
  442. 

  443. ```
  444. sar -u 2 5
  445.     Report CPU utilization for each 2 seconds. 5 lines are displayed.
  446. 

  447. sar -I 14 -o int14.file 2 10
  448.     Report statistics on IRQ 14 for each 2 seconds. 10 lines are displayed.  Data are stored in a file called int14.file.
  449. 

  450. sar -r -n DEV -f /var/log/sysstat/sa16
  451.     Display memory and network statistics saved in daily data file 'sa16'.
  452. 

  453. sar -A
  454.     Display all the statistics saved in current daily data file.
  455. ```
  456. 

  457. Or [The Geek Stuff - 10 Useful Sar (Sysstat) Examples for UNIX / Linux Performance Monitoring](https://www.thegeekstuff.com/2011/03/sar-examples/?utm_source=feedburner)
  458. 

  459. What are inode and swap? Check
  460.  
  461. - [inode - 1](https://www.cyberciti.biz/tips/understanding-unixlinux-filesystem-inodes.html)
  462. 

  463. - [inode - 2](https://unix.stackexchange.com/questions/117093/find-where-inodes-are-being-used)
  464. 

  465. - [Swap](https://wiki.archlinux.org/index.php/swap)
  466. 

  467. Additionally, the following pidstat files were generated:
  468. 

  469. | File | Description |
  470. |----------------------------|------------------------------------|
  471. | pidstat_stats_cpu-tasks | Processor workload statistics |
  472. | pidstat_stats_io | I/O statistics |
  473. | pidstat_stats_kerneltables | Statistics of Linux kernel tables  |
  474. | pidstat_stats_pagefaults | Page fault statistics |
  475. | pidstat_stats_stacks | Process stack statistics |
  476. 

  477. (Check. [Stacks](https://stackoverflow.com/questions/8905271/what-is-the-linux-stack), [Page fault](https://en.wikipedia.org/wiki/Page_fault))
  478. 

  479. Additionally, iostat command was run on the background.
  480. 

  481. **4.** Let's take a closer look on two sar analytics files and I/O statistics file. The following commands open analytics files in more detailed view.
  482. 

  483. ------------------------------------------------
  484. 

  485. ### SAR network statistics - IPv4 traffic

  486. 

  487. **command: sar -n IP -f sar-stats_2018-02-24_2018-02-26.file**
  488. 

  489. ![sar-stats-ipv4](https://github.com/Fincer/linux_server_setup/blob/master/images/sar-stats_ipv4.png)
  490. 

  491. **Observation period:** 24.-26.02.2018
  492. 

  493. | Field | Description | Average |
  494. |-------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|
  495. | Left column | Record time |  |
  496. | irec/s | The total number of input datagrams received from interfaces per second, including those received in error. | 1.33 |
  497. | fwddgm/s | The number of input datagrams per second, for which this entity was not their final IP destination, as a result of which an attempt was made to find a route to forward them to that final destination. | 0.00 |
  498. | idel/s | The total number of input datagrams,successfully,delivered,per,second,to,IP user-protocols (including ICMP). | 1.30 |
  499. | orq/s | The total number of IP datagrams which local IP user-protocols (including ICMP) supplied per second to IP in requests for,transmission. Note that this,counter,does,not include any datagrams counted in fwddgm/s. | 1.45 |
  500. | asmrq/s | The number of IP fragments received per second which needed to be reassembled at this entity. | 0.00 |
  501. | asmok/s | The number of IP datagrams successfully re-assembled per second. | 0.00 |
  502. | fragok/s | The number of IP datagrams that,have,been,successfully fragmented at this entity per second. | 0.00 |
  503. | fragcrt/s | The number of IP datagram fragments that have been generated per second as a result of fragmentation at this entity. | 0.00 |
  504. 

  505. **NOTE:** Descriptions are provided in sysstat package (manpages).
  506. 

  507. **Analysis - IPV4**
  508. 

  509. The server computer has not forwarded a single datagram in the observation period. Input network traffic has been received which can be concluded by observing `irec/s`, `idel/s` and `orq/s` field values. The current workload of the server computer is very low, including only HTTP daemon (Apache web server) and SSH server daemon. No webpages are available on the server which could increase input HTTP/HTTPS protocol based traffic. HTTPS was not enabled in the server computer.
  510. 

  511. By default, the server computer allows `128` simultaneous input network connections (command `cat /proc/sys/net/core/somaxconn`. **NOTE:** The value can be changed by issuing `echo 1024 | sudo tee /proc/sys/net/core/somaxconn`, for instance).
  512. 

  513. MTU value of the web server computer for network interface `eth0` was `1500` (you can check it with `ifconfig` command). MTU stands for **Maximum Transmission Unit** which determines the highest PDU unit ([Protocol Data Unit](https://en.wikipedia.org/wiki/Protocol_data_unit)) that can be transferred over the network at once.
  514. 

  515. Check also
  516. 

  517. - [MTU - hyperlink 1](http://www.tcpipguide.com/free/t_IPDatagramSizeMaximumTransmissionUnitMTUFragmentat.htm)
  518. 

  519. - [MTU - hyperlink 2](https://en.wikipedia.org/wiki/Maximum_transmission_unit)
  520. 

  521. - [Stack Overflow - What's the practical limit on the size of single packet transmitted over domain socket?](https://stackoverflow.com/questions/21856517/whats-the-practical-limit-on-the-size-of-single-packet-transmitted-over-domain)
  522. 

  523. - [Stack Overflow - What is the default size of datagram queue length in Unix Domain Sockets (AF_UNIX)? Is it configurable?](https://stackoverflow.com/questions/21448960/what-is-the-default-size-of-datagram-queue-length-in-unix-domain-sockets-af-uni)
  524. 

  525. - [IP fragmentation](https://en.wikipedia.org/wiki/IP_fragmentation)
  526. 

  527. - Related article: [Linux Tune Network Stack (Buffers Size) To Increase Networking Performance](https://www.cyberciti.biz/faq/linux-tcp-tuning/)
  528. 

  529. **NOTE:** About datagrams, [quoted from Wikipedia](https://en.wikipedia.org/wiki/Datagram#Internet_Protocol):
  530. 

  531. > The term datagram is often considered synonymous to packet but there are some nuances. The term datagram is generally reserved for packets of an unreliable service, which cannot notify the sender if delivery fails, while the term packet applies to any packet, reliable or not. Datagrams are the IP packets that provide a quick and unreliable service like UDP, and all IP packets are datagrams; however, at the TCP layer, what is termed a TCP segment is the sometimes necessary IP fragmentation of a datagram, but those are referred to as "packets".

  532. 

  533. ------------------------------------------------
  534. 

  535. ### SAR - memory consumption statistics - RAM & Swap

  536. 

  537. **command: sar -r -f sar-stats_2018-02-24_2018-02-26.file**
  538. **command: sar -S -f sar-stats_2018-02-24_2018-02-26.file**
  539. 

  540. ![sar-stats-memusage](https://github.com/Fincer/linux_server_setup/blob/master/images/sar-stats_memusage.png)
  541. 

  542. **Observation period:** 24.-26.02.2018
  543. 

  544. **NOTE:** Average values are not visible in the attached picture!
  545. 

  546. | Field | Description | Average |
  547. |-------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|
  548. | Left column | Record time |  |
  549. | kbmemfree | Amount of free memory available in kilobytes. | 87631 KB (~ 87 MB) |
  550. | kbmemused | Amount,of,used,memory in kilobytes. This does not take into account memory used by the kernel itself. | 928 457 KB (~ 928 MB) |
  551. | %memused | Percentage of used memory. | 91.38 % |
  552. | kbbuffers | Amount of memory used as buffers by the kernel in kilobytes. | 77 746 KB (~ 77 MB) |
  553. | kbcached | Amount of memory used to cache data by the kernel in kilobytes. | 644 777 KB (~ 644 MB) |
  554. | kbcommit | Amount of memory in kilobytes needed for current workload. This is an estimate of how much RAM/swap is needed to guarantee that there never is out of memory. | 470 619 KB (~ 470 MB) |
  555. | %commit | Percentage of memory needed for current workload in relation to the total amount of memory (RAM+swap).,This number may be greater than 100% because the,kernel,usually overcommits memory. | 46.32 % |
  556. | kbactive | Amount of active memory in kilobytes (memory that has been used more recently and usually not reclaimed unless absolutely necessary). | 468 703 KB (~ 468 MB) |
  557. | kbinact | Amount of inactive memory in kilobytes (memory which has been less recently used. It is more eligible to be reclaimed for other purposes). | 301 098 KB (~ 301 MB) |
  558. | kbdirty | Amount of memory in kilobytes waiting to get written back to the disk. | 254 KB (0.254 MB) |
  559. 

  560. **NOTE:** Descriptions are provided in `sysstat` package (manpages).
  561. 

  562. **Analysis - Memory Statistics**
  563. 

  564. The target server memory size:
  565. 

  566. ```
  567. [newuser@goauldhost: ~ ]$ grep -i memtotal /proc/meminfo
  568. MemTotal:        1016088 kB
  569. ```
  570. 

  571. i.e. approximately ~ 1016 MB.
  572. 

  573. Great part of this memory were in use during the observation period. There were multiple active processes running on the server computer during the period, thus increased workload was intended and meant for statistics collection.
  574. 

  575. The web server didn't have Swap partition or Swap file. This can be found out by
  576. 

  577. - executing command `for i in "cat /etc/fstab" "sudo fdisk -l"; do $i | grep -i swap; echo $?; done` which returns value 1 two times  (meaning returning of 'false' boolean value to shell two separate times) 
  578. 

  579. - Or, for instance:
  580. 

  581. ```
  582. [newuser@goauldhost: ~ ]$ cat /etc/fstab
  583. LABEL=cloudimg-rootfs	/	 ext4	defaults	0 0
  584. LABEL=UEFI	/boot/efi	vfat	defaults	0 0
  585. 

  586. [newuser@goauldhost: ~ ]$ sudo fdisk -l
  587. [sudo] password for newuser: 
  588. Disk /dev/vda: 25 GiB, 26843545600 bytes, 52428800 sectors
  589. Units: sectors of 1 * 512 = 512 bytes
  590. Sector size (logical/physical): 512 bytes / 512 bytes
  591. I/O size (minimum/optimal): 512 bytes / 512 bytes
  592. Disklabel type: gpt
  593. Disk identifier: 39DFE5D0-C8FB-44D8-93F8-EBB37A54BDF8
  594. 

  595. Device      Start      End  Sectors  Size Type
  596. /dev/vda1  227328 52428766 52201439 24.9G Linux filesystem
  597. /dev/vda14   2048    10239     8192    4M BIOS boot
  598. /dev/vda15  10240   227327   217088  106M Microsoft basic data
  599. ```
  600. 

  601. It may not be wise to collect Swap statistics (although Linux kernel [Swappiness value](https://en.wikipedia.org/wiki/Swappiness) has default value `60` defined in `/proc/sys/vm/swappiness` on DigitalOcean virtual servers).
  602. 

  603. ------------------------------------------------
  604. 

  605. ### SAR - I/O statistics

  606. 

  607. ![sar-iostat](https://github.com/Fincer/linux_server_setup/blob/master/images/sar-iostats.png)
  608. 

  609. Main command: `iostat -dmtx 20`
  610. 

  611. ```
  612. -d     Display the device utilization report.
  613. -m     Display statistics in megabytes per second.
  614. -t     Print the time for each report displayed.
  615. -x     Display extended statistics.
  616. 20     20 sec interval.
  617. ```
  618. 

  619. | Field | Description |
  620. |--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
  621. | Device | Device or partition defined in system directory '/dev'. |
  622. | rrqm/s | The number of read requests merged per second that were queued to the device. |
  623. | wrqm/s | The percentage of write requests merged together before being sent to the device. |
  624. | r/s | The number (after merges) of read requests completed per second for the device. |
  625. | w/s | The number (after merges) of write requests completed per second for the device. |
  626. | rMB/s | The number of sectors (KB, MB) read from the device per second. |
  627. | wMB/s | The number of sectors (KB, MB) write from the device per second. |
  628. | avgrq-sz (areq-sz) | The average size (in kilobytes) of the I/O requests,that were issued to the device. |
  629. | avgqu-sz (aqu-sz) | The average queue length of the requests that were issued to the device. |
  630. | await | The average time (ms) for I/O requests issued to the device to be served. This includes the time spent by the requests in queue and the time spent servicing them. |
  631. | r_await | The average time (ms) for read requests issued to the device to be served. This includes the time spent by the requests in queue and the time spent servicing them. |
  632. | w_await | The average time (ms),for,write,requests issued to the device to be served. This includes the time spent by the requests in queue and the time spent servicing them. |
  633. | svctm | The average service time (ms) for I/O requests that were issued to the device. This field will be removed in a future sysstat version. |
  634. | %util | Percentage of elapsed time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100% for devices serving requests serially. But for devices serving requests in parallel, such as RAID arrays and modern SSDs, this number does not reflect their performance limits. |
  635. 

  636. **NOTE:** Descriptions are provided in sysstat package (manpages).
  637. 

  638. **Analysis - I/O Statistics**
  639. 

  640. Virtual partition `/dev/vda` were hibernated most of the time during the observation period. Little variation can be seen in writing requests (`wrqm/s`), in succeeded writing requests (`w/s`) and in written sector count (`wMB/s`). Average sector size is 10-20 sectors (`avgrq-sz`) which is quite little. I/O and read request service times are mostly 0.0. Workload of the virtual hard drive is low during the observation period.
  641. 

  642. ------------------------------------------------
  643. 

  644. In addition to sysstat, `top` command could have been used in some TTY session in order to observe processes in real time, and with [inotify](https://en.wikipedia.org/wiki/Inotify), some file system changes could have been reported. Sysstat's advantage is that programs which are included in it can record and save analytics in binary format for further and detailed inspection.
  645. 

  646. **f)** (optional) Change sshd (SSH server process) port
  647. --------------
  648. 

  649. **Answer:**
  650. 

  651. Let the following shell script do the job...
  652. 

  653. ```
  654. #!/bin/bash

  655. 

  656. # SSH server daemon configuration file in the system

  657. SSH_CONFIG=/etc/ssh/sshd_config
  658. 

  659. # New SSH server daemon input port as user input value.

  660. NEW_SSH_PORT=$1
  661. 

  662. [[ -f $SSH_CONFIG ]] \
  663. && sed -i "s/.*Port.*/Port $NEW_SSH_PORT/" $SSH_CONFIG && echo "SSH server: new port $NEW_SSH_PORT is set." \
  664. || echo "SSH server configuration file could not be found!"
  665. 

  666. if [[ $(cat $SSH_CONFIG | grep -i port | awk '{print $2}') == $NEW_SSH_PORT ]]; then
  667.     echo -e "SSH server input port has been changed to $NEW_SSH_PORT.\n \
  668. Restarting SSH server daemon in order to apply the changes (root required)."
  669. 

  670.     sudo systemctl restart sshd.service
  671. 

  672.     if [[ $? == 0 ]]; then
  673.         echo "SSH server daemon restarted, new input port is $NEW_SSH_PORT."
  674.     else
  675.         echo "Something went wrong while restarting SSH server daemon. Execute 'systemctl status sshd.service' \
  676. to get more information about the problem."
  677.     fi
  678. fi
  679. ```
  680. 

  681. Save the above script code in file `$HOME/ssh-port.sh`, for instance. Change the port with command `bash $HOME/ssh-port.sh 4312` where the number value is your new SSH port (`4312` in this case).
  682. 

  683. ------------------------------------------------
  684. 

  685. ### EXTRA - Using new port address of SSH server daemon when connecting with a client computer/program

  686. 

  687. Changing SSH server input port on the server computer must be taken into account while establishing connection with a client computer. Because the default SSH port `22` is not used anymore, the following syntax must be applied while connecting to the SSH server computer:
  688. 

  689. ```
  690. [19/02/2018 23:23:49 - fincer: ~ ]$ ssh newuser@174.138.2.190 -p <new-port-number>
  691. ```
  692. 

  693. ------------------------------------------------
  694. 

  695. ### EXTRA - detecting SSH port change with port scanning techniques (nmap)

  696. 

  697. Enable log level `VERBOSE` in `/etc/ssh/sshd_config` configuration file (`LogLevel VERBOSE`), restart SSH server daemon with command `sudo systemctl restart sshd.service` and try port scanning with another computer.
  698. 

  699. Port scanning:
  700. 

  701. ```
  702. nmap -sS -F -v -O 174.138.2.190
  703. ```
  704. 

  705. nmap output when port scanning is applied with another computer using target IP `174.138.2.190` and port `1234` (**NOTE:** This scanning has been applied to my own server only **once** as an experiment, not in bad intentions! Make sure you have permission to proceed with your scanning and do not attack to any server just for fun, to avoid any problems!):
  706. 

  707. ```
  708. phelenius@my-machine:~$ sudo nmap -sS -p 1234 -O -v 174.138.2.190
  709. 

  710. Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-19 20:02 EET
  711. Initiating Ping Scan at 20:02
  712. Scanning 174.138.2.190 [4 ports]
  713. Completed Ping Scan at 19:59, 0.20s elapsed (1 total hosts)
  714. Initiating Parallel DNS resolution of 1 host. at 20:02
  715. Completed Parallel DNS resolution of 1 host. at 20:02, 0.01s elapsed
  716. Initiating SYN Stealth Scan at 20:02
  717. Scanning 174.138.2.190 [1 port]
  718. Completed SYN Stealth Scan at 20:02, 0.20s elapsed (1 total ports)
  719. Initiating OS detection (try #1) against 174.138.2.190
  720. adjust_timeouts2: packet supposedly had rtt of -125997 microseconds.  Ignoring time.
  721. adjust_timeouts2: packet supposedly had rtt of -125997 microseconds.  Ignoring time.
  722. Retrying OS detection (try #2) against 174.138.2.190
  723. adjust_timeouts2: packet supposedly had rtt of -150518 microseconds.  Ignoring time.
  724. adjust_timeouts2: packet supposedly had rtt of -150518 microseconds.  Ignoring time.
  725. WARNING: OS didn't match until try #2
  726. Nmap scan report for 174.138.2.190
  727. Host is up (0.00041s latency).
  728. PORT   STATE    SERVICE
  729. 1234/tcp open  unknown
  730. Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
  731. Device type: switch|general purpose|media device
  732. Running: Cisco CatOS 7.X|8.X, HP Tru64 UNIX 5.X, Vantage embedded
  733. OS CPE: cpe:/h:cisco:catalyst_ws-c6506 cpe:/o:cisco:catos:7.6 cpe:/o:cisco:catos:8.3 cpe:/o:hp:tru64:5.1a cpe:/h:vantage:hd7100s
  734. OS details: Cisco Catalyst WS-C6506 switch (CatOS 7.6(16)), Cisco Catalyst switch (CatOS 8.3(2)), HP Tru64 UNIX 5.1A, Vantage HD7100S satellite receiver
  735. 

  736. Read data files from: /usr/bin/../share/nmap
  737. OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  738. Nmap done: 1 IP address (1 host up) scanned in 3.39 seconds
  739.            Raw packets sent: 44 (6.312KB) | Rcvd: 18 (1.820KB)
  740. ```
  741. 

  742. If SSH server uses the default input port `22`, the following is likely to be presented in output of `nmap` command (unless you've defined a particular port to be scanned in your `nmap` command, like port `1234`):
  743. 

  744. ```
  745. PORT   STATE    SERVICE
  746. 22/tcp filtered ssh
  747. ```
  748. 

  749. Corresponding log entries of targeted SSH server during the nmap scanning (`/var/log/auth.log`):
  750. 

  751. ```
  752. Feb 19 18:02:46 goauldhost sshd[30057]: Connection from XXX.XXX.XXX.XXX port 6967 on 174.138.2.190 port 1234
  753. Feb 19 18:02:46 goauldhost sshd[30057]: Did not receive identification string from XXX.XXX.XXX.XXX
  754. Feb 19 18:02:46 goauldhost sshd[30058]: Connection from XXX.XXX.XXX.XXX port 52205 on 174.138.2.190 port 1234
  755. Feb 19 18:02:46 goauldhost sshd[30058]: Did not receive identification string from XXX.XXX.XXX.XXX
  756. Feb 19 18:02:47 goauldhost sshd[30059]: Connection from XXX.XXX.XXX.XXX port 25326 on 174.138.2.190 port 1234
  757. Feb 19 18:02:47 goauldhost sshd[30059]: Did not receive identification string from XXX.XXX.XXX.XXX
  758. Feb 19 18:02:47 goauldhost sshd[30060]: Connection from XXX.XXX.XXX.XXX port 32812 on 174.138.2.190 port 1234
  759. Feb 19 18:02:47 goauldhost sshd[30060]: Did not receive identification string from XXX.XXX.XXX.XXX
  760. Feb 19 18:02:47 goauldhost sshd[30061]: Connection from XXX.XXX.XXX.XXX port 17024 on 174.138.2.190 port 1234
  761. Feb 19 18:02:47 goauldhost sshd[30061]: Did not receive identification string from XXX.XXX.XXX.XXX
  762. Feb 19 18:02:47 goauldhost sshd[30062]: Connection from XXX.XXX.XXX.XXX port 53268 on 174.138.2.190 port 1234
  763. Feb 19 18:02:47 goauldhost sshd[30062]: Did not receive identification string from XXX.XXX.XXX.XXX
  764. Feb 19 18:02:47 goauldhost sshd[30063]: Connection from XXX.XXX.XXX.XXX port 34923 on 174.138.2.190 port 1234
  765. Feb 19 18:02:47 goauldhost sshd[30063]: Did not receive identification string from XXX.XXX.XXX.XXX
  766. Feb 19 18:02:47 goauldhost sshd[30064]: Connection from XXX.XXX.XXX.XXX port 14489 on 174.138.2.190 port 1234
  767. Feb 19 18:02:47 goauldhost sshd[30064]: Did not receive identification string from XXX.XXX.XXX.XXX
  768. Feb 19 18:02:47 goauldhost sshd[30065]: Connection from XXX.XXX.XXX.XXX port 40086 on 174.138.2.190 port 1234
  769. Feb 19 18:02:47 goauldhost sshd[30065]: Did not receive identification string from XXX.XXX.XXX.XXX
  770. Feb 19 18:02:47 goauldhost sshd[30066]: Connection from XXX.XXX.XXX.XXX port 38147 on 174.138.2.190 port 1234
  771. Feb 19 18:02:47 goauldhost sshd[30066]: Did not receive identification string from XXX.XXX.XXX.XXX
  772. Feb 19 18:02:48 goauldhost sshd[30067]: Connection from XXX.XXX.XXX.XXX port 49215 on 174.138.2.190 port 1234
  773. Feb 19 18:02:48 goauldhost sshd[30067]: Did not receive identification string from XXX.XXX.XXX.XXX
  774. Feb 19 18:02:48 goauldhost sshd[30068]: Connection from XXX.XXX.XXX.XXX port 34445 on 174.138.2.190 port 1234
  775. Feb 19 18:02:48 goauldhost sshd[30068]: Did not receive identification string from XXX.XXX.XXX.XXX
  776. Feb 19 18:02:48 goauldhost sshd[30069]: Connection from XXX.XXX.XXX.XXX port 4600 on 174.138.2.190 port 1234
  777. Feb 19 18:02:48 goauldhost sshd[30069]: Did not receive identification string from XXX.XXX.XXX.XXX
  778. Feb 19 18:02:48 goauldhost sshd[30070]: Connection from XXX.XXX.XXX.XXX port 59405 on 174.138.2.190 port 1234
  779. Feb 19 18:02:48 goauldhost sshd[30070]: Did not receive identification string from XXX.XXX.XXX.XXX
  780. Feb 19 18:02:48 goauldhost sshd[30071]: Connection from XXX.XXX.XXX.XXX port 7848 on 174.138.2.190 port 1234
  781. Feb 19 18:02:48 goauldhost sshd[30071]: Did not receive identification string from XXX.XXX.XXX.XXX
  782. Feb 19 18:02:49 goauldhost sshd[30072]: Connection from XXX.XXX.XXX.XXX port 5206 on 174.138.2.190 port 1234
  783. Feb 19 18:02:49 goauldhost sshd[30072]: Did not receive identification string from XXX.XXX.XXX.XXX
  784. Feb 19 18:02:50 goauldhost sshd[30073]: Connection from XXX.XXX.XXX.XXX port 5517 on 174.138.2.190 port 1234
  785. Feb 19 18:02:50 goauldhost sshd[30073]: Did not receive identification string from XXX.XXX.XXX.XXX
  786. Feb 19 18:02:50 goauldhost sshd[30074]: Connection from XXX.XXX.XXX.XXX port 3970 on 174.138.2.190 port 1234
  787. Feb 19 18:02:50 goauldhost sshd[30074]: Did not receive identification string from XXX.XXX.XXX.XXX
  788. Feb 19 18:02:50 goauldhost sshd[30075]: Connection from XXX.XXX.XXX.XXX port 38690 on 174.138.2.190 port 1234
  789. Feb 19 18:02:50 goauldhost sshd[30075]: Did not receive identification string from XXX.XXX.XXX.XXX
  790. Feb 19 18:02:50 goauldhost sshd[30076]: Connection from XXX.XXX.XXX.XXX port 50572 on 174.138.2.190 port 1234
  791. Feb 19 18:02:50 goauldhost sshd[30076]: Did not receive identification string from XXX.XXX.XXX.XXX
  792. Feb 19 18:02:50 goauldhost sshd[30077]: Connection from XXX.XXX.XXX.XXX port 27830 on 174.138.2.190 port 1234
  793. Feb 19 18:02:50 goauldhost sshd[30077]: Did not receive identification string from XXX.XXX.XXX.XXX
  794. Feb 19 18:02:50 goauldhost sshd[30078]: Connection from XXX.XXX.XXX.XXX port 49371 on 174.138.2.190 port 1234
  795. Feb 19 18:02:50 goauldhost sshd[30078]: Did not receive identification string from XXX.XXX.XXX.XXX
  796. Feb 19 18:02:51 goauldhost sshd[30079]: Connection from XXX.XXX.XXX.XXX port 36802 on 174.138.2.190 port 1234
  797. Feb 19 18:02:51 goauldhost sshd[30079]: Did not receive identification string from XXX.XXX.XXX.XXX
  798. Feb 19 18:02:51 goauldhost sshd[30080]: Connection from XXX.XXX.XXX.XXX port 50546 on 174.138.2.190 port 1234
  799. Feb 19 18:02:51 goauldhost sshd[30080]: Did not receive identification string from XXX.XXX.XXX.XXX
  800. Feb 19 18:02:51 goauldhost sshd[30081]: Connection from XXX.XXX.XXX.XXX port 43542 on 174.138.2.190 port 1234
  801. Feb 19 18:02:51 goauldhost sshd[30081]: Did not receive identification string from XXX.XXX.XXX.XXX
  802. Feb 19 18:02:51 goauldhost sshd[30082]: Connection from XXX.XXX.XXX.XXX port 56108 on 174.138.2.190 port 1234
  803. Feb 19 18:02:51 goauldhost sshd[30082]: Did not receive identification string from XXX.XXX.XXX.XXX
  804. Feb 19 18:02:51 goauldhost sshd[30083]: Connection from XXX.XXX.XXX.XXX port 6399 on 174.138.2.190 port 1234
  805. Feb 19 18:02:51 goauldhost sshd[30083]: Did not receive identification string from XXX.XXX.XXX.XXX
  806. Feb 19 18:02:51 goauldhost sshd[30084]: Connection from XXX.XXX.XXX.XXX port 55980 on 174.138.2.190 port 1234
  807. Feb 19 18:02:51 goauldhost sshd[30084]: Did not receive identification string from XXX.XXX.XXX.XXX
  808. Feb 19 18:02:51 goauldhost sshd[30085]: Connection from XXX.XXX.XXX.XXX port 12713 on 174.138.2.190 port 1234
  809. Feb 19 18:02:51 goauldhost sshd[30085]: Did not receive identification string from XXX.XXX.XXX.XXX
  810. Feb 19 18:02:51 goauldhost sshd[30086]: Connection from XXX.XXX.XXX.XXX port 5026 on 174.138.2.190 port 1234
  811. Feb 19 18:02:51 goauldhost sshd[30086]: Did not receive identification string from XXX.XXX.XXX.XXX
  812. 

  813. ```
  814. 

  815. The server computer has logged invalid nmap connection requests. In this case, we have defined the known SSH connection port number `1234` in our `nmap` command on the client computer (which is INPUT port at the server end, OUTPUT port at the client end).
  816. 

  817. You may check suggested countermeasures against port scanners on [Unix & Linux Stack Exchange](https://unix.stackexchange.com/questions/345114/how-to-protect-against-port-scanners/407904#407904). Does these measures interfere negatively to other network traffic in busy server environments? This depends on which ports (read: server daemon programs/services) are targets of your countermeasures.
  818. 

  819. Another `nmap` command shows us the following:
  820. 

  821. ```
  822. phelenius@my-machine:~$ sudo nmap 174.138.2.190 -sV
  823. 

  824. Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-20 14:50 EET
  825. Nmap scan report for 174.138.2.190
  826. Host is up (0.33s latency).
  827. Not shown: 998 filtered ports
  828. PORT     STATE SERVICE VERSION
  829. 1234/tcp open  ssh     OpenSSH 7.6 (protocol 2.0)
  830. 80/tcp   open  http
  831. ...
  832. ```
  833. 

  834. ... which reveals the actual service behind our new-defined port 1234/tcp to an attacker. In addition, the attacker can get more information about the server system, especially on Debian-based Linux distributions. For instance:
  835. 

  836. ```
  837. ...
  838. PORT   STATE SERVICE VERSION
  839. 22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
  840. ...
  841. ```
  842. 

  843. This information can be hidden by adding line `DebianBanner no` in `/etc/ssh/sshd_config` on Debian-based Linux systems and restarting the SSH server daemon with command `sudo systemctl restart sshd.service` afterwards
  844. 

  845. **NOTE:** Port scanning does not leave any log traces behind in Apache's access.log file (`/var/log/apache/access.log`)!
  846. 

  847. Check also
  848.  
  849. - [MyPapit GNU/Linux - How to Hide OpenSSH Ubuntu version from Nmap and other scanners](https://blog.mypapit.net/2015/08/how-to-hide-openssh-ubuntu-release-from-nmap-and-other-scanners.html)
  850. 

  851. - [serverfault.com - How to hide web server name and openssh version on linux when scanning server ports?](https://serverfault.com/questions/81690/how-to-hide-web-server-name-and-openssh-version-on-linux-when-scanning-server-po/81697#81697)
  852. 

  853. - [Unix & Linux Stack Exchange - Change SSH banner which is grabbed by netcat](https://unix.stackexchange.com/questions/269024/change-ssh-banner-which-is-grabbed-by-netcat/269027#269027)
  854. 

  855. - [GitHub - metacloud/openssh - Include the Debian version in our identification](https://github.com/metacloud/openssh/blob/master/debian/patches/package-versioning.patch)
  856. 

  857. ------------------------------------------------
  858. 

  859. ### EXTRA - Using Port Knocking technique against port scanning

  860. 

  861. Nmap requests are targeted to layer 3 (Network Layer) in OSI model. Additional security measures can be taken by applying [Port Knocking login techniques](https://wiki.archlinux.org/index.php/Port_knocking) on the server computer.
  862. 

  863. **WARNING!** The following **Knockd daemon** may break easily. Thus it can not be recommended for critical or rapidly updating server environments. For instance, dhcpcd version 7 or above breaks `knockd` daemon. Many users have had problems to start the daemon service during server boot-up process. Knockd assumes that you have a preconfigured network interface with established network connection (this is not 100% valid information but this is my best guess).
  864. 

  865. [DigitalOcean, "Port Knocking" - Ubuntu, knockd](https://www.digitalocean.com/community/tutorials/how-to-use-port-knocking-to-hide-your-ssh-daemon-from-attackers-on-ubuntu):
  866. 

  867. Dynamic firewall rules are manually applied to the server (iptables, for instance) or separate daemon process ([for instance, knockd](http://www.zeroflux.org/projects/knock)) is set up on the server computer. Daemon process is used to open a pre-defined port only if a client program has knocked correct server port numbers in right order and using correct protocol, either TCP or UDP, and this all has been done in predefined time limit. Additionally, limited timeout for user log-in can be set. For instance, a correctly authenticated user must log in in 10 seconds ater Knock daemon has opened a SSH port for that time period. When the time limit is reached, Knock daemon closes the port for any further connection attempts unless the knock port sequence is re-applied.
  868. 

  869. Knocking technique must be configured so that firewall does not close already established connections (like SSH in our case), but refuses any further connection attempts so that the port can not be detected with nmap port scanning techniques after the time limit has been reached.
  870. 

  871. [DigitalOcean, "Port Knocking" - FWKnop - Single packet authentication](https://www.digitalocean.com/community/tutorials/how-to-use-fwknop-to-enable-single-packet-authentication-on-ubuntu-12-04): 
  872. 

  873. Some more or less secure implementations for port knocking exist. Various encryption methods can be applied to the knocking technique, making it more difficult for an attacker to sniff network packets between a server and a client. One solution using encyption methods is [fwknop](http://www.cipherdyne.org/fwknop/) which uses `Single Packet Authorization` (SPA) method instead of insecure port sequences.
  874. 

  875. More about Port Knocking technique:
  876. 

  877. - [Improved Port Knocking with Strong Authentication - Rennie deGraaf, John Aycock, and Michael Jacobson, Jr.∗ (Department of Computer Science - University of Calgary)](https://www.acsac.org/2005/papers/156.pdf)
  878. 

  879. - [OpenWRT website](https://wiki.openwrt.org/doc/howto/portknock.server)
  880. 

  881. - [portknocking.org](http://www.portknocking.org/) and practical solutions on [Implementations sub-page](http://www.portknocking.org/view/implementations)
  882. 

  883. - [Information Security Stack Exchange - Port Knocking is it a good idea?](https://security.stackexchange.com/questions/1194/port-knocking-is-it-a-good-idea/1196#1196)
  884. 

  885. **NOTE:** Port Knocking technique must not be applied to block ports of server daemon processes which are required to be always reachable from a client program (take Apache server for an example). For SSH which does not require 24/7/365 connection, port knocking techniques can be applied more reliably. In addition to public key, password and PAM authentication methods, port knocking adds one more security layer to the stack. However, you must not apply these security countermeasures individually but use them together, instead. **The goal is to make it more difficult for an attacker to penetrate your network security.**
  886. 

  887. ------------------------------------------------
  888. 

  889. ### EXTRA - ARP Scan and spoofing your MAC address

  890. 

  891. Program [arp-scan](https://www.blackmoreops.com/2015/12/31/use-arp-scan-to-find-hidden-devices-in-your-network/) can be used in limited scale to scan a MAC address (OSI model layer 2, Data Link Layer) in a network.
  892. 

  893. Unique MAC address of a network interface (network card) can programmatically be spoofed with [these Arch Wiki instructions](https://wiki.archlinux.org/index.php/MAC_address_spoofing#Method_1:_systemd-networkd) or with my [Spoof MAC Address shell script](https://github.com/Fincer/linux_server_setup/blob/master/scripts/spoof_mac_address.sh).
  894. 

  895. Sample results of ARP Scan.
  896. 

  897. BEFORE:
  898. 

  899. ```
  900. [20/02/2018 18:52:35 - fincer: ~ ]$ sudo arp-scan --interface=wlan0 --localnet
  901. [sudo] password for fincer: 
  902. Interface: wlan0, datalink type: EN10MB (Ethernet)
  903. Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
  904. A.B.C.D         f4:0e:22:ad:b8:7d       (Unknown)
  905. 1.2.3.4         18:a9:05:4b:61:58       Hewlett-Packard Company
  906. ```
  907. 

  908. AFTER - MAC address of a computer having IP address 1.2.3.4 has been changed:
  909. 

  910. ```
  911. [20/02/2018 18:54:28 - fincer: ~ ]$ sudo arp-scan --interface=wlan0 --localnet
  912. Interface: wlan0, datalink type: EN10MB (Ethernet)
  913. Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
  914. A.B.C.D         f4:0e:22:ad:b8:7d       (Unknown)
  915. 1.2.3.4         aa:0c:9a:fa:7b:d4       (Unknown)
  916. ```
  917. 

  918. The following warning messages may be expected after spoofing a MAC address and when you establish SSH connection from a local computer to your server:
  919. 

  920. ```
  921. Warning: Permanently added the ECDSA host key for IP address '[1.2.3.4]:22' to the list of known hosts.
  922. ```
  923. 

  924. **g)** (optional) Allow SSH login only for users in group 'sshers'. Add your account to this group.
  925. --------------
  926. 

  927. **Answer:**
  928. 

  929. **1.** Log in to the server computer (`ssh username@server-ip -p <ssh-port>`)
  930. 

  931. **2.** Add group `sshers` with GID number `876` (you don't have to define GID here)
  932. 

  933. ```
  934. sudo groupadd -g 876 sshers
  935. ```
  936. 

  937. **3.** You can confirm existence of the created group with command `grep sshers /etc/group`. Output:
  938. 

  939. ```
  940. sshers:x:876:
  941. ```
  942. 

  943. **4.** Add the current user (read: yourself) `newuser` into this group
  944. 

  945. ```
  946. sudo usermod -aG sshers newuser
  947. ```
  948. 

  949. **5.** Command `grep sshers /etc/group` output now:
  950. 

  951. ```
  952. sshers:x:876:newuser
  953. ```
  954. 

  955. You can alternatively check groups of `newuser` by executing command `groups` while being that user:
  956. 

  957. ```
  958. [27/02/2018 10:39:58 - newuser@goauldhost: ~ ]$ groups
  959. sshers newuser sudo
  960. ```
  961. 

  962. or using command `sudo -u newuser groups` as any system user who can execute commands with sudo.
  963. 

  964. **NOTE:** `groups` command gives you correct output only after re-login.
  965. 

  966. **6.** Allow SSH login only to members of the group `sshers`.
  967. 

  968. Manual page of `sshd_config` (`man sshd_config`) describes `AllowGroups` option as follows:
  969. 

  970. > AllowGroups

  971. > This keyword can be followed by a list of group name patterns, separated by spaces.  If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns.  Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups.  The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.

  972. 

  973. Let's apply the following information into SSH server daemon configuration file `/etc/ssh/sshd_config`:
  974. 

  975. ```
  976. PermitRootLogin no
  977. AllowGroups sshers
  978. ```
  979. 

  980. And comment out the following lines (be careful here!):
  981. 

  982. ```
  983. # DenyUsers <user accounts>

  984. # AllowUsers <user accounts>

  985. # DenyGroups <group names>

  986. ```
  987. 

  988. If those lines are not defined in the configuration file, it is OK.
  989. 

  990. You can add multiple groups and users after those keywords, as you like.
  991. 

  992. For additional security, the following options can be applied as well (into `/etc/ssh/sshd_config` file), depending on your requests for SSH authentication policy:
  993. 

  994. ```
  995. IgnoreRhosts yes
  996. PermitEmptyPasswords no
  997. ChallengeResponseAuthentication yes
  998. UsePAM yes
  999. MaxAuthTries 3
  1000. ```
  1001. 

  1002. etc. More options and configurations can be found with commands `man sshd_config` and `man sshd`
  1003. 

  1004. **7.** Let's save this configuration and restart SSH server daemon by applying command `sudo systemctl restart sshd.service` (NOTE! Disconnects already-established/existing SSH connections!)
  1005. 

  1006. **8.** Test SSH login with a client computer using remote user `newuser` (belonging to the remote group `sshers`). Command syntax is: `ssh newuser@server-ip -p <server-port>`
  1007. 

  1008. **h)** (optional) Attach a remote network directory with sshfs.
  1009. --------------
  1010. 

  1011. **Answer:**
  1012. 

  1013. SSHFS stands for SSH File System. Corresponding program `sshfs` has been developed to attach SSH server file systems (folders/files) remotely on a client computer so that all attached file systems can locally be browsed on the client computer. SSHFS uses encrypted SFTP protocol (SSH/Secure File Transfer Protocol) for file tranfers.
  1014. 

  1015. **1.** Install `sshfs` with command sequence `sudo apt-get update && sudo apt-get -y install sshfs` on a Debian-based Linux system.
  1016. 

  1017. **2.** Mount remote folder `/home/newuser/public_html/` (server), to path `/home/<current-user>/public_html_ssh_remote` on your client computer. 
  1018. 

  1019. ```
  1020. mkdir $HOME/public_html_ssh_remote && sshfs newuser@174.138.2.190:./public_html $HOME/public_html_ssh_remote -p <ssh port>
  1021. ```
  1022. 

  1023. **NOTE:** If you use public key SSH authentication method, you are not asked for any password.
  1024. 

  1025. **3.** Check that you have successfully mounted your remote server folder `/home/newuser/public_html` to the client computer (command `ls ~/public_html_ssh_remote/`). Output should be as follows:
  1026. 

  1027. ```
  1028. index.html
  1029. ```
  1030. 

  1031. Additionally, check output of command `mount | grep public_html_ssh_remote`:
  1032. 

  1033. ```
  1034. newuser@174.138.2.190:./public_html on /home/phelenius/public_html_ssh_remote type fuse.sshfs (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)
  1035. ```
  1036. 

  1037. **4.** Unmount the remote folder by issuing command `sudo umount /home/phelenius/public_html_ssh_remote`. On the client end, `ls` command should have empty output for directory `public_html_ssh_remote`.