
H5: Minor fixes

master
Pekka Helenius 6 years ago
committed by GitHub
parent
commit
673576ca6a
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 15 additions and 16 deletions
exercises/h5.md (+15 -16)

@ -55,7 +55,7 @@ phelenius@my-machine:~$ man sshd | grep -E "\-D" -C1
> -D Do not detach and become daemon. This is often used when sshd is run using systemd. This allows easier monitoring of the process in such environments. Without this option, the SSH server forks and detaches from terminal, making itself a background daemon process. The latter has been the traditional way to run the SSH server until recently. Many embedded systems would still use the latter. > -D Do not detach and become daemon. This is often used when sshd is run using systemd. This allows easier monitoring of the process in such environments. Without this option, the SSH server forks and detaches from terminal, making itself a background daemon process. The latter has been the traditional way to run the SSH server until recently. Many embedded systems would still use the latter.
About relevance of the `-D` parameter has been discussed, for instance, on [superuser.com (Differences between ssh -L to -D](https://superuser.com/questions/408031/differences-between-ssh-l-to-d).
About relevance of the `-D` parameter has been discussed, for instance, on [superuser.com (Differences between ssh -L to -D](https://superuser.com/questions/408031/differences-between-ssh-l-to-d)).
**b)** Establish a firewall protection to the server computer (Note: allow SSH traffic before that) **b)** Establish a firewall protection to the server computer (Note: allow SSH traffic before that)
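Review bot: the `)` added at the end of the link line closes a parenthesis that was opened inside the link text, so the rendered anchor still reads "superuser.com (Differences between ssh -L to -D" with the closing parenthesis left outside it. Move the opening parenthesis out of the square brackets so that only the question title is the link text. Separately, the linked title is about the `ssh` client's `-L` and `-D` forwarding options, while the quoted man page text is about the `sshd` daemon's `-D` (do not detach). These are different flags, so the reference should be replaced or explicitly labelled as being about the client.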
@ -129,7 +129,7 @@ Synchronizing state of ufw.service with SysV init with /lib/systemd/systemd-sysv
Executing /lib/systemd/systemd-sysv-install enable ufw Executing /lib/systemd/systemd-sysv-install enable ufw
``` ```
#### iptables configuration
### iptables configuration
**1.** Remove UFW from the Linux system, and remove all relevant UFW entries from iptables firewall rule list. **1.** Remove UFW from the Linux system, and remove all relevant UFW entries from iptables firewall rule list.
@ -223,7 +223,7 @@ More about iptables:
- [The Geek Stuff - 25 Most Frequently Used Linux IPTables Rules Examples](https://www.thegeekstuff.com/2011/06/iptables-rules-examples) - [The Geek Stuff - 25 Most Frequently Used Linux IPTables Rules Examples](https://www.thegeekstuff.com/2011/06/iptables-rules-examples)
#### Other firewall solutions
### Other firewall solutions
In addition to UFW, other iptables-based firewall solutions have been developed on Linux. Take a look on [Firestarter](http://www.fs-security.com/), [Firewalld](https://fedoraproject.org/wiki/Firewalld?rd=FirewallD), [PeerGuardian](https://sourceforge.net/projects/peerguardian/?source=navbar), [FWBuilder](http://www.fwbuilder.org/), etc. In addition to UFW, other iptables-based firewall solutions have been developed on Linux. Take a look on [Firestarter](http://www.fs-security.com/), [Firewalld](https://fedoraproject.org/wiki/Firewalld?rd=FirewallD), [PeerGuardian](https://sourceforge.net/projects/peerguardian/?source=navbar), [FWBuilder](http://www.fwbuilder.org/), etc.
@ -400,7 +400,7 @@ cd
**NOTE:** Location of the banner file varies between different Linux distributions. For instance, Arch Linux uses banner file `/etc_motd`. **NOTE:** Location of the banner file varies between different Linux distributions. For instance, Arch Linux uses banner file `/etc_motd`.
**j)** Install, configure and start sysstat. Use sar command to confirm whether the sysstat package services have been enabled (for instance, log entry "Linux reboot..." exists). Run sysstat a day or two. Afterwards, check computer workload history with sysstat commands sar, iostat, pidstat etc. Analyze the results, i.e. explain the results in detail.
**e)** Install, configure and start sysstat. Use sar command to confirm whether the sysstat package services have been enabled (for instance, log entry "Linux reboot..." exists). Run sysstat a day or two. Afterwards, check computer workload history with sysstat commands sar, iostat, pidstat etc. Analyze the results, i.e. explain the results in detail.
-------------- --------------
**Answer:** **Answer:**
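Review bot: the NOTE kept as context directly above the relettered item gives the Arch Linux banner file as `/etc_motd`, which looks like a typo for `/etc/motd` and is worth fixing in the same pass. The relettering from `j)` to `e)` lines up with the `f)`, `g)` and `h)` changes in the later hunks, but any references to the old letters elsewhere in `exercises/h5.md` should be checked as well.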
@ -480,7 +480,7 @@ Additionally, iostat command was run on the background.
------------------------------------------------ ------------------------------------------------
#### SAR network statistics - IPv4 traffic
### SAR network statistics - IPv4 traffic
**command: sar -n IP -f sar-stats_2018-02-24_2018-02-26.file** **command: sar -n IP -f sar-stats_2018-02-24_2018-02-26.file**
@ -530,7 +530,7 @@ Check also
------------------------------------------------ ------------------------------------------------
SAR - memory consumption statistics - RAM & Swap
### SAR - memory consumption statistics - RAM & Swap
**command: sar -r -f sar-stats_2018-02-24_2018-02-26.file** **command: sar -r -f sar-stats_2018-02-24_2018-02-26.file**
**command: sar -S -f sar-stats_2018-02-24_2018-02-26.file** **command: sar -S -f sar-stats_2018-02-24_2018-02-26.file**
@ -600,7 +600,7 @@ It may not be wise to collect Swap statistics (although Linux kernel [Swappiness
------------------------------------------------ ------------------------------------------------
#### I/O statistics
### I/O statistics
![sar-iostat](https://github.com/Fincer/linux_server_setup/blob/master/images/sar-iostats.png) ![sar-iostat](https://github.com/Fincer/linux_server_setup/blob/master/images/sar-iostats.png)
@ -611,10 +611,9 @@ Main command: `iostat -dmtx 20`
-m Display statistics in megabytes per second. -m Display statistics in megabytes per second.
-t Print the time for each report displayed. -t Print the time for each report displayed.
-x Display extended statistics. -x Display extended statistics.
20 20 sec interval.
``` ```
**2.** 20 sec interval.
| Field | Description | | Field | Description |
|--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Device | Device or partition defined in system directory '/dev'. | | Device | Device or partition defined in system directory '/dev'. |
@ -642,7 +641,7 @@ Virtual partition `/dev/vda` were hibernated most of the time during the observa
In addition to sysstat, `top` command could have been used in some TTY session in order to observe processes in real time, and with [inotify](https://en.wikipedia.org/wiki/Inotify), some file system changes could have been reported. Sysstat's advantage is that programs which are included in it can record and save analytics in binary format for further and detailed inspection. In addition to sysstat, `top` command could have been used in some TTY session in order to observe processes in real time, and with [inotify](https://en.wikipedia.org/wiki/Inotify), some file system changes could have been reported. Sysstat's advantage is that programs which are included in it can record and save analytics in binary format for further and detailed inspection.
**e)** (optional) Change sshd (SSH server process) port
**f)** (optional) Change sshd (SSH server process) port
-------------- --------------
**Answer:** **Answer:**
@ -681,7 +680,7 @@ Save the above script code in file `$HOME/ssh-port.sh`, for instance. Change the
------------------------------------------------ ------------------------------------------------
#### EXTRA - Using new port address of SSH server daemon when connecting with a client computer/program
### EXTRA - Using new port address of SSH server daemon when connecting with a client computer/program
Changing SSH server input port on the server computer must be taken into account while establishing connection with a client computer. Because the default SSH port `22` is not used anymore, the following syntax must be applied while connecting to the SSH server computer: Changing SSH server input port on the server computer must be taken into account while establishing connection with a client computer. Because the default SSH port `22` is not used anymore, the following syntax must be applied while connecting to the SSH server computer:
@ -691,7 +690,7 @@ Changing SSH server input port on the server computer must be taken into account
------------------------------------------------ ------------------------------------------------
#### EXTRA - detecting SSH port change with port scanning techniques (nmap)
### EXTRA - detecting SSH port change with port scanning techniques (nmap)
Enable log level `VERBOSE` in `/etc/ssh/sshd_config` configuration file (`LogLevel VERBOSE`), restart SSH server daemon with command `sudo systemctl restart sshd.service` and try port scanning with another computer. Enable log level `VERBOSE` in `/etc/ssh/sshd_config` configuration file (`LogLevel VERBOSE`), restart SSH server daemon with command `sudo systemctl restart sshd.service` and try port scanning with another computer.
@ -855,7 +854,7 @@ Check also
------------------------------------------------ ------------------------------------------------
#### EXTRA - Using Port Knocking technique against port scanning
### EXTRA - Using Port Knocking technique against port scanning
Nmap requests are targeted to layer 3 (Network Layer) in OSI model. Additional security measures can be taken by applying [Port Knocking login techniques](https://wiki.archlinux.org/index.php/Port_knocking) on the server computer. Nmap requests are targeted to layer 3 (Network Layer) in OSI model. Additional security measures can be taken by applying [Port Knocking login techniques](https://wiki.archlinux.org/index.php/Port_knocking) on the server computer.
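Review bot: the context sentence under the renamed heading says Nmap requests are targeted to layer 3 (Network Layer), but this section is about port scanning and port knocking, and TCP/UDP ports belong to the transport layer (layer 4). Suggest correcting the layer reference while this section is being touched.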
@ -885,7 +884,7 @@ More about Port Knocking technique:
------------------------------------------------ ------------------------------------------------
#### EXTRA - ARP Scan and spoofing your MAC address**
### EXTRA - ARP Scan and spoofing your MAC address
Program [arp-scan](https://www.blackmoreops.com/2015/12/31/use-arp-scan-to-find-hidden-devices-in-your-network/) can be used in limited scale to scan a MAC address (OSI model layer 2, Data Link Layer) in a network. Program [arp-scan](https://www.blackmoreops.com/2015/12/31/use-arp-scan-to-find-hidden-devices-in-your-network/) can be used in limited scale to scan a MAC address (OSI model layer 2, Data Link Layer) in a network.
@ -920,7 +919,7 @@ The following warning messages may be expected after spoofing a MAC address and
Warning: Permanently added the ECDSA host key for IP address '[1.2.3.4]:22' to the list of known hosts. Warning: Permanently added the ECDSA host key for IP address '[1.2.3.4]:22' to the list of known hosts.
``` ```
**f)** (optional) Allow SSH login only for users in group 'sshers'. Add your account to this group.
**g)** (optional) Allow SSH login only for users in group 'sshers'. Add your account to this group.
-------------- --------------
**Answer:** **Answer:**
@ -1004,7 +1003,7 @@ etc. More options and configurations can be found with commands `man sshd_config
**8.** Test SSH login with a client computer using remote user `newuser` (belonging to the remote group `sshers`). Command syntax is: `ssh newuser@server-ip -p <server-port>` **8.** Test SSH login with a client computer using remote user `newuser` (belonging to the remote group `sshers`). Command syntax is: `ssh newuser@server-ip -p <server-port>`
**g)** (optional) Attach a remote network directory with sshfs.
**h)** (optional) Attach a remote network directory with sshfs.
-------------- --------------
**Answer:** **Answer:**

