@ -15,9 +15,9 @@ Let's pick up our previous major test [ict4tn021-1 autumn 2016](http://terokarvi
----------------------------
----------------------------
**Initial set-up for remote control of a server**
### Initial set-up for remote control of a server
_Prepare to control the server from abroad. Secure the server with firewall_
**Issue:** Prepare to control the server from abroad. Secure the server with firewall
We shall install SSH server daemon to the targeted server computer. It is assumed that local or other direct access to the server command line is available since SSH server daemon is not yet installed, thus preventing direct, remote SSH control of the server.
We shall install SSH server daemon to the targeted server computer. It is assumed that local or other direct access to the server command line is available since SSH server daemon is not yet installed, thus preventing direct, remote SSH control of the server.
@ -37,7 +37,7 @@ Command explanations:
- ip = Is the network interface, which should have connection to the internet, up and active (UP)?
- ip = Is the network interface, which should have connection to the internet, up and active (UP)?
When the internet connection is established, we shall proceed by installing the following packages, assuming that the server uses a Debian-based Linux distribution: openssh-server, openssh-sftp-server, openssh-client
When the internet connection is established, we shall proceed by installing the following packages, assuming that the server uses a Debian-based Linux distribution: `openssh-server`, `openssh-sftp-server`, `openssh-client`
On some distributions, those packages can be installed simply issuing:
On some distributions, those packages can be installed simply issuing:
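Review bot: `simply issuing` should read `simply by issuing`; both the old and new line carry the same grammar slip, so it is worth fixing while this line is being touched.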
@ -46,22 +46,20 @@ sudo apt-get update
sudo apt-get -y install ssh
sudo apt-get -y install ssh
```
```
We shall confirm that the SSH server daemon starts during the server boot-up. We shall also confirm that the SSH server daemon is up and running and its status is 'active':
We shall confirm that the SSH server daemon starts during the server boot-up. We shall also confirm that the SSH server daemon is up and running and its status is `active`:
```
```
sudo systemctl enable ssh.service
sudo systemctl enable ssh.service
systemctl status ssh.service
systemctl is-active ssh.service
```
```
**NOTE!** Alternative commands can also be used, like:
**NOTE:** Alternative commands can also be used, like:
```
```
sudo systemctl enable sshd
sudo systemctl enable sshd
systemctl is-active sshd
systemctl status sshd
```
```
etc.
Has our firewall program installed on the system?
Has our firewall program installed on the system?
```
```
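Review bot: the first block now replaces `systemctl status ssh.service` with `systemctl is-active ssh.service`, but the alternative block right below keeps both `is-active` and `status`, so the two blocks no longer show the same check; either drop `status` from the second block as well or keep it in both. `is-active` is the better fit for the sentence above it, since it prints just `active` (and exits non-zero otherwise), which is exactly what the reader is asked to confirm. Also, `Has our firewall program installed on the system?` should read `Is our firewall program installed on the system?`.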
@ -69,38 +67,38 @@ which ufw
which iptables
which iptables
```
```
If both of those executable files ('ufw' and 'iptables') are found on the system, we shall accept network traffic to port 22, protocol TCP (INPUT 22/TCP). Let's apply these rules to our firewall:
If both of those executable files ('ufw' and 'iptables') are found on the system, we shall accept network traffic to port `22`, protocol TCP (INPUT 22/TCP). Let's apply these rules to our firewall:
```
```
sudo ufw allow 22/tcp
sudo ufw allow 22/tcp
```
```
Make sure our firewall program 'ufw' (Uncomplicated Firewall) is enabled and turned on:
Make sure our firewall program `ufw` (Uncomplicated Firewall) is enabled and turned on:
```
```
sudo ufw enable
sudo ufw enable
sudo systemctl enable ufw.service
sudo systemctl enable ufw.service
```
```
**NOTE!** By default, Linux firewall blocks all input traffic. Therefore, SSH input traffic must separately be allowed like described above.
**NOTE:** By default, Linux firewall blocks all input traffic. Therefore, SSH input traffic must separately be allowed like described above.
----------------------------
----------------------------
**Security set-up for a company**
### Security set-up for a company
_Install remotely working security tools for our company. (In this assignment, you can assume that installing a package or packages from our repository is secure)_
**Issue:** Install remotely working security tools for our company. (In this assignment, you can assume that installing a package or packages from our repository is secure)
The following commands have been pre-determined in the assignment:
The following commands have been pre-determined in the assignment:
- download .deb installer file with 'wget' command
- download `.deb` package file with `wget` command
- install the downloaded .deb package with command 'sudo dpkg -i' which extract a new repository file 'terorep.list' into '/etc/apt/sources.list.d/')
- install the downloaded `.deb` package with command `sudo dpkg -i` which extract a new repository file `terorep.list` into `/etc/apt/sources.list.d/`)
- update package databases with command 'sudo apt-get update'
- update package databases with command `sudo apt-get update`
- install package 'terowatch' which is made available by the new repository. The package is available for Ubuntu distribution, version 16.04 LTS. The repository file itself contains string 'deb http://terokarvinen.com/qrs/terorep/ precise main'
- install package `terowatch` which is made available by the new repository. The package is available for Ubuntu distribution, version 16.04 LTS. The repository file `terorep.list` itself contains string `deb http://terokarvinen.com/qrs/terorep/ precise main`
**NOTE!** 'terowatch' package uses network interface 'eth0' by default. However, we haven't defined such interface in our system configuration (this can be fixed by adding 'net.ifnames=0' in udev rules/kernel boot parameters in syslinux or grub). Instead, we use network interface 'enp4s0'.
**NOTE:** `terowatch` package uses network interface `eth0` by default. However, we haven't defined such interface in our system configuration (this can be fixed by adding `net.ifnames=0` in udev rules or in kernel boot parameters in Syslinux or GRUB2). Instead, we use default network interface `enp4s0`.
Proper fix to this issue would be patching the code and applying the patch into the deb package. Another solution would be making the proper fix directly to the source code. In this assignment, we directly modify the executable file, written in Python. This method is not recommended but for the extent of this assignment, it is sufficient solution to proceed.
Proper fix to this issue would be patching the code and applying the patch into the deb package. Another solution would be making the proper fix directly to the source code. In this assignment, we directly modify the executable file, written in Python. This method is not recommended but for the extent of this assignment, it is sufficient solution to proceed.
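Review bot: the NOTE `By default, Linux firewall blocks all input traffic` is not accurate as stated: the kernel's netfilter chains accept by default, and it is ufw that applies a deny-incoming policy once enabled, so reword it along the lines of `Once enabled, ufw denies all incoming traffic by default`. Keep the order shown here (`sudo ufw allow 22/tcp` before `sudo ufw enable`): enabling first over a remote SSH session would cut that session off. The `which iptables` check is never acted on, either: the sentence says `If both of those executable files ... are found` but only a ufw rule follows, so either document what to do when only iptables is present or drop the iptables check.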
@ -109,58 +107,58 @@ dpkg -L terowatch
sudo sed -i 's/eth0/enp4s0/g' /usr/bin/qrsc
sudo sed -i 's/eth0/enp4s0/g' /usr/bin/qrsc
```
```
Command _terowatch_ gives desired text output “TeroWatch is installed” (the string is defined in shell executable '/usr/bin/terowatch')
Command `terowatch` gives desired text output “TeroWatch is installed” (the string is defined in shell executable `/usr/bin/terowatch`)
----------------------------
----------------------------
**Statistics**
### System statistics
_Collect workload statistics of various system resources (CPU, RAM) while doing the assignment. The data collection must be started before proceeding in the assignment. Write a short analysis of the collected statistics after you've finished other parts of the assignment._
**Issue:** Collect workload statistics of various system resources (CPU, RAM) while doing the assignment. The data collection must be started before proceeding in the assignment. Write a short analysis of the collected statistics after you've finished other parts of the assignment.
- CPU (command: 'sar 10 -f $HOME/sysstat.file'): CPU has been in moderate workload. User processes have not depleted resources that much, in contrast to system processes which stress the CPU many times more. 'iowait' value tells us that the processor has waited for mass memory device. During the data collection, some data was transferred from a hard disk to another. CPU capacity limits were not reached.
- CPU (command: `sar 10 -f $HOME/sysstat.file`): CPU has been in moderate workload. User processes have not depleted resources that much, in contrast to system processes which stress the CPU many times more. 'iowait' value tells us that the processor has waited for mass memory device. During the data collection, some data was transferred from a hard disk to another. CPU capacity limits were not reached.
- Mem/RAM (command: 'sar -r 10 -f $HOME/sysstat.file'): Memory consumption has been significant during the data collection period ('%memused' and '%commit'). The system has 4GB DDR3 memory of which majority has been in use. Amount of free memory has been 100MB. Two main operations have affected the memory usage level: web browser usage and file transfer/copy operations which were performed during the data collection period. Active memory was used 2,5GB on average, passive (inactive) memory usage was 700MB. Amount of memory which has waited for to be written varies between 5MB-200MB ('kbdirty').
- Mem/RAM (command: `sar -r 10 -f $HOME/sysstat.file`): Memory consumption has been significant during the data collection period (`%memused` and `%commit`). The system has 4GB DDR3 memory of which majority has been in use. Amount of free memory has been 100MB. Two main operations have affected the memory usage level: web browser usage and file transfer/copy operations which were performed during the data collection period. Active memory was used 2.5GB on average, passive (inactive) memory usage was 700MB. Amount of memory which has waited for to be written varies between 5MB-200MB (`kbdirty`).
----------------------------
----------------------------
**PHP from remote countries**
### PHP from abroad
_Install us necessary tools for remote PHP website development._
**Issue:** Install us necessary tools for remote PHP website development.
- SSH server daemon has already been installed, port 22 is opened -> OK
- SSH server daemon has already been installed, port `22` is opened -> OK
- We shall install HTTP daemon (Apache web server) and open the default port 80 for it in our firewall. Additionally, we shall install necessary PHP (7.0) packages:
- We shall install HTTP daemon (Apache web server) and open the default port `80` for it in our firewall. Additionally, we shall install necessary PHP (7.0) packages:
Let's enable Apache server daemon, check the status of it (must be 'active') and tell the system that Apache should automatically be started during the server boot-up:
Let's enable Apache server daemon, check the status of it (must be `active`) and tell the system that Apache should automatically be started during the server boot-up:
```
```
systemctl status apache2.service
sudo systemctl enable apache2.service
systemctl is-active apache2
sudo systemctl enable apache2
```
```
Let's check that the port 80 is opened in our firewall:
Let's check that the port `80` is opened in our firewall:
```
```
xubuntu@xubuntu:/home$ sudo ufw status
xubuntu@xubuntu:/home$ sudo ufw status
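Review bot: `sudo sed -i 's/eth0/enp4s0/g' /usr/bin/qrsc` rewrites a file owned by the package, so the sentence calling the method `not recommended` should also say why: `dpkg -V terowatch` will from now on report the file as modified, and the next upgrade of the package silently restores `eth0`. The Apache block is consistent with the SSH section (`is-active` plus `enable`), but the sentence above it lists three actions (enable, check status, make it start at boot) while `systemctl enable` already is the third, so reduce it to two. Minor: the curly quotes around “TeroWatch is installed” should be backticks like the rest of this rewrite.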
@ -168,22 +166,22 @@ Status: active
To Action From
To Action From
-- ------ ----
-- ------ ----
22/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
22/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
```
```
(you don't need to execute command 'sudo systemctl start apache2.service' after the Apache installation because the Apache web server daemon is automatically enabled during the server boot-up by default. This information can be found with command 'systemctl status apache2.service')
(you don't need to execute command `sudo systemctl start apache2` after the Apache installation because the Apache web server daemon is automatically enabled during the server boot-up by default. This information can be found with command `systemctl status apache2`)
We shall enable Apache's PHP module while using module 'userdir'. This can be done by commenting the lines between <IfModulemod_userdir.c> tags in file '/etc/apache2/mods-available/php7.0.conf'. Right after we should enable Apache's 'userdir' module and restart the Apache web server:
We shall enable Apache's PHP module while using module `userdir`. This can be done by commenting the lines between `<IfModule mod_userdir.c>` tags in file `/etc/apache2/mods-available/php7.0.conf`. Right after we should enable Apache's 'userdir' module and restart the Apache web server:
```
```
sudo a2enmod userdir
sudo a2enmod userdir
sudo systemctl restart apache2.service
sudo systemctl restart apache2.service
```
```
Let's check that Apache web server is still up and running by issuing command 'systemctl status apache2.service'. Let's check that we can access our default localhost website (IP address 127.0.0.1) which indicates whether the Apache server works as intended:
Let's check that Apache web server is still up and running by issuing command `systemctl status apache2.service`. Let's check that we can access our default localhost website (IP address `127.0.0.1`) which indicates whether the Apache server works as intended:
```
```
xdg-open http://localhost
xdg-open http://localhost
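Review bot: the parenthetical explaining why `sudo systemctl start apache2` is unnecessary gives the wrong reason: the daemon is running because Debian's package maintainer scripts start it at install time, not because it is enabled for boot (being enabled does not start a unit now). Reword to say the package both starts and enables the service on installation. The userdir paragraph should also state what commenting out the `<IfModule mod_userdir.c>` block in `php7.0.conf` does: it removes the `php_admin_flag engine Off` that otherwise disables PHP under `/home/*/public_html`, so every user with a `public_html` directory can run server-side code from then on; that is what the assignment wants, but it should be said explicitly. Minor: `'userdir'` later on the same line still uses single quotes while the earlier `userdir` uses backticks.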
@ -196,22 +194,22 @@ xdg-open http://localhost
xdg-open (1) - opens a file or URL in the user's preferred application
xdg-open (1) - opens a file or URL in the user's preferred application
```
```
We must check that we can access our website from a remote network. In a test laboratory, this test would be done checking output of command 'ifconfig', looking for a relevant IP address and login to the server from another computer using the grabbed IP address and SSH client program (command syntax using default SSH port 22 would be: 'ssh server-user@server-ip'). In order to access the server from a remote network, the relevant IP address for connecting the server must be known, and confirmation for succeeded remote access must exist. Any router & NAT/PAT configurations between a client and the server must work.
We must check that we can access our website from a remote network. In a test laboratory, this test would be done checking output of command `ifconfig`, looking for a relevant IP address and login to the server from another computer using the grabbed IP address and SSH client program (command syntax using default SSH port `22` would be: `ssh server-user@server-ip`). In order to access the server from a remote network, the relevant IP address for connecting the server must be known, and confirmation for succeeded remote access must exist. Any router & NAT/PAT configurations between a client and the server must work.
_Our users are as follows: Maija Mehilälinen, Peter Ö, Oskar Jäärä, John Do, Verner Vrij, Mikko Möttönen, Jalmari Ähkä, Håkan Swarz and Maija Maitoparta. Create a sample website for each user with PHP._
**Issue:** Our users are as follows: Maija Mehilälinen, Peter Ö, Oskar Jäärä, John Do, Verner Vrij, Mikko Möttönen, Jalmari Ähkä, Håkan Swarz and Maija Maitoparta. Create a sample website for each user with PHP.
_List all user accounts and passwords in file lab.txt (“/home/*/lab.txt”). Protect the file so that other users can not read it._
**Issue:** List all user accounts and passwords in file lab.txt (`/home/*/lab.txt`). Protect the file so that other users can not read it.
We shall generate all required passwords (9 for users + admin) with 'pwgen'. Password length is 20 characters, randomized, at least one uppercase character included and secure parameter for the command is used:
We shall generate all required passwords (9 for users + admin) with `pwgen`. Password length is 20 characters, randomized, at least one uppercase character included and secure parameter for the command is used:
```
```
sudo apt-get update && sudo apt-get install pwgen
sudo apt-get update && sudo apt-get install pwgen
pwgen 20 10 -sc1
pwgen 20 10 -sc1
```
```
We shall store additional admin password into a separate, secure place (of your choice). Admin account (or user) username is 'admin'.
We shall store additional admin password into a separate, secure place (of your choice). Admin account (or user) username is `admin`.
We haven't created admin user 'admin' yet. Let's do it. We shall also grant 'sudo' group permissions to this new administration user:
We haven't created admin user `admin` yet. Let's do it. We shall also grant `sudo` group permissions to this new administration user:
```
```
sudo adduser admin
sudo adduser admin
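Review bot: `sudo apt-get install pwgen` lacks the `-y` that `sudo apt-get -y install ssh` uses earlier in the document, so this install is interactive; add it for consistency. Since `lab.txt` is required to hold cleartext passwords for every account, the text should at least say that the generated passwords are initial ones and suggest forcing a change at first login, e.g. `sudo chage -d 0 <user>` after the accounts are created, so that the file loses its value as soon as users have logged in.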
@ -219,21 +217,21 @@ sudo usermod -aG sudo admin
su admin
su admin
```
```
The last command 'su admin' switched our shell view to the user's 'admin' shell. We should lock the server root account by issuing command 'sudo usermod --lock root' (which adds an exclamation mark right before root's password in file '/etc/shadow'). We could increase system's overall security by blocking usage of various TTY sessions (commenting out lines in file '/etc/securetty') and by adding more restrictions to the system's PAM policy.
The last command `su admin` switched our shell view to `admin` shell. We should lock the server root account by issuing command `sudo usermod --lock root` (which adds an exclamation mark right before root's password in file `/etc/shadow`). We could increase system's overall security by blocking usage of various TTY sessions (commenting out lines in file `/etc/securetty`) and by adding more restrictions to the system's PAM policy.
For securing our SSH connections, we shall add the following line in '/etc/ssh/sshd_config' file (use 'sudoedit' or 'sudo nano' command):
For securing our SSH connections, we shall add the following line in `/etc/ssh/sshd_config` file (use `sudoedit /etc/ssh/sshd_config` or `sudo nano /etc/ssh/sshd_config` command):
```
```
PermitRootLogin no
PermitRootLogin no
```
```
After having altered '/etc/ssh/sshd_config', restart SSH server daemon by issuing command
After having altered `/etc/ssh/sshd_config`, restart SSH server daemon by issuing command
```
```
sudo systemctl restart sshd
sudo systemctl restart sshd
```
```
Create file $HOME/lab.txt (where $HOME=/home/admin) with the following contents:
Create file `$HOME/lab.txt` (where `$HOME` is `/home/admin`) with the following contents:
Restrict permissions for this file by issuing the following command (as user 'admin'):
Restrict permissions for this file by issuing the following command (as user `admin`):
```
```
chmod og-rwx,u-x $HOME/lab.txt
chmod og-rwx,u-x $HOME/lab.txt
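Review bot: `Create file $HOME/lab.txt ... with the following contents:` is followed directly by the `Restrict permissions` sentence, so the promised contents are missing from this hunk; either add the file layout (with placeholder passwords, never the real ones) or drop `with the following contents`. Before `sudo systemctl restart sshd`, run `sudo sshd -t` to syntax-check `/etc/ssh/sshd_config`: with a typo in that file the restart fails and new connections are refused until it is fixed, while the existing session survives, so check before logging out. Two smaller points: on Ubuntu the root account has no password set to begin with, so `sudo usermod --lock root` is harmless but changes nothing; and the earlier block uses `ssh.service` while this one uses `sshd`, which only works because the unit carries an `sshd.service` alias, so pick one name.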
@ -260,7 +258,7 @@ admin@xubuntu:~$ ls -l lab.txt
-rw------- 1 admin admin 407 Mar 12 11:42 lab.txt
-rw------- 1 admin admin 407 Mar 12 11:42 lab.txt
```
```
Let's create a generic, pretty simple PHP file 'index.php' into the home directory of the user 'admin', and as the user 'admin'.
Let's create a generic, pretty simple PHP file `index.php` into the home directory of `admin` (and as `admin`).
```
```
nano /home/admin/index.php
nano /home/admin/index.php
@ -274,28 +272,39 @@ phpinfo();
?>
?>
```
```
**NOTE!** Make sure you have enabled php & userdir modules on Apache at this point!
**NOTE:** Make sure you have enabled `php`&`userdir` modules on Apache at this point!
After that, we shall copy the PHP file for each user into a user-specific subdirectory 'public_html' ('/home/*/public_html').
After that, we shall copy the PHP file for each user into a user-specific subdirectory `public_html` (`/home/*/public_html`).
The user-specific directory 'public_html' and contents of it should have correct permissions set up for each user.
The user-specific directory `public_html` and contents of it should have correct permissions set up for each user.
On Debian-based Linux distributions, a perl script '[adduser](https://alioth.debian.org/plugins/scmgit/cgi-bin/gitweb.cgi?p=adduser/adduser.git;a=tree)' is provided for creating new users. Let's do the following:
On Debian-based Linux distributions, a perl script '[adduser](https://alioth.debian.org/plugins/scmgit/cgi-bin/gitweb.cgi?p=adduser/adduser.git;a=tree)' is provided for creating new users. Let's do the following:
- 1) Create required user accounts with the generated passwords
- 1) Create required user accounts with the generated passwords
- 2) Copy the pre-created index.php file into each user's $HOME/public_html folder
- 2) Copy the pre-created `index.php` file into each user's `$HOME/public_html` folder
- 3) For each user, test that their index.php is showing expected and correct output
- 3) For each user, test that their `index.php` is showing expected and correct output
Run the following with any system user who belongs to the 'sudo' group:
Run the following with any system user who belongs to `sudo` group:
for user in mmehilal po ojaara jdo vvrij mmottone jahka hswarz mmaitopa; do echo -e "User is: $user\n" && sudo adduser $user && sudo mkdir -p /home/$user/public_html/ && sudo cp /home/admin/index.php /home/$user/public_html/ && sudo chown -R $user:$user /home/$user && [[ $(curl -s http://localhost/~${user}/index.php | grep -i "404 not found" | wc -l) -ne 0 ]] && echo -e "\nPHP test site not found for '${user}'\n" || echo -e "\nPHP test site is OK for user\n"; done
sudo apt-get update && \
sudo apt-get -y install curl && \
for user in mmehilal po ojaara jdo vvrij mmottone jahka hswarz mmaitopa; do \
echo -e "\nPHP test site not found for '${user}'\n" || \
echo -e "\nPHP test site is OK for user\n"; \
done
```
```
**NOTE!** To test site on a graphical web browser, you need to keep in mind that user 'xubuntu' is the only user having access to graphical display on X server right now (see '.Xauthority' and environment variable DISPLAY for details). Thus, the following commands should be used in our current setup:
**NOTE:** To test site on a graphical web browser, you need to keep in mind that user `xubuntu` is the only user having access to graphical display on X server right now (see `.Xauthority` and environment variable `DISPLAY` for details). Thus, the following commands should be used in our current setup:
```
```
sudo passwd xubuntu
sudo passwd xubuntu
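Review bot: the `&&`/`||` chain in the for loop reports success for the wrong reasons: if any step before the `curl` check fails (for example `sudo adduser $user` on an account that already exists, or the `cp`), the whole `&&` chain short-circuits into the `||` branch and prints `PHP test site is OK for user`. Put the account creation in its own statement and let `[[ ... ]] && echo "not found" || echo "OK"` evaluate only the curl result. The check also only matches `404 not found`; a `403 Forbidden`, which is what wrong `public_html` permissions (called out two paragraphs earlier) produce, is reported as OK, so compare the status code instead, e.g. `curl -s -o /dev/null -w '%{http_code}' ...` against `200`. Minor: the OK message omits `${user}` while the failure message includes it, and the multi-line version of the loop is missing the body lines between `do \` and the final `echo` pair.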
@ -303,13 +312,13 @@ su xubuntu
for user in mmehilal po ojaara jdo vvrij mmottone jahka hswarz mmaitopa; do xdg-open http://localhost/~${user}; done
for user in mmehilal po ojaara jdo vvrij mmottone jahka hswarz mmaitopa; do xdg-open http://localhost/~${user}; done
```
```
**NOTE!** We can exit the shell view of the user 'admin' simply issuing command 'exit' on that shell view.
**NOTE:** We can exit the shell view of the user `admin` simply issuing command `exit` on that shell view.
**NOTE!** Consider the following in a production environment, instead of doing nasty things with administration users:
**NOTE:** Consider the following in a production environment, instead of doing nasty things with administration users:
- You can (but don't have to) modify the current user, grant administration rights, modify username, home directory and groups ('usermod' command) instead of adding a separate account for an administrator
- You can (but don't have to) modify the current user, grant administration rights, modify username, home directory and groups (`usermod` command) instead of adding a separate account for an administrator
- You can create a new main/admin user and remove an old one (in our case, we should delete 'xubuntu' account). You can delete users with command 'userdel'.
- You can create a new main/admin user and remove an old one (in our case, we should delete `xubuntu` account). You can delete users with command `sudo userdel <account>`.
- You can have clearly restricted and well named groups to separate users with various permissions on a system. Apply your user and group policy so that specific users belong to the right groups.
- You can have clearly restricted and well named groups to separate users with various permissions on a system. Apply your user and group policy so that specific users belong to the right groups.
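Review bot: the list item suggesting deletion of the `xubuntu` account (`sudo userdel <account>`) should say this can only happen after the graphical tests above, which run as `xubuntu` via `su xubuntu` and `xdg-open`; also suggest `sudo userdel -r`, since without `-r` the home directory is left behind. `sudo passwd xubuntu` turns the live-session user into a second password login on the box; that is another reason the text should tell the reader to remove the account once the tests are done.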
@ -319,7 +328,7 @@ Screenshot of user-specific PHP sites on the configured server environment:
_Install and configure metapackage 'iot12tools' for us. The metapackage should install the following development tools for 'Internet of Things': arduino IDE, gedit (text editor), gedit-plugins, curl (CLI browser) and Python 3 programming language._
**Issue:** Install and configure metapackage `iot12tools` for us. The metapackage should install the following development tools for 'Internet of Things': arduino IDE, gedit (text editor), gedit-plugins, curl (CLI browser) and Python 3 programming language.
Switch your shell view to user 'jahka' (Jalmari Ähkä) and go to his home directory:
Switch your shell view to user `jahka` (Jalmari Ähkä) and go to his home directory:
```
```
su jahka
su jahka
cd
cd
```
```
**NOTE!** We can make sure that we are in his home directory ('/home/jahka') by issuing command 'pwd'.
**NOTE:** We can make sure that we are in his home directory (`/home/jahka`) by issuing command 'pwd'.
Let's create a new file '~/helloworld.py' with the following contents:
Let's create a new file `~/helloworld.py` with the following contents:
```
```
#!/usr/bin/env python3
#!/usr/bin/env python3
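Review bot: `'pwd'` keeps the old single-quote style while the rest of this rewrite moved commands to backticks; change it to `pwd`. The heading promises installation and configuration of the `iot12tools` metapackage, but this hunk only shows switching to `jahka` and creating `helloworld.py`; if the packaging steps are documented elsewhere in the file, a one-line pointer before `su jahka` would help. Also, `su jahka` requires Jalmari's generated password at the prompt; `sudo -u jahka -i` from the sudo-group user avoids typing it.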
@ -451,7 +461,7 @@ print("Hello World");
```
```
Modify file permissions, grant executable permission for the user 'jahka', remove from others (including the group who owns the file):
Modify file permissions, grant executable permission for the user `jahka`, remove from others (including the group who owns the file):
```
```
chmod u+x,og-x helloworld.py
chmod u+x,og-x helloworld.py
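Review bot: `print("Hello World");` carries a trailing semicolon, which Python accepts but which is not idiomatic; drop it. `chmod u+x,og-x helloworld.py` matches the sentence above it, but a file created with `nano` under the usual umask is already `rw-r--r--`, so the `og-x` part removes nothing; mention that, or simply use `chmod u+x`, so the reader does not think group and others had execute permission to begin with.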
@ -471,7 +481,7 @@ Hello World
```
```
The output is as desired, 'Hello World', indicating that we have successfully installed Python3 development environment for the required user.
The output is as desired, `Hello World`, indicating that we have successfully installed Python3 development environment for the required user.
**c)** (optional) Use Linux outside the course scope.
**c)** (optional) Use Linux outside the course scope.
--------------
--------------
@ -492,7 +502,7 @@ The following pictures demonstrate [Arch Linux ARM](https://archlinuxarm.org/pla
- Desktop environment: LxQt
- Desktop environment: LxQt
About my Linux usage:
### About my Linux usage:
My first touch to Linux world was back in early spring, 2011. The first Linux distribution I installed was Ubuntu 10.04 LTS, and after that I have tried out many distributions, including Linux Mint, Fedora, OpenSUSE and Arch Linux.
My first touch to Linux world was back in early spring, 2011. The first Linux distribution I installed was Ubuntu 10.04 LTS, and after that I have tried out many distributions, including Linux Mint, Fedora, OpenSUSE and Arch Linux.