A9 Web instructions

Web Homework - Apache Web Server and Firewalls

Submit the writeup as a Word document or a PDF. As you go through the homework, responses that need to be included in the write-up are prefixed with a number. All questions are worth 1 point except where noted. Make sure you number your responses accordingly in your submission. There are extra credit questions worth 2 points each at the end of the homework.

Contents
Web Homework - Apache Web Server and Firewalls ... 1
Homework Description ... 2
Homework Setup ... 3
Homework Directions ... 3
Part 1 - The Firewall ... 4
Part 2 - Basic Authentication Web Site ... 6
Part 3 - CAS Authentication ... 8
Part 4 - HTTPS ... 9
Extra Credit Questions ... 11

Homework Description

In this homework you will be working with a new VM built from a custom image. You will need to download the box image and register it with vagrant, as well as download the Vagrantfile for the homework. The VM uses the private IP 172.28.128.41, which makes the web server accessible from your host browser. This VM has a web server with several virtual host configurations available. It also has an iptables firewall configured. You will need to enable the virtual host configurations, update the firewall accordingly, and then access the web sites with a browser running on your host.

This homework will require you to edit and access files that are owned by root, so most commands will need to be issued with sudo. Alternatively you can use the sudo -s command to launch a shell with root privileges, though this is slightly more dangerous since every command typed at that prompt will be executed as root. You can use the command nano to edit files. Don't forget about using the commands cat or less to display the contents of files. You will need to cd to several directories.
Homework Setup

The download links from the homework page:
https://indiana-my.sharepoint.com/:u:/g/personal/seiffert_iu_edu/EZmzY9PW6hJBuqy_JdKTeTUBRpPPyZP1ZwhZPL7dOYr_fg?download=1
https://indiana-my.sharepoint.com/:t:/g/personal/seiffert_iu_edu/Eb4ZSm4I1bBKo94gUDCdOSYBV9ELRnuzLjQbYLtwTyrGig?e=4KRsUt

Follow these steps to set up the VM on your system.

1. Create a directory on your system named something like A541_web. I recommend:
mkdir ~/A541_web

2. Download the Vagrantfile and box image from the Canvas homework site. Assuming your browser downloads into the default Downloads directory, use the following command to copy and rename the Vagrantfile:
cp ~/Downloads/A9_Vagrantfile.txt ~/A541_web/Vagrantfile

3. Add the web homework box to vagrant with the following command, but first cd to the homework directory. Remember that the vagrant command looks for a Vagrantfile in the current directory.
vagrant box add sec_web_assignment ~/Downloads/security_web_assignment.box

4. Bring up the VM with the command vagrant up, then log in to the VM with the command vagrant ssh.

Homework Directions

These directions assume you have followed the setup instructions above and are logged into the VM. You should also have a browser window open. You may find it convenient to open a couple of different tabs in your browser, or a couple of windows, for the different web sites used in the homework, but it is not necessary.
Part 1 - The Firewall

When you first log in to the VM it will display the IP number that is bound to the eth1 interface. This is the private network address (172.28.128.41) over which only your host and the VM can communicate, and it is the interface the firewall rules below refer to. The eth0 interface is the VM's other network connection, through which it reaches the internet just like your host machine does.

Update the /etc/hosts file on your host system (i.e. your laptop's OS) to include the line:
172.28.128.41 www.A541.edu

Windows users can edit the hosts file with Notepad (launched with administrator privileges); the file is located in C:\Windows\System32\drivers\etc\. Mac users can use the command sudo nano /etc/hosts. This website has specific instructions for editing /etc/hosts on different OSs: https://www.howtogeek.com/howto/27350/beginner-geek-how-to-edit-your-hosts-file/

1) Why do you need to update your /etc/hosts file in order to access the web server with a URL like http://www.A541.edu from your host system's browser? (2 points)

Run the iptables command to list the current configuration (don't forget to use it with sudo, or launch a root shell with sudo -s):
iptables -L -v --line-numbers

2) The INPUT chain policy indicates that the default action is DROP. Is this a denylist or an allowlist policy? Why?

Now you will enable the first website on your web server. To enable the website, run the command a2ensite noauth, then tell Apache to reload its configuration with service apache2 reload (again you will need root privileges).

Examine the configuration file located at /etc/apache2/sites-enabled/noauth.conf with a command like cat, less, or nano. You will need to examine each site's configuration file to understand how it is configured.

3) On which port is the noauth virtual host listening?
4) From which directory does the virtual host serve web pages?

Try to connect to your web site with the URL http://www.A541.edu. You should find that your browser does not connect.

5) Why is your browser not connecting? (Hint: look at the iptables rules.) (2 points)

Use the tail command to look at the last few lines of /var/log/kern.log. This is where iptables logs the packets it drops.

6) Copy and paste the line from the log describing the dropped packet. You are looking specifically for log entries for attempts to access destination port (DPT) 80. (HINT: grep DPT=80)
7) Looking at that line, from which port on your host did your browser connect to the server? (HINT: SPT)

Insert a rule into the iptables INPUT chain to allow inbound packets to reach the noauth virtual host. Use the following command:
iptables -I INPUT 3 -p tcp -i eth1 --dport 80 -j ACCEPT

This command inserts the rule into the INPUT chain at position 3. The rule matches TCP packets arriving on the eth1 interface with destination port 80; if a packet matches, it is accepted. Verify the rule was inserted correctly by running:
iptables -L -v --line-numbers

8) Copy and paste the output of the INPUT chain.

Try connecting to the web server again with the same URL http://www.A541.edu. Your browser should connect this time. Now try the URL http://www.A541.edu/cgi-bin/env.sh.

9) Copy and paste the line displaying the port your web browser used to connect to the server (HINT: REMOTE_PORT).

Part 2 - Basic Authentication Web Site

Next you will enable the basicauth website with the command a2ensite basicauth, then reload the Apache configuration as above with the command service apache2 reload.

Examine the configuration file /etc/apache2/sites-enabled/basicauth.conf. Apache basic authentication uses a password file with user names and passwords to authenticate users. In addition, it needs an authorization directive to say which of the authenticated users can access a resource. We are using an Apache module that consults a file listing group names, each followed by its members separated by spaces; each line of the file contains one group and all of its members. Finally we need a directive specifying which group(s) from the file are allowed to access a resource.

10) On which port is this web site listening?
11) What is the path to the passwords file?
12) What is the path to the security groups file?
13) Which group is authorized to access this website?
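The two things Part 1 has you read by hand, the dropped-packet lines in /var/log/kern.log and the position of the new ACCEPT rule in the INPUT chain, can also be checked with a short script. The following is an added example and is not part of the homework VM or its configuration. The "IPTables-Dropped:" log prefix, the sample log lines and the sample chain listing are constructed, so substitute your own output; only the field names the kernel writes (IN= SRC= DST= PROTO= SPT= DPT=) are taken as given.

```shell
#!/bin/sh
# Added example, not part of the homework VM.
#   dropped_to_port DPT     : one line per packet iptables logged with that DPT
#   source_ports_for_dport  : the distinct host-side ports (SPT) behind those drops
#   rule_order_ok NAME      : succeeds if an ACCEPT rule carrying "dpt:NAME" comes
#                             before the first LOG/DROP rule in the INPUT listing,
#                             which is what "-I INPUT 3" is meant to achieve
# The "IPTables-Dropped:" prefix and both samples below are constructed.

# Constructed sample of /var/log/kern.log: three SYNs from the host browser
# (172.28.128.1) to the VM (172.28.128.41) on eth1, one unrelated UDP drop on eth0.
SAMPLE_KERN_LOG='Mar  1 10:15:02 vagrant kernel: [ 1203.551] IPTables-Dropped: IN=eth1 OUT= MAC=08:00:27:aa:bb:cc:0a:00:27:00:00:01:08:00 SRC=172.28.128.1 DST=172.28.128.41 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51736 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  1 10:15:03 vagrant kernel: [ 1204.552] IPTables-Dropped: IN=eth1 OUT= MAC=08:00:27:aa:bb:cc:0a:00:27:00:00:01:08:00 SRC=172.28.128.1 DST=172.28.128.41 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51736 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  1 10:16:40 vagrant kernel: [ 1301.900] IPTables-Dropped: IN=eth1 OUT= MAC=08:00:27:aa:bb:cc:0a:00:27:00:00:01:08:00 SRC=172.28.128.1 DST=172.28.128.41 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51802 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  1 10:17:00 vagrant kernel: [ 1321.100] IPTables-Dropped: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:0a:00:27:00:00:02:08:00 SRC=10.0.2.2 DST=10.0.2.15 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=58'

# Constructed sample of `iptables -L INPUT -v --line-numbers` after the port 80
# rule was inserted at position 3 but before any rule for port 8080 exists.
SAMPLE_INPUT_CHAIN='Chain INPUT (policy DROP 4 packets, 270 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      230   18K ACCEPT     all  --  lo     any     anywhere             anywhere
2     1024   81K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
3        2   128 ACCEPT     tcp  --  eth1   any     anywhere             anywhere             tcp dpt:http
4        4   270 LOG        all  --  any    any     anywhere             anywhere             LOG level warning prefix "IPTables-Dropped: "'

# Usage: dropped_to_port 80 < /var/log/kern.log
# Prints "IN PROTO SRC:SPT -> DST:DPT" for every logged packet with that DPT.
dropped_to_port() {
  awk -v want="$1" '
    /IN=/ && /DPT=/ {
      for (k in f) delete f[k]
      for (i = 1; i <= NF; i++) {
        n = split($i, kv, "=")          # KEY=VALUE tokens only; "DF", "SYN" are skipped
        if (n == 2) f[kv[1]] = kv[2]
      }
      if (f["DPT"] == want)
        print f["IN"], f["PROTO"], f["SRC"] ":" f["SPT"], "->", f["DST"] ":" f["DPT"]
    }'
}

# Usage: source_ports_for_dport 80 < /var/log/kern.log
# The distinct SPT values that tried to reach that DPT, one per line (Q7-style lookup).
source_ports_for_dport() {
  dropped_to_port "$1" | awk '{ split($3, a, ":"); print a[2] }' | sort -u
}

# Usage: iptables -L INPUT -v --line-numbers | rule_order_ok http
# Exit 0 if an ACCEPT rule whose match includes "dpt:NAME" appears before the
# first LOG or DROP rule, i.e. the new rule is evaluated before the drop.
# Column positions assume the -v listing (num pkts bytes target prot opt in out ...).
rule_order_ok() {
  awk -v want="dpt:$1" '
    $1 ~ /^[0-9]+$/ {
      if ($4 == "ACCEPT") {
        for (i = 5; i <= NF; i++) if ($i == want) { found = 1; exit }
      } else if ($4 == "LOG" || $4 == "DROP") {
        exit
      }
    }
    END { if (found) exit 0; exit 1 }'
}

# Stand-alone demo on the constructed samples.
printf '%s\n' "$SAMPLE_KERN_LOG" | dropped_to_port 80
printf '%s\n' "$SAMPLE_KERN_LOG" | source_ports_for_dport 80
printf '%s\n' "$SAMPLE_INPUT_CHAIN" | rule_order_ok http && echo "port 80 ACCEPT sits above the LOG rule"
printf '%s\n' "$SAMPLE_INPUT_CHAIN" | rule_order_ok 8080 || echo "no ACCEPT for 8080 before the LOG rule yet"
```

On the VM, feed the real files in with sudo (the kernel log is root-readable only): `sudo tail -n 200 /var/log/kern.log | dropped_to_port 80` and `sudo iptables -L INPUT -v --line-numbers | rule_order_ok http`. If rule_order_ok fails after the insert, the rule landed below the drop and will never match, regardless of what the rule itself says.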
Again you will need to modify the firewall to allow access to this virtual host's port. Use the iptables command to insert a rule. This command will be very similar to the one used above and needs only one change.

14) Write the iptables command you used to insert the rule for the basicauth virtual host web site.

Verify the rule was inserted correctly with the iptables -L -v --line-numbers command as above. Access the website with the URL http://www.A541.edu:8080. You will be prompted for a userid and password; use vagrant for both. You should be rewarded with a web page indicating you are authenticated. Now go to http://www.A541.edu:8080/cgi-bin/env.sh. This will dump all the values visible to a CGI program executing on the web server.

15) Copy and paste the line displaying the REMOTE_USER.

We will allow your favorite superhero to authenticate to the website as well. First you need to add the superhero's name and password to the password file using the htpasswd command. NOTE: This password file is not the system password file /etc/passwd; it is a password file for Apache2. If you examine the contents of the file you can note the format differences.
htpasswd /etc/apache2/security/passwords your_superhero

You will be prompted for a password and asked to verify it. Use a password of your choosing. (If you should forget it, you can run the same command again to overwrite the old password with a new one.)

Next you need to add your superhero to the security group for this website. Edit the security group file you identified above; you can use nano to edit the file. The usernames are separated by spaces on the line with the group name.

16) Copy and paste the contents of the group file.

Open an incognito or private window in your browser and go back to the URL http://www.A541.edu:8080/cgi-bin/env.sh. Use your superhero account and password when prompted.

17) Copy and paste the line displaying the REMOTE_USER.
18) This website requires authentication. Examine the URL closely. What is a major security weakness with this website configuration? What should we change to make it more secure? (Not asking how, just what could be done.) (2 points)

Return to the default URL http://www.A541.edu:8080/, fill in form 1 and click the Form 1 Continue button.

19) Copy and paste the environment variable that contains just the elements and values submitted in the form. (HINT: search for REQUEST)
20) What HTTP method was used to send this form to the server?

Hit the back link and fill in form 2. Click the Form 2 Continue button.

21) What HTTP method was used to send this form to the server?

Part 3 - CAS Authentication

In this part you will enable the CAS_site and use the IU CAS authentication page. Since you are utilizing the IU CAS service, you will need to authenticate with your IU username and password. Use the a2ensite CAS_site command to enable the web site. Then
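The group-file edit in Part 2 (adding your superhero to the group line) and the check that every group member also has an htpasswd entry can be scripted rather than done in nano. This is an added example, not code from the homework VM. The group file contents, group names, users and the placeholder password hashes below are constructed; in practice use the AuthUserFile and AuthGroupFile paths you read out of basicauth.conf.

```shell
#!/bin/sh
# Added example, not part of the homework VM. Script the Part 2 group-file edit
# and cross-check it against the htpasswd file. All sample data is constructed.
#
# Group file format (one group per line, members separated by spaces):
#   groupname: user1 user2 user3
# htpasswd file format (one user per line, hash after the colon):
#   user:$apr1$....

# Constructed starting point for the group file.
SAMPLE_GROUPS='webusers: vagrant alice
admins: vagrant'

# Constructed placeholders, not real hashes.
SAMPLE_PASSWD='vagrant:$apr1$placeholder$hashforvagrant
alice:$apr1$placeholder$hashforalice'

# Usage: group_members GROUP < groupfile   -> members one per line (none if the group is absent)
group_members() {
  awk -v g="$1:" '$1 == g { for (i = 2; i <= NF; i++) print $i }'
}

# Usage: in_group GROUP USER < groupfile   -> exit 0 if USER is a member
in_group() {
  group_members "$1" | grep -qx -- "$2"
}

# Usage: add_to_group GROUP USER < groupfile > newgroupfile
# Idempotent: the user is appended only if absent, and the group line is
# created if the group does not exist yet. Write to a new file, inspect it,
# then move it into place rather than editing the live file in one step.
add_to_group() {
  awk -v g="$1:" -v u="$2" '
    $1 == g {
      seen = 1
      for (i = 2; i <= NF; i++) if ($i == u) dup = 1
      if (!dup) $0 = $0 " " u
    }
    { print }
    END { if (!seen) print g " " u }'
}

# Usage: missing_passwords GROUPFILE PASSWDFILE GROUP
# Members of GROUP with no htpasswd entry: authorized by the Require directive
# but unable to authenticate, the usual cause of "vagrant works, my superhero
# does not" after a group-only edit.
missing_passwords() {
  group_members "$3" < "$1" | while read -r u; do
    cut -d: -f1 "$2" | grep -qx -- "$u" || echo "$u"
  done
}

# Stand-alone demo on the constructed samples: add a user, show the result.
printf '%s\n' "$SAMPLE_GROUPS" | add_to_group webusers batman
```

On the VM the equivalent of the nano step is `sudo sh -c 'add_to_group GROUP USER < /path/to/groups > /path/to/groups.new'` followed by a look at the new file and a move into place; then run missing_passwords against the two files from basicauth.conf before testing in the browser, so that a failed login can be attributed to the password file rather than the group file.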
Dec 16, 2021