I have the project on file.
Practical Assignment 2 (PA.2)

Use the instructions below to complete all 5 parts of the assignment. You will submit an answer for each section in red.

Part One: Linux Client

First, we will need a Linux machine to act as a client for this lab. The fastest method to add a new machine as a client is to clone your existing VM from PA.1.

1. First, create a snapshot of your VM from PA.1:
   a. In the Google Cloud console, click Compute Engine, then Snapshots.
   b. Click Create Snapshot.
   c. Provide a "name" and "description" for your snapshot. (I called mine cis285-client.)
   d. For the "source disk", choose the virtual instance you created in practical assignment one.
   e. Click "Create".
2. Once the snapshot has been created, build the new instance:
   a. In the Google Cloud console, click Compute Engine, then VM Instances.
   b. Click Create Instance.
   c. Provide a name for the VM.
   d. Use the N1 Series.
   e. Use F1-Micro for the machine type.
   f. Select Boot Disk, then select the Snapshots tab.
   g. Select the snapshot you created in the previous step.
   h. Create the virtual machine.

Part Two: Install vsftp

We will use vsftp to demonstrate some of the security features in Linux. vsftp is a simple FTP server.

1. Use the sudo yum install vsftpd command to install vsftp.
2. Use the sudo systemctl list-unit-files --type service command to view all the services on your server.
   a. Are there any services that seem superfluous? Research two of the enabled services, and describe what they are for and why they might be enabled by default.
3. Use the command sudo vi /etc/vsftpd/vsftpd.conf to look at the configuration file.
   a. Which setting in the configuration do you think allows vsftpd to use local accounts?
   b. Which file do you think vsftpd needs access to in order to authenticate users?
4. Start vsftpd using sudo systemctl start vsftpd.
5. Ensure it is started by checking its status: sudo systemctl status vsftpd
6. Ensure that vsftpd is configured to run when the system is restarted using sudo systemctl enable vsftpd.
7. Run sudo systemctl list-unit-files --type service again.
   a. Do you see vsftpd now listed?

Part Three: Processes and Daemons

In this unit, we learned about processes and daemons. We will explore the processes running on our CentOS server in this lab. Before you begin this section, use an SSH client to connect to your server (such as PowerShell, your terminal on a Mac, or PuTTY if you have an older version of Windows).

1. What processes are running on your server?
   a. From your standard user's prompt (not logged in with root privileges), use the ps command to show a list of processes.
      i. This is a short list. Why are there no other processes listed?
   b. Change to "root" privileges using the su command, and run the ps -ef command.
      i. Which of these processes are daemons/services, and which are user processes? Is it easy to tell?
   c. Run the ps -ejH | less command to see your process tree.
      i. It should now be a little easier to see your processes and how they relate to one another. What are the parent processes? Research what these are and provide an explanation for each.
      ii. What is the parent of vsftpd?
      iii. What is the PID of vsftpd?
      iv. Identify at least two processes under one of the parents above and explain what they are.
      v. Are there any processes that appear to be superfluous, or is CentOS as shipped/installed in Google Cloud fairly well trimmed down (i.e., hardened)?
   d. Kill vsftpd using kill PID (replace PID with the process ID you noted in a previous step).
      i. Is the process now gone when you use the ps command?
   e. Use the command systemctl status vsftpd.
      i. Does this confirm the process was killed?
   f. Use the command systemctl start vsftpd to start the service again.
   g. Use the top command to view your processes (use "q" to quit when done).
      i. Which process is using the most memory?
      ii. Which process is using the most CPU?

Part Four: Linux Firewall

1. Use SSH to log in to the server you created in Part One.
2. Use the command sudo yum install ftp to install an FTP client.
3. Test your FTP server:
   a. Create a file with some content using vi some_file.txt.
   b. Use the command ftp server_hostname to connect to your FTP server from your client system. Change server_hostname to the name of your server, which will be in the Google Cloud Console. You can also type hostname on your server to find its hostname.
   c. When prompted, enter the username and password.
   d. Use the command put some_file.txt to copy your file. Verify that the file was created on the server.
4. Now, switch to the SERVER, and we will configure the firewall in Linux to block FTP:
   a. First, use iptables -L to look at the firewall rules in iptables. This is rather complicated! We will use the firewall-cmd utility, which essentially manages iptables with more user-friendly commands.
   b. First, take a look at the zones available using firewall-cmd --get-zones.
      i. Note the Public and Trusted zones. What other zones do you have?
   c. Next, let's see what the active zone is using firewall-cmd --get-active-zones.
      i. What is your current active zone?
   d. Next, take a look at the rules for this zone using firewall-cmd --list-all --zone=public.
      i. What is the behavior of this zone? Is it more permissive, or restrictive? (Hint: look at the Target value.)
      ii. Which services are allowed?
   e. Next, let's switch our zone to Public using the command firewall-cmd --set-default-zone=public.
      i. Go back to your client and try to log in. Did it work? What was the error message?
   f. The public zone is far more secure, but in order to use certain services they must be added. Use the command firewall-cmd --zone=public --add-service=ftp to add FTP as an enabled service.
      i. Can you FTP from the client now?
   g. You can leave your zone set to public; however, in the future, we will need to add services to the public zone in order to use them.
      i. In this exercise, we use the service name to add it to the firewall rule, thus allowing traffic on the official port registered for that service (for example, FTP uses TCP port 21). In some cases, you may want to add a port that is not "well known". Research the command that would configure either ALLOW or DENY for specific TCP ports.
      ii. Research "Port Hiding". What is this? Is this an effective strategy to protect servers?

Part Five: SELinux

SELinux provides a mechanism for mandatory access control (rather than the default behavior of discretionary access control). We will take a look at the settings for SELinux.

1. On your SERVER, issue the command to show the current SELinux status: getenforce
   a. What is the state of SELinux?
   b. Use the command setenforce 0. What is the status of SELinux after running this command? (Use setenforce 1 to set it back to a more restrictive state.)
2. In this assignment, you have set up an FTP server. Take a look at some of the configuration options in SELinux that confine the FTP server using the command getsebool -a | grep ftp.
   a. Research two of these settings; what are they used for? Do you agree with the default setting, or would you change it?
3. Change one of the settings you identified in the previous step using setsebool setting x (change setting to the name of the setting you found; x will be 0 for off or 1 for on).
   a. Verify the setting is now set using getsebool setting (change setting to the name of the setting you used). Does it reflect your earlier setting?

Practical Assignment Three: systemd

systemd is the replacement for the legacy Unix SysV and BSD init daemons. It provides a suite of components for managing services, in addition to many other functions such as logging, device management, managing mounts, networks/sockets, etc. In this assignment, you will use systemd to create a simple service that runs as a web service (using Python's SimpleHTTPServer method).

Step 1: Configure Firewalls and test Python

1. Configure the Google Cloud firewall to allow ports 80 and 8080 to your VM (this step is optional, but makes the assignment more fun):
   a. Log in to your Google Cloud Console and navigate to your Virtual Instances in the Compute Engine.
   b. Click on your Linux server to see the properties, then click "edit".
   c. Find the section for "Network Tags" and add a tag. For example, I used "cis285-server". You will reference this tag later; it is how this machine will be identified by Google's virtual firewall. Be sure to click "Save" when you are done.
   d. Click the main menu button (the "hamburger" with three horizontal lines), and go to the "Network" group, "VPC Networks", then "Firewall".
   e. Create a new firewall rule. Select:
      i. Direction: Ingress
      ii. Targets: Specified Target Tags
      iii. Target Tags: (enter the value you used for your "network tag" previously; for mine, I used "cis285-server")
      iv. Source Filter: IP Ranges
      v. Source IP Ranges: 0.0.0.0/0
      vi. Protocols/Ports: Specify TCP "80, 8080"
      vii. Save the new rule.
2. Configure the firewall in your Linux server:
   a. Use the "su" command so you will have the "root" context. (Look for the # prompt, not $.)
   b. Your default zone should still be "public"; use the command firewall-cmd --get-active-zones to verify.
      i. If the active zone is not public, use this command to set it:
         1. firewall-cmd --set-default-zone=public --permanent
      ii. Add FTP, HTTP, and port 8080 to your firewall rules:
         1. firewall-cmd --zone=public --permanent --add-service=ftp
         2. firewall-cmd --zone=public --permanent --add-service=http
         3. firewall-cmd --zone=public --permanent --add-port=8080/tcp
      iii. Verify it worked:
         1. firewall-cmd --zone=public --list-ports
         2. firewall-cmd --zone=public --list-services
3. Run a simple web server in your user space:
   a. Create the following web page file, and customize the code to include your name:
      i. /home/student/index.html
This is a sample page
This is a sample web page to demonstrate Python's simple web server.
Brian Green
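The firewalld steps in Part Four of PA.2 and in Step 1 of PA.3 add rules and then ask you to eyeball the result; the script below is an added example (not part of the assignment) that bundles the PA.3 permanent rules into one function and adds checker functions that parse firewall-cmd --list-all output, so the same verification can be run against a saved dump. It assumes firewalld's firewall-cmd is installed on the server for apply_public_rules; the sample dump is constructed.

```shell
#!/bin/sh
# Added example, not part of the assignment. apply_public_rules needs
# firewall-cmd on the server; the check functions only read text, so they
# can be run anywhere against a saved dump of --list-all output.

# Constructed sample of `firewall-cmd --list-all --zone=public` output, as
# it would look after the permanent rules below were reloaded.
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ftp http ssh
  ports: 8080/tcp
  protocols:
  masquerade: no
  rich rules:'

# zone_target: print the zone target from a --list-all dump read on stdin.
# "default" rejects unmatched traffic; ACCEPT (the trusted zone) lets
# everything through, which is why the lab moves the server to public.
zone_target() {
    awk '/^[[:space:]]*target:/ { print $2; exit }'
}

# zone_allows NAME: exit 0 if NAME (a service such as "ftp" or a port such
# as "8080/tcp") appears on the services: or ports: line of the dump on stdin.
zone_allows() {
    awk -v want="$1" '
        /^[[:space:]]*(services|ports):/ {
            for (i = 2; i <= NF; i++) if ($i == want) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# apply_public_rules: the PA.3 Step 1 rules, made permanent. Rules added
# with --permanent only take effect after --reload; rules added without it
# (as in Part Four) apply immediately but are lost on reload or reboot.
apply_public_rules() {
    for svc in ftp http; do
        firewall-cmd --zone=public --permanent --add-service="$svc" || return 1
    done
    firewall-cmd --zone=public --permanent --add-port=8080/tcp || return 1
    firewall-cmd --reload || return 1
    # Verify against the live runtime configuration, not the permanent file.
    firewall-cmd --list-all --zone=public | zone_allows ftp \
        && firewall-cmd --list-all --zone=public | zone_allows 8080/tcp
}
```

Run apply_public_rules as root on the server; to check a dump taken earlier, pipe it into zone_target or zone_allows.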