#Task 1: Configuring SSH (3 Marks)
Secure Shell(SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Typical applications include remote command-line, login, and remote command execution, but any network service can be secured with SSH.SSH protocol usespublic-key cryptography to authenticate endpoints when setting up a terminal session as well as for encrypting session commands and output. In this task, your job is to perform the following tasks:
- Use Linux operating system setup under assessment item 1 to configure Virtual Machine network adapters as a private network (see diagram below),
- configure the ssh protocol on both client and server, (e.g., SSH CA Certificate, distributing SSH Public Key and all the necessary configurations),
- document all the steps and challenges while configuring the ssh protocol with a plain description of each step,
- explaining the cryptographic algorithms are used for the configuration.
#Task 2: DNS configuration (6 Marks)
Implement server a simple local DNS server calledns1.StudentLastName.org.au. The Local DNS accepts queries from clients and tries to resolve them, first by checking its local cache. The Local DNS must reply toA,
NS, andCNAMErequests. Before you start to implement your server, you should have a clear understanding of the DNS protocol and, specifically, of the message format. You can find good information online inLearning DNS by Cricket Liuor the textbook and the lecture slides.
Local DNS must be able to resolve queries iteratively starting from a given root name server. In other words, Local DNS must work even with a root server that does not support recursive queries. Local DNS must also correctly handle canonical names (
www
). This means that a server (the root server or others) might reply with a CNAME record in response to a request for the A record for
www.ns1.studentLastName.org.au
. In this case, Local DNS should first resolve the CNAME record and then reply to the original request with a DNS message that includes both the canonical-name record (CNAME) for the original name and the address record (A) for the canonical name.
You should demonstrate your Local DNS fully functional and tests your local DNS using dig tool to submit queries to your DNS server. Below is a summary of the most important requirements for your implementation:
- Your configuration must compile,
- Your server must reply to DNS requests of typesA,NS,PTR, andCNAME. Other types are optional,
- If your server receives a CNAME response from a name n while looking for the A record of n, your server should first recursively resolve the name returned in the CNAME record,
- you have to demonstrate that DNS configuration/zone files are free from errors by using
named-checkconf
,
named-checkzone
and
systemctl status named
with the proper arguments,
- You have to install Local DNS usingBINDto implement local DNS,
- You can easily test your implementation using the
dig command
with the proper arguments.
Note:
You are required to configure network virtual machines based on the above diagram,
document all the steps and challenges while configuring the DNS with a clear description of each step,
Submit all your zone/config files as an appendix.
#Task 3:Simple Web Services (3 Marks)
InstallingLEMPsoftware onServer 2. LEMP is a standard bundle in the Ubuntu Server platform. Once complete set up this Server 2 to host a website using the
NGINX web server
. The server should have astatically assigned addresswhich matches that specified in the A record for host www. Test your
NGINX
Server by using a web browser on another host and trying to browse the website LastNameStudentID.org.au. Once you have set up the webserver and tested it, install anFTPserver. The FTP server would allow users to upload/ download files to the webserver. Configure the server appropriately and then test from another host.
Next: in Server 2, your task is to configure the
NGINX web server
for the DNS namewww.StudentName.com.au. The server is implemented using the HTTP protocol listening on port 8181. Your challenge is to make the same site accessible using the HTTPS protocol. To do this set up SSL with aself-signed certificatefor the site.
Once configured correctly you should be able to accesswww.StudentName.com.auon bothHTTP/HTTPS ports. Naturally, you will need to make appropriate changes to your firewall rules.
document all the steps and challenges while configuring the LEMP with a clear description of each step,
#Task 4: Security and System-hardening (Configuring SELinux) (3 Marks)
Linux security is built on UNIX security. UNIX security consists of different solutions that were never developed with current IT security needs in mind. Most of the UNIX solutions focus on a part of the operating system only. That means that you need to collect a lot of different security solutions to get a secure operating system, which may be very hard. SELinux was developed to provide a complete and mandatory security solution. The basic principle is that if it is not specifically allowed it will be denied. That is what SELinux will do for you and that is what UNIX security won't bring you. As a result, all unknown services will always need additional configuration to enable them in an environment where SELinux is enabled. Overall, SELinux makes your system more secure, because it is one overall security solution, where things are only allowed to happen if the system administrator really wanted to allow them. In this task, you are required to:
- describes the difference between SELinuxenforcing and permissive modes,
enableand
enforcing permissive SELinux
on Server 2,
- Ensure that thessh serviceis running on server 2,
- Make sure that the ssh service runs onports 22and2022,
- Once you have configured port numbers, usenetstate -Ztulpento check thatport 2022is being enforced by SELinux,
- if not, use set SELinux to enforce a permissive policy to fix the problem,
- use
netstate -Ztulpen
to check if the port2022is enforced by SELinux.