This assignment covers the installation and configuration of virtual machines running Ubuntu and CentOS, BIND, LAMP, and FTP servers. It also covers hardening the web server using IPTables and making DNS robust. The article provides step-by-step instructions and screenshots. Course code and college/university not mentioned.
Contribute Materials
Your contribution can guide someone’s learning journey. Share your
documents today.
Managing Services and Security Name Institution
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Introduction In this assignment, two virtual machine running Ubuntu and CentOS were installed and configured on a VMware Workstation Player. The first machine was installed with a BIND, to provide DNS & SSH services, while the second one was installed with a Web Server. The name server on virtual machine 1 was configured to manage the domain saffioti.org.au. A zone was also set up for the reverse zone and hardened by use of firewall rules, which allowed access to the services. The virtual machine running Ubuntu OS was the web server, where LAMP was installed. The Apache Web Server in the LAMP software was used to host a website. Additionally, an FTP server was configured on the same virtual machine. Part 1: Virtual Machine One – DNS & SSH Server This virtual machine was installed with CentOs, and a BIND (DNS) installed and configured on it. The name server was configured to manage the domain; saffioti.org.au Step 1: Install Bind sudo yuminstallbindbind-utils Step 2: Configure DNS The namde.conf file was edited as shown below. nano -w /etc/named.conf
Step 3: Configure bind zone nano -w /var/named/saffioti.org.au.zone Restart the Service, then enable it to start automatically at boot time; the following commands were used; service namedrestart chkconfignamedon
Part 2: Virtual Machine Two: Server2 Ubuntu Operating system was installed on this virtual machine, and used as a web server. To enable it server as a web server, LAMP was installed. By definition LAMP is a stack of open source software tools, that are normally installed together to facilitate hosting of dynamic websites and web applications. LAMP translates to Linux,Apache,MySQL,PHP. The three software are installed on Linux along each other to facilitate web hosting. In this exercise, the software were installed in a series of steps as outlined below. step 1: Install Apache To install Apache, the following commands were used; sudo apt-get update:this command is used to update the list of packages and their version. The command only gets and updates information about the packages but does not install the updates. sudo apt-get install apache2: the command installs apache web server. Figure 1.0 Updating the package information. Figure 2.0 Installing Apache
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
To confirm that the Apache Web server was successfully installed, the default apache page was accessed from a web browser; Figure 3.0 Confirmation that the Apache was running on the local machine. Figure 4.0 The server was also accessible from the host machine.
Step 2: Install MySQL MySQL database was installed using the command; sudo apt install mysql-server Figure 5.0 MySQL installation Step 3. Install PHP For PhP to work, a number of packages had to be installed as outlined below. sudo apt install php-pear php-fpm php-dev php-zip php-curl php-xmlrpc php-gd php- mysql php-mbstring php-xml libapache2-mod-php Figure 6.0 PhP installation with its additional packages
Hardening the Web Server To harden the web server, which makes it more secure, by only allowing access to the web hosting services, the firewall was configured using IPTables. The process is as outline below. Step 1: Install the Persistent Firewall Service For the firewall service to run on the machine, it was necessary to install the iptables- persistent package. The packages allows the rules set to be persisted and be applied automatically at boot time. The following command was used to install the package sudo apt-get install iptables-persistent Figure 6.0 Installation of theiptables-persistent package which will facilitate automatic saving of rules and their application when the computer boots up. Step 2: edit the iptables for IPv4 sudo nano/etc/iptables/rules.v4
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Figure 7 IPv4 IP tables before editing Figure 8. Modified IPTables for IPv4 The same was done for IPTables for IPv6 with the command;
sudo nano/etc/iptables/rules.v6 To test forerrorsinthemodifiedfiles,thefollowingtwocommands were used; sudoiptables-restore-t/etc/iptables/rules.v4 sudoip6tables-restore-t/etc/iptables/rules.v6 No error was reported, meaning the iptables files were okay. The next command was used to activate the rules. Difficulties Encountered Major difficulties were encountered trying to harden the web server. The iptables-persistent service was not running and attempts to start it failed with the error; "Failed to start iptables-persistent.service: Unit iptables-persistent.service not found" After an hour of headache and Googling, I finally found a command to start the service. sudo service netfilter-persistent start I realized that the failure to start was a problem with some versions of Ubuntu; the above configurations seemed not to work and I had to do the following steps to harden the server with a firewall using IPTables. Step1; resetting the firewall sudo service netfilter-persistent flush Figure 9.0 Flushing the firewall rules After flushing, I verified that the rules were removed. Figure 10 verifying that the firewall rules were flushed. Create Protocols
The next step was to crete specific chain of protocols that the web server will accept; UDP, TCP and ICMP sudo iptables -N UDP sudo iptables -N TCP sudo iptables -N ICMP Since SSH traffic uses TCP protocol, I had to add an exception for SSH on the firewall. SSH traffic uses port 22. The following command was used to create the exception. sudo iptables -A TCP -p tcp --dport 22 -j ACCEPT Figure 11.0 Verifying that the new rules were added General Purpose Accept/Deny Rules To facilitate filtering of traffic, some general purpose rules were created to accept of drop packets. For a start traffic for an already established connection was accepted; this was implemented by the command. sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT Figure 12.0 Accept traffic for already established connections The firewall rule for filtering makes use of conntrack package, which enables internal tracking, allowing the iptables have the context to facilitate evaluation of packets. Allow Loopback traffic To allow traffic from the loopback interface, the following command was executed
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Deny all invalid Packets Packets that are invalid such as those that address a non-existing port has to be denied. This was implemented using the command. sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP Jump Rule for Protocol-Specific Chain To allow traffic reach the desired protocols, some jump rules were created. The rules will filter the traffic and only allow the genuine and valid traffic. For example TCP traffic will be filtered to only allow SYN packets, since SYN is the only valid traffic for TCP type connection. The following commands were executed to allow the rules to be create; sudo iptables-AINPUT-pudp-mconntrack--ctstateNEW-jUDP sudo iptables-AINPUT-ptcp--syn-mconntrack--ctstateNEW-j TCP sudo iptables-AINPUT-picmp-mconntrack--ctstateNEW-jICMP Finally, a rule was created to reject all other traffic hitting the server. The commands below was used to create the rules; sudo iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable sudo iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset sudo iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable sudo iptables -P INPUT DROP sudo iptables -P FORWARD DROP sudo ip6tables -P INPUT DROP sudo ip6tables -P FORWARD DROP sudo ip6tables -P OUTPUT DROP sudo service iptables-persistent save
The final state of the iptables is as shown below; Part 3: Remote File Access This part will install and configure FTP service on Ubuntu [server2] Step 1 — Install vsftpd The following command was used to install vsftpd sudo apt-getinstallvsftpd Step 2: Configure firewall rules to allow FTP service This configuration will open port 20 and port 21 which are used by the FTP service; for this server the firewall rules were set using iptables. For that reason we need to add a rule in the iptables to allow FTP traffic. The following commands were used;
iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT The iptables after adding port 21 and 22. Step 3 — Prepare User Directory First add a test user;sudo adduser saffioti Then create a directory for the user and assign rights; sudo mkdir/home/saffioti/ftp sudo chownnobody:nogroup/home/saffioti/ftp sudo chmoda-w/home/saffioti/ftp
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Next we create directory for uploading files into and change the rights; sudo mkdir /home/saffioti/ftp/files sudo chown saffioti:saffioti /home/saffioti/ftp/files Step 4 — Configuring FTP Access To configure access to FTP we edit the file; sudo nano/etc/vsftpd.conf
Step 5 — Test FTP Access Testing with anonymous connection
Part 4: Making DNS Robust Installing a bind on server2, to make it the secondary DNS server. Installing BIND:apt-getinstallbind9 Configurations for BIND nano /etc/bind/named.conf.local Then configurethezonesfile named;saffioti.org.au
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Define a reverse DNS lookup nano /etc/bind/zones/rev.3.2.1.in-addr.arpa Testing the DNS confirmed it was up and running
Part 5: Simple Web Services Step 1: Generate the self signed certificate Then we sign the certificates followed by modification of Apache's default ssl configuration file; Finally we edit the file /etc/apache2/sites-available/default-ssl.conf
Reference Helmke, M. (2012).Ubuntu Unleashed 2012 Edition: Covering 11.10 and 12.04. Sams publishing.