Managing Services and Security
VerifiedAdded on 2023/06/04
|19
|1665
|145
AI Summary
This assignment covers the installation and configuration of virtual machines running Ubuntu and CentOS, BIND, LAMP, and FTP servers. It also covers hardening the web server using IPTables and making DNS robust. The article provides step-by-step instructions and screenshots. Course code and college/university not mentioned.
Contribute Materials
Your contribution can guide someone’s learning journey. Share your
documents today.
Managing Services and Security
Name
Institution
Name
Institution
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Introduction
In this assignment, two virtual machine running Ubuntu and CentOS were installed and
configured on a VMware Workstation Player. The first machine was installed with a BIND,
to provide DNS & SSH services, while the second one was installed with a Web Server. The
name server on virtual machine 1 was configured to manage the domain saffioti.org.au. A
zone was also set up for the reverse zone and hardened by use of firewall rules, which
allowed access to the services. The virtual machine running Ubuntu OS was the web server,
where LAMP was installed. The Apache Web Server in the LAMP software was used to host
a website. Additionally, an FTP server was configured on the same virtual machine.
Part 1: Virtual Machine One – DNS & SSH Server
This virtual machine was installed with CentOs, and a BIND (DNS) installed and configured
on it. The name server was configured to manage the domain;
saffioti.org.au
Step 1: Install Bind
sudo yum install bind bind-utils
Step 2: Configure DNS
The namde.conf file was edited as shown below.
nano -w /etc/named.conf
In this assignment, two virtual machine running Ubuntu and CentOS were installed and
configured on a VMware Workstation Player. The first machine was installed with a BIND,
to provide DNS & SSH services, while the second one was installed with a Web Server. The
name server on virtual machine 1 was configured to manage the domain saffioti.org.au. A
zone was also set up for the reverse zone and hardened by use of firewall rules, which
allowed access to the services. The virtual machine running Ubuntu OS was the web server,
where LAMP was installed. The Apache Web Server in the LAMP software was used to host
a website. Additionally, an FTP server was configured on the same virtual machine.
Part 1: Virtual Machine One – DNS & SSH Server
This virtual machine was installed with CentOs, and a BIND (DNS) installed and configured
on it. The name server was configured to manage the domain;
saffioti.org.au
Step 1: Install Bind
sudo yum install bind bind-utils
Step 2: Configure DNS
The namde.conf file was edited as shown below.
nano -w /etc/named.conf
Step 3: Configure bind zone
nano -w /var/named/saffioti.org.au.zone
Restart the Service, then enable it to start automatically at boot time;
the following commands were used;
service named restart
chkconfig named on
nano -w /var/named/saffioti.org.au.zone
Restart the Service, then enable it to start automatically at boot time;
the following commands were used;
service named restart
chkconfig named on
Part 2: Virtual Machine Two: Server2
Ubuntu Operating system was installed on this virtual machine, and used as a web server. To
enable it server as a web server, LAMP was installed.
By definition LAMP is a stack of open source software tools, that are normally installed
together to facilitate hosting of dynamic websites and web applications. LAMP translates to
Linux, Apache, MySQL, PHP. The three software are installed on Linux along each other to
facilitate web hosting. In this exercise, the software were installed in a series of steps as
outlined below.
step 1: Install Apache
To install Apache, the following commands were used;
sudo apt-get update : this command is used to update the list of packages and their
version. The command only gets and updates information about the packages but does
not install the updates.
sudo apt-get install apache2: the command installs apache web server.
Figure 1.0 Updating the package information.
Figure 2.0 Installing Apache
Ubuntu Operating system was installed on this virtual machine, and used as a web server. To
enable it server as a web server, LAMP was installed.
By definition LAMP is a stack of open source software tools, that are normally installed
together to facilitate hosting of dynamic websites and web applications. LAMP translates to
Linux, Apache, MySQL, PHP. The three software are installed on Linux along each other to
facilitate web hosting. In this exercise, the software were installed in a series of steps as
outlined below.
step 1: Install Apache
To install Apache, the following commands were used;
sudo apt-get update : this command is used to update the list of packages and their
version. The command only gets and updates information about the packages but does
not install the updates.
sudo apt-get install apache2: the command installs apache web server.
Figure 1.0 Updating the package information.
Figure 2.0 Installing Apache
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
To confirm that the Apache Web server was successfully installed, the default apache page
was accessed from a web browser;
Figure 3.0 Confirmation that the Apache was running on the local machine.
Figure 4.0 The server was also accessible from the host machine.
was accessed from a web browser;
Figure 3.0 Confirmation that the Apache was running on the local machine.
Figure 4.0 The server was also accessible from the host machine.
Step 2: Install MySQL
MySQL database was installed using the command;
sudo apt install mysql-server
Figure 5.0 MySQL installation
Step 3. Install PHP
For PhP to work, a number of packages had to be installed as outlined below.
sudo apt install php-pear php-fpm php-dev php-zip php-curl php-xmlrpc php-gd php-
mysql php-mbstring php-xml libapache2-mod-php
Figure 6.0 PhP installation with its additional packages
MySQL database was installed using the command;
sudo apt install mysql-server
Figure 5.0 MySQL installation
Step 3. Install PHP
For PhP to work, a number of packages had to be installed as outlined below.
sudo apt install php-pear php-fpm php-dev php-zip php-curl php-xmlrpc php-gd php-
mysql php-mbstring php-xml libapache2-mod-php
Figure 6.0 PhP installation with its additional packages
Hardening the Web Server
To harden the web server, which makes it more secure, by only allowing access to the web
hosting services, the firewall was configured using IPTables. The process is as outline below.
Step 1: Install the Persistent Firewall Service
For the firewall service to run on the machine, it was necessary to install the iptables-
persistent package. The packages allows the rules set to be persisted and be applied
automatically at boot time. The following command was used to install the package
sudo apt-get install iptables-persistent
Figure 6.0 Installation of the iptables-persistent package which will facilitate automatic
saving of rules and their application when the computer boots up.
Step 2: edit the iptables for IPv4
sudo nano /etc/iptables/rules.v4
To harden the web server, which makes it more secure, by only allowing access to the web
hosting services, the firewall was configured using IPTables. The process is as outline below.
Step 1: Install the Persistent Firewall Service
For the firewall service to run on the machine, it was necessary to install the iptables-
persistent package. The packages allows the rules set to be persisted and be applied
automatically at boot time. The following command was used to install the package
sudo apt-get install iptables-persistent
Figure 6.0 Installation of the iptables-persistent package which will facilitate automatic
saving of rules and their application when the computer boots up.
Step 2: edit the iptables for IPv4
sudo nano /etc/iptables/rules.v4
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Figure 7 IPv4 IP tables before editing
Figure 8. Modified IPTables for IPv4
The same was done for IPTables for IPv6 with the command;
Figure 8. Modified IPTables for IPv4
The same was done for IPTables for IPv6 with the command;
sudo nano /etc/iptables/rules.v6
To test for errors in the modified files, the following two commands
were used;
sudo iptables-restore -t /etc/iptables/rules.v4
sudo ip6tables-restore -t /etc/iptables/rules.v6
No error was reported, meaning the iptables files were okay. The next command was used to
activate the rules.
Difficulties Encountered
Major difficulties were encountered trying to harden the web server. The iptables-persistent
service was not running and attempts to start it failed with the error;
"Failed to start iptables-persistent.service: Unit iptables-persistent.service not found"
After an hour of headache and Googling, I finally found a command to start the service.
sudo service netfilter-persistent start
I realized that the failure to start was a problem with some versions of Ubuntu; the above
configurations seemed not to work and I had to do the following steps to harden the server
with a firewall using IPTables.
Step1; resetting the firewall
sudo service netfilter-persistent flush
Figure 9.0 Flushing the firewall rules
After flushing, I verified that the rules were removed.
Figure 10 verifying that the firewall rules were flushed.
Create Protocols
To test for errors in the modified files, the following two commands
were used;
sudo iptables-restore -t /etc/iptables/rules.v4
sudo ip6tables-restore -t /etc/iptables/rules.v6
No error was reported, meaning the iptables files were okay. The next command was used to
activate the rules.
Difficulties Encountered
Major difficulties were encountered trying to harden the web server. The iptables-persistent
service was not running and attempts to start it failed with the error;
"Failed to start iptables-persistent.service: Unit iptables-persistent.service not found"
After an hour of headache and Googling, I finally found a command to start the service.
sudo service netfilter-persistent start
I realized that the failure to start was a problem with some versions of Ubuntu; the above
configurations seemed not to work and I had to do the following steps to harden the server
with a firewall using IPTables.
Step1; resetting the firewall
sudo service netfilter-persistent flush
Figure 9.0 Flushing the firewall rules
After flushing, I verified that the rules were removed.
Figure 10 verifying that the firewall rules were flushed.
Create Protocols
The next step was to crete specific chain of protocols that the web server will accept; UDP,
TCP and ICMP
sudo iptables -N UDP
sudo iptables -N TCP
sudo iptables -N ICMP
Since SSH traffic uses TCP protocol, I had to add an exception for SSH on the firewall. SSH
traffic uses port 22. The following command was used to create the exception.
sudo iptables -A TCP -p tcp --dport 22 -j ACCEPT
Figure 11.0 Verifying that the new rules were added
General Purpose Accept/Deny Rules
To facilitate filtering of traffic, some general purpose rules were created to accept of drop
packets. For a start traffic for an already established connection was accepted; this was
implemented by the command.
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Figure 12.0 Accept traffic for already established connections
The firewall rule for filtering makes use of conntrack package, which enables internal
tracking, allowing the iptables have the context to facilitate evaluation of packets.
Allow Loopback traffic
To allow traffic from the loopback interface, the following command was executed
TCP and ICMP
sudo iptables -N UDP
sudo iptables -N TCP
sudo iptables -N ICMP
Since SSH traffic uses TCP protocol, I had to add an exception for SSH on the firewall. SSH
traffic uses port 22. The following command was used to create the exception.
sudo iptables -A TCP -p tcp --dport 22 -j ACCEPT
Figure 11.0 Verifying that the new rules were added
General Purpose Accept/Deny Rules
To facilitate filtering of traffic, some general purpose rules were created to accept of drop
packets. For a start traffic for an already established connection was accepted; this was
implemented by the command.
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Figure 12.0 Accept traffic for already established connections
The firewall rule for filtering makes use of conntrack package, which enables internal
tracking, allowing the iptables have the context to facilitate evaluation of packets.
Allow Loopback traffic
To allow traffic from the loopback interface, the following command was executed
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Deny all invalid Packets
Packets that are invalid such as those that address a non-existing port has to be denied. This
was implemented using the command.
sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
Jump Rule for Protocol-Specific Chain
To allow traffic reach the desired protocols, some jump rules were created. The rules will
filter the traffic and only allow the genuine and valid traffic. For example TCP traffic will be
filtered to only allow SYN packets, since SYN is the only valid traffic for TCP type
connection.
The following commands were executed to allow the rules to be create;
sudo iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
sudo iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j
TCP
sudo iptables -A INPUT -p icmp -m conntrack --ctstate NEW -j ICMP
Finally, a rule was created to reject all other traffic hitting the server. The commands below
was used to create the rules;
sudo iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
sudo iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
sudo iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo ip6tables -P INPUT DROP
sudo ip6tables -P FORWARD DROP
sudo ip6tables -P OUTPUT DROP
sudo service iptables-persistent save
Packets that are invalid such as those that address a non-existing port has to be denied. This
was implemented using the command.
sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
Jump Rule for Protocol-Specific Chain
To allow traffic reach the desired protocols, some jump rules were created. The rules will
filter the traffic and only allow the genuine and valid traffic. For example TCP traffic will be
filtered to only allow SYN packets, since SYN is the only valid traffic for TCP type
connection.
The following commands were executed to allow the rules to be create;
sudo iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
sudo iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j
TCP
sudo iptables -A INPUT -p icmp -m conntrack --ctstate NEW -j ICMP
Finally, a rule was created to reject all other traffic hitting the server. The commands below
was used to create the rules;
sudo iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
sudo iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
sudo iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo ip6tables -P INPUT DROP
sudo ip6tables -P FORWARD DROP
sudo ip6tables -P OUTPUT DROP
sudo service iptables-persistent save
The final state of the iptables is as shown below;
Part 3: Remote File Access
This part will install and configure FTP service on Ubuntu [server2]
Step 1 — Install vsftpd
The following command was used to install vsftpd
sudo apt-get install vsftpd
Step 2: Configure firewall rules to allow FTP service
This configuration will open port 20 and port 21 which are used by the FTP service; for this server the
firewall rules were set using iptables. For that reason we need to add a rule in the iptables to allow
FTP traffic. The following commands were used;
Part 3: Remote File Access
This part will install and configure FTP service on Ubuntu [server2]
Step 1 — Install vsftpd
The following command was used to install vsftpd
sudo apt-get install vsftpd
Step 2: Configure firewall rules to allow FTP service
This configuration will open port 20 and port 21 which are used by the FTP service; for this server the
firewall rules were set using iptables. For that reason we need to add a rule in the iptables to allow
FTP traffic. The following commands were used;
iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
The iptables after adding port 21 and 22.
Step 3 — Prepare User Directory
First add a test user; sudo adduser saffioti
Then create a directory for the user and assign rights;
sudo mkdir /home/ saffioti /ftp
sudo chown nobody:nogroup /home/ saffioti /ftp
sudo chmod a-w /home/ saffioti /ftp
The iptables after adding port 21 and 22.
Step 3 — Prepare User Directory
First add a test user; sudo adduser saffioti
Then create a directory for the user and assign rights;
sudo mkdir /home/ saffioti /ftp
sudo chown nobody:nogroup /home/ saffioti /ftp
sudo chmod a-w /home/ saffioti /ftp
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Next we create directory for uploading files into and change the rights;
sudo mkdir /home/saffioti/ftp/files
sudo chown saffioti:saffioti /home/saffioti/ftp/files
Step 4 — Configuring FTP Access
To configure access to FTP we edit the file;
sudo nano /etc/vsftpd.conf
sudo mkdir /home/saffioti/ftp/files
sudo chown saffioti:saffioti /home/saffioti/ftp/files
Step 4 — Configuring FTP Access
To configure access to FTP we edit the file;
sudo nano /etc/vsftpd.conf
Step 5 — Test FTP Access
Testing with anonymous connection
Testing with anonymous connection
Part 4: Making DNS Robust
Installing a bind on server2, to make it the secondary DNS server.
Installing BIND: apt-get install bind9
Configurations for BIND
nano /etc/bind/named.conf.local
Then configure the zones file named; saffioti.org.au
Installing a bind on server2, to make it the secondary DNS server.
Installing BIND: apt-get install bind9
Configurations for BIND
nano /etc/bind/named.conf.local
Then configure the zones file named; saffioti.org.au
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Define a reverse DNS lookup
nano /etc/bind/zones/rev.3.2.1.in-addr.arpa
Testing the DNS confirmed it was up and running
nano /etc/bind/zones/rev.3.2.1.in-addr.arpa
Testing the DNS confirmed it was up and running
Part 5: Simple Web Services
Step 1: Generate the self signed certificate
Then we sign the certificates followed by modification of Apache's default ssl configuration
file;
Finally we edit the file /etc/apache2/sites-available/default-ssl.conf
Step 1: Generate the self signed certificate
Then we sign the certificates followed by modification of Apache's default ssl configuration
file;
Finally we edit the file /etc/apache2/sites-available/default-ssl.conf
Reference
Helmke, M. (2012). Ubuntu Unleashed 2012 Edition: Covering 11.10 and 12.04. Sams publishing.
Helmke, M. (2012). Ubuntu Unleashed 2012 Edition: Covering 11.10 and 12.04. Sams publishing.
1 out of 19
Related Documents
![[object Object]](/_next/image/?url=%2F_next%2Fstatic%2Fmedia%2Flogo.6d15ce61.png&w=640&q=75){kind=small}
Your All-in-One AI-Powered Toolkit for Academic Success.
+13062052269
info@desklib.com
Available 24*7 on WhatsApp / Email
![[object Object]](/_next/static/media/star-bottom.7253800d.svg)
Unlock your academic potential
© 2024 | Zucol Services PVT LTD | All rights reserved.