This lab consists of two parts. Make sure you label each section accordingly and answer all the questions.
For this lab it is recommended that you review the Demo Lab presentations in the Unit 5 and Unit 6 Learning Space. Click the PRACTICE link > DEMO LAB > then click the hyperlink to launch the demonstration.
Part #1
Apply Hardened Security for Linux Services & Applications
Learning Objectives and Outcomes
Upon completing this lab, students will learn about the following tasks:
• Harden Linux server services when enabling and installing them, and keep a security perspective during configuration
• Create an Apache Web Server installation and perform basic security configurations to assure that the system has been hardened before hosting a web site
• Configure and perform basic security for a MySQL database, understanding the ramifications of a default installation and recommending hardening steps for the database instance
• Install, setup and perform basic security configuration for Sendmail to be able to leverage the built-in messaging capabilities of the Linux System
• Enable and implement secure SSH for encrypted remote access over the network or across the Internet of a Linux server system
Overview
This lab is an extension of the previous hands-on labs, and it incorporates security hardening for Linux services and applications loaded on the physical server. This demonstration will configure secure, hardened services and applications to ensure the C-I-A of these services. It will take the steps to configure and secure an Apache web server and a MySQL database, and the components necessary to harden the implementation of both. The students will also see how to use and configure the Sendmail application for secure local messaging, and will enable secure, encrypted remote access using Secure Shell (SSH).
Lab Assessment Questions & Answers
1. When configuring services, what Linux directory typically contains server configuration files? Apache HTTP Server is configured by placing directives in plain text configuration files. The main configuration file is usually called httpd.conf. The location of this file is set at compile-time, but may be overridden with the -f command line flag. In addition, other configuration files may be added using the Include directive, and wildcards can be used to include many configuration files. Any directive may be placed in any of these configuration files. Changes to the main configuration files are only recognized by httpd when it is started or restarted.
The lab covered some very basic security hardening settings for MySQL Database server and application.
2. What command disables remote access to the MySQL Database? Is this a security hardening best practice?
If remote access is used, ensure that only defined hosts can access the server. This is typically done through TCP wrappers, iptables, or any other firewall software or hardware available on the market.
To restrict MySQL from opening a network socket, the following parameter should be added in the [mysqld] section of my.cnf or my.ini:
skip-networking
The file is located in the "C:\Program Files\MySQL\MySQL Server 5.1" directory on the Windows operating system or "/etc/my.cnf" or "/etc/mysql/my.cnf" on Linux.
This line disables the initiation of networking during MySQL startup. Please note that a local connection can still be established to the MySQL server.
Another possible solution is to force MySQL to listen only to the localhost by adding the following line in the [mysqld] section of my.cnf
This procedure is considered essential for best practices.
3. What is a Linux runlevel for a specific service or application? What command allows you to define the runlevel uniquely for a service or application?
The term runlevel refers to a mode of operation of an operating system that implements Unix System V-style initialization. Conventionally, seven runlevels exist, numbered from zero to six, though up to ten, from zero to nine, may be used. S is sometimes used as a synonym for one of the levels. Only one runlevel is executed on bootup; runlevels are not executed sequentially, i.e. either runlevel 2 OR 3 OR 4 is executed, not 2 then 3 then 4.
The "/etc/inittab" file tells init which runlevel to start the system at and describes the processes to be run at each runlevel.
4. What is the Apache Web Server? Review the /etc/httpd/conf/httpd.conf configuration file, and point out a setting that could enhance security.
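As an added example of the kind of setting this question is asking about (this script is not part of the lab and not Apache's own tooling), the check below reads a httpd.conf and reports three directives that control what the server reveals: ServerTokens, ServerSignature and Options Indexes are real Apache directives; the sample files are constructed, and <Directory> scope is ignored, so this is a first pass rather than a full review.

```shell
#!/bin/sh
# Added example (not from the lab): a first-pass check of a httpd.conf for
# three settings that affect what the server gives away. ServerTokens,
# ServerSignature and Options are real Apache directives; the sample files
# below are constructed. <Directory> scope is ignored on purpose.

# httpd_last_directive FILE DIRECTIVE -> value of the last uncommented
# occurrence (Apache lets a later directive override an earlier one).
httpd_last_directive() {
    awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { print v }' "$1"
}

# httpd_audit FILE -> one finding per line (nothing printed when clean)
httpd_audit() {
    tokens=$(httpd_last_directive "$1" ServerTokens)
    case "$tokens" in
        Prod|ProductOnly) ;;
        *) echo "ServerTokens ${tokens:-unset (defaults to Full)}: Server header reveals version and modules; set ServerTokens Prod" ;;
    esac
    sig=$(httpd_last_directive "$1" ServerSignature)
    case "$sig" in
        On|EMail) echo "ServerSignature $sig: error pages carry a server/version footer; set ServerSignature Off" ;;
    esac
    # Any Options line that switches directory listings on (Indexes / +Indexes).
    if awk 'tolower($1) == "options" { for (i = 2; i <= NF; i++) if ($i == "Indexes" || $i == "+Indexes") on = 1 }
            END { exit !on }' "$1"; then
        echo "Options Indexes: directories without an index file are listed to clients; use Options -Indexes"
    fi
}

# httpd_finding_count FILE -> number of findings, handy for scripting.
httpd_finding_count() {
    httpd_audit "$1" | wc -l | tr -d ' '
}

# Constructed sample configurations (not copied from any real server).
HTTPD_DIR=$(mktemp -d)
cat > "$HTTPD_DIR/weak.conf" <<'EOF'
ServerTokens Full
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
EOF
cat > "$HTTPD_DIR/hardened.conf" <<'EOF'
ServerTokens Prod
ServerSignature Off
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
</Directory>
EOF

for f in weak hardened; do
    echo "== $f.conf: $(httpd_finding_count "$HTTPD_DIR/$f.conf") finding(s)"
    httpd_audit "$HTTPD_DIR/$f.conf"
done
```

Point the functions at /etc/httpd/conf/httpd.conf to run the same check on the lab server; the only change needed is the file name.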
5. OpenSSH is the de facto method to remotely access Linux systems. Explain why the use of telnet is discouraged.
Use of telnet is strongly discouraged, as your information and passwords will be sent in clear-text and susceptible to 'snooping'.
6. What are Symbolic links?
A symbolic link, also termed a soft link, is a special kind of file that points to another file, much like a shortcut in Windows or a Macintosh alias.
Unlike a hard link, a symbolic link does not contain the data in the target file. It simply points to another entry somewhere in the file system. This difference gives symbolic links certain qualities that hard links do not have, such as the ability to link to directories, or to files on remote computers networked through NFS. Also, when you delete a target file, symbolic links to that file become unusable, whereas hard links preserve the contents of the file.
7. Why is it recommended to disable symbolic links in MySQL? Symbolic links are enabled by default. If you don't need them, you can disable them with the skip-symbolic-links option.
8. Why would you add the ‘skip-networking’ command?
You may even have services that are listening on a TCP port but don’t need to be. Database servers such as MySQL are often used in conjunction with Apache, and are frequently set up to coexist on the same server when used in this way. Connections that come from the same machine that MySQL is installed on use a domain socket in the filesystem for communications. Therefore, you don’t need to have MySQL listening on a TCP socket. To do this, you can either use the --skip-networking command-line option when starting MySQL or specify it in the [mysqld] section of your my.cnf file:
[mysqld]
...
skip-networking
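Questions 2 and 8 come down to the same check: is mysqld reachable over TCP, or only through its local socket? The script below is an added example, not part of the lab and not MySQL's own tooling. It audits a my.cnf for skip-networking, or for bind-address (a real mysqld option) pinned to the loopback address, and it only counts settings found inside the [mysqld] section, since the same key under [client] does nothing for the server. The sample configurations are constructed.

```shell
#!/bin/sh
# Added example (not from the lab): audit a my.cnf for the two settings that
# keep mysqld off the network. Only the [mysqld] section counts.

# mycnf_get FILE SECTION KEY -> value of KEY inside [SECTION], or nothing.
# Boolean options such as skip-networking have no "=" part; print "1" then.
mycnf_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { cur = $0; gsub(/[[:space:]]/, "", cur); next }
        cur == want {
            line = $0
            sub(/#.*/, "", line)                       # strip comments
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", line)
            n = split(line, kv, /[[:space:]]*=[[:space:]]*/)
            if (kv[1] == key) { print (n > 1 ? kv[2] : "1"); exit }
        }' "$1"
}

# mysql_network_verdict FILE -> "local-only" when networking is off or the
# listener is bound to loopback, otherwise "network-exposed".
mysql_network_verdict() {
    if [ -n "$(mycnf_get "$1" mysqld skip-networking)" ]; then
        echo local-only; return 0
    fi
    case "$(mycnf_get "$1" mysqld bind-address)" in
        127.0.0.1|localhost|::1) echo local-only; return 0 ;;
    esac
    echo network-exposed
}

# Constructed sample configurations (not from any real host).
MYCNF_DIR=$(mktemp -d)
cat > "$MYCNF_DIR/exposed.cnf" <<'EOF'
[client]
skip-networking          # wrong section: has no effect on the server

[mysqld]
datadir = /var/lib/mysql
bind-address = 0.0.0.0
EOF
cat > "$MYCNF_DIR/hardened.cnf" <<'EOF'
[mysqld]
datadir = /var/lib/mysql
skip-networking
EOF
cat > "$MYCNF_DIR/loopback.cnf" <<'EOF'
[mysqld]
bind-address = 127.0.0.1   # still listens on TCP, but only on loopback
EOF

for f in exposed hardened loopback; do
    printf '%-14s %s\n' "$f.cnf:" "$(mysql_network_verdict "$MYCNF_DIR/$f.cnf")"
done
```

The first sample is the trap the question hints at: the option is present in the file, but in the wrong section, so the server is still listening on every interface. After changing the file, confirm the result from the outside with netstat or by attempting a TCP connection to port 3306, since the option is only read at startup.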
9. What two files does sendmail create while processing a message?
"df": which stores the body of the message.
"qf": which stores the headers and other information.
10. What command can you use locally to find the sendmail’s version number?
To find out which version of sendmail is installed on your system, you can try the following command: sendmail -d0.4 -bv root
Part #2
Apply Hardened Security for Controlling Access
Learning Objectives and Outcomes
Upon completing this lab, students will learn about the following tasks:
• Review current internal host-based firewall parameters and configuration settings to verify allowed and denied IP communications
• Configure an internal host-based firewall using iptables and create stringent allow/deny rules for services that may require access to the system over the network
• Harden the system by enabling TCPWrappers to deny and log unauthorized attempts against services and ports running on the system
• Secure processes running on the system by using and configuring SELinux to help perform more in-depth layered security
• Verify configurations of the settings applied by connecting to the Linux server using SSH and connect to other services running on a Linux server
Overview
This lab is an extension of the previous hands-on labs. It continues with the system and security hardening for the Fedora Core Linux Server and requires the students to first review current host-based, IP firewall services. The demonstration will flush the current firewall configuration and will re-configure it with stringent permit/deny rule sets. The demo shows students how to configure security and hardened services, including a host-based IP firewall, TCP wrappers for unauthorized access controls and logging, and SELinux for implementation of a layered security strategy.
Lab Assessment Questions & Answers
1. Suppose the domain hackers.com is denied for all services in the hosts.deny and the hosts.allow file has the rule ALL: ALL. Will TCPWrappers allow hackers.com access?
Not at all, because the first matching rule applies.
2. How do you enable SELinux?
From the command line, you can edit the /etc/sysconfig/selinux file. This file is a symlink to /etc/selinux/config. The configuration file is self-explanatory. Changing the value of SELINUX or SELINUXTYPE changes the state of SELinux and the name of the policy to be used the next time the system boots.
3. What are three modes of SELinux? Explain their basic functionality.
Enforcing
This should be the default mode.
The kernel blocks all accesses unless they are explicitly allowed. All denied accesses are reported in the logging system as AVC (Access Vector Cache) messages, unless policy writers have explicitly told the kernel to dontaudit the message.
Permissive
The kernel will report Access Violations in the form of AVC messages but will allow the access.
The kernel will also continue to create properly labeled files.
There are a couple of major differences in the way the kernel reports these AVC messages.
The kernel will only report the first access violation in permissive mode for a confined domain on a particular object, whereas in enforcing mode it will report each and every denied access.
You can get many additional AVC messages that would never have shown up in enforcing mode. For example, suppose a confined domain was not allowed to read a directory or any of the files in it. In enforcing mode the directory access would be denied and one AVC message would be generated. In permissive mode, the directory access would generate an AVC, and each file read would generate an AVC.
When reporting AVC messages we would prefer that you report AVC messages from enforcing mode, but sometimes permissive mode is necessary to get all the AVC messages. You can boot the kernel in permissive mode with the enforcing=0 switch.
You can use setenforce 0 to turn on permissive mode, and setenforce 1 to turn on enforcing mode.
Disabled
Turns off SELinux enforcement entirely and also stops the creation of proper labels on the files.
You should only disable SELinux if you do not intend to use it. You should use permissive mode when diagnosing a problem.
If you want to disable SELinux, you need to edit /etc/selinux/config and change the SELINUX line to disabled. You will then need to reboot the machine, since SELinux is running within the kernel.
If you wish to reenable SELinux you will need to relabel the entire file system.
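The three modes and the rules above (setenforce switches only between enforcing and permissive, enforcing=0 on the kernel command line boots permissive, and a disabled system needs a config edit plus a reboot and relabel) are small enough to model in a few shell functions. This is an added example, not part of the lab and not the SELinux tooling itself; the sample /etc/selinux/config files are constructed.

```shell
#!/bin/sh
# Added example (not from the lab): read the SELINUX= setting from an
# /etc/selinux/config-style file and model what can change at boot and at
# runtime. Sample config files are constructed.

# selinux_config_mode FILE -> enforcing | permissive | disabled (or empty).
# The last uncommented SELINUX= line wins; SELINUXTYPE= is a different key.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" \
        | tail -n 1 | tr 'A-Z' 'a-z'
}

# selinux_boot_mode FILE [KERNEL_CMDLINE] -> mode after the next boot,
# honouring the enforcing=0 kernel switch (it downgrades enforcing to
# permissive; it does not turn a disabled system on).
selinux_boot_mode() {
    mode=$(selinux_config_mode "$1")
    case " ${2:-} " in
        *" enforcing=0 "*) [ "$mode" = enforcing ] && mode=permissive ;;
    esac
    echo "${mode:-unknown}"
}

# selinux_runtime_mode BOOT_MODE [SETENFORCE_ARG] -> mode after setenforce.
selinux_runtime_mode() {
    case "$1" in
        disabled)
            # No policy is loaded, so setenforce cannot help here: edit the
            # config, reboot, and relabel the file system to come back.
            echo disabled ;;
        enforcing|permissive)
            case "${2:-}" in
                0)  echo permissive ;;
                1)  echo enforcing ;;
                '') echo "$1" ;;                     # no setenforce: as booted
                *)  echo "unknown setenforce argument '$2'" ;;
            esac ;;
        *) echo "unknown mode '$1'" ;;
    esac
}

# Constructed sample config, in the layout of /etc/selinux/config.
SELINUX_SAMPLE=$(mktemp)
cat > "$SELINUX_SAMPLE" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
SELINUXTYPE=targeted
EOF
SELINUX_ENFORCING=$(mktemp)
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$SELINUX_ENFORCING"

echo "config says:              $(selinux_config_mode "$SELINUX_SAMPLE")"
echo "boot with enforcing=0:    $(selinux_boot_mode "$SELINUX_ENFORCING" "ro quiet enforcing=0")"
echo "permissive + setenforce 1: $(selinux_runtime_mode permissive 1)"
echo "disabled + setenforce 1:  $(selinux_runtime_mode disabled 1)"
```

On a live system, getenforce reports the current runtime mode and the config file reports the mode for the next boot; the two can differ after a setenforce call, which is why the question's three modes are best checked from both places.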
4. Consider the following firewall rule, and describe what this permits or denies.
No firewall rule was given to consider or describe
5. What command would you use to allow all the traffic from the loopback?
-A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - allows all traffic to the loopback network coming from the loopback device.
6. What command would you use to view the network port configuration for the iptables? iptables -vnL | more will give some port information, but portmap will provide even more.
7. If a service is allowed in one place and denied in another, what is the outcome?
First encountered rule takes priority.
8. Is the order of the rules important? If you deny something within the IP network layer, but permit something within the TCP transport layer that uses the IP network layer that you just denied, will your TCP traffic be permitted?
Yes. See #1 and #7. No, TCP traffic will not be allowed because it was already blocked by IP.
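Questions 5, 7 and 8 are all about first-match evaluation: iptables walks the chain top to bottom and the first rule that matches decides, so a subnet-wide DROP placed above a TCP port ACCEPT wins for that subnet, and swapping the two lines flips the verdict. The evaluator below is an added example, not from the lab and not iptables itself: it reads rules in the -A/-P syntax used on this page, understands -i, -s, -d, -p, --dport and -j (IPv4 only, everything else ignored), and prints the target of the first matching rule or the chain policy. The rule sets and packets are constructed.

```shell
#!/bin/sh
# Added example (not from the lab): a first-match evaluator for an INPUT
# chain, to show why rule order decides the outcome. Constructed rule set;
# the loopback rule is the one from question 5.
RULES='
-P INPUT DROP
-A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
'
# Same rules, with the SSH ACCEPT moved above the subnet DROP.
RULES_SSH_FIRST='
-P INPUT DROP
-A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -j DROP
-A INPUT -p tcp --dport 80 -j ACCEPT
'

# fw_verdict IFACE SRC DST PROTO DPORT   (rules on stdin)
# Prints the target of the first rule that matches, else the chain policy.
fw_verdict() {
    awk -v iface="$1" -v src="$2" -v dst="$3" -v proto="$4" -v dport="$5" '
        function ip2int(a,    o) {
            split(a, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        # CIDR test by integer division: both addresses shifted right by
        # (32 - prefix) bits must be equal.
        function cidr_match(ip, cidr,    p, bits, width) {
            bits = (split(cidr, p, "/") > 1) ? p[2] : 32
            width = 2 ^ (32 - bits)
            return int(ip2int(ip) / width) == int(ip2int(p[1]) / width)
        }
        $1 == "-P" { policy = $3; next }
        $1 == "-A" {
            ok = 1; target = ""
            for (i = 2; i < NF; i++) {
                if ($i == "-i"      && $(i + 1) != iface) ok = 0
                if ($i == "-s"      && !cidr_match(src, $(i + 1))) ok = 0
                if ($i == "-d"      && !cidr_match(dst, $(i + 1))) ok = 0
                if ($i == "-p"      && $(i + 1) != proto) ok = 0
                if ($i == "--dport" && $(i + 1) != dport) ok = 0
                if ($i == "-j") target = $(i + 1)
            }
            if (ok) { matched = 1; print target; exit }   # first match wins
        }
        END { if (!matched) print policy }
    '
}

for pkt in "lo 127.0.0.1 127.0.0.1 tcp 3306" \
           "eth0 203.0.113.5 198.51.100.10 tcp 22" \
           "eth0 198.51.100.20 198.51.100.10 tcp 22" \
           "eth0 198.51.100.20 198.51.100.10 tcp 3306"; do
    # word splitting of $pkt into the five arguments is intended
    printf '%-40s -> %s\n' "$pkt" "$(printf '%s\n' "$RULES" | fw_verdict $pkt)"
done
printf '%-40s -> %s  (SSH rule moved above the DROP)\n' \
    "eth0 203.0.113.5 198.51.100.10 tcp 22" \
    "$(printf '%s\n' "$RULES_SSH_FIRST" | fw_verdict eth0 203.0.113.5 198.51.100.10 tcp 22)"
```

The second packet is the question 8 case: the host in 203.0.113.0/24 is dropped at the IP layer before the TCP port 22 rule is ever consulted, and the only way to let it through is to reorder the rules, which is exactly what the answer to question 7 implies. On a real system, iptables -vnL shows the rules in the order they are evaluated, so reading the listing top to bottom reproduces this walk by hand.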
9. If one of the files does not exist what happens?
TCPWrappers will continue down its list without incident. Rules apply when matched.
10. Are the rules from TCP wrapped services cached? TCP wrapped services do not cache the rules from the hosts access files, so any changes to hosts.allow or hosts.deny take effect immediately without restarting network services.
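Questions 7, 9 and 10 describe how TCP wrappers reach a decision; the functions below re-implement that decision in shell as an added example (not part of the lab and not the libwrap code) following the hosts_access(5) lookup order: a match in hosts.allow grants, otherwise a match in hosts.deny refuses, otherwise access is granted; a file that does not exist is treated as empty, and both files are re-read on every call, so an edit is live for the next connection. It supports "daemons : clients" lines with ALL, exact names or addresses, ".domain" suffixes and "1.2.3." prefixes; the option syntax and other wildcards are not handled. The sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the lab): a small re-implementation of the
# hosts_access(5) decision, enough to show lookup order, the effect of a
# missing file, and the absence of caching. Sample files are constructed.

# tcpw_list_matches "a, b, .c" ITEM -> exit 0 if ITEM matches a token.
# Runs in a subshell so the IFS change stays local to the function.
tcpw_list_matches() (
    item=$2
    IFS=','
    for tok in $1; do
        tok=$(printf '%s' "$tok" | tr -d '[:space:]')
        case "$tok" in
            '')  ;;
            ALL) return 0 ;;
            .*)  case "$item" in *"$tok") return 0 ;; esac ;;   # domain suffix
            *.)  case "$item" in "$tok"*) return 0 ;; esac ;;   # network prefix
            *)   [ "$item" = "$tok" ] && return 0 ;;
        esac
    done
    return 1
)

# tcpw_file_matches FILE DAEMON CLIENT -> 0 if some line matches the pair.
tcpw_file_matches() {
    [ -f "$1" ] || return 1              # missing file: same as an empty one
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                 # strip comments
        case "$line" in *:*) ;; *) continue ;; esac
        if tcpw_list_matches "${line%%:*}" "$2" && tcpw_list_matches "${line#*:}" "$3"; then
            return 0                     # first matching line decides
        fi
    done < "$1"
    return 1
}

# tcpw_decide ALLOWFILE DENYFILE DAEMON CLIENT -> allow | deny
tcpw_decide() {
    if tcpw_file_matches "$1" "$3" "$4"; then echo allow
    elif tcpw_file_matches "$2" "$3" "$4"; then echo deny
    else echo allow                      # matched neither file: granted
    fi
}

# Constructed sample files (not copied from any host).
TCPW_DIR=$(mktemp -d)
cat > "$TCPW_DIR/hosts.allow" <<'EOF'
# sshd only from the admin host and the trusted domain
sshd : 192.0.2.10, .example.com
EOF
printf 'ALL : ALL\n' > "$TCPW_DIR/hosts.deny"

for pair in "sshd 192.0.2.10" "sshd mail.example.com" "sshd 198.51.100.7" "vsftpd 192.0.2.10"; do
    # word splitting of $pair into daemon and client is intended
    printf '%-22s -> %s\n' "$pair" "$(tcpw_decide "$TCPW_DIR/hosts.allow" "$TCPW_DIR/hosts.deny" $pair)"
done
printf '%-22s -> %s  (no hosts.deny present)\n' "sshd 198.51.100.7" \
    "$(tcpw_decide "$TCPW_DIR/hosts.allow" "$TCPW_DIR/missing" sshd 198.51.100.7)"
```

The last line is the question 9 case: with hosts.deny absent nothing refuses the pair, so the default of granting access applies, which is why a hardened host keeps an explicit ALL : ALL in hosts.deny. Appending a line to hosts.allow and calling tcpw_decide again changes the answer at once, with no service restart, matching question 10.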