https://wiki.ihitc.net/mediawiki/api.php?action=feedcontributions&feedformat=atom&user=JonQuinnITCwiki - User contributions [en]2026-04-30T15:31:36ZUser contributionsMediaWiki 1.38.5https://wiki.ihitc.net/mediawiki/index.php?title=Mail_server_mnjk&diff=9604Mail server mnjk2021-04-16T01:57:07Z<p>JonQuinn: /* Auto Maildir Clean Up */</p>
<hr />
<div>==Introduction==<br />
:This section documents the creation of the Auto-Reply Mail Server. This section will likely be created by an instructor or administrator.<br />
==Mail Server Documentation==<br />
<ol><br />
<li>Power on you Virtual machine</li><br />
<br />
:* This server may reside in the VMware ESXi or NetLab as long as the network configuration allows connection to the course VLAN and student VM's.<br />
<li>Install Debian Linux</li><br />
: Once the system has booted and is on the "Debian GNU/Linux installer menu" choose "Install" and '''not''' "Graphical Install". If you make an incorrect choice you can reboot your virtual machine (power off and on) before installing to get back to the menu.<br />
: In the installer you will use the space bar to select and unselect "checkboxes", the tab key to move between fields and buttons, and the enter key to continue. You will be prompted for the following choices<br />
* Select ''English'' as the language, ''United States'' as your location, and ''American English'' as the keymap.<br />
* Set ''ens192'' as your primary network interface.<br />
* Set a hostname for the system to 2480 followed by a dash and then your pod ID letter, like ''2480-Z'' for LSA Pod Z. If you have forgotten your pod ID letter look up at the top of your screen above the line with the "Topology" and "Linux Server" tabs and you should see a line with "LSA Pod" followed by a letter, that letter is your pod ID letter.<br />
:'' Note: These steps are critical to future success in labs, check your spelling carefully'' <br />
: [[File:Lab1_hostname.png|link=https://wiki.ihitc.net/mediawiki/images/5/57/Lab1_hostname.png|500px]]<br />
: [[Media:Lab1_hostname.png|Click here for a larger image]]<br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
: [[File:Lab1_domainname.png|link=https://wiki.ihitc.net/mediawiki/images/5/5a/Lab1_domainname.png|500px]]<br />
: [[Media:Lab1_domainname.png|Click here for a larger images]]<br />
* Set the root password to something you will NOT FORGET, this is the administrator account, ''cisco'' might be a good choice for our purposes though that would not be secure for a system directly accessible from the Internet (we are protected by a firewall which you are bypassing via the VPN connection)<br />
* Create a new user account by entering your name. The system will automatically use your first name (all lowercase) as the username and then you should set the password to another password you will not forget<br />
* Select your timezone<br />
* Choose "Guided - Use entire disk" as the partitioning method and select the ''sda'' drive and "All files in one partition" as the partitioning scheme, "Finish partitioning and write the changes to the disk", and then finally confirm you want to write the changes.<br />
* You do not want to scan any other CDs or DVDs at this time.<br />
* You want to select a mirror located close to you with good speed. Because your VM is actually running from the campus and is connected to the campus Internet connection a good option is "debian.uchicago.edu" with no http proxy.<br />
* Choose whether you want to participate in the package usage survey, for our purposes either choice is just fine.<br />
* On the software selection screen UNSELECT "Debian desktop environment" and "Print server" and make sure that "SSH server" and "Standard system utilities" are the only two selected options.<br />
:'' Note: To select and unselect options move your cursor over the option and press the space bar.<br />
* Choose that yes you want to install GRUB to the master boot record on the ''/dev/sda'' device.<br />
<li>Complete the installation</li><br />
: When the installation is complete you can select continue to "eject" the virtual CD and reboot into the new install<br />
</ol><br />
<br />
==Install Basic Tools==<br />
<ol><br />
<li>Install '''sudo''' from the command line using:<br />
: ''Note: A good practice is to update your system before installing any packages, this should be completed using '''apt update''', ensure to use '''sudo''' when not logged in as root.<br />
: <code>apt update</code><br />
: <code>apt install sudo</code></li><br />
: For security purposes it is usually the case that you do not want to log in as the root user. Instead, best practice is to log in as a standard user and then execute specific commands that require root access with administrative privileges through the '''sudo''' program. The '''sudo''' program is not installed by default so after you have logged in to the root account enter '''apt update''' and press enter which will update the list of software available for installation and then '''apt install sudo''' and press enter to install the sudo software.<br />
<li>Add sudo privileges to our standard user account.<br />
:<code>adduser <username> sudo</code></li><br />
: We now need to add our standard user account to the group which is allowed to have administrative access to do this enter the command '''sudo adduser ''<username>'' sudo''' and press enter, replacing ''<username>'' with the name of your standard user account (set during the setup process, probably your first name in lowercase). We'll learn more about these commands later in the course.<br />
<li>Reboot system</li><br />
: <code>shutdown -r now</code><br />
: Reboot your system using the '''shutdown -r now''' command to apply the changes<br />
<li>Log in as your standard user account, determine system IP address.<br />
: Once you are logged in use the following command at the command line to determine the IP address of your system<br />
:<code>ip address show</code></li><br />
: Using the '''ip address show''' command will allow you to check the IP address of your system. The IP address should be something like ''172.17.50.xxx'' and be an ''inet'' address on the ''ens192'' adapter.<br />
: [[File:Lab1_ip_address_show2.PNG|500px]]<br />
<li>Test sudo privileges</li><br />
: Try running the same command as the administrator by typing '''sudo ip address show''', you will need to enter in your password again when you run this command.<br />
: <code>sudo ip address show</code><br />
<li>Install '''open-vm-tools'''</li><br />
: Run the '''sudo apt install open-vm-tools''' command to install the vmWare Tools. You will be prompted about several additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
:<code>sudo apt install open-vm-tools</code><br />
<br><br />
<li>Install nmap</li><br />
:Nmap is a tool we will learn more about later in the course but it will likely be used to check many of the labs for completion while working through the course. This course's labwork often builds upon the work you have done in previous labs. The self-check scripts are to assist you in ensuring you have not missed any ''critical'' steps in your work that would affect your success in subsequent labs.<br />
<br />
:''NOTE: Before we begin the installation of this tool it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning of systems which they are not authorized to do. You have been warned!<br />
:*At this time all you will be doing is installing the tool as it will be used to self-check your lab work to verify you are ready to move on to the next lab.<br />
:* Run the following command at the command line.<br />
:<pre>sudo apt install nmap</pre><br />
: Run the '''sudo apt install nmap''' command to install the nmap tool. You will be prompted about additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
<br />
<li>Exit from the local console</li><br />
: To log out of the console type '''exit''' and press enter.<br />
: Because your Debian Linux server is running as a virtual machine on a vmWare host system in order to achieve the best performance and driver integration we should install the vmWare Tools software package in your virtual machine.<br />
</ol><br />
<br />
== Add User "Ping", Install Webmin==<br />
<ol><br />
<li> Create a new user account '''ping''' using the '''adduser''' program</li><br />
: <code> adduser ping</code><br />
<li> Use the '''links''' browser or '''wget''' to download the '''DEB''' package file from '''[https://www.webmin.com www.webmin.com]'''</li><br />
: ''NOTE: Because this DEB file was downloaded directly instead of automatically by APT from a package repository the installation command is slightly different and some other commands such as '''apt show''' will not work.''<br />
<li>Install the package with '''apt install'''<br />
: <code>apt install ./<filename.deb></code><br />
: Don't forget that installation of software must be done with system administrator permissions.''</li><br />
:[[File:Apt-install-webmin.png | link= https://wiki.ihitc.net/mediawiki/images/f/f8/Apt-install-webmin.png | 500px]]<br />
:[[Media:Apt-install-webmin.png | Click for Larger Image]]<br />
: ''NOTE: You can get similar information to what you can get with '''apt show''' from a '''DEB''' package file using the following command:''<br />
: <code>dpkg -I <filename></code><br />
<li> Notice the additional packages which are required by Webmin (dependencies) which will be downloaded and installed by '''apt''' from a repository in order to complete the installation.</li><br />
<li> Open a web browser on your host system and visit https://xxx.xxx.xxx.xxx:10000 where your IP replaces xxx.xxx.xxx.xxx</li><br />
<li> Login using your Debian username and password </li><br />
<li> Explore the Webmin interface<br />
:[[file:Webmin-dashboard.png | link= https://wiki.ihitc.net/mediawiki/images/0/0f/Webmin-dashboard.png | 500px]]<br />
:[[media:Webmin-dashboard.png | Click for Larger Image]]</li><br />
</ol><br />
<br />
==Set Static IP Address==<br />
<br />
: An important first step is to learn how to diferenciate between network interfaces. Take a look at [https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/ this site] and [https://github.com/systemd/systemd/blob/master/src/udev/udev-builtin-net_id.c#L20 this site] to understand how network interface names in Debian 9 and later are identified.<br />
<ol><br />
<li>Set a static IP for your server</li><br />
:* Using your text editor of choice, open up the file ''/etc/network/interfaces''<br />
:* Notice how it is currently set to dhcp for the ''ens192'' interface.<br />
:* To set a static IP, you will need to change ''iface ens192 inet dhcp'' to ''iface ens192 inet static''.<br />
:* Now, under the iface line you just edited, you will need to enter the address, netmask, and gateway for the static network.<br />
:''' Reminder: it is common practice to indent (tab) static network configuration information in the interfaces file.<br />
'' Note: Your configuration should be similar to this:<br />
<pre>allow-hotplug ens192<br />
iface ens192 inet static<br />
address xxx.xxx.xxx.xxx<br />
netmask 255.255.255.0<br />
gateway 172.17.50.1<br />
dns-nameservers 172.17.139.11 172.17.139.111</pre><br />
: * Now save the file, and exit your file editor.<br />
<li>Apply your static IP address</li><br />
: * Now we are going to apply the static IP change. Try using '''ip address show''' to view your active configuration now and you should see that your old address is still active.<br />
:''NOTE: You should only make network configuration changes when you have physical access to a machine. This way, if you mess up your configuration you will be able to fix it from a local console.''' If you lose working SSH access to your system after making these changes you'll need to connect in through the NetLab console interface (which is equivalent to physical access) and find and correct your configuration issues.<br />
:* Using the '''ifdown''' and '''ifup''' command, we are going to restart the network interface, this step is required to apply the change.<br />
'' Note: A good method to watch this change is to have to ping windows open on your local machine ping both your old IP address and your new IP address with a '''ping 172.17.50.xx -t''' this will allow you to see how quickly the change will happen. The first image below is with the DHCP address, the second is after the static address is applied.<br />
:[[File:Lab5_ping_ifup_ifdown.png|link=https://wiki.ihitc.net/mediawiki/images/2/2f/Lab5_ping_ifup_ifdown.png|500px]]<br />
:[[Media:Lab5_ping_ifup_ifdown.png|Click here for a larger image]]<br />
:* In a SSH terminal, run '''sudo ifdown ens192 && sudo ifup ens192'''. Notice the two ''&&'' symbols. This tells the Linux shell that it should run the second command right after the first. If we do not define this, then we would be left with a machine that has its networking turned off.<br />
: <code>sudo ifdown ens192 && sudo ifup ens192</code><br />
'' Note: you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
:* At this point, your machine should now be using a static address. You may receive an error message indicating that an address cannot be assigned which is related to your old DHCP address still being on the interface as well. Use '''ip address show''' to verify the new IP address is assigned to the interface.<br />
<li>Verify the new static IP address</li><br />
:* Used a '''ping''' command from your local PC to try pinging both the old DHCP address as well as your new static address of your VM. <br />
:* Once you have verified the VM is responding on the new static IP address reboot the system to ensure the old DHCP address is removed by restarting your VM with '''sudo shutdown -r now''' Note you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
<li>Reconnect through SSH to your new IP address and verify it is now applied using the '''ip address show''' command.</li><br />
</ol><br />
<br />
==DNS Section==<br />
<ol><br />
<li>First you will need to install BIND. to install it, use the package manager to install '''bind9'''</li><br />
<li>Open up ''/etc/bind/named.conf.options''</li><br />
<ul><br />
* You will also need to replace 0.0.0.0 with 172.17.139.11 for outside DNS lookups to function correctly.</ul><br />
: [[File:Bind_named_conf.png | 500px]]<br />
<li>Next, open up your interfaces file (''/etc/network/interfaces'').</li><br />
<ul><br />
* Change the dns server for the primary network interface to ''127.0.0.1''.</ul><br />
<li>In '''Webmin''', go to ''Servers'', then ''BIND DNS Server''. Under ''Existing DNS Zones'' click on ''Create Master Zone'' and use the following settings:<br />
<pre>Zone type: Forward (Names to Addresses)<br />
Domain name / Network: *.itc2480.campus.ihitc.net<br />
Records file: Automatic<br />
Master server: *.itc2480.campus.ihitc.net.<br />
Email address: root@ *.itc2480.campus.ihitc.net</pre><br />
* '''NOTE:''' the * stands for your system name, "automail" was used when setting the mail server up.</li><br />
<li>To create our ''A record'' which points your domain to an IP address, click the ''Address'' button.</li><br />
* For the ''Name'' enter ''@''.<br />
* In the ''address'' field enter your VM's static IP and click ''Create''.<br />
<li>Create an ''MX'' record for the domain which directs mail for your delegated domain to your system as well. (This will involve creating another A record for ''mail.*.itc2480.campus.ihitc.net'' as well).</li><br />
<li>Make sure to apply the changes using the button in the top right that shows two arrows in a cricle.</li><br />
<li>After applying the changes and rebooting everything should be working. just make sure to test it using the nslookup and dig commands.</li><br />
</ol><br />
<br />
<br />
== Install the Postfix MTA ==<br />
'''''[https://www.youtube.com/watch?v=6VsgO5695Z4&feature=youtu.be Video Tutorial - Install Postfix MTA]'''''<br />
<ol><br />
<li> Use a package manager to install the ''postfix'' package.<br />
* During the installation process select ''Internet Site'' as the type of mail server and set the domain name to ''*.itc2480.campus.ihitc.net'' where * is the hostname letter of your system.</li><br />
: MTA software listens for incoming connections from other MTA servers on port 25 and accepts mail on behalf of users on the system. Once the mail is received it is stored locally for users to retrieve. The most common methods for storing messages is in an .mbox file, where all messages are stored in a single file, or in a Maildir, which is a directory where each message is stored in a separate file. The MTA also listens for connections from client software (MUA) and accepts outbound messages from them and forwards them on to the destination domain's mail server. Advanced configuration of MTA software can allow for anti-spam filtering, mailing list support or other programs to intercept and manipulate mail as it passes through the server.<br />
<li>Test the connection an verify the port is open</li><br />
:* Use Telnet to connect to the Postfix SMTP server on port 25: '''telnet localhost 25'''<br />
: [[File:Lab9_open_telnet.png|link=https://wiki.ihitc.net/mediawiki/images/1/10/Lab9_open_telnet.png|500px]]<br />
: [[Media:Lab9_open_telnet.png | Click here for larger image]]<br />
:* Type '''quit''' and press enter after verifying Postfix is running.<br />
<br />
<li>Configure Maildir</li><br />
: Because the Courier IMAP and POP3 server software only supports Maildir style message stores and Postfix stores in mbox files by default you must edit the ''/etc/postfix/main.cf'' file to fix this. <br />
:* Add the line <br />
:<pre>home_mailbox = Maildir/</pre> <br />
: Edit or add the ''mailbox_command'' parameter so there is nothing on the line after the equals sign, delete the portion of the line referencing procmail if it exists. The line should look like: <br />
:<pre>mailbox_command = </pre><br />
<li> Restart the ''postfix'' service to apply your change. Postfix is now saving new incoming messages into the Maildir folder inside each user's home directory. This folder is automatically created by Postfix the first time a new message comes in for a user.</li><br />
<li> Set your shell to recognize the maildir as your mail location</li><br />
:* Edit the ''/etc/login.defs'' file and comment out the ''MAIL_DIR /var/mail'' line (place a # in front of the line) and add a line setting ''MAIL_FILE'' like this:<br />
<pre><br />
#MAIL_DIR /var/mail<br />
MAIL_FILE Maildir/<br />
</pre><br />
:* Edit the ''/etc/pam.d/login'' file, find and comment out the ''session optional pam_mail.so standard'' line (place a # in front of the line) and add a line like this immediately below it:<br />
<pre><br />
#session optional pam_mail.so standard<br />
session optional pam_mail.so dir=~/Maildir standard<br />
</pre><br />
:* Edit the ''/etc/pam.d/su'' file, find and comment out the ''session optional pam_mail.so nopen'' line (place a # in front of the line) and add a line like this immediately below it:<br />
<pre><br />
#session optional pam_mail.so nopen<br />
session optional pam_mail.so dir=~/Maildir nopen<br />
</pre><br />
:* Edit the ''/etc/pam.d/sshd'' file, find and comment out the ''session optional pam_mail.so standard noenv'' line (place a # in front of the line) and add a line like this immediately below it:<br />
<pre><br />
#session optional pam_mail.so standard noenv<br />
session optional pam_mail.so dir=~/Maildir standard<br />
</pre><br />
:* Edit the ''/etc/profile'' file and at the end of the file add the line: <pre>export MAIL=~/Maildir</pre></li><br />
<li> Test sending and receiving mail as a locally logged on user.</li><br />
<br />
:* Install the ''mailutils'' package.</li><br />
:* Try sending a message (replace username with your username): <pre>echo "This is my message" | mail -s "Email Subject" username@localhost</pre><br />
:* Log out of your SSH session and open a new SSH session to apply the changes to the ''/etc/profile'' and ''/etc/login.defs'' files.<br />
:* Check to see if the message was received using the '''mail''' command, press ''q'' to return to the command line.<br />
:[[File:Lab9_cli_send_mail.png|link=https://wiki.ihitc.net/mediawiki/images/4/4f/Lab9_cli_send_mail.png|500px]]<br />
:[[Media:Lab9_cli_send_mail.png|Click here for a larger image]]<br />
: You should also be able to see the message in ''~/Maildir/'' in either the ''new/'' or ''cur/'' directory depending on whether you have viewed the message list yet or not. In either case, the message will appear as a text file with a random-looking name. It's just a text file so you can use '''cat''' or '''less''' to view it.<br />
<li> Create Aliases </li><br />
: You can create aliases and forward mail between users by editing the ''/etc/aliases'' file and then running the '''newaliases''' program. <br />
:* Create an "alias" for ''sysadmin'' which forwards mail sent to sysadmin@localhost to your username <br />
:* Send a copy of all mail to the ''root'' account to your username <br />
<br />
: Now would be a good time to try logging on to Webmin again, re-scanning for modules and then taking a look at the Postfix module in the ''Servers'' section.<br />
<li>Explore the mail log file</li><br />
: Take a look at your ''/var/log/mail.info'' log to see Postfix sending and receiving messages for users.<br />
</ol><br />
<br />
== Install Courier MDA ==<br />
'''''[https://www.youtube.com/watch?v=uvZlSiQHlxs&feature=youtu.be Video Tutorial - Install Courier MDA]'''''<br />
<ol><br />
<li>Install required courier packages </li><br />
: Most users prefer to retrieve mail from a mail server using an MDA protocol like POP3 or IMAP which can be provided by the Courier programs. Install the ''courier-pop'', ''courier-imap'', and ''fam'' packages.<br />
:* Do not create the directories for web-based administration as they are unneeded for our setup<br />
: Local users accessing their mailbox with MUA software can read and write to the .mbox file or Maildir directly. If a user not locally logged on to the system wants to access their mailbox the server runs MDA software which typically uses the POP3 or IMAP protocol for accessing the .mbox file or Maildir remotely.<br />
</ol><br />
<br />
==Auto Reply Configuration==<br />
<ol><br />
<li>Install vacation</li><br />
: Vacation is a Linux package that will auto-respond to received emails for the receiving users. <br />
<code>sudo apt install vacation</code><br />
<li>Run the vacation program in the profile you wish to set up the reply message from</li><br />
<code>vacation</code><br />
<li>Follow the prompts, for now reply with the default answer (Y)</li><br />
: [[File:MAILSVR_vaca_prompts.png|link=https://wiki.ihitc.net/mediawiki/images/7/76/MAILSVR_vaca_prompts.png|500px]]<br />
: [[Media:MAILSVR_vaca_prompts.png|Click here for a larger image]]<br />
<li>Edit the vacation.msg file</li><br />
<code>nano vacation.msg</code> <br />
: [[File:MAILSVR_vaca_msg.png|link=https://wiki.ihitc.net/mediawiki/images/b/b9/MAILSVR_vaca_msg.png|500px]]<br />
: [[Media:MAILSVR_vaca_msg.png|Click for a larger image]]<br />
:* Enter the message that you would like to have in the auto-response.<br />
<li>Set the response to auto mail every message</li><br />
: The default response is every one week to send an auto-reply, for our use it is important to reply to every email.<br />
<code>vacation -i -r 0</code><br />
: ''NOTE: It is important to understand this command sets the auto-reply delay. Using the '''-r 0''' sets the vacation program to reply to EVERY message it receives. In a production environment, this is not recommended as it can create mail loops.<br />
<li>Test your reply message from the CLI '''mailutils''' package or the MTA chosen to use on client computers</li><br />
</ol><br />
<br />
==Auto Maildir Clean Up==<br />
<ol><br />
<li>Create script to delete emails older than 45 days</li><br />
:''NOTE: The script must be owned by root and executable. Additionally, the crontab must be created with sudo priviledges<br />
:<code>sudo nano '''<scriptname.sh>'''</code><br />
<pre><br />
#!/bin/bash<br />
find /home/ping/Maildir/cur -type f -mtime +7 -exec rm {} \;<br />
find /home/ping/Maildir/new -type f -mtime +7 -exec rm {} \;<br />
find /home/ping/Maildir/tmp -type f -mtime +7 -exec rm {} \;<br />
</pre><br />
:[[File:MAILSVR_emailflush_sh.png|link=https://wiki.ihitc.net/mediawiki/images/b/b5/MAILSVR_emailflush_sh.png|500px]]<br />
:[[Media:MAILSVR_emailflush_sh.png|Click here for a larger image]]<br />
<li>Make executable</li><br />
:<code>sudo chmod +x '''<sciptname.sh>'''</code><br />
<li>Create a '''crontab''' job</li><br />
:<code>sudo crontab -e</code><br />
: ''NOTE: the astricks at the start of the following command are respective to the scheduling of time. A good additional resource for '''cron''' can be found at [https://vitux.com/how-to-setup-a-cron-job-in-debian-10 Vitux]. Each astrik represents [Minute] [hour] [Day_of_the_Month] [Month_of_the_Year] [Day_of_the_Week] <br />
:* Add the following line to the chrontab file to schedule the job at 8PM every day.<br />
<pre>* 20 * * * * /home/ping/scriptname.sh</pre><br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Admin_instructions_mail_server&diff=9603Admin instructions mail server2021-04-16T01:56:10Z<p>JonQuinn: /* Auto Maildir Clean Up */</p>
<hr />
<div>==Mail Server Documentation==<br />
:Basic configuration of server should follow the standard class server (see labs 1 and 9)<br />
<ol><br />
<li>Power on you Virtual machine</li><br />
<li>Install Debian Linux</li><br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
<li> Create a new user account '''ping''' using the '''adduser''' program</li><br />
: <code> adduser ping</code><br />
<li>Set a static IP for your server, capstone group used 172.17.50.28</li><br />
<li>Apply your static IP address</li><br />
<li>Install postfix, see lab 9</li><br />
</ol><br />
<br />
==Auto Reply Configuration==<br />
<ol><br />
<li>Install vacation</li><br />
: Vacation is a Linux package that will auto-respond to received emails for the receiving users. <br />
<code>sudo apt install vacation</code><br />
<li>Run the vacation program in the profile you wish to set up the reply message from</li><br />
<code>vacation</code><br />
<li>Follow the prompts, for now reply with the default answer (Y)</li><br />
: [[File:MAILSVR_vaca_prompts.png|link=https://wiki.ihitc.net/mediawiki/images/7/76/MAILSVR_vaca_prompts.png|500px]]<br />
: [[Media:MAILSVR_vaca_prompts.png|Click here for a larger image]]<br />
<li>Edit the vacation.msg file</li><br />
<code>nano vacation.msg</code> <br />
: [[File:MAILSVR_vaca_msg.png|link=https://wiki.ihitc.net/mediawiki/images/b/b9/MAILSVR_vaca_msg.png|500px]]<br />
: [[Media:MAILSVR_vaca_msg.png|Click for a larger image]]<br />
:* Enter the message that you would like to have in the auto-response.<br />
<li>Set the response to auto mail every message</li><br />
: The default response is every one week to send an auto-reply, for our use it is important to reply to every email.<br />
<code>vacation -i -r 0</code><br />
: ''NOTE: It is important to understand this command sets the auto-reply delay. Using the '''-r 0''' sets the vacation program to reply to EVERY message it receives. In a production environment, this is not recommended as it can create mail loops.<br />
<li>Test your reply message from the CLI '''mailutils''' package or the MTA chosen to use on client computers</li><br />
</ol><br />
==Auto Maildir Clean Up==<br />
<ol><br />
<li>Create script to delete emails older than 45 days</li><br />
:''NOTE: The script must be owned by root and executable. Additionally, the crontab must be created with sudo priviledges<br />
:<code>sudo nano '''<scriptname.sh>'''</code><br />
<pre><br />
#!/bin/bash<br />
find /home/ping/Maildir/cur -type f -mtime +7 -exec rm {} \;<br />
find /home/ping/Maildir/new -type f -mtime +7 -exec rm {} \;<br />
find /home/ping/Maildir/tmp -type f -mtime +7 -exec rm {} \;<br />
</pre><br />
:[[File:MAILSVR_emailflush_sh.png|link=https://wiki.ihitc.net/mediawiki/images/b/b5/MAILSVR_emailflush_sh.png|500px]]<br />
:[[Media:MAILSVR_emailflush_sh.png|Click here for a larger image]]<br />
<li>Make executable</li><br />
:<code>sudo chmod +x '''<sciptname.sh>'''</code><br />
<li>Create a '''crontab''' job</li><br />
:<code>sudo crontab -e</code><br />
: ''NOTE: the astricks at the start of the following command are respective to the scheduling of time. A good additional resource for '''cron''' can be found at [https://vitux.com/how-to-setup-a-cron-job-in-debian-10 Vitux]. Each astrik represents [Minute] [hour] [Day_of_the_Month] [Month_of_the_Year] [Day_of_the_Week] <br />
:* Add the following line to the chrontab file to schedule the job at 8PM every day.<br />
<pre>* 20 * * * * /home/ping/scriptname.sh</pre><br />
<br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Admin_instructions_mail_server&diff=9602Admin instructions mail server2021-04-16T01:54:52Z<p>JonQuinn: /* Auto Maildir Clean Up */</p>
<hr />
<div>==Mail Server Documentation==<br />
:Basic configuration of server should follow the standard class server (see labs 1 and 9)<br />
<ol><br />
<li>Power on you Virtual machine</li><br />
<li>Install Debian Linux</li><br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
<li> Create a new user account '''ping''' using the '''adduser''' program</li><br />
: <code> adduser ping</code><br />
<li>Set a static IP for your server, capstone group used 172.17.50.28</li><br />
<li>Apply your static IP address</li><br />
<li>Install postfix, see lab 9</li><br />
</ol><br />
<br />
==Auto Reply Configuration==<br />
<ol><br />
<li>Install vacation</li><br />
: Vacation is a Linux package that will auto-respond to received emails for the receiving users. <br />
<code>sudo apt install vacation</code><br />
<li>Run the vacation program in the profile you wish to set up the reply message from</li><br />
<code>vacation</code><br />
<li>Follow the prompts, for now reply with the default answer (Y)</li><br />
: [[File:MAILSVR_vaca_prompts.png|link=https://wiki.ihitc.net/mediawiki/images/7/76/MAILSVR_vaca_prompts.png|500px]]<br />
: [[Media:MAILSVR_vaca_prompts.png|Click here for a larger image]]<br />
<li>Edit the vacation.msg file</li><br />
<code>nano vacation.msg</code> <br />
: [[File:MAILSVR_vaca_msg.png|link=https://wiki.ihitc.net/mediawiki/images/b/b9/MAILSVR_vaca_msg.png|500px]]<br />
: [[Media:MAILSVR_vaca_msg.png|Click for a larger image]]<br />
:* Enter the message that you would like to have in the auto-response.<br />
<li>Set the response to auto mail every message</li><br />
: The default response is every one week to send an auto-reply, for our use it is important to reply to every email.<br />
<code>vacation -i -r 0</code><br />
: ''NOTE: It is important to understand this command sets the auto-reply delay. Using the '''-r 0''' sets the vacation program to reply to EVERY message it receives. In a production environment, this is not recommended as it can create mail loops.<br />
<li>Test your reply message from the CLI '''mailutils''' package or the MTA chosen to use on client computers</li><br />
</ol><br />
==Auto Maildir Clean Up==<br />
<ol><br />
<li>Create script to delete emails older than 45 days</li><br />
:''NOTE: The script must be owned by root and executable. Additionally, the crontab must be created with sudo priviledges<br />
:<code>sudo nano '''<scriptname.sh>'''</code><br />
<pre><br />
#!/bin/bash<br />
find /home/ping/Maildir/cur -type f -mtime +45 -exec rm {} \;<br />
find /home/ping/Maildir/new -type f -mtime +45 -exec rm {} \;<br />
find /home/ping/Maildir/tmp -type f -mtime +45 -exec rm {} \;<br />
</pre><br />
:[[File:MAILSVR_emailflush_sh.png|link=https://wiki.ihitc.net/mediawiki/images/b/b5/MAILSVR_emailflush_sh.png|500px]]<br />
:[[Media:MAILSVR_emailflush_sh.png|Click here for a larger image]]<br />
<li>Make executable</li><br />
:<code>sudo chmod +x '''<sciptname.sh>'''</code><br />
<li>Create a '''crontab''' job</li><br />
:<code>sudo crontab -e</code><br />
: ''NOTE: the astricks at the start of the following command are respective to the scheduling of time. A good additional resource for '''cron''' can be found at [https://vitux.com/how-to-setup-a-cron-job-in-debian-10 Vitux]. Each astrik represents [Minute] [hour] [Day_of_the_Month] [Month_of_the_Year] [Day_of_the_Week] <br />
:* Add the following line to the chrontab file to schedule the job at 8PM every day.<br />
<pre>* 20 * * * * /home/ping/scriptname.sh</pre><br />
<br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Mail_server_mnjk&diff=9601Mail server mnjk2021-04-16T01:53:37Z<p>JonQuinn: /* Auto Maildir Clean Up */</p>
<hr />
<div>==Introduction==<br />
:This section documents the creation of the Auto-Reply Mail Server. This section will likely be created by an instructor or administrator.<br />
==Mail Server Documentation==<br />
<ol><br />
<li>Power on you Virtual machine</li><br />
<br />
:* This server may reside in the VMware ESXi or NetLab as long as the network configuration allows connection to the course VLAN and student VM's.<br />
<li>Install Debian Linux</li><br />
: Once the system has booted and is on the "Debian GNU/Linux installer menu" choose "Install" and '''not''' "Graphical Install". If you make an incorrect choice you can reboot your virtual machine (power off and on) before installing to get back to the menu.<br />
: In the installer you will use the space bar to select and unselect "checkboxes", the tab key to move between fields and buttons, and the enter key to continue. You will be prompted for the following choices<br />
* Select ''English'' as the language, ''United States'' as your location, and ''American English'' as the keymap.<br />
* Set ''ens192'' as your primary network interface.<br />
* Set a hostname for the system to 2480 followed by a dash and then your pod ID letter, like ''2480-Z'' for LSA Pod Z. If you have forgotten your pod ID letter look up at the top of your screen above the line with the "Topology" and "Linux Server" tabs and you should see a line with "LSA Pod" followed by a letter, that letter is your pod ID letter.<br />
:'' Note: These steps are critical to future success in labs, check your spelling carefully'' <br />
: [[File:Lab1_hostname.png|link=https://wiki.ihitc.net/mediawiki/images/5/57/Lab1_hostname.png|500px]]<br />
: [[Media:Lab1_hostname.png|Click here for a larger image]]<br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
: [[File:Lab1_domainname.png|link=https://wiki.ihitc.net/mediawiki/images/5/5a/Lab1_domainname.png|500px]]<br />
: [[Media:Lab1_domainname.png|Click here for a larger images]]<br />
* Set the root password to something you will NOT FORGET, this is the administrator account, ''cisco'' might be a good choice for our purposes though that would not be secure for a system directly accessible from the Internet (we are protected by a firewall which you are bypassing via the VPN connection)<br />
* Create a new user account by entering your name. The system will automatically use your first name (all lowercase) as the username and then you should set the password to another password you will not forget<br />
* Select your timezone<br />
* Choose "Guided - Use entire disk" as the partitioning method and select the ''sda'' drive and "All files in one partition" as the partitioning scheme, "Finish partitioning and write the changes to the disk", and then finally confirm you want to write the changes.<br />
* You do not want to scan any other CDs or DVDs at this time.<br />
* You want to select a mirror located close to you with good speed. Because your VM is actually running from the campus and is connected to the campus Internet connection a good option is "debian.uchicago.edu" with no http proxy.<br />
* Choose whether you want to participate in the package usage survey, for our purposes either choice is just fine.<br />
* On the software selection screen UNSELECT "Debian desktop environment" and "Print server" and make sure that "SSH server" and "Standard system utilities" are the only two selected options.<br />
:'' Note: To select and unselect options move your cursor over the option and press the space bar.<br />
* Choose that yes you want to install GRUB to the master boot record on the ''/dev/sda'' device.<br />
<li>Complete the installation</li><br />
: When the installation is complete you can select continue to "eject" the virtual CD and reboot into the new install<br />
</ol><br />
<br />
==Install Basic Tools==<br />
<ol><br />
<li>Install '''sudo''' from the command line using:<br />
: ''Note: A good practice is to update your system before installing any packages, this should be completed using '''apt update''', ensure to use '''sudo''' when not logged in as root.<br />
: <code>apt update</code><br />
: <code>apt install sudo</code></li><br />
: For security purposes it is usually the case that you do not want to log in as the root user. Instead, best practice is to log in as a standard user and then execute specific commands that require root access with administrative privileges through the '''sudo''' program. The '''sudo''' program is not installed by default so after you have logged in to the root account enter '''apt update''' and press enter which will update the list of software available for installation and then '''apt install sudo''' and press enter to install the sudo software.<br />
<li>Add sudo privileges to our standard user account.<br />
:<code>adduser <username> sudo</code></li><br />
: We now need to add our standard user account to the group which is allowed to have administrative access to do this enter the command '''sudo adduser ''<username>'' sudo''' and press enter, replacing ''<username>'' with the name of your standard user account (set during the setup process, probably your first name in lowercase). We'll learn more about these commands later in the course.<br />
<li>Reboot system</li><br />
: <code>shutdown -r now</code><br />
: Reboot your system using the '''shutdown -r now''' command to apply the changes<br />
<li>Log in as your standard user account, determine system IP address.<br />
: Once you are logged in use the following command at the command line to determine the IP address of your system<br />
:<code>ip address show</code></li><br />
: Using the '''ip address show''' command will allow you to check the IP address of your system. The IP address should be something like ''172.17.50.xxx'' and be an ''inet'' address on the ''ens192'' adapter.<br />
: [[File:Lab1_ip_address_show2.PNG|500px]]<br />
<li>Test sudo privileges</li><br />
: Try running the same command as the administrator by typing '''sudo ip address show''', you will need to enter in your password again when you run this command.<br />
: <code>sudo ip address show</code><br />
<li>Install '''open-vm-tools'''</li><br />
: Run the '''sudo apt install open-vm-tools''' command to install the vmWare Tools. You will be prompted about several additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
:<code>sudo apt install open-vm-tools</code><br />
<br><br />
<li>Install nmap</li><br />
:Nmap is a tool we will learn more about later in the course but it will likely be used to check many of the labs for completion while working through the course. This course's labwork often builds upon the work you have done in previous labs. The self-check scripts are to assist you in ensuring you have not missed any ''critical'' steps in your work that would affect your success in subsequent labs.<br />
<br />
:''NOTE: Before we begin the installation of this tool it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning of systems which they are not authorized to do. You have been warned!<br />
:*At this time all you will be doing is installing the tool as it will be used to self-check your lab work to verify you are ready to move on to the next lab.<br />
:* Run the following command at the command line.<br />
:<pre>sudo apt install nmap</pre><br />
: Run the '''sudo apt install nmap''' command to install the nmap tool. You will be prompted about additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
<br />
<li>Exit from the local console</li><br />
: To log out of the console type '''exit''' and press enter.<br />
: Because your Debian Linux server is running as a virtual machine on a vmWare host system in order to achieve the best performance and driver integration we should install the vmWare Tools software package in your virtual machine.<br />
</ol><br />
<br />
== Add User "Ping", Install Webmin==<br />
<ol><br />
<li> Create a new user account '''ping''' using the '''adduser''' program</li><br />
: <code> adduser ping</code><br />
<li> Use the '''links''' browser or '''wget''' to download the '''DEB''' package file from '''[https://www.webmin.com www.webmin.com]'''</li><br />
: ''NOTE: Because this DEB file was downloaded directly instead of automatically by APT from a package repository the installation command is slightly different and some other commands such as '''apt show''' will not work.''<br />
<li>Install the package with '''apt install'''<br />
: <code>apt install ./<filename.deb></code><br />
: Don't forget that installation of software must be done with system administrator permissions.''</li><br />
:[[File:Apt-install-webmin.png | link= https://wiki.ihitc.net/mediawiki/images/f/f8/Apt-install-webmin.png | 500px]]<br />
:[[Media:Apt-install-webmin.png | Click for Larger Image]]<br />
: ''NOTE: You can get similar information to what you can get with '''apt show''' from a '''DEB''' package file using the following command:''<br />
: <code>dpkg -I <filename></code><br />
<li> Notice the additional packages which are required by Webmin (dependencies) which will be downloaded and installed by '''apt''' from a repository in order to complete the installation.</li><br />
<li> Open a web browser on your host system and visit https://xxx.xxx.xxx.xxx:10000 where your IP replaces xxx.xxx.xxx.xxx</li><br />
<li> Login using your Debian username and password </li><br />
<li> Explore the Webmin interface<br />
:[[file:Webmin-dashboard.png | link= https://wiki.ihitc.net/mediawiki/images/0/0f/Webmin-dashboard.png | 500px]]<br />
:[[media:Webmin-dashboard.png | Click for Larger Image]]</li><br />
</ol><br />
<br />
==Set Static IP Address==<br />
<br />
: An important first step is to learn how to diferenciate between network interfaces. Take a look at [https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/ this site] and [https://github.com/systemd/systemd/blob/master/src/udev/udev-builtin-net_id.c#L20 this site] to understand how network interface names in Debian 9 and later are identified.<br />
<ol><br />
<li>Set a static IP for your server</li><br />
:* Using your text editor of choice, open up the file ''/etc/network/interfaces''<br />
:* Notice how it is currently set to dhcp for the ''ens192'' interface.<br />
:* To set a static IP, you will need to change ''iface ens192 inet dhcp'' to ''iface ens192 inet static''.<br />
:* Now, under the iface line you just edited, you will need to enter the address, netmask, and gateway for the static network.<br />
:''' Reminder: it is common practice to indent (tab) static network configuration information in the interfaces file.<br />
'' Note: Your configuration should be similar to this:<br />
<pre>allow-hotplug ens192<br />
iface ens192 inet static<br />
address xxx.xxx.xxx.xxx<br />
netmask 255.255.255.0<br />
gateway 172.17.50.1<br />
dns-nameservers 172.17.139.11 172.17.139.111</pre><br />
: * Now save the file, and exit your file editor.<br />
<li>Apply your static IP address</li><br />
: * Now we are going to apply the static IP change. Try using '''ip address show''' to view your active configuration now and you should see that your old address is still active.<br />
:''NOTE: You should only make network configuration changes when you have physical access to a machine. This way, if you mess up your configuration you will be able to fix it from a local console.''' If you lose working SSH access to your system after making these changes you'll need to connect in through the NetLab console interface (which is equivalent to physical access) and find and correct your configuration issues.<br />
:* Using the '''ifdown''' and '''ifup''' command, we are going to restart the network interface, this step is required to apply the change.<br />
'' Note: A good method to watch this change is to have to ping windows open on your local machine ping both your old IP address and your new IP address with a '''ping 172.17.50.xx -t''' this will allow you to see how quickly the change will happen. The first image below is with the DHCP address, the second is after the static address is applied.<br />
:[[File:Lab5_ping_ifup_ifdown.png|link=https://wiki.ihitc.net/mediawiki/images/2/2f/Lab5_ping_ifup_ifdown.png|500px]]<br />
:[[Media:Lab5_ping_ifup_ifdown.png|Click here for a larger image]]<br />
:* In a SSH terminal, run '''sudo ifdown ens192 && sudo ifup ens192'''. Notice the two ''&&'' symbols. This tells the Linux shell that it should run the second command right after the first. If we do not define this, then we would be left with a machine that has its networking turned off.<br />
: <code>sudo ifdown ens192 && sudo ifup ens192</code><br />
'' Note: you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
:* At this point, your machine should now be using a static address. You may receive an error message indicating that an address cannot be assigned which is related to your old DHCP address still being on the interface as well. Use '''ip address show''' to verify the new IP address is assigned to the interface.<br />
<li>Verify the new static IP address</li><br />
:* Used a '''ping''' command from your local PC to try pinging both the old DHCP address as well as your new static address of your VM. <br />
:* Once you have verified the VM is responding on the new static IP address reboot the system to ensure the old DHCP address is removed by restarting your VM with '''sudo shutdown -r now''' Note you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
<li>Reconnect through SSH to your new IP address and verify it is now applied using the '''ip address show''' command.</li><br />
</ol><br />
<br />
==DNS Section==<br />
<ol><br />
<li>First you will need to install BIND. to install it, use the package manager to install '''bind9'''</li><br />
<li>Open up ''/etc/bind/named.conf.options''</li><br />
<ul><br />
* You will also need to replace 0.0.0.0 with 172.17.139.11 for outside DNS lookups to function correctly.</ul><br />
: [[File:Bind_named_conf.png | 500px]]<br />
<li>Next, open up your interfaces file (''/etc/network/interfaces'').</li><br />
<ul><br />
* Change the dns server for the primary network interface to ''127.0.0.1''.</ul><br />
<li>In '''Webmin''', go to ''Servers'', then ''BIND DNS Server''. Under ''Existing DNS Zones'' click on ''Create Master Zone'' and use the following settings:<br />
<pre>Zone type: Forward (Names to Addresses)<br />
Domain name / Network: *.itc2480.campus.ihitc.net<br />
Records file: Automatic<br />
Master server: *.itc2480.campus.ihitc.net.<br />
Email address: root@ *.itc2480.campus.ihitc.net</pre><br />
* '''NOTE:''' the * stands for your system name, "automail" was used when setting the mail server up.</li><br />
<li>To create our ''A record'' which points your domain to an IP address, click the ''Address'' button.</li><br />
* For the ''Name'' enter ''@''.<br />
* In the ''address'' field enter your VM's static IP and click ''Create''.<br />
<li>Create an ''MX'' record for the domain which directs mail for your delegated domain to your system as well. (This will involve creating another A record for ''mail.*.itc2480.campus.ihitc.net'' as well).</li><br />
<li>Make sure to apply the changes using the button in the top right that shows two arrows in a cricle.</li><br />
<li>After applying the changes and rebooting everything should be working. just make sure to test it using the nslookup and dig commands.</li><br />
</ol><br />
<br />
<br />
== Install the Postfix MTA ==<br />
'''''[https://www.youtube.com/watch?v=6VsgO5695Z4&feature=youtu.be Video Tutorial - Install Postfix MTA]'''''<br />
<ol><br />
<li> Use a package manager to install the ''postfix'' package.<br />
* During the installation process select ''Internet Site'' as the type of mail server and set the domain name to ''*.itc2480.campus.ihitc.net'' where * is the hostname letter of your system.</li><br />
: MTA software listens for incoming connections from other MTA servers on port 25 and accepts mail on behalf of users on the system. Once the mail is received it is stored locally for users to retrieve. The most common methods for storing messages is in an .mbox file, where all messages are stored in a single file, or in a Maildir, which is a directory where each message is stored in a separate file. The MTA also listens for connections from client software (MUA) and accepts outbound messages from them and forwards them on to the destination domain's mail server. Advanced configuration of MTA software can allow for anti-spam filtering, mailing list support or other programs to intercept and manipulate mail as it passes through the server.<br />
<li>Test the connection an verify the port is open</li><br />
:* Use Telnet to connect to the Postfix SMTP server on port 25: '''telnet localhost 25'''<br />
: [[File:Lab9_open_telnet.png|link=https://wiki.ihitc.net/mediawiki/images/1/10/Lab9_open_telnet.png|500px]]<br />
: [[Media:Lab9_open_telnet.png | Click here for larger image]]<br />
:* Type '''quit''' and press enter after verifying Postfix is running.<br />
<br />
<li>Configure Maildir</li><br />
: Because the Courier IMAP and POP3 server software only supports Maildir style message stores and Postfix stores in mbox files by default you must edit the ''/etc/postfix/main.cf'' file to fix this. <br />
:* Add the line <br />
:<pre>home_mailbox = Maildir/</pre> <br />
: Edit or add the ''mailbox_command'' parameter so there is nothing on the line after the equals sign, delete the portion of the line referencing procmail if it exists. The line should look like: <br />
:<pre>mailbox_command = </pre><br />
<li> Restart the ''postfix'' service to apply your change. Postfix is now saving new incoming messages into the Maildir folder inside each user's home directory. This folder is automatically created by Postfix the first time a new message comes in for a user.</li><br />
<li> Set your shell to recognize the maildir as your mail location</li><br />
:* Edit the ''/etc/login.defs'' file and comment out the ''MAIL_DIR /var/mail'' line (place a # in front of the line) and add a line setting ''MAIL_FILE'' like this:<br />
<pre><br />
#MAIL_DIR /var/mail<br />
MAIL_FILE Maildir/<br />
</pre><br />
:* Edit the ''/etc/pam.d/login'' file, find and comment out the ''session optional pam_mail.so standard'' line (place a # in front of the line) and add a line like this immediately below it:<br />
<pre><br />
#session optional pam_mail.so standard<br />
session optional pam_mail.so dir=~/Maildir standard<br />
</pre><br />
:* Edit the ''/etc/pam.d/su'' file, find and comment out the ''session optional pam_mail.so nopen'' line (place a # in front of the line) and add a line like this immediately below it:<br />
<pre><br />
#session optional pam_mail.so nopen<br />
session optional pam_mail.so dir=~/Maildir nopen<br />
</pre><br />
:* Edit the ''/etc/pam.d/sshd'' file, find and comment out the ''session optional pam_mail.so standard noenv'' line (place a # in front of the line) and add a line like this immediately below it:<br />
<pre><br />
#session optional pam_mail.so standard noenv<br />
session optional pam_mail.so dir=~/Maildir standard<br />
</pre><br />
:* Edit the ''/etc/profile'' file and at the end of the file add the line: <pre>export MAIL=~/Maildir</pre></li><br />
<li> Test sending and receiving mail as a locally logged on user.</li><br />
<br />
:* Install the ''mailutils'' package.</li><br />
:* Try sending a message (replace username with your username): <pre>echo "This is my message" | mail -s "Email Subject" username@localhost</pre><br />
:* Log out of your SSH session and open a new SSH session to apply the changes to the ''/etc/profile'' and ''/etc/login.defs'' files.<br />
:* Check to see if the message was received using the '''mail''' command, press ''q'' to return to the command line.<br />
:[[File:Lab9_cli_send_mail.png|link=https://wiki.ihitc.net/mediawiki/images/4/4f/Lab9_cli_send_mail.png|500px]]<br />
:[[Media:Lab9_cli_send_mail.png|Click here for a larger image]]<br />
: You should also be able to see the message in ''~/Maildir/'' in either the ''new/'' or ''cur/'' directory depending on whether you have viewed the message list yet or not. In either case, the message will appear as a text file with a random-looking name. It's just a text file so you can use '''cat''' or '''less''' to view it.<br />
<li> Create Aliases </li><br />
: You can create aliases and forward mail between users by editing the ''/etc/aliases'' file and then running the '''newaliases''' program. <br />
:* Create an "alias" for ''sysadmin'' which forwards mail sent to sysadmin@localhost to your username <br />
:* Send a copy of all mail to the ''root'' account to your username <br />
<br />
: Now would be a good time to try logging on to Webmin again, re-scanning for modules and then taking a look at the Postfix module in the ''Servers'' section.<br />
<li>Explore the mail log file</li><br />
: Take a look at your ''/var/log/mail.info'' log to see Postfix sending and receiving messages for users.<br />
</ol><br />
<br />
== Install Courier MDA ==<br />
'''''[https://www.youtube.com/watch?v=uvZlSiQHlxs&feature=youtu.be Video Tutorial - Install Courier MDA]'''''<br />
<ol><br />
<li>Install required courier packages </li><br />
: Most users prefer to retrieve mail from a mail server using an MDA protocol like POP3 or IMAP which can be provided by the Courier programs. Install the ''courier-pop'', ''courier-imap'', and ''fam'' packages.<br />
:* Do not create the directories for web-based administration as they are unneeded for our setup<br />
: Local users accessing their mailbox with MUA software can read and write to the .mbox file or Maildir directly. If a user not locally logged on to the system wants to access their mailbox the server runs MDA software which typically uses the POP3 or IMAP protocol for accessing the .mbox file or Maildir remotely.<br />
</ol><br />
<br />
==Auto Reply Configuration==<br />
<ol><br />
<li>Install vacation</li><br />
: Vacation is a Linux package that will auto-respond to received emails for the receiving users. <br />
<code>sudo apt install vacation</code><br />
<li>Run the vacation program in the profile you wish to set up the reply message from</li><br />
<code>vacation</code><br />
<li>Follow the prompts, for now reply with the default answer (Y)</li><br />
: [[File:MAILSVR_vaca_prompts.png|link=https://wiki.ihitc.net/mediawiki/images/7/76/MAILSVR_vaca_prompts.png|500px]]<br />
: [[Media:MAILSVR_vaca_prompts.png|Click here for a larger image]]<br />
<li>Edit the vacation.msg file</li><br />
<code>nano vacation.msg</code> <br />
: [[File:MAILSVR_vaca_msg.png|link=https://wiki.ihitc.net/mediawiki/images/b/b9/MAILSVR_vaca_msg.png|500px]]<br />
: [[Media:MAILSVR_vaca_msg.png|Click for a larger image]]<br />
:* Enter the message that you would like to have in the auto-response.<br />
<li>Set the response to auto mail every message</li><br />
: The default response is every one week to send an auto-reply, for our use it is important to reply to every email.<br />
<code>vacation -i -r 0</code><br />
: ''NOTE: It is important to understand this command sets the auto-reply delay. Using the '''-r 0''' sets the vacation program to reply to EVERY message it receives. In a production environment, this is not recommended as it can create mail loops.<br />
<li>Test your reply message from the CLI '''mailutils''' package or the MTA chosen to use on client computers</li><br />
</ol><br />
<br />
==Auto Maildir Clean Up==<br />
<ol><br />
<li>Create script to delete emails older than 45 days</li><br />
:''NOTE: The script must be owned by root and executable. Additionally, the crontab must be created with sudo priviledges<br />
:<code>sudo nano '''<scriptname.sh>'''</code><br />
<pre><br />
#!/bin/bash<br />
find /home/ping/Maildir/cur -type f -mtime +45 -exec rm {} \;<br />
find /home/ping/Maildir/new -type f -mtime +45 -exec rm {} \;<br />
find /home/ping/Maildir/tmp -type f -mtime +45 -exec rm {} \;<br />
</pre><br />
:[[File:MAILSVR_emailflush_sh.png|link=https://wiki.ihitc.net/mediawiki/images/b/b5/MAILSVR_emailflush_sh.png|500px]]<br />
:[[Media:MAILSVR_emailflush_sh.png|Click here for a larger image]]<br />
<li>Make executable</li><br />
:<code>sudo chmod +x '''<sciptname.sh>'''</code><br />
<li>Create a '''crontab''' job</li><br />
:<code>sudo crontab -e</code><br />
: ''NOTE: the astricks at the start of the following command are respective to the scheduling of time. A good additional resource for '''cron''' can be found at [https://vitux.com/how-to-setup-a-cron-job-in-debian-10 Vitux]. Each astrik represents [Minute] [hour] [Day_of_the_Month] [Month_of_the_Year] [Day_of_the_Week] <br />
:* Add the following line to the chrontab file to schedule the job at 8PM every day.<br />
<pre>* 20 * * * * /home/ping/scriptname.sh</pre><br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_1_mnjk&diff=9598Lab 1 mnjk2021-04-05T23:42:02Z<p>JonQuinn: /* Install Curl */</p>
<hr />
<div>=Introduction=<br />
:In this lab you will perform the following tasks:<br />
*Access NetLab to access the environment for you virtual machine<br />
*Install the latest version of Debian Linux in a virtual machine<br />
*Learn how to login and check the IP address of the system<br />
*Learn to remotely access the system with SSH and SFTP.<br />
<br />
You will be introduced to the following commands:<br />
<br />
*'''[https://linux.die.net/man/8/apt apt]'''<br />
*'''[https://linux.die.net/man/8/sudo sudo]'''<br />
*'''[https://linux.die.net/man/8/useradd adduser]'''<br />
*'''[https://linux.die.net/man/8/shutdown shutdown]'''<br />
*'''[https://linux.die.net/man/8/ip ip address show]'''<br />
<br />
=Lab Procedure=<br />
==Netlab Access==<br />
'''''[https://www.youtube.com/watch?v=-hLejbDfPGM&feature=youtu.be Video Tutorial - NetLab Access]'''''<br />
<ol><br />
<li> Connect to the ITCnet </li> <br />
: This can be accomplished by directly plugging into an ITCnet port in one of the ITC labs or by connecting to the [[ITC_VPN_Instructions|VPN]].<br />
:'' Note: If you want to connect using a wireless connection on campus you need to [[Connecting to Eduroam|connect to the eduroam network]] before connecting to the VPN.<br />
<li> After you are connected to ITCnet (by VPN or wired connection) you simply need to open a web browser and access https://ihcc-netlab.campus.ihitc.net</li><br />
* The first time you visit this site in a browser you may need to accept a self-signed security certificate<br />
* You will need to log in with a username and password established by your instructor.<br />
* The first time you log in you will need to change your password and set your timezone. Make sure your timezone is set correctly so you can schedule reservations to work with equipment at convenient times.<br />
<li> Once you are logged in click the blue "New Lab Reservation" button</li><br />
: Next, in the lower left corner of the screen, select "Schedule a Lab for Myself". Reservations are used to hold a place on the Netlab system to work on labs during a specific time. You only need reservations in this class when working with the GUI, which will come later in the class, if you need to turn the power back on to your VM, or during the installation process. The rest of the time you will be able to connect directly to your Linux server using the SSH protocol, but more on that in a bit.<br />
:'' Note: If you are enrolled in more than one class that is using Netlab you will be presented with a list of classes you are enrolled in, click on your Linux System Administration course of you see this screen.<br />
: All of our lab work in this class is done in a single "Lab Environment" and your progress will be saved from one reservation to another. As a result there is only one lab listed in this course "Linux System Administration Labs". Click on this lab title.<br />
<li> Use the calendar to choose a date, time, and specific pod to reserve for your lab activity (when you will begin your Debian server installation).</li><br />
: The red line on this screen indicates the current time. If you want to get started right away you can click just below this line. Pay attention to the title of the column at the top, it will say something like "LSA Pod Z". The letter at the end of this pod name is your "pod letter" which you will use to set the host name and IP address of your machine in the future so make note of it.<br />
: You will be presented with a summary screen for your reservation where you can set the end time of your reservation (up to a maximum). It is suggested to make your reservation a couple hours long the first time you plan to install Debian, though you can extend it if needed. Click submit once you are ready to make the reservation.<br />
<li>You will see a confirmation screen that your reservation has been made.</li><br />
: You are now ready to progress on to the Debian Linux Installation (as long as your reservation is right away).<br />
</ol><br />
<br />
==Debian Linux Installation==<br />
'''''[https://www.youtube.com/watch?v=H0DcdEytpFQ&feature=youtu.be Video Tutorial - Debian Linux Installation]'''''<br />
<ol><br />
<li> Log in to the Netlab system</li><br />
: Access this using a web browser at https://ihcc-netlab.campus.ihitc.net if you are not already logged in.<br />
: If you have a currently active reservation you will see a green "Enter Lab" button on your list of reservations. Click the green "Enter Lab" button. If not, you will need to make a reservation (see above) and then click the "Enter Lab" button.<br />
: Your virtual machines (VMs) will automatically power on when your reservation begins and because there is no operating system currently installed to their virtual hard drives they will boot from their virtual CD/DVD drives which have been pre-loaded with the installation discs for Linux.<br />
<li> Access you virtual machine console</li><br />
: Once you are in your pod you can either click on the image of the "Linux Server" on the topology diagram or use the tabs across the top of your screen to access the console of your Linux Server VM.<br />
: The console shows the display of your VM and allows you to type and interact with your VM just as if you were physically sitting down in front of a server with a monitor, keyboard, and mouse attached. Just like a separate physical machine you will not be able to copy and paste text or drag and drop files in and out of this console window. We will use other utilities across the network connection to do those things just like we would with a physical server.<br />
<li>Learn to "Power Cycle" your virtual machine</li><br />
: By now your VM has likely already booted from it's virtual CD/DVD drive and should be at the "Debian GNU/Linux installer menu". Before continuing let's practice rebooting your system so you can watch the system boot and see how to reboot the system if needed. Click the down arrow button on the right side of the "Linux Server" tab at the top of your screen and choose "Power Off" then click the red "Power Off" button on the popup to power off your VM. This is the equivalent of just pulling out the power cord, at least until we install the VMware Tools software which allows for a graceful shutdown, so you'll want to be careful to only do this if absolutely needed until then.<br />
<li>Power on you Virtual machine</li><br />
: Click the down arrow button on the right side of the "Linux Server" tab at the top of your screen and choose "Power On", or press the blue "Power On" button in the middle of your screen, then press the green "Power On" button to boot your system.<br />
<li>Install Debian Linux</li><br />
: Once the system has rebooted and is back to the "Debian GNU/Linux installer menu" choose "Install" and '''not''' "Graphical Install". If you make an incorrect choice you can reboot your virtual machine (power off and on) before installing to get back to the menu.<br />
: In the installer you will use the space bar to select and unselect "checkboxes", the tab key to move between fields and buttons, and the enter key to continue. You will be prompted for the following choices<br />
* Select ''English'' as the language, ''United States'' as your location, and ''American English'' as the keymap.<br />
* Set ''ens192'' as your primary network interface.<br />
* Set a hostname for the system to 2480 followed by a dash and then your pod ID letter, like ''2480-Z'' for LSA Pod Z. If you have forgotten your pod ID letter look up at the top of your screen above the line with the "Topology" and "Linux Server" tabs and you should see a line with "LSA Pod" followed by a letter, that letter is your pod ID letter.<br />
:'' Note: These steps are critical to future success in labs, check your spelling carefully'' <br />
: [[File:Lab1_hostname.png|link=https://wiki.ihitc.net/mediawiki/images/5/57/Lab1_hostname.png|500px]]<br />
: [[Media:Lab1_hostname.png|Click here for a larger image]]<br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
: [[File:Lab1_domainname.png|link=https://wiki.ihitc.net/mediawiki/images/5/5a/Lab1_domainname.png|500px]]<br />
: [[Media:Lab1_domainname.png|Click here for a larger images]]<br />
* Set the root password to something you will NOT FORGET, this is the administrator account, ''cisco'' might be a good choice for our purposes though that would not be secure for a system directly accessible from the Internet (we are protected by a firewall which you are bypassing via the VPN connection)<br />
* Create a new user account by entering your name. The system will automatically use your first name (all lowercase) as the username and then you should set the password to another password you will not forget<br />
* Select your timezone<br />
* Choose "Guided - Use entire disk" as the partitioning method and select the ''sda'' drive and "All files in one partition" as the partitioning scheme, "Finish partitioning and write the changes to the disk", and then finally confirm you want to write the changes.<br />
* You do not want to scan any other CDs or DVDs at this time.<br />
* You want to select a mirror located close to you with good speed. Because your VM is actually running from the campus and is connected to the campus Internet connection a good option is "debian.uchicago.edu" with no http proxy.<br />
* Choose whether you want to participate in the package usage survey, for our purposes either choice is just fine.<br />
* On the software selection screen UNSELECT "Debian desktop environment" and "Print server" and make sure that "SSH server" and "Standard system utilities" are the only two selected options.<br />
:'' Note: To select and unselect options move your cursor over the option and press the space bar.<br />
* Choose that yes you want to install GRUB to the master boot record on the ''/dev/sda'' device.<br />
<li>Complete the installation</li><br />
: When the installation is complete you can select continue to "eject" the virtual CD and reboot into the new install<br />
</ol><br />
<br />
==Installing sudo and Checking Your IP Address==<br />
'''''[https://www.youtube.com/watch?v=TwXp5YfAvlw&feature=youtu.be Video Tutorial - Installing sudo and checking your IP address]'''''<br />
<ol><br />
<li>Log in to NetLab</li><br />
: Login through the Netlab local console with your root account and password (username ''root'', password as set during the installation)<br />
:'' Note: When entering a password on the command line of a Linux system it is normal that nothing should appear and the cursor will not move when you are typing. This prevents someone who is able to see your computer screen from seeing what your password is or even how long it is. Just type your password and trust that the system is receiving it, press enter to submit your password.<br />
<li>Install '''sudo''' from the command line using:<br />
: ''Note: A good practice is to update your system before installing any packages, this should be completed using '''apt update''', ensure to use '''sudo''' when not logged in as root.<br />
: <code>apt update</code><br />
: <code>apt install sudo</code></li><br />
: For security purposes it is usually the case that you do not want to log in as the root user. Instead, best practice is to log in as a standard user and then execute specific commands that require root access with administrative privileges through the '''sudo''' program. The '''sudo''' program is not installed by default so after you have logged in to the root account enter '''apt update''' and press enter which will update the list of software available for installation and then '''apt install sudo''' and press enter to install the sudo software.<br />
<li>Add sudo privileges to our standard user account.<br />
<code>adduser <username> sudo</code></li><br />
: We now need to add our standard user account to the group which is allowed to have administrative access to do this enter the command '''sudo adduser ''<username>'' sudo''' and press enter, replacing ''<username>'' with the name of your standard user account (set during the setup process, probably your first name in lowercase). We'll learn more about these commands later in the course.<br />
<li>Reboot system</li><br />
<code>shutdown -r now</code><br />
: Reboot your system using the '''shutdown -r now''' command to apply the changes<br />
<li>Log in as your standard user account, determine system IP address.<br />
: Once you are logged in use the following command at the command line to determine the IP address of your system<br />
<code>ip address show</code></li><br />
: Using the '''ip address show''' command will allow you to check the IP address of your system. The IP address should be something like ''172.17.50.xxx'' and be an ''inet'' address on the ''ens192'' adapter.<br />
[[File:Lab1_ip_address_show2.PNG|500px]]<br />
<li>Test sudo privileges</li><br />
: Try running the same command as the administrator by typing '''sudo ip address show''', you will need to enter in your password again when you run this command.<br />
<code>sudo ip address show</code><br />
<li>Exit from the local console</li><br />
: To log out of the console type '''exit''' and press enter.<br />
</ol><br />
<br />
==Logging in to a Remote Terminal==<br />
'''''[https://www.youtube.com/watch?v=JEiDkrlPMNw&feature=youtu.be Video Tutorial - Logging into a remote terminal]'''''<br />
<br />
A faster way to interact with your system is not through the Netlab local console but through a remote SSH session over the network directly to your server. Once you have mastered this you will be able to copy and paste text to your Linux server and will not need to make a reservation in Netlab to work on labs. For our purposes you will always need to connect to the ITCnet VPN before doing this so that you have access to the 172.17.50.0 network.<br />
<ol><br />
<li>Install Putty</li><br />
: Assuming you are running Windows, install the PuTTY software on your home PC from [http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html this website].<br />
: '' Note: For other operating systems there are other ways and software you can use to make an SSH connection, you will need to research what tools are used for making SSH connections from your particular operating system.<br />
<li>Open an SSH session</li><br />
:* Run the PuTTY software on your computer and enter in the IP address of your VM in the "Host Name" box and click the "Open" button.<br />
:[[File:Lab1_putty.png|link=https://wiki.ihitc.net/mediawiki/images/f/f5/Lab1_putty.png|500px]]<br />
:[[Media:Lab1_putty.png| Click here for larger image]]<br />
:* Click Yes to save the host key on your system<br />
: [[File:Lab1_puttycert.png|link=https://wiki.ihitc.net/mediawiki/images/4/4b/Lab1_puttycert.png|500px]]<br />
: [[Media:Lab1_puttycert.png|Click here for larger image]]<br />
:* Enter the standard username and password for your Linux system to connect.<br />
: '' Note: You should receive a prompt just like the one you had on the Netlab local console but it is now a direct connection from your computer over the ITCnet to your server.<br />
<li>Close the SSH session</li><br />
: Type '''exit''' to close the connection while leaving your VM running.<br />
</ol><br />
<br />
==Remote File Transfer==<br />
'''''[https://www.youtube.com/watch?v=JEiDkrlPMNw&feature=youtu.be Video Tutorial - Remote File Transfer]'''''<br />
<br />
The easiest way to transfer files to and from your VM is with SFTP software. For our purposes, you will always need to connect to the ITCnet VPN before doing this so that you have access to the 172.17.50.0 network.<br />
<ol><br />
<li>Install FileZilla</li><br />
: Install the FileZilla client software on your home PC from [https://filezilla-project.org/download.php?type=client this website]<br />
<li>Open a SFTP session to your server</li><br />
: Run FileZilla and use the Quick Connect bar at the top of the screen to access your system. <br />
:* Enter the IP address of your Linux system in the "Host:" box<br />
:* Enter your standard username and password in the appropriate boxes<br />
:* Enter ''22'' in the "Port:" box<br />
:* Click the "Quickconnect" button.<br />
: [[File:Lab1_filezillanew.png|link=https://wiki.ihitc.net/mediawiki/images/b/b1/Lab1_filezillanew.png|500px]]<br />
: [[Media:Lab1_filezillanew.png|Click here for larger image]]<br />
: You should see some connection text scroll on the top of the screen and some files on the right side of the screen now such as ''.bashrc'' and ''.profile'' The right side of the screen is the drive on your Linux system and the left side of the screen is the drive on your home system. Files and folders can be dragged between the two sides to transfer them back and forth.<br />
: [[File:Lab1_filezillaconnected.png|link=https://wiki.ihitc.net/mediawiki/images/c/ca/Lab1_filezillaconnected.png|500px]]<br />
: [[Media:Lab1_filezillaconnected.png|Click here for larger image]]<br />
<li>Close the FileZilla software to disconnect.</li><br />
</ol><br />
<br />
==Install VM Tools==<br />
'''''[https://www.youtube.com/watch?v=gLC1liwVJ8s&feature=youtu.be Video Tutorial - Install VM Tools]'''''<br />
: Because your Debian Linux server is running as a virtual machine on a vmWare host system in order to achieve the best performance and driver integration we should install the vmWare Tools software package in your virtual machine.<br />
<ol><br />
<li>Open a SSH session to your server</li><br />
: Connect into your system using the remote SSH console method explained above.<br />
<li>Install '''open-vm-tools'''</li><br />
: Run the '''sudo apt install open-vm-tools''' command to install the vmWare Tools. You will be prompted about several additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
<code>sudo apt install open-vm-tools</code><br />
</ol><br />
<br />
==Install Python==<br />
In order to check your work in the labs of this course you will need to have an application called [https://www.python.org/ Python] installed on your Linux system.<br />
<ol><br />
<li> Download ''python3'' using '''apt'''</li><br />
* When prompted type Y to install the app and its dependencies</li><br />
<ul>''NOTE: This may take a while.''</ul><br />
* When prompted to specify the name of the host where the TANGO database server is running, just select ok.</li><br />
<ul> [[File:Python_tango.png|link=https://wiki.ihitc.net/mediawiki/images/4/4c/Python_tango.png|500px]]</ul><br />
<ul> [[Media:Python_tango.png | Click for Larger Image]]</ul><br />
<li> Run the following command to verify that python version 3.6 is installed.</li><br />
<code>python3 --version</code><br />
<ul> [[File:Python_version.png|link=https://wiki.ihitc.net/mediawiki/images/7/70/Python_version.png|500px]]</ul><br />
<ul> [[Media:Python_version.png | Click for Larger Image]]</ul><br />
</ol><br />
<br />
==Install Nmap==<br />
:Nmap is a tool we will learn more about later in the course but it will likely be used to check many of the labs for completion while working through the course. This course's labwork often builds upon the work you have done in previous labs. The self-check scripts are to assist you in ensuring you have not missed any ''critical'' steps in your work that would affect your success in subsequent labs.<br />
<br />
:* ''NOTE: Before we begin the installation of this tool it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning of systems which they are not authorized to do. You have been warned!<br />
:*At this time all you will be doing is installing the tool as it will be used to self-check your lab work to verify you are ready to move on to the next lab.<br />
<ol><br />
<li>Open a SSH session to your server</li><br />
: Run the following command at the command line.<br />
<code>sudo apt install nmap</code><br />
: Run the '''sudo apt install nmap''' command to install the nmap tool. You will be prompted about additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
</ol><br />
<br />
==Install Curl==<br />
:Curl is a tool that lets you run scripts that are not saved to your virtual machine. It will be used to check the labs for completion while working through the course. <br />
<ol><br />
<li> Run the following command at the command line. </li><br />
<code>sudo apt install curl</code><br />
: If prompted to install additional packages type "y"<br />
<li> Automatically check your results by running this command:</li><br />
: Installing Curl will allow you to check each of your labs for completion of some of the critical objectives of the lab work using a command in the "Checking your Work" section of the labs. This will usually be completed as the last step of the lab, but for this lab please run the following command now to check your work.<br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_01_revised.py | python3<br />
</nowiki></code><br />
<li>Close the SSH session</li><br />
: Type '''exit''' to close the connection while leaving your VM running.<br />
</ol><br />
<br />
==Safely Shutdown==<br />
'''''[https://www.youtube.com/watch?v=gLC1liwVJ8s&feature=youtu.be Video Tutorial - Safely Shutdown]'''''<br />
:We will normally leave our VM running but it is important that you know how to shutdown a Linux system correctly so this time we'll turn it off.<br />
<ol><br />
<li>Open a SSH session to your server</li><br />
: Connect in to your system using the remote SSH console method explained above.<br />
<li> Safely shutdown you server</li><br />
:* Run the '''sudo shutdown -h now''' at the command line to safely shutdown the system.<br />
<code>sudo shutdown -h now</code><br />
: You should soon get a message that PuTTY has lost it's connection. Click OK and then you can close the PuTTY window.<br />
<li>End NetLab Reservation</li><br />
: If you still have time left in your reservation in Netlab it's polite to end the reservation so other users can work on the system, only a limited number of reservations can be made at one time. You can do this by logging into Netlab, opening your lab, and clicking the "Reservation" menu at the top of the screen and choose to "End Reservation Now" followed by confirming that you want to end the reservation.<br />
</ol><br />
<br />
=Checking your Work=<br />
<ol><br />
<li>This section will cover ways to manually check your work</li><br />
<ul>For this lab each section was tested in the process of the lab. You should have successfully connected an SSH session with putty, and an ftp session with FileZilla.</ul><br />
<ul>You should have shut down you server in one of the last steps, so no further testing is necessary at this time.</ul><br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_01_revised.py | python3<br />
</nowiki></code><br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_1_mnjk&diff=9597Lab 1 mnjk2021-04-05T23:41:31Z<p>JonQuinn: /* Install Curl */</p>
<hr />
<div>=Introduction=<br />
:In this lab you will perform the following tasks:<br />
*Access NetLab to access the environment for you virtual machine<br />
*Install the latest version of Debian Linux in a virtual machine<br />
*Learn how to login and check the IP address of the system<br />
*Learn to remotely access the system with SSH and SFTP.<br />
<br />
You will be introduced to the following commands:<br />
<br />
*'''[https://linux.die.net/man/8/apt apt]'''<br />
*'''[https://linux.die.net/man/8/sudo sudo]'''<br />
*'''[https://linux.die.net/man/8/useradd adduser]'''<br />
*'''[https://linux.die.net/man/8/shutdown shutdown]'''<br />
*'''[https://linux.die.net/man/8/ip ip address show]'''<br />
<br />
=Lab Procedure=<br />
==Netlab Access==<br />
'''''[https://www.youtube.com/watch?v=-hLejbDfPGM&feature=youtu.be Video Tutorial - NetLab Access]'''''<br />
<ol><br />
<li> Connect to the ITCnet </li> <br />
: This can be accomplished by directly plugging into an ITCnet port in one of the ITC labs or by connecting to the [[ITC_VPN_Instructions|VPN]].<br />
:'' Note: If you want to connect using a wireless connection on campus you need to [[Connecting to Eduroam|connect to the eduroam network]] before connecting to the VPN.<br />
<li> After you are connected to ITCnet (by VPN or wired connection) you simply need to open a web browser and access https://ihcc-netlab.campus.ihitc.net</li><br />
* The first time you visit this site in a browser you may need to accept a self-signed security certificate<br />
* You will need to log in with a username and password established by your instructor.<br />
* The first time you log in you will need to change your password and set your timezone. Make sure your timezone is set correctly so you can schedule reservations to work with equipment at convenient times.<br />
<li> Once you are logged in click the blue "New Lab Reservation" button</li><br />
: Next, in the lower left corner of the screen, select "Schedule a Lab for Myself". Reservations are used to hold a place on the Netlab system to work on labs during a specific time. You only need reservations in this class when working with the GUI, which will come later in the class, if you need to turn the power back on to your VM, or during the installation process. The rest of the time you will be able to connect directly to your Linux server using the SSH protocol, but more on that in a bit.<br />
:'' Note: If you are enrolled in more than one class that is using Netlab you will be presented with a list of classes you are enrolled in, click on your Linux System Administration course of you see this screen.<br />
: All of our lab work in this class is done in a single "Lab Environment" and your progress will be saved from one reservation to another. As a result there is only one lab listed in this course "Linux System Administration Labs". Click on this lab title.<br />
<li> Use the calendar to choose a date, time, and specific pod to reserve for your lab activity (when you will begin your Debian server installation).</li><br />
: The red line on this screen indicates the current time. If you want to get started right away you can click just below this line. Pay attention to the title of the column at the top, it will say something like "LSA Pod Z". The letter at the end of this pod name is your "pod letter" which you will use to set the host name and IP address of your machine in the future so make note of it.<br />
: You will be presented with a summary screen for your reservation where you can set the end time of your reservation (up to a maximum). It is suggested to make your reservation a couple hours long the first time you plan to install Debian, though you can extend it if needed. Click submit once you are ready to make the reservation.<br />
<li>You will see a confirmation screen that your reservation has been made.</li><br />
: You are now ready to progress on to the Debian Linux Installation (as long as your reservation is right away).<br />
</ol><br />
<br />
==Debian Linux Installation==<br />
'''''[https://www.youtube.com/watch?v=H0DcdEytpFQ&feature=youtu.be Video Tutorial - Debian Linux Installation]'''''<br />
<ol><br />
<li> Log in to the Netlab system</li><br />
: Access this using a web browser at https://ihcc-netlab.campus.ihitc.net if you are not already logged in.<br />
: If you have a currently active reservation you will see a green "Enter Lab" button on your list of reservations. Click the green "Enter Lab" button. If not, you will need to make a reservation (see above) and then click the "Enter Lab" button.<br />
: Your virtual machines (VMs) will automatically power on when your reservation begins and because there is no operating system currently installed to their virtual hard drives they will boot from their virtual CD/DVD drives which have been pre-loaded with the installation discs for Linux.<br />
<li> Access you virtual machine console</li><br />
: Once you are in your pod you can either click on the image of the "Linux Server" on the topology diagram or use the tabs across the top of your screen to access the console of your Linux Server VM.<br />
: The console shows the display of your VM and allows you to type and interact with your VM just as if you were physically sitting down in front of a server with a monitor, keyboard, and mouse attached. Just like a separate physical machine you will not be able to copy and paste text or drag and drop files in and out of this console window. We will use other utilities across the network connection to do those things just like we would with a physical server.<br />
<li>Learn to "Power Cycle" your virtual machine</li><br />
: By now your VM has likely already booted from it's virtual CD/DVD drive and should be at the "Debian GNU/Linux installer menu". Before continuing let's practice rebooting your system so you can watch the system boot and see how to reboot the system if needed. Click the down arrow button on the right side of the "Linux Server" tab at the top of your screen and choose "Power Off" then click the red "Power Off" button on the popup to power off your VM. This is the equivalent of just pulling out the power cord, at least until we install the VMware Tools software which allows for a graceful shutdown, so you'll want to be careful to only do this if absolutely needed until then.<br />
<li>Power on you Virtual machine</li><br />
: Click the down arrow button on the right side of the "Linux Server" tab at the top of your screen and choose "Power On", or press the blue "Power On" button in the middle of your screen, then press the green "Power On" button to boot your system.<br />
<li>Install Debian Linux</li><br />
: Once the system has rebooted and is back to the "Debian GNU/Linux installer menu" choose "Install" and '''not''' "Graphical Install". If you make an incorrect choice you can reboot your virtual machine (power off and on) before installing to get back to the menu.<br />
: In the installer you will use the space bar to select and unselect "checkboxes", the tab key to move between fields and buttons, and the enter key to continue. You will be prompted for the following choices<br />
* Select ''English'' as the language, ''United States'' as your location, and ''American English'' as the keymap.<br />
* Set ''ens192'' as your primary network interface.<br />
* Set a hostname for the system to 2480 followed by a dash and then your pod ID letter, like ''2480-Z'' for LSA Pod Z. If you have forgotten your pod ID letter look up at the top of your screen above the line with the "Topology" and "Linux Server" tabs and you should see a line with "LSA Pod" followed by a letter, that letter is your pod ID letter.<br />
:'' Note: These steps are critical to future success in labs, check your spelling carefully'' <br />
: [[File:Lab1_hostname.png|link=https://wiki.ihitc.net/mediawiki/images/5/57/Lab1_hostname.png|500px]]<br />
: [[Media:Lab1_hostname.png|Click here for a larger image]]<br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
: [[File:Lab1_domainname.png|link=https://wiki.ihitc.net/mediawiki/images/5/5a/Lab1_domainname.png|500px]]<br />
: [[Media:Lab1_domainname.png|Click here for a larger images]]<br />
* Set the root password to something you will NOT FORGET, this is the administrator account, ''cisco'' might be a good choice for our purposes though that would not be secure for a system directly accessible from the Internet (we are protected by a firewall which you are bypassing via the VPN connection)<br />
* Create a new user account by entering your name. The system will automatically use your first name (all lowercase) as the username and then you should set the password to another password you will not forget<br />
* Select your timezone<br />
* Choose "Guided - Use entire disk" as the partitioning method and select the ''sda'' drive and "All files in one partition" as the partitioning scheme, "Finish partitioning and write the changes to the disk", and then finally confirm you want to write the changes.<br />
* You do not want to scan any other CDs or DVDs at this time.<br />
* You want to select a mirror located close to you with good speed. Because your VM is actually running from the campus and is connected to the campus Internet connection a good option is "debian.uchicago.edu" with no http proxy.<br />
* Choose whether you want to participate in the package usage survey, for our purposes either choice is just fine.<br />
* On the software selection screen UNSELECT "Debian desktop environment" and "Print server" and make sure that "SSH server" and "Standard system utilities" are the only two selected options.<br />
:'' Note: To select and unselect options move your cursor over the option and press the space bar.<br />
* Choose that yes you want to install GRUB to the master boot record on the ''/dev/sda'' device.<br />
<li>Complete the installation</li><br />
: When the installation is complete you can select continue to "eject" the virtual CD and reboot into the new install<br />
</ol><br />
<br />
==Installing sudo and Checking Your IP Address==<br />
'''''[https://www.youtube.com/watch?v=TwXp5YfAvlw&feature=youtu.be Video Tutorial - Installing sudo and checking your IP address]'''''<br />
<ol><br />
<li>Log in to NetLab</li><br />
: Login through the Netlab local console with your root account and password (username ''root'', password as set during the installation)<br />
:'' Note: When entering a password on the command line of a Linux system it is normal that nothing should appear and the cursor will not move when you are typing. This prevents someone who is able to see your computer screen from seeing what your password is or even how long it is. Just type your password and trust that the system is receiving it, press enter to submit your password.<br />
<li>Install '''sudo''' from the command line using:<br />
: ''Note: A good practice is to update your system before installing any packages, this should be completed using '''apt update''', ensure to use '''sudo''' when not logged in as root.<br />
: <code>apt update</code><br />
: <code>apt install sudo</code></li><br />
: For security purposes it is usually the case that you do not want to log in as the root user. Instead, best practice is to log in as a standard user and then execute specific commands that require root access with administrative privileges through the '''sudo''' program. The '''sudo''' program is not installed by default so after you have logged in to the root account enter '''apt update''' and press enter which will update the list of software available for installation and then '''apt install sudo''' and press enter to install the sudo software.<br />
<li>Add sudo privileges to our standard user account.<br />
<code>adduser <username> sudo</code></li><br />
: We now need to add our standard user account to the group which is allowed to have administrative access to do this enter the command '''sudo adduser ''<username>'' sudo''' and press enter, replacing ''<username>'' with the name of your standard user account (set during the setup process, probably your first name in lowercase). We'll learn more about these commands later in the course.<br />
<li>Reboot system</li><br />
<code>shutdown -r now</code><br />
: Reboot your system using the '''shutdown -r now''' command to apply the changes<br />
<li>Log in as your standard user account, determine system IP address.<br />
: Once you are logged in use the following command at the command line to determine the IP address of your system<br />
<code>ip address show</code></li><br />
: Using the '''ip address show''' command will allow you to check the IP address of your system. The IP address should be something like ''172.17.50.xxx'' and be an ''inet'' address on the ''ens192'' adapter.<br />
[[File:Lab1_ip_address_show2.PNG|500px]]<br />
<li>Test sudo privileges</li><br />
: Try running the same command as the administrator by typing '''sudo ip address show''', you will need to enter in your password again when you run this command.<br />
<code>sudo ip address show</code><br />
<li>Exit from the local console</li><br />
: To log out of the console type '''exit''' and press enter.<br />
</ol><br />
<br />
==Logging in to a Remote Terminal==<br />
'''''[https://www.youtube.com/watch?v=JEiDkrlPMNw&feature=youtu.be Video Tutorial - Logging into a remote terminal]'''''<br />
<br />
A faster way to interact with your system is not through the Netlab local console but through a remote SSH session over the network directly to your server. Once you have mastered this you will be able to copy and paste text to your Linux server and will not need to make a reservation in Netlab to work on labs. For our purposes you will always need to connect to the ITCnet VPN before doing this so that you have access to the 172.17.50.0 network.<br />
<ol><br />
<li>Install Putty</li><br />
: Assuming you are running Windows, install the PuTTY software on your home PC from [http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html this website].<br />
: '' Note: For other operating systems there are other ways and software you can use to make an SSH connection, you will need to research what tools are used for making SSH connections from your particular operating system.<br />
<li>Open an SSH session</li><br />
:* Run the PuTTY software on your computer and enter in the IP address of your VM in the "Host Name" box and click the "Open" button.<br />
:[[File:Lab1_putty.png|link=https://wiki.ihitc.net/mediawiki/images/f/f5/Lab1_putty.png|500px]]<br />
:[[Media:Lab1_putty.png| Click here for larger image]]<br />
:* Click Yes to save the host key on your system<br />
: [[File:Lab1_puttycert.png|link=https://wiki.ihitc.net/mediawiki/images/4/4b/Lab1_puttycert.png|500px]]<br />
: [[Media:Lab1_puttycert.png|Click here for larger image]]<br />
:* Enter the standard username and password for your Linux system to connect.<br />
: '' Note: You should receive a prompt just like the one you had on the Netlab local console but it is now a direct connection from your computer over the ITCnet to your server.<br />
<li>Close the SSH session</li><br />
: Type '''exit''' to close the connection while leaving your VM running.<br />
</ol><br />
<br />
==Remote File Transfer==<br />
'''''[https://www.youtube.com/watch?v=JEiDkrlPMNw&feature=youtu.be Video Tutorial - Remote File Transfer]'''''<br />
<br />
The easiest way to transfer files to and from your VM is with SFTP software. For our purposes, you will always need to connect to the ITCnet VPN before doing this so that you have access to the 172.17.50.0 network.<br />
<ol><br />
<li>Install FileZilla</li><br />
: Install the FileZilla client software on your home PC from [https://filezilla-project.org/download.php?type=client this website]<br />
<li>Open a SFTP session to your server</li><br />
: Run FileZilla and use the Quick Connect bar at the top of the screen to access your system. <br />
:* Enter the IP address of your Linux system in the "Host:" box<br />
:* Enter your standard username and password in the appropriate boxes<br />
:* Enter ''22'' in the "Port:" box<br />
:* Click the "Quickconnect" button.<br />
: [[File:Lab1_filezillanew.png|link=https://wiki.ihitc.net/mediawiki/images/b/b1/Lab1_filezillanew.png|500px]]<br />
: [[Media:Lab1_filezillanew.png|Click here for larger image]]<br />
: You should see some connection text scroll on the top of the screen and some files on the right side of the screen now such as ''.bashrc'' and ''.profile'' The right side of the screen is the drive on your Linux system and the left side of the screen is the drive on your home system. Files and folders can be dragged between the two sides to transfer them back and forth.<br />
: [[File:Lab1_filezillaconnected.png|link=https://wiki.ihitc.net/mediawiki/images/c/ca/Lab1_filezillaconnected.png|500px]]<br />
: [[Media:Lab1_filezillaconnected.png|Click here for larger image]]<br />
<li>Close the FileZilla software to disconnect.</li><br />
</ol><br />
<br />
==Install VM Tools==<br />
'''''[https://www.youtube.com/watch?v=gLC1liwVJ8s&feature=youtu.be Video Tutorial - Install VM Tools]'''''<br />
: Because your Debian Linux server is running as a virtual machine on a vmWare host system in order to achieve the best performance and driver integration we should install the vmWare Tools software package in your virtual machine.<br />
<ol><br />
<li>Open a SSH session to your server</li><br />
: Connect into your system using the remote SSH console method explained above.<br />
<li>Install '''open-vm-tools'''</li><br />
: Run the '''sudo apt install open-vm-tools''' command to install the vmWare Tools. You will be prompted about several additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
<code>sudo apt install open-vm-tools</code><br />
</ol><br />
<br />
==Install Python==<br />
In order to check your work in the labs of this course you will need to have an application called [https://www.python.org/ Python] installed on your Linux system.<br />
<ol><br />
<li> Download ''python3'' using '''apt'''</li><br />
* When prompted type Y to install the app and its dependencies</li><br />
<ul>''NOTE: This may take a while.''</ul><br />
* When prompted to specify the name of the host where the TANGO database server is running, just select ok.</li><br />
<ul> [[File:Python_tango.png|link=https://wiki.ihitc.net/mediawiki/images/4/4c/Python_tango.png|500px]]</ul><br />
<ul> [[Media:Python_tango.png | Click for Larger Image]]</ul><br />
<li> Run the following command to verify that python version 3.6 is installed.</li><br />
<code>python3 --version</code><br />
<ul> [[File:Python_version.png|link=https://wiki.ihitc.net/mediawiki/images/7/70/Python_version.png|500px]]</ul><br />
<ul> [[Media:Python_version.png | Click for Larger Image]]</ul><br />
</ol><br />
<br />
==Install Nmap==<br />
:Nmap is a tool we will learn more about later in the course but it will likely be used to check many of the labs for completion while working through the course. This course's labwork often builds upon the work you have done in previous labs. The self-check scripts are to assist you in ensuring you have not missed any ''critical'' steps in your work that would affect your success in subsequent labs.<br />
<br />
:* ''NOTE: Before we begin the installation of this tool it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning of systems which they are not authorized to do. You have been warned!<br />
:*At this time all you will be doing is installing the tool as it will be used to self-check your lab work to verify you are ready to move on to the next lab.<br />
<ol><br />
<li>Open a SSH session to your server</li><br />
: Run the following command at the command line.<br />
<code>sudo apt install nmap</code><br />
: Run the '''sudo apt install nmap''' command to install the nmap tool. You will be prompted about additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
</ol><br />
<br />
==Install Curl==<br />
:Curl is a tool that lets you run scripts that are not saved to your virtual machine. It will be used to check the labs for completion while working through the course. <br />
<ol><br />
<li> Run the following command at the command line. </li><br />
<code>sudo apt install curl</code><br />
: If prompted to install additional packages type "y"<br />
<li> Automatically check your results by running this command:</li><br />
: Installing Curl will allow you to check each of your labs for completion of some of the critical objectives of the lab work using a command in the Checking your Work section of the labs. This will usually be completed as the last step of the lab, but for this lab please run the following command now to check your work.<br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_01_revised.py | python3<br />
</nowiki></code><br />
<li>Close the SSH session</li><br />
: Type '''exit''' to close the connection while leaving your VM running.<br />
</ol><br />
<br />
==Safely Shutdown==<br />
'''''[https://www.youtube.com/watch?v=gLC1liwVJ8s&feature=youtu.be Video Tutorial - Safely Shutdown]'''''<br />
:We will normally leave our VM running but it is important that you know how to shutdown a Linux system correctly so this time we'll turn it off.<br />
<ol><br />
<li>Open a SSH session to your server</li><br />
: Connect in to your system using the remote SSH console method explained above.<br />
<li> Safely shutdown you server</li><br />
:* Run the '''sudo shutdown -h now''' at the command line to safely shutdown the system.<br />
<code>sudo shutdown -h now</code><br />
: You should soon get a message that PuTTY has lost it's connection. Click OK and then you can close the PuTTY window.<br />
<li>End NetLab Reservation</li><br />
: If you still have time left in your reservation in Netlab it's polite to end the reservation so other users can work on the system, only a limited number of reservations can be made at one time. You can do this by logging into Netlab, opening your lab, and clicking the "Reservation" menu at the top of the screen and choose to "End Reservation Now" followed by confirming that you want to end the reservation.<br />
</ol><br />
<br />
=Checking your Work=<br />
<ol><br />
<li>This section will cover ways to manually check your work</li><br />
<ul>For this lab each section was tested in the process of the lab. You should have successfully connected an SSH session with putty, and an ftp session with FileZilla.</ul><br />
<ul>You should have shut down you server in one of the last steps, so no further testing is necessary at this time.</ul><br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_01_revised.py | python3<br />
</nowiki></code><br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_1_mnjk&diff=9596Lab 1 mnjk2021-04-05T23:40:13Z<p>JonQuinn: /* Install Curl */</p>
<hr />
<div>=Introduction=<br />
:In this lab you will perform the following tasks:<br />
*Access NetLab to access the environment for you virtual machine<br />
*Install the latest version of Debian Linux in a virtual machine<br />
*Learn how to login and check the IP address of the system<br />
*Learn to remotely access the system with SSH and SFTP.<br />
<br />
You will be introduced to the following commands:<br />
<br />
*'''[https://linux.die.net/man/8/apt apt]'''<br />
*'''[https://linux.die.net/man/8/sudo sudo]'''<br />
*'''[https://linux.die.net/man/8/useradd adduser]'''<br />
*'''[https://linux.die.net/man/8/shutdown shutdown]'''<br />
*'''[https://linux.die.net/man/8/ip ip address show]'''<br />
<br />
=Lab Procedure=<br />
==Netlab Access==<br />
'''''[https://www.youtube.com/watch?v=-hLejbDfPGM&feature=youtu.be Video Tutorial - NetLab Access]'''''<br />
<ol><br />
<li> Connect to the ITCnet </li> <br />
: This can be accomplished by directly plugging into an ITCnet port in one of the ITC labs or by connecting to the [[ITC_VPN_Instructions|VPN]].<br />
:'' Note: If you want to connect using a wireless connection on campus you need to [[Connecting to Eduroam|connect to the eduroam network]] before connecting to the VPN.<br />
<li> After you are connected to ITCnet (by VPN or wired connection) you simply need to open a web browser and access https://ihcc-netlab.campus.ihitc.net</li><br />
* The first time you visit this site in a browser you may need to accept a self-signed security certificate<br />
* You will need to log in with a username and password established by your instructor.<br />
* The first time you log in you will need to change your password and set your timezone. Make sure your timezone is set correctly so you can schedule reservations to work with equipment at convenient times.<br />
<li> Once you are logged in click the blue "New Lab Reservation" button</li><br />
: Next, in the lower left corner of the screen, select "Schedule a Lab for Myself". Reservations are used to hold a place on the Netlab system to work on labs during a specific time. You only need reservations in this class when working with the GUI, which will come later in the class, if you need to turn the power back on to your VM, or during the installation process. The rest of the time you will be able to connect directly to your Linux server using the SSH protocol, but more on that in a bit.<br />
:'' Note: If you are enrolled in more than one class that is using Netlab you will be presented with a list of classes you are enrolled in, click on your Linux System Administration course of you see this screen.<br />
: All of our lab work in this class is done in a single "Lab Environment" and your progress will be saved from one reservation to another. As a result there is only one lab listed in this course "Linux System Administration Labs". Click on this lab title.<br />
<li> Use the calendar to choose a date, time, and specific pod to reserve for your lab activity (when you will begin your Debian server installation).</li><br />
: The red line on this screen indicates the current time. If you want to get started right away you can click just below this line. Pay attention to the title of the column at the top, it will say something like "LSA Pod Z". The letter at the end of this pod name is your "pod letter" which you will use to set the host name and IP address of your machine in the future so make note of it.<br />
: You will be presented with a summary screen for your reservation where you can set the end time of your reservation (up to a maximum). It is suggested to make your reservation a couple hours long the first time you plan to install Debian, though you can extend it if needed. Click submit once you are ready to make the reservation.<br />
<li>You will see a confirmation screen that your reservation has been made.</li><br />
: You are now ready to progress on to the Debian Linux Installation (as long as your reservation is right away).<br />
</ol><br />
<br />
==Debian Linux Installation==<br />
'''''[https://www.youtube.com/watch?v=H0DcdEytpFQ&feature=youtu.be Video Tutorial - Debian Linux Installation]'''''<br />
<ol><br />
<li> Log in to the Netlab system</li><br />
: Access this using a web browser at https://ihcc-netlab.campus.ihitc.net if you are not already logged in.<br />
: If you have a currently active reservation you will see a green "Enter Lab" button on your list of reservations. Click the green "Enter Lab" button. If not, you will need to make a reservation (see above) and then click the "Enter Lab" button.<br />
: Your virtual machines (VMs) will automatically power on when your reservation begins and because there is no operating system currently installed to their virtual hard drives they will boot from their virtual CD/DVD drives which have been pre-loaded with the installation discs for Linux.<br />
<li> Access you virtual machine console</li><br />
: Once you are in your pod you can either click on the image of the "Linux Server" on the topology diagram or use the tabs across the top of your screen to access the console of your Linux Server VM.<br />
: The console shows the display of your VM and allows you to type and interact with your VM just as if you were physically sitting down in front of a server with a monitor, keyboard, and mouse attached. Just like a separate physical machine you will not be able to copy and paste text or drag and drop files in and out of this console window. We will use other utilities across the network connection to do those things just like we would with a physical server.<br />
<li>Learn to "Power Cycle" your virtual machine</li><br />
: By now your VM has likely already booted from it's virtual CD/DVD drive and should be at the "Debian GNU/Linux installer menu". Before continuing let's practice rebooting your system so you can watch the system boot and see how to reboot the system if needed. Click the down arrow button on the right side of the "Linux Server" tab at the top of your screen and choose "Power Off" then click the red "Power Off" button on the popup to power off your VM. This is the equivalent of just pulling out the power cord, at least until we install the VMware Tools software which allows for a graceful shutdown, so you'll want to be careful to only do this if absolutely needed until then.<br />
<li>Power on you Virtual machine</li><br />
: Click the down arrow button on the right side of the "Linux Server" tab at the top of your screen and choose "Power On", or press the blue "Power On" button in the middle of your screen, then press the green "Power On" button to boot your system.<br />
<li>Install Debian Linux</li><br />
: Once the system has rebooted and is back to the "Debian GNU/Linux installer menu" choose "Install" and '''not''' "Graphical Install". If you make an incorrect choice you can reboot your virtual machine (power off and on) before installing to get back to the menu.<br />
: In the installer you will use the space bar to select and unselect "checkboxes", the tab key to move between fields and buttons, and the enter key to continue. You will be prompted for the following choices<br />
* Select ''English'' as the language, ''United States'' as your location, and ''American English'' as the keymap.<br />
* Set ''ens192'' as your primary network interface.<br />
* Set a hostname for the system to 2480 followed by a dash and then your pod ID letter, like ''2480-Z'' for LSA Pod Z. If you have forgotten your pod ID letter look up at the top of your screen above the line with the "Topology" and "Linux Server" tabs and you should see a line with "LSA Pod" followed by a letter, that letter is your pod ID letter.<br />
:'' Note: These steps are critical to future success in labs, check your spelling carefully'' <br />
: [[File:Lab1_hostname.png|link=https://wiki.ihitc.net/mediawiki/images/5/57/Lab1_hostname.png|500px]]<br />
: [[Media:Lab1_hostname.png|Click here for a larger image]]<br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
: [[File:Lab1_domainname.png|link=https://wiki.ihitc.net/mediawiki/images/5/5a/Lab1_domainname.png|500px]]<br />
: [[Media:Lab1_domainname.png|Click here for a larger images]]<br />
* Set the root password to something you will NOT FORGET, this is the administrator account, ''cisco'' might be a good choice for our purposes though that would not be secure for a system directly accessible from the Internet (we are protected by a firewall which you are bypassing via the VPN connection)<br />
* Create a new user account by entering your name. The system will automatically use your first name (all lowercase) as the username and then you should set the password to another password you will not forget<br />
* Select your timezone<br />
* Choose "Guided - Use entire disk" as the partitioning method and select the ''sda'' drive and "All files in one partition" as the partitioning scheme, "Finish partitioning and write the changes to the disk", and then finally confirm you want to write the changes.<br />
* You do not want to scan any other CDs or DVDs at this time.<br />
* You want to select a mirror located close to you with good speed. Because your VM is actually running from the campus and is connected to the campus Internet connection a good option is "debian.uchicago.edu" with no http proxy.<br />
* Choose whether you want to participate in the package usage survey, for our purposes either choice is just fine.<br />
* On the software selection screen UNSELECT "Debian desktop environment" and "Print server" and make sure that "SSH server" and "Standard system utilities" are the only two selected options.<br />
:'' Note: To select and unselect options move your cursor over the option and press the space bar.<br />
* Choose that yes you want to install GRUB to the master boot record on the ''/dev/sda'' device.<br />
<li>Complete the installation</li><br />
: When the installation is complete you can select continue to "eject" the virtual CD and reboot into the new install<br />
</ol><br />
<br />
==Installing sudo and Checking Your IP Address==<br />
'''''[https://www.youtube.com/watch?v=TwXp5YfAvlw&feature=youtu.be Video Tutorial - Installing sudo and checking your IP address]'''''<br />
<ol><br />
<li>Log in to NetLab</li><br />
: Login through the Netlab local console with your root account and password (username ''root'', password as set during the installation)<br />
:'' Note: When entering a password on the command line of a Linux system it is normal that nothing should appear and the cursor will not move when you are typing. This prevents someone who is able to see your computer screen from seeing what your password is or even how long it is. Just type your password and trust that the system is receiving it, press enter to submit your password.<br />
<li>Install '''sudo''' from the command line using:<br />
: ''Note: A good practice is to update your system before installing any packages, this should be completed using '''apt update''', ensure to use '''sudo''' when not logged in as root.<br />
: <code>apt update</code><br />
: <code>apt install sudo</code></li><br />
: For security purposes it is usually the case that you do not want to log in as the root user. Instead, best practice is to log in as a standard user and then execute specific commands that require root access with administrative privileges through the '''sudo''' program. The '''sudo''' program is not installed by default so after you have logged in to the root account enter '''apt update''' and press enter which will update the list of software available for installation and then '''apt install sudo''' and press enter to install the sudo software.<br />
<li>Add sudo privileges to our standard user account.<br />
<code>adduser <username> sudo</code></li><br />
: We now need to add our standard user account to the group which is allowed to have administrative access to do this enter the command '''sudo adduser ''<username>'' sudo''' and press enter, replacing ''<username>'' with the name of your standard user account (set during the setup process, probably your first name in lowercase). We'll learn more about these commands later in the course.<br />
<li>Reboot system</li><br />
<code>shutdown -r now</code><br />
: Reboot your system using the '''shutdown -r now''' command to apply the changes<br />
<li>Log in as your standard user account, determine system IP address.<br />
: Once you are logged in use the following command at the command line to determine the IP address of your system<br />
<code>ip address show</code></li><br />
: Using the '''ip address show''' command will allow you to check the IP address of your system. The IP address should be something like ''172.17.50.xxx'' and be an ''inet'' address on the ''ens192'' adapter.<br />
[[File:Lab1_ip_address_show2.PNG|500px]]<br />
<li>Test sudo privileges</li><br />
: Try running the same command as the administrator by typing '''sudo ip address show''', you will need to enter in your password again when you run this command.<br />
<code>sudo ip address show</code><br />
<li>Exit from the local console</li><br />
: To log out of the console type '''exit''' and press enter.<br />
</ol><br />
<br />
==Logging in to a Remote Terminal==<br />
'''''[https://www.youtube.com/watch?v=JEiDkrlPMNw&feature=youtu.be Video Tutorial - Logging into a remote terminal]'''''<br />
<br />
A faster way to interact with your system is not through the Netlab local console but through a remote SSH session over the network directly to your server. Once you have mastered this you will be able to copy and paste text to your Linux server and will not need to make a reservation in Netlab to work on labs. For our purposes you will always need to connect to the ITCnet VPN before doing this so that you have access to the 172.17.50.0 network.<br />
<ol><br />
<li>Install Putty</li><br />
: Assuming you are running Windows, install the PuTTY software on your home PC from [http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html this website].<br />
: '' Note: For other operating systems there are other ways and software you can use to make an SSH connection, you will need to research what tools are used for making SSH connections from your particular operating system.<br />
<li>Open an SSH session</li><br />
:* Run the PuTTY software on your computer and enter in the IP address of your VM in the "Host Name" box and click the "Open" button.<br />
:[[File:Lab1_putty.png|link=https://wiki.ihitc.net/mediawiki/images/f/f5/Lab1_putty.png|500px]]<br />
:[[Media:Lab1_putty.png| Click here for larger image]]<br />
:* Click Yes to save the host key on your system<br />
: [[File:Lab1_puttycert.png|link=https://wiki.ihitc.net/mediawiki/images/4/4b/Lab1_puttycert.png|500px]]<br />
: [[Media:Lab1_puttycert.png|Click here for larger image]]<br />
:* Enter the standard username and password for your Linux system to connect.<br />
: '' Note: You should receive a prompt just like the one you had on the Netlab local console but it is now a direct connection from your computer over the ITCnet to your server.<br />
<li>Close the SSH session</li><br />
: Type '''exit''' to close the connection while leaving your VM running.<br />
</ol><br />
<br />
==Remote File Transfer==<br />
'''''[https://www.youtube.com/watch?v=JEiDkrlPMNw&feature=youtu.be Video Tutorial - Remote File Transfer]'''''<br />
<br />
The easiest way to transfer files to and from your VM is with SFTP software. For our purposes, you will always need to connect to the ITCnet VPN before doing this so that you have access to the 172.17.50.0 network.<br />
<ol><br />
<li>Install FileZilla</li><br />
: Install the FileZilla client software on your home PC from [https://filezilla-project.org/download.php?type=client this website]<br />
<li>Open a SFTP session to your server</li><br />
: Run FileZilla and use the Quick Connect bar at the top of the screen to access your system. <br />
:* Enter the IP address of your Linux system in the "Host:" box<br />
:* Enter your standard username and password in the appropriate boxes<br />
:* Enter ''22'' in the "Port:" box<br />
:* Click the "Quickconnect" button.<br />
: [[File:Lab1_filezillanew.png|link=https://wiki.ihitc.net/mediawiki/images/b/b1/Lab1_filezillanew.png|500px]]<br />
: [[Media:Lab1_filezillanew.png|Click here for larger image]]<br />
: You should see some connection text scroll on the top of the screen and some files on the right side of the screen now such as ''.bashrc'' and ''.profile'' The right side of the screen is the drive on your Linux system and the left side of the screen is the drive on your home system. Files and folders can be dragged between the two sides to transfer them back and forth.<br />
: [[File:Lab1_filezillaconnected.png|link=https://wiki.ihitc.net/mediawiki/images/c/ca/Lab1_filezillaconnected.png|500px]]<br />
: [[Media:Lab1_filezillaconnected.png|Click here for larger image]]<br />
<li>Close the FileZilla software to disconnect.</li><br />
</ol><br />
<br />
==Install VM Tools==<br />
'''''[https://www.youtube.com/watch?v=gLC1liwVJ8s&feature=youtu.be Video Tutorial - Install VM Tools]'''''<br />
: Because your Debian Linux server is running as a virtual machine on a vmWare host system in order to achieve the best performance and driver integration we should install the vmWare Tools software package in your virtual machine.<br />
<ol><br />
<li>Open a SSH session to your server</li><br />
: Connect into your system using the remote SSH console method explained above.<br />
<li>Install '''open-vm-tools'''</li><br />
: Run the '''sudo apt install open-vm-tools''' command to install the vmWare Tools. You will be prompted about several additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
<code>sudo apt install open-vm-tools</code><br />
</ol><br />
<br />
==Install Python==<br />
In order to check your work in the labs of this course you will need to have an application called [https://www.python.org/ Python] installed on your Linux system.<br />
<ol><br />
<li> Download ''python3'' using '''apt'''</li><br />
* When prompted type Y to install the app and its dependencies</li><br />
<ul>''NOTE: This may take a while.''</ul><br />
* When prompted to specify the name of the host where the TANGO database server is running, just select ok.</li><br />
<ul> [[File:Python_tango.png|link=https://wiki.ihitc.net/mediawiki/images/4/4c/Python_tango.png|500px]]</ul><br />
<ul> [[Media:Python_tango.png | Click for Larger Image]]</ul><br />
<li> Run the following command to verify that python version 3.6 is installed.</li><br />
<code>python3 --version</code><br />
<ul> [[File:Python_version.png|link=https://wiki.ihitc.net/mediawiki/images/7/70/Python_version.png|500px]]</ul><br />
<ul> [[Media:Python_version.png | Click for Larger Image]]</ul><br />
</ol><br />
<br />
==Install Nmap==<br />
:Nmap is a tool we will learn more about later in the course but it will likely be used to check many of the labs for completion while working through the course. This course's labwork often builds upon the work you have done in previous labs. The self-check scripts are to assist you in ensuring you have not missed any ''critical'' steps in your work that would affect your success in subsequent labs.<br />
<br />
:* ''NOTE: Before we begin the installation of this tool it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning of systems which they are not authorized to do. You have been warned!<br />
:*At this time all you will be doing is installing the tool as it will be used to self-check your lab work to verify you are ready to move on to the next lab.<br />
<ol><br />
<li>Open a SSH session to your server</li><br />
: Run the following command at the command line.<br />
<code>sudo apt install nmap</code><br />
: Run the '''sudo apt install nmap''' command to install the nmap tool. You will be prompted about additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
</ol><br />
<br />
==Install Curl==<br />
:Curl is a tool that lets you run scripts that are not saved to your virtual machine. It will be used to check the labs for completion while working through the course. <br />
<ol><br />
<li> Run the following command at the command line. </li><br />
<code>sudo apt install curl</code><br />
: If prompted to install additional packages type "y"<br />
<li> Automatically check your results by running this command:</li><br />
: Installing Curl will allow you to check each of your labs for completion of some of the critical objectives of the lab work using a command in the Checking your work section of the labs.<br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_01_revised.py | python3<br />
</nowiki></code><br />
<li>Close the SSH session</li><br />
: Type '''exit''' to close the connection while leaving your VM running.<br />
</ol><br />
<br />
==Safely Shutdown==<br />
'''''[https://www.youtube.com/watch?v=gLC1liwVJ8s&feature=youtu.be Video Tutorial - Safely Shutdown]'''''<br />
:We will normally leave our VM running but it is important that you know how to shutdown a Linux system correctly so this time we'll turn it off.<br />
<ol><br />
<li>Open a SSH session to your server</li><br />
: Connect in to your system using the remote SSH console method explained above.<br />
<li> Safely shutdown you server</li><br />
:* Run the '''sudo shutdown -h now''' at the command line to safely shutdown the system.<br />
<code>sudo shutdown -h now</code><br />
: You should soon get a message that PuTTY has lost it's connection. Click OK and then you can close the PuTTY window.<br />
<li>End NetLab Reservation</li><br />
: If you still have time left in your reservation in Netlab it's polite to end the reservation so other users can work on the system, only a limited number of reservations can be made at one time. You can do this by logging into Netlab, opening your lab, and clicking the "Reservation" menu at the top of the screen and choose to "End Reservation Now" followed by confirming that you want to end the reservation.<br />
</ol><br />
<br />
=Checking your Work=<br />
<ol><br />
<li>This section will cover ways to manually check your work</li><br />
<ul>For this lab each section was tested in the process of the lab. You should have successfully connected an SSH session with putty, and an ftp session with FileZilla.</ul><br />
<ul>You should have shut down you server in one of the last steps, so no further testing is necessary at this time.</ul><br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_01_revised.py | python3<br />
</nowiki></code><br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_9_mnjk&diff=9589Lab 9 mnjk2021-03-22T23:44:31Z<p>JonQuinn: /* Checking Your Work */</p>
<hr />
<div>=Introduction=<br />
<br />
In this lab you will perform the following tasks:<br />
*Install a basic email server <br />
*Install Courier MDA software<br />
*Learn how to allow remote users to send mail<br />
<br><br />
You will be introduced to the following commands:<br />
*'''[https://linux.die.net/man/1/telnet telnet]'''<br />
<br><br />
This lab assumes that you know the IP address of your Linux system and are connected to the ITCnet VPN network. Additionally, this lab assumes that you have completed the Bind DNS and have created a MX record that directs mail to your mail server. <br />
*[[Lab_8_mnjk#Install_BIND_&_Enable_Caching | Installing Bind]]<br />
*[[Lab_8_mnjk#Adding_a_Delegated_Domain | Creating a MX record in DNS]]<br />
<br />
=Lab Procedure=<br />
== Prerequisites ==<br />
# Open an SSH console to your Linux system using the PuTTY software, login with your standard user account<br />
# Make sure that webmin is installed on your system. <br />
# Get the username and domain name of someone else's system in the class who you can send mail to<br />
# This lab requires that you have appropriate domain name records (at least a correct A and MX record) for your system working from the DNS lab before things will work.<br />
<br />
== Install the Postfix MTA ==<br />
'''''[https://www.youtube.com/watch?v=6VsgO5695Z4&feature=youtu.be Video Tutorial - Install Postfix MTA]'''''<br />
<ol><br />
<li> Use a package manager to install the ''postfix'' package.<br />
* During the installation process select ''Internet Site'' as the type of mail server and set the domain name to ''*.itc2480.campus.ihitc.net'' where * is the hostname letter of your system.</li><br />
: MTA software listens for incoming connections from other MTA servers on port 25 and accepts mail on behalf of users on the system. Once the mail is received it is stored locally for users to retrieve. The most common methods for storing messages is in an .mbox file, where all messages are stored in a single file, or in a Maildir, which is a directory where each message is stored in a separate file. The MTA also listens for connections from client software (MUA) and accepts outbound messages from them and forwards them on to the destination domain's mail server. Advanced configuration of MTA software can allow for anti-spam filtering, mailing list support or other programs to intercept and manipulate mail as it passes through the server.<br />
<li>Test the connection an verify the port is open</li><br />
:* Use Telnet to connect to the Postfix SMTP server on port 25: '''telnet localhost 25'''<br />
: [[File:Lab9_open_telnet.png|link=https://wiki.ihitc.net/mediawiki/images/1/10/Lab9_open_telnet.png|500px]]<br />
: [[Media:Lab9_open_telnet.png | Click here for larger image]]<br />
:* Type '''quit''' and press enter after verifying Postfix is running.<br />
<br />
<li>Configure Maildir</li><br />
: Because the Courier IMAP and POP3 server software only supports Maildir style message stores and Postfix stores in mbox files by default you must edit the ''/etc/postfix/main.cf'' file to fix this. <br />
:* Add the line <br />
:<pre>home_mailbox = Maildir/</pre> <br />
: Edit or add the ''mailbox_command'' parameter so there is nothing on the line after the equals sign, delete the portion of the line referencing procmail if it exists. The line should look like: <br />
:<pre>mailbox_command = </pre><br />
<li> Restart the ''postfix'' service to apply your change. Postfix is now saving new incoming messages into the Maildir folder inside each user's home directory. This folder is automatically created by Postfix the first time a new message comes in for a user.</li><br />
<li> Set your shell to recognize the maildir as your mail location</li><br />
:* Edit the ''/etc/login.defs'' file and comment out the ''MAIL_DIR /var/mail'' line (place a # in front of the line) and add a line setting ''MAIL_FILE'' like this:<br />
<pre><br />
#MAIL_DIR /var/mail<br />
MAIL_FILE Maildir/<br />
</pre><br />
:* Edit the ''/etc/pam.d/login'' file, find and comment out the ''session optional pam_mail.so standard'' line (place a # in front of the line) and add a line like this immediately below it:<br />
<pre><br />
#session optional pam_mail.so standard<br />
session optional pam_mail.so dir=~/Maildir standard<br />
</pre><br />
:* Edit the ''/etc/pam.d/su'' file, find and comment out the ''session optional pam_mail.so nopen'' line (place a # in front of the line) and add a line like this immediately below it:<br />
<pre><br />
#session optional pam_mail.so nopen<br />
session optional pam_mail.so dir=~/Maildir nopen<br />
</pre><br />
:* Edit the ''/etc/pam.d/sshd'' file, find and comment out the ''session optional pam_mail.so standard noenv'' line (place a # in front of the line) and add a line like this immediately below it:<br />
<pre><br />
#session optional pam_mail.so standard noenv<br />
session optional pam_mail.so dir=~/Maildir standard<br />
</pre><br />
:* Edit the ''/etc/profile'' file and at the end of the file add the line: <pre>export MAIL=~/Maildir</pre></li><br />
<li> Test sending and receiving mail as a locally logged on user.</li><br />
<br />
:* Install the ''mailutils'' package.</li><br />
:* Try sending a message (replace username with your username): <pre>echo "This is my message" | mail -s "Email Subject" username@localhost</pre><br />
:* Log out of your SSH session and open a new SSH session to apply the changes to the ''/etc/profile'' and ''/etc/login.defs'' files.<br />
:* Check to see if the message was received using the '''mail''' command, press ''q'' to return to the command line.<br />
:[[File:Lab9_cli_send_mail.png|link=https://wiki.ihitc.net/mediawiki/images/4/4f/Lab9_cli_send_mail.png|500px]]<br />
:[[Media:Lab9_cli_send_mail.png|Click here for a larger image]]<br />
: You should also be able to see the message in ''~/Maildir/'' in either the ''new/'' or ''cur/'' directory depending on whether you have viewed the message list yet or not. In either case, the message will appear as a text file with a random-looking name. It's just a text file so you can use '''cat''' or '''less''' to view it.<br />
<li> Create Aliases </li><br />
: You can create aliases and forward mail between users by editing the ''/etc/aliases'' file and then running the '''newaliases''' program. <br />
:* Create an "alias" for ''sysadmin'' which forwards mail sent to sysadmin@localhost to your username <br />
:* Send a copy of all mail to the ''root'' account to your username <br />
<br />
: Now would be a good time to try logging on to Webmin again, re-scanning for modules and then taking a look at the Postfix module in the ''Servers'' section.<br />
<li>Explore the mail log file</li><br />
: Take a look at your ''/var/log/mail.info'' log to see Postfix sending and receiving messages for users.<br />
</ol><br />
<br />
== Install Courier MDA ==<br />
'''''[https://www.youtube.com/watch?v=uvZlSiQHlxs&feature=youtu.be Video Tutorial - Install Courier MDA]'''''<br />
<ol><br />
<li>Install required courier packages </li><br />
: Most users prefer to retrieve mail from a mail server using an MDA protocol like POP3 or IMAP which can be provided by the Courier programs. Install the ''courier-pop'', ''courier-imap'', and ''fam'' packages.<br />
:* Do not create the directories for web-based administration as they are unneeded for our setup<br />
: Local users accessing their mailbox with MUA software can read and write to the .mbox file or Maildir directly. If a user not locally logged on to the system wants to access their mailbox the server runs MDA software which typically uses the POP3 or IMAP protocol for accessing the .mbox file or Maildir remotely.<br />
<br />
<li> Install MUA Client on remote system</li><br />
:*Install an email client (MUA) on your host (home) system such as [http://www.mozilla.org/en-US/thunderbird/ Mozilla Thunderbird]<br />
:* Setup two user accounts in your MUA, the usernames and passwords should be the same as users and their passwords on your system. Use ''IMAP'' as the protocol for retrieving mail. The email address for each should be ''username@*.itc2480.campus.ihitc.net'' where the * is replaced by the host letter of your system. You can verify the IMAP and SMTP settings that are detected, both server addresses should be ''*.itc2480.campus.ihitc.net'' where the * is replaced by the host letter of your system.<br />
:'' NOTE: The first time you check messages and the first time you send messages to your server from Thunderbird you will need to accept an invalid security certificate in the Thunderbird window.<br />
:[[File:Lab9_thunderbird_cert.png|link=https://wiki.ihitc.net/mediawiki/images/9/9a/Lab9_thunderbird_cert.png|500px]]<br />
:[[Media:Lab9_thunderbird_cert.png|Click here for a larger image]]<br />
:'' NOTE: To see the ''Tools'' menu with the ''Account Settings'' window in recent versions of Thunderbird (where you can add more accounts) you need to press ALT-F and then the menu bar will temporarily appear.<br />
:[[File:Lab9_thunderbird_menu.png|link=https://wiki.ihitc.net/mediawiki/images/6/60/Lab9_thunderbird_menu.png|500px]]<br />
:[[Media:Lab9_thunderbird_menu.png|Click here for a larger image]]<br />
<li>Send mail between local users</li><br />
:* Try sending a message from one user to the other user by sending a message to the other account like ''username@localhost'' Verify that you can receive and read the messages.<br />
:* Note: If a user has not yet received any mail Postfix has not created a Maildir for the user and the Courier software will send an error to the client software. Use the mail program explained above to send some mail to the user, see that the ''~/Maildir'' is then created and try retrieving the messages again with your MUA.<br />
</ol><br />
<br />
== Allow Remote Users to Send Mail ==<br />
'''''[https://www.youtube.com/watch?v=0qh3mCMIzn4&feature=youtu.be Video tutorial - Allow Remote Users to Send Mail]'''''<br />
<ol><br />
<li>Testing SMTP mail to another domain</li><br />
:* Try setting up your MUA software to send mail by creating an SMTP server entry and sending an email to ''anotheruser@localhost'' This should work because localhost is your own server but if you try sending email to ''someuser@somedomain.com'' like ''root@ben.itc2480.campus.ihitc.net'' that will fail.<br />
: The problem is you don't want just anyone to send mail through your mailserver (we did allow this in the olden days) because a spammer could then use your server to send mail worldwide and it would all trace back to the IP of your server, we call servers setup like this "open relays" because they relay mail for anyone and they are generally considered very bad practice and can get your mailserver on lists of servers to ignore all messages from. There are a number of ways to solve this. By default Postfix will only allow mail relaying from computers on the same network (based on IP) as set in the ''/etc/postfix/main.cf'' ''mynetworks'' parameter but this is inconvenient for remote users as you would need to know the remote IP address they are connecting from. The SASL protocol allows users to authenticate with a username and password before sending mail and then relay messages are accepted from them.<br />
<li>Configure Simple Autherntication and Security Layer - SASL</li><br />
:* See if you can follow [https://wiki.debian.org/PostfixAndSASL these instructions] for setting up SASL with Postfix.<br />
:'' Note: You do NOT need to setup TLS to support SASL (more on that in the additional considerations section below)<br />
<li>Test and troubleshoot SASL</li><br />
:* Modify your MUA to use a username and password when connecting to your SMTP server and try sending mail to someone else's system from your MUA using a destination address like ''root@*.itc2480.campus.ihitc.net'' where the * is replaced by the host letter of your system.<br />
:'' NOTE: You MUST actually exchange messages with someone else in the class (both sending to them and receiving from them). It is not possible to test using an outside email account of your own (you will not be able to send a message back to your server because it is behind a firewall). It is not enough to just be able to send a message to another system. It is not enough to just be able to receive a message from another user.<br />
:* Troubleshoot as needed using the mail log files on your system.<br />
</ol><br />
<br />
=Additional Considerations=<br />
Running a mailserver is tricky business. The basic server we have setup does not use valid certificates for encrypting connections meaning usernames, passwords, and mail contents are all being sent to an unverified server. This is very undesirable from a security standpoint and it would be suggested to support SSL/TLS encryption for both the MTA and MDA portions with a valid certificate purchased from a certificate authority (CA) or from a free CA like [https://letsencrypt.org/ Let's Encrypt]. In addition, you will almost certainly want spam filtering at the server. More complicated setups also use database tables for users, passwords and domains so that you can host multiple domains on a single server and have email user boxes for people who do not have local logins on the system.<br />
<br />
=Additional Resources=<br />
* [https://help.ubuntu.com/community/PostfixBasicSetupHowto Ubuntu Postfix Basic Setup]<br />
* [https://wiki.debian.org/Postfix Debian Wiki - Postfix Installation]<br />
<br />
==Checking Your Work==<br />
<ol><br />
<li>Send a test email to ping@itc2480.camus.ihitc.net from your Thunderbird or other MTA mail program.</li><br />
<ul>You should receive a response titled "Success! Auto Response form Ping Auto Mailer"</ul><br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_09_test.py | python3<br />
</nowiki></code><br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_5_mnjk&diff=9588Lab 5 mnjk2021-03-22T23:37:32Z<p>JonQuinn: /* Checking Your Work */</p>
<hr />
<div>=Introduction=<br />
In this lab you will perform the following tasks:<br />
*Learn about static network configuration of Debian Linux systems<br />
*Install '''[https://www.php.net PHP]'''<br />
*Install '''[https://www.php.net MariaDB]''' on your server, this is an open-source MySQL alternative<br />
*Experiment with websites and databases<br />
*Explore the standard log files on your system.<br />
<br />
You will be introduced to the following commands:<br />
<br />
*'''[https://linux.die.net/man/8/ifup ifup]'''<br />
*'''[https://linux.die.net/man/8/ifdown ifdown]'''<br />
*'''[https://linux.die.net/man/8/ping ping]'''<br />
*'''[https://linux.die.net/man/8/shutdown shutdown]'''<br />
*'''[https://www.commandlinux.com/man-page/man8/a2dissite.8.html a2ensite]'''<br />
*'''[https://www.commandlinux.com/man-page/man8/a2dissite.8.html a2dissite]'''<br />
*'''[https://linux.die.net/man/1/wget wget]'''<br />
*'''[https://linux.die.net/man/1/zcat zcat]'''<br />
*'''[https://linux.die.net/man/8/service service]'''<br />
*'''[https://linux.die.net/man/1/tail tail]'''<br />
<br />
You will also use the following MySQL (MariaDB) commands:<br />
<br />
*'''[https://mariadb.com/kb/en/use USE]'''<br />
*'''[https://mariadb.com/kb/en/show SHOW]'''<br />
*'''[https://mariadb.com/kb/en/select SELECT]'''<br />
*'''[https://mariadb.com/kb/en/drop-database DROP database]'''<br />
<br />
=Lab Procedure=<br />
==Prerequisites==<br />
# Open an SSH console to your Linux system using the PuTTY software, login with your standard user account<br />
# Make a note of the static IP address information for your particular system in the table below, it is based on the system name identification letter in vmWare. These IP addresses will ONLY be valid in the ITC vmWare Linux class subnet. If you are working on a local VirtualBox system you will need to select an available static IP from the correct subnet for your system or skip the static IP addressing section. All vmWare systems will use a gateway address of 172.17.50.1 and a subnet mask of 255.255.255.0 with two nameservers 172.17.139.11 and 172.17.139.111<br />
{| {{table}}<br />
| align="center" style="background:#f0f0f0;"|'''System ID'''<br />
| align="center" style="background:#f0f0f0;"|'''Static IP'''<br />
|-<br />
| A||172.17.50.11<br />
|-<br />
| B||172.17.50.12<br />
|-<br />
| C||172.17.50.13<br />
|-<br />
| D||172.17.50.14<br />
|-<br />
| E||172.17.50.15<br />
|-<br />
| F||172.17.50.16<br />
|-<br />
| G||172.17.50.17<br />
|-<br />
| H||172.17.50.18<br />
|-<br />
| I||172.17.50.19<br />
|-<br />
| J||172.17.50.20<br />
|-<br />
| K||172.17.50.21<br />
|-<br />
| L||172.17.50.22<br />
|-<br />
| M||172.17.50.23<br />
|-<br />
| N||172.17.50.24<br />
|-<br />
| O||172.17.50.25<br />
|-<br />
| P||172.17.50.26<br />
|-<br />
| Q||172.17.50.27<br />
|-<br />
| R||172.17.50.28<br />
|-<br />
| S||172.17.50.29<br />
|-<br />
| T||172.17.50.30<br />
|-<br />
| U||172.17.50.31<br />
|-<br />
| V||172.17.50.32<br />
|-<br />
| W||172.17.50.33<br />
|-<br />
| X||172.17.50.34<br />
|-<br />
| Y||172.17.50.35<br />
|-<br />
| Z||172.17.50.36<br />
|}<br />
<br />
<br />
<br />
==Set a static IP==<br />
'''''[https://www.youtube.com/watch?v=VcPA6gJ0Ohw&feature=youtu.be Video Tutorial - Setting a Static IP Address]'''''<br />
<br />
: An important first step is to learn how to diferenciate between network interfaces. Take a look at [https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/ this site] and [https://github.com/systemd/systemd/blob/master/src/udev/udev-builtin-net_id.c#L20 this site] to understand how network interface names in Debian 9 and later are identified.<br />
<ol><br />
<li>Set a static IP for your server</li><br />
* Using your text editor of choice, open up the file ''/etc/network/interfaces''<br />
* Notice how it is currently set to dhcp for the ''ens192'' interface.<br />
* To set a static IP, you will need to change ''iface ens192 inet dhcp'' to ''iface ens192 inet static''.<br />
* Now, under the iface line you just edited, you will need to enter the address, netmask, and gateway for the static network.<br />
:''' Reminder: it is common practice to indent (tab) static network configuration information in the interfaces file.<br />
'' Note: Your configuration should be similar to this:<br />
<pre>allow-hotplug ens192<br />
iface ens192 inet static<br />
address xxx.xxx.xxx.xxx<br />
netmask 255.255.255.0<br />
gateway 172.17.50.1<br />
dns-nameservers 172.17.139.11 172.17.139.111</pre><br />
* Now save the file, and exit your file editor.<br />
<li>Apply your static IP address</li><br />
* Now we are going to apply the static IP change. Try using '''ip address show''' to view your active configuration now and you should see that your old address is still active.<br />
:''NOTE: You should only make network configuration changes when you have physical access to a machine. This way, if you mess up your configuration you will be able to fix it from a local console.''' If you lose working SSH access to your system after making these changes you'll need to connect in through the NetLab console interface (which is equivalent to physical access) and find and correct your configuration issues.<br />
* Using the '''ifdown''' and '''ifup''' command, we are going to restart the network interface, this step is required to apply the change.<br />
:'' Note: A good method to watch this change is to have to ping windows open on your local machine ping both your old IP address and your new IP address with a '''ping 172.17.50.xx -t''' this will allow you to see how quickly the change will happen. The first image below is with the DHCP address, the second is after the static address is applied.<br />
:[[File:Lab5_ping_ifup_ifdown.png|link=https://wiki.ihitc.net/mediawiki/images/2/2f/Lab5_ping_ifup_ifdown.png|500px]]<br />
:[[Media:Lab5_ping_ifup_ifdown.png|Click here for a larger image]]<br />
* In a SSH terminal, run '''sudo ifdown ens192 && sudo ifup ens192'''. Notice the two ''&&'' symbols. This tells the Linux shell that it should run the second command right after the first. If we do not define this, then we would be left with a machine that has its networking turned off.<br />
: <code>sudo ifdown ens192 && sudo ifup ens192</code><br />
'' Note: you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
* At this point, your machine should now be using a static address. You may receive an error message indicating that an address cannot be assigned which is related to your old DHCP address still being on the interface as well. Use '''ip address show''' to verify the new IP address is assigned to the interface.<br />
<li>Verify the new static IP address</li><br />
* Used a '''ping''' command from your local PC to try pinging both the old DHCP address as well as your new static address of your VM. <br />
* Once you have verified the VM is responding on the new static IP address reboot the system to ensure the old DHCP address is removed by restarting your VM with '''sudo shutdown -r now''' Note you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
<li>Reconnect through SSH to your new IP address and verify it is now applied using the '''ip address show''' command.</li><br />
</ol><br />
<br />
==Install PHP & MySQL/MariaDB==<br />
<br />
'''''[https://www.youtube.com/watch?v=Az0qtg4LSjA&feature=youtu.be Video Tutorial - Install PHP and MySQL MariaDB]'''''<br />
<ol><br />
<li>Install packages</li><br />
:* Using '''apt''', install the ''php'' and ''mariadb-server'' packages as well as the ''php-mysql'' package which provides the link between php and mysql and the ''libapache2-mod-php'' package which provides a copy of PHP which allows the Apache webserver to run website PHP scripts.<br />
'' Note: Remember to do an '''apt update''' before installing packages to make sure you get the latest versions<br />
'' Note: Maria-DB is a fully compatible replacement for MySQL that isn't controlled by Oracle.<br />
* After the dependencies are found, go ahead and accept them to continue the install.<br />
<li> After the install is complete, '''cd''' to ''/var/www/html'' which is the root directory of your webserver and so where all website files are served from.</li><br />
<li> In order to fully enable the PHP-MySQL module you should restart your Apache webserver. You don't need to restart your entire system to do this. Do some research on the "apache2ctl" or the "service apache2" commands which can be used to do this.<br />
<li> At this point we will test to verify that php is working properly with Apache. Create a new file named ''phptest.php'', and then open it in a text editor.</li><br />
: '' Note: you may have to use sudo to create and edit files in this directory. as your standard user account may not have privilidges to create and edit files in this directory.<br />
:<code>sudo touch phptest.php</code><br />
:<code>sudo nano phptest.php</code><br />
<li>Enter the following into the file:<br />
<pre><?php<br />
phpinfo();<br />
?></pre></li><br />
<li>Now save the file, and on your local machine go to xxx.xxx.xxx.xxx/phptest.php in a web browser where xxx.xxx.xxx.xxx is your VM's static IP. You should now be on a page that shows your PHP Version, and system information.</li> <br />
:[[File:Lab5_php_info.png|500px]]<br />
:[[Media:Lab5_php_info.png|Click here for a larger image]]<br />
<li>Use the "View Source" option in your browser to see what the HTML source code is for the page you're viewing is. Is it the same or different than the .php file you created? Why? How is this different than a standard .html file?</li><br />
:[[File:Lab5_php_info_devtab.png|500px]]<br />
:[[Media:Lab5_php_info_devtab.png|Click here for a larger image]]<br />
</ol><br />
<br />
==Experiment with Website PHP==<br />
<br />
'''''[https://www.youtube.com/watch?v=m_sUrt_quX4&feature=youtu.be Video Tutorial - Experiment with Website PHP]'''''<br />
<ol><br />
<li> Explore Apache symlinks</li><br />
:In a previous lab we learned about editing the ''/var/www/index.html'' file to change the default web page displayed by your server. In a future lab you will install some PHP/MySQL based software which powers many Internet sites with forums, blogs, etc. Before we can do that we need to learn a little more about PHP and about databases. Like most software on Linux the Apache webserver configuration files are stored in the ''/etc'' directory. Specifically, you can find several of them which work together and are called from each other in ''/etc/apache2/'' take a look in the ''/etc/apache2/sites-enabled/'' directory. See how symlinks are used to point to configuration files which actually reside in the ''/etc/apache2/sites-available/'' directory? This allows us to turn off and on various sites by creating or removing a symlink rather than by deleting the actual configuration file, a handy thing if we just want to temporarily disable a site. In fact Apache provides a utility to automatically add and remove these links called '''a2ensite''' and '''a2dissite'''. Check the '''man''' pages for these commands to see how they work.<br />
<li>Explore '''/etc/apche2/sites-enabled'''</li><br />
:As you might have guessed the default site for your system is configured by the file linked to at ''/etc/apache2/sites-enabled/000-default'' If you open this file in your favorite text editor you will see a series of what Apache calls "directives" which explain how the webserver should function, what port it should listen on, where the website files will reside (''/var/www/html''), etc. <br />
:'' NOTE: Going into all of the different Apache directives is outside of the scope of this course but you will find a lot of documentation about them on the Internet.<br />
<li>Explore the Apache configuration files in Webmin</li><br />
:In addition to configuring Apache directly through it's configuration files you can also configure it through an interface like Webmin which we installed in a previous lab. Bring up the Webmin configuration page for Apache and take a look at the settings for the default site. Note how the things you saw directly in the configuration file match up with what you see in Webmin. One of the things you may be interested in seeing is how the webserver knows to display the index.html file from a directory if it exists and no specific file is requested in the URL. Take a look on the "Directory Indexing" page for the default virtualhost and see if you can find this information. You'll notice that there is a list of files, not just index.html which the server will display.<br />
:'' NOTE: You may need to refresh your Webmin modules or "scan for new modules" if you haven't done that since installing Apache and Webmin. Webmin scans your system for compatible server software packages (like Apache) when it is installed but needs to re-scan it's modules after you install new server software before you can configure it through Webmin.<br />
<li>Expiriment with and learn PHP basics</li><br />
:In another section of this lab you created a basic ''phptest.php'' file and saw how the server executed the PHP code and turned it into an HTML page your browser could display. Because PHP offers an easy way to write web applications it powers much of the Internet. To prepare us for setting up some PHP applications in a future lab it will be helpful to know a little about how PHP scripts work. Read through the [http://www.w3schools.com/php/default.asp W3 Schools PHP Basics Tutorial] (PHP Intro through PHP Superglobals) and try creating some PHP scripts on your own Linux server like the examples given in the tutorial pages to see if you can get them to run, try modifying them a little bit and see what the results are. There are many great Internet resources devoted to understanding how to do things with PHP so take some time to see how this language can be easily integrated in websites. You should definitely be familiar with editing PHP files to change variables, echo statements, etc. work which are all skills you'll need when installing PHP based website software.<br />
<li>Create your own PHP files</li><br />
:*Try writing some simple PHP scripts on your own using variables and echo statements and make them available through your webserver.<br />
:*A good place to create these would be in your home directory, using your favorite text editor.<br />
<li>Create your own "home" page by editing your ''index.html'' file located in the '''/var/www/html''' directory.</li><br />
:''NOTE: You will need to be familiar with the very basics of editing HTML files in order to create links, etc. If you haven't done this before there are many introductory HTML tutorials available online. A good starting place is [https://www.w3schools.com/html/html_basic.asp W3 Schools HTML Basics Examples]<br />
:'' NOTE:It is importatnt to know that an '''html''' file must include the <!DOCTYPE HTML> tag. Additionally, you will notice that all tags have an opening tag and a closing tag. The information between the tags is what will have the features of the tag<br />
:*Backup your ''index.html'' file by copying to a new file name.<br />
:<code>sudo cp /var/www/html/index.html /var/www/html/index.html.bak</code><br />
:*Edit your ''index.html'' file (or create a new ''index.php'' file which will be loaded instead if it exists) so there is a list and links to the various scripts you have created as part of your PHP experimentation.<br />
:* Open your index.html file in your favorite text editor,<br />
:<code>sudo nano /var/www/html/index.html</code><br />
:*Since you have backed up the original index.html file I would edit this file to only include the basics.<br />
<pre> <br />
<!DOCTYPE HTML><br />
<html><br />
<body><br />
<h1>My ITC-2480 Server</h1><br />
<p>This is a server on Pod-R in NetLab at 172.17.50.XX</p><br />
<br><br />
<p>Here are some of the Projects I am working on:</p><br />
<a href="http://172.17.50.XX/phptest.php">PHP Version Information</a><br />
</body><br />
</html><br />
</pre><br />
:'' NOTE: Make sure to replace the XX in the IP with the IP address of your server.<br />
:<br />
:[[File:Lab5_basic_html.png|link=https://wiki.ihitc.net/mediawiki/images/2/29/Lab5_basic_html.png|500px]]<br />
:[[Media:Lab5_basic_html.png|Click here for a larger image]]<br />
:A first look for a basic page<br />
:[[File:Lab5_initial_home.png|link=https://wiki.ihitc.net/mediawiki/images/9/92/Lab5_initial_home.png|500px]]<br />
:[[Media:Lab5_initial_home.png|Click for a larger image]]<br />
<li>Try to add additional features to your "home" page.</li><br />
:''NOTE: You may get some ideas of features you might like to add by looking at the original ''index.html'' file that we backed up in step 6 of this lab.<br />
:*As you complete your labs consider what you can add to this page.<br />
:*Add links to the PHP scripts you created<br />
:*A few good chalanges would be to add a title, change font size, style or color.<br />
<br />
</ol><br />
<br />
==Experiment with Databases==<br />
<br />
'''''[https://www.youtube.com/watch?v=1zYXiWLoGdM&feature=youtu.be Video Tutorial - Experiment with Databases]'''''<br />
<ol><br />
: In order to do really powerful things with a website we need a database where we can store dynamic content which can be queried to automatically build site pages from a template. One of the most common databases is an SQL database, and MySQL has long been the most prevalent Linux SQL software. These days MariaDB, which we installed, has been taking some MySQL marketshare because it is a community developed program instead of MySQL which is now owned by Oracle. The MariaDB software and MySQL software are essentially equivalent, especially for small sites/databases, and the same commands are used interchangeably including using the '''mysql''' command to access them. SQL itself is a standard language for interacting with a specific type of database called a relational database, we'll see why it's called a relational database in a minute. Each database is a collection of data stored in tables. You can think of a table as something like a spreadsheet with rows and columns, except we call the columns fields and the rows records (sometimes we actually call them rows too). The different tables are often related to one another, of course they are usually being used by the same web application, but usually the relationship goes deeper than that as we'll see in a little bit.<br />
<li>Download a sample database</li><br />
: To jumpstart our exploration of databases we'll download a pre-built sample database with a few tables and many records already in it and import it into our MySQL database server. Download the employees database file [https://launchpad.net/test-db/employees-db-1/1.0.6/+download/employees_db-full-1.0.6.tar.bz2 employees_db-full-1.0.6.tar.bz2] (about 26MB) and get it into your home directory. Instead of using the '''links''' browser to do this or downloading to your computer and then pushing this large file back across the Internet with an SCP/SFTP client like FileZilla a better choice might be to learn about the '''wget''' program which can be used like "'''wget https://launchpad.net/test-db/employees-db-1/1.0.6/+download/employees_db-full-1.0.6.tar.bz2'''" to download the file into your current working directory.<br />
<code>wget https://launchpad.net/test-db/employees-db-1/1.0.6/+download/employees_db-full-1.0.6.tar.bz2</code><br />
<li>Unpack the database file</li><br />
: Figure out how to use the '''tar''' program to unpack this .tar.bz2 file. Note that this file uses bz2 compression which takes longer to compress than gzip but can compress the files more. Once unpacked you should have an "employees_db" folder.<br />
<li>Explore the files included with sample database</li><br />
: Inside the ''employees_db'' folder you should have a number of ''.sql'' script files and dump files which can be used to restore the database to your system.<br />
:*Take a look at the ''employees.sql'' file, it's just a text file, which describes the format of the database. <br />
:*Also take a look at the ''load_employees.dump'' file, also just a text file, which contains all of the records from the employees table of the database. :'' NOTE: there are 300,000 some employee records in this database so you probably don't want to just use '''cat''' to view these files as it could take a while to print them out to your screen. Using the '''less''' program would be a better choice as it will allow you to exit viewing the file by pressing q at any time.<br />
<li>Open the MySQL (MariaDB) command line</li><br />
: We can interact with the MySQL/MariaDB server in many different ways. The first way we'll take a look at is through the command line '''mysql''' program. Run the "'''sudo mysql'''" command. <br />
:'' NOTE: that we are running this command with system administrator permissions which allows us to log in to the MySQL server with database administrator permissions as well. The MySQL program actually stores it's own usernames and passwords as a MySQL database itself, you can create and modify these permissions from the mysql command line but we'll learn more about modifying them through the Webmin interface later.<br />
:<code>sudo MySQL</code><br />
<br><br />
:[[File:Lab5_mariadb_cli.png|link=https://wiki.ihitc.net/mediawiki/images/4/4f/Lab5_mariadb_cli.png|500px]]<br />
:[[Media:Lab5_mariadb_cli.png|Click here for a larger image]]<br />
<li>Explore MySQL (MariaDB) Commands</li><br />
: MySQL has it's own command line language the you can use through the "mysql>" prompt you are now running. For example, if we want to see a list of databases on the system we can run "'''SHOW databases;'''" run the command and note the databases that already exist by default.<br />
<code>SHOW databases;</code><br />
:'' NOTE: Each MySQL/MariaDB statement ends with a semicolon (;) if you do not put the semicolon at the end of the line the command will not execute when you press enter and you will be able to continue to add more commands to the statement before finishing with a semicolon. If you accidentally press enter without ending with a semicolon you can just enter a semicolon on the next line and press enter.<br />
<li>Import the sample database</li><br />
: To import the employee database we can use the "'''source employees.sql;'''" command (assuming we were already working in the directory which contains the employees.sql file when we launched mysql. Import the employee database and verify the system now has an employees database.<br />
<code>SOURCE employees.sql;</code><br />
<li>Use the employees database</li><br />
<code>USE employees;</code><br />
: If we want to see all of the tables in the employees database we must first select the database we want to work on using the "'''USE employees;'''" command.<br />
<li>Explore the employee table</li><br />
: Use the "'''SHOW tables;'''" command to see a list of tables.<br />
<code>SHOW tables;</code><br />
<li>View a list of employees in table</li><br />
: To see a list of all the records in a table we need to run a SELECT query "'''SELECT * from ''<tablename>'''''" like "'''SELECT * from employees'''" which will list all the records in the ''employees'' table of the employees database and display them.<br />
<code>SELECT * from employees;</code><br />
<br><br />
:[[File:Lab5_mariadb_show_tables.png|link=https://wiki.ihitc.net/mediawiki/images/d/d5/Lab5_mariadb_show_tables.png|350px]]<br />
:[[Media:Lab5_mariadb_show_tables.png|Click here for a larger image]]<br />
:* Remember that we previously selected to USE the ''employees'' database, this will be remembered until we USE a different database. Try displaying the records in a couple of different tables like employees and departments.<br />
:'' NOTE: The output can be broken by using CTRL-C on your local machine if you do not wish to wait for all of the records to be displayed.<br />
:<br />
: There is much more that we can do from the MySQL/MariaDB command line but that would be a whole class or more itself. The MySQL/MariaDB programs are well documented on the Internet and with these basic skills you should be able to figure out most of it. Remember, the vast majority of what you read about MySQL will also work in MariaDB and vice-versa.<br />
<li>Explore the MySQL interface in Webmin<br />
: Now that you have learned a bit about MySQL databases from the command line let's see how they look in the Webmin web management interface. Log back in to your Webmin interface through a browser on your host system.<br />
:* Because MySQL was not installed when we first setup Webmin you need to "scan for new modules" first. Once that process has finished refresh the page to see that MySQL has been added to the server section of Webmin.<br />
:* Take a look at the Webmin MySQL module and see how MySQL users and permissions are configured.<br />
:* Try browsing through the ''employees'' database using the Webmin interface including viewing tables and records inside of the tables.<br />
<li>Drop database and exit MySQL (MariaDB)</li><br />
:* Go back to your MySQL command line window and run the command "'''DROP DATABASE employees;'''" to delete the entire database.<br />
:* Type "'''exit;'''" to quit the MySQL program and return to a Linux shell.<br />
<br />
:'' NOTE: Obviously, the DROP command is one to be careful with as you can easily wipe out a huge database with one line! <br />
</ol><br />
<br />
==View Logfiles==<br />
<br />
'''''[https://www.youtube.com/watch?v=cxIOQF-eMy0&feature=youtu.be Video Tutorial - Tutorial 5 View Logfiles]'''''<br />
<br />
<ol><br />
: Linux stores most of log files in the ''/var/log'' directory so change your working directory to ''/var/log''.<br />
: Some log files are viewable by all users on the system but other log files may be restricted and you will need to use '''sudo''' to view them.<br />
<li>View last 20 lines in '''/var/log/syslog'''</li><br />
:<code>tail -20 /var/log/syslog</code><br />
:[[File:Lab5_tail.png|link=https://wiki.ihitc.net/mediawiki/images/8/88/Lab5_tail.png|500px]]<br />
:[[Media:Lab5_tail.png|Click here for a larger image]]<br />
: Linux log files are typically standard text files and can be read with standard text file utilities like cat or less. One additional utility which comes in hand is the '''tail''' program which displays the last 10 lines (by default) of a text file and which can be configured to display more or less lines using a command like '''tail -20 /var/log/syslog''' which will display the last 20 lines of the main system log file. The manual page for the '''tail''' command contains additional information like how to use the ''-f'' option to view a log in realtime (exit with Ctrl-C).<br />
<li>Save the tail output to a file</li><br />
: Often we may want to save the output from a '''tail''' command to share with others or document an issue. This can easily be done using redirection we learned in a previous lab. Experiment with how to save some tail commands. Keep in mind you may need to escalate privileges for some files to be redirected. Try the following:<br />
: <code>sudo tail -20 /var/log/syslog > logtail.txt</code><br />
<li>Explore some other log files</li><br />
: Take a look at some of the log files on your system and see what kinds of information they contain specifically you should probably look at ''syslog'', ''auth.log'', ''kern.log'', ''apache2/access.log'', and ''apache2/error.log'' <br />
:* Use the tail command to explore these logs<br />
: In order to prevent log files from completely filling your drive old log files are eventually rotated on the system and compressed and then finally deleted. Take a look at some of the rotated log files like ''/var/log/syslog.1'' or ''/var/log/kern.log.1'' which will contain slightly older log entries.<br />
:'' Note: After the first rotated file other files are usually compressed with gzip. You can decompress and view these on the fly using the '''zcat''' program.<br />
</ol><br />
==Checking Your Work==<br />
<ol><br />
<li>Ping your assigned IP for your pod</li><br />
<ul>Your ping should return a response.</ul><br />
<li>Open a browser on your own PC and navigate to your IP address.</li><br />
<ul>Your custom link page should appear in your browser window.</ul><br />
<li>Check your home directory for the logtail.txt file you created.</li><br />
<ul>The logtail.txt file should be in your home directory.</ul><br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_05_test.py | python3<br />
</nowiki></code><br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_5_mnjk&diff=9587Lab 5 mnjk2021-03-22T23:35:14Z<p>JonQuinn: /* Checking Your Work */</p>
<hr />
<div>=Introduction=<br />
In this lab you will perform the following tasks:<br />
*Learn about static network configuration of Debian Linux systems<br />
*Install '''[https://www.php.net PHP]'''<br />
*Install '''[https://www.php.net MariaDB]''' on your server, this is an open-source MySQL alternative<br />
*Experiment with websites and databases<br />
*Explore the standard log files on your system.<br />
<br />
You will be introduced to the following commands:<br />
<br />
*'''[https://linux.die.net/man/8/ifup ifup]'''<br />
*'''[https://linux.die.net/man/8/ifdown ifdown]'''<br />
*'''[https://linux.die.net/man/8/ping ping]'''<br />
*'''[https://linux.die.net/man/8/shutdown shutdown]'''<br />
*'''[https://www.commandlinux.com/man-page/man8/a2dissite.8.html a2ensite]'''<br />
*'''[https://www.commandlinux.com/man-page/man8/a2dissite.8.html a2dissite]'''<br />
*'''[https://linux.die.net/man/1/wget wget]'''<br />
*'''[https://linux.die.net/man/1/zcat zcat]'''<br />
*'''[https://linux.die.net/man/8/service service]'''<br />
*'''[https://linux.die.net/man/1/tail tail]'''<br />
<br />
You will also use the following MySQL (MariaDB) commands:<br />
<br />
*'''[https://mariadb.com/kb/en/use USE]'''<br />
*'''[https://mariadb.com/kb/en/show SHOW]'''<br />
*'''[https://mariadb.com/kb/en/select SELECT]'''<br />
*'''[https://mariadb.com/kb/en/drop-database DROP database]'''<br />
<br />
=Lab Procedure=<br />
==Prerequisites==<br />
# Open an SSH console to your Linux system using the PuTTY software, login with your standard user account<br />
# Make a note of the static IP address information for your particular system in the table below, it is based on the system name identification letter in vmWare. These IP addresses will ONLY be valid in the ITC vmWare Linux class subnet. If you are working on a local VirtualBox system you will need to select an available static IP from the correct subnet for your system or skip the static IP addressing section. All vmWare systems will use a gateway address of 172.17.50.1 and a subnet mask of 255.255.255.0 with two nameservers 172.17.139.11 and 172.17.139.111<br />
{| {{table}}<br />
| align="center" style="background:#f0f0f0;"|'''System ID'''<br />
| align="center" style="background:#f0f0f0;"|'''Static IP'''<br />
|-<br />
| A||172.17.50.11<br />
|-<br />
| B||172.17.50.12<br />
|-<br />
| C||172.17.50.13<br />
|-<br />
| D||172.17.50.14<br />
|-<br />
| E||172.17.50.15<br />
|-<br />
| F||172.17.50.16<br />
|-<br />
| G||172.17.50.17<br />
|-<br />
| H||172.17.50.18<br />
|-<br />
| I||172.17.50.19<br />
|-<br />
| J||172.17.50.20<br />
|-<br />
| K||172.17.50.21<br />
|-<br />
| L||172.17.50.22<br />
|-<br />
| M||172.17.50.23<br />
|-<br />
| N||172.17.50.24<br />
|-<br />
| O||172.17.50.25<br />
|-<br />
| P||172.17.50.26<br />
|-<br />
| Q||172.17.50.27<br />
|-<br />
| R||172.17.50.28<br />
|-<br />
| S||172.17.50.29<br />
|-<br />
| T||172.17.50.30<br />
|-<br />
| U||172.17.50.31<br />
|-<br />
| V||172.17.50.32<br />
|-<br />
| W||172.17.50.33<br />
|-<br />
| X||172.17.50.34<br />
|-<br />
| Y||172.17.50.35<br />
|-<br />
| Z||172.17.50.36<br />
|}<br />
<br />
<br />
<br />
==Set a static IP==<br />
'''''[https://www.youtube.com/watch?v=VcPA6gJ0Ohw&feature=youtu.be Video Tutorial - Setting a Static IP Address]'''''<br />
<br />
: An important first step is to learn how to diferenciate between network interfaces. Take a look at [https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/ this site] and [https://github.com/systemd/systemd/blob/master/src/udev/udev-builtin-net_id.c#L20 this site] to understand how network interface names in Debian 9 and later are identified.<br />
<ol><br />
<li>Set a static IP for your server</li><br />
* Using your text editor of choice, open up the file ''/etc/network/interfaces''<br />
* Notice how it is currently set to dhcp for the ''ens192'' interface.<br />
* To set a static IP, you will need to change ''iface ens192 inet dhcp'' to ''iface ens192 inet static''.<br />
* Now, under the iface line you just edited, you will need to enter the address, netmask, and gateway for the static network.<br />
:''' Reminder: it is common practice to indent (tab) static network configuration information in the interfaces file.<br />
'' Note: Your configuration should be similar to this:<br />
<pre>allow-hotplug ens192<br />
iface ens192 inet static<br />
address xxx.xxx.xxx.xxx<br />
netmask 255.255.255.0<br />
gateway 172.17.50.1<br />
dns-nameservers 172.17.139.11 172.17.139.111</pre><br />
* Now save the file, and exit your file editor.<br />
<li>Apply your static IP address</li><br />
* Now we are going to apply the static IP change. Try using '''ip address show''' to view your active configuration now and you should see that your old address is still active.<br />
:''NOTE: You should only make network configuration changes when you have physical access to a machine. This way, if you mess up your configuration you will be able to fix it from a local console.''' If you lose working SSH access to your system after making these changes you'll need to connect in through the NetLab console interface (which is equivalent to physical access) and find and correct your configuration issues.<br />
* Using the '''ifdown''' and '''ifup''' command, we are going to restart the network interface, this step is required to apply the change.<br />
:'' Note: A good method to watch this change is to have to ping windows open on your local machine ping both your old IP address and your new IP address with a '''ping 172.17.50.xx -t''' this will allow you to see how quickly the change will happen. The first image below is with the DHCP address, the second is after the static address is applied.<br />
:[[File:Lab5_ping_ifup_ifdown.png|link=https://wiki.ihitc.net/mediawiki/images/2/2f/Lab5_ping_ifup_ifdown.png|500px]]<br />
:[[Media:Lab5_ping_ifup_ifdown.png|Click here for a larger image]]<br />
* In a SSH terminal, run '''sudo ifdown ens192 && sudo ifup ens192'''. Notice the two ''&&'' symbols. This tells the Linux shell that it should run the second command right after the first. If we do not define this, then we would be left with a machine that has its networking turned off.<br />
: <code>sudo ifdown ens192 && sudo ifup ens192</code><br />
'' Note: you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
* At this point, your machine should now be using a static address. You may receive an error message indicating that an address cannot be assigned which is related to your old DHCP address still being on the interface as well. Use '''ip address show''' to verify the new IP address is assigned to the interface.<br />
<li>Verify the new static IP address</li><br />
* Used a '''ping''' command from your local PC to try pinging both the old DHCP address as well as your new static address of your VM. <br />
* Once you have verified the VM is responding on the new static IP address reboot the system to ensure the old DHCP address is removed by restarting your VM with '''sudo shutdown -r now''' Note you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
<li>Reconnect through SSH to your new IP address and verify it is now applied using the '''ip address show''' command.</li><br />
</ol><br />
<br />
==Install PHP & MySQL/MariaDB==<br />
<br />
'''''[https://www.youtube.com/watch?v=Az0qtg4LSjA&feature=youtu.be Video Tutorial - Install PHP and MySQL MariaDB]'''''<br />
<ol><br />
<li>Install packages</li><br />
:* Using '''apt''', install the ''php'' and ''mariadb-server'' packages as well as the ''php-mysql'' package which provides the link between php and mysql and the ''libapache2-mod-php'' package which provides a copy of PHP which allows the Apache webserver to run website PHP scripts.<br />
'' Note: Remember to do an '''apt update''' before installing packages to make sure you get the latest versions<br />
'' Note: Maria-DB is a fully compatible replacement for MySQL that isn't controlled by Oracle.<br />
* After the dependencies are found, go ahead and accept them to continue the install.<br />
<li> After the install is complete, '''cd''' to ''/var/www/html'' which is the root directory of your webserver and so where all website files are served from.</li><br />
<li> In order to fully enable the PHP-MySQL module you should restart your Apache webserver. You don't need to restart your entire system to do this. Do some research on the "apache2ctl" or the "service apache2" commands which can be used to do this.<br />
<li> At this point we will test to verify that php is working properly with Apache. Create a new file named ''phptest.php'', and then open it in a text editor.</li><br />
: '' Note: you may have to use sudo to create and edit files in this directory. as your standard user account may not have privilidges to create and edit files in this directory.<br />
:<code>sudo touch phptest.php</code><br />
:<code>sudo nano phptest.php</code><br />
<li>Enter the following into the file:<br />
<pre><?php<br />
phpinfo();<br />
?></pre></li><br />
<li>Now save the file, and on your local machine go to xxx.xxx.xxx.xxx/phptest.php in a web browser where xxx.xxx.xxx.xxx is your VM's static IP. You should now be on a page that shows your PHP Version, and system information.</li> <br />
:[[File:Lab5_php_info.png|500px]]<br />
:[[Media:Lab5_php_info.png|Click here for a larger image]]<br />
<li>Use the "View Source" option in your browser to see what the HTML source code is for the page you're viewing is. Is it the same or different than the .php file you created? Why? How is this different than a standard .html file?</li><br />
:[[File:Lab5_php_info_devtab.png|500px]]<br />
:[[Media:Lab5_php_info_devtab.png|Click here for a larger image]]<br />
</ol><br />
<br />
==Experiment with Website PHP==<br />
<br />
'''''[https://www.youtube.com/watch?v=m_sUrt_quX4&feature=youtu.be Video Tutorial - Experiment with Website PHP]'''''<br />
<ol><br />
<li> Explore Apache symlinks</li><br />
:In a previous lab we learned about editing the ''/var/www/index.html'' file to change the default web page displayed by your server. In a future lab you will install some PHP/MySQL based software which powers many Internet sites with forums, blogs, etc. Before we can do that we need to learn a little more about PHP and about databases. Like most software on Linux the Apache webserver configuration files are stored in the ''/etc'' directory. Specifically, you can find several of them which work together and are called from each other in ''/etc/apache2/'' take a look in the ''/etc/apache2/sites-enabled/'' directory. See how symlinks are used to point to configuration files which actually reside in the ''/etc/apache2/sites-available/'' directory? This allows us to turn off and on various sites by creating or removing a symlink rather than by deleting the actual configuration file, a handy thing if we just want to temporarily disable a site. In fact Apache provides a utility to automatically add and remove these links called '''a2ensite''' and '''a2dissite'''. Check the '''man''' pages for these commands to see how they work.<br />
<li>Explore '''/etc/apche2/sites-enabled'''</li><br />
:As you might have guessed the default site for your system is configured by the file linked to at ''/etc/apache2/sites-enabled/000-default'' If you open this file in your favorite text editor you will see a series of what Apache calls "directives" which explain how the webserver should function, what port it should listen on, where the website files will reside (''/var/www/html''), etc. <br />
:'' NOTE: Going into all of the different Apache directives is outside of the scope of this course but you will find a lot of documentation about them on the Internet.<br />
<li>Explore the Apache configuration files in Webmin</li><br />
:In addition to configuring Apache directly through it's configuration files you can also configure it through an interface like Webmin which we installed in a previous lab. Bring up the Webmin configuration page for Apache and take a look at the settings for the default site. Note how the things you saw directly in the configuration file match up with what you see in Webmin. One of the things you may be interested in seeing is how the webserver knows to display the index.html file from a directory if it exists and no specific file is requested in the URL. Take a look on the "Directory Indexing" page for the default virtualhost and see if you can find this information. You'll notice that there is a list of files, not just index.html which the server will display.<br />
:'' NOTE: You may need to refresh your Webmin modules or "scan for new modules" if you haven't done that since installing Apache and Webmin. Webmin scans your system for compatible server software packages (like Apache) when it is installed but needs to re-scan it's modules after you install new server software before you can configure it through Webmin.<br />
<li>Expiriment with and learn PHP basics</li><br />
:In another section of this lab you created a basic ''phptest.php'' file and saw how the server executed the PHP code and turned it into an HTML page your browser could display. Because PHP offers an easy way to write web applications it powers much of the Internet. To prepare us for setting up some PHP applications in a future lab it will be helpful to know a little about how PHP scripts work. Read through the [http://www.w3schools.com/php/default.asp W3 Schools PHP Basics Tutorial] (PHP Intro through PHP Superglobals) and try creating some PHP scripts on your own Linux server like the examples given in the tutorial pages to see if you can get them to run, try modifying them a little bit and see what the results are. There are many great Internet resources devoted to understanding how to do things with PHP so take some time to see how this language can be easily integrated in websites. You should definitely be familiar with editing PHP files to change variables, echo statements, etc. work which are all skills you'll need when installing PHP based website software.<br />
<li>Create your own PHP files</li><br />
:*Try writing some simple PHP scripts on your own using variables and echo statements and make them available through your webserver.<br />
:*A good place to create these would be in your home directory, using your favorite text editor.<br />
<li>Create your own "home" page by editing your ''index.html'' file located in the '''/var/www/html''' directory.</li><br />
:''NOTE: You will need to be familiar with the very basics of editing HTML files in order to create links, etc. If you haven't done this before there are many introductory HTML tutorials available online. A good starting place is [https://www.w3schools.com/html/html_basic.asp W3 Schools HTML Basics Examples]<br />
:'' NOTE:It is importatnt to know that an '''html''' file must include the <!DOCTYPE HTML> tag. Additionally, you will notice that all tags have an opening tag and a closing tag. The information between the tags is what will have the features of the tag<br />
:*Backup your ''index.html'' file by copying to a new file name.<br />
:<code>sudo cp /var/www/html/index.html /var/www/html/index.html.bak</code><br />
:*Edit your ''index.html'' file (or create a new ''index.php'' file which will be loaded instead if it exists) so there is a list and links to the various scripts you have created as part of your PHP experimentation.<br />
:* Open your index.html file in your favorite text editor,<br />
:<code>sudo nano /var/www/html/index.html</code><br />
:*Since you have backed up the original index.html file I would edit this file to only include the basics.<br />
<pre> <br />
<!DOCTYPE HTML><br />
<html><br />
<body><br />
<h1>My ITC-2480 Server</h1><br />
<p>This is a server on Pod-R in NetLab at 172.17.50.XX</p><br />
<br><br />
<p>Here are some of the Projects I am working on:</p><br />
<a href="http://172.17.50.XX/phptest.php">PHP Version Information</a><br />
</body><br />
</html><br />
</pre><br />
:'' NOTE: Make sure to replace the XX in the IP with the IP address of your server.<br />
:<br />
:[[File:Lab5_basic_html.png|link=https://wiki.ihitc.net/mediawiki/images/2/29/Lab5_basic_html.png|500px]]<br />
:[[Media:Lab5_basic_html.png|Click here for a larger image]]<br />
:A first look for a basic page<br />
:[[File:Lab5_initial_home.png|link=https://wiki.ihitc.net/mediawiki/images/9/92/Lab5_initial_home.png|500px]]<br />
:[[Media:Lab5_initial_home.png|Click for a larger image]]<br />
<li>Try to add additional features to your "home" page.</li><br />
:''NOTE: You may get some ideas of features you might like to add by looking at the original ''index.html'' file that we backed up in step 6 of this lab.<br />
:*As you complete your labs consider what you can add to this page.<br />
:*Add links to the PHP scripts you created<br />
:*A few good chalanges would be to add a title, change font size, style or color.<br />
<br />
</ol><br />
<br />
==Experiment with Databases==<br />
<br />
'''''[https://www.youtube.com/watch?v=1zYXiWLoGdM&feature=youtu.be Video Tutorial - Experiment with Databases]'''''<br />
<ol><br />
: In order to do really powerful things with a website we need a database where we can store dynamic content which can be queried to automatically build site pages from a template. One of the most common databases is an SQL database, and MySQL has long been the most prevalent Linux SQL software. These days MariaDB, which we installed, has been taking some MySQL marketshare because it is a community developed program instead of MySQL which is now owned by Oracle. The MariaDB software and MySQL software are essentially equivalent, especially for small sites/databases, and the same commands are used interchangeably including using the '''mysql''' command to access them. SQL itself is a standard language for interacting with a specific type of database called a relational database, we'll see why it's called a relational database in a minute. Each database is a collection of data stored in tables. You can think of a table as something like a spreadsheet with rows and columns, except we call the columns fields and the rows records (sometimes we actually call them rows too). The different tables are often related to one another, of course they are usually being used by the same web application, but usually the relationship goes deeper than that as we'll see in a little bit.<br />
<li>Download a sample database</li><br />
: To jumpstart our exploration of databases we'll download a pre-built sample database with a few tables and many records already in it and import it into our MySQL database server. Download the employees database file [https://launchpad.net/test-db/employees-db-1/1.0.6/+download/employees_db-full-1.0.6.tar.bz2 employees_db-full-1.0.6.tar.bz2] (about 26MB) and get it into your home directory. Instead of using the '''links''' browser to do this or downloading to your computer and then pushing this large file back across the Internet with an SCP/SFTP client like FileZilla a better choice might be to learn about the '''wget''' program which can be used like "'''wget https://launchpad.net/test-db/employees-db-1/1.0.6/+download/employees_db-full-1.0.6.tar.bz2'''" to download the file into your current working directory.<br />
<code>wget https://launchpad.net/test-db/employees-db-1/1.0.6/+download/employees_db-full-1.0.6.tar.bz2</code><br />
<li>Unpack the database file</li><br />
: Figure out how to use the '''tar''' program to unpack this .tar.bz2 file. Note that this file uses bz2 compression which takes longer to compress than gzip but can compress the files more. Once unpacked you should have an "employees_db" folder.<br />
<li>Explore the files included with sample database</li><br />
: Inside the ''employees_db'' folder you should have a number of ''.sql'' script files and dump files which can be used to restore the database to your system.<br />
:*Take a look at the ''employees.sql'' file, it's just a text file, which describes the format of the database. <br />
:*Also take a look at the ''load_employees.dump'' file, also just a text file, which contains all of the records from the employees table of the database. :'' NOTE: there are 300,000 some employee records in this database so you probably don't want to just use '''cat''' to view these files as it could take a while to print them out to your screen. Using the '''less''' program would be a better choice as it will allow you to exit viewing the file by pressing q at any time.<br />
<li>Open the MySQL (MariaDB) command line</li><br />
: We can interact with the MySQL/MariaDB server in many different ways. The first way we'll take a look at is through the command line '''mysql''' program. Run the "'''sudo mysql'''" command. <br />
:'' NOTE: that we are running this command with system administrator permissions which allows us to log in to the MySQL server with database administrator permissions as well. The MySQL program actually stores it's own usernames and passwords as a MySQL database itself, you can create and modify these permissions from the mysql command line but we'll learn more about modifying them through the Webmin interface later.<br />
:<code>sudo MySQL</code><br />
<br><br />
:[[File:Lab5_mariadb_cli.png|link=https://wiki.ihitc.net/mediawiki/images/4/4f/Lab5_mariadb_cli.png|500px]]<br />
:[[Media:Lab5_mariadb_cli.png|Click here for a larger image]]<br />
<li>Explore MySQL (MariaDB) Commands</li><br />
: MySQL has it's own command line language the you can use through the "mysql>" prompt you are now running. For example, if we want to see a list of databases on the system we can run "'''SHOW databases;'''" run the command and note the databases that already exist by default.<br />
<code>SHOW databases;</code><br />
:'' NOTE: Each MySQL/MariaDB statement ends with a semicolon (;) if you do not put the semicolon at the end of the line the command will not execute when you press enter and you will be able to continue to add more commands to the statement before finishing with a semicolon. If you accidentally press enter without ending with a semicolon you can just enter a semicolon on the next line and press enter.<br />
<li>Import the sample database</li><br />
: To import the employee database we can use the "'''source employees.sql;'''" command (assuming we were already working in the directory which contains the employees.sql file when we launched mysql. Import the employee database and verify the system now has an employees database.<br />
<code>SOURCE employees.sql;</code><br />
<li>Use the employees database</li><br />
<code>USE employees;</code><br />
: If we want to see all of the tables in the employees database we must first select the database we want to work on using the "'''USE employees;'''" command.<br />
<li>Explore the employee table</li><br />
: Use the "'''SHOW tables;'''" command to see a list of tables.<br />
<code>SHOW tables;</code><br />
<li>View a list of employees in table</li><br />
: To see a list of all the records in a table we need to run a SELECT query "'''SELECT * from ''<tablename>'''''" like "'''SELECT * from employees'''" which will list all the records in the ''employees'' table of the employees database and display them.<br />
<code>SELECT * from employees;</code><br />
<br><br />
:[[File:Lab5_mariadb_show_tables.png|link=https://wiki.ihitc.net/mediawiki/images/d/d5/Lab5_mariadb_show_tables.png|350px]]<br />
:[[Media:Lab5_mariadb_show_tables.png|Click here for a larger image]]<br />
:* Remember that we previously selected to USE the ''employees'' database, this will be remembered until we USE a different database. Try displaying the records in a couple of different tables like employees and departments.<br />
:'' NOTE: The output can be broken by using CTRL-C on your local machine if you do not wish to wait for all of the records to be displayed.<br />
:<br />
: There is much more that we can do from the MySQL/MariaDB command line but that would be a whole class or more itself. The MySQL/MariaDB programs are well documented on the Internet and with these basic skills you should be able to figure out most of it. Remember, the vast majority of what you read about MySQL will also work in MariaDB and vice-versa.<br />
<li>Explore the MySQL interface in Webmin<br />
: Now that you have learned a bit about MySQL databases from the command line let's see how they look in the Webmin web management interface. Log back in to your Webmin interface through a browser on your host system.<br />
:* Because MySQL was not installed when we first setup Webmin you need to "scan for new modules" first. Once that process has finished refresh the page to see that MySQL has been added to the server section of Webmin.<br />
:* Take a look at the Webmin MySQL module and see how MySQL users and permissions are configured.<br />
:* Try browsing through the ''employees'' database using the Webmin interface including viewing tables and records inside of the tables.<br />
<li>Drop database and exit MySQL (MariaDB)</li><br />
:* Go back to your MySQL command line window and run the command "'''DROP DATABASE employees;'''" to delete the entire database.<br />
:* Type "'''exit;'''" to quit the MySQL program and return to a Linux shell.<br />
<br />
:'' NOTE: Obviously, the DROP command is one to be careful with as you can easily wipe out a huge database with one line! <br />
</ol><br />
<br />
==View Logfiles==<br />
<br />
'''''[https://www.youtube.com/watch?v=cxIOQF-eMy0&feature=youtu.be Video Tutorial - Tutorial 5 View Logfiles]'''''<br />
<br />
<ol><br />
: Linux stores most of log files in the ''/var/log'' directory so change your working directory to ''/var/log''.<br />
: Some log files are viewable by all users on the system but other log files may be restricted and you will need to use '''sudo''' to view them.<br />
<li>View last 20 lines in '''/var/log/syslog'''</li><br />
:<code>tail -20 /var/log/syslog</code><br />
:[[File:Lab5_tail.png|link=https://wiki.ihitc.net/mediawiki/images/8/88/Lab5_tail.png|500px]]<br />
:[[Media:Lab5_tail.png|Click here for a larger image]]<br />
: Linux log files are typically standard text files and can be read with standard text file utilities like cat or less. One additional utility which comes in hand is the '''tail''' program which displays the last 10 lines (by default) of a text file and which can be configured to display more or less lines using a command like '''tail -20 /var/log/syslog''' which will display the last 20 lines of the main system log file. The manual page for the '''tail''' command contains additional information like how to use the ''-f'' option to view a log in realtime (exit with Ctrl-C).<br />
<li>Save the tail output to a file</li><br />
: Often we may want to save the output from a '''tail''' command to share with others or document an issue. This can easily be done using redirection we learned in a previous lab. Experiment with how to save some tail commands. Keep in mind you may need to escalate privileges for some files to be redirected. Try the following:<br />
: <code>sudo tail -20 /var/log/syslog > logtail.txt</code><br />
<li>Explore some other log files</li><br />
: Take a look at some of the log files on your system and see what kinds of information they contain specifically you should probably look at ''syslog'', ''auth.log'', ''kern.log'', ''apache2/access.log'', and ''apache2/error.log'' <br />
:* Use the tail command to explore these logs<br />
: In order to prevent log files from completely filling your drive old log files are eventually rotated on the system and compressed and then finally deleted. Take a look at some of the rotated log files like ''/var/log/syslog.1'' or ''/var/log/kern.log.1'' which will contain slightly older log entries.<br />
:'' Note: After the first rotated file other files are usually compressed with gzip. You can decompress and view these on the fly using the '''zcat''' program.<br />
</ol><br />
==Checking Your Work==<br />
<br><br><br />
<ol><br />
<li>Ping your assigned IP for your pod</li><br />
<ul>Your ping should return a response.</ul><br />
<li>Open a browser on your own PC and navigate to your IP address</li><br />
<ul>Your custom link page should appear in your browser window.</ul><br />
<li>Check your home directory for the logtail.txt file you created</li><br />
<ul>The logtail.yxy file should be in your home directory</ul><br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_05_test.py | python3<br />
</nowiki></code><br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_1_mnjk&diff=9586Lab 1 mnjk2021-03-22T23:25:17Z<p>JonQuinn: /* Checking your Work */</p>
<hr />
<div>=Introduction=<br />
:In this lab you will perform the following tasks:<br />
*Access NetLab to access the environment for you virtual machine<br />
*Install the latest version of Debian Linux in a virtual machine<br />
*Learn how to login and check the IP address of the system<br />
*Learn to remotely access the system with SSH and SFTP.<br />
<br />
You will be introduced to the following commands:<br />
<br />
*'''[https://linux.die.net/man/8/apt apt]'''<br />
*'''[https://linux.die.net/man/8/sudo sudo]'''<br />
*'''[https://linux.die.net/man/8/useradd adduser]'''<br />
*'''[https://linux.die.net/man/8/shutdown shutdown]'''<br />
*'''[https://linux.die.net/man/8/ip ip address show]'''<br />
<br />
=Lab Procedure=<br />
==Netlab Access==<br />
'''''[https://www.youtube.com/watch?v=-hLejbDfPGM&feature=youtu.be Video Tutorial - NetLab Access]'''''<br />
<ol><br />
<li> Connect to the ITCnet </li> <br />
: This can be accomplished by directly plugging into an ITCnet port in one of the ITC labs or by connecting to the [[ITC_VPN_Instructions|VPN]].<br />
:'' Note: If you want to connect using a wireless connection on campus you need to [[Connecting to Eduroam|connect to the eduroam network]] before connecting to the VPN.<br />
<li> After you are connected to ITCnet (by VPN or wired connection) you simply need to open a web browser and access https://ihcc-netlab.campus.ihitc.net</li><br />
* The first time you visit this site in a browser you may need to accept a self-signed security certificate<br />
* You will need to log in with a username and password established by your instructor.<br />
* The first time you log in you will need to change your password and set your timezone. Make sure your timezone is set correctly so you can schedule reservations to work with equipment at convenient times.<br />
<li> Once you are logged in click the blue "New Lab Reservation" button</li><br />
: Next, in the lower left corner of the screen, select "Schedule a Lab for Myself". Reservations are used to hold a place on the Netlab system to work on labs during a specific time. You only need reservations in this class when working with the GUI, which will come later in the class, if you need to turn the power back on to your VM, or during the installation process. The rest of the time you will be able to connect directly to your Linux server using the SSH protocol, but more on that in a bit.<br />
:'' Note: If you are enrolled in more than one class that is using Netlab you will be presented with a list of classes you are enrolled in, click on your Linux System Administration course of you see this screen.<br />
: All of our lab work in this class is done in a single "Lab Environment" and your progress will be saved from one reservation to another. As a result there is only one lab listed in this course "Linux System Administration Labs". Click on this lab title.<br />
<li> Use the calendar to choose a date, time, and specific pod to reserve for your lab activity (when you will begin your Debian server installation).</li><br />
: The red line on this screen indicates the current time. If you want to get started right away you can click just below this line. Pay attention to the title of the column at the top, it will say something like "LSA Pod Z". The letter at the end of this pod name is your "pod letter" which you will use to set the host name and IP address of your machine in the future so make note of it.<br />
: You will be presented with a summary screen for your reservation where you can set the end time of your reservation (up to a maximum). It is suggested to make your reservation a couple hours long the first time you plan to install Debian, though you can extend it if needed. Click submit once you are ready to make the reservation.<br />
<li>You will see a confirmation screen that your reservation has been made.</li><br />
: You are now ready to progress on to the Debian Linux Installation (as long as your reservation is right away).<br />
</ol><br />
<br />
==Debian Linux Installation==<br />
'''''[https://www.youtube.com/watch?v=H0DcdEytpFQ&feature=youtu.be Video Tutorial - Debian Linux Installation]'''''<br />
<ol><br />
<li> Log in to the Netlab system</li><br />
: Access this using a web browser at https://ihcc-netlab.campus.ihitc.net if you are not already logged in.<br />
: If you have a currently active reservation you will see a green "Enter Lab" button on your list of reservations. Click the green "Enter Lab" button. If not, you will need to make a reservation (see above) and then click the "Enter Lab" button.<br />
: Your virtual machines (VMs) will automatically power on when your reservation begins and because there is no operating system currently installed to their virtual hard drives they will boot from their virtual CD/DVD drives which have been pre-loaded with the installation discs for Linux.<br />
<li> Access you virtual machine console</li><br />
: Once you are in your pod you can either click on the image of the "Linux Server" on the topology diagram or use the tabs across the top of your screen to access the console of your Linux Server VM.<br />
: The console shows the display of your VM and allows you to type and interact with your VM just as if you were physically sitting down in front of a server with a monitor, keyboard, and mouse attached. Just like a separate physical machine you will not be able to copy and paste text or drag and drop files in and out of this console window. We will use other utilities across the network connection to do those things just like we would with a physical server.<br />
<li>Learn to "Power Cycle" your virtual machine</li><br />
: By now your VM has likely already booted from it's virtual CD/DVD drive and should be at the "Debian GNU/Linux installer menu". Before continuing let's practice rebooting your system so you can watch the system boot and see how to reboot the system if needed. Click the down arrow button on the right side of the "Linux Server" tab at the top of your screen and choose "Power Off" then click the red "Power Off" button on the popup to power off your VM. This is the equivalent of just pulling out the power cord, at least until we install the VMware Tools software which allows for a graceful shutdown, so you'll want to be careful to only do this if absolutely needed until then.<br />
<li>Power on you Virtual machine</li><br />
: Click the down arrow button on the right side of the "Linux Server" tab at the top of your screen and choose "Power On", or press the blue "Power On" button in the middle of your screen, then press the green "Power On" button to boot your system.<br />
<li>Install Debian Linux</li><br />
: Once the system has rebooted and is back to the "Debian GNU/Linux installer menu" choose "Install" and '''not''' "Graphical Install". If you make an incorrect choice you can reboot your virtual machine (power off and on) before installing to get back to the menu.<br />
: In the installer you will use the space bar to select and unselect "checkboxes", the tab key to move between fields and buttons, and the enter key to continue. You will be prompted for the following choices<br />
* Select ''English'' as the language, ''United States'' as your location, and ''American English'' as the keymap.<br />
* Set ''ens192'' as your primary network interface.<br />
* Set a hostname for the system to 2480 followed by a dash and then your pod ID letter, like ''2480-Z'' for LSA Pod Z. If you have forgotten your pod ID letter look up at the top of your screen above the line with the "Topology" and "Linux Server" tabs and you should see a line with "LSA Pod" followed by a letter, that letter is your pod ID letter.<br />
:'' Note: These steps are critical to future success in labs, check your spelling carefully'' <br />
: [[File:Lab1_hostname.png|link=https://wiki.ihitc.net/mediawiki/images/5/57/Lab1_hostname.png|500px]]<br />
: [[Media:Lab1_hostname.png|Click here for a larger image]]<br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
: [[File:Lab1_domainname.png|link=https://wiki.ihitc.net/mediawiki/images/5/5a/Lab1_domainname.png|500px]]<br />
: [[Media:Lab1_domainname.png|Click here for a larger images]]<br />
* Set the root password to something you will NOT FORGET, this is the administrator account, ''cisco'' might be a good choice for our purposes though that would not be secure for a system directly accessible from the Internet (we are protected by a firewall which you are bypassing via the VPN connection)<br />
* Create a new user account by entering your name. The system will automatically use your first name (all lowercase) as the username and then you should set the password to another password you will not forget<br />
* Select your timezone<br />
* Choose "Guided - Use entire disk" as the partitioning method and select the ''sda'' drive and "All files in one partition" as the partitioning scheme, "Finish partitioning and write the changes to the disk", and then finally confirm you want to write the changes.<br />
* You do not want to scan any other CDs or DVDs at this time.<br />
* You want to select a mirror located close to you with good speed. Because your VM is actually running from the campus and is connected to the campus Internet connection a good option is "debian.uchicago.edu" with no http proxy.<br />
* Choose whether you want to participate in the package usage survey, for our purposes either choice is just fine.<br />
* On the software selection screen UNSELECT "Debian desktop environment" and "Print server" and make sure that "SSH server" and "Standard system utilities" are the only two selected options.<br />
:'' Note: To select and unselect options move your cursor over the option and press the space bar.<br />
* Choose that yes you want to install GRUB to the master boot record on the ''/dev/sda'' device.<br />
<li>Complete the installation</li><br />
: When the installation is complete you can select continue to "eject" the virtual CD and reboot into the new install<br />
</ol><br />
<br />
==Installing sudo and Checking Your IP Address==<br />
'''''[https://www.youtube.com/watch?v=TwXp5YfAvlw&feature=youtu.be Video Tutorial - Installing sudo and checking your IP address]'''''<br />
<ol><br />
<li>Log in to NetLab</li><br />
: Login through the Netlab local console with your root account and password (username ''root'', password as set during the installation)<br />
:'' Note: When entering a password on the command line of a Linux system it is normal that nothing should appear and the cursor will not move when you are typing. This prevents someone who is able to see your computer screen from seeing what your password is or even how long it is. Just type your password and trust that the system is receiving it, press enter to submit your password.<br />
<li>Install '''sudo''' from the command line using:<br />
: ''Note: A good practice is to update your system before installing any packages, this should be completed using '''apt update''', ensure to use '''sudo''' when not logged in as root.<br />
: <code>apt update</code><br />
: <code>apt install sudo</code></li><br />
: For security purposes it is usually the case that you do not want to log in as the root user. Instead, best practice is to log in as a standard user and then execute specific commands that require root access with administrative privileges through the '''sudo''' program. The '''sudo''' program is not installed by default so after you have logged in to the root account enter '''apt update''' and press enter which will update the list of software available for installation and then '''apt install sudo''' and press enter to install the sudo software.<br />
<li>Add sudo privileges to our standard user account.<br />
<code>adduser <username> sudo</code></li><br />
: We now need to add our standard user account to the group which is allowed to have administrative access to do this enter the command '''sudo adduser ''<username>'' sudo''' and press enter, replacing ''<username>'' with the name of your standard user account (set during the setup process, probably your first name in lowercase). We'll learn more about these commands later in the course.<br />
<li>Reboot system</li><br />
<code>shutdown -r now</code><br />
: Reboot your system using the '''shutdown -r now''' command to apply the changes<br />
<li>Log in as your standard user account, determine system IP address.<br />
: Once you are logged in use the following command at the command line to determine the IP address of your system<br />
<code>ip address show</code></li><br />
: Using the '''ip address show''' command will allow you to check the IP address of your system. The IP address should be something like ''172.17.50.xxx'' and be an ''inet'' address on the ''ens192'' adapter.<br />
[[File:Lab1_ip_address_show2.PNG|500px]]<br />
<li>Test sudo privileges</li><br />
: Try running the same command as the administrator by typing '''sudo ip address show''', you will need to enter in your password again when you run this command.<br />
<code>sudo ip address show</code><br />
<li>Exit from the local console</li><br />
: To log out of the console type '''exit''' and press enter.<br />
</ol><br />
<br />
==Logging in to a Remote Terminal==<br />
'''''[https://www.youtube.com/watch?v=JEiDkrlPMNw&feature=youtu.be Video Tutorial - Logging into a remote terminal]'''''<br />
<br />
A faster way to interact with your system is not through the Netlab local console but through a remote SSH session over the network directly to your server. Once you have mastered this you will be able to copy and paste text to your Linux server and will not need to make a reservation in Netlab to work on labs. For our purposes you will always need to connect to the ITCnet VPN before doing this so that you have access to the 172.17.50.0 network.<br />
<ol><br />
<li>Install Putty</li><br />
: Assuming you are running Windows, install the PuTTY software on your home PC from [http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html this website].<br />
: '' Note: For other operating systems there are other ways and software you can use to make an SSH connection, you will need to research what tools are used for making SSH connections from your particular operating system.<br />
<li>Open an SSH session</li><br />
:* Run the PuTTY software on your computer and enter in the IP address of your VM in the "Host Name" box and click the "Open" button.<br />
:[[File:Lab1_putty.png|link=https://wiki.ihitc.net/mediawiki/images/f/f5/Lab1_putty.png|500px]]<br />
:[[Media:Lab1_putty.png| Click here for larger image]]<br />
:* Click Yes to save the host key on your system<br />
: [[File:Lab1_puttycert.png|link=https://wiki.ihitc.net/mediawiki/images/4/4b/Lab1_puttycert.png|500px]]<br />
: [[Media:Lab1_puttycert.png|Click here for larger image]]<br />
:* Enter the standard username and password for your Linux system to connect.<br />
: '' Note: You should receive a prompt just like the one you had on the Netlab local console but it is now a direct connection from your computer over the ITCnet to your server.<br />
<li>Close the SSH session</li><br />
: Type '''exit''' to close the connection while leaving your VM running.<br />
</ol><br />
<br />
==Remote File Transfer==<br />
'''''[https://www.youtube.com/watch?v=JEiDkrlPMNw&feature=youtu.be Video Tutorial - Remote File Transfer]'''''<br />
<br />
The easiest way to transfer files to and from your VM is with SFTP software. For our purposes, you will always need to connect to the ITCnet VPN before doing this so that you have access to the 172.17.50.0 network.<br />
<ol><br />
<li>Install FileZilla</li><br />
: Install the FileZilla client software on your home PC from [https://filezilla-project.org/download.php?type=client this website]<br />
<li>Open a SFTP session to your server</li><br />
: Run FileZilla and use the Quick Connect bar at the top of the screen to access your system. <br />
:* Enter the IP address of your Linux system in the "Host:" box<br />
:* Enter your standard username and password in the appropriate boxes<br />
:* Enter ''22'' in the "Port:" box<br />
:* Click the "Quickconnect" button.<br />
: [[File:Lab1_filezillanew.png|link=https://wiki.ihitc.net/mediawiki/images/b/b1/Lab1_filezillanew.png|500px]]<br />
: [[Media:Lab1_filezillanew.png|Click here for larger image]]<br />
: You should see some connection text scroll on the top of the screen and some files on the right side of the screen now such as ''.bashrc'' and ''.profile'' The right side of the screen is the drive on your Linux system and the left side of the screen is the drive on your home system. Files and folders can be dragged between the two sides to transfer them back and forth.<br />
: [[File:Lab1_filezillaconnected.png|link=https://wiki.ihitc.net/mediawiki/images/c/ca/Lab1_filezillaconnected.png|500px]]<br />
: [[Media:Lab1_filezillaconnected.png|Click here for larger image]]<br />
<li>Close the FileZilla software to disconnect.</li><br />
</ol><br />
<br />
==Install VM Tools==<br />
'''''[https://www.youtube.com/watch?v=gLC1liwVJ8s&feature=youtu.be Video Tutorial - Install VM Tools]'''''<br />
: Because your Debian Linux server is running as a virtual machine on a vmWare host system in order to achieve the best performance and driver integration we should install the vmWare Tools software package in your virtual machine.<br />
<ol><br />
<li>Open a SSH session to your server</li><br />
: Connect into your system using the remote SSH console method explained above.<br />
<li>Install '''open-vm-tools'''</li><br />
: Run the '''sudo apt install open-vm-tools''' command to install the vmWare Tools. You will be prompted about several additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
<code>sudo apt install open-vm-tools</code><br />
</ol><br />
<br />
==Install Python==<br />
In order to check your work in the labs of this course you will need to have an application called [https://www.python.org/ Python] installed on your Linux system.<br />
<ol><br />
<li> Download ''python3'' using '''apt'''</li><br />
* When prompted type Y to install the app and its dependencies</li><br />
<ul>''NOTE: This may take a while.''</ul><br />
* When prompted to specify the name of the host where the TANGO database server is running, just select ok.</li><br />
<ul> [[File:Python_tango.png|link=https://wiki.ihitc.net/mediawiki/images/4/4c/Python_tango.png|500px]]</ul><br />
<ul> [[Media:Python_tango.png | Click for Larger Image]]</ul><br />
<li> Run the following command to verify that python version 3.6 is installed.</li><br />
<code>python3 --version</code><br />
<ul> [[File:Python_version.png|link=https://wiki.ihitc.net/mediawiki/images/7/70/Python_version.png|500px]]</ul><br />
<ul> [[Media:Python_version.png | Click for Larger Image]]</ul><br />
</ol><br />
<br />
==Install Nmap==<br />
:Nmap is a tool we will learn more about later in the course but it will likely be used to check many of the labs for completion while working through the course. This course's labwork often builds upon the work you have done in previous labs. The self-check scripts are to assist you in ensuring you have not missed any ''critical'' steps in your work that would affect your success in subsequent labs.<br />
<br />
:* ''NOTE: Before we begin the installation of this tool it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning of systems which they are not authorized to do. You have been warned!<br />
:*At this time all you will be doing is installing the tool as it will be used to self-check your lab work to verify you are ready to move on to the next lab.<br />
<ol><br />
<li>Open a SSH session to your server</li><br />
: Run the following command at the command line.<br />
<code>sudo apt install nmap</code><br />
: Run the '''sudo apt install nmap''' command to install the nmap tool. You will be prompted about additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
</ol><br />
<br />
==Install Curl==<br />
:Curl is a tool that lets you run scripts that are not saved to your virtual machine. It will be used to check the labs for completion while working through the course. <br />
<ol><br />
<li> Run the following command at the command line. </li><br />
<code>sudo apt install curl</code><br />
: If prompted to install additional packages type "y"<br />
<br />
<li>Close the SSH session</li><br />
: Type '''exit''' to close the connection while leaving your VM running.<br />
</ol><br />
<br />
==Safely Shutdown==<br />
'''''[https://www.youtube.com/watch?v=gLC1liwVJ8s&feature=youtu.be Video Tutorial - Safely Shutdown]'''''<br />
:We will normally leave our VM running but it is important that you know how to shutdown a Linux system correctly so this time we'll turn it off.<br />
<ol><br />
<li>Open a SSH session to your server</li><br />
: Connect in to your system using the remote SSH console method explained above.<br />
<li> Safely shutdown you server</li><br />
:* Run the '''sudo shutdown -h now''' at the command line to safely shutdown the system.<br />
<code>sudo shutdown -h now</code><br />
: You should soon get a message that PuTTY has lost it's connection. Click OK and then you can close the PuTTY window.<br />
<li>End NetLab Reservation</li><br />
: If you still have time left in your reservation in Netlab it's polite to end the reservation so other users can work on the system, only a limited number of reservations can be made at one time. You can do this by logging into Netlab, opening your lab, and clicking the "Reservation" menu at the top of the screen and choose to "End Reservation Now" followed by confirming that you want to end the reservation.<br />
</ol><br />
<br />
=Checking your Work=<br />
<ol><br />
<li>This section will cover ways to manually check your work</li><br />
<ul>For this lab each section was tested in the process of the lab. You should have successfully connected an SSH session with putty, and an ftp session with FileZilla.</ul><br />
<ul>You should have shut down you server in one of the last steps, so no further testing is necessary at this time.</ul><br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_01_revised.py | python3<br />
</nowiki></code><br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Mail_server_mnjk&diff=9566Mail server mnjk2021-03-05T01:24:17Z<p>JonQuinn: /* Install the Postfix MTA */</p>
<hr />
<div>==Introduction==<br />
:This section documents the creation of the Auto-Reply Mail Server. This section will likely be created by an instructor or administrator.<br />
==Mail Server Documentation==<br />
<ol><br />
<li>Power on you Virtual machine</li><br />
<br />
:* This server may reside in the VMware ESXi or NetLab as long as the network configuration allows connection to the course VLAN and student VM's.<br />
<li>Install Debian Linux</li><br />
: Once the system has booted and is on the "Debian GNU/Linux installer menu" choose "Install" and '''not''' "Graphical Install". If you make an incorrect choice you can reboot your virtual machine (power off and on) before installing to get back to the menu.<br />
: In the installer you will use the space bar to select and unselect "checkboxes", the tab key to move between fields and buttons, and the enter key to continue. You will be prompted for the following choices<br />
* Select ''English'' as the language, ''United States'' as your location, and ''American English'' as the keymap.<br />
* Set ''ens192'' as your primary network interface.<br />
* Set a hostname for the system to 2480 followed by a dash and then your pod ID letter, like ''2480-Z'' for LSA Pod Z. If you have forgotten your pod ID letter look up at the top of your screen above the line with the "Topology" and "Linux Server" tabs and you should see a line with "LSA Pod" followed by a letter, that letter is your pod ID letter.<br />
:'' Note: These steps are critical to future success in labs, check your spelling carefully'' <br />
: [[File:Lab1_hostname.png|link=https://wiki.ihitc.net/mediawiki/images/5/57/Lab1_hostname.png|500px]]<br />
: [[Media:Lab1_hostname.png|Click here for a larger image]]<br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
: [[File:Lab1_domainname.png|link=https://wiki.ihitc.net/mediawiki/images/5/5a/Lab1_domainname.png|500px]]<br />
: [[Media:Lab1_domainname.png|Click here for a larger images]]<br />
* Set the root password to something you will NOT FORGET, this is the administrator account, ''cisco'' might be a good choice for our purposes though that would not be secure for a system directly accessible from the Internet (we are protected by a firewall which you are bypassing via the VPN connection)<br />
* Create a new user account by entering your name. The system will automatically use your first name (all lowercase) as the username and then you should set the password to another password you will not forget<br />
* Select your timezone<br />
* Choose "Guided - Use entire disk" as the partitioning method and select the ''sda'' drive and "All files in one partition" as the partitioning scheme, "Finish partitioning and write the changes to the disk", and then finally confirm you want to write the changes.<br />
* You do not want to scan any other CDs or DVDs at this time.<br />
* You want to select a mirror located close to you with good speed. Because your VM is actually running from the campus and is connected to the campus Internet connection a good option is "debian.uchicago.edu" with no http proxy.<br />
* Choose whether you want to participate in the package usage survey, for our purposes either choice is just fine.<br />
* On the software selection screen UNSELECT "Debian desktop environment" and "Print server" and make sure that "SSH server" and "Standard system utilities" are the only two selected options.<br />
:'' Note: To select and unselect options move your cursor over the option and press the space bar.<br />
* Choose that yes you want to install GRUB to the master boot record on the ''/dev/sda'' device.<br />
<li>Complete the installation</li><br />
: When the installation is complete you can select continue to "eject" the virtual CD and reboot into the new install<br />
</ol><br />
<br />
==Install Basic Tools==<br />
<ol><br />
<li>Install '''sudo''' from the command line using:<br />
: ''Note: A good practice is to update your system before installing any packages, this should be completed using '''apt update''', ensure to use '''sudo''' when not logged in as root.<br />
: <code>apt update</code><br />
: <code>apt install sudo</code></li><br />
: For security purposes it is usually the case that you do not want to log in as the root user. Instead, best practice is to log in as a standard user and then execute specific commands that require root access with administrative privileges through the '''sudo''' program. The '''sudo''' program is not installed by default so after you have logged in to the root account enter '''apt update''' and press enter which will update the list of software available for installation and then '''apt install sudo''' and press enter to install the sudo software.<br />
<li>Add sudo privileges to our standard user account.<br />
:<code>adduser <username> sudo</code></li><br />
: We now need to add our standard user account to the group which is allowed to have administrative access to do this enter the command '''sudo adduser ''<username>'' sudo''' and press enter, replacing ''<username>'' with the name of your standard user account (set during the setup process, probably your first name in lowercase). We'll learn more about these commands later in the course.<br />
<li>Reboot system</li><br />
: <code>shutdown -r now</code><br />
: Reboot your system using the '''shutdown -r now''' command to apply the changes<br />
<li>Log in as your standard user account, determine system IP address.<br />
: Once you are logged in use the following command at the command line to determine the IP address of your system<br />
:<code>ip address show</code></li><br />
: Using the '''ip address show''' command will allow you to check the IP address of your system. The IP address should be something like ''172.17.50.xxx'' and be an ''inet'' address on the ''ens192'' adapter.<br />
: [[File:Lab1_ip_address_show2.PNG|500px]]<br />
<li>Test sudo privileges</li><br />
: Try running the same command as the administrator by typing '''sudo ip address show''', you will need to enter in your password again when you run this command.<br />
: <code>sudo ip address show</code><br />
<li>Install '''open-vm-tools'''</li><br />
: Run the '''sudo apt install open-vm-tools''' command to install the vmWare Tools. You will be prompted about several additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
:<code>sudo apt install open-vm-tools</code><br />
<br><br />
<li>Install nmap</li><br />
:Nmap is a tool we will learn more about later in the course but it will likely be used to check many of the labs for completion while working through the course. This course's labwork often builds upon the work you have done in previous labs. The self-check scripts are to assist you in ensuring you have not missed any ''critical'' steps in your work that would affect your success in subsequent labs.<br />
<br />
:''NOTE: Before we begin the installation of this tool it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning of systems which they are not authorized to do. You have been warned!<br />
:*At this time all you will be doing is installing the tool as it will be used to self-check your lab work to verify you are ready to move on to the next lab.<br />
:* Run the following command at the command line.<br />
:<pre>sudo apt install nmap</pre><br />
: Run the '''sudo apt install nmap''' command to install the nmap tool. You will be prompted about additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
<br />
<li>Exit from the local console</li><br />
: To log out of the console type '''exit''' and press enter.<br />
: Because your Debian Linux server is running as a virtual machine on a vmWare host system in order to achieve the best performance and driver integration we should install the vmWare Tools software package in your virtual machine.<br />
</ol><br />
<br />
== Add User "Ping", Install Webmin==<br />
<ol><br />
<li> Create a new user account '''ping''' using the '''adduser''' program</li><br />
: <code> adduser ping</code><br />
<li> Use the '''links''' browser or '''wget''' to download the '''DEB''' package file from '''[https://www.webmin.com www.webmin.com]'''</li><br />
: ''NOTE: Because this DEB file was downloaded directly instead of automatically by APT from a package repository the installation command is slightly different and some other commands such as '''apt show''' will not work.''<br />
<li>Install the package with '''apt install'''<br />
: <code>apt install ./<filename.deb></code><br />
: Don't forget that installation of software must be done with system administrator permissions.''</li><br />
:[[File:Apt-install-webmin.png | link= https://wiki.ihitc.net/mediawiki/images/f/f8/Apt-install-webmin.png | 500px]]<br />
:[[Media:Apt-install-webmin.png | Click for Larger Image]]<br />
: ''NOTE: You can get similar information to what you can get with '''apt show''' from a '''DEB''' package file using the following command:''<br />
: <code>dpkg -I <filename></code><br />
<li> Notice the additional packages which are required by Webmin (dependencies) which will be downloaded and installed by '''apt''' from a repository in order to complete the installation.</li><br />
<li> Open a web browser on your host system and visit https://xxx.xxx.xxx.xxx:10000 where your IP replaces xxx.xxx.xxx.xxx</li><br />
<li> Login using your Debian username and password </li><br />
<li> Explore the Webmin interface<br />
:[[file:Webmin-dashboard.png | link= https://wiki.ihitc.net/mediawiki/images/0/0f/Webmin-dashboard.png | 500px]]<br />
:[[media:Webmin-dashboard.png | Click for Larger Image]]</li><br />
</ol><br />
<br />
==Set Static IP Address==<br />
<br />
: An important first step is to learn how to diferenciate between network interfaces. Take a look at [https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/ this site] and [https://github.com/systemd/systemd/blob/master/src/udev/udev-builtin-net_id.c#L20 this site] to understand how network interface names in Debian 9 and later are identified.<br />
<ol><br />
<li>Set a static IP for your server</li><br />
:* Using your text editor of choice, open up the file ''/etc/network/interfaces''<br />
:* Notice how it is currently set to dhcp for the ''ens192'' interface.<br />
:* To set a static IP, you will need to change ''iface ens192 inet dhcp'' to ''iface ens192 inet static''.<br />
:* Now, under the iface line you just edited, you will need to enter the address, netmask, and gateway for the static network.<br />
:''' Reminder: it is common practice to indent (tab) static network configuration information in the interfaces file.<br />
'' Note: Your configuration should be similar to this:<br />
<pre>allow-hotplug ens192<br />
iface ens192 inet static<br />
address xxx.xxx.xxx.xxx<br />
netmask 255.255.255.0<br />
gateway 172.17.50.1<br />
dns-nameservers 172.17.139.11 172.17.139.111</pre><br />
: * Now save the file, and exit your file editor.<br />
<li>Apply your static IP address</li><br />
: * Now we are going to apply the static IP change. Try using '''ip address show''' to view your active configuration now and you should see that your old address is still active.<br />
:''NOTE: You should only make network configuration changes when you have physical access to a machine. This way, if you mess up your configuration you will be able to fix it from a local console.''' If you lose working SSH access to your system after making these changes you'll need to connect in through the NetLab console interface (which is equivalent to physical access) and find and correct your configuration issues.<br />
:* Using the '''ifdown''' and '''ifup''' command, we are going to restart the network interface, this step is required to apply the change.<br />
'' Note: A good method to watch this change is to have to ping windows open on your local machine ping both your old IP address and your new IP address with a '''ping 172.17.50.xx -t''' this will allow you to see how quickly the change will happen. The first image below is with the DHCP address, the second is after the static address is applied.<br />
:[[File:Lab5_ping_ifup_ifdown.png|link=https://wiki.ihitc.net/mediawiki/images/2/2f/Lab5_ping_ifup_ifdown.png|500px]]<br />
:[[Media:Lab5_ping_ifup_ifdown.png|Click here for a larger image]]<br />
:* In a SSH terminal, run '''sudo ifdown ens192 && sudo ifup ens192'''. Notice the two ''&&'' symbols. This tells the Linux shell that it should run the second command right after the first. If we do not define this, then we would be left with a machine that has its networking turned off.<br />
: <code>sudo ifdown ens192 && sudo ifup ens192</code><br />
'' Note: you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
:* At this point, your machine should now be using a static address. You may receive an error message indicating that an address cannot be assigned which is related to your old DHCP address still being on the interface as well. Use '''ip address show''' to verify the new IP address is assigned to the interface.<br />
<li>Verify the new static IP address</li><br />
:* Used a '''ping''' command from your local PC to try pinging both the old DHCP address as well as your new static address of your VM. <br />
:* Once you have verified the VM is responding on the new static IP address reboot the system to ensure the old DHCP address is removed by restarting your VM with '''sudo shutdown -r now''' Note you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
<li>Reconnect through SSH to your new IP address and verify it is now applied using the '''ip address show''' command.</li><br />
</ol><br />
<br />
==DNS Section==<br />
<ol><br />
<li>First you will need to install BIND. to install it, use the package manager to install '''bind9'''</li><br />
<li>Open up ''/etc/bind/named.conf.options''</li><br />
<ul><br />
* You will also need to replace 0.0.0.0 with 172.17.139.11 for outside DNS lookups to function correctly.</ul><br />
: [[File:Bind_named_conf.png | 500px]]<br />
<li>Next, open up your interfaces file (''/etc/network/interfaces'').</li><br />
<ul><br />
* Change the dns server for the primary network interface to ''127.0.0.1''.</ul><br />
<li>In '''Webmin''', go to ''Servers'', then ''BIND DNS Server''. Under ''Existing DNS Zones'' click on ''Create Master Zone'' and use the following settings:<br />
<pre>Zone type: Forward (Names to Addresses)<br />
Domain name / Network: *.itc2480.campus.ihitc.net<br />
Records file: Automatic<br />
Master server: *.itc2480.campus.ihitc.net.<br />
Email address: root@ *.itc2480.campus.ihitc.net</pre><br />
* '''NOTE:''' the * stands for your system name, "automail" was used when setting the mail server up.</li><br />
<li>To create our ''A record'' which points your domain to an IP address, click the ''Address'' button.</li><br />
* For the ''Name'' enter ''@''.<br />
* In the ''address'' field enter your VM's static IP and click ''Create''.<br />
<li>Create an ''MX'' record for the domain which directs mail for your delegated domain to your system as well. (This will involve creating another A record for ''mail.*.itc2480.campus.ihitc.net'' as well).</li><br />
<li>Make sure to apply the changes using the button in the top right that shows two arrows in a cricle.</li><br />
<li>After applying the changes and rebooting everything should be working. just make sure to test it using the nslookup and dig commands.</li><br />
</ol><br />
<br />
<br />
== Install the Postfix MTA ==<br />
'''''[https://www.youtube.com/watch?v=6VsgO5695Z4&feature=youtu.be Video Tutorial - Install Postfix MTA]'''''<br />
<ol><br />
<li> Use a package manager to install the ''postfix'' package.<br />
* During the installation process select ''Internet Site'' as the type of mail server and set the domain name to ''*.itc2480.campus.ihitc.net'' where * is the hostname letter of your system.</li><br />
: MTA software listens for incoming connections from other MTA servers on port 25 and accepts mail on behalf of users on the system. Once the mail is received it is stored locally for users to retrieve. The most common methods for storing messages is in an .mbox file, where all messages are stored in a single file, or in a Maildir, which is a directory where each message is stored in a separate file. The MTA also listens for connections from client software (MUA) and accepts outbound messages from them and forwards them on to the destination domain's mail server. Advanced configuration of MTA software can allow for anti-spam filtering, mailing list support or other programs to intercept and manipulate mail as it passes through the server.<br />
<li>Test the connection an verify the port is open</li><br />
:* Use Telnet to connect to the Postfix SMTP server on port 25: '''telnet localhost 25'''<br />
: [[File:Lab9_open_telnet.png|link=https://wiki.ihitc.net/mediawiki/images/1/10/Lab9_open_telnet.png|500px]]<br />
: [[Media:Lab9_open_telnet.png | Click here for larger image]]<br />
:* Type '''quit''' and press enter after verifying Postfix is running.<br />
<br />
<li>Configure Maildir</li><br />
: Because the Courier IMAP and POP3 server software only supports Maildir style message stores and Postfix stores in mbox files by default you must edit the ''/etc/postfix/main.cf'' file to fix this. <br />
:* Add the line <br />
:<pre>home_mailbox = Maildir/</pre> <br />
: Edit or add the ''mailbox_command'' parameter so there is nothing on the line after the equals sign, delete the portion of the line referencing procmail if it exists. The line should look like: <br />
:<pre>mailbox_command = </pre><br />
<li> Restart the ''postfix'' service to apply your change. Postfix is now saving new incoming messages into the Maildir folder inside each user's home directory. This folder is automatically created by Postfix the first time a new message comes in for a user.</li><br />
<li> Set your shell to recognize the maildir as your mail location</li><br />
:* Edit the ''/etc/login.defs'' file and comment out the ''MAIL_DIR /var/mail'' line (place a # in front of the line) and add a line setting ''MAIL_FILE'' like this:<br />
<pre><br />
#MAIL_DIR /var/mail<br />
MAIL_FILE Maildir/<br />
</pre><br />
:* Edit the ''/etc/pam.d/login'' file, find and comment out the ''session optional pam_mail.so standard'' line (place a # in front of the line) and add a line like this immediately below it:<br />
<pre><br />
#session optional pam_mail.so standard<br />
session optional pam_mail.so dir=~/Maildir standard<br />
</pre><br />
:* Edit the ''/etc/pam.d/su'' file, find and comment out the ''session optional pam_mail.so nopen'' line (place a # in front of the line) and add a line like this immediately below it:<br />
<pre><br />
#session optional pam_mail.so nopen<br />
session optional pam_mail.so dir=~/Maildir nopen<br />
</pre><br />
:* Edit the ''/etc/pam.d/sshd'' file, find and comment out the ''session optional pam_mail.so standard noenv'' line (place a # in front of the line) and add a line like this immediately below it:<br />
<pre><br />
#session optional pam_mail.so standard noenv<br />
session optional pam_mail.so dir=~/Maildir standard<br />
</pre><br />
:* Edit the ''/etc/profile'' file and at the end of the file add the line: <pre>export MAIL=~/Maildir</pre></li><br />
<li> Test sending and receiving mail as a locally logged on user.</li><br />
<br />
:* Install the ''mailutils'' package.</li><br />
:* Try sending a message (replace username with your username): <pre>echo "This is my message" | mail -s "Email Subject" username@localhost</pre><br />
:* Log out of your SSH session and open a new SSH session to apply the changes to the ''/etc/profile'' and ''/etc/login.defs'' files.<br />
:* Check to see if the message was received using the '''mail''' command, press ''q'' to return to the command line.<br />
:[[File:Lab9_cli_send_mail.png|link=https://wiki.ihitc.net/mediawiki/images/4/4f/Lab9_cli_send_mail.png|500px]]<br />
:[[Media:Lab9_cli_send_mail.png|Click here for a larger image]]<br />
: You should also be able to see the message in ''~/Maildir/'' in either the ''new/'' or ''cur/'' directory depending on whether you have viewed the message list yet or not. In either case, the message will appear as a text file with a random-looking name. It's just a text file so you can use '''cat''' or '''less''' to view it.<br />
<li> Create Aliases </li><br />
: You can create aliases and forward mail between users by editing the ''/etc/aliases'' file and then running the '''newaliases''' program. <br />
:* Create an "alias" for ''sysadmin'' which forwards mail sent to sysadmin@localhost to your username <br />
:* Send a copy of all mail to the ''root'' account to your username <br />
<br />
: Now would be a good time to try logging on to Webmin again, re-scanning for modules and then taking a look at the Postfix module in the ''Servers'' section.<br />
<li>Explore the mail log file</li><br />
: Take a look at your ''/var/log/mail.info'' log to see Postfix sending and receiving messages for users.<br />
</ol><br />
<br />
== Install Courier MDA ==<br />
'''''[https://www.youtube.com/watch?v=uvZlSiQHlxs&feature=youtu.be Video Tutorial - Install Courier MDA]'''''<br />
<ol><br />
<li>Install required courier packages </li><br />
: Most users prefer to retrieve mail from a mail server using an MDA protocol like POP3 or IMAP which can be provided by the Courier programs. Install the ''courier-pop'', ''courier-imap'', and ''fam'' packages.<br />
:* Do not create the directories for web-based administration as they are unneeded for our setup<br />
: Local users accessing their mailbox with MUA software can read and write to the .mbox file or Maildir directly. If a user not locally logged on to the system wants to access their mailbox the server runs MDA software which typically uses the POP3 or IMAP protocol for accessing the .mbox file or Maildir remotely.<br />
</ol><br />
<br />
==Auto Reply Configuration==<br />
<ol><br />
<li>Install vacation</li><br />
: Vacation is a Linux package that will auto-respond to received emails for the receiving users. <br />
<code>sudo apt install vacation</code><br />
<li>Run the vacation program in the profile you wish to set up the reply message from</li><br />
<code>vacation</code><br />
<li>Follow the prompts, for now reply with the default answer (Y)</li><br />
: [[File:MAILSVR_vaca_prompts.png|link=https://wiki.ihitc.net/mediawiki/images/7/76/MAILSVR_vaca_prompts.png|500px]]<br />
: [[Media:MAILSVR_vaca_prompts.png|Click here for a larger image]]<br />
<li>Edit the vacation.msg file</li><br />
<code>nano vacation.msg</code> <br />
: [[File:MAILSVR_vaca_msg.png|link=https://wiki.ihitc.net/mediawiki/images/b/b9/MAILSVR_vaca_msg.png|500px]]<br />
: [[Media:MAILSVR_vaca_msg.png|Click for a larger image]]<br />
:* Enter the message that you would like to have in the auto-response.<br />
<li>Set the response to auto mail every message</li><br />
: The default response is every one week to send an auto-reply, for our use it is important to reply to every email.<br />
<code>vacation -i -r 0</code><br />
: ''NOTE: It is important to understand this command sets the auto-reply delay. Using the '''-r 0''' sets the vacation program to reply to EVERY message it receives. In a production environment, this is not recommended as it can create mail loops.<br />
<li>Test your reply message from the CLI '''mailutils''' package or the MTA chosen to use on client computers</li><br />
</ol><br />
<br />
==Auto Maildir Clean Up==<br />
<ol><br />
<li>Create script to delete emails older than 45 days</li><br />
:''NOTE: The script must be owned by root and executable. Additionally, the crontab must be created with sudo priviledges<br />
:<code>sudo nano '''<scriptname.sh>'''</code><br />
<pre><br />
#!/bin/bash<br />
find /home/testuser/Maildir/cur -type f -mtime +45 -exec rm {} \;<br />
find /home/testuser/Maildir/new -type f -mtime +45 -exec rm {} \;<br />
find /home/testuser/Maildir/tmp -type f -mtime +45 -exec rm {} \;<br />
</pre><br />
:[[File:MAILSVR_emailflush_sh.png|link=https://wiki.ihitc.net/mediawiki/images/b/b5/MAILSVR_emailflush_sh.png|500px]]<br />
:[[Media:MAILSVR_emailflush_sh.png|Click here for a larger image]]<br />
<li>Make executable</li><br />
:<code>sudo chmod +x '''<sciptname.sh>'''</code><br />
<li>Create a '''crontab''' job</li><br />
:<code>sudo crontab -e</code><br />
: ''NOTE: the astricks at the start of the following command are respective to the scheduling of time. A good additional resource for '''cron''' can be found at [https://vitux.com/how-to-setup-a-cron-job-in-debian-10 Vitux]. Each astrik represents [Minute] [hour] [Day_of_the_Month] [Month_of_the_Year] [Day_of_the_Week] <br />
:* Add the following line to the chrontab file to schedule the job at 8PM every day.<br />
<pre>* 20 * * * * /home/ping/scriptname.sh</pre><br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Mail_server_mnjk&diff=9565Mail server mnjk2021-03-05T01:23:13Z<p>JonQuinn: /* Install Postfix */</p>
<hr />
<div>==Introduction==<br />
:This section documents the creation of the Auto-Reply Mail Server. This section will likely be created by an instructor or administrator.<br />
==Mail Server Documentation==<br />
<ol><br />
<li>Power on you Virtual machine</li><br />
<br />
:* This server may reside in the VMware ESXi or NetLab as long as the network configuration allows connection to the course VLAN and student VM's.<br />
<li>Install Debian Linux</li><br />
: Once the system has booted and is on the "Debian GNU/Linux installer menu" choose "Install" and '''not''' "Graphical Install". If you make an incorrect choice you can reboot your virtual machine (power off and on) before installing to get back to the menu.<br />
: In the installer you will use the space bar to select and unselect "checkboxes", the tab key to move between fields and buttons, and the enter key to continue. You will be prompted for the following choices<br />
* Select ''English'' as the language, ''United States'' as your location, and ''American English'' as the keymap.<br />
* Set ''ens192'' as your primary network interface.<br />
* Set a hostname for the system to 2480 followed by a dash and then your pod ID letter, like ''2480-Z'' for LSA Pod Z. If you have forgotten your pod ID letter look up at the top of your screen above the line with the "Topology" and "Linux Server" tabs and you should see a line with "LSA Pod" followed by a letter, that letter is your pod ID letter.<br />
:'' Note: These steps are critical to future success in labs, check your spelling carefully'' <br />
: [[File:Lab1_hostname.png|link=https://wiki.ihitc.net/mediawiki/images/5/57/Lab1_hostname.png|500px]]<br />
: [[Media:Lab1_hostname.png|Click here for a larger image]]<br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
: [[File:Lab1_domainname.png|link=https://wiki.ihitc.net/mediawiki/images/5/5a/Lab1_domainname.png|500px]]<br />
: [[Media:Lab1_domainname.png|Click here for a larger images]]<br />
* Set the root password to something you will NOT FORGET, this is the administrator account, ''cisco'' might be a good choice for our purposes though that would not be secure for a system directly accessible from the Internet (we are protected by a firewall which you are bypassing via the VPN connection)<br />
* Create a new user account by entering your name. The system will automatically use your first name (all lowercase) as the username and then you should set the password to another password you will not forget<br />
* Select your timezone<br />
* Choose "Guided - Use entire disk" as the partitioning method and select the ''sda'' drive and "All files in one partition" as the partitioning scheme, "Finish partitioning and write the changes to the disk", and then finally confirm you want to write the changes.<br />
* You do not want to scan any other CDs or DVDs at this time.<br />
* You want to select a mirror located close to you with good speed. Because your VM is actually running from the campus and is connected to the campus Internet connection a good option is "debian.uchicago.edu" with no http proxy.<br />
* Choose whether you want to participate in the package usage survey, for our purposes either choice is just fine.<br />
* On the software selection screen UNSELECT "Debian desktop environment" and "Print server" and make sure that "SSH server" and "Standard system utilities" are the only two selected options.<br />
:'' Note: To select and unselect options move your cursor over the option and press the space bar.<br />
* Choose that yes you want to install GRUB to the master boot record on the ''/dev/sda'' device.<br />
<li>Complete the installation</li><br />
: When the installation is complete you can select continue to "eject" the virtual CD and reboot into the new install<br />
</ol><br />
<br />
==Install Basic Tools==<br />
<ol><br />
<li>Install '''sudo''' from the command line using:<br />
: ''Note: A good practice is to update your system before installing any packages, this should be completed using '''apt update''', ensure to use '''sudo''' when not logged in as root.<br />
: <code>apt update</code><br />
: <code>apt install sudo</code></li><br />
: For security purposes it is usually the case that you do not want to log in as the root user. Instead, best practice is to log in as a standard user and then execute specific commands that require root access with administrative privileges through the '''sudo''' program. The '''sudo''' program is not installed by default so after you have logged in to the root account enter '''apt update''' and press enter which will update the list of software available for installation and then '''apt install sudo''' and press enter to install the sudo software.<br />
<li>Add sudo privileges to our standard user account.<br />
:<code>adduser <username> sudo</code></li><br />
: We now need to add our standard user account to the group which is allowed to have administrative access to do this enter the command '''sudo adduser ''<username>'' sudo''' and press enter, replacing ''<username>'' with the name of your standard user account (set during the setup process, probably your first name in lowercase). We'll learn more about these commands later in the course.<br />
<li>Reboot system</li><br />
: <code>shutdown -r now</code><br />
: Reboot your system using the '''shutdown -r now''' command to apply the changes<br />
<li>Log in as your standard user account, determine system IP address.<br />
: Once you are logged in use the following command at the command line to determine the IP address of your system<br />
:<code>ip address show</code></li><br />
: Using the '''ip address show''' command will allow you to check the IP address of your system. The IP address should be something like ''172.17.50.xxx'' and be an ''inet'' address on the ''ens192'' adapter.<br />
: [[File:Lab1_ip_address_show2.PNG|500px]]<br />
<li>Test sudo privileges</li><br />
: Try running the same command as the administrator by typing '''sudo ip address show''', you will need to enter in your password again when you run this command.<br />
: <code>sudo ip address show</code><br />
<li>Install '''open-vm-tools'''</li><br />
: Run the '''sudo apt install open-vm-tools''' command to install the vmWare Tools. You will be prompted about several additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
:<code>sudo apt install open-vm-tools</code><br />
<br><br />
<li>Install nmap</li><br />
:Nmap is a tool we will learn more about later in the course but it will likely be used to check many of the labs for completion while working through the course. This course's labwork often builds upon the work you have done in previous labs. The self-check scripts are to assist you in ensuring you have not missed any ''critical'' steps in your work that would affect your success in subsequent labs.<br />
<br />
:''NOTE: Before we begin the installation of this tool it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning of systems which they are not authorized to do. You have been warned!<br />
:*At this time all you will be doing is installing the tool as it will be used to self-check your lab work to verify you are ready to move on to the next lab.<br />
:* Run the following command at the command line.<br />
:<pre>sudo apt install nmap</pre><br />
: Run the '''sudo apt install nmap''' command to install the nmap tool. You will be prompted about additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
<br />
<li>Exit from the local console</li><br />
: To log out of the console type '''exit''' and press enter.<br />
: Because your Debian Linux server is running as a virtual machine on a vmWare host system in order to achieve the best performance and driver integration we should install the vmWare Tools software package in your virtual machine.<br />
</ol><br />
<br />
== Add User "Ping", Install Webmin==<br />
<ol><br />
<li> Create a new user account '''ping''' using the '''adduser''' program</li><br />
: <code> adduser ping</code><br />
<li> Use the '''links''' browser or '''wget''' to download the '''DEB''' package file from '''[https://www.webmin.com www.webmin.com]'''</li><br />
: ''NOTE: Because this DEB file was downloaded directly instead of automatically by APT from a package repository the installation command is slightly different and some other commands such as '''apt show''' will not work.''<br />
<li>Install the package with '''apt install'''<br />
: <code>apt install ./<filename.deb></code><br />
: Don't forget that installation of software must be done with system administrator permissions.''</li><br />
:[[File:Apt-install-webmin.png | link= https://wiki.ihitc.net/mediawiki/images/f/f8/Apt-install-webmin.png | 500px]]<br />
:[[Media:Apt-install-webmin.png | Click for Larger Image]]<br />
: ''NOTE: You can get similar information to what you can get with '''apt show''' from a '''DEB''' package file using the following command:''<br />
: <code>dpkg -I <filename></code><br />
<li> Notice the additional packages which are required by Webmin (dependencies) which will be downloaded and installed by '''apt''' from a repository in order to complete the installation.</li><br />
<li> Open a web browser on your host system and visit https://xxx.xxx.xxx.xxx:10000 where your IP replaces xxx.xxx.xxx.xxx</li><br />
<li> Login using your Debian username and password </li><br />
<li> Explore the Webmin interface<br />
:[[file:Webmin-dashboard.png | link= https://wiki.ihitc.net/mediawiki/images/0/0f/Webmin-dashboard.png | 500px]]<br />
:[[media:Webmin-dashboard.png | Click for Larger Image]]</li><br />
</ol><br />
<br />
==Set Static IP Address==<br />
<br />
: An important first step is to learn how to diferenciate between network interfaces. Take a look at [https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/ this site] and [https://github.com/systemd/systemd/blob/master/src/udev/udev-builtin-net_id.c#L20 this site] to understand how network interface names in Debian 9 and later are identified.<br />
<ol><br />
<li>Set a static IP for your server</li><br />
:* Using your text editor of choice, open up the file ''/etc/network/interfaces''<br />
:* Notice how it is currently set to dhcp for the ''ens192'' interface.<br />
:* To set a static IP, you will need to change ''iface ens192 inet dhcp'' to ''iface ens192 inet static''.<br />
:* Now, under the iface line you just edited, you will need to enter the address, netmask, and gateway for the static network.<br />
:''' Reminder: it is common practice to indent (tab) static network configuration information in the interfaces file.<br />
'' Note: Your configuration should be similar to this:<br />
<pre>allow-hotplug ens192<br />
iface ens192 inet static<br />
address xxx.xxx.xxx.xxx<br />
netmask 255.255.255.0<br />
gateway 172.17.50.1<br />
dns-nameservers 172.17.139.11 172.17.139.111</pre><br />
: * Now save the file, and exit your file editor.<br />
<li>Apply your static IP address</li><br />
: * Now we are going to apply the static IP change. Try using '''ip address show''' to view your active configuration now and you should see that your old address is still active.<br />
:''NOTE: You should only make network configuration changes when you have physical access to a machine. This way, if you mess up your configuration you will be able to fix it from a local console.''' If you lose working SSH access to your system after making these changes you'll need to connect in through the NetLab console interface (which is equivalent to physical access) and find and correct your configuration issues.<br />
:* Using the '''ifdown''' and '''ifup''' command, we are going to restart the network interface, this step is required to apply the change.<br />
'' Note: A good method to watch this change is to have to ping windows open on your local machine ping both your old IP address and your new IP address with a '''ping 172.17.50.xx -t''' this will allow you to see how quickly the change will happen. The first image below is with the DHCP address, the second is after the static address is applied.<br />
:[[File:Lab5_ping_ifup_ifdown.png|link=https://wiki.ihitc.net/mediawiki/images/2/2f/Lab5_ping_ifup_ifdown.png|500px]]<br />
:[[Media:Lab5_ping_ifup_ifdown.png|Click here for a larger image]]<br />
:* In a SSH terminal, run '''sudo ifdown ens192 && sudo ifup ens192'''. Notice the two ''&&'' symbols. This tells the Linux shell that it should run the second command right after the first. If we do not define this, then we would be left with a machine that has its networking turned off.<br />
: <code>sudo ifdown ens192 && sudo ifup ens192</code><br />
'' Note: you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
:* At this point, your machine should now be using a static address. You may receive an error message indicating that an address cannot be assigned which is related to your old DHCP address still being on the interface as well. Use '''ip address show''' to verify the new IP address is assigned to the interface.<br />
<li>Verify the new static IP address</li><br />
:* Used a '''ping''' command from your local PC to try pinging both the old DHCP address as well as your new static address of your VM. <br />
:* Once you have verified the VM is responding on the new static IP address reboot the system to ensure the old DHCP address is removed by restarting your VM with '''sudo shutdown -r now''' Note you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
<li>Reconnect through SSH to your new IP address and verify it is now applied using the '''ip address show''' command.</li><br />
</ol><br />
<br />
==DNS Section==<br />
<ol><br />
<li>First you will need to install BIND. to install it, use the package manager to install '''bind9'''</li><br />
<li>Open up ''/etc/bind/named.conf.options''</li><br />
<ul><br />
* You will also need to replace 0.0.0.0 with 172.17.139.11 for outside DNS lookups to function correctly.</ul><br />
: [[File:Bind_named_conf.png | 500px]]<br />
<li>Next, open up your interfaces file (''/etc/network/interfaces'').</li><br />
<ul><br />
* Change the dns server for the primary network interface to ''127.0.0.1''.</ul><br />
<li>In '''Webmin''', go to ''Servers'', then ''BIND DNS Server''. Under ''Existing DNS Zones'' click on ''Create Master Zone'' and use the following settings:<br />
<pre>Zone type: Forward (Names to Addresses)<br />
Domain name / Network: *.itc2480.campus.ihitc.net<br />
Records file: Automatic<br />
Master server: *.itc2480.campus.ihitc.net.<br />
Email address: root@ *.itc2480.campus.ihitc.net</pre><br />
* '''NOTE:''' the * stands for your system name, "automail" was used when setting the mail server up.</li><br />
<li>To create our ''A record'' which points your domain to an IP address, click the ''Address'' button.</li><br />
* For the ''Name'' enter ''@''.<br />
* In the ''address'' field enter your VM's static IP and click ''Create''.<br />
<li>Create an ''MX'' record for the domain which directs mail for your delegated domain to your system as well. (This will involve creating another A record for ''mail.*.itc2480.campus.ihitc.net'' as well).</li><br />
<li>Make sure to apply the changes using the button in the top right that shows two arrows in a cricle.</li><br />
<li>After applying the changes and rebooting everything should be working. just make sure to test it using the nslookup and dig commands.</li><br />
</ol><br />
<br />
<br />
== Install the Postfix MTA ==<br />
'''''[https://www.youtube.com/watch?v=6VsgO5695Z4&feature=youtu.be Video Tutorial - Install Postfix MTA]'''''<br />
<ol><br />
<li> Use a package manager to install the ''postfix'' package.<br />
* During the installation process select ''Internet Site'' as the type of mail server and set the domain name to ''*.itc2480.campus.ihitc.net'' where * is the hostname letter of your system.</li><br />
: MTA software listens for incoming connections from other MTA servers on port 25 and accepts mail on behalf of users on the system. Once the mail is received it is stored locally for users to retrieve. The most common methods for storing messages is in an .mbox file, where all messages are stored in a single file, or in a Maildir, which is a directory where each message is stored in a separate file. The MTA also listens for connections from client software (MUA) and accepts outbound messages from them and forwards them on to the destination domain's mail server. Advanced configuration of MTA software can allow for anti-spam filtering, mailing list support or other programs to intercept and manipulate mail as it passes through the server.<br />
<li>Test the connection an verify the port is open</li><br />
:* Use Telnet to connect to the Postfix SMTP server on port 25: '''telnet localhost 25'''<br />
: [[File:Lab9_open_telnet.png|link=https://wiki.ihitc.net/mediawiki/images/1/10/Lab9_open_telnet.png|500px]]<br />
: [[Media:Lab9_open_telnet.png | Click here for larger image]]<br />
:* Type '''quit''' and press enter after verifying Postfix is running.<br />
<br />
<li>Configure Maildir</li><br />
: Because the Courier IMAP and POP3 server software only supports Maildir style message stores and Postfix stores in mbox files by default you must edit the ''/etc/postfix/main.cf'' file to fix this. <br />
:* Add the line <br />
:<pre>home_mailbox = Maildir/</pre> <br />
: Edit or add the ''mailbox_command'' parameter so there is nothing on the line after the equals sign, delete the portion of the line referencing procmail if it exists. The line should look like: <br />
:<pre>mailbox_command = </pre><br />
<li> Restart the ''postfix'' service to apply your change. Postfix is now saving new incoming messages into the Maildir folder inside each user's home directory. This folder is automatically created by Postfix the first time a new message comes in for a user.</li><br />
<li> Set your shell to recognize the maildir as your mail location</li><br />
:* Edit the ''/etc/login.defs'' file and comment out the ''MAIL_DIR /var/mail'' line (place a # in front of the line) and add a line setting ''MAIL_FILE'' like this:<br />
<pre><br />
#MAIL_DIR /var/mail<br />
MAIL_FILE Maildir/<br />
</pre><br />
:* Edit the ''/etc/pam.d/login'' file, find and comment out the ''session optional pam_mail.so standard'' line (place a # in front of the line) and add a line like this immediately below it:<br />
<pre><br />
#session optional pam_mail.so standard<br />
session optional pam_mail.so dir=~/Maildir standard<br />
</pre><br />
:* Edit the ''/etc/pam.d/su'' file, find and comment out the ''session optional pam_mail.so nopen'' line (place a # in front of the line) and add a line like this immediately below it:<br />
<pre><br />
#session optional pam_mail.so nopen<br />
session optional pam_mail.so dir=~/Maildir nopen<br />
</pre><br />
:* Edit the ''/etc/pam.d/sshd'' file, find and comment out the ''session optional pam_mail.so standard noenv'' line (place a # in front of the line) and add a line like this immediately below it:<br />
<pre><br />
#session optional pam_mail.so standard noenv<br />
session optional pam_mail.so dir=~/Maildir standard<br />
</pre><br />
:* Edit the ''/etc/profile'' file and at the end of the file add the line: <pre>export MAIL=~/Maildir</pre></li><br />
<li> Test sending and receiving mail as a locally logged on user.</li><br />
<br />
:* Install the ''mailutils'' package.</li><br />
:* Try sending a message (replace username with your username): <pre>echo "This is my message" | mail -s "Email Subject" username@localhost</pre><br />
:* Log out of your SSH session and open a new SSH session to apply the changes to the ''/etc/profile'' and ''/etc/login.defs'' files.<br />
:* Check to see if the message was received using the '''mail''' command, press ''q'' to return to the command line.<br />
:[[File:Lab9_cli_send_mail.png|link=https://wiki.ihitc.net/mediawiki/images/4/4f/Lab9_cli_send_mail.png|500px]]<br />
:[[Media:Lab9_cli_send_mail.png|Click here for a larger image]]<br />
: You should also be able to see the message in ''~/Maildir/'' in either the ''new/'' or ''cur/'' directory depending on whether you have viewed the message list yet or not. In either case, the message will appear as a text file with a random-looking name. It's just a text file so you can use '''cat''' or '''less''' to view it.<br />
<li> Create Aliases </li><br />
: You can create aliases and forward mail between users by editing the ''/etc/aliases'' file and then running the '''newaliases''' program. <br />
:* Create an "alias" for ''sysadmin'' which forwards mail sent to sysadmin@localhost to your username <br />
:* Send a copy of all mail to the ''root'' account to your username <br />
<br />
: Now would be a good time to try logging on to Webmin again, re-scanning for modules and then taking a look at the Postfix module in the ''Servers'' section.<br />
<li>Explore the mail log file</li><br />
: Take a look at your ''/var/log/mail.info'' log to see Postfix sending and receiving messages for users.<br />
</ol><br />
== Install Courier MDA ==<br />
'''''[https://www.youtube.com/watch?v=uvZlSiQHlxs&feature=youtu.be Video Tutorial - Install Courier MDA]'''''<br />
<ol><br />
<li>Install required courier packages </li><br />
: Most users prefer to retrieve mail from a mail server using an MDA protocol like POP3 or IMAP which can be provided by the Courier programs. Install the ''courier-pop'', ''courier-imap'', and ''fam'' packages.<br />
:* Do not create the directories for web-based administration as they are unneeded for our setup<br />
: Local users accessing their mailbox with MUA software can read and write to the .mbox file or Maildir directly. If a user not locally logged on to the system wants to access their mailbox the server runs MDA software which typically uses the POP3 or IMAP protocol for accessing the .mbox file or Maildir remotely.<br />
</ol><br />
<br />
==Auto Reply Configuration==<br />
<ol><br />
<li>Install vacation</li><br />
: Vacation is a Linux package that will auto-respond to received emails for the receiving users. <br />
<code>sudo apt install vacation</code><br />
<li>Run the vacation program in the profile you wish to set up the reply message from</li><br />
<code>vacation</code><br />
<li>Follow the prompts, for now reply with the default answer (Y)</li><br />
: [[File:MAILSVR_vaca_prompts.png|link=https://wiki.ihitc.net/mediawiki/images/7/76/MAILSVR_vaca_prompts.png|500px]]<br />
: [[Media:MAILSVR_vaca_prompts.png|Click here for a larger image]]<br />
<li>Edit the vacation.msg file</li><br />
<code>nano vacation.msg</code> <br />
: [[File:MAILSVR_vaca_msg.png|link=https://wiki.ihitc.net/mediawiki/images/b/b9/MAILSVR_vaca_msg.png|500px]]<br />
: [[Media:MAILSVR_vaca_msg.png|Click for a larger image]]<br />
:* Enter the message that you would like to have in the auto-response.<br />
<li>Set the response to auto mail every message</li><br />
: The default response is every one week to send an auto-reply, for our use it is important to reply to every email.<br />
<code>vacation -i -r 0</code><br />
: ''NOTE: It is important to understand this command sets the auto-reply delay. Using the '''-r 0''' sets the vacation program to reply to EVERY message it receives. In a production environment, this is not recommended as it can create mail loops.<br />
<li>Test your reply message from the CLI '''mailutils''' package or the MTA chosen to use on client computers</li><br />
</ol><br />
<br />
==Auto Maildir Clean Up==<br />
<ol><br />
<li>Create script to delete emails older than 45 days</li><br />
:''NOTE: The script must be owned by root and executable. Additionally, the crontab must be created with sudo priviledges<br />
:<code>sudo nano '''<scriptname.sh>'''</code><br />
<pre><br />
#!/bin/bash<br />
find /home/testuser/Maildir/cur -type f -mtime +45 -exec rm {} \;<br />
find /home/testuser/Maildir/new -type f -mtime +45 -exec rm {} \;<br />
find /home/testuser/Maildir/tmp -type f -mtime +45 -exec rm {} \;<br />
</pre><br />
:[[File:MAILSVR_emailflush_sh.png|link=https://wiki.ihitc.net/mediawiki/images/b/b5/MAILSVR_emailflush_sh.png|500px]]<br />
:[[Media:MAILSVR_emailflush_sh.png|Click here for a larger image]]<br />
<li>Make executable</li><br />
:<code>sudo chmod +x '''<sciptname.sh>'''</code><br />
<li>Create a '''crontab''' job</li><br />
:<code>sudo crontab -e</code><br />
: ''NOTE: the astricks at the start of the following command are respective to the scheduling of time. A good additional resource for '''cron''' can be found at [https://vitux.com/how-to-setup-a-cron-job-in-debian-10 Vitux]. Each astrik represents [Minute] [hour] [Day_of_the_Month] [Month_of_the_Year] [Day_of_the_Week] <br />
:* Add the following line to the chrontab file to schedule the job at 8PM every day.<br />
<pre>* 20 * * * * /home/ping/scriptname.sh</pre><br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Mail_server_mnjk&diff=9564Mail server mnjk2021-03-05T01:21:05Z<p>JonQuinn: /* Auto Reply Configuration */</p>
<hr />
<div>==Introduction==<br />
:This section documents the creation of the Auto-Reply Mail Server. This section will likely be created by an instructor or administrator.<br />
==Mail Server Documentation==<br />
<ol><br />
<li>Power on you Virtual machine</li><br />
<br />
:* This server may reside in the VMware ESXi or NetLab as long as the network configuration allows connection to the course VLAN and student VM's.<br />
<li>Install Debian Linux</li><br />
: Once the system has booted and is on the "Debian GNU/Linux installer menu" choose "Install" and '''not''' "Graphical Install". If you make an incorrect choice you can reboot your virtual machine (power off and on) before installing to get back to the menu.<br />
: In the installer you will use the space bar to select and unselect "checkboxes", the tab key to move between fields and buttons, and the enter key to continue. You will be prompted for the following choices<br />
* Select ''English'' as the language, ''United States'' as your location, and ''American English'' as the keymap.<br />
* Set ''ens192'' as your primary network interface.<br />
* Set a hostname for the system to 2480 followed by a dash and then your pod ID letter, like ''2480-Z'' for LSA Pod Z. If you have forgotten your pod ID letter look up at the top of your screen above the line with the "Topology" and "Linux Server" tabs and you should see a line with "LSA Pod" followed by a letter, that letter is your pod ID letter.<br />
:'' Note: These steps are critical to future success in labs, check your spelling carefully'' <br />
: [[File:Lab1_hostname.png|link=https://wiki.ihitc.net/mediawiki/images/5/57/Lab1_hostname.png|500px]]<br />
: [[Media:Lab1_hostname.png|Click here for a larger image]]<br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
: [[File:Lab1_domainname.png|link=https://wiki.ihitc.net/mediawiki/images/5/5a/Lab1_domainname.png|500px]]<br />
: [[Media:Lab1_domainname.png|Click here for a larger images]]<br />
* Set the root password to something you will NOT FORGET, this is the administrator account, ''cisco'' might be a good choice for our purposes though that would not be secure for a system directly accessible from the Internet (we are protected by a firewall which you are bypassing via the VPN connection)<br />
* Create a new user account by entering your name. The system will automatically use your first name (all lowercase) as the username and then you should set the password to another password you will not forget<br />
* Select your timezone<br />
* Choose "Guided - Use entire disk" as the partitioning method and select the ''sda'' drive and "All files in one partition" as the partitioning scheme, "Finish partitioning and write the changes to the disk", and then finally confirm you want to write the changes.<br />
* You do not want to scan any other CDs or DVDs at this time.<br />
* You want to select a mirror located close to you with good speed. Because your VM is actually running from the campus and is connected to the campus Internet connection a good option is "debian.uchicago.edu" with no http proxy.<br />
* Choose whether you want to participate in the package usage survey, for our purposes either choice is just fine.<br />
* On the software selection screen UNSELECT "Debian desktop environment" and "Print server" and make sure that "SSH server" and "Standard system utilities" are the only two selected options.<br />
:'' Note: To select and unselect options move your cursor over the option and press the space bar.<br />
* Choose that yes you want to install GRUB to the master boot record on the ''/dev/sda'' device.<br />
<li>Complete the installation</li><br />
: When the installation is complete you can select continue to "eject" the virtual CD and reboot into the new install<br />
</ol><br />
<br />
==Install Basic Tools==<br />
<ol><br />
<li>Install '''sudo''' from the command line using:<br />
: ''Note: A good practice is to update your system before installing any packages, this should be completed using '''apt update''', ensure to use '''sudo''' when not logged in as root.<br />
: <code>apt update</code><br />
: <code>apt install sudo</code></li><br />
: For security purposes it is usually the case that you do not want to log in as the root user. Instead, best practice is to log in as a standard user and then execute specific commands that require root access with administrative privileges through the '''sudo''' program. The '''sudo''' program is not installed by default so after you have logged in to the root account enter '''apt update''' and press enter which will update the list of software available for installation and then '''apt install sudo''' and press enter to install the sudo software.<br />
<li>Add sudo privileges to our standard user account.<br />
:<code>adduser <username> sudo</code></li><br />
: We now need to add our standard user account to the group which is allowed to have administrative access to do this enter the command '''sudo adduser ''<username>'' sudo''' and press enter, replacing ''<username>'' with the name of your standard user account (set during the setup process, probably your first name in lowercase). We'll learn more about these commands later in the course.<br />
<li>Reboot system</li><br />
: <code>shutdown -r now</code><br />
: Reboot your system using the '''shutdown -r now''' command to apply the changes<br />
<li>Log in as your standard user account, determine system IP address.<br />
: Once you are logged in use the following command at the command line to determine the IP address of your system<br />
:<code>ip address show</code></li><br />
: Using the '''ip address show''' command will allow you to check the IP address of your system. The IP address should be something like ''172.17.50.xxx'' and be an ''inet'' address on the ''ens192'' adapter.<br />
: [[File:Lab1_ip_address_show2.PNG|500px]]<br />
<li>Test sudo privileges</li><br />
: Try running the same command as the administrator by typing '''sudo ip address show''', you will need to enter in your password again when you run this command.<br />
: <code>sudo ip address show</code><br />
<li>Install '''open-vm-tools'''</li><br />
: Run the '''sudo apt install open-vm-tools''' command to install the vmWare Tools. You will be prompted about several additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
:<code>sudo apt install open-vm-tools</code><br />
<br><br />
<li>Install nmap</li><br />
:Nmap is a tool we will learn more about later in the course but it will likely be used to check many of the labs for completion while working through the course. This course's labwork often builds upon the work you have done in previous labs. The self-check scripts are to assist you in ensuring you have not missed any ''critical'' steps in your work that would affect your success in subsequent labs.<br />
<br />
:''NOTE: Before we begin the installation of this tool it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning of systems which they are not authorized to do. You have been warned!<br />
:*At this time all you will be doing is installing the tool as it will be used to self-check your lab work to verify you are ready to move on to the next lab.<br />
:* Run the following command at the command line.<br />
:<pre>sudo apt install nmap</pre><br />
: Run the '''sudo apt install nmap''' command to install the nmap tool. You will be prompted about additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
<br />
<li>Exit from the local console</li><br />
: To log out of the console type '''exit''' and press enter.<br />
: Because your Debian Linux server is running as a virtual machine on a vmWare host system in order to achieve the best performance and driver integration we should install the vmWare Tools software package in your virtual machine.<br />
</ol><br />
<br />
== Add User "Ping", Install Webmin==<br />
<ol><br />
<li> Create a new user account '''ping''' using the '''adduser''' program</li><br />
: <code> adduser ping</code><br />
<li> Use the '''links''' browser or '''wget''' to download the '''DEB''' package file from '''[https://www.webmin.com www.webmin.com]'''</li><br />
: ''NOTE: Because this DEB file was downloaded directly instead of automatically by APT from a package repository the installation command is slightly different and some other commands such as '''apt show''' will not work.''<br />
<li>Install the package with '''apt install'''<br />
: <code>apt install ./<filename.deb></code><br />
: Don't forget that installation of software must be done with system administrator permissions.''</li><br />
:[[File:Apt-install-webmin.png | link= https://wiki.ihitc.net/mediawiki/images/f/f8/Apt-install-webmin.png | 500px]]<br />
:[[Media:Apt-install-webmin.png | Click for Larger Image]]<br />
: ''NOTE: You can get similar information to what you can get with '''apt show''' from a '''DEB''' package file using the following command:''<br />
: <code>dpkg -I <filename></code><br />
<li> Notice the additional packages which are required by Webmin (dependencies) which will be downloaded and installed by '''apt''' from a repository in order to complete the installation.</li><br />
<li> Open a web browser on your host system and visit https://xxx.xxx.xxx.xxx:10000 where your IP replaces xxx.xxx.xxx.xxx</li><br />
<li> Login using your Debian username and password </li><br />
<li> Explore the Webmin interface<br />
:[[file:Webmin-dashboard.png | link= https://wiki.ihitc.net/mediawiki/images/0/0f/Webmin-dashboard.png | 500px]]<br />
:[[media:Webmin-dashboard.png | Click for Larger Image]]</li><br />
</ol><br />
<br />
==Set Static IP Address==<br />
<br />
: An important first step is to learn how to diferenciate between network interfaces. Take a look at [https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/ this site] and [https://github.com/systemd/systemd/blob/master/src/udev/udev-builtin-net_id.c#L20 this site] to understand how network interface names in Debian 9 and later are identified.<br />
<ol><br />
<li>Set a static IP for your server</li><br />
:* Using your text editor of choice, open up the file ''/etc/network/interfaces''<br />
:* Notice how it is currently set to dhcp for the ''ens192'' interface.<br />
:* To set a static IP, you will need to change ''iface ens192 inet dhcp'' to ''iface ens192 inet static''.<br />
:* Now, under the iface line you just edited, you will need to enter the address, netmask, and gateway for the static network.<br />
:''' Reminder: it is common practice to indent (tab) static network configuration information in the interfaces file.<br />
'' Note: Your configuration should be similar to this:<br />
<pre>allow-hotplug ens192<br />
iface ens192 inet static<br />
address xxx.xxx.xxx.xxx<br />
netmask 255.255.255.0<br />
gateway 172.17.50.1<br />
dns-nameservers 172.17.139.11 172.17.139.111</pre><br />
: * Now save the file, and exit your file editor.<br />
<li>Apply your static IP address</li><br />
: * Now we are going to apply the static IP change. Try using '''ip address show''' to view your active configuration now and you should see that your old address is still active.<br />
:''NOTE: You should only make network configuration changes when you have physical access to a machine. This way, if you mess up your configuration you will be able to fix it from a local console.''' If you lose working SSH access to your system after making these changes you'll need to connect in through the NetLab console interface (which is equivalent to physical access) and find and correct your configuration issues.<br />
:* Using the '''ifdown''' and '''ifup''' command, we are going to restart the network interface, this step is required to apply the change.<br />
'' Note: A good method to watch this change is to have to ping windows open on your local machine ping both your old IP address and your new IP address with a '''ping 172.17.50.xx -t''' this will allow you to see how quickly the change will happen. The first image below is with the DHCP address, the second is after the static address is applied.<br />
:[[File:Lab5_ping_ifup_ifdown.png|link=https://wiki.ihitc.net/mediawiki/images/2/2f/Lab5_ping_ifup_ifdown.png|500px]]<br />
:[[Media:Lab5_ping_ifup_ifdown.png|Click here for a larger image]]<br />
:* In a SSH terminal, run '''sudo ifdown ens192 && sudo ifup ens192'''. Notice the two ''&&'' symbols. This tells the Linux shell that it should run the second command right after the first. If we do not define this, then we would be left with a machine that has its networking turned off.<br />
: <code>sudo ifdown ens192 && sudo ifup ens192</code><br />
'' Note: you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
:* At this point, your machine should now be using a static address. You may receive an error message indicating that an address cannot be assigned which is related to your old DHCP address still being on the interface as well. Use '''ip address show''' to verify the new IP address is assigned to the interface.<br />
<li>Verify the new static IP address</li><br />
:* Used a '''ping''' command from your local PC to try pinging both the old DHCP address as well as your new static address of your VM. <br />
:* Once you have verified the VM is responding on the new static IP address reboot the system to ensure the old DHCP address is removed by restarting your VM with '''sudo shutdown -r now''' Note you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
<li>Reconnect through SSH to your new IP address and verify it is now applied using the '''ip address show''' command.</li><br />
</ol><br />
<br />
==DNS Section==<br />
<ol><br />
<li>First you will need to install BIND. to install it, use the package manager to install '''bind9'''</li><br />
<li>Open up ''/etc/bind/named.conf.options''</li><br />
<ul><br />
* You will also need to replace 0.0.0.0 with 172.17.139.11 for outside DNS lookups to function correctly.</ul><br />
: [[File:Bind_named_conf.png | 500px]]<br />
<li>Next, open up your interfaces file (''/etc/network/interfaces'').</li><br />
<ul><br />
* Change the dns server for the primary network interface to ''127.0.0.1''.</ul><br />
<li>In '''Webmin''', go to ''Servers'', then ''BIND DNS Server''. Under ''Existing DNS Zones'' click on ''Create Master Zone'' and use the following settings:<br />
<pre>Zone type: Forward (Names to Addresses)<br />
Domain name / Network: *.itc2480.campus.ihitc.net<br />
Records file: Automatic<br />
Master server: *.itc2480.campus.ihitc.net.<br />
Email address: root@ *.itc2480.campus.ihitc.net</pre><br />
* '''NOTE:''' the * stands for your system name, "automail" was used when setting the mail server up.</li><br />
<li>To create our ''A record'' which points your domain to an IP address, click the ''Address'' button.</li><br />
* For the ''Name'' enter ''@''.<br />
* In the ''address'' field enter your VM's static IP and click ''Create''.<br />
<li>Create an ''MX'' record for the domain which directs mail for your delegated domain to your system as well. (This will involve creating another A record for ''mail.*.itc2480.campus.ihitc.net'' as well).</li><br />
<li>Make sure to apply the changes using the button in the top right that shows two arrows in a cricle.</li><br />
<li>After applying the changes and rebooting everything should be working. just make sure to test it using the nslookup and dig commands.</li><br />
</ol><br />
<br />
==Install Postfix==<br />
<br />
==Auto Reply Configuration==<br />
<ol><br />
<li>Install vacation</li><br />
: Vacation is a Linux package that will auto-respond to received emails for the receiving users. <br />
<code>sudo apt install vacation</code><br />
<li>Run the vacation program in the profile you wish to set up the reply message from</li><br />
<code>vacation</code><br />
<li>Follow the prompts, for now reply with the default answer (Y)</li><br />
: [[File:MAILSVR_vaca_prompts.png|link=https://wiki.ihitc.net/mediawiki/images/7/76/MAILSVR_vaca_prompts.png|500px]]<br />
: [[Media:MAILSVR_vaca_prompts.png|Click here for a larger image]]<br />
<li>Edit the vacation.msg file</li><br />
<code>nano vacation.msg</code> <br />
: [[File:MAILSVR_vaca_msg.png|link=https://wiki.ihitc.net/mediawiki/images/b/b9/MAILSVR_vaca_msg.png|500px]]<br />
: [[Media:MAILSVR_vaca_msg.png|Click for a larger image]]<br />
:* Enter the message that you would like to have in the auto-response.<br />
<li>Set the response to auto mail every message</li><br />
: The default response is every one week to send an auto-reply, for our use it is important to reply to every email.<br />
<code>vacation -i -r 0</code><br />
: ''NOTE: It is important to understand this command sets the auto-reply delay. Using the '''-r 0''' sets the vacation program to reply to EVERY message it receives. In a production environment, this is not recommended as it can create mail loops.<br />
<li>Test your reply message from the CLI '''mailutils''' package or the MTA chosen to use on client computers</li><br />
</ol><br />
<br />
==Auto Maildir Clean Up==<br />
<ol><br />
<li>Create script to delete emails older than 45 days</li><br />
:''NOTE: The script must be owned by root and executable. Additionally, the crontab must be created with sudo priviledges<br />
:<code>sudo nano '''<scriptname.sh>'''</code><br />
<pre><br />
#!/bin/bash<br />
find /home/testuser/Maildir/cur -type f -mtime +45 -exec rm {} \;<br />
find /home/testuser/Maildir/new -type f -mtime +45 -exec rm {} \;<br />
find /home/testuser/Maildir/tmp -type f -mtime +45 -exec rm {} \;<br />
</pre><br />
:[[File:MAILSVR_emailflush_sh.png|link=https://wiki.ihitc.net/mediawiki/images/b/b5/MAILSVR_emailflush_sh.png|500px]]<br />
:[[Media:MAILSVR_emailflush_sh.png|Click here for a larger image]]<br />
<li>Make executable</li><br />
:<code>sudo chmod +x '''<sciptname.sh>'''</code><br />
<li>Create a '''crontab''' job</li><br />
:<code>sudo crontab -e</code><br />
: ''NOTE: the astricks at the start of the following command are respective to the scheduling of time. A good additional resource for '''cron''' can be found at [https://vitux.com/how-to-setup-a-cron-job-in-debian-10 Vitux]. Each astrik represents [Minute] [hour] [Day_of_the_Month] [Month_of_the_Year] [Day_of_the_Week] <br />
:* Add the following line to the chrontab file to schedule the job at 8PM every day.<br />
<pre>* 20 * * * * /home/ping/scriptname.sh</pre><br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_10_mnjk&diff=9545Lab 10 mnjk2021-03-02T01:36:35Z<p>JonQuinn: /* Checking your Work */</p>
<hr />
<div>=Introduction=<br />
'''''[https://www.youtube.com/watch?v=dQw4w9WgXcQ Watch the video introduction]'''''<br />
<br />
This lab assumes you have successfully set up [[Lab_8_mnjk#Install_BIND_.26_Enable_Caching | DNS]] and [[Lab_9_mnjk#Install_the_Postfix_MTA |email]]. If you had any issues with those labs, you should resolve them before attempting this lab, since you will be unable to properly test the tasks in this lab if those are not fully functional.<br />
<br />
In this lab you will perform the following tasks:<br />
*Configuring a [https://firewalld.org/ Firewall]<br />
*Enabling a 2nd interface<br />
*Configuring [https://en.wikipedia.org/wiki/Network_address_translation NAT]<br />
*Setting up [https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol DHCP]<br />
*Installing [https://linuxmint.com/ Linux Mint] on a second VM<br />
*Enabling [https://en.wikipedia.org/wiki/Port_forwarding Port Forwarding]<br />
<br />
You will be introduced to the following commands:<br />
*'''[https://firewalld.org/documentation/man-pages/firewall-cmd.html firewall-cmd]'''<br />
*'''[https://linux.die.net/man/1/echo echo]'''<br />
*'''[https://linux.die.net/man/8/ifconfig ifconfig]'''<br />
<br />
=Lab Procedure=<br />
== Prerequisites ==<br />
# Open an SSH console to your Linux system using the PuTTY software.<br />
# Login with your standard user account.<br />
# Have a browser window set to the webmin interface for your linux VM.<br />
<br />
== Configure a Firewall ==<br />
''NOTE: It is suggested that instead of managing a firewall directly using nftables tools (which would also require us to create a script to reload our rules each time the system is restarted) we use a firewall daemon program to manage it based on a set of rules we create and automatically setup the firewall based on those rules each time the system boots. There are many command line firewall management programs out there but for this lab we will use the [https://firewalld.org/ firewalld] package suggested by Debian. ''<br />
<ol><br />
<li>Begin by installing the ''firewalld'' package on your system.</li><br />
<li>First, let's check to see if the firewall is now up and running using the following command:</li><br />
<code>firewall-cmd --state</code><br />
: The firewall has been pre-configured with a couple of rules in it to prevent us from getting locked out. <br />
: [[File:Lab10_firewalld_state.png | link=https://wiki.ihitc.net/mediawiki/images/1/11/Lab10_firewalld_state.png|500px]]<br />
: [[Media:Lab10_firewalld_state.png | Click for larger image]]<br />
<li>Let's see what those rules are by using this command: </li><br />
<code>firewall-cmd --list-all</code><br />
: [[File:Lab10_firewalld_initial_rules.png | link=https://wiki.ihitc.net/mediawiki/images/1/14/Lab10_firewalld_initial_rules.png|500px]]<br />
: [[Media:Lab10_firewalld_initial_rules.png | Click for larger image]]<br />
: By default all interfaces are in the public zone (this is set in the ''/etc/firewalld/firewalld.conf'' file). <br />
: Before we start working on rules for our firewall we should assign our outside interface to the external zone which is designed for NAT routing which we'll be setting up shortly. <br />
<li> We can do this with the command:</li><br />
<code>firewall-cmd --zone=external --add-interface=ens192</code><br />
: We can create custom zones or use pre-defined security zones which will speed up configuring the firewall. Learn more about the [https://firewalld.org/documentation/zone/predefined-zones.html pre-defined zones in firewalld documentation].<br />
<li>Since we have changed zones on our interface let's check and see what rules we have started with. Let's see what those rules are:</li><br />
<code>firewall-cmd --zone=external --list-all</code><br />
: ''NOTE: You can also use the '''firewall-cmd --list-all-zones''' command to see a list of all available zones and their rules.</li>''<br />
: If you were watching carefully you may have noted that the dhcpv6-client service which was allowed in the public zone but is not allowed by default on the external zone. <br />
<li>In our case we want to allow DHCPv6 to operate on our outside interface so we can re-enable it with the following command: </li><br />
<code> firewall-cmd --zone=external --add-service="dhcpv6-client"</code><br />
<li>Check to see what other services can be allowed on an interface with:</li><br />
<code>firewall-cmd --get-services</code><br />
: If you check you will see that although you can connect with ssh (by default it's on the allowed service list you saw above) you can't connect to your webserver or Webmin anymore. Webmin is not a pre-defined service in the list we saw above so we could either set it up as a new service and then allow it or we could create a manual rule to allow the TCP traffic on port 10000 needed to access Webmin. In this case because the service only uses a single port and to see how manual rules can be created let's manually create a rule to allow access to TCP port 10000. <br />
<li>Do this by running this command: </li><br />
<code>firewall-cmd --zone=external --add-port=10000/tcp </code><br />
:You should now be able to access Webmin again.<br />
<li> Using either service rules or manual port rules create additional rules so that the other services on your VM are again accessible from the outside (such as from your home PC over the VPN). </li><br />
:''HINT: Services we have setup so far include SSH, DNS, SMTP, IMAP, Samba, and HTTP.''<br />
: Make sure to test and ensure they are all working again!<br />
<li> Once you are satisfied your firewall is running correctly you can use the following command to set these rules to automatically load each time the system is started.</li><br />
<code> firewall-cmd --runtime-to-permanent </code><br />
</ol><br />
<br />
== Setup a 2nd NIC Interface ==<br />
To start this lab we will need to configure a second network interface, named ens224 on our virtual machines. In our simulated setup our existing ens192 interface will be our WAN interface and ens224 will be our LAN interface which could be connected to a switch and then to multiple allow other computers which will connect to the Internet through our server.<br />
<ol><br />
<li> Open ''/etc/network/interfaces'' with your favorite text editor. </li><br />
* Go to the bottom of the file.<br />
: [[File:Lab10_network_interfaces_before.png | link=https://wiki.ihitc.net/mediawiki/images/f/f8/Lab10_network_interfaces_before.png|500px]]<br />
: [[Media:Lab10_network_interfaces_before.png | Click for larger image]]<br />
* Add the following to configure the second interface with a static IP of 192.168.1.1/24:<br />
<pre>auto ens224<br />
iface ens224 inet static<br />
address 192.168.1.1<br />
netmask 255.255.255.0</pre></li><br />
<br />
: [[File:Lab10_network_interfaces_after.png | link=https://wiki.ihitc.net/mediawiki/images/8/80/Lab10_network_interfaces_after.png|500px]]<br />
: [[Media:Lab10_network_interfaces_after.png | Click for larger image]]<br />
: ''NOTE: As this is a LAN only interface, we do not need to define a gateway for the server VM, as the server VM itself will be the gateway for this network.''<br />
<li>Once this is done, save the file <br />
<li> Run the following command to enable the new interface.</li><br />
<code>ifup ens224</code><br />
<li>Verify the second interface is up and running with the correct IP address</li><br />
</ol><br />
<br />
== Enable Routing ==<br />
Now we will need to enable NAT so we can route LAN traffic to the Internet and responding Internet traffic back to our LAN interface.<br />
<ol><br />
<li>In your console, you will need to edit ''/etc/sysctl.conf''. This file is used to change and tweak multiple system variables. </li><br />
* Scroll down until you find the following:<br />
<pre># Uncomment the next line to enable packet forwarding for IPv4<br />
#net.ipv4.ip_forward=1<br />
</pre><br />
* Follow the instructions in the file to enable packet forwarding in the kernel. <br />
: [[File:Lab10_sysctl_after.png | link=https://wiki.ihitc.net/mediawiki/images/1/1e/Lab10_sysctl_after.png|500px]]<br />
: [[Media:Lab10_sysctl_after.png | Click for larger image]]<br />
* When you are done, save the file.<br />
: Changes to the ''sysctl.conf'' file require a reboot, but most can be set without a reboot by echoing response codes to "files" in ''/proc''. <br />
<li> We will get into that more in a later chapter, but for now run the following command to enable ip_forwarding without rebooting the machine: </li><br />
<code>'''echo 1 > /proc/sys/net/ipv4/ip_forward</code><br />
: ''NOTE: If you are receiving an error when trying to run that command it's likely that the user you are running it as does not have permission to modify the '''/proc/sys/net/ipv4/ip_forward''' file (check the permissions by using '''ls'''). Read [http://stackoverflow.com/questions/82256/how-do-i-use-sudo-to-redirect-output-to-a-location-i-dont-have-permission-to-wr this similar question] for more details and possible solutions.''<br />
</ol><br />
<br />
== Setup a DHCP Server ==<br />
To setup a DHCP server, we will first need to install the required software. <br />
<ol><br />
<li>In your SSH console use your favorite package manager to install the ''isc-dhcp-server'' package.</li><br />
: After you install the package you may get a warning about ''isc-dhcp-server'' being unable to start. This is normal as we have yet to define the interface and settings we want used.<br />
<li>Now back in Webmin, select the Refresh Modules option. .</li><br />
* After it is done, go to Servers, then DHCP Server<br />
: Before we define our DHCP range, we need to set our listening interface. <br />
* Click on the ''Edit Network Interface'' option. <br />
*Select ''ens224''. <br />
* Press save.<br />
<li>Now under Subnets and Shared Networks, select Add a new subnet. </li><br />
* Use the following settings:<br />
<pre>Subnet description: LAN DHCP Range<br />
Network Address: 192.168.1.0<br />
Netmask: 255.255.255.0<br />
Address Ranges: 192.168.1.100-192.168.1.254</pre><br />
: [[File:Lab10_webmin_dhcp_create_subnet.png | link=https://wiki.ihitc.net/mediawiki/images/4/4e/Lab10_webmin_dhcp_create_subnet.png|500px]]<br />
: [[Media:Lab10_webmin_dhcp_create_subnet.png | Click for larger image]]<br />
* When you are done, press Create. <br />
* Now, click on the network you just created to review the settings, then press Edit Client Options at the bottom.<br />
: From here we will setup the default gateway and DNS servers for the clients to use. <br />
<li> Under Default Routers, set the option to 192.168.1.1 <br />
* Under DNS servers, set it to 192.168.1.1. <br />
: [[File:Lab10_webmin_dhcp_client_options.png | link=https://wiki.ihitc.net/mediawiki/images/d/d7/Lab10_webmin_dhcp_client_options.png|500px]]<br />
: [[Media:Lab10_webmin_dhcp_client_options.png | Click for larger image]]<br />
: Notice how we are setting these options to the IP of ens224 that we setup. This is because our Linux VM will act as the router and DNS for our clients as well.<br />
* When you are done, press save<br />
* Then on the Edit Subnet page, press save again.<br />
<li>Now that you are back on the DHCP server page, press the Start Server button. <br />
: If all goes well, the button should change to "Stop Server". If this does not happen, then the server was unable start. If that happens, re-check your DHCP server configurations to make sure everything is correct.<br />
</ol><br />
<br />
== Enabling NAT and Firewall Rules for the LAN ==<br />
Now we will use firewalld to setup NAT so that we can use private addresses on our internal LAN but still have access to the public Internet. <br />
<ol><br />
<li>First, let's set our ens224 interface (LAN) to be in the internal zone with the following command.</li><br />
<code>firewall-cmd --zone=internal --add-interface=ens224</code><br />
<li>You should now take a minute to allow all of the same services and ports on the internal network that you have allowed on the external network. </li><br />
:In other words, make sure that Webmin, Samba, DNS, etc. are also allowed on the internal zone.<br />
:In order to activate NAT you need to turn on the "masquerade" feature on your outside interface. This is probably already done if you correctly assigned your outside interface to the pre-defined external zone (it's one of the features of that zone). <br />
: ''HINT: you can do this manually as well in case you setup a custom zone by running the '''firewall-cmd --add-masquerade --zone=external''' command.''<br />
: While routing and NAT should be working for hosts on your LAN interface now they probably still can't get an IP address! Just like all the other services being blocked by the firewall DHCP is also blocked unless you specifically allow it. <br />
<li>To do this run the following command:</li><br />
<code>firewall-cmd --add-service=dhcp --zone=internal</code><br />
<li>Once you are satisfied your firewall is running correctly you can use this command to set these rules to automatically load each time the system is started.</li><br />
<code>firewall-cmd --runtime-to-permanent</code></ol><br />
<br />
== Setup a 2nd VM as a LAN Host ==<br />
Now we are going to setup a 2nd VM on the VMware server so we can have a client to connect to the LAN network segment we just created. For this though, we will be using Linux Mint instead of Debian so we have a graphical user interface to help us with testing.<br />
<ol><br />
<li> You'll need to make a Netlab reservation to work with your Mint system's GUI so go ahead and do that. </li><br />
* Enter the lab on Netlab<br />
* Click the "Linux Desktop" tab to access your Mint machine.<br />
: The VM should be booting from a Linux Mint virtual CD image. <br />
<li> Get Linux Mint installed using the link on the desktop.</li><br />
: Installation settings are not critical as we'll be using the system primarily to explore a Linux GUI and to test web browsing capability from our private network.<br />
: [[File:Lab10_linux_mint_desktop.png | link=https://wiki.ihitc.net/mediawiki/images/f/f1/Lab10_linux_mint_desktop.png|500px]]<br />
: [[Media:Lab10_linux_mint_desktop.png | Click for larger image]]<br />
: ''NOTE: By default Linux Mint will boot into a "Live CD" environment where you can use the system without installing. However, the Live CD environment is much slower and memory limited compared with a full installation to the hard drive so be sure to start an installation and reboot into the installed copy instead of from the Live CD. You will know you're working from an installed copy if you are prompted for your username and password when logging in and don't see a link on the desktop to Install Linux Mint anymore.''<br />
<li> Once you have Linux Mint installed, reboot the machine and login. </li><br />
: Hopefully the machine is able to connect to the Internet through your Debian server which is acting as a DHCP server and router (see the topology diagram tab in Netlab to see a diagram of how they are connected).<br />
<li> Press the Menu icon in the lower left corner, and enter "Terminal". </li><br />
* Then, open the terminal application.<br />
<li> You now have a shell on the system. From here, use the following command to check your network settings. </li><br />
<code>ip address show</code><br />
: Notice how you have a IP from the DHCP pool we created earlier. <br />
<li> Now try pinging ''172.17.50.1''. </li><br />
: Are you able to ping? If so, NAT is working properly on your network because the 172.17.50.0/24 network is outside of the LAN segment this machine is attached to (192.168.1.0/24).<br />
: ''NOTE: Notice how some Linux distributions like Mint haven't switched from the old naming of network interfaces with ''eth'' to the new ''ens'' style. You can also try using the older '''ifconfig''' way of checking the IP address and compare the output to the new '''ip address show''' method which we have been using so far in Debian.''<br />
<li> Now run '''ping google.com'''. </li><br />
: If you are able to ping, this shows that not only is NAT working, but DNS resolving as well.<br />
<li> Open a web browser on the system (you can use a graphical browser this time since you have a GUI) and test browsing to a few websites.</li><br />
: At this point we have a fully functional LAN environment.<br />
<li> In order to allow automatic safe shutdown of your Linux Mint system and improve speed/efficiency use the package manager to install the ''open-vm-tools-desktop'' package. </li><br />
:This provides better drivers and integration between the vmWare host which is running your Linux Mint virtual machine and the virtual machine itself.<br />
<li> Finally, in the next section we'll be setting up SSH access to Mint through the Firewall so you'll want to install the ''openssh-server package'' through the package manager. </li><br />
: Once you've done this you should be able to use the ssh program on the command line in Debian to access your Mint system like '''ssh mintusername@192.168.1.x''' where you are using a valid username on the Mint system and the IP address of the Mint system.<br />
<li> Spend a few more minutes exploring the functionality of the Linux GUI and desktop.</li></ol><br />
<br />
== Port Forwarding and Firewalling ==<br />
Now we are going to enable port forwarding to our VM. This will allow you to access the 2nd VM from the ITC network and VPN.<br />
Because we are already using port 22 on our outside interface to provide SSH access to our main Debian system we need to use a different port to access the Mint system. Instead of changing the port number in the SSH server software on Mint we can have our firewall do it at the same time the NAT masquerading is occurring. <br />
<ol><br />
<li>Set up a rule by running the following command:</li><br />
<code>firewall-cmd --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=192.168.1.100 --zone=external</code><br />
:NOTE: this rule is a little unstable because it forwards the port to 192.168.1.100 which is currently the IP of our Mint system (if yours has a different IP you should change it in the command) but because that system gets an IP from DHCP it is subject to change which would break the rule. Therefore, if we wanted this to be stable in the long term, we would want to set up a static IP on any machines we were forwarding ports to.<br />
:''HINT: If your connection is refused, it may be because SSH is not installed in Mint. Try installing SSH using the package manager or apt.''<br />
<li> From a computer on the ITC network, such as one connected to the VPN, try to SSH to port 2222 on the outside (172.17.50.xx) IP address of your Debian system. </li><br />
:If everything was set up successfully, you should be able to sign into the Mint VM based on the port forwarding rule we have put in place.<br />
<li> Once you are satisfied your firewall is running correctly you can use the following command to set these rules to automatically load each time the system is started.</li><br />
<code>firewall-cmd --runtime-to-permanent</code><br><br />
</ol><br />
When you are done testing this section of the lab please power off your new Linux Mint VM as these require far more resources to run than the Debian VMs on our servers.<br><br />
: [[File:Lab10_linux_mint_shutdown.png | link=https://wiki.ihitc.net/mediawiki/images/1/1c/Lab10_linux_mint_shutdown.png|500px]]<br />
: [[Media:Lab10_linux_mint_shutdown.png | Click for larger image]]<br />
<br />
=Checking your Work=<br />
For this lab there are many things you need to check.<br />
<br />
#Firewall - attempt to connect using FTP on port 21, this should fail<br />
#SSH - connect using FTP on port 22<br />
#DNS - navigate to url of server<br />
#SMTP - send a mail to auto-respond server<br />
#IMAP - receive a mail from auto-respond server<br />
#Samba - Create a file on server using file sharing<br />
#HTTP - Navigate to ip address of server<br />
#Webmin - Navigate to <your-ip>:10000<br />
#PuTTY into linux mint using your ip address and port 2222<br />
#Linux Mint DNS/NAT - ping google.com from within Linux Mint<br><br><br />
<br><br />
Run this script to automatically check your lab<br><br />
<code> curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_10_test.py | sudo python3 </code></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_10_mnjk&diff=9544Lab 10 mnjk2021-03-02T01:36:21Z<p>JonQuinn: /* Checking your Work */</p>
<hr />
<div>=Introduction=<br />
'''''[https://www.youtube.com/watch?v=dQw4w9WgXcQ Watch the video introduction]'''''<br />
<br />
This lab assumes you have successfully set up [[Lab_8_mnjk#Install_BIND_.26_Enable_Caching | DNS]] and [[Lab_9_mnjk#Install_the_Postfix_MTA |email]]. If you had any issues with those labs, you should resolve them before attempting this lab, since you will be unable to properly test the tasks in this lab if those are not fully functional.<br />
<br />
In this lab you will perform the following tasks:<br />
*Configuring a [https://firewalld.org/ Firewall]<br />
*Enabling a 2nd interface<br />
*Configuring [https://en.wikipedia.org/wiki/Network_address_translation NAT]<br />
*Setting up [https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol DHCP]<br />
*Installing [https://linuxmint.com/ Linux Mint] on a second VM<br />
*Enabling [https://en.wikipedia.org/wiki/Port_forwarding Port Forwarding]<br />
<br />
You will be introduced to the following commands:<br />
*'''[https://firewalld.org/documentation/man-pages/firewall-cmd.html firewall-cmd]'''<br />
*'''[https://linux.die.net/man/1/echo echo]'''<br />
*'''[https://linux.die.net/man/8/ifconfig ifconfig]'''<br />
<br />
=Lab Procedure=<br />
== Prerequisites ==<br />
# Open an SSH console to your Linux system using the PuTTY software.<br />
# Login with your standard user account.<br />
# Have a browser window set to the webmin interface for your linux VM.<br />
<br />
== Configure a Firewall ==<br />
''NOTE: It is suggested that instead of managing a firewall directly using nftables tools (which would also require us to create a script to reload our rules each time the system is restarted) we use a firewall daemon program to manage it based on a set of rules we create and automatically setup the firewall based on those rules each time the system boots. There are many command line firewall management programs out there but for this lab we will use the [https://firewalld.org/ firewalld] package suggested by Debian. ''<br />
<ol><br />
<li>Begin by installing the ''firewalld'' package on your system.</li><br />
<li>First, let's check to see if the firewall is now up and running using the following command:</li><br />
<code>firewall-cmd --state</code><br />
: The firewall has been pre-configured with a couple of rules in it to prevent us from getting locked out. <br />
: [[File:Lab10_firewalld_state.png | link=https://wiki.ihitc.net/mediawiki/images/1/11/Lab10_firewalld_state.png|500px]]<br />
: [[Media:Lab10_firewalld_state.png | Click for larger image]]<br />
<li>Let's see what those rules are by using this command: </li><br />
<code>firewall-cmd --list-all</code><br />
: [[File:Lab10_firewalld_initial_rules.png | link=https://wiki.ihitc.net/mediawiki/images/1/14/Lab10_firewalld_initial_rules.png|500px]]<br />
: [[Media:Lab10_firewalld_initial_rules.png | Click for larger image]]<br />
: By default all interfaces are in the public zone (this is set in the ''/etc/firewalld/firewalld.conf'' file). <br />
: Before we start working on rules for our firewall we should assign our outside interface to the external zone which is designed for NAT routing which we'll be setting up shortly. <br />
<li> We can do this with the command:</li><br />
<code>firewall-cmd --zone=external --add-interface=ens192</code><br />
: We can create custom zones or use pre-defined security zones which will speed up configuring the firewall. Learn more about the [https://firewalld.org/documentation/zone/predefined-zones.html pre-defined zones in firewalld documentation].<br />
<li>Since we have changed zones on our interface let's check and see what rules we have started with. Let's see what those rules are:</li><br />
<code>firewall-cmd --zone=external --list-all</code><br />
: ''NOTE: You can also use the '''firewall-cmd --list-all-zones''' command to see a list of all available zones and their rules.</li>''<br />
: If you were watching carefully you may have noted that the dhcpv6-client service which was allowed in the public zone but is not allowed by default on the external zone. <br />
<li>In our case we want to allow DHCPv6 to operate on our outside interface so we can re-enable it with the following command: </li><br />
<code> firewall-cmd --zone=external --add-service="dhcpv6-client"</code><br />
<li>Check to see what other services can be allowed on an interface with:</li><br />
<code>firewall-cmd --get-services</code><br />
: If you check you will see that although you can connect with ssh (by default it's on the allowed service list you saw above) you can't connect to your webserver or Webmin anymore. Webmin is not a pre-defined service in the list we saw above so we could either set it up as a new service and then allow it or we could create a manual rule to allow the TCP traffic on port 10000 needed to access Webmin. In this case because the service only uses a single port and to see how manual rules can be created let's manually create a rule to allow access to TCP port 10000. <br />
<li>Do this by running this command: </li><br />
<code>firewall-cmd --zone=external --add-port=10000/tcp </code><br />
:You should now be able to access Webmin again.<br />
<li> Using either service rules or manual port rules create additional rules so that the other services on your VM are again accessible from the outside (such as from your home PC over the VPN). </li><br />
:''HINT: Services we have setup so far include SSH, DNS, SMTP, IMAP, Samba, and HTTP.''<br />
: Make sure to test and ensure they are all working again!<br />
<li> Once you are satisfied your firewall is running correctly you can use the following command to set these rules to automatically load each time the system is started.</li><br />
<code> firewall-cmd --runtime-to-permanent </code><br />
</ol><br />
<br />
== Setup a 2nd NIC Interface ==<br />
To start this lab we will need to configure a second network interface, named ens224 on our virtual machines. In our simulated setup our existing ens192 interface will be our WAN interface and ens224 will be our LAN interface which could be connected to a switch and then to multiple allow other computers which will connect to the Internet through our server.<br />
<ol><br />
<li> Open ''/etc/network/interfaces'' with your favorite text editor. </li><br />
* Go to the bottom of the file.<br />
: [[File:Lab10_network_interfaces_before.png | link=https://wiki.ihitc.net/mediawiki/images/f/f8/Lab10_network_interfaces_before.png|500px]]<br />
: [[Media:Lab10_network_interfaces_before.png | Click for larger image]]<br />
* Add the following to configure the second interface with a static IP of 192.168.1.1/24:<br />
<pre>auto ens224<br />
iface ens224 inet static<br />
address 192.168.1.1<br />
netmask 255.255.255.0</pre></li><br />
<br />
: [[File:Lab10_network_interfaces_after.png | link=https://wiki.ihitc.net/mediawiki/images/8/80/Lab10_network_interfaces_after.png|500px]]<br />
: [[Media:Lab10_network_interfaces_after.png | Click for larger image]]<br />
: ''NOTE: As this is a LAN only interface, we do not need to define a gateway for the server VM, as the server VM itself will be the gateway for this network.''<br />
<li>Once this is done, save the file <br />
<li> Run the following command to enable the new interface.</li><br />
<code>ifup ens224</code><br />
<li>Verify the second interface is up and running with the correct IP address</li><br />
</ol><br />
<br />
== Enable Routing ==<br />
Now we will need to enable NAT so we can route LAN traffic to the Internet and responding Internet traffic back to our LAN interface.<br />
<ol><br />
<li>In your console, you will need to edit ''/etc/sysctl.conf''. This file is used to change and tweak multiple system variables. </li><br />
* Scroll down until you find the following:<br />
<pre># Uncomment the next line to enable packet forwarding for IPv4<br />
#net.ipv4.ip_forward=1<br />
</pre><br />
* Follow the instructions in the file to enable packet forwarding in the kernel. <br />
: [[File:Lab10_sysctl_after.png | link=https://wiki.ihitc.net/mediawiki/images/1/1e/Lab10_sysctl_after.png|500px]]<br />
: [[Media:Lab10_sysctl_after.png | Click for larger image]]<br />
* When you are done, save the file.<br />
: Changes to the ''sysctl.conf'' file require a reboot, but most can be set without a reboot by echoing response codes to "files" in ''/proc''. <br />
<li> We will get into that more in a later chapter, but for now run the following command to enable ip_forwarding without rebooting the machine: </li><br />
<code>'''echo 1 > /proc/sys/net/ipv4/ip_forward</code><br />
: ''NOTE: If you are receiving an error when trying to run that command it's likely that the user you are running it as does not have permission to modify the '''/proc/sys/net/ipv4/ip_forward''' file (check the permissions by using '''ls'''). Read [http://stackoverflow.com/questions/82256/how-do-i-use-sudo-to-redirect-output-to-a-location-i-dont-have-permission-to-wr this similar question] for more details and possible solutions.''<br />
</ol><br />
<br />
== Setup a DHCP Server ==<br />
To setup a DHCP server, we will first need to install the required software. <br />
<ol><br />
<li>In your SSH console use your favorite package manager to install the ''isc-dhcp-server'' package.</li><br />
: After you install the package you may get a warning about ''isc-dhcp-server'' being unable to start. This is normal as we have yet to define the interface and settings we want used.<br />
<li>Now back in Webmin, select the Refresh Modules option. .</li><br />
* After it is done, go to Servers, then DHCP Server<br />
: Before we define our DHCP range, we need to set our listening interface. <br />
* Click on the ''Edit Network Interface'' option. <br />
*Select ''ens224''. <br />
* Press save.<br />
<li>Now under Subnets and Shared Networks, select Add a new subnet. </li><br />
* Use the following settings:<br />
<pre>Subnet description: LAN DHCP Range<br />
Network Address: 192.168.1.0<br />
Netmask: 255.255.255.0<br />
Address Ranges: 192.168.1.100-192.168.1.254</pre><br />
: [[File:Lab10_webmin_dhcp_create_subnet.png | link=https://wiki.ihitc.net/mediawiki/images/4/4e/Lab10_webmin_dhcp_create_subnet.png|500px]]<br />
: [[Media:Lab10_webmin_dhcp_create_subnet.png | Click for larger image]]<br />
* When you are done, press Create. <br />
* Now, click on the network you just created to review the settings, then press Edit Client Options at the bottom.<br />
: From here we will setup the default gateway and DNS servers for the clients to use. <br />
<li> Under Default Routers, set the option to 192.168.1.1 <br />
* Under DNS servers, set it to 192.168.1.1. <br />
: [[File:Lab10_webmin_dhcp_client_options.png | link=https://wiki.ihitc.net/mediawiki/images/d/d7/Lab10_webmin_dhcp_client_options.png|500px]]<br />
: [[Media:Lab10_webmin_dhcp_client_options.png | Click for larger image]]<br />
: Notice how we are setting these options to the IP of ens224 that we setup. This is because our Linux VM will act as the router and DNS for our clients as well.<br />
* When you are done, press save<br />
* Then on the Edit Subnet page, press save again.<br />
<li>Now that you are back on the DHCP server page, press the Start Server button. <br />
: If all goes well, the button should change to "Stop Server". If this does not happen, then the server was unable start. If that happens, re-check your DHCP server configurations to make sure everything is correct.<br />
</ol><br />
<br />
== Enabling NAT and Firewall Rules for the LAN ==<br />
Now we will use firewalld to setup NAT so that we can use private addresses on our internal LAN but still have access to the public Internet. <br />
<ol><br />
<li>First, let's set our ens224 interface (LAN) to be in the internal zone with the following command.</li><br />
<code>firewall-cmd --zone=internal --add-interface=ens224</code><br />
<li>You should now take a minute to allow all of the same services and ports on the internal network that you have allowed on the external network. </li><br />
:In other words, make sure that Webmin, Samba, DNS, etc. are also allowed on the internal zone.<br />
:In order to activate NAT you need to turn on the "masquerade" feature on your outside interface. This is probably already done if you correctly assigned your outside interface to the pre-defined external zone (it's one of the features of that zone). <br />
: ''HINT: you can do this manually as well in case you setup a custom zone by running the '''firewall-cmd --add-masquerade --zone=external''' command.''<br />
: While routing and NAT should be working for hosts on your LAN interface now they probably still can't get an IP address! Just like all the other services being blocked by the firewall DHCP is also blocked unless you specifically allow it. <br />
<li>To do this run the following command:</li><br />
<code>firewall-cmd --add-service=dhcp --zone=internal</code><br />
<li>Once you are satisfied your firewall is running correctly you can use this command to set these rules to automatically load each time the system is started.</li><br />
<code>firewall-cmd --runtime-to-permanent</code></ol><br />
<br />
== Setup a 2nd VM as a LAN Host ==<br />
Now we are going to setup a 2nd VM on the VMware server so we can have a client to connect to the LAN network segment we just created. For this though, we will be using Linux Mint instead of Debian so we have a graphical user interface to help us with testing.<br />
<ol><br />
<li> You'll need to make a Netlab reservation to work with your Mint system's GUI so go ahead and do that. </li><br />
* Enter the lab on Netlab<br />
* Click the "Linux Desktop" tab to access your Mint machine.<br />
: The VM should be booting from a Linux Mint virtual CD image. <br />
<li> Get Linux Mint installed using the link on the desktop.</li><br />
: Installation settings are not critical as we'll be using the system primarily to explore a Linux GUI and to test web browsing capability from our private network.<br />
: [[File:Lab10_linux_mint_desktop.png | link=https://wiki.ihitc.net/mediawiki/images/f/f1/Lab10_linux_mint_desktop.png|500px]]<br />
: [[Media:Lab10_linux_mint_desktop.png | Click for larger image]]<br />
: ''NOTE: By default Linux Mint will boot into a "Live CD" environment where you can use the system without installing. However, the Live CD environment is much slower and memory limited compared with a full installation to the hard drive so be sure to start an installation and reboot into the installed copy instead of from the Live CD. You will know you're working from an installed copy if you are prompted for your username and password when logging in and don't see a link on the desktop to Install Linux Mint anymore.''<br />
<li> Once you have Linux Mint installed, reboot the machine and login. </li><br />
: Hopefully the machine is able to connect to the Internet through your Debian server which is acting as a DHCP server and router (see the topology diagram tab in Netlab to see a diagram of how they are connected).<br />
<li> Press the Menu icon in the lower left corner, and enter "Terminal". </li><br />
* Then, open the terminal application.<br />
<li> You now have a shell on the system. From here, use the following command to check your network settings. </li><br />
<code>ip address show</code><br />
: Notice how you have a IP from the DHCP pool we created earlier. <br />
<li> Now try pinging ''172.17.50.1''. </li><br />
: Are you able to ping? If so, NAT is working properly on your network because the 172.17.50.0/24 network is outside of the LAN segment this machine is attached to (192.168.1.0/24).<br />
: ''NOTE: Notice how some Linux distributions like Mint haven't switched from the old naming of network interfaces with ''eth'' to the new ''ens'' style. You can also try using the older '''ifconfig''' way of checking the IP address and compare the output to the new '''ip address show''' method which we have been using so far in Debian.''<br />
<li> Now run '''ping google.com'''. </li><br />
: If you are able to ping, this shows that not only is NAT working, but DNS resolving as well.<br />
<li> Open a web browser on the system (you can use a graphical browser this time since you have a GUI) and test browsing to a few websites.</li><br />
: At this point we have a fully functional LAN environment.<br />
<li> In order to allow automatic safe shutdown of your Linux Mint system and improve speed/efficiency use the package manager to install the ''open-vm-tools-desktop'' package. </li><br />
:This provides better drivers and integration between the vmWare host which is running your Linux Mint virtual machine and the virtual machine itself.<br />
<li> Finally, in the next section we'll be setting up SSH access to Mint through the Firewall so you'll want to install the ''openssh-server package'' through the package manager. </li><br />
: Once you've done this you should be able to use the ssh program on the command line in Debian to access your Mint system like '''ssh mintusername@192.168.1.x''' where you are using a valid username on the Mint system and the IP address of the Mint system.<br />
<li> Spend a few more minutes exploring the functionality of the Linux GUI and desktop.</li></ol><br />
<br />
== Port Forwarding and Firewalling ==<br />
Now we are going to enable port forwarding to our VM. This will allow you to access the 2nd VM from the ITC network and VPN.<br />
Because we are already using port 22 on our outside interface to provide SSH access to our main Debian system we need to use a different port to access the Mint system. Instead of changing the port number in the SSH server software on Mint we can have our firewall do it at the same time the NAT masquerading is occurring. <br />
<ol><br />
<li>Set up a rule by running the following command:</li><br />
<code>firewall-cmd --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=192.168.1.100 --zone=external</code><br />
:NOTE: this rule is a little unstable because it forwards the port to 192.168.1.100 which is currently the IP of our Mint system (if yours has a different IP you should change it in the command) but because that system gets an IP from DHCP it is subject to change which would break the rule. Therefore, if we wanted this to be stable in the long term, we would want to set up a static IP on any machines we were forwarding ports to.<br />
:''HINT: If your connection is refused, it may be because SSH is not installed in Mint. Try installing SSH using the package manager or apt.''<br />
<li> From a computer on the ITC network, such as one connected to the VPN, try to SSH to port 2222 on the outside (172.17.50.xx) IP address of your Debian system. </li><br />
:If everything was set up successfully, you should be able to sign into the Mint VM based on the port forwarding rule we have put in place.<br />
<li> Once you are satisfied your firewall is running correctly you can use the following command to set these rules to automatically load each time the system is started.</li><br />
<code>firewall-cmd --runtime-to-permanent</code><br><br />
</ol><br />
When you are done testing this section of the lab please power off your new Linux Mint VM as these require far more resources to run than the Debian VMs on our servers.<br><br />
: [[File:Lab10_linux_mint_shutdown.png | link=https://wiki.ihitc.net/mediawiki/images/1/1c/Lab10_linux_mint_shutdown.png|500px]]<br />
: [[Media:Lab10_linux_mint_shutdown.png | Click for larger image]]<br />
<br />
=Checking your Work=<br />
For this lab there are many things you need to check.<br />
<br />
#Firewall - attempt to connect using FTP on port 21, this should fail<br />
#SSH - connect using FTP on port 22<br />
#DNS - navigate to url of server<br />
#SMTP - send a mail to auto-respond server<br />
#IMAP - receive a mail from auto-respond server<br />
#Samba - Create a file on server using file sharing<br />
#HTTP - Navigate to ip address of server<br />
#Webmin - Navigate to <your-ip>:10000<br />
#PuTTY into linux mint using your ip address and port 2222<br />
#Linux Mint DNS/NAT - ping google.com from within Linux Mint<br><br><br />
<br><br />
Run this script to automatically check your lab<br><br />
<code> curl https<nolink>://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_10_test.py | sudo python3 </code></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_10_mnjk&diff=9543Lab 10 mnjk2021-03-02T01:35:29Z<p>JonQuinn: /* Checking your Work */</p>
<hr />
<div>=Introduction=<br />
'''''[https://www.youtube.com/watch?v=dQw4w9WgXcQ Watch the video introduction]'''''<br />
<br />
This lab assumes you have successfully set up [[Lab_8_mnjk#Install_BIND_.26_Enable_Caching | DNS]] and [[Lab_9_mnjk#Install_the_Postfix_MTA |email]]. If you had any issues with those labs, you should resolve them before attempting this lab, since you will be unable to properly test the tasks in this lab if those are not fully functional.<br />
<br />
In this lab you will perform the following tasks:<br />
*Configuring a [https://firewalld.org/ Firewall]<br />
*Enabling a 2nd interface<br />
*Configuring [https://en.wikipedia.org/wiki/Network_address_translation NAT]<br />
*Setting up [https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol DHCP]<br />
*Installing [https://linuxmint.com/ Linux Mint] on a second VM<br />
*Enabling [https://en.wikipedia.org/wiki/Port_forwarding Port Forwarding]<br />
<br />
You will be introduced to the following commands:<br />
*'''[https://firewalld.org/documentation/man-pages/firewall-cmd.html firewall-cmd]'''<br />
*'''[https://linux.die.net/man/1/echo echo]'''<br />
*'''[https://linux.die.net/man/8/ifconfig ifconfig]'''<br />
<br />
=Lab Procedure=<br />
== Prerequisites ==<br />
# Open an SSH console to your Linux system using the PuTTY software.<br />
# Login with your standard user account.<br />
# Have a browser window set to the webmin interface for your linux VM.<br />
<br />
== Configure a Firewall ==<br />
''NOTE: It is suggested that instead of managing a firewall directly using nftables tools (which would also require us to create a script to reload our rules each time the system is restarted) we use a firewall daemon program to manage it based on a set of rules we create and automatically setup the firewall based on those rules each time the system boots. There are many command line firewall management programs out there but for this lab we will use the [https://firewalld.org/ firewalld] package suggested by Debian. ''<br />
<ol><br />
<li>Begin by installing the ''firewalld'' package on your system.</li><br />
<li>First, let's check to see if the firewall is now up and running using the following command:</li><br />
<code>firewall-cmd --state</code><br />
: The firewall has been pre-configured with a couple of rules in it to prevent us from getting locked out. <br />
: [[File:Lab10_firewalld_state.png | link=https://wiki.ihitc.net/mediawiki/images/1/11/Lab10_firewalld_state.png|500px]]<br />
: [[Media:Lab10_firewalld_state.png | Click for larger image]]<br />
<li>Let's see what those rules are by using this command: </li><br />
<code>firewall-cmd --list-all</code><br />
: [[File:Lab10_firewalld_initial_rules.png | link=https://wiki.ihitc.net/mediawiki/images/1/14/Lab10_firewalld_initial_rules.png|500px]]<br />
: [[Media:Lab10_firewalld_initial_rules.png | Click for larger image]]<br />
: By default all interfaces are in the public zone (this is set in the ''/etc/firewalld/firewalld.conf'' file). <br />
: Before we start working on rules for our firewall we should assign our outside interface to the external zone which is designed for NAT routing which we'll be setting up shortly. <br />
<li> We can do this with the command:</li><br />
<code>firewall-cmd --zone=external --add-interface=ens192</code><br />
: We can create custom zones or use pre-defined security zones which will speed up configuring the firewall. Learn more about the [https://firewalld.org/documentation/zone/predefined-zones.html pre-defined zones in firewalld documentation].<br />
<li>Since we have changed zones on our interface let's check and see what rules we have started with. Let's see what those rules are:</li><br />
<code>firewall-cmd --zone=external --list-all</code><br />
: ''NOTE: You can also use the '''firewall-cmd --list-all-zones''' command to see a list of all available zones and their rules.</li>''<br />
: If you were watching carefully you may have noted that the dhcpv6-client service which was allowed in the public zone but is not allowed by default on the external zone. <br />
<li>In our case we want to allow DHCPv6 to operate on our outside interface so we can re-enable it with the following command: </li><br />
<code> firewall-cmd --zone=external --add-service="dhcpv6-client"</code><br />
<li>Check to see what other services can be allowed on an interface with:</li><br />
<code>firewall-cmd --get-services</code><br />
: If you check you will see that although you can connect with ssh (by default it's on the allowed service list you saw above) you can't connect to your webserver or Webmin anymore. Webmin is not a pre-defined service in the list we saw above so we could either set it up as a new service and then allow it or we could create a manual rule to allow the TCP traffic on port 10000 needed to access Webmin. In this case because the service only uses a single port and to see how manual rules can be created let's manually create a rule to allow access to TCP port 10000. <br />
<li>Do this by running this command: </li><br />
<code>firewall-cmd --zone=external --add-port=10000/tcp </code><br />
:You should now be able to access Webmin again.<br />
<li> Using either service rules or manual port rules create additional rules so that the other services on your VM are again accessible from the outside (such as from your home PC over the VPN). </li><br />
:''HINT: Services we have setup so far include SSH, DNS, SMTP, IMAP, Samba, and HTTP.''<br />
: Make sure to test and ensure they are all working again!<br />
<li> Once you are satisfied your firewall is running correctly you can use the following command to set these rules to automatically load each time the system is started.</li><br />
<code> firewall-cmd --runtime-to-permanent </code><br />
</ol><br />
<br />
== Setup a 2nd NIC Interface ==<br />
To start this lab we will need to configure a second network interface, named ens224 on our virtual machines. In our simulated setup our existing ens192 interface will be our WAN interface and ens224 will be our LAN interface which could be connected to a switch and then to multiple allow other computers which will connect to the Internet through our server.<br />
<ol><br />
<li> Open ''/etc/network/interfaces'' with your favorite text editor. </li><br />
* Go to the bottom of the file.<br />
: [[File:Lab10_network_interfaces_before.png | link=https://wiki.ihitc.net/mediawiki/images/f/f8/Lab10_network_interfaces_before.png|500px]]<br />
: [[Media:Lab10_network_interfaces_before.png | Click for larger image]]<br />
* Add the following to configure the second interface with a static IP of 192.168.1.1/24:<br />
<pre>auto ens224<br />
iface ens224 inet static<br />
address 192.168.1.1<br />
netmask 255.255.255.0</pre></li><br />
<br />
: [[File:Lab10_network_interfaces_after.png | link=https://wiki.ihitc.net/mediawiki/images/8/80/Lab10_network_interfaces_after.png|500px]]<br />
: [[Media:Lab10_network_interfaces_after.png | Click for larger image]]<br />
: ''NOTE: As this is a LAN only interface, we do not need to define a gateway for the server VM, as the server VM itself will be the gateway for this network.''<br />
<li>Once this is done, save the file <br />
<li> Run the following command to enable the new interface.</li><br />
<code>ifup ens224</code><br />
<li>Verify the second interface is up and running with the correct IP address</li><br />
</ol><br />
<br />
== Enable Routing ==<br />
Now we will need to enable NAT so we can route LAN traffic to the Internet and responding Internet traffic back to our LAN interface.<br />
<ol><br />
<li>In your console, you will need to edit ''/etc/sysctl.conf''. This file is used to change and tweak multiple system variables. </li><br />
* Scroll down until you find the following:<br />
<pre># Uncomment the next line to enable packet forwarding for IPv4<br />
#net.ipv4.ip_forward=1<br />
</pre><br />
* Follow the instructions in the file to enable packet forwarding in the kernel. <br />
: [[File:Lab10_sysctl_after.png | link=https://wiki.ihitc.net/mediawiki/images/1/1e/Lab10_sysctl_after.png|500px]]<br />
: [[Media:Lab10_sysctl_after.png | Click for larger image]]<br />
* When you are done, save the file.<br />
: Changes to the ''sysctl.conf'' file require a reboot, but most can be set without a reboot by echoing response codes to "files" in ''/proc''. <br />
<li> We will get into that more in a later chapter, but for now run the following command to enable ip_forwarding without rebooting the machine: </li><br />
<code>'''echo 1 > /proc/sys/net/ipv4/ip_forward</code><br />
: ''NOTE: If you are receiving an error when trying to run that command it's likely that the user you are running it as does not have permission to modify the '''/proc/sys/net/ipv4/ip_forward''' file (check the permissions by using '''ls'''). Read [http://stackoverflow.com/questions/82256/how-do-i-use-sudo-to-redirect-output-to-a-location-i-dont-have-permission-to-wr this similar question] for more details and possible solutions.''<br />
</ol><br />
<br />
== Setup a DHCP Server ==<br />
To setup a DHCP server, we will first need to install the required software. <br />
<ol><br />
<li>In your SSH console use your favorite package manager to install the ''isc-dhcp-server'' package.</li><br />
: After you install the package you may get a warning about ''isc-dhcp-server'' being unable to start. This is normal as we have yet to define the interface and settings we want used.<br />
<li>Now back in Webmin, select the Refresh Modules option. .</li><br />
* After it is done, go to Servers, then DHCP Server<br />
: Before we define our DHCP range, we need to set our listening interface. <br />
* Click on the ''Edit Network Interface'' option. <br />
*Select ''ens224''. <br />
* Press save.<br />
<li>Now under Subnets and Shared Networks, select Add a new subnet. </li><br />
* Use the following settings:<br />
<pre>Subnet description: LAN DHCP Range<br />
Network Address: 192.168.1.0<br />
Netmask: 255.255.255.0<br />
Address Ranges: 192.168.1.100-192.168.1.254</pre><br />
: [[File:Lab10_webmin_dhcp_create_subnet.png | link=https://wiki.ihitc.net/mediawiki/images/4/4e/Lab10_webmin_dhcp_create_subnet.png|500px]]<br />
: [[Media:Lab10_webmin_dhcp_create_subnet.png | Click for larger image]]<br />
* When you are done, press Create. <br />
* Now, click on the network you just created to review the settings, then press Edit Client Options at the bottom.<br />
: From here we will setup the default gateway and DNS servers for the clients to use. <br />
<li> Under Default Routers, set the option to 192.168.1.1 <br />
* Under DNS servers, set it to 192.168.1.1. <br />
: [[File:Lab10_webmin_dhcp_client_options.png | link=https://wiki.ihitc.net/mediawiki/images/d/d7/Lab10_webmin_dhcp_client_options.png|500px]]<br />
: [[Media:Lab10_webmin_dhcp_client_options.png | Click for larger image]]<br />
: Notice how we are setting these options to the IP of ens224 that we setup. This is because our Linux VM will act as the router and DNS for our clients as well.<br />
* When you are done, press save<br />
* Then on the Edit Subnet page, press save again.<br />
<li>Now that you are back on the DHCP server page, press the Start Server button. <br />
: If all goes well, the button should change to "Stop Server". If this does not happen, then the server was unable start. If that happens, re-check your DHCP server configurations to make sure everything is correct.<br />
</ol><br />
<br />
== Enabling NAT and Firewall Rules for the LAN ==<br />
Now we will use firewalld to setup NAT so that we can use private addresses on our internal LAN but still have access to the public Internet. <br />
<ol><br />
<li>First, let's set our ens224 interface (LAN) to be in the internal zone with the following command.</li><br />
<code>firewall-cmd --zone=internal --add-interface=ens224</code><br />
<li>You should now take a minute to allow all of the same services and ports on the internal network that you have allowed on the external network. </li><br />
:In other words, make sure that Webmin, Samba, DNS, etc. are also allowed on the internal zone.<br />
:In order to activate NAT you need to turn on the "masquerade" feature on your outside interface. This is probably already done if you correctly assigned your outside interface to the pre-defined external zone (it's one of the features of that zone). <br />
: ''HINT: you can do this manually as well in case you setup a custom zone by running the '''firewall-cmd --add-masquerade --zone=external''' command.''<br />
: While routing and NAT should be working for hosts on your LAN interface now they probably still can't get an IP address! Just like all the other services being blocked by the firewall DHCP is also blocked unless you specifically allow it. <br />
<li>To do this run the following command:</li><br />
<code>firewall-cmd --add-service=dhcp --zone=internal</code><br />
<li>Once you are satisfied your firewall is running correctly you can use this command to set these rules to automatically load each time the system is started.</li><br />
<code>firewall-cmd --runtime-to-permanent</code></ol><br />
<br />
== Setup a 2nd VM as a LAN Host ==<br />
Now we are going to setup a 2nd VM on the VMware server so we can have a client to connect to the LAN network segment we just created. For this though, we will be using Linux Mint instead of Debian so we have a graphical user interface to help us with testing.<br />
<ol><br />
<li> You'll need to make a Netlab reservation to work with your Mint system's GUI so go ahead and do that. </li><br />
* Enter the lab on Netlab<br />
* Click the "Linux Desktop" tab to access your Mint machine.<br />
: The VM should be booting from a Linux Mint virtual CD image. <br />
<li> Get Linux Mint installed using the link on the desktop.</li><br />
: Installation settings are not critical as we'll be using the system primarily to explore a Linux GUI and to test web browsing capability from our private network.<br />
: [[File:Lab10_linux_mint_desktop.png | link=https://wiki.ihitc.net/mediawiki/images/f/f1/Lab10_linux_mint_desktop.png|500px]]<br />
: [[Media:Lab10_linux_mint_desktop.png | Click for larger image]]<br />
: ''NOTE: By default Linux Mint will boot into a "Live CD" environment where you can use the system without installing. However, the Live CD environment is much slower and memory limited compared with a full installation to the hard drive so be sure to start an installation and reboot into the installed copy instead of from the Live CD. You will know you're working from an installed copy if you are prompted for your username and password when logging in and don't see a link on the desktop to Install Linux Mint anymore.''<br />
<li> Once you have Linux Mint installed, reboot the machine and login. </li><br />
: Hopefully the machine is able to connect to the Internet through your Debian server which is acting as a DHCP server and router (see the topology diagram tab in Netlab to see a diagram of how they are connected).<br />
<li> Press the Menu icon in the lower left corner, and enter "Terminal". </li><br />
* Then, open the terminal application.<br />
<li> You now have a shell on the system. From here, use the following command to check your network settings. </li><br />
<code>ip address show</code><br />
: Notice how you have a IP from the DHCP pool we created earlier. <br />
<li> Now try pinging ''172.17.50.1''. </li><br />
: Are you able to ping? If so, NAT is working properly on your network because the 172.17.50.0/24 network is outside of the LAN segment this machine is attached to (192.168.1.0/24).<br />
: ''NOTE: Notice how some Linux distributions like Mint haven't switched from the old naming of network interfaces with ''eth'' to the new ''ens'' style. You can also try using the older '''ifconfig''' way of checking the IP address and compare the output to the new '''ip address show''' method which we have been using so far in Debian.''<br />
<li> Now run '''ping google.com'''. </li><br />
: If you are able to ping, this shows that not only is NAT working, but DNS resolving as well.<br />
<li> Open a web browser on the system (you can use a graphical browser this time since you have a GUI) and test browsing to a few websites.</li><br />
: At this point we have a fully functional LAN environment.<br />
<li> In order to allow automatic safe shutdown of your Linux Mint system and improve speed/efficiency use the package manager to install the ''open-vm-tools-desktop'' package. </li><br />
:This provides better drivers and integration between the vmWare host which is running your Linux Mint virtual machine and the virtual machine itself.<br />
<li> Finally, in the next section we'll be setting up SSH access to Mint through the Firewall so you'll want to install the ''openssh-server package'' through the package manager. </li><br />
: Once you've done this you should be able to use the ssh program on the command line in Debian to access your Mint system like '''ssh mintusername@192.168.1.x''' where you are using a valid username on the Mint system and the IP address of the Mint system.<br />
<li> Spend a few more minutes exploring the functionality of the Linux GUI and desktop.</li></ol><br />
<br />
== Port Forwarding and Firewalling ==<br />
Now we are going to enable port forwarding to our VM. This will allow you to access the 2nd VM from the ITC network and VPN.<br />
Because we are already using port 22 on our outside interface to provide SSH access to our main Debian system we need to use a different port to access the Mint system. Instead of changing the port number in the SSH server software on Mint we can have our firewall do it at the same time the NAT masquerading is occurring. <br />
<ol><br />
<li>Set up a rule by running the following command:</li><br />
<code>firewall-cmd --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=192.168.1.100 --zone=external</code><br />
:NOTE: this rule is a little unstable because it forwards the port to 192.168.1.100 which is currently the IP of our Mint system (if yours has a different IP you should change it in the command) but because that system gets an IP from DHCP it is subject to change which would break the rule. Therefore, if we wanted this to be stable in the long term, we would want to set up a static IP on any machines we were forwarding ports to.<br />
:''HINT: If your connection is refused, it may be because SSH is not installed in Mint. Try installing SSH using the package manager or apt.''<br />
<li> From a computer on the ITC network, such as one connected to the VPN, try to SSH to port 2222 on the outside (172.17.50.xx) IP address of your Debian system. </li><br />
:If everything was set up successfully, you should be able to sign into the Mint VM based on the port forwarding rule we have put in place.<br />
<li> Once you are satisfied your firewall is running correctly you can use the following command to set these rules to automatically load each time the system is started.</li><br />
<code>firewall-cmd --runtime-to-permanent</code><br><br />
</ol><br />
When you are done testing this section of the lab please power off your new Linux Mint VM as these require far more resources to run than the Debian VMs on our servers.<br><br />
: [[File:Lab10_linux_mint_shutdown.png | link=https://wiki.ihitc.net/mediawiki/images/1/1c/Lab10_linux_mint_shutdown.png|500px]]<br />
: [[Media:Lab10_linux_mint_shutdown.png | Click for larger image]]<br />
<br />
=Checking your Work=<br />
For this lab there are many things you need to check.<br />
<br />
#Firewall - attempt to connect using FTP on port 21, this should fail<br />
#SSH - connect using FTP on port 22<br />
#DNS - navigate to url of server<br />
#SMTP - send a mail to auto-respond server<br />
#IMAP - receive a mail from auto-respond server<br />
#Samba - Create a file on server using file sharing<br />
#HTTP - Navigate to ip address of server<br />
#Webmin - Navigate to <your-ip>:10000<br />
#PuTTY into linux mint using your ip address and port 2222<br />
#Linux Mint DNS/NAT - ping google.com from within Linux Mint<br><br><br />
<br><br />
Run this script to automatically check your lab<br><br />
<code> curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_10_test.py | sudo python3 </code></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_10_mnjk&diff=9542Lab 10 mnjk2021-03-02T01:35:04Z<p>JonQuinn: /* Checking your Work */</p>
<hr />
<div>=Introduction=<br />
'''''[https://www.youtube.com/watch?v=dQw4w9WgXcQ Watch the video introduction]'''''<br />
<br />
This lab assumes you have successfully set up [[Lab_8_mnjk#Install_BIND_.26_Enable_Caching | DNS]] and [[Lab_9_mnjk#Install_the_Postfix_MTA |email]]. If you had any issues with those labs, you should resolve them before attempting this lab, since you will be unable to properly test the tasks in this lab if those are not fully functional.<br />
<br />
In this lab you will perform the following tasks:<br />
*Configuring a [https://firewalld.org/ Firewall]<br />
*Enabling a 2nd interface<br />
*Configuring [https://en.wikipedia.org/wiki/Network_address_translation NAT]<br />
*Setting up [https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol DHCP]<br />
*Installing [https://linuxmint.com/ Linux Mint] on a second VM<br />
*Enabling [https://en.wikipedia.org/wiki/Port_forwarding Port Forwarding]<br />
<br />
You will be introduced to the following commands:<br />
*'''[https://firewalld.org/documentation/man-pages/firewall-cmd.html firewall-cmd]'''<br />
*'''[https://linux.die.net/man/1/echo echo]'''<br />
*'''[https://linux.die.net/man/8/ifconfig ifconfig]'''<br />
<br />
=Lab Procedure=<br />
== Prerequisites ==<br />
# Open an SSH console to your Linux system using the PuTTY software.<br />
# Login with your standard user account.<br />
# Have a browser window set to the webmin interface for your linux VM.<br />
<br />
== Configure a Firewall ==<br />
''NOTE: It is suggested that instead of managing a firewall directly using nftables tools (which would also require us to create a script to reload our rules each time the system is restarted) we use a firewall daemon program to manage it based on a set of rules we create and automatically setup the firewall based on those rules each time the system boots. There are many command line firewall management programs out there but for this lab we will use the [https://firewalld.org/ firewalld] package suggested by Debian. ''<br />
<ol><br />
<li>Begin by installing the ''firewalld'' package on your system.</li><br />
<li>First, let's check to see if the firewall is now up and running using the following command:</li><br />
<code>firewall-cmd --state</code><br />
: The firewall has been pre-configured with a couple of rules in it to prevent us from getting locked out. <br />
: [[File:Lab10_firewalld_state.png | link=https://wiki.ihitc.net/mediawiki/images/1/11/Lab10_firewalld_state.png|500px]]<br />
: [[Media:Lab10_firewalld_state.png | Click for larger image]]<br />
<li>Let's see what those rules are by using this command: </li><br />
<code>firewall-cmd --list-all</code><br />
: [[File:Lab10_firewalld_initial_rules.png | link=https://wiki.ihitc.net/mediawiki/images/1/14/Lab10_firewalld_initial_rules.png|500px]]<br />
: [[Media:Lab10_firewalld_initial_rules.png | Click for larger image]]<br />
: By default all interfaces are in the public zone (this is set in the ''/etc/firewalld/firewalld.conf'' file). <br />
: Before we start working on rules for our firewall we should assign our outside interface to the external zone which is designed for NAT routing which we'll be setting up shortly. <br />
<li> We can do this with the command:</li><br />
<code>firewall-cmd --zone=external --add-interface=ens192</code><br />
: We can create custom zones or use pre-defined security zones which will speed up configuring the firewall. Learn more about the [https://firewalld.org/documentation/zone/predefined-zones.html pre-defined zones in firewalld documentation].<br />
<li>Since we have changed zones on our interface let's check and see what rules we have started with. Let's see what those rules are:</li><br />
<code>firewall-cmd --zone=external --list-all</code><br />
: ''NOTE: You can also use the '''firewall-cmd --list-all-zones''' command to see a list of all available zones and their rules.</li>''<br />
: If you were watching carefully you may have noted that the dhcpv6-client service which was allowed in the public zone but is not allowed by default on the external zone. <br />
<li>In our case we want to allow DHCPv6 to operate on our outside interface so we can re-enable it with the following command: </li><br />
<code> firewall-cmd --zone=external --add-service="dhcpv6-client"</code><br />
<li>Check to see what other services can be allowed on an interface with:</li><br />
<code>firewall-cmd --get-services</code><br />
: If you check you will see that although you can connect with ssh (by default it's on the allowed service list you saw above) you can't connect to your webserver or Webmin anymore. Webmin is not a pre-defined service in the list we saw above so we could either set it up as a new service and then allow it or we could create a manual rule to allow the TCP traffic on port 10000 needed to access Webmin. In this case because the service only uses a single port and to see how manual rules can be created let's manually create a rule to allow access to TCP port 10000. <br />
<li>Do this by running this command: </li><br />
<code>firewall-cmd --zone=external --add-port=10000/tcp </code><br />
:You should now be able to access Webmin again.<br />
<li> Using either service rules or manual port rules create additional rules so that the other services on your VM are again accessible from the outside (such as from your home PC over the VPN). </li><br />
:''HINT: Services we have setup so far include SSH, DNS, SMTP, IMAP, Samba, and HTTP.''<br />
: Make sure to test and ensure they are all working again!<br />
<li> Once you are satisfied your firewall is running correctly you can use the following command to set these rules to automatically load each time the system is started.</li><br />
<code> firewall-cmd --runtime-to-permanent </code><br />
</ol><br />
<br />
== Setup a 2nd NIC Interface ==<br />
To start this lab we will need to configure a second network interface, named ens224 on our virtual machines. In our simulated setup our existing ens192 interface will be our WAN interface and ens224 will be our LAN interface which could be connected to a switch and then to multiple allow other computers which will connect to the Internet through our server.<br />
<ol><br />
<li> Open ''/etc/network/interfaces'' with your favorite text editor. </li><br />
* Go to the bottom of the file.<br />
: [[File:Lab10_network_interfaces_before.png | link=https://wiki.ihitc.net/mediawiki/images/f/f8/Lab10_network_interfaces_before.png|500px]]<br />
: [[Media:Lab10_network_interfaces_before.png | Click for larger image]]<br />
* Add the following to configure the second interface with a static IP of 192.168.1.1/24:<br />
<pre>auto ens224<br />
iface ens224 inet static<br />
address 192.168.1.1<br />
netmask 255.255.255.0</pre></li><br />
<br />
: [[File:Lab10_network_interfaces_after.png | link=https://wiki.ihitc.net/mediawiki/images/8/80/Lab10_network_interfaces_after.png|500px]]<br />
: [[Media:Lab10_network_interfaces_after.png | Click for larger image]]<br />
: ''NOTE: As this is a LAN only interface, we do not need to define a gateway for the server VM, as the server VM itself will be the gateway for this network.''<br />
<li>Once this is done, save the file <br />
<li> Run the following command to enable the new interface.</li><br />
<code>ifup ens224</code><br />
<li>Verify the second interface is up and running with the correct IP address</li><br />
</ol><br />
<br />
== Enable Routing ==<br />
Now we will need to enable NAT so we can route LAN traffic to the Internet and responding Internet traffic back to our LAN interface.<br />
<ol><br />
<li>In your console, you will need to edit ''/etc/sysctl.conf''. This file is used to change and tweak multiple system variables. </li><br />
* Scroll down until you find the following:<br />
<pre># Uncomment the next line to enable packet forwarding for IPv4<br />
#net.ipv4.ip_forward=1<br />
</pre><br />
* Follow the instructions in the file to enable packet forwarding in the kernel. <br />
: [[File:Lab10_sysctl_after.png | link=https://wiki.ihitc.net/mediawiki/images/1/1e/Lab10_sysctl_after.png|500px]]<br />
: [[Media:Lab10_sysctl_after.png | Click for larger image]]<br />
* When you are done, save the file.<br />
: Changes to the ''sysctl.conf'' file require a reboot, but most can be set without a reboot by echoing response codes to "files" in ''/proc''. <br />
<li> We will get into that more in a later chapter, but for now run the following command to enable ip_forwarding without rebooting the machine: </li><br />
<code>'''echo 1 > /proc/sys/net/ipv4/ip_forward</code><br />
: ''NOTE: If you are receiving an error when trying to run that command it's likely that the user you are running it as does not have permission to modify the '''/proc/sys/net/ipv4/ip_forward''' file (check the permissions by using '''ls'''). Read [http://stackoverflow.com/questions/82256/how-do-i-use-sudo-to-redirect-output-to-a-location-i-dont-have-permission-to-wr this similar question] for more details and possible solutions.''<br />
</ol><br />
<br />
== Setup a DHCP Server ==<br />
To setup a DHCP server, we will first need to install the required software. <br />
<ol><br />
<li>In your SSH console use your favorite package manager to install the ''isc-dhcp-server'' package.</li><br />
: After you install the package you may get a warning about ''isc-dhcp-server'' being unable to start. This is normal as we have yet to define the interface and settings we want used.<br />
<li>Now back in Webmin, select the Refresh Modules option. .</li><br />
* After it is done, go to Servers, then DHCP Server<br />
: Before we define our DHCP range, we need to set our listening interface. <br />
* Click on the ''Edit Network Interface'' option. <br />
*Select ''ens224''. <br />
* Press save.<br />
<li>Now under Subnets and Shared Networks, select Add a new subnet. </li><br />
* Use the following settings:<br />
<pre>Subnet description: LAN DHCP Range<br />
Network Address: 192.168.1.0<br />
Netmask: 255.255.255.0<br />
Address Ranges: 192.168.1.100-192.168.1.254</pre><br />
: [[File:Lab10_webmin_dhcp_create_subnet.png | link=https://wiki.ihitc.net/mediawiki/images/4/4e/Lab10_webmin_dhcp_create_subnet.png|500px]]<br />
: [[Media:Lab10_webmin_dhcp_create_subnet.png | Click for larger image]]<br />
* When you are done, press Create. <br />
* Now, click on the network you just created to review the settings, then press Edit Client Options at the bottom.<br />
: From here we will setup the default gateway and DNS servers for the clients to use. <br />
<li> Under Default Routers, set the option to 192.168.1.1 <br />
* Under DNS servers, set it to 192.168.1.1. <br />
: [[File:Lab10_webmin_dhcp_client_options.png | link=https://wiki.ihitc.net/mediawiki/images/d/d7/Lab10_webmin_dhcp_client_options.png|500px]]<br />
: [[Media:Lab10_webmin_dhcp_client_options.png | Click for larger image]]<br />
: Notice how we are setting these options to the IP of ens224 that we setup. This is because our Linux VM will act as the router and DNS for our clients as well.<br />
* When you are done, press save<br />
* Then on the Edit Subnet page, press save again.<br />
<li>Now that you are back on the DHCP server page, press the Start Server button. <br />
: If all goes well, the button should change to "Stop Server". If this does not happen, then the server was unable start. If that happens, re-check your DHCP server configurations to make sure everything is correct.<br />
</ol><br />
<br />
== Enabling NAT and Firewall Rules for the LAN ==<br />
Now we will use firewalld to setup NAT so that we can use private addresses on our internal LAN but still have access to the public Internet. <br />
<ol><br />
<li>First, let's set our ens224 interface (LAN) to be in the internal zone with the following command.</li><br />
<code>firewall-cmd --zone=internal --add-interface=ens224</code><br />
<li>You should now take a minute to allow all of the same services and ports on the internal network that you have allowed on the external network. </li><br />
:In other words, make sure that Webmin, Samba, DNS, etc. are also allowed on the internal zone.<br />
:In order to activate NAT you need to turn on the "masquerade" feature on your outside interface. This is probably already done if you correctly assigned your outside interface to the pre-defined external zone (it's one of the features of that zone). <br />
: ''HINT: you can do this manually as well in case you setup a custom zone by running the '''firewall-cmd --add-masquerade --zone=external''' command.''<br />
: While routing and NAT should be working for hosts on your LAN interface now they probably still can't get an IP address! Just like all the other services being blocked by the firewall DHCP is also blocked unless you specifically allow it. <br />
<li>To do this run the following command:</li><br />
<code>firewall-cmd --add-service=dhcp --zone=internal</code><br />
<li>Once you are satisfied your firewall is running correctly you can use this command to set these rules to automatically load each time the system is started.</li><br />
<code>firewall-cmd --runtime-to-permanent</code></ol><br />
<br />
== Setup a 2nd VM as a LAN Host ==<br />
Now we are going to setup a 2nd VM on the VMware server so we can have a client to connect to the LAN network segment we just created. For this though, we will be using Linux Mint instead of Debian so we have a graphical user interface to help us with testing.<br />
<ol><br />
<li> You'll need to make a Netlab reservation to work with your Mint system's GUI so go ahead and do that. </li><br />
* Enter the lab on Netlab<br />
* Click the "Linux Desktop" tab to access your Mint machine.<br />
: The VM should be booting from a Linux Mint virtual CD image. <br />
<li> Get Linux Mint installed using the link on the desktop.</li><br />
: Installation settings are not critical as we'll be using the system primarily to explore a Linux GUI and to test web browsing capability from our private network.<br />
: [[File:Lab10_linux_mint_desktop.png | link=https://wiki.ihitc.net/mediawiki/images/f/f1/Lab10_linux_mint_desktop.png|500px]]<br />
: [[Media:Lab10_linux_mint_desktop.png | Click for larger image]]<br />
: ''NOTE: By default Linux Mint will boot into a "Live CD" environment where you can use the system without installing. However, the Live CD environment is much slower and memory limited compared with a full installation to the hard drive so be sure to start an installation and reboot into the installed copy instead of from the Live CD. You will know you're working from an installed copy if you are prompted for your username and password when logging in and don't see a link on the desktop to Install Linux Mint anymore.''<br />
<li> Once you have Linux Mint installed, reboot the machine and login. </li><br />
: Hopefully the machine is able to connect to the Internet through your Debian server which is acting as a DHCP server and router (see the topology diagram tab in Netlab to see a diagram of how they are connected).<br />
<li> Press the Menu icon in the lower left corner, and enter "Terminal". </li><br />
* Then, open the terminal application.<br />
<li> You now have a shell on the system. From here, use the following command to check your network settings. </li><br />
<code>ip address show</code><br />
: Notice how you have a IP from the DHCP pool we created earlier. <br />
<li> Now try pinging ''172.17.50.1''. </li><br />
: Are you able to ping? If so, NAT is working properly on your network because the 172.17.50.0/24 network is outside of the LAN segment this machine is attached to (192.168.1.0/24).<br />
: ''NOTE: Notice how some Linux distributions like Mint haven't switched from the old naming of network interfaces with ''eth'' to the new ''ens'' style. You can also try using the older '''ifconfig''' way of checking the IP address and compare the output to the new '''ip address show''' method which we have been using so far in Debian.''<br />
<li> Now run '''ping google.com'''. </li><br />
: If you are able to ping, this shows that not only is NAT working, but DNS resolving as well.<br />
<li> Open a web browser on the system (you can use a graphical browser this time since you have a GUI) and test browsing to a few websites.</li><br />
: At this point we have a fully functional LAN environment.<br />
<li> In order to allow automatic safe shutdown of your Linux Mint system and improve speed/efficiency use the package manager to install the ''open-vm-tools-desktop'' package. </li><br />
:This provides better drivers and integration between the vmWare host which is running your Linux Mint virtual machine and the virtual machine itself.<br />
<li> Finally, in the next section we'll be setting up SSH access to Mint through the Firewall so you'll want to install the ''openssh-server package'' through the package manager. </li><br />
: Once you've done this you should be able to use the ssh program on the command line in Debian to access your Mint system like '''ssh mintusername@192.168.1.x''' where you are using a valid username on the Mint system and the IP address of the Mint system.<br />
<li> Spend a few more minutes exploring the functionality of the Linux GUI and desktop.</li></ol><br />
<br />
== Port Forwarding and Firewalling ==<br />
Now we are going to enable port forwarding to our VM. This will allow you to access the 2nd VM from the ITC network and VPN.<br />
Because we are already using port 22 on our outside interface to provide SSH access to our main Debian system we need to use a different port to access the Mint system. Instead of changing the port number in the SSH server software on Mint we can have our firewall do it at the same time the NAT masquerading is occurring. <br />
<ol><br />
<li>Set up a rule by running the following command:</li><br />
<code>firewall-cmd --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=192.168.1.100 --zone=external</code><br />
:NOTE: this rule is a little unstable because it forwards the port to 192.168.1.100 which is currently the IP of our Mint system (if yours has a different IP you should change it in the command) but because that system gets an IP from DHCP it is subject to change which would break the rule. Therefore, if we wanted this to be stable in the long term, we would want to set up a static IP on any machines we were forwarding ports to.<br />
:''HINT: If your connection is refused, it may be because SSH is not installed in Mint. Try installing SSH using the package manager or apt.''<br />
<li> From a computer on the ITC network, such as one connected to the VPN, try to SSH to port 2222 on the outside (172.17.50.xx) IP address of your Debian system. </li><br />
:If everything was set up successfully, you should be able to sign into the Mint VM based on the port forwarding rule we have put in place.<br />
<li> Once you are satisfied your firewall is running correctly you can use the following command to set these rules to automatically load each time the system is started.</li><br />
<code>firewall-cmd --runtime-to-permanent</code><br><br />
</ol><br />
When you are done testing this section of the lab please power off your new Linux Mint VM as these require far more resources to run than the Debian VMs on our servers.<br><br />
: [[File:Lab10_linux_mint_shutdown.png | link=https://wiki.ihitc.net/mediawiki/images/1/1c/Lab10_linux_mint_shutdown.png|500px]]<br />
: [[Media:Lab10_linux_mint_shutdown.png | Click for larger image]]<br />
<br />
=Checking your Work=<br />
For this lab there are many things you need to check.<br />
<br />
#Firewall - attempt to connect using FTP on port 21, this should fail<br />
#SSH - connect using FTP on port 22<br />
#DNS - navigate to url of server<br />
#SMTP - send a mail to auto-respond server<br />
#IMAP - receive a mail from auto-respond server<br />
#Samba - Create a file on server using file sharing<br />
#HTTP - Navigate to ip address of server<br />
#Webmin - Navigate to <your-ip>:10000<br />
#PuTTY into linux mint using your ip address and port 2222<br />
#Linux Mint DNS/NAT - ping google.com from within Linux Mint<br><br><br />
<br><br />
Run this script to automatically check your lab<br><br />
<code> curl <span>https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_10_test.py</span> | sudo python3 </code></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_10_mnjk&diff=9541Lab 10 mnjk2021-03-02T01:34:10Z<p>JonQuinn: /* Checking your Work */</p>
<hr />
<div>=Introduction=<br />
'''''[https://www.youtube.com/watch?v=dQw4w9WgXcQ Watch the video introduction]'''''<br />
<br />
This lab assumes you have successfully set up [[Lab_8_mnjk#Install_BIND_.26_Enable_Caching | DNS]] and [[Lab_9_mnjk#Install_the_Postfix_MTA |email]]. If you had any issues with those labs, you should resolve them before attempting this lab, since you will be unable to properly test the tasks in this lab if those are not fully functional.<br />
<br />
In this lab you will perform the following tasks:<br />
*Configuring a [https://firewalld.org/ Firewall]<br />
*Enabling a 2nd interface<br />
*Configuring [https://en.wikipedia.org/wiki/Network_address_translation NAT]<br />
*Setting up [https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol DHCP]<br />
*Installing [https://linuxmint.com/ Linux Mint] on a second VM<br />
*Enabling [https://en.wikipedia.org/wiki/Port_forwarding Port Forwarding]<br />
<br />
You will be introduced to the following commands:<br />
*'''[https://firewalld.org/documentation/man-pages/firewall-cmd.html firewall-cmd]'''<br />
*'''[https://linux.die.net/man/1/echo echo]'''<br />
*'''[https://linux.die.net/man/8/ifconfig ifconfig]'''<br />
<br />
=Lab Procedure=<br />
== Prerequisites ==<br />
# Open an SSH console to your Linux system using the PuTTY software.<br />
# Login with your standard user account.<br />
# Have a browser window set to the webmin interface for your linux VM.<br />
<br />
== Configure a Firewall ==<br />
''NOTE: It is suggested that instead of managing a firewall directly using nftables tools (which would also require us to create a script to reload our rules each time the system is restarted) we use a firewall daemon program to manage it based on a set of rules we create and automatically setup the firewall based on those rules each time the system boots. There are many command line firewall management programs out there but for this lab we will use the [https://firewalld.org/ firewalld] package suggested by Debian. ''<br />
<ol><br />
<li>Begin by installing the ''firewalld'' package on your system.</li><br />
<li>First, let's check to see if the firewall is now up and running using the following command:</li><br />
<code>firewall-cmd --state</code><br />
: The firewall has been pre-configured with a couple of rules in it to prevent us from getting locked out. <br />
: [[File:Lab10_firewalld_state.png | link=https://wiki.ihitc.net/mediawiki/images/1/11/Lab10_firewalld_state.png|500px]]<br />
: [[Media:Lab10_firewalld_state.png | Click for larger image]]<br />
<li>Let's see what those rules are by using this command: </li><br />
<code>firewall-cmd --list-all</code><br />
: [[File:Lab10_firewalld_initial_rules.png | link=https://wiki.ihitc.net/mediawiki/images/1/14/Lab10_firewalld_initial_rules.png|500px]]<br />
: [[Media:Lab10_firewalld_initial_rules.png | Click for larger image]]<br />
: By default all interfaces are in the public zone (this is set in the ''/etc/firewalld/firewalld.conf'' file). <br />
: Before we start working on rules for our firewall we should assign our outside interface to the external zone which is designed for NAT routing which we'll be setting up shortly. <br />
<li> We can do this with the command:</li><br />
<code>firewall-cmd --zone=external --add-interface=ens192</code><br />
: We can create custom zones or use pre-defined security zones which will speed up configuring the firewall. Learn more about the [https://firewalld.org/documentation/zone/predefined-zones.html pre-defined zones in firewalld documentation].<br />
<li>Since we have changed zones on our interface let's check and see what rules we have started with. Let's see what those rules are:</li><br />
<code>firewall-cmd --zone=external --list-all</code><br />
: ''NOTE: You can also use the '''firewall-cmd --list-all-zones''' command to see a list of all available zones and their rules.</li>''<br />
: If you were watching carefully you may have noted that the dhcpv6-client service which was allowed in the public zone but is not allowed by default on the external zone. <br />
<li>In our case we want to allow DHCPv6 to operate on our outside interface so we can re-enable it with the following command: </li><br />
<code> firewall-cmd --zone=external --add-service="dhcpv6-client"</code><br />
<li>Check to see what other services can be allowed on an interface with:</li><br />
<code>firewall-cmd --get-services</code><br />
: If you check you will see that although you can connect with ssh (by default it's on the allowed service list you saw above) you can't connect to your webserver or Webmin anymore. Webmin is not a pre-defined service in the list we saw above so we could either set it up as a new service and then allow it or we could create a manual rule to allow the TCP traffic on port 10000 needed to access Webmin. In this case because the service only uses a single port and to see how manual rules can be created let's manually create a rule to allow access to TCP port 10000. <br />
<li>Do this by running this command: </li><br />
<code>firewall-cmd --zone=external --add-port=10000/tcp </code><br />
:You should now be able to access Webmin again.<br />
<li> Using either service rules or manual port rules create additional rules so that the other services on your VM are again accessible from the outside (such as from your home PC over the VPN). </li><br />
:''HINT: Services we have setup so far include SSH, DNS, SMTP, IMAP, Samba, and HTTP.''<br />
: Make sure to test and ensure they are all working again!<br />
<li> Once you are satisfied your firewall is running correctly you can use the following command to set these rules to automatically load each time the system is started.</li><br />
<code> firewall-cmd --runtime-to-permanent </code><br />
</ol><br />
<br />
== Setup a 2nd NIC Interface ==<br />
To start this lab we will need to configure a second network interface, named ens224 on our virtual machines. In our simulated setup our existing ens192 interface will be our WAN interface and ens224 will be our LAN interface which could be connected to a switch and then to multiple allow other computers which will connect to the Internet through our server.<br />
<ol><br />
<li> Open ''/etc/network/interfaces'' with your favorite text editor. </li><br />
* Go to the bottom of the file.<br />
: [[File:Lab10_network_interfaces_before.png | link=https://wiki.ihitc.net/mediawiki/images/f/f8/Lab10_network_interfaces_before.png|500px]]<br />
: [[Media:Lab10_network_interfaces_before.png | Click for larger image]]<br />
* Add the following to configure the second interface with a static IP of 192.168.1.1/24:<br />
<pre>auto ens224<br />
iface ens224 inet static<br />
address 192.168.1.1<br />
netmask 255.255.255.0</pre></li><br />
<br />
: [[File:Lab10_network_interfaces_after.png | link=https://wiki.ihitc.net/mediawiki/images/8/80/Lab10_network_interfaces_after.png|500px]]<br />
: [[Media:Lab10_network_interfaces_after.png | Click for larger image]]<br />
: ''NOTE: As this is a LAN only interface, we do not need to define a gateway for the server VM, as the server VM itself will be the gateway for this network.''<br />
<li>Once this is done, save the file <br />
<li> Run the following command to enable the new interface.</li><br />
<code>ifup ens224</code><br />
<li>Verify the second interface is up and running with the correct IP address</li><br />
</ol><br />
<br />
== Enable Routing ==<br />
Now we will need to enable NAT so we can route LAN traffic to the Internet and responding Internet traffic back to our LAN interface.<br />
<ol><br />
<li>In your console, you will need to edit ''/etc/sysctl.conf''. This file is used to change and tweak multiple system variables. </li><br />
* Scroll down until you find the following:<br />
<pre># Uncomment the next line to enable packet forwarding for IPv4<br />
#net.ipv4.ip_forward=1<br />
</pre><br />
* Follow the instructions in the file to enable packet forwarding in the kernel. <br />
: [[File:Lab10_sysctl_after.png | link=https://wiki.ihitc.net/mediawiki/images/1/1e/Lab10_sysctl_after.png|500px]]<br />
: [[Media:Lab10_sysctl_after.png | Click for larger image]]<br />
* When you are done, save the file.<br />
: Changes to the ''sysctl.conf'' file require a reboot, but most can be set without a reboot by echoing response codes to "files" in ''/proc''. <br />
<li> We will get into that more in a later chapter, but for now run the following command to enable ip_forwarding without rebooting the machine: </li><br />
<code>'''echo 1 > /proc/sys/net/ipv4/ip_forward</code><br />
: ''NOTE: If you are receiving an error when trying to run that command it's likely that the user you are running it as does not have permission to modify the '''/proc/sys/net/ipv4/ip_forward''' file (check the permissions by using '''ls'''). Read [http://stackoverflow.com/questions/82256/how-do-i-use-sudo-to-redirect-output-to-a-location-i-dont-have-permission-to-wr this similar question] for more details and possible solutions.''<br />
</ol><br />
<br />
== Setup a DHCP Server ==<br />
To setup a DHCP server, we will first need to install the required software. <br />
<ol><br />
<li>In your SSH console use your favorite package manager to install the ''isc-dhcp-server'' package.</li><br />
: After you install the package you may get a warning about ''isc-dhcp-server'' being unable to start. This is normal as we have yet to define the interface and settings we want used.<br />
<li>Now back in Webmin, select the Refresh Modules option. .</li><br />
* After it is done, go to Servers, then DHCP Server<br />
: Before we define our DHCP range, we need to set our listening interface. <br />
* Click on the ''Edit Network Interface'' option. <br />
*Select ''ens224''. <br />
* Press save.<br />
<li>Now under Subnets and Shared Networks, select Add a new subnet. </li><br />
* Use the following settings:<br />
<pre>Subnet description: LAN DHCP Range<br />
Network Address: 192.168.1.0<br />
Netmask: 255.255.255.0<br />
Address Ranges: 192.168.1.100-192.168.1.254</pre><br />
: [[File:Lab10_webmin_dhcp_create_subnet.png | link=https://wiki.ihitc.net/mediawiki/images/4/4e/Lab10_webmin_dhcp_create_subnet.png|500px]]<br />
: [[Media:Lab10_webmin_dhcp_create_subnet.png | Click for larger image]]<br />
* When you are done, press Create. <br />
* Now, click on the network you just created to review the settings, then press Edit Client Options at the bottom.<br />
: From here we will setup the default gateway and DNS servers for the clients to use. <br />
<li> Under Default Routers, set the option to 192.168.1.1 <br />
* Under DNS servers, set it to 192.168.1.1. <br />
: [[File:Lab10_webmin_dhcp_client_options.png | link=https://wiki.ihitc.net/mediawiki/images/d/d7/Lab10_webmin_dhcp_client_options.png|500px]]<br />
: [[Media:Lab10_webmin_dhcp_client_options.png | Click for larger image]]<br />
: Notice how we are setting these options to the IP of ens224 that we setup. This is because our Linux VM will act as the router and DNS for our clients as well.<br />
* When you are done, press save<br />
* Then on the Edit Subnet page, press save again.<br />
<li>Now that you are back on the DHCP server page, press the Start Server button. <br />
: If all goes well, the button should change to "Stop Server". If this does not happen, then the server was unable start. If that happens, re-check your DHCP server configurations to make sure everything is correct.<br />
</ol><br />
<br />
== Enabling NAT and Firewall Rules for the LAN ==<br />
Now we will use firewalld to setup NAT so that we can use private addresses on our internal LAN but still have access to the public Internet. <br />
<ol><br />
<li>First, let's set our ens224 interface (LAN) to be in the internal zone with the following command.</li><br />
<code>firewall-cmd --zone=internal --add-interface=ens224</code><br />
<li>You should now take a minute to allow all of the same services and ports on the internal network that you have allowed on the external network. </li><br />
:In other words, make sure that Webmin, Samba, DNS, etc. are also allowed on the internal zone.<br />
:In order to activate NAT you need to turn on the "masquerade" feature on your outside interface. This is probably already done if you correctly assigned your outside interface to the pre-defined external zone (it's one of the features of that zone). <br />
: ''HINT: you can do this manually as well in case you setup a custom zone by running the '''firewall-cmd --add-masquerade --zone=external''' command.''<br />
: While routing and NAT should be working for hosts on your LAN interface now they probably still can't get an IP address! Just like all the other services being blocked by the firewall DHCP is also blocked unless you specifically allow it. <br />
<li>To do this run the following command:</li><br />
<code>firewall-cmd --add-service=dhcp --zone=internal</code><br />
<li>Once you are satisfied your firewall is running correctly you can use this command to set these rules to automatically load each time the system is started.</li><br />
<code>firewall-cmd --runtime-to-permanent</code></ol><br />
<br />
== Setup a 2nd VM as a LAN Host ==<br />
Now we are going to setup a 2nd VM on the VMware server so we can have a client to connect to the LAN network segment we just created. For this though, we will be using Linux Mint instead of Debian so we have a graphical user interface to help us with testing.<br />
<ol><br />
<li> You'll need to make a Netlab reservation to work with your Mint system's GUI so go ahead and do that. </li><br />
* Enter the lab on Netlab<br />
* Click the "Linux Desktop" tab to access your Mint machine.<br />
: The VM should be booting from a Linux Mint virtual CD image. <br />
<li> Get Linux Mint installed using the link on the desktop.</li><br />
: Installation settings are not critical as we'll be using the system primarily to explore a Linux GUI and to test web browsing capability from our private network.<br />
: [[File:Lab10_linux_mint_desktop.png | link=https://wiki.ihitc.net/mediawiki/images/f/f1/Lab10_linux_mint_desktop.png|500px]]<br />
: [[Media:Lab10_linux_mint_desktop.png | Click for larger image]]<br />
: ''NOTE: By default Linux Mint will boot into a "Live CD" environment where you can use the system without installing. However, the Live CD environment is much slower and memory limited compared with a full installation to the hard drive so be sure to start an installation and reboot into the installed copy instead of from the Live CD. You will know you're working from an installed copy if you are prompted for your username and password when logging in and don't see a link on the desktop to Install Linux Mint anymore.''<br />
<li> Once you have Linux Mint installed, reboot the machine and login. </li><br />
: Hopefully the machine is able to connect to the Internet through your Debian server which is acting as a DHCP server and router (see the topology diagram tab in Netlab to see a diagram of how they are connected).<br />
<li> Press the Menu icon in the lower left corner, and enter "Terminal". </li><br />
* Then, open the terminal application.<br />
<li> You now have a shell on the system. From here, use the following command to check your network settings. </li><br />
<code>ip address show</code><br />
: Notice how you have a IP from the DHCP pool we created earlier. <br />
<li> Now try pinging ''172.17.50.1''. </li><br />
: Are you able to ping? If so, NAT is working properly on your network because the 172.17.50.0/24 network is outside of the LAN segment this machine is attached to (192.168.1.0/24).<br />
: ''NOTE: Notice how some Linux distributions like Mint haven't switched from the old naming of network interfaces with ''eth'' to the new ''ens'' style. You can also try using the older '''ifconfig''' way of checking the IP address and compare the output to the new '''ip address show''' method which we have been using so far in Debian.''<br />
<li> Now run '''ping google.com'''. </li><br />
: If you are able to ping, this shows that not only is NAT working, but DNS resolving as well.<br />
<li> Open a web browser on the system (you can use a graphical browser this time since you have a GUI) and test browsing to a few websites.</li><br />
: At this point we have a fully functional LAN environment.<br />
<li> In order to allow automatic safe shutdown of your Linux Mint system and improve speed/efficiency use the package manager to install the ''open-vm-tools-desktop'' package. </li><br />
:This provides better drivers and integration between the vmWare host which is running your Linux Mint virtual machine and the virtual machine itself.<br />
<li> Finally, in the next section we'll be setting up SSH access to Mint through the Firewall so you'll want to install the ''openssh-server package'' through the package manager. </li><br />
: Once you've done this you should be able to use the ssh program on the command line in Debian to access your Mint system like '''ssh mintusername@192.168.1.x''' where you are using a valid username on the Mint system and the IP address of the Mint system.<br />
<li> Spend a few more minutes exploring the functionality of the Linux GUI and desktop.</li></ol><br />
<br />
== Port Forwarding and Firewalling ==<br />
Now we are going to enable port forwarding to our VM. This will allow you to access the 2nd VM from the ITC network and VPN.<br />
Because we are already using port 22 on our outside interface to provide SSH access to our main Debian system we need to use a different port to access the Mint system. Instead of changing the port number in the SSH server software on Mint we can have our firewall do it at the same time the NAT masquerading is occurring. <br />
<ol><br />
<li>Set up a rule by running the following command:</li><br />
<code>firewall-cmd --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=192.168.1.100 --zone=external</code><br />
:NOTE: this rule is a little unstable because it forwards the port to 192.168.1.100 which is currently the IP of our Mint system (if yours has a different IP you should change it in the command) but because that system gets an IP from DHCP it is subject to change which would break the rule. Therefore, if we wanted this to be stable in the long term, we would want to set up a static IP on any machines we were forwarding ports to.<br />
:''HINT: If your connection is refused, it may be because SSH is not installed in Mint. Try installing SSH using the package manager or apt.''<br />
<li> From a computer on the ITC network, such as one connected to the VPN, try to SSH to port 2222 on the outside (172.17.50.xx) IP address of your Debian system. </li><br />
:If everything was set up successfully, you should be able to sign into the Mint VM based on the port forwarding rule we have put in place.<br />
<li> Once you are satisfied your firewall is running correctly you can use the following command to set these rules to automatically load each time the system is started.</li><br />
<code>firewall-cmd --runtime-to-permanent</code><br><br />
</ol><br />
When you are done testing this section of the lab please power off your new Linux Mint VM as these require far more resources to run than the Debian VMs on our servers.<br><br />
: [[File:Lab10_linux_mint_shutdown.png | link=https://wiki.ihitc.net/mediawiki/images/1/1c/Lab10_linux_mint_shutdown.png|500px]]<br />
: [[Media:Lab10_linux_mint_shutdown.png | Click for larger image]]<br />
<br />
=Checking your Work=<br />
For this lab there are many things you need to check.<br />
<br />
#Firewall - attempt to connect using FTP on port 21, this should fail<br />
#SSH - connect using FTP on port 22<br />
#DNS - navigate to url of server<br />
#SMTP - send a mail to auto-respond server<br />
#IMAP - receive a mail from auto-respond server<br />
#Samba - Create a file on server using file sharing<br />
#HTTP - Navigate to ip address of server<br />
#Webmin - Navigate to <your-ip>:10000<br />
#PuTTY into linux mint using your ip address and port 2222<br />
#Linux Mint DNS/NAT - ping google.com from within Linux Mint<br><br><br />
<br><br />
Run this script to automatically check your lab<br><br />
<code> curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_10_test.py | sudo python3 </code></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_10_mnjk&diff=9540Lab 10 mnjk2021-03-02T01:33:55Z<p>JonQuinn: /* Checking your Work */</p>
<hr />
<div>=Introduction=<br />
'''''[https://www.youtube.com/watch?v=dQw4w9WgXcQ Watch the video introduction]'''''<br />
<br />
This lab assumes you have successfully set up [[Lab_8_mnjk#Install_BIND_.26_Enable_Caching | DNS]] and [[Lab_9_mnjk#Install_the_Postfix_MTA |email]]. If you had any issues with those labs, you should resolve them before attempting this lab, since you will be unable to properly test the tasks in this lab if those are not fully functional.<br />
<br />
In this lab you will perform the following tasks:<br />
*Configuring a [https://firewalld.org/ Firewall]<br />
*Enabling a 2nd interface<br />
*Configuring [https://en.wikipedia.org/wiki/Network_address_translation NAT]<br />
*Setting up [https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol DHCP]<br />
*Installing [https://linuxmint.com/ Linux Mint] on a second VM<br />
*Enabling [https://en.wikipedia.org/wiki/Port_forwarding Port Forwarding]<br />
<br />
You will be introduced to the following commands:<br />
*'''[https://firewalld.org/documentation/man-pages/firewall-cmd.html firewall-cmd]'''<br />
*'''[https://linux.die.net/man/1/echo echo]'''<br />
*'''[https://linux.die.net/man/8/ifconfig ifconfig]'''<br />
<br />
=Lab Procedure=<br />
== Prerequisites ==<br />
# Open an SSH console to your Linux system using the PuTTY software.<br />
# Login with your standard user account.<br />
# Have a browser window set to the webmin interface for your linux VM.<br />
<br />
== Configure a Firewall ==<br />
''NOTE: It is suggested that instead of managing a firewall directly using nftables tools (which would also require us to create a script to reload our rules each time the system is restarted) we use a firewall daemon program to manage it based on a set of rules we create and automatically setup the firewall based on those rules each time the system boots. There are many command line firewall management programs out there but for this lab we will use the [https://firewalld.org/ firewalld] package suggested by Debian. ''<br />
<ol><br />
<li>Begin by installing the ''firewalld'' package on your system.</li><br />
<li>First, let's check to see if the firewall is now up and running using the following command:</li><br />
<code>firewall-cmd --state</code><br />
: The firewall has been pre-configured with a couple of rules in it to prevent us from getting locked out. <br />
: [[File:Lab10_firewalld_state.png | link=https://wiki.ihitc.net/mediawiki/images/1/11/Lab10_firewalld_state.png|500px]]<br />
: [[Media:Lab10_firewalld_state.png | Click for larger image]]<br />
<li>Let's see what those rules are by using this command: </li><br />
<code>firewall-cmd --list-all</code><br />
: [[File:Lab10_firewalld_initial_rules.png | link=https://wiki.ihitc.net/mediawiki/images/1/14/Lab10_firewalld_initial_rules.png|500px]]<br />
: [[Media:Lab10_firewalld_initial_rules.png | Click for larger image]]<br />
: By default all interfaces are in the public zone (this is set in the ''/etc/firewalld/firewalld.conf'' file). <br />
: Before we start working on rules for our firewall we should assign our outside interface to the external zone which is designed for NAT routing which we'll be setting up shortly. <br />
<li> We can do this with the command:</li><br />
<code>firewall-cmd --zone=external --add-interface=ens192</code><br />
: We can create custom zones or use pre-defined security zones which will speed up configuring the firewall. Learn more about the [https://firewalld.org/documentation/zone/predefined-zones.html pre-defined zones in firewalld documentation].<br />
<li>Since we have changed zones on our interface let's check and see what rules we have started with. Let's see what those rules are:</li><br />
<code>firewall-cmd --zone=external --list-all</code><br />
: ''NOTE: You can also use the '''firewall-cmd --list-all-zones''' command to see a list of all available zones and their rules.</li>''<br />
: If you were watching carefully you may have noted that the dhcpv6-client service which was allowed in the public zone but is not allowed by default on the external zone. <br />
<li>In our case we want to allow DHCPv6 to operate on our outside interface so we can re-enable it with the following command: </li><br />
<code> firewall-cmd --zone=external --add-service="dhcpv6-client"</code><br />
<li>Check to see what other services can be allowed on an interface with:</li><br />
<code>firewall-cmd --get-services</code><br />
: If you check you will see that although you can connect with ssh (by default it's on the allowed service list you saw above) you can't connect to your webserver or Webmin anymore. Webmin is not a pre-defined service in the list we saw above so we could either set it up as a new service and then allow it or we could create a manual rule to allow the TCP traffic on port 10000 needed to access Webmin. In this case because the service only uses a single port and to see how manual rules can be created let's manually create a rule to allow access to TCP port 10000. <br />
<li>Do this by running this command: </li><br />
<code>firewall-cmd --zone=external --add-port=10000/tcp </code><br />
:You should now be able to access Webmin again.<br />
<li> Using either service rules or manual port rules create additional rules so that the other services on your VM are again accessible from the outside (such as from your home PC over the VPN). </li><br />
:''HINT: Services we have setup so far include SSH, DNS, SMTP, IMAP, Samba, and HTTP.''<br />
: Make sure to test and ensure they are all working again!<br />
<li> Once you are satisfied your firewall is running correctly you can use the following command to set these rules to automatically load each time the system is started.</li><br />
<code> firewall-cmd --runtime-to-permanent </code><br />
</ol><br />
<br />
== Setup a 2nd NIC Interface ==<br />
To start this lab we will need to configure a second network interface, named ens224 on our virtual machines. In our simulated setup our existing ens192 interface will be our WAN interface and ens224 will be our LAN interface which could be connected to a switch and then to multiple allow other computers which will connect to the Internet through our server.<br />
<ol><br />
<li> Open ''/etc/network/interfaces'' with your favorite text editor. </li><br />
* Go to the bottom of the file.<br />
: [[File:Lab10_network_interfaces_before.png | link=https://wiki.ihitc.net/mediawiki/images/f/f8/Lab10_network_interfaces_before.png|500px]]<br />
: [[Media:Lab10_network_interfaces_before.png | Click for larger image]]<br />
* Add the following to configure the second interface with a static IP of 192.168.1.1/24:<br />
<pre>auto ens224<br />
iface ens224 inet static<br />
address 192.168.1.1<br />
netmask 255.255.255.0</pre></li><br />
<br />
: [[File:Lab10_network_interfaces_after.png | link=https://wiki.ihitc.net/mediawiki/images/8/80/Lab10_network_interfaces_after.png|500px]]<br />
: [[Media:Lab10_network_interfaces_after.png | Click for larger image]]<br />
: ''NOTE: As this is a LAN only interface, we do not need to define a gateway for the server VM, as the server VM itself will be the gateway for this network.''<br />
<li>Once this is done, save the file <br />
<li> Run the following command to enable the new interface.</li><br />
<code>ifup ens224</code><br />
<li>Verify the second interface is up and running with the correct IP address</li><br />
</ol><br />
<br />
== Enable Routing ==<br />
Now we will need to enable NAT so we can route LAN traffic to the Internet and responding Internet traffic back to our LAN interface.<br />
<ol><br />
<li>In your console, you will need to edit ''/etc/sysctl.conf''. This file is used to change and tweak multiple system variables. </li><br />
* Scroll down until you find the following:<br />
<pre># Uncomment the next line to enable packet forwarding for IPv4<br />
#net.ipv4.ip_forward=1<br />
</pre><br />
* Follow the instructions in the file to enable packet forwarding in the kernel. <br />
: [[File:Lab10_sysctl_after.png | link=https://wiki.ihitc.net/mediawiki/images/1/1e/Lab10_sysctl_after.png|500px]]<br />
: [[Media:Lab10_sysctl_after.png | Click for larger image]]<br />
* When you are done, save the file.<br />
: Changes to the ''sysctl.conf'' file require a reboot, but most can be set without a reboot by echoing response codes to "files" in ''/proc''. <br />
<li> We will get into that more in a later chapter, but for now run the following command to enable ip_forwarding without rebooting the machine: </li><br />
<code>'''echo 1 > /proc/sys/net/ipv4/ip_forward</code><br />
: ''NOTE: If you are receiving an error when trying to run that command it's likely that the user you are running it as does not have permission to modify the '''/proc/sys/net/ipv4/ip_forward''' file (check the permissions by using '''ls'''). Read [http://stackoverflow.com/questions/82256/how-do-i-use-sudo-to-redirect-output-to-a-location-i-dont-have-permission-to-wr this similar question] for more details and possible solutions.''<br />
</ol><br />
<br />
== Setup a DHCP Server ==<br />
To setup a DHCP server, we will first need to install the required software. <br />
<ol><br />
<li>In your SSH console use your favorite package manager to install the ''isc-dhcp-server'' package.</li><br />
: After you install the package you may get a warning about ''isc-dhcp-server'' being unable to start. This is normal as we have yet to define the interface and settings we want used.<br />
<li>Now back in Webmin, select the Refresh Modules option. .</li><br />
* After it is done, go to Servers, then DHCP Server<br />
: Before we define our DHCP range, we need to set our listening interface. <br />
* Click on the ''Edit Network Interface'' option. <br />
*Select ''ens224''. <br />
* Press save.<br />
<li>Now under Subnets and Shared Networks, select Add a new subnet. </li><br />
* Use the following settings:<br />
<pre>Subnet description: LAN DHCP Range<br />
Network Address: 192.168.1.0<br />
Netmask: 255.255.255.0<br />
Address Ranges: 192.168.1.100-192.168.1.254</pre><br />
: [[File:Lab10_webmin_dhcp_create_subnet.png | link=https://wiki.ihitc.net/mediawiki/images/4/4e/Lab10_webmin_dhcp_create_subnet.png|500px]]<br />
: [[Media:Lab10_webmin_dhcp_create_subnet.png | Click for larger image]]<br />
* When you are done, press Create. <br />
* Now, click on the network you just created to review the settings, then press Edit Client Options at the bottom.<br />
: From here we will setup the default gateway and DNS servers for the clients to use. <br />
<li> Under Default Routers, set the option to 192.168.1.1 <br />
* Under DNS servers, set it to 192.168.1.1. <br />
: [[File:Lab10_webmin_dhcp_client_options.png | link=https://wiki.ihitc.net/mediawiki/images/d/d7/Lab10_webmin_dhcp_client_options.png|500px]]<br />
: [[Media:Lab10_webmin_dhcp_client_options.png | Click for larger image]]<br />
: Notice how we are setting these options to the IP of ens224 that we setup. This is because our Linux VM will act as the router and DNS for our clients as well.<br />
* When you are done, press save<br />
* Then on the Edit Subnet page, press save again.<br />
<li>Now that you are back on the DHCP server page, press the Start Server button. <br />
: If all goes well, the button should change to "Stop Server". If this does not happen, then the server was unable start. If that happens, re-check your DHCP server configurations to make sure everything is correct.<br />
</ol><br />
<br />
== Enabling NAT and Firewall Rules for the LAN ==<br />
Now we will use firewalld to setup NAT so that we can use private addresses on our internal LAN but still have access to the public Internet. <br />
<ol><br />
<li>First, let's set our ens224 interface (LAN) to be in the internal zone with the following command.</li><br />
<code>firewall-cmd --zone=internal --add-interface=ens224</code><br />
<li>You should now take a minute to allow all of the same services and ports on the internal network that you have allowed on the external network. </li><br />
:In other words, make sure that Webmin, Samba, DNS, etc. are also allowed on the internal zone.<br />
:In order to activate NAT you need to turn on the "masquerade" feature on your outside interface. This is probably already done if you correctly assigned your outside interface to the pre-defined external zone (it's one of the features of that zone). <br />
: ''HINT: you can do this manually as well in case you setup a custom zone by running the '''firewall-cmd --add-masquerade --zone=external''' command.''<br />
: While routing and NAT should be working for hosts on your LAN interface now they probably still can't get an IP address! Just like all the other services being blocked by the firewall DHCP is also blocked unless you specifically allow it. <br />
<li>To do this run the following command:</li><br />
<code>firewall-cmd --add-service=dhcp --zone=internal</code><br />
<li>Once you are satisfied your firewall is running correctly you can use this command to set these rules to automatically load each time the system is started.</li><br />
<code>firewall-cmd --runtime-to-permanent</code></ol><br />
<br />
== Setup a 2nd VM as a LAN Host ==<br />
Now we are going to setup a 2nd VM on the VMware server so we can have a client to connect to the LAN network segment we just created. For this though, we will be using Linux Mint instead of Debian so we have a graphical user interface to help us with testing.<br />
<ol><br />
<li> You'll need to make a Netlab reservation to work with your Mint system's GUI so go ahead and do that. </li><br />
* Enter the lab on Netlab<br />
* Click the "Linux Desktop" tab to access your Mint machine.<br />
: The VM should be booting from a Linux Mint virtual CD image. <br />
<li> Get Linux Mint installed using the link on the desktop.</li><br />
: Installation settings are not critical as we'll be using the system primarily to explore a Linux GUI and to test web browsing capability from our private network.<br />
: [[File:Lab10_linux_mint_desktop.png | link=https://wiki.ihitc.net/mediawiki/images/f/f1/Lab10_linux_mint_desktop.png|500px]]<br />
: [[Media:Lab10_linux_mint_desktop.png | Click for larger image]]<br />
: ''NOTE: By default Linux Mint will boot into a "Live CD" environment where you can use the system without installing. However, the Live CD environment is much slower and memory limited compared with a full installation to the hard drive so be sure to start an installation and reboot into the installed copy instead of from the Live CD. You will know you're working from an installed copy if you are prompted for your username and password when logging in and don't see a link on the desktop to Install Linux Mint anymore.''<br />
<li> Once you have Linux Mint installed, reboot the machine and login. </li><br />
: Hopefully the machine is able to connect to the Internet through your Debian server which is acting as a DHCP server and router (see the topology diagram tab in Netlab to see a diagram of how they are connected).<br />
<li> Press the Menu icon in the lower left corner, and enter "Terminal". </li><br />
* Then, open the terminal application.<br />
<li> You now have a shell on the system. From here, use the following command to check your network settings. </li><br />
<code>ip address show</code><br />
: Notice how you have a IP from the DHCP pool we created earlier. <br />
<li> Now try pinging ''172.17.50.1''. </li><br />
: Are you able to ping? If so, NAT is working properly on your network because the 172.17.50.0/24 network is outside of the LAN segment this machine is attached to (192.168.1.0/24).<br />
: ''NOTE: Notice how some Linux distributions like Mint haven't switched from the old naming of network interfaces with ''eth'' to the new ''ens'' style. You can also try using the older '''ifconfig''' way of checking the IP address and compare the output to the new '''ip address show''' method which we have been using so far in Debian.''<br />
<li> Now run '''ping google.com'''. </li><br />
: If you are able to ping, this shows that not only is NAT working, but DNS resolving as well.<br />
<li> Open a web browser on the system (you can use a graphical browser this time since you have a GUI) and test browsing to a few websites.</li><br />
: At this point we have a fully functional LAN environment.<br />
<li> In order to allow automatic safe shutdown of your Linux Mint system and improve speed/efficiency use the package manager to install the ''open-vm-tools-desktop'' package. </li><br />
:This provides better drivers and integration between the vmWare host which is running your Linux Mint virtual machine and the virtual machine itself.<br />
<li> Finally, in the next section we'll be setting up SSH access to Mint through the Firewall so you'll want to install the ''openssh-server package'' through the package manager. </li><br />
: Once you've done this you should be able to use the ssh program on the command line in Debian to access your Mint system like '''ssh mintusername@192.168.1.x''' where you are using a valid username on the Mint system and the IP address of the Mint system.<br />
<li> Spend a few more minutes exploring the functionality of the Linux GUI and desktop.</li></ol><br />
<br />
== Port Forwarding and Firewalling ==<br />
Now we are going to enable port forwarding to our VM. This will allow you to access the 2nd VM from the ITC network and VPN.<br />
Because we are already using port 22 on our outside interface to provide SSH access to our main Debian system we need to use a different port to access the Mint system. Instead of changing the port number in the SSH server software on Mint we can have our firewall do it at the same time the NAT masquerading is occurring. <br />
<ol><br />
<li>Set up a rule by running the following command:</li><br />
<code>firewall-cmd --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=192.168.1.100 --zone=external</code><br />
:NOTE: this rule is a little unstable because it forwards the port to 192.168.1.100 which is currently the IP of our Mint system (if yours has a different IP you should change it in the command) but because that system gets an IP from DHCP it is subject to change which would break the rule. Therefore, if we wanted this to be stable in the long term, we would want to set up a static IP on any machines we were forwarding ports to.<br />
:''HINT: If your connection is refused, it may be because SSH is not installed in Mint. Try installing SSH using the package manager or apt.''<br />
<li> From a computer on the ITC network, such as one connected to the VPN, try to SSH to port 2222 on the outside (172.17.50.xx) IP address of your Debian system. </li><br />
:If everything was set up successfully, you should be able to sign into the Mint VM based on the port forwarding rule we have put in place.<br />
<li> Once you are satisfied your firewall is running correctly you can use the following command to set these rules to automatically load each time the system is started.</li><br />
<code>firewall-cmd --runtime-to-permanent</code><br><br />
</ol><br />
When you are done testing this section of the lab please power off your new Linux Mint VM as these require far more resources to run than the Debian VMs on our servers.<br><br />
: [[File:Lab10_linux_mint_shutdown.png | link=https://wiki.ihitc.net/mediawiki/images/1/1c/Lab10_linux_mint_shutdown.png|500px]]<br />
: [[Media:Lab10_linux_mint_shutdown.png | Click for larger image]]<br />
<br />
=Checking your Work=<br />
For this lab there are many things you need to check.<br />
<br />
#Firewall - attempt to connect using FTP on port 21, this should fail<br />
#SSH - connect using FTP on port 22<br />
#DNS - navigate to url of server<br />
#SMTP - send a mail to auto-respond server<br />
#IMAP - receive a mail from auto-respond server<br />
#Samba - Create a file on server using file sharing<br />
#HTTP - Navigate to ip address of server<br />
#Webmin - Navigate to <your-ip>:10000<br />
#PuTTY into linux mint using your ip address and port 2222<br />
#Linux Mint DNS/NAT - ping google.com from within Linux Mint<br><br><br />
<br><br />
Run this script to automatically check your lab<br><br />
<code> curl https[]()://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_10_test.py | sudo python3 </code></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Admin_instructions_mail_server&diff=9538Admin instructions mail server2021-03-02T00:43:20Z<p>JonQuinn: /* Mail Server Documentation */</p>
<hr />
<div>==Mail Server Documentation==<br />
:Basic configuration of server should follow the standard class server (see labs 1 and 9)<br />
<ol><br />
<li>Power on you Virtual machine</li><br />
<li>Install Debian Linux</li><br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
<li> Create a new user account '''ping''' using the '''adduser''' program</li><br />
: <code> adduser ping</code><br />
<li>Set a static IP for your server, capstone group used 172.17.50.28</li><br />
<li>Apply your static IP address</li><br />
<li>Install postfix, see lab 9</li><br />
</ol><br />
<br />
==Auto Reply Configuration==<br />
<ol><br />
<li>Install vacation</li><br />
: Vacation is a Linux package that will auto-respond to received emails for the receiving users. <br />
<code>sudo apt install vacation</code><br />
<li>Run the vacation program in the profile you wish to set up the reply message from</li><br />
<code>vacation</code><br />
<li>Follow the prompts, for now reply with the default answer (Y)</li><br />
: [[File:MAILSVR_vaca_prompts.png|link=https://wiki.ihitc.net/mediawiki/images/7/76/MAILSVR_vaca_prompts.png|500px]]<br />
: [[Media:MAILSVR_vaca_prompts.png|Click here for a larger image]]<br />
<li>Edit the vacation.msg file</li><br />
<code>nano vacation.msg</code> <br />
: [[File:MAILSVR_vaca_msg.png|link=https://wiki.ihitc.net/mediawiki/images/b/b9/MAILSVR_vaca_msg.png|500px]]<br />
: [[Media:MAILSVR_vaca_msg.png|Click for a larger image]]<br />
:* Enter the message that you would like to have in the auto-response.<br />
<li>Set the response to auto mail every message</li><br />
: The default response is every one week to send an auto-reply, for our use it is important to reply to every email.<br />
<code>vacation -i -r 0</code><br />
: ''NOTE: It is important to understand this command sets the auto-reply delay. Using the '''-r 0''' sets the vacation program to reply to EVERY message it receives. In a production environment, this is not recommended as it can create mail loops.<br />
<li>Test your reply message from the CLI '''mailutils''' package or the MTA chosen to use on client computers</li><br />
</ol><br />
==Auto Maildir Clean Up==<br />
<ol><br />
<li>Create script to delete emails older than 45 days</li><br />
:''NOTE: The script must be owned by root and executable. Additionally, the crontab must be created with sudo priviledges<br />
:<code>sudo nano '''<scriptname.sh>'''</code><br />
<pre><br />
#!/bin/bash<br />
find /home/testuser/Maildir/cur -type f -mtime +45 -exec rm {} \;<br />
find /home/testuser/Maildir/new -type f -mtime +45 -exec rm {} \;<br />
find /home/testuser/Maildir/tmp -type f -mtime +45 -exec rm {} \;<br />
</pre><br />
:[[File:MAILSVR_emailflush_sh.png|link=https://wiki.ihitc.net/mediawiki/images/b/b5/MAILSVR_emailflush_sh.png|500px]]<br />
:[[Media:MAILSVR_emailflush_sh.png|Click here for a larger image]]<br />
<li>Make executable</li><br />
:<code>sudo chmod +x '''<sciptname.sh>'''</code><br />
<li>Create a '''crontab''' job</li><br />
:<code>sudo crontab -e</code><br />
: ''NOTE: the astricks at the start of the following command are respective to the scheduling of time. A good additional resource for '''cron''' can be found at [https://vitux.com/how-to-setup-a-cron-job-in-debian-10 Vitux]. Each astrik represents [Minute] [hour] [Day_of_the_Month] [Month_of_the_Year] [Day_of_the_Week] <br />
:* Add the following line to the chrontab file to schedule the job at 8PM every day.<br />
<pre>* 20 * * * * /home/ping/scriptname.sh</pre><br />
<br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Admin_instructions_mail_server&diff=9537Admin instructions mail server2021-03-02T00:42:04Z<p>JonQuinn: /* Mail Server Documentation */</p>
<hr />
<div>==Mail Server Documentation==<br />
:Basic configuration of server should follow the standard class server, see lab 1<br />
<ol><br />
<li>Power on you Virtual machine</li><br />
<li>Install Debian Linux</li><br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
<li> Create a new user account '''ping''' using the '''adduser''' program</li><br />
: <code> adduser ping</code><br />
<li>Set a static IP for your server, capstone group used 172.17.50.28</li><br />
<li>Apply your static IP address</li><br />
<li>Install postfix, see lab 9</li><br />
</ol><br />
<br />
==Auto Reply Configuration==<br />
<ol><br />
<li>Install vacation</li><br />
: Vacation is a Linux package that will auto-respond to received emails for the receiving users. <br />
<code>sudo apt install vacation</code><br />
<li>Run the vacation program in the profile you wish to set up the reply message from</li><br />
<code>vacation</code><br />
<li>Follow the prompts, for now reply with the default answer (Y)</li><br />
: [[File:MAILSVR_vaca_prompts.png|link=https://wiki.ihitc.net/mediawiki/images/7/76/MAILSVR_vaca_prompts.png|500px]]<br />
: [[Media:MAILSVR_vaca_prompts.png|Click here for a larger image]]<br />
<li>Edit the vacation.msg file</li><br />
<code>nano vacation.msg</code> <br />
: [[File:MAILSVR_vaca_msg.png|link=https://wiki.ihitc.net/mediawiki/images/b/b9/MAILSVR_vaca_msg.png|500px]]<br />
: [[Media:MAILSVR_vaca_msg.png|Click for a larger image]]<br />
:* Enter the message that you would like to have in the auto-response.<br />
<li>Set the response to auto mail every message</li><br />
: The default response is every one week to send an auto-reply, for our use it is important to reply to every email.<br />
<code>vacation -i -r 0</code><br />
: ''NOTE: It is important to understand this command sets the auto-reply delay. Using the '''-r 0''' sets the vacation program to reply to EVERY message it receives. In a production environment, this is not recommended as it can create mail loops.<br />
<li>Test your reply message from the CLI '''mailutils''' package or the MTA chosen to use on client computers</li><br />
</ol><br />
==Auto Maildir Clean Up==<br />
<ol><br />
<li>Create script to delete emails older than 45 days</li><br />
:''NOTE: The script must be owned by root and executable. Additionally, the crontab must be created with sudo priviledges<br />
:<code>sudo nano '''<scriptname.sh>'''</code><br />
<pre><br />
#!/bin/bash<br />
find /home/testuser/Maildir/cur -type f -mtime +45 -exec rm {} \;<br />
find /home/testuser/Maildir/new -type f -mtime +45 -exec rm {} \;<br />
find /home/testuser/Maildir/tmp -type f -mtime +45 -exec rm {} \;<br />
</pre><br />
:[[File:MAILSVR_emailflush_sh.png|link=https://wiki.ihitc.net/mediawiki/images/b/b5/MAILSVR_emailflush_sh.png|500px]]<br />
:[[Media:MAILSVR_emailflush_sh.png|Click here for a larger image]]<br />
<li>Make executable</li><br />
:<code>sudo chmod +x '''<sciptname.sh>'''</code><br />
<li>Create a '''crontab''' job</li><br />
:<code>sudo crontab -e</code><br />
: ''NOTE: the astricks at the start of the following command are respective to the scheduling of time. A good additional resource for '''cron''' can be found at [https://vitux.com/how-to-setup-a-cron-job-in-debian-10 Vitux]. Each astrik represents [Minute] [hour] [Day_of_the_Month] [Month_of_the_Year] [Day_of_the_Week] <br />
:* Add the following line to the chrontab file to schedule the job at 8PM every day.<br />
<pre>* 20 * * * * /home/ping/scriptname.sh</pre><br />
<br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Admin_instructions_mail_server&diff=9536Admin instructions mail server2021-03-02T00:39:39Z<p>JonQuinn: /* Mail Server Documentation */</p>
<hr />
<div>==Mail Server Documentation==<br />
:Basic configuration of server should follow the standard class server, see lab 1<br />
<ol><br />
<li>Power on you Virtual machine</li><br />
<li>Install Debian Linux</li><br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
<li> Create a new user account '''ping''' using the '''adduser''' program</li><br />
: <code> adduser ping</code><br />
<li>Set a static IP for your server, capstone group used 172.17.50.28</li><br />
<li>Apply your static IP address</li><br />
</ol><br />
<br />
==Auto Reply Configuration==<br />
<ol><br />
<li>Install vacation</li><br />
: Vacation is a Linux package that will auto-respond to received emails for the receiving users. <br />
<code>sudo apt install vacation</code><br />
<li>Run the vacation program in the profile you wish to set up the reply message from</li><br />
<code>vacation</code><br />
<li>Follow the prompts, for now reply with the default answer (Y)</li><br />
: [[File:MAILSVR_vaca_prompts.png|link=https://wiki.ihitc.net/mediawiki/images/7/76/MAILSVR_vaca_prompts.png|500px]]<br />
: [[Media:MAILSVR_vaca_prompts.png|Click here for a larger image]]<br />
<li>Edit the vacation.msg file</li><br />
<code>nano vacation.msg</code> <br />
: [[File:MAILSVR_vaca_msg.png|link=https://wiki.ihitc.net/mediawiki/images/b/b9/MAILSVR_vaca_msg.png|500px]]<br />
: [[Media:MAILSVR_vaca_msg.png|Click for a larger image]]<br />
:* Enter the message that you would like to have in the auto-response.<br />
<li>Set the response to auto mail every message</li><br />
: The default response is every one week to send an auto-reply, for our use it is important to reply to every email.<br />
<code>vacation -i -r 0</code><br />
: ''NOTE: It is important to understand this command sets the auto-reply delay. Using the '''-r 0''' sets the vacation program to reply to EVERY message it receives. In a production environment, this is not recommended as it can create mail loops.<br />
<li>Test your reply message from the CLI '''mailutils''' package or the MTA chosen to use on client computers</li><br />
</ol><br />
==Auto Maildir Clean Up==<br />
<ol><br />
<li>Create script to delete emails older than 45 days</li><br />
:''NOTE: The script must be owned by root and executable. Additionally, the crontab must be created with sudo priviledges<br />
:<code>sudo nano '''<scriptname.sh>'''</code><br />
<pre><br />
#!/bin/bash<br />
find /home/testuser/Maildir/cur -type f -mtime +45 -exec rm {} \;<br />
find /home/testuser/Maildir/new -type f -mtime +45 -exec rm {} \;<br />
find /home/testuser/Maildir/tmp -type f -mtime +45 -exec rm {} \;<br />
</pre><br />
:[[File:MAILSVR_emailflush_sh.png|link=https://wiki.ihitc.net/mediawiki/images/b/b5/MAILSVR_emailflush_sh.png|500px]]<br />
:[[Media:MAILSVR_emailflush_sh.png|Click here for a larger image]]<br />
<li>Make executable</li><br />
:<code>sudo chmod +x '''<sciptname.sh>'''</code><br />
<li>Create a '''crontab''' job</li><br />
:<code>sudo crontab -e</code><br />
: ''NOTE: the astricks at the start of the following command are respective to the scheduling of time. A good additional resource for '''cron''' can be found at [https://vitux.com/how-to-setup-a-cron-job-in-debian-10 Vitux]. Each astrik represents [Minute] [hour] [Day_of_the_Month] [Month_of_the_Year] [Day_of_the_Week] <br />
:* Add the following line to the chrontab file to schedule the job at 8PM every day.<br />
<pre>* 20 * * * * /home/ping/scriptname.sh</pre><br />
<br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Admin_instructions_mail_server&diff=9535Admin instructions mail server2021-03-02T00:38:26Z<p>JonQuinn: Created page with "==Mail Server Documentation== :Basic configuration of server should follow the standard class server, see lab 1 <ol> <li>Power on you Virtual machine</li> <li>Install Debian L..."</p>
<hr />
<div>==Mail Server Documentation==<br />
:Basic configuration of server should follow the standard class server, see lab 1<br />
<ol><br />
<li>Power on you Virtual machine</li><br />
<li>Install Debian Linux</li><br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
<li> Create a new user account '''ping''' using the '''adduser''' program</li><br />
: <code> adduser ping</code><br />
<li> Use the '''links''' browser or '''wget''' to download the '''DEB''' package file from '''[https://www.webmin.com www.webmin.com]'''</li><br />
: ''NOTE: Because this DEB file was downloaded directly instead of automatically by APT from a package repository the installation command is slightly different and some other commands such as '''apt show''' will not work.''<br />
<li>Install the package with '''apt install'''<br />
: <code>apt install ./<filename.deb></code><br />
: Don't forget that installation of software must be done with system administrator permissions.''</li><br />
:[[File:Apt-install-webmin.png | link= https://wiki.ihitc.net/mediawiki/images/f/f8/Apt-install-webmin.png | 500px]]<br />
:[[Media:Apt-install-webmin.png | Click for Larger Image]]<br />
<li>Set a static IP for your server</li><br />
<li>Apply your static IP address</li><br />
</ol><br />
==Auto Reply Configuration==<br />
<ol><br />
<li>Install vacation</li><br />
: Vacation is a Linux package that will auto-respond to received emails for the receiving users. <br />
<code>sudo apt install vacation</code><br />
<li>Run the vacation program in the profile you wish to set up the reply message from</li><br />
<code>vacation</code><br />
<li>Follow the prompts, for now reply with the default answer (Y)</li><br />
: [[File:MAILSVR_vaca_prompts.png|link=https://wiki.ihitc.net/mediawiki/images/7/76/MAILSVR_vaca_prompts.png|500px]]<br />
: [[Media:MAILSVR_vaca_prompts.png|Click here for a larger image]]<br />
<li>Edit the vacation.msg file</li><br />
<code>nano vacation.msg</code> <br />
: [[File:MAILSVR_vaca_msg.png|link=https://wiki.ihitc.net/mediawiki/images/b/b9/MAILSVR_vaca_msg.png|500px]]<br />
: [[Media:MAILSVR_vaca_msg.png|Click for a larger image]]<br />
:* Enter the message that you would like to have in the auto-response.<br />
<li>Set the response to auto mail every message</li><br />
: The default response is every one week to send an auto-reply, for our use it is important to reply to every email.<br />
<code>vacation -i -r 0</code><br />
: ''NOTE: It is important to understand this command sets the auto-reply delay. Using the '''-r 0''' sets the vacation program to reply to EVERY message it receives. In a production environment, this is not recommended as it can create mail loops.<br />
<li>Test your reply message from the CLI '''mailutils''' package or the MTA chosen to use on client computers</li><br />
</ol><br />
==Auto Maildir Clean Up==<br />
<ol><br />
<li>Create script to delete emails older than 45 days</li><br />
:''NOTE: The script must be owned by root and executable. Additionally, the crontab must be created with sudo priviledges<br />
:<code>sudo nano '''<scriptname.sh>'''</code><br />
<pre><br />
#!/bin/bash<br />
find /home/testuser/Maildir/cur -type f -mtime +45 -exec rm {} \;<br />
find /home/testuser/Maildir/new -type f -mtime +45 -exec rm {} \;<br />
find /home/testuser/Maildir/tmp -type f -mtime +45 -exec rm {} \;<br />
</pre><br />
:[[File:MAILSVR_emailflush_sh.png|link=https://wiki.ihitc.net/mediawiki/images/b/b5/MAILSVR_emailflush_sh.png|500px]]<br />
:[[Media:MAILSVR_emailflush_sh.png|Click here for a larger image]]<br />
<li>Make executable</li><br />
:<code>sudo chmod +x '''<sciptname.sh>'''</code><br />
<li>Create a '''crontab''' job</li><br />
:<code>sudo crontab -e</code><br />
: ''NOTE: the astricks at the start of the following command are respective to the scheduling of time. A good additional resource for '''cron''' can be found at [https://vitux.com/how-to-setup-a-cron-job-in-debian-10 Vitux]. Each astrik represents [Minute] [hour] [Day_of_the_Month] [Month_of_the_Year] [Day_of_the_Week] <br />
:* Add the following line to the chrontab file to schedule the job at 8PM every day.<br />
<pre>* 20 * * * * /home/ping/scriptname.sh</pre><br />
<br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Mnjk-inver&diff=9534Mnjk-inver2021-03-02T00:32:43Z<p>JonQuinn: /* List of Labs */</p>
<hr />
<div>=Stylesheet=<br />
<br />
[[Stylesheet mnjk | Stylesheet]]<br />
<br />
=List of Labs=<br />
<br />
[[Lab 1 mnjk|Lab 1: Install Debian, check IP, remote access with ssh/sftp]]<br />
<br />
[[Lab 2 mnjk|Lab 2]]<br />
<br />
[[Lab 3 mnjk|Lab 3]]<br />
<br />
[[Lab 4 mnjk|Lab 4]]<br />
<br />
[[Lab 5 mnjk|Lab 5: Set static IP, install PHP/mySQL, experiment with websites and databases, view logfiles]]<br />
<br />
[[Lab 6 mnjk|Lab 6]]<br />
<br />
[[Lab 7 mnjk|Lab 7]]<br />
<br />
[[Lab 8 mnjk|Lab 8]]<br />
<br />
[[Lab 9 mnjk|Lab 9: Install Postfix MTA, courier-imap]]<br />
<br />
[[Lab 10 mnjk|Lab 10]]<br />
<br />
[[Lab 11 mnjk|Lab 11]]<br />
<br />
[[Lab 12 mnjk|Lab 12]]<br />
<br />
[[Lab 13 mnjk|Lab 13]]<br />
<br />
[[Lab 14 mnjk|Lab 14]]<br />
<br />
[[mail server mnjk|mail]]<br />
<br />
[[Admin instructions mail server|admin setup mail]]<br />
<br />
=Test pages=<br />
<br />
[[Mike mnjk|Mike]]<br />
<br />
[[Nate mnjk|Nate]]<br />
<br />
[[Jon mnjk|Jon]]<br />
<br />
[[Kreid mnjk|Kreid]]<br />
<br />
=Lab 11 Rewrites=<br />
<br />
[[Final Lab 11]]<br />
<br />
[[Mike Lab 11]]<br />
<br />
[[Nate Lab 11]]<br />
<br />
[[Jon Lab 11]]<br />
<br />
[[Kreid lab 11]]</div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_1_mnjk&diff=9533Lab 1 mnjk2021-02-28T14:52:00Z<p>JonQuinn: /* Install Nmap */</p>
<hr />
<div>=Introduction=<br />
:In this lab you will perform the following tasks:<br />
*Access NetLab to access the environment for you virtual machine<br />
*Install the latest version of Debian Linux in a virtual machine<br />
*Learn how to login and check the IP address of the system<br />
*Learn to remotely access the system with SSH and SFTP.<br />
<br />
You will be introduced to the following commands:<br />
<br />
*'''[https://linux.die.net/man/8/apt apt]'''<br />
*'''[https://linux.die.net/man/8/sudo sudo]'''<br />
*'''[https://linux.die.net/man/8/useradd adduser]'''<br />
*'''[https://linux.die.net/man/8/shutdown shutdown]'''<br />
*'''[https://linux.die.net/man/8/ip ip address show]'''<br />
<br />
=Lab Procedure=<br />
==Netlab Access==<br />
'''''[https://www.youtube.com/watch?v=-hLejbDfPGM&feature=youtu.be Video Tutorial - NetLab Access]'''''<br />
<ol><br />
<li> Connect to the ITCnet </li> <br />
: This can be accomplished by directly plugging into an ITCnet port in one of the ITC labs or by connecting to the [[ITC_VPN_Instructions|VPN]].<br />
:'' Note: If you want to connect using a wireless connection on campus you need to [[Connecting to Eduroam|connect to the eduroam network]] before connecting to the VPN.<br />
<li> After you are connected to ITCnet (by VPN or wired connection) you simply need to open a web browser and access https://ihcc-netlab.campus.ihitc.net</li><br />
* The first time you visit this site in a browser you may need to accept a self-signed security certificate<br />
* You will need to log in with a username and password established by your instructor.<br />
* The first time you log in you will need to change your password and set your timezone. Make sure your timezone is set correctly so you can schedule reservations to work with equipment at convenient times.<br />
<li> Once you are logged in click the blue "New Lab Reservation" button</li><br />
: Next, in the lower left corner of the screen, select "Schedule a Lab for Myself". Reservations are used to hold a place on the Netlab system to work on labs during a specific time. You only need reservations in this class when working with the GUI, which will come later in the class, if you need to turn the power back on to your VM, or during the installation process. The rest of the time you will be able to connect directly to your Linux server using the SSH protocol, but more on that in a bit.<br />
:'' Note: If you are enrolled in more than one class that is using Netlab you will be presented with a list of classes you are enrolled in, click on your Linux System Administration course of you see this screen.<br />
: All of our lab work in this class is done in a single "Lab Environment" and your progress will be saved from one reservation to another. As a result there is only one lab listed in this course "Linux System Administration Labs". Click on this lab title.<br />
<li> Use the calendar to choose a date, time, and specific pod to reserve for your lab activity (when you will begin your Debian server installation).</li><br />
: The red line on this screen indicates the current time. If you want to get started right away you can click just below this line. Pay attention to the title of the column at the top, it will say something like "LSA Pod Z". The letter at the end of this pod name is your "pod letter" which you will use to set the host name and IP address of your machine in the future so make note of it.<br />
: You will be presented with a summary screen for your reservation where you can set the end time of your reservation (up to a maximum). It is suggested to make your reservation a couple hours long the first time you plan to install Debian, though you can extend it if needed. Click submit once you are ready to make the reservation.<br />
<li>You will see a confirmation screen that your reservation has been made.</li><br />
: You are now ready to progress on to the Debian Linux Installation (as long as your reservation is right away).<br />
</ol><br />
<br />
==Debian Linux Installation==<br />
'''''[https://www.youtube.com/watch?v=H0DcdEytpFQ&feature=youtu.be Video Tutorial - Debian Linux Installation]'''''<br />
<ol><br />
<li> Log in to the Netlab system</li><br />
: Access this using a web browser at https://ihcc-netlab.campus.ihitc.net if you are not already logged in.<br />
: If you have a currently active reservation you will see a green "Enter Lab" button on your list of reservations. Click the green "Enter Lab" button. If not, you will need to make a reservation (see above) and then click the "Enter Lab" button.<br />
: Your virtual machines (VMs) will automatically power on when your reservation begins and because there is no operating system currently installed to their virtual hard drives they will boot from their virtual CD/DVD drives which have been pre-loaded with the installation discs for Linux.<br />
<li> Access you virtual machine console</li><br />
: Once you are in your pod you can either click on the image of the "Linux Server" on the topology diagram or use the tabs across the top of your screen to access the console of your Linux Server VM.<br />
: The console shows the display of your VM and allows you to type and interact with your VM just as if you were physically sitting down in front of a server with a monitor, keyboard, and mouse attached. Just like a separate physical machine you will not be able to copy and paste text or drag and drop files in and out of this console window. We will use other utilities across the network connection to do those things just like we would with a physical server.<br />
<li>Learn to "Power Cycle" your virtual machine</li><br />
: By now your VM has likely already booted from it's virtual CD/DVD drive and should be at the "Debian GNU/Linux installer menu". Before continuing let's practice rebooting your system so you can watch the system boot and see how to reboot the system if needed. Click the down arrow button on the right side of the "Linux Server" tab at the top of your screen and choose "Power Off" then click the red "Power Off" button on the popup to power off your VM. This is the equivalent of just pulling out the power cord, at least until we install the VMware Tools software which allows for a graceful shutdown, so you'll want to be careful to only do this if absolutely needed until then.<br />
<li>Power on you Virtual machine</li><br />
: Click the down arrow button on the right side of the "Linux Server" tab at the top of your screen and choose "Power On", or press the blue "Power On" button in the middle of your screen, then press the green "Power On" button to boot your system.<br />
<li>Install Debian Linux</li><br />
: Once the system has rebooted and is back to the "Debian GNU/Linux installer menu" choose "Install" and '''not''' "Graphical Install". If you make an incorrect choice you can reboot your virtual machine (power off and on) before installing to get back to the menu.<br />
: In the installer you will use the space bar to select and unselect "checkboxes", the tab key to move between fields and buttons, and the enter key to continue. You will be prompted for the following choices<br />
* Select ''English'' as the language, ''United States'' as your location, and ''American English'' as the keymap.<br />
* Set ''ens192'' as your primary network interface.<br />
* Set a hostname for the system to 2480 followed by a dash and then your pod ID letter, like ''2480-Z'' for LSA Pod Z. If you have forgotten your pod ID letter look up at the top of your screen above the line with the "Topology" and "Linux Server" tabs and you should see a line with "LSA Pod" followed by a letter, that letter is your pod ID letter.<br />
:'' Note: These steps are critical to future success in labs, check your spelling carefully'' <br />
: [[File:Lab1_hostname.png|link=https://wiki.ihitc.net/mediawiki/images/5/57/Lab1_hostname.png|500px]]<br />
: [[Media:Lab1_hostname.png|Click here for a larger image]]<br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
: [[File:Lab1_domainname.png|link=https://wiki.ihitc.net/mediawiki/images/5/5a/Lab1_domainname.png|500px]]<br />
: [[Media:Lab1_domainname.png|Click here for a larger images]]<br />
* Set the root password to something you will NOT FORGET, this is the administrator account, ''cisco'' might be a good choice for our purposes though that would not be secure for a system directly accessible from the Internet (we are protected by a firewall which you are bypassing via the VPN connection)<br />
* Create a new user account by entering your name. The system will automatically use your first name (all lowercase) as the username and then you should set the password to another password you will not forget<br />
* Select your timezone<br />
* Choose "Guided - Use entire disk" as the partitioning method and select the ''sda'' drive and "All files in one partition" as the partitioning scheme, "Finish partitioning and write the changes to the disk", and then finally confirm you want to write the changes.<br />
* You do not want to scan any other CDs or DVDs at this time.<br />
* You want to select a mirror located close to you with good speed. Because your VM is actually running from the campus and is connected to the campus Internet connection a good option is "debian.uchicago.edu" with no http proxy.<br />
* Choose whether you want to participate in the package usage survey, for our purposes either choice is just fine.<br />
* On the software selection screen UNSELECT "Debian desktop environment" and "Print server" and make sure that "SSH server" and "Standard system utilities" are the only two selected options.<br />
:'' Note: To select and unselect options move your cursor over the option and press the space bar.<br />
* Choose that yes you want to install GRUB to the master boot record on the ''/dev/sda'' device.<br />
<li>Complete the installation</li><br />
: When the installation is complete you can select continue to "eject" the virtual CD and reboot into the new install<br />
</ol><br />
<br />
==Installing sudo and Checking Your IP Address==<br />
'''''[https://www.youtube.com/watch?v=TwXp5YfAvlw&feature=youtu.be Video Tutorial - Installing sudo and checking your IP address]'''''<br />
<ol><br />
<li>Log in to NetLab</li><br />
: Login through the Netlab local console with your root account and password (username ''root'', password as set during the installation)<br />
:'' Note: When entering a password on the command line of a Linux system it is normal that nothing should appear and the cursor will not move when you are typing. This prevents someone who is able to see your computer screen from seeing what your password is or even how long it is. Just type your password and trust that the system is receiving it, press enter to submit your password.<br />
<li>Install '''sudo''' from the command line using:<br />
: ''Note: A good practice is to update your system before installing any packages, this should be completed using '''apt update''', ensure to use '''sudo''' when not logged in as root.<br />
: <code>apt update</code><br />
: <code>apt install sudo</code></li><br />
: For security purposes it is usually the case that you do not want to log in as the root user. Instead, best practice is to log in as a standard user and then execute specific commands that require root access with administrative privileges through the '''sudo''' program. The '''sudo''' program is not installed by default so after you have logged in to the root account enter '''apt update''' and press enter which will update the list of software available for installation and then '''apt install sudo''' and press enter to install the sudo software.<br />
<li>Add sudo privileges to our standard user account.<br />
<code>adduser <username> sudo</code></li><br />
: We now need to add our standard user account to the group which is allowed to have administrative access to do this enter the command '''sudo adduser ''<username>'' sudo''' and press enter, replacing ''<username>'' with the name of your standard user account (set during the setup process, probably your first name in lowercase). We'll learn more about these commands later in the course.<br />
<li>Reboot system</li><br />
<code>shutdown -r now</code><br />
: Reboot your system using the '''shutdown -r now''' command to apply the changes<br />
<li>Log in as your standard user account, determine system IP address.<br />
: Once you are logged in use the following command at the command line to determine the IP address of your system<br />
<code>ip address show</code></li><br />
: Using the '''ip address show''' command will allow you to check the IP address of your system. The IP address should be something like ''172.17.50.xxx'' and be an ''inet'' address on the ''ens192'' adapter.<br />
[[File:Lab1_ip_address_show2.PNG|500px]]<br />
<li>Test sudo privileges</li><br />
: Try running the same command as the administrator by typing '''sudo ip address show''', you will need to enter in your password again when you run this command.<br />
<code>sudo ip address show</code><br />
<li>Exit from the local console</li><br />
: To log out of the console type '''exit''' and press enter.<br />
</ol><br />
<br />
==Logging in to a Remote Terminal==<br />
'''''[https://www.youtube.com/watch?v=JEiDkrlPMNw&feature=youtu.be Video Tutorial - Logging into a remote terminal]'''''<br />
<br />
A faster way to interact with your system is not through the Netlab local console but through a remote SSH session over the network directly to your server. Once you have mastered this you will be able to copy and paste text to your Linux server and will not need to make a reservation in Netlab to work on labs. For our purposes you will always need to connect to the ITCnet VPN before doing this so that you have access to the 172.17.50.0 network.<br />
<ol><br />
<li>Install Putty</li><br />
: Assuming you are running Windows, install the PuTTY software on your home PC from [http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html this website].<br />
: '' Note: For other operating systems there are other ways and software you can use to make an SSH connection, you will need to research what tools are used for making SSH connections from your particular operating system.<br />
<li>Open an SSH session</li><br />
:* Run the PuTTY software on your computer and enter in the IP address of your VM in the "Host Name" box and click the "Open" button.<br />
:[[File:Lab1_putty.png|link=https://wiki.ihitc.net/mediawiki/images/f/f5/Lab1_putty.png|500px]]<br />
:[[Media:Lab1_putty.png| Click here for larger image]]<br />
:* Click Yes to save the host key on your system<br />
: [[File:Lab1_puttycert.png|link=https://wiki.ihitc.net/mediawiki/images/4/4b/Lab1_puttycert.png|500px]]<br />
: [[Media:Lab1_puttycert.png|Click here for larger image]]<br />
:* Enter the standard username and password for your Linux system to connect.<br />
: '' Note: You should receive a prompt just like the one you had on the Netlab local console but it is now a direct connection from your computer over the ITCnet to your server.<br />
<li>Close the SSH session</li><br />
: Type '''exit''' to close the connection while leaving your VM running.<br />
</ol><br />
<br />
==Remote File Transfer==<br />
'''''[https://www.youtube.com/watch?v=JEiDkrlPMNw&feature=youtu.be Video Tutorial - Remote File Transfer]'''''<br />
<br />
The easiest way to transfer files to and from your VM is with SFTP software. For our purposes, you will always need to connect to the ITCnet VPN before doing this so that you have access to the 172.17.50.0 network.<br />
<ol><br />
<li>Install FileZilla</li><br />
: Install the FileZilla client software on your home PC from [https://filezilla-project.org/download.php?type=client this website]<br />
<li>Open a SFTP session to your server</li><br />
: Run FileZilla and use the Quick Connect bar at the top of the screen to access your system. <br />
:* Enter the IP address of your Linux system in the "Host:" box<br />
:* Enter your standard username and password in the appropriate boxes<br />
:* Enter ''22'' in the "Port:" box<br />
:* Click the "Quickconnect" button.<br />
: [[File:Lab1_filezillanew.png|link=https://wiki.ihitc.net/mediawiki/images/b/b1/Lab1_filezillanew.png|500px]]<br />
: [[Media:Lab1_filezillanew.png|Click here for larger image]]<br />
: You should see some connection text scroll on the top of the screen and some files on the right side of the screen now such as ''.bashrc'' and ''.profile'' The right side of the screen is the drive on your Linux system and the left side of the screen is the drive on your home system. Files and folders can be dragged between the two sides to transfer them back and forth.<br />
: [[File:Lab1_filezillaconnected.png|link=https://wiki.ihitc.net/mediawiki/images/c/ca/Lab1_filezillaconnected.png|500px]]<br />
: [[Media:Lab1_filezillaconnected.png|Click here for larger image]]<br />
<li>Close the FileZilla software to disconnect.</li><br />
</ol><br />
<br />
==Install VM Tools==<br />
'''''[https://www.youtube.com/watch?v=gLC1liwVJ8s&feature=youtu.be Video Tutorial - Install VM Tools]'''''<br />
: Because your Debian Linux server is running as a virtual machine on a vmWare host system in order to achieve the best performance and driver integration we should install the vmWare Tools software package in your virtual machine.<br />
<ol><br />
<li>Open a SSH session to your server</li><br />
: Connect into your system using the remote SSH console method explained above.<br />
<li>Install '''open-vm-tools'''</li><br />
: Run the '''sudo apt install open-vm-tools''' command to install the vmWare Tools. You will be prompted about several additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
<code>sudo apt install open-vm-tools</code><br />
</ol><br />
<br />
==Install Python==<br />
In order to check your work in the labs of this course you will need to have an application called [https://www.python.org/ Python] installed on your Linux system.<br />
<ol><br />
<li> Download ''python3'' using '''apt'''</li><br />
* When prompted type Y to install the app and its dependencies</li><br />
<ul>''NOTE: This may take a while.''</ul><br />
* When prompted to specify the name of the host where the TANGO database server is running, just select ok.</li><br />
<ul> [[File:Python_tango.png|link=https://wiki.ihitc.net/mediawiki/images/4/4c/Python_tango.png|500px]]</ul><br />
<ul> [[Media:Python_tango.png | Click for Larger Image]]</ul><br />
<li> Run the following command to verify that python version 3.6 is installed.</li><br />
<code>python3 --version</code><br />
<ul> [[File:Python_version.png|link=https://wiki.ihitc.net/mediawiki/images/7/70/Python_version.png|500px]]</ul><br />
<ul> [[Media:Python_version.png | Click for Larger Image]]</ul><br />
</ol><br />
<br />
==Install Nmap==<br />
:Nmap is a tool we will learn more about later in the course but it will likely be used to check many of the labs for completion while working through the course. This course's labwork often builds upon the work you have done in previous labs. The self-check scripts are to assist you in ensuring you have not missed any ''critical'' steps in your work that would affect your success in subsequent labs.<br />
<br />
:* ''NOTE: Before we begin the installation of this tool it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning of systems which they are not authorized to do. You have been warned!<br />
:*At this time all you will be doing is installing the tool as it will be used to self-check your lab work to verify you are ready to move on to the next lab.<br />
<ol><br />
<li>Open a SSH session to your server</li><br />
: Run the following command at the command line.<br />
<code>sudo apt install nmap</code><br />
: Run the '''sudo apt install nmap''' command to install the nmap tool. You will be prompted about additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
</ol><br />
<br />
==Install Curl==<br />
:Curl is a tool that lets you run scripts that are not saved to your virtual machine. It will be used to check the labs for completion while working through the course. <br />
<ol><br />
<li> Run the following command at the command line. </li><br />
<code>sudo apt install curl</code><br />
: If prompted to install additional packages type "y"<br />
<br />
<li>Close the SSH session</li><br />
: Type '''exit''' to close the connection while leaving your VM running.<br />
</ol><br />
<br />
==Safely Shutdown==<br />
'''''[https://www.youtube.com/watch?v=gLC1liwVJ8s&feature=youtu.be Video Tutorial - Safely Shutdown]'''''<br />
:We will normally leave our VM running but it is important that you know how to shutdown a Linux system correctly so this time we'll turn it off.<br />
<ol><br />
<li>Open a SSH session to your server</li><br />
: Connect in to your system using the remote SSH console method explained above.<br />
<li> Safely shutdown you server</li><br />
:* Run the '''sudo shutdown -h now''' at the command line to safely shutdown the system.<br />
<code>sudo shutdown -h now</code><br />
: You should soon get a message that PuTTY has lost it's connection. Click OK and then you can close the PuTTY window.<br />
<li>End NetLab Reservation</li><br />
: If you still have time left in your reservation in Netlab it's polite to end the reservation so other users can work on the system, only a limited number of reservations can be made at one time. You can do this by logging into Netlab, opening your lab, and clicking the "Reservation" menu at the top of the screen and choose to "End Reservation Now" followed by confirming that you want to end the reservation.<br />
</ol><br />
<br />
=Checking your Work=<br />
<ol><br />
<li> Testing your work goes here</li><br />
<code> Commands to use</code><br />
<ul> Description of what you should see</ul><br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_9_mnjk&diff=9526Lab 9 mnjk2021-02-23T01:55:38Z<p>JonQuinn: /* Install the Postfix MTA */</p>
<hr />
<div>=Introduction=<br />
<br />
In this lab you will perform the following tasks:<br />
*Install a basic email server <br />
*Install Courier MDA software<br />
*Learn how to allow remote users to send mail<br />
<br><br />
You will be introduced to the following commands:<br />
*'''[https://linux.die.net/man/1/telnet telnet]'''<br />
<br><br />
This lab assumes that you know the IP address of your Linux system and are connected to the ITCnet VPN network. Additionally, this lab assumes that you have completed the Bind DNS and have created a MX record that directs mail to your mail server. <br />
*[[Lab_8_mnjk#Install_BIND_&_Enable_Caching | Installing Bind]]<br />
*[[Lab_8_mnjk#Adding_a_Delegated_Domain | Creating a MX record in DNS]]<br />
<br />
=Lab Procedure=<br />
== Prerequisites ==<br />
# Open an SSH console to your Linux system using the PuTTY software, login with your standard user account<br />
# Make sure that webmin is installed on your system. <br />
# Get the username and domain name of someone else's system in the class who you can send mail to<br />
# This lab requires that you have appropriate domain name records (at least a correct A and MX record) for your system working from the DNS lab before things will work.<br />
<br />
== Install the Postfix MTA ==<br />
'''''[https://www.youtube.com/watch?v=6VsgO5695Z4&feature=youtu.be Video Tutorial - Install Postfix MTA]'''''<br />
<ol><br />
<li> Use a package manager to install the ''postfix'' package.<br />
* During the installation process select ''Internet Site'' as the type of mail server and set the domain name to ''*.itc2480.campus.ihitc.net'' where * is the hostname letter of your system.</li><br />
: MTA software listens for incoming connections from other MTA servers on port 25 and accepts mail on behalf of users on the system. Once the mail is received it is stored locally for users to retrieve. The most common methods for storing messages is in an .mbox file, where all messages are stored in a single file, or in a Maildir, which is a directory where each message is stored in a separate file. The MTA also listens for connections from client software (MUA) and accepts outbound messages from them and forwards them on to the destination domain's mail server. Advanced configuration of MTA software can allow for anti-spam filtering, mailing list support or other programs to intercept and manipulate mail as it passes through the server.<br />
<li>Test the connection an verify the port is open</li><br />
:* Use Telnet to connect to the Postfix SMTP server on port 25: '''telnet localhost 25'''<br />
: [[File:Lab9_open_telnet.png|link=https://wiki.ihitc.net/mediawiki/images/1/10/Lab9_open_telnet.png|500px]]<br />
: [[Media:Lab9_open_telnet.png | Click here for larger image]]<br />
:* Type '''quit''' and press enter after verifying Postfix is running.<br />
<br />
<li>Configure Maildir</li><br />
: Because the Courier IMAP and POP3 server software only supports Maildir style message stores and Postfix stores in mbox files by default you must edit the ''/etc/postfix/main.cf'' file to fix this. <br />
:* Add the line <br />
:<pre>home_mailbox = Maildir/</pre> <br />
: Edit or add the ''mailbox_command'' parameter so there is nothing on the line after the equals sign, delete the portion of the line referencing procmail if it exists. The line should look like: <br />
:<pre>mailbox_command = </pre><br />
<li> Restart the ''postfix'' service to apply your change. Postfix is now saving new incoming messages into the Maildir folder inside each user's home directory. This folder is automatically created by Postfix the first time a new message comes in for a user.</li><br />
<li> Set your shell to recognize the maildir as your mail location</li><br />
:* Edit the ''/etc/login.defs'' file and comment out the ''MAIL_DIR /var/mail'' line (place a # in front of the line) and add a line setting ''MAIL_FILE'' like this:<br />
<pre><br />
#MAIL_DIR /var/mail<br />
MAIL_FILE Maildir/<br />
</pre><br />
:* Edit the ''/etc/pam.d/login'' file, find and comment out the ''session optional pam_mail.so standard'' line (place a # in front of the line) and add a line like this immediately below it:<br />
<pre><br />
#session optional pam_mail.so standard<br />
session optional pam_mail.so dir=~/Maildir standard<br />
</pre><br />
:* Edit the ''/etc/pam.d/su'' file, find and comment out the ''session optional pam_mail.so nopen'' line (place a # in front of the line) and add a line like this immediately below it:<br />
<pre><br />
#session optional pam_mail.so nopen<br />
session optional pam_mail.so dir=~/Maildir nopen<br />
</pre><br />
:* Edit the ''/etc/pam.d/sshd'' file, find and comment out the ''session optional pam_mail.so standard noenv'' line (place a # in front of the line) and add a line like this immediately below it:<br />
<pre><br />
#session optional pam_mail.so standard noenv<br />
session optional pam_mail.so dir=~/Maildir standard<br />
</pre><br />
:* Edit the ''/etc/profile'' file and at the end of the file add the line: <pre>export MAIL=~/Maildir</pre></li><br />
<li> Test sending and receiving mail as a locally logged on user.</li><br />
<br />
:* Install the ''mailutils'' package.</li><br />
:* Try sending a message (replace username with your username): <pre>echo "This is my message" | mail -s "Email Subject" username@localhost</pre><br />
:* Log out of your SSH session and open a new SSH session to apply the changes to the ''/etc/profile'' and ''/etc/login.defs'' files.<br />
:* Check to see if the message was received using the '''mail''' command, press ''q'' to return to the command line.<br />
:[[File:Lab9_cli_send_mail.png|link=https://wiki.ihitc.net/mediawiki/images/4/4f/Lab9_cli_send_mail.png|500px]]<br />
:[[Media:Lab9_cli_send_mail.png|Click here for a larger image]]<br />
: You should also be able to see the message in ''~/Maildir/'' in either the ''new/'' or ''cur/'' directory depending on whether you have viewed the message list yet or not. In either case, the message will appear as a text file with a random-looking name. It's just a text file so you can use '''cat''' or '''less''' to view it.<br />
<li> Create Aliases </li><br />
: You can create aliases and forward mail between users by editing the ''/etc/aliases'' file and then running the '''newaliases''' program. <br />
:* Create an "alias" for ''sysadmin'' which forwards mail sent to sysadmin@localhost to your username <br />
:* Send a copy of all mail to the ''root'' account to your username <br />
<br />
: Now would be a good time to try logging on to Webmin again, re-scanning for modules and then taking a look at the Postfix module in the ''Servers'' section.<br />
<li>Explore the mail log file</li><br />
: Take a look at your ''/var/log/mail.info'' log to see Postfix sending and receiving messages for users.<br />
</ol><br />
<br />
== Install Courier MDA ==<br />
'''''[https://www.youtube.com/watch?v=uvZlSiQHlxs&feature=youtu.be Video Tutorial - Install Courier MDA]'''''<br />
<ol><br />
<li>Install required courier packages </li><br />
: Most users prefer to retrieve mail from a mail server using an MDA protocol like POP3 or IMAP which can be provided by the Courier programs. Install the ''courier-pop'', ''courier-imap'', and ''fam'' packages.<br />
:* Do not create the directories for web-based administration as they are unneeded for our setup<br />
: Local users accessing their mailbox with MUA software can read and write to the .mbox file or Maildir directly. If a user not locally logged on to the system wants to access their mailbox the server runs MDA software which typically uses the POP3 or IMAP protocol for accessing the .mbox file or Maildir remotely.<br />
<br />
<li> Install MUA Client on remote system</li><br />
:*Install an email client (MUA) on your host (home) system such as [http://www.mozilla.org/en-US/thunderbird/ Mozilla Thunderbird]<br />
:* Setup two user accounts in your MUA, the usernames and passwords should be the same as users and their passwords on your system. Use ''IMAP'' as the protocol for retrieving mail. The email address for each should be ''username@*.itc2480.campus.ihitc.net'' where the * is replaced by the host letter of your system. You can verify the IMAP and SMTP settings that are detected, both server addresses should be ''*.itc2480.campus.ihitc.net'' where the * is replaced by the host letter of your system.<br />
:'' NOTE: The first time you check messages and the first time you send messages to your server from Thunderbird you will need to accept an invalid security certificate in the Thunderbird window.<br />
:[[File:Lab9_thunderbird_cert.png|link=https://wiki.ihitc.net/mediawiki/images/9/9a/Lab9_thunderbird_cert.png|500px]]<br />
:[[Media:Lab9_thunderbird_cert.png|Click here for a larger image]]<br />
:'' NOTE: To see the ''Tools'' menu with the ''Account Settings'' window in recent versions of Thunderbird (where you can add more accounts) you need to press ALT-F and then the menu bar will temporarily appear.<br />
:[[File:Lab9_thunderbird_menu.png|link=https://wiki.ihitc.net/mediawiki/images/6/60/Lab9_thunderbird_menu.png|500px]]<br />
:[[Media:Lab9_thunderbird_menu.png|Click here for a larger image]]<br />
<li>Send mail between local users</li><br />
:* Try sending a message from one user to the other user by sending a message to the other account like ''username@localhost'' Verify that you can receive and read the messages.<br />
:* Note: If a user has not yet received any mail Postfix has not created a Maildir for the user and the Courier software will send an error to the client software. Use the mail program explained above to send some mail to the user, see that the ''~/Maildir'' is then created and try retrieving the messages again with your MUA.<br />
</ol><br />
<br />
== Allow Remote Users to Send Mail ==<br />
'''''[https://www.youtube.com/watch?v=0qh3mCMIzn4&feature=youtu.be Video tutorial - Allow Remote Users to Send Mail]'''''<br />
<ol><br />
<li>Testing SMTP mail to another domain</li><br />
:* Try setting up your MUA software to send mail by creating an SMTP server entry and sending an email to ''anotheruser@localhost'' This should work because localhost is your own server but if you try sending email to ''someuser@somedomain.com'' like ''root@ben.itc2480.campus.ihitc.net'' that will fail.<br />
: The problem is you don't want just anyone to send mail through your mailserver (we did allow this in the olden days) because a spammer could then use your server to send mail worldwide and it would all trace back to the IP of your server, we call servers setup like this "open relays" because they relay mail for anyone and they are generally considered very bad practice and can get your mailserver on lists of servers to ignore all messages from. There are a number of ways to solve this. By default Postfix will only allow mail relaying from computers on the same network (based on IP) as set in the ''/etc/postfix/main.cf'' ''mynetworks'' parameter but this is inconvenient for remote users as you would need to know the remote IP address they are connecting from. The SASL protocol allows users to authenticate with a username and password before sending mail and then relay messages are accepted from them.<br />
<li>Configure Simple Autherntication and Security Layer - SASL</li><br />
:* See if you can follow [https://wiki.debian.org/PostfixAndSASL these instructions] for setting up SASL with Postfix.<br />
:'' Note: You do NOT need to setup TLS to support SASL (more on that in the additional considerations section below)<br />
<li>Test and troubleshoot SASL</li><br />
:* Modify your MUA to use a username and password when connecting to your SMTP server and try sending mail to someone else's system from your MUA using a destination address like ''root@*.itc2480.campus.ihitc.net'' where the * is replaced by the host letter of your system.<br />
:'' NOTE: You MUST actually exchange messages with someone else in the class (both sending to them and receiving from them). It is not possible to test using an outside email account of your own (you will not be able to send a message back to your server because it is behind a firewall). It is not enough to just be able to send a message to another system. It is not enough to just be able to receive a message from another user.<br />
:* Troubleshoot as needed using the mail log files on your system.<br />
</ol><br />
<br />
=Additional Considerations=<br />
Running a mailserver is tricky business. The basic server we have setup does not use valid certificates for encrypting connections meaning usernames, passwords, and mail contents are all being sent to an unverified server. This is very undesirable from a security standpoint and it would be suggested to support SSL/TLS encryption for both the MTA and MDA portions with a valid certificate purchased from a certificate authority (CA) or from a free CA like [https://letsencrypt.org/ Let's Encrypt]. In addition, you will almost certainly want spam filtering at the server. More complicated setups also use database tables for users, passwords and domains so that you can host multiple domains on a single server and have email user boxes for people who do not have local logins on the system.<br />
<br />
=Additional Resources=<br />
* [https://help.ubuntu.com/community/PostfixBasicSetupHowto Ubuntu Postfix Basic Setup]<br />
* [https://wiki.debian.org/Postfix Debian Wiki - Postfix Installation]</div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_5_mnjk&diff=9521Lab 5 mnjk2021-02-20T12:42:11Z<p>JonQuinn: /* View Logfiles */</p>
<hr />
<div>=Introduction=<br />
In this lab you will perform the following tasks:<br />
*Learn about static network configuration of Debian Linux systems<br />
*Install '''[https://www.php.net PHP]'''<br />
*Install '''[https://www.php.net MariaDB]''' on your server, this is an open-source MySQL alternative<br />
*Experiment with websites and databases<br />
*Explore the standard log files on your system.<br />
<br />
You will be introduced to the following commands:<br />
<br />
*'''[https://linux.die.net/man/8/ifup ifup]'''<br />
*'''[https://linux.die.net/man/8/ifdown ifdown]'''<br />
*'''[https://linux.die.net/man/8/ping ping]'''<br />
*'''[https://linux.die.net/man/8/shutdown shutdown]'''<br />
*'''[https://www.commandlinux.com/man-page/man8/a2dissite.8.html a2ensite]'''<br />
*'''[https://www.commandlinux.com/man-page/man8/a2dissite.8.html a2dissite]'''<br />
*'''[https://linux.die.net/man/1/wget wget]'''<br />
*'''[https://linux.die.net/man/1/zcat zcat]'''<br />
*'''[https://linux.die.net/man/8/service service]'''<br />
*'''[https://linux.die.net/man/1/tail tail]'''<br />
<br />
You will also use the following MySQL (MariaDB) commands:<br />
<br />
*'''[https://mariadb.com/kb/en/use USE]'''<br />
*'''[https://mariadb.com/kb/en/show SHOW]'''<br />
*'''[https://mariadb.com/kb/en/select SELECT]'''<br />
*'''[https://mariadb.com/kb/en/drop-database DROP database]'''<br />
<br />
=Lab Procedure=<br />
==Prerequisites==<br />
# Open an SSH console to your Linux system using the PuTTY software, login with your standard user account<br />
# Make a note of the static IP address information for your particular system in the table below, it is based on the system name identification letter in vmWare. These IP addresses will ONLY be valid in the ITC vmWare Linux class subnet. If you are working on a local VirtualBox system you will need to select an available static IP from the correct subnet for your system or skip the static IP addressing section. All vmWare systems will use a gateway address of 172.17.50.1 and a subnet mask of 255.255.255.0 with two nameservers 172.17.139.11 and 172.17.139.111<br />
{| {{table}}<br />
| align="center" style="background:#f0f0f0;"|'''System ID'''<br />
| align="center" style="background:#f0f0f0;"|'''Static IP'''<br />
|-<br />
| A||172.17.50.11<br />
|-<br />
| B||172.17.50.12<br />
|-<br />
| C||172.17.50.13<br />
|-<br />
| D||172.17.50.14<br />
|-<br />
| E||172.17.50.15<br />
|-<br />
| F||172.17.50.16<br />
|-<br />
| G||172.17.50.17<br />
|-<br />
| H||172.17.50.18<br />
|-<br />
| I||172.17.50.19<br />
|-<br />
| J||172.17.50.20<br />
|-<br />
| K||172.17.50.21<br />
|-<br />
| L||172.17.50.22<br />
|-<br />
| M||172.17.50.23<br />
|-<br />
| N||172.17.50.24<br />
|-<br />
| O||172.17.50.25<br />
|-<br />
| P||172.17.50.26<br />
|-<br />
| Q||172.17.50.27<br />
|-<br />
| R||172.17.50.28<br />
|-<br />
| S||172.17.50.29<br />
|-<br />
| T||172.17.50.30<br />
|-<br />
| U||172.17.50.31<br />
|-<br />
| V||172.17.50.32<br />
|-<br />
| W||172.17.50.33<br />
|-<br />
| X||172.17.50.34<br />
|-<br />
| Y||172.17.50.35<br />
|-<br />
| Z||172.17.50.36<br />
|}<br />
<br />
<br />
<br />
==Set a static IP==<br />
'''''[https://www.youtube.com/watch?v=VcPA6gJ0Ohw&feature=youtu.be Video Tutorial - Setting a Static IP Address]'''''<br />
<br />
: An important first step is to learn how to diferenciate between network interfaces. Take a look at [https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/ this site] and [https://github.com/systemd/systemd/blob/master/src/udev/udev-builtin-net_id.c#L20 this site] to understand how network interface names in Debian 9 and later are identified.<br />
<ol><br />
<li>Set a static IP for your server</li><br />
* Using your text editor of choice, open up the file ''/etc/network/interfaces''<br />
* Notice how it is currently set to dhcp for the ''ens192'' interface.<br />
* To set a static IP, you will need to change ''iface ens192 inet dhcp'' to ''iface ens192 inet static''.<br />
* Now, under the iface line you just edited, you will need to enter the address, netmask, and gateway for the static network.<br />
:''' Reminder: it is common practice to indent (tab) static network configuration information in the interfaces file.<br />
'' Note: Your configuration should be similar to this:<br />
<pre>allow-hotplug ens192<br />
iface ens192 inet static<br />
address xxx.xxx.xxx.xxx<br />
netmask 255.255.255.0<br />
gateway 172.17.50.1<br />
dns-nameservers 172.17.139.11 172.17.139.111</pre><br />
* Now save the file, and exit your file editor.<br />
<li>Apply your static IP address</li><br />
* Now we are going to apply the static IP change. Try using '''ip address show''' to view your active configuration now and you should see that your old address is still active.<br />
:''NOTE: You should only make network configuration changes when you have physical access to a machine. This way, if you mess up your configuration you will be able to fix it from a local console.''' If you lose working SSH access to your system after making these changes you'll need to connect in through the NetLab console interface (which is equivalent to physical access) and find and correct your configuration issues.<br />
* Using the '''ifdown''' and '''ifup''' command, we are going to restart the network interface, this step is required to apply the change.<br />
:'' Note: A good method to watch this change is to have to ping windows open on your local machine ping both your old IP address and your new IP address with a '''ping 172.17.50.xx -t''' this will allow you to see how quickly the change will happen. The first image below is with the DHCP address, the second is after the static address is applied.<br />
:[[File:Lab5_ping_ifup_ifdown.png|link=https://wiki.ihitc.net/mediawiki/images/2/2f/Lab5_ping_ifup_ifdown.png|500px]]<br />
:[[Media:Lab5_ping_ifup_ifdown.png|Click here for a larger image]]<br />
* In a SSH terminal, run '''sudo ifdown ens192 && sudo ifup ens192'''. Notice the two ''&&'' symbols. This tells the Linux shell that it should run the second command right after the first. If we do not define this, then we would be left with a machine that has its networking turned off.<br />
: <code>sudo ifdown ens192 && sudo ifup ens192</code><br />
'' Note: you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
* At this point, your machine should now be using a static address. You may receive an error message indicating that an address cannot be assigned which is related to your old DHCP address still being on the interface as well. Use '''ip address show''' to verify the new IP address is assigned to the interface.<br />
<li>Verify the new static IP address</li><br />
* Used a '''ping''' command from your local PC to try pinging both the old DHCP address as well as your new static address of your VM. <br />
* Once you have verified the VM is responding on the new static IP address reboot the system to ensure the old DHCP address is removed by restarting your VM with '''sudo shutdown -r now''' Note you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
<li>Reconnect through SSH to your new IP address and verify it is now applied using the '''ip address show''' command.</li><br />
</ol><br />
<br />
==Install PHP & MySQL/MariaDB==<br />
<br />
'''''[https://www.youtube.com/watch?v=Az0qtg4LSjA&feature=youtu.be Video Tutorial - Install PHP and MySQL MariaDB]'''''<br />
<ol><br />
<li>Install packages</li><br />
:* Using '''apt''', install the ''php'' and ''mariadb-server'' packages as well as the ''php-mysql'' package which provides the link between php and mysql and the ''libapache2-mod-php'' package which provides a copy of PHP which allows the Apache webserver to run website PHP scripts.<br />
'' Note: Remember to do an '''apt update''' before installing packages to make sure you get the latest versions<br />
'' Note: Maria-DB is a fully compatible replacement for MySQL that isn't controlled by Oracle.<br />
* After the dependencies are found, go ahead and accept them to continue the install.<br />
<li> After the install is complete, '''cd''' to ''/var/www/html'' which is the root directory of your webserver and so where all website files are served from.</li><br />
<li> In order to fully enable the PHP-MySQL module you should restart your Apache webserver. You don't need to restart your entire system to do this. Do some research on the "apache2ctl" or the "service apache2" commands which can be used to do this.<br />
<li> At this point we will test to verify that php is working properly with Apache. Create a new file named ''phptest.php'', and then open it in a text editor.</li><br />
: '' Note: you may have to use sudo to create and edit files in this directory. as your standard user account may not have privilidges to create and edit files in this directory.<br />
:<code>sudo touch phptest.php</code><br />
:<code>sudo nano phptest.php</code><br />
<li>Enter the following into the file:<br />
<pre><?php<br />
phpinfo();<br />
?></pre></li><br />
<li>Now save the file, and on your local machine go to xxx.xxx.xxx.xxx/phptest.php in a web browser where xxx.xxx.xxx.xxx is your VM's static IP. You should now be on a page that shows your PHP Version, and system information.</li> <br />
:[[File:Lab5_php_info.png|500px]]<br />
:[[Media:Lab5_php_info.png|Click here for a larger image]]<br />
<li>Use the "View Source" option in your browser to see what the HTML source code is for the page you're viewing is. Is it the same or different than the .php file you created? Why? How is this different than a standard .html file?</li><br />
:[[File:Lab5_php_info_devtab.png|500px]]<br />
:[[Media:Lab5_php_info_devtab.png|Click here for a larger image]]<br />
</ol><br />
<br />
==Experiment with Website PHP==<br />
<br />
'''''[https://www.youtube.com/watch?v=m_sUrt_quX4&feature=youtu.be Video Tutorial - Experiment with Website PHP]'''''<br />
<ol><br />
<li> Explore Apache symlinks</li><br />
:In a previous lab we learned about editing the ''/var/www/index.html'' file to change the default web page displayed by your server. In a future lab you will install some PHP/MySQL based software which powers many Internet sites with forums, blogs, etc. Before we can do that we need to learn a little more about PHP and about databases. Like most software on Linux the Apache webserver configuration files are stored in the ''/etc'' directory. Specifically, you can find several of them which work together and are called from each other in ''/etc/apache2/'' take a look in the ''/etc/apache2/sites-enabled/'' directory. See how symlinks are used to point to configuration files which actually reside in the ''/etc/apache2/sites-available/'' directory? This allows us to turn off and on various sites by creating or removing a symlink rather than by deleting the actual configuration file, a handy thing if we just want to temporarily disable a site. In fact Apache provides a utility to automatically add and remove these links called '''a2ensite''' and '''a2dissite'''. Check the '''man''' pages for these commands to see how they work.<br />
<li>Explore '''/etc/apche2/sites-enabled'''</li><br />
:As you might have guessed the default site for your system is configured by the file linked to at ''/etc/apache2/sites-enabled/000-default'' If you open this file in your favorite text editor you will see a series of what Apache calls "directives" which explain how the webserver should function, what port it should listen on, where the website files will reside (''/var/www/html''), etc. <br />
:'' NOTE: Going into all of the different Apache directives is outside of the scope of this course but you will find a lot of documentation about them on the Internet.<br />
<li>Explore the Apache configuration files in Webmin</li><br />
:In addition to configuring Apache directly through it's configuration files you can also configure it through an interface like Webmin which we installed in a previous lab. Bring up the Webmin configuration page for Apache and take a look at the settings for the default site. Note how the things you saw directly in the configuration file match up with what you see in Webmin. One of the things you may be interested in seeing is how the webserver knows to display the index.html file from a directory if it exists and no specific file is requested in the URL. Take a look on the "Directory Indexing" page for the default virtualhost and see if you can find this information. You'll notice that there is a list of files, not just index.html which the server will display.<br />
:'' NOTE: You may need to refresh your Webmin modules or "scan for new modules" if you haven't done that since installing Apache and Webmin. Webmin scans your system for compatible server software packages (like Apache) when it is installed but needs to re-scan it's modules after you install new server software before you can configure it through Webmin.<br />
<li>Expiriment with and learn PHP basics</li><br />
:In another section of this lab you created a basic ''phptest.php'' file and saw how the server executed the PHP code and turned it into an HTML page your browser could display. Because PHP offers an easy way to write web applications it powers much of the Internet. To prepare us for setting up some PHP applications in a future lab it will be helpful to know a little about how PHP scripts work. Read through the [http://www.w3schools.com/php/default.asp W3 Schools PHP Basics Tutorial] (PHP Intro through PHP Superglobals) and try creating some PHP scripts on your own Linux server like the examples given in the tutorial pages to see if you can get them to run, try modifying them a little bit and see what the results are. There are many great Internet resources devoted to understanding how to do things with PHP so take some time to see how this language can be easily integrated in websites. You should definitely be familiar with editing PHP files to change variables, echo statements, etc. work which are all skills you'll need when installing PHP based website software.<br />
<li>Create your own PHP files</li><br />
:*Try writing some simple PHP scripts on your own using variables and echo statements and make them available through your webserver.<br />
:*A good place to create these would be in your home directory, using your favorite text editor.<br />
<li>Create your own "home" page by editing your ''index.html'' file located in the '''/var/www/html''' directory.</li><br />
:''NOTE: You will need to be familiar with the very basics of editing HTML files in order to create links, etc. If you haven't done this before there are many introductory HTML tutorials available online. A good starting place is [https://www.w3schools.com/html/html_basic.asp W3 Schools HTML Basics Examples]<br />
:'' NOTE:It is importatnt to know that an '''html''' file must include the <!DOCTYPE HTML> tag. Additionally, you will notice that all tags have an opening tag and a closing tag. The information between the tags is what will have the features of the tag<br />
:*Backup your ''index.html'' file by copying to a new file name.<br />
:<code>sudo cp /var/www/html/index.html /var/www/html/index.html.bak</code><br />
:*Edit your ''index.html'' file (or create a new ''index.php'' file which will be loaded instead if it exists) so there is a list and links to the various scripts you have created as part of your PHP experimentation.<br />
:* Open your index.html file in your favorite text editor,<br />
:<code>sudo nano /var/www/html/index.html</code><br />
:*Since you have backed up the original index.html file I would edit this file to only include the basics.<br />
<pre> <br />
<!DOCTYPE HTML><br />
<html><br />
<body><br />
<h1>My ITC-2480 Server</h1><br />
<p>This is a server on Pod-R in NetLab at 172.17.50.XX</p><br />
<br><br />
<p>Here are some of the Projects I am working on:</p><br />
<a href="http://172.17.50.XX/phptest.php">PHP Version Information</a><br />
</body><br />
</html><br />
</pre><br />
:'' NOTE: Make sure to replace the XX in the IP with the IP address of your server.<br />
:<br />
:[[File:Lab5_basic_html.png|link=https://wiki.ihitc.net/mediawiki/images/2/29/Lab5_basic_html.png|500px]]<br />
:[[Media:Lab5_basic_html.png|Click here for a larger image]]<br />
:A first look for a basic page<br />
:[[File:Lab5_initial_home.png|link=https://wiki.ihitc.net/mediawiki/images/9/92/Lab5_initial_home.png|500px]]<br />
:[[Media:Lab5_initial_home.png|Click for a larger image]]<br />
<li>Try to add additional features to your "home" page.</li><br />
:''NOTE: You may get some ideas of features you might like to add by looking at the original ''index.html'' file that we backed up in step 6 of this lab.<br />
:*As you complete your labs consider what you can add to this page.<br />
:*Add links to the PHP scripts you created<br />
:*A few good chalanges would be to add a title, change font size, style or color.<br />
<br />
</ol><br />
<br />
==Experiment with Databases==<br />
<br />
'''''[https://www.youtube.com/watch?v=1zYXiWLoGdM&feature=youtu.be Video Tutorial - Experiment with Databases]'''''<br />
<ol><br />
: In order to do really powerful things with a website we need a database where we can store dynamic content which can be queried to automatically build site pages from a template. One of the most common databases is an SQL database, and MySQL has long been the most prevalent Linux SQL software. These days MariaDB, which we installed, has been taking some MySQL marketshare because it is a community developed program instead of MySQL which is now owned by Oracle. The MariaDB software and MySQL software are essentially equivalent, especially for small sites/databases, and the same commands are used interchangeably including using the '''mysql''' command to access them. SQL itself is a standard language for interacting with a specific type of database called a relational database, we'll see why it's called a relational database in a minute. Each database is a collection of data stored in tables. You can think of a table as something like a spreadsheet with rows and columns, except we call the columns fields and the rows records (sometimes we actually call them rows too). The different tables are often related to one another, of course they are usually being used by the same web application, but usually the relationship goes deeper than that as we'll see in a little bit.<br />
<li>Download a sample database</li><br />
: To jumpstart our exploration of databases we'll download a pre-built sample database with a few tables and many records already in it and import it into our MySQL database server. Download the employees database file [https://launchpad.net/test-db/employees-db-1/1.0.6/+download/employees_db-full-1.0.6.tar.bz2 employees_db-full-1.0.6.tar.bz2] (about 26MB) and get it into your home directory. Instead of using the '''links''' browser to do this or downloading to your computer and then pushing this large file back across the Internet with an SCP/SFTP client like FileZilla a better choice might be to learn about the '''wget''' program which can be used like "'''wget https://launchpad.net/test-db/employees-db-1/1.0.6/+download/employees_db-full-1.0.6.tar.bz2'''" to download the file into your current working directory.<br />
<code>wget https://launchpad.net/test-db/employees-db-1/1.0.6/+download/employees_db-full-1.0.6.tar.bz2</code><br />
<li>Unpack the database file</li><br />
: Figure out how to use the '''tar''' program to unpack this .tar.bz2 file. Note that this file uses bz2 compression which takes longer to compress than gzip but can compress the files more. Once unpacked you should have an "employees_db" folder.<br />
<li>Explore the files included with sample database</li><br />
: Inside the ''employees_db'' folder you should have a number of ''.sql'' script files and dump files which can be used to restore the database to your system.<br />
:*Take a look at the ''employees.sql'' file, it's just a text file, which describes the format of the database. <br />
:*Also take a look at the ''load_employees.dump'' file, also just a text file, which contains all of the records from the employees table of the database. :'' NOTE: there are 300,000 some employee records in this database so you probably don't want to just use '''cat''' to view these files as it could take a while to print them out to your screen. Using the '''less''' program would be a better choice as it will allow you to exit viewing the file by pressing q at any time.<br />
<li>Open the MySQL (MariaDB) command line</li><br />
: We can interact with the MySQL/MariaDB server in many different ways. The first way we'll take a look at is through the command line '''mysql''' program. Run the "'''sudo mysql'''" command. <br />
:'' NOTE: that we are running this command with system administrator permissions which allows us to log in to the MySQL server with database administrator permissions as well. The MySQL program actually stores it's own usernames and passwords as a MySQL database itself, you can create and modify these permissions from the mysql command line but we'll learn more about modifying them through the Webmin interface later.<br />
:<code>sudo MySQL</code><br />
<br><br />
:[[File:Lab5_mariadb_cli.png|link=https://wiki.ihitc.net/mediawiki/images/4/4f/Lab5_mariadb_cli.png|500px]]<br />
:[[Media:Lab5_mariadb_cli.png|Click here for a larger image]]<br />
<li>Explore MySQL (MariaDB) Commands</li><br />
: MySQL has it's own command line language the you can use through the "mysql>" prompt you are now running. For example, if we want to see a list of databases on the system we can run "'''SHOW databases;'''" run the command and note the databases that already exist by default.<br />
<code>SHOW databases;</code><br />
:'' NOTE: Each MySQL/MariaDB statement ends with a semicolon (;) if you do not put the semicolon at the end of the line the command will not execute when you press enter and you will be able to continue to add more commands to the statement before finishing with a semicolon. If you accidentally press enter without ending with a semicolon you can just enter a semicolon on the next line and press enter.<br />
<li>Import the sample database</li><br />
: To import the employee database we can use the "'''source employees.sql;'''" command (assuming we were already working in the directory which contains the employees.sql file when we launched mysql. Import the employee database and verify the system now has an employees database.<br />
<code>SOURCE employees.sql;</code><br />
<li>Use the employees database</li><br />
<code>USE employees;</code><br />
: If we want to see all of the tables in the employees database we must first select the database we want to work on using the "'''USE employees;'''" command.<br />
<li>Explore the employee table</li><br />
: Use the "'''SHOW tables;'''" command to see a list of tables.<br />
<code>SHOW tables;</code><br />
<li>View a list of employees in table</li><br />
: To see a list of all the records in a table we need to run a SELECT query "'''SELECT * from ''<tablename>'''''" like "'''SELECT * from employees'''" which will list all the records in the ''employees'' table of the employees database and display them.<br />
<code>SELECT * from employees;</code><br />
<br><br />
:[[File:Lab5_mariadb_show_tables.png|link=https://wiki.ihitc.net/mediawiki/images/d/d5/Lab5_mariadb_show_tables.png|350px]]<br />
:[[Media:Lab5_mariadb_show_tables.png|Click here for a larger image]]<br />
:* Remember that we previously selected to USE the ''employees'' database, this will be remembered until we USE a different database. Try displaying the records in a couple of different tables like employees and departments.<br />
:'' NOTE: The output can be broken by using CTRL-C on your local machine if you do not wish to wait for all of the records to be displayed.<br />
:<br />
: There is much more that we can do from the MySQL/MariaDB command line but that would be a whole class or more itself. The MySQL/MariaDB programs are well documented on the Internet and with these basic skills you should be able to figure out most of it. Remember, the vast majority of what you read about MySQL will also work in MariaDB and vice-versa.<br />
<li>Explore the MySQL interface in Webmin<br />
: Now that you have learned a bit about MySQL databases from the command line let's see how they look in the Webmin web management interface. Log back in to your Webmin interface through a browser on your host system.<br />
:* Because MySQL was not installed when we first setup Webmin you need to "scan for new modules" first. Once that process has finished refresh the page to see that MySQL has been added to the server section of Webmin.<br />
:* Take a look at the Webmin MySQL module and see how MySQL users and permissions are configured.<br />
:* Try browsing through the ''employees'' database using the Webmin interface including viewing tables and records inside of the tables.<br />
<li>Drop database and exit MySQL (MariaDB)</li><br />
:* Go back to your MySQL command line window and run the command "'''DROP DATABASE employees;'''" to delete the entire database.<br />
:* Type "'''exit;'''" to quit the MySQL program and return to a Linux shell.<br />
<br />
:'' NOTE: Obviously, the DROP command is one to be careful with as you can easily wipe out a huge database with one line! <br />
</ol><br />
<br />
==View Logfiles==<br />
<br />
'''''[https://www.youtube.com/watch?v=cxIOQF-eMy0&feature=youtu.be Video Tutorial - Tutorial 5 View Logfiles]'''''<br />
<br />
<ol><br />
: Linux stores most of log files in the ''/var/log'' directory so change your working directory to ''/var/log''.<br />
: Some log files are viewable by all users on the system but other log files may be restricted and you will need to use '''sudo''' to view them.<br />
<li>View last 20 lines in '''/var/log/syslog'''</li><br />
:<code>tail -20 /var/log/syslog</code><br />
:[[File:Lab5_tail.png|link=https://wiki.ihitc.net/mediawiki/images/8/88/Lab5_tail.png|500px]]<br />
:[[Media:Lab5_tail.png|Click here for a larger image]]<br />
: Linux log files are typically standard text files and can be read with standard text file utilities like cat or less. One additional utility which comes in hand is the '''tail''' program which displays the last 10 lines (by default) of a text file and which can be configured to display more or less lines using a command like '''tail -20 /var/log/syslog''' which will display the last 20 lines of the main system log file. The manual page for the '''tail''' command contains additional information like how to use the ''-f'' option to view a log in realtime (exit with Ctrl-C).<br />
<li>Save the tail output to a file</li><br />
: Often we may want to save the output from a '''tail''' command to share with others or document an issue. This can easily be done using redirection we learned in a previous lab. Experiment with how to save some tail commands. Keep in mind you may need to escalate privileges for some files to be redirected. Try the following:<br />
: <code>sudo tail -20 /var/log/syslog > logtail.txt</code><br />
<li>Explore some other log files</li><br />
: Take a look at some of the log files on your system and see what kinds of information they contain specifically you should probably look at ''syslog'', ''auth.log'', ''kern.log'', ''apache2/access.log'', and ''apache2/error.log'' <br />
:* Use the tail command to explore these logs<br />
: In order to prevent log files from completely filling your drive old log files are eventually rotated on the system and compressed and then finally deleted. Take a look at some of the rotated log files like ''/var/log/syslog.1'' or ''/var/log/kern.log.1'' which will contain slightly older log entries.<br />
:'' Note: After the first rotated file other files are usually compressed with gzip. You can decompress and view these on the fly using the '''zcat''' program.<br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_5_mnjk&diff=9520Lab 5 mnjk2021-02-20T12:40:03Z<p>JonQuinn: /* View Logfiles */</p>
<hr />
<div>=Introduction=<br />
In this lab you will perform the following tasks:<br />
*Learn about static network configuration of Debian Linux systems<br />
*Install '''[https://www.php.net PHP]'''<br />
*Install '''[https://www.php.net MariaDB]''' on your server, this is an open-source MySQL alternative<br />
*Experiment with websites and databases<br />
*Explore the standard log files on your system.<br />
<br />
You will be introduced to the following commands:<br />
<br />
*'''[https://linux.die.net/man/8/ifup ifup]'''<br />
*'''[https://linux.die.net/man/8/ifdown ifdown]'''<br />
*'''[https://linux.die.net/man/8/ping ping]'''<br />
*'''[https://linux.die.net/man/8/shutdown shutdown]'''<br />
*'''[https://www.commandlinux.com/man-page/man8/a2dissite.8.html a2ensite]'''<br />
*'''[https://www.commandlinux.com/man-page/man8/a2dissite.8.html a2dissite]'''<br />
*'''[https://linux.die.net/man/1/wget wget]'''<br />
*'''[https://linux.die.net/man/1/zcat zcat]'''<br />
*'''[https://linux.die.net/man/8/service service]'''<br />
*'''[https://linux.die.net/man/1/tail tail]'''<br />
<br />
You will also use the following MySQL (MariaDB) commands:<br />
<br />
*'''[https://mariadb.com/kb/en/use USE]'''<br />
*'''[https://mariadb.com/kb/en/show SHOW]'''<br />
*'''[https://mariadb.com/kb/en/select SELECT]'''<br />
*'''[https://mariadb.com/kb/en/drop-database DROP database]'''<br />
<br />
=Lab Procedure=<br />
==Prerequisites==<br />
# Open an SSH console to your Linux system using the PuTTY software, login with your standard user account<br />
# Make a note of the static IP address information for your particular system in the table below, it is based on the system name identification letter in vmWare. These IP addresses will ONLY be valid in the ITC vmWare Linux class subnet. If you are working on a local VirtualBox system you will need to select an available static IP from the correct subnet for your system or skip the static IP addressing section. All vmWare systems will use a gateway address of 172.17.50.1 and a subnet mask of 255.255.255.0 with two nameservers 172.17.139.11 and 172.17.139.111<br />
{| {{table}}<br />
| align="center" style="background:#f0f0f0;"|'''System ID'''<br />
| align="center" style="background:#f0f0f0;"|'''Static IP'''<br />
|-<br />
| A||172.17.50.11<br />
|-<br />
| B||172.17.50.12<br />
|-<br />
| C||172.17.50.13<br />
|-<br />
| D||172.17.50.14<br />
|-<br />
| E||172.17.50.15<br />
|-<br />
| F||172.17.50.16<br />
|-<br />
| G||172.17.50.17<br />
|-<br />
| H||172.17.50.18<br />
|-<br />
| I||172.17.50.19<br />
|-<br />
| J||172.17.50.20<br />
|-<br />
| K||172.17.50.21<br />
|-<br />
| L||172.17.50.22<br />
|-<br />
| M||172.17.50.23<br />
|-<br />
| N||172.17.50.24<br />
|-<br />
| O||172.17.50.25<br />
|-<br />
| P||172.17.50.26<br />
|-<br />
| Q||172.17.50.27<br />
|-<br />
| R||172.17.50.28<br />
|-<br />
| S||172.17.50.29<br />
|-<br />
| T||172.17.50.30<br />
|-<br />
| U||172.17.50.31<br />
|-<br />
| V||172.17.50.32<br />
|-<br />
| W||172.17.50.33<br />
|-<br />
| X||172.17.50.34<br />
|-<br />
| Y||172.17.50.35<br />
|-<br />
| Z||172.17.50.36<br />
|}<br />
<br />
<br />
<br />
==Set a static IP==<br />
'''''[https://www.youtube.com/watch?v=VcPA6gJ0Ohw&feature=youtu.be Video Tutorial - Setting a Static IP Address]'''''<br />
<br />
: An important first step is to learn how to diferenciate between network interfaces. Take a look at [https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/ this site] and [https://github.com/systemd/systemd/blob/master/src/udev/udev-builtin-net_id.c#L20 this site] to understand how network interface names in Debian 9 and later are identified.<br />
<ol><br />
<li>Set a static IP for your server</li><br />
* Using your text editor of choice, open up the file ''/etc/network/interfaces''<br />
* Notice how it is currently set to dhcp for the ''ens192'' interface.<br />
* To set a static IP, you will need to change ''iface ens192 inet dhcp'' to ''iface ens192 inet static''.<br />
* Now, under the iface line you just edited, you will need to enter the address, netmask, and gateway for the static network.<br />
:''' Reminder: it is common practice to indent (tab) static network configuration information in the interfaces file.<br />
'' Note: Your configuration should be similar to this:<br />
<pre>allow-hotplug ens192<br />
iface ens192 inet static<br />
address xxx.xxx.xxx.xxx<br />
netmask 255.255.255.0<br />
gateway 172.17.50.1<br />
dns-nameservers 172.17.139.11 172.17.139.111</pre><br />
* Now save the file, and exit your file editor.<br />
<li>Apply your static IP address</li><br />
* Now we are going to apply the static IP change. Try using '''ip address show''' to view your active configuration now and you should see that your old address is still active.<br />
:''NOTE: You should only make network configuration changes when you have physical access to a machine. This way, if you mess up your configuration you will be able to fix it from a local console.''' If you lose working SSH access to your system after making these changes you'll need to connect in through the NetLab console interface (which is equivalent to physical access) and find and correct your configuration issues.<br />
* Using the '''ifdown''' and '''ifup''' command, we are going to restart the network interface, this step is required to apply the change.<br />
:'' Note: A good method to watch this change is to have to ping windows open on your local machine ping both your old IP address and your new IP address with a '''ping 172.17.50.xx -t''' this will allow you to see how quickly the change will happen. The first image below is with the DHCP address, the second is after the static address is applied.<br />
:[[File:Lab5_ping_ifup_ifdown.png|link=https://wiki.ihitc.net/mediawiki/images/2/2f/Lab5_ping_ifup_ifdown.png|500px]]<br />
:[[Media:Lab5_ping_ifup_ifdown.png|Click here for a larger image]]<br />
* In a SSH terminal, run '''sudo ifdown ens192 && sudo ifup ens192'''. Notice the two ''&&'' symbols. This tells the Linux shell that it should run the second command right after the first. If we do not define this, then we would be left with a machine that has its networking turned off.<br />
: <code>sudo ifdown ens192 && sudo ifup ens192</code><br />
'' Note: you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
* At this point, your machine should now be using a static address. You may receive an error message indicating that an address cannot be assigned which is related to your old DHCP address still being on the interface as well. Use '''ip address show''' to verify the new IP address is assigned to the interface.<br />
<li>Verify the new static IP address</li><br />
* Used a '''ping''' command from your local PC to try pinging both the old DHCP address as well as your new static address of your VM. <br />
* Once you have verified the VM is responding on the new static IP address reboot the system to ensure the old DHCP address is removed by restarting your VM with '''sudo shutdown -r now''' Note you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
<li>Reconnect through SSH to your new IP address and verify it is now applied using the '''ip address show''' command.</li><br />
</ol><br />
<br />
==Install PHP & MySQL/MariaDB==<br />
<br />
'''''[https://www.youtube.com/watch?v=Az0qtg4LSjA&feature=youtu.be Video Tutorial - Install PHP and MySQL MariaDB]'''''<br />
<ol><br />
<li>Install packages</li><br />
:* Using '''apt''', install the ''php'' and ''mariadb-server'' packages as well as the ''php-mysql'' package which provides the link between php and mysql and the ''libapache2-mod-php'' package which provides a copy of PHP which allows the Apache webserver to run website PHP scripts.<br />
'' Note: Remember to do an '''apt update''' before installing packages to make sure you get the latest versions<br />
'' Note: Maria-DB is a fully compatible replacement for MySQL that isn't controlled by Oracle.<br />
* After the dependencies are found, go ahead and accept them to continue the install.<br />
<li> After the install is complete, '''cd''' to ''/var/www/html'' which is the root directory of your webserver and so where all website files are served from.</li><br />
<li> In order to fully enable the PHP-MySQL module you should restart your Apache webserver. You don't need to restart your entire system to do this. Do some research on the "apache2ctl" or the "service apache2" commands which can be used to do this.<br />
<li> At this point we will test to verify that php is working properly with Apache. Create a new file named ''phptest.php'', and then open it in a text editor.</li><br />
: '' Note: you may have to use sudo to create and edit files in this directory. as your standard user account may not have privilidges to create and edit files in this directory.<br />
:<code>sudo touch phptest.php</code><br />
:<code>sudo nano phptest.php</code><br />
<li>Enter the following into the file:<br />
<pre><?php<br />
phpinfo();<br />
?></pre></li><br />
<li>Now save the file, and on your local machine go to xxx.xxx.xxx.xxx/phptest.php in a web browser where xxx.xxx.xxx.xxx is your VM's static IP. You should now be on a page that shows your PHP Version, and system information.</li> <br />
:[[File:Lab5_php_info.png|500px]]<br />
:[[Media:Lab5_php_info.png|Click here for a larger image]]<br />
<li>Use the "View Source" option in your browser to see what the HTML source code is for the page you're viewing is. Is it the same or different than the .php file you created? Why? How is this different than a standard .html file?</li><br />
:[[File:Lab5_php_info_devtab.png|500px]]<br />
:[[Media:Lab5_php_info_devtab.png|Click here for a larger image]]<br />
</ol><br />
<br />
==Experiment with Website PHP==<br />
<br />
'''''[https://www.youtube.com/watch?v=m_sUrt_quX4&feature=youtu.be Video Tutorial - Experiment with Website PHP]'''''<br />
<ol><br />
<li> Explore Apache symlinks</li><br />
:In a previous lab we learned about editing the ''/var/www/index.html'' file to change the default web page displayed by your server. In a future lab you will install some PHP/MySQL based software which powers many Internet sites with forums, blogs, etc. Before we can do that we need to learn a little more about PHP and about databases. Like most software on Linux the Apache webserver configuration files are stored in the ''/etc'' directory. Specifically, you can find several of them which work together and are called from each other in ''/etc/apache2/'' take a look in the ''/etc/apache2/sites-enabled/'' directory. See how symlinks are used to point to configuration files which actually reside in the ''/etc/apache2/sites-available/'' directory? This allows us to turn off and on various sites by creating or removing a symlink rather than by deleting the actual configuration file, a handy thing if we just want to temporarily disable a site. In fact Apache provides a utility to automatically add and remove these links called '''a2ensite''' and '''a2dissite'''. Check the '''man''' pages for these commands to see how they work.<br />
<li>Explore '''/etc/apche2/sites-enabled'''</li><br />
:As you might have guessed the default site for your system is configured by the file linked to at ''/etc/apache2/sites-enabled/000-default'' If you open this file in your favorite text editor you will see a series of what Apache calls "directives" which explain how the webserver should function, what port it should listen on, where the website files will reside (''/var/www/html''), etc. <br />
:'' NOTE: Going into all of the different Apache directives is outside of the scope of this course but you will find a lot of documentation about them on the Internet.<br />
<li>Explore the Apache configuration files in Webmin</li><br />
:In addition to configuring Apache directly through it's configuration files you can also configure it through an interface like Webmin which we installed in a previous lab. Bring up the Webmin configuration page for Apache and take a look at the settings for the default site. Note how the things you saw directly in the configuration file match up with what you see in Webmin. One of the things you may be interested in seeing is how the webserver knows to display the index.html file from a directory if it exists and no specific file is requested in the URL. Take a look on the "Directory Indexing" page for the default virtualhost and see if you can find this information. You'll notice that there is a list of files, not just index.html which the server will display.<br />
:'' NOTE: You may need to refresh your Webmin modules or "scan for new modules" if you haven't done that since installing Apache and Webmin. Webmin scans your system for compatible server software packages (like Apache) when it is installed but needs to re-scan it's modules after you install new server software before you can configure it through Webmin.<br />
<li>Expiriment with and learn PHP basics</li><br />
:In another section of this lab you created a basic ''phptest.php'' file and saw how the server executed the PHP code and turned it into an HTML page your browser could display. Because PHP offers an easy way to write web applications it powers much of the Internet. To prepare us for setting up some PHP applications in a future lab it will be helpful to know a little about how PHP scripts work. Read through the [http://www.w3schools.com/php/default.asp W3 Schools PHP Basics Tutorial] (PHP Intro through PHP Superglobals) and try creating some PHP scripts on your own Linux server like the examples given in the tutorial pages to see if you can get them to run, try modifying them a little bit and see what the results are. There are many great Internet resources devoted to understanding how to do things with PHP so take some time to see how this language can be easily integrated in websites. You should definitely be familiar with editing PHP files to change variables, echo statements, etc. work which are all skills you'll need when installing PHP based website software.<br />
<li>Create your own PHP files</li><br />
:*Try writing some simple PHP scripts on your own using variables and echo statements and make them available through your webserver.<br />
:*A good place to create these would be in your home directory, using your favorite text editor.<br />
<li>Create your own "home" page by editing your ''index.html'' file located in the '''/var/www/html''' directory.</li><br />
:''NOTE: You will need to be familiar with the very basics of editing HTML files in order to create links, etc. If you haven't done this before there are many introductory HTML tutorials available online. A good starting place is [https://www.w3schools.com/html/html_basic.asp W3 Schools HTML Basics Examples]<br />
:'' NOTE:It is importatnt to know that an '''html''' file must include the <!DOCTYPE HTML> tag. Additionally, you will notice that all tags have an opening tag and a closing tag. The information between the tags is what will have the features of the tag<br />
:*Backup your ''index.html'' file by copying to a new file name.<br />
:<code>sudo cp /var/www/html/index.html /var/www/html/index.html.bak</code><br />
:*Edit your ''index.html'' file (or create a new ''index.php'' file which will be loaded instead if it exists) so there is a list and links to the various scripts you have created as part of your PHP experimentation.<br />
:* Open your index.html file in your favorite text editor,<br />
:<code>sudo nano /var/www/html/index.html</code><br />
:*Since you have backed up the original index.html file I would edit this file to only include the basics.<br />
<pre> <br />
<!DOCTYPE HTML><br />
<html><br />
<body><br />
<h1>My ITC-2480 Server</h1><br />
<p>This is a server on Pod-R in NetLab at 172.17.50.XX</p><br />
<br><br />
<p>Here are some of the Projects I am working on:</p><br />
<a href="http://172.17.50.XX/phptest.php">PHP Version Information</a><br />
</body><br />
</html><br />
</pre><br />
:'' NOTE: Make sure to replace the XX in the IP with the IP address of your server.<br />
:<br />
:[[File:Lab5_basic_html.png|link=https://wiki.ihitc.net/mediawiki/images/2/29/Lab5_basic_html.png|500px]]<br />
:[[Media:Lab5_basic_html.png|Click here for a larger image]]<br />
:A first look for a basic page<br />
:[[File:Lab5_initial_home.png|link=https://wiki.ihitc.net/mediawiki/images/9/92/Lab5_initial_home.png|500px]]<br />
:[[Media:Lab5_initial_home.png|Click for a larger image]]<br />
<li>Try to add additional features to your "home" page.</li><br />
:''NOTE: You may get some ideas of features you might like to add by looking at the original ''index.html'' file that we backed up in step 6 of this lab.<br />
:*As you complete your labs consider what you can add to this page.<br />
:*Add links to the PHP scripts you created<br />
:*A few good chalanges would be to add a title, change font size, style or color.<br />
<br />
</ol><br />
<br />
==Experiment with Databases==<br />
<br />
'''''[https://www.youtube.com/watch?v=1zYXiWLoGdM&feature=youtu.be Video Tutorial - Experiment with Databases]'''''<br />
<ol><br />
: In order to do really powerful things with a website we need a database where we can store dynamic content which can be queried to automatically build site pages from a template. One of the most common databases is an SQL database, and MySQL has long been the most prevalent Linux SQL software. These days MariaDB, which we installed, has been taking some MySQL marketshare because it is a community developed program instead of MySQL which is now owned by Oracle. The MariaDB software and MySQL software are essentially equivalent, especially for small sites/databases, and the same commands are used interchangeably including using the '''mysql''' command to access them. SQL itself is a standard language for interacting with a specific type of database called a relational database, we'll see why it's called a relational database in a minute. Each database is a collection of data stored in tables. You can think of a table as something like a spreadsheet with rows and columns, except we call the columns fields and the rows records (sometimes we actually call them rows too). The different tables are often related to one another, of course they are usually being used by the same web application, but usually the relationship goes deeper than that as we'll see in a little bit.<br />
<li>Download a sample database</li><br />
: To jumpstart our exploration of databases we'll download a pre-built sample database with a few tables and many records already in it and import it into our MySQL database server. Download the employees database file [https://launchpad.net/test-db/employees-db-1/1.0.6/+download/employees_db-full-1.0.6.tar.bz2 employees_db-full-1.0.6.tar.bz2] (about 26MB) and get it into your home directory. Instead of using the '''links''' browser to do this or downloading to your computer and then pushing this large file back across the Internet with an SCP/SFTP client like FileZilla a better choice might be to learn about the '''wget''' program which can be used like "'''wget https://launchpad.net/test-db/employees-db-1/1.0.6/+download/employees_db-full-1.0.6.tar.bz2'''" to download the file into your current working directory.<br />
<code>wget https://launchpad.net/test-db/employees-db-1/1.0.6/+download/employees_db-full-1.0.6.tar.bz2</code><br />
<li>Unpack the database file</li><br />
: Figure out how to use the '''tar''' program to unpack this .tar.bz2 file. Note that this file uses bz2 compression which takes longer to compress than gzip but can compress the files more. Once unpacked you should have an "employees_db" folder.<br />
<li>Explore the files included with sample database</li><br />
: Inside the ''employees_db'' folder you should have a number of ''.sql'' script files and dump files which can be used to restore the database to your system.<br />
:*Take a look at the ''employees.sql'' file, it's just a text file, which describes the format of the database. <br />
:*Also take a look at the ''load_employees.dump'' file, also just a text file, which contains all of the records from the employees table of the database. :'' NOTE: there are 300,000 some employee records in this database so you probably don't want to just use '''cat''' to view these files as it could take a while to print them out to your screen. Using the '''less''' program would be a better choice as it will allow you to exit viewing the file by pressing q at any time.<br />
<li>Open the MySQL (MariaDB) command line</li><br />
: We can interact with the MySQL/MariaDB server in many different ways. The first way we'll take a look at is through the command line '''mysql''' program. Run the "'''sudo mysql'''" command. <br />
:'' NOTE: that we are running this command with system administrator permissions which allows us to log in to the MySQL server with database administrator permissions as well. The MySQL program actually stores it's own usernames and passwords as a MySQL database itself, you can create and modify these permissions from the mysql command line but we'll learn more about modifying them through the Webmin interface later.<br />
:<code>sudo MySQL</code><br />
<br><br />
:[[File:Lab5_mariadb_cli.png|link=https://wiki.ihitc.net/mediawiki/images/4/4f/Lab5_mariadb_cli.png|500px]]<br />
:[[Media:Lab5_mariadb_cli.png|Click here for a larger image]]<br />
<li>Explore MySQL (MariaDB) Commands</li><br />
: MySQL has it's own command line language the you can use through the "mysql>" prompt you are now running. For example, if we want to see a list of databases on the system we can run "'''SHOW databases;'''" run the command and note the databases that already exist by default.<br />
<code>SHOW databases;</code><br />
:'' NOTE: Each MySQL/MariaDB statement ends with a semicolon (;) if you do not put the semicolon at the end of the line the command will not execute when you press enter and you will be able to continue to add more commands to the statement before finishing with a semicolon. If you accidentally press enter without ending with a semicolon you can just enter a semicolon on the next line and press enter.<br />
<li>Import the sample database</li><br />
: To import the employee database we can use the "'''source employees.sql;'''" command (assuming we were already working in the directory which contains the employees.sql file when we launched mysql. Import the employee database and verify the system now has an employees database.<br />
<code>SOURCE employees.sql;</code><br />
<li>Use the employees database</li><br />
<code>USE employees;</code><br />
: If we want to see all of the tables in the employees database we must first select the database we want to work on using the "'''USE employees;'''" command.<br />
<li>Explore the employee table</li><br />
: Use the "'''SHOW tables;'''" command to see a list of tables.<br />
<code>SHOW tables;</code><br />
<li>View a list of employees in table</li><br />
: To see a list of all the records in a table we need to run a SELECT query "'''SELECT * from ''<tablename>'''''" like "'''SELECT * from employees'''" which will list all the records in the ''employees'' table of the employees database and display them.<br />
<code>SELECT * from employees;</code><br />
<br><br />
:[[File:Lab5_mariadb_show_tables.png|link=https://wiki.ihitc.net/mediawiki/images/d/d5/Lab5_mariadb_show_tables.png|350px]]<br />
:[[Media:Lab5_mariadb_show_tables.png|Click here for a larger image]]<br />
:* Remember that we previously selected to USE the ''employees'' database, this will be remembered until we USE a different database. Try displaying the records in a couple of different tables like employees and departments.<br />
:'' NOTE: The output can be broken by using CTRL-C on your local machine if you do not wish to wait for all of the records to be displayed.<br />
:<br />
: There is much more that we can do from the MySQL/MariaDB command line but that would be a whole class or more itself. The MySQL/MariaDB programs are well documented on the Internet and with these basic skills you should be able to figure out most of it. Remember, the vast majority of what you read about MySQL will also work in MariaDB and vice-versa.<br />
<li>Explore the MySQL interface in Webmin<br />
: Now that you have learned a bit about MySQL databases from the command line let's see how they look in the Webmin web management interface. Log back in to your Webmin interface through a browser on your host system.<br />
:* Because MySQL was not installed when we first setup Webmin you need to "scan for new modules" first. Once that process has finished refresh the page to see that MySQL has been added to the server section of Webmin.<br />
:* Take a look at the Webmin MySQL module and see how MySQL users and permissions are configured.<br />
:* Try browsing through the ''employees'' database using the Webmin interface including viewing tables and records inside of the tables.<br />
<li>Drop database and exit MySQL (MariaDB)</li><br />
:* Go back to your MySQL command line window and run the command "'''DROP DATABASE employees;'''" to delete the entire database.<br />
:* Type "'''exit;'''" to quit the MySQL program and return to a Linux shell.<br />
<br />
:'' NOTE: Obviously, the DROP command is one to be careful with as you can easily wipe out a huge database with one line! <br />
</ol><br />
<br />
==View Logfiles==<br />
<br />
'''''[https://www.youtube.com/watch?v=cxIOQF-eMy0&feature=youtu.be Video Tutorial - Tutorial 5 View Logfiles]'''''<br />
<br />
<ol><br />
: Linux stores most of log files in the ''/var/log'' directory so change your working directory to ''/var/log''.<br />
: Some log files are viewable by all users on the system but other log files may be restricted and you will need to use '''sudo''' to view them.<br />
<li>View last 20 lines in '''/var/log/syslog'''</li><br />
:<code>tail -20 /var/log/syslog</code><br />
:[[File:Lab5_tail.png|link=https://wiki.ihitc.net/mediawiki/images/8/88/Lab5_tail.png|500px]]<br />
:[[Media:Lab5_tail.png|Click here for a larger image]]<br />
: Linux log files are typically standard text files and can be read with standard text file utilities like cat or less. One additional utility which comes in hand is the '''tail''' program which displays the last 10 lines (by default) of a text file and which can be configured to display more or less lines using a command like '''tail -20 /var/log/syslog''' which will display the last 20 lines of the main system log file. The manual page for the '''tail''' command contains additional information like how to use the ''-f'' option to view a log in realtime (exit with Ctrl-C).<br />
<li>Save the tail output to a file</li><br />
: Often we may want to save the output from a '''tail''' command to share with others or document an issue. This can easily be done using redirection we learned in a previous lab. Experiment with how to save some tail commands.<br />
: <code>tail -20 /var/log/syslog > logtail.txt</code><br />
<li>Explore some other log files</li><br />
: Take a look at some of the log files on your system and see what kinds of information they contain specifically you should probably look at ''syslog'', ''auth.log'', ''kern.log'', ''apache2/access.log'', and ''apache2/error.log'' <br />
:* Use the tail command to explore these logs<br />
: In order to prevent log files from completely filling your drive old log files are eventually rotated on the system and compressed and then finally deleted. Take a look at some of the rotated log files like ''/var/log/syslog.1'' or ''/var/log/kern.log.1'' which will contain slightly older log entries.<br />
:'' Note: After the first rotated file other files are usually compressed with gzip. You can decompress and view these on the fly using the '''zcat''' program.<br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_5_mnjk&diff=9519Lab 5 mnjk2021-02-20T12:39:12Z<p>JonQuinn: /* View Logfiles */</p>
<hr />
<div>=Introduction=<br />
In this lab you will perform the following tasks:<br />
*Learn about static network configuration of Debian Linux systems<br />
*Install '''[https://www.php.net PHP]'''<br />
*Install '''[https://www.php.net MariaDB]''' on your server, this is an open-source MySQL alternative<br />
*Experiment with websites and databases<br />
*Explore the standard log files on your system.<br />
<br />
You will be introduced to the following commands:<br />
<br />
*'''[https://linux.die.net/man/8/ifup ifup]'''<br />
*'''[https://linux.die.net/man/8/ifdown ifdown]'''<br />
*'''[https://linux.die.net/man/8/ping ping]'''<br />
*'''[https://linux.die.net/man/8/shutdown shutdown]'''<br />
*'''[https://www.commandlinux.com/man-page/man8/a2dissite.8.html a2ensite]'''<br />
*'''[https://www.commandlinux.com/man-page/man8/a2dissite.8.html a2dissite]'''<br />
*'''[https://linux.die.net/man/1/wget wget]'''<br />
*'''[https://linux.die.net/man/1/zcat zcat]'''<br />
*'''[https://linux.die.net/man/8/service service]'''<br />
*'''[https://linux.die.net/man/1/tail tail]'''<br />
<br />
You will also use the following MySQL (MariaDB) commands:<br />
<br />
*'''[https://mariadb.com/kb/en/use USE]'''<br />
*'''[https://mariadb.com/kb/en/show SHOW]'''<br />
*'''[https://mariadb.com/kb/en/select SELECT]'''<br />
*'''[https://mariadb.com/kb/en/drop-database DROP database]'''<br />
<br />
=Lab Procedure=<br />
==Prerequisites==<br />
# Open an SSH console to your Linux system using the PuTTY software, login with your standard user account<br />
# Make a note of the static IP address information for your particular system in the table below, it is based on the system name identification letter in vmWare. These IP addresses will ONLY be valid in the ITC vmWare Linux class subnet. If you are working on a local VirtualBox system you will need to select an available static IP from the correct subnet for your system or skip the static IP addressing section. All vmWare systems will use a gateway address of 172.17.50.1 and a subnet mask of 255.255.255.0 with two nameservers 172.17.139.11 and 172.17.139.111<br />
{| {{table}}<br />
| align="center" style="background:#f0f0f0;"|'''System ID'''<br />
| align="center" style="background:#f0f0f0;"|'''Static IP'''<br />
|-<br />
| A||172.17.50.11<br />
|-<br />
| B||172.17.50.12<br />
|-<br />
| C||172.17.50.13<br />
|-<br />
| D||172.17.50.14<br />
|-<br />
| E||172.17.50.15<br />
|-<br />
| F||172.17.50.16<br />
|-<br />
| G||172.17.50.17<br />
|-<br />
| H||172.17.50.18<br />
|-<br />
| I||172.17.50.19<br />
|-<br />
| J||172.17.50.20<br />
|-<br />
| K||172.17.50.21<br />
|-<br />
| L||172.17.50.22<br />
|-<br />
| M||172.17.50.23<br />
|-<br />
| N||172.17.50.24<br />
|-<br />
| O||172.17.50.25<br />
|-<br />
| P||172.17.50.26<br />
|-<br />
| Q||172.17.50.27<br />
|-<br />
| R||172.17.50.28<br />
|-<br />
| S||172.17.50.29<br />
|-<br />
| T||172.17.50.30<br />
|-<br />
| U||172.17.50.31<br />
|-<br />
| V||172.17.50.32<br />
|-<br />
| W||172.17.50.33<br />
|-<br />
| X||172.17.50.34<br />
|-<br />
| Y||172.17.50.35<br />
|-<br />
| Z||172.17.50.36<br />
|}<br />
<br />
<br />
<br />
==Set a static IP==<br />
'''''[https://www.youtube.com/watch?v=VcPA6gJ0Ohw&feature=youtu.be Video Tutorial - Setting a Static IP Address]'''''<br />
<br />
: An important first step is to learn how to diferenciate between network interfaces. Take a look at [https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/ this site] and [https://github.com/systemd/systemd/blob/master/src/udev/udev-builtin-net_id.c#L20 this site] to understand how network interface names in Debian 9 and later are identified.<br />
<ol><br />
<li>Set a static IP for your server</li><br />
* Using your text editor of choice, open up the file ''/etc/network/interfaces''<br />
* Notice how it is currently set to dhcp for the ''ens192'' interface.<br />
* To set a static IP, you will need to change ''iface ens192 inet dhcp'' to ''iface ens192 inet static''.<br />
* Now, under the iface line you just edited, you will need to enter the address, netmask, and gateway for the static network.<br />
:''' Reminder: it is common practice to indent (tab) static network configuration information in the interfaces file.<br />
'' Note: Your configuration should be similar to this:<br />
<pre>allow-hotplug ens192<br />
iface ens192 inet static<br />
address xxx.xxx.xxx.xxx<br />
netmask 255.255.255.0<br />
gateway 172.17.50.1<br />
dns-nameservers 172.17.139.11 172.17.139.111</pre><br />
* Now save the file, and exit your file editor.<br />
<li>Apply your static IP address</li><br />
* Now we are going to apply the static IP change. Try using '''ip address show''' to view your active configuration now and you should see that your old address is still active.<br />
:''NOTE: You should only make network configuration changes when you have physical access to a machine. This way, if you mess up your configuration you will be able to fix it from a local console.''' If you lose working SSH access to your system after making these changes you'll need to connect in through the NetLab console interface (which is equivalent to physical access) and find and correct your configuration issues.<br />
* Using the '''ifdown''' and '''ifup''' command, we are going to restart the network interface, this step is required to apply the change.<br />
:'' Note: A good method to watch this change is to have to ping windows open on your local machine ping both your old IP address and your new IP address with a '''ping 172.17.50.xx -t''' this will allow you to see how quickly the change will happen. The first image below is with the DHCP address, the second is after the static address is applied.<br />
:[[File:Lab5_ping_ifup_ifdown.png|link=https://wiki.ihitc.net/mediawiki/images/2/2f/Lab5_ping_ifup_ifdown.png|500px]]<br />
:[[Media:Lab5_ping_ifup_ifdown.png|Click here for a larger image]]<br />
* In a SSH terminal, run '''sudo ifdown ens192 && sudo ifup ens192'''. Notice the two ''&&'' symbols. This tells the Linux shell that it should run the second command right after the first. If we do not define this, then we would be left with a machine that has its networking turned off.<br />
: <code>sudo ifdown ens192 && sudo ifup ens192</code><br />
'' Note: you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
* At this point, your machine should now be using a static address. You may receive an error message indicating that an address cannot be assigned which is related to your old DHCP address still being on the interface as well. Use '''ip address show''' to verify the new IP address is assigned to the interface.<br />
<li>Verify the new static IP address</li><br />
* Used a '''ping''' command from your local PC to try pinging both the old DHCP address as well as your new static address of your VM. <br />
* Once you have verified the VM is responding on the new static IP address reboot the system to ensure the old DHCP address is removed by restarting your VM with '''sudo shutdown -r now''' Note you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
<li>Reconnect through SSH to your new IP address and verify it is now applied using the '''ip address show''' command.</li><br />
</ol><br />
<br />
==Install PHP & MySQL/MariaDB==<br />
<br />
'''''[https://www.youtube.com/watch?v=Az0qtg4LSjA&feature=youtu.be Video Tutorial - Install PHP and MySQL MariaDB]'''''<br />
<ol><br />
<li>Install packages</li><br />
:* Using '''apt''', install the ''php'' and ''mariadb-server'' packages as well as the ''php-mysql'' package which provides the link between php and mysql and the ''libapache2-mod-php'' package which provides a copy of PHP which allows the Apache webserver to run website PHP scripts.<br />
'' Note: Remember to do an '''apt update''' before installing packages to make sure you get the latest versions<br />
'' Note: Maria-DB is a fully compatible replacement for MySQL that isn't controlled by Oracle.<br />
* After the dependencies are found, go ahead and accept them to continue the install.<br />
<li> After the install is complete, '''cd''' to ''/var/www/html'' which is the root directory of your webserver and so where all website files are served from.</li><br />
<li> In order to fully enable the PHP-MySQL module you should restart your Apache webserver. You don't need to restart your entire system to do this. Do some research on the "apache2ctl" or the "service apache2" commands which can be used to do this.<br />
<li> At this point we will test to verify that php is working properly with Apache. Create a new file named ''phptest.php'', and then open it in a text editor.</li><br />
: '' Note: you may have to use sudo to create and edit files in this directory. as your standard user account may not have privilidges to create and edit files in this directory.<br />
:<code>sudo touch phptest.php</code><br />
:<code>sudo nano phptest.php</code><br />
<li>Enter the following into the file:<br />
<pre><?php<br />
phpinfo();<br />
?></pre></li><br />
<li>Now save the file, and on your local machine go to xxx.xxx.xxx.xxx/phptest.php in a web browser where xxx.xxx.xxx.xxx is your VM's static IP. You should now be on a page that shows your PHP Version, and system information.</li> <br />
:[[File:Lab5_php_info.png|500px]]<br />
:[[Media:Lab5_php_info.png|Click here for a larger image]]<br />
<li>Use the "View Source" option in your browser to see what the HTML source code is for the page you're viewing is. Is it the same or different than the .php file you created? Why? How is this different than a standard .html file?</li><br />
:[[File:Lab5_php_info_devtab.png|500px]]<br />
:[[Media:Lab5_php_info_devtab.png|Click here for a larger image]]<br />
</ol><br />
<br />
==Experiment with Website PHP==<br />
<br />
'''''[https://www.youtube.com/watch?v=m_sUrt_quX4&feature=youtu.be Video Tutorial - Experiment with Website PHP]'''''<br />
<ol><br />
<li> Explore Apache symlinks</li><br />
:In a previous lab we learned about editing the ''/var/www/index.html'' file to change the default web page displayed by your server. In a future lab you will install some PHP/MySQL based software which powers many Internet sites with forums, blogs, etc. Before we can do that we need to learn a little more about PHP and about databases. Like most software on Linux the Apache webserver configuration files are stored in the ''/etc'' directory. Specifically, you can find several of them which work together and are called from each other in ''/etc/apache2/'' take a look in the ''/etc/apache2/sites-enabled/'' directory. See how symlinks are used to point to configuration files which actually reside in the ''/etc/apache2/sites-available/'' directory? This allows us to turn off and on various sites by creating or removing a symlink rather than by deleting the actual configuration file, a handy thing if we just want to temporarily disable a site. In fact Apache provides a utility to automatically add and remove these links called '''a2ensite''' and '''a2dissite'''. Check the '''man''' pages for these commands to see how they work.<br />
<li>Explore '''/etc/apche2/sites-enabled'''</li><br />
:As you might have guessed the default site for your system is configured by the file linked to at ''/etc/apache2/sites-enabled/000-default'' If you open this file in your favorite text editor you will see a series of what Apache calls "directives" which explain how the webserver should function, what port it should listen on, where the website files will reside (''/var/www/html''), etc. <br />
:'' NOTE: Going into all of the different Apache directives is outside of the scope of this course but you will find a lot of documentation about them on the Internet.<br />
<li>Explore the Apache configuration files in Webmin</li><br />
:In addition to configuring Apache directly through it's configuration files you can also configure it through an interface like Webmin which we installed in a previous lab. Bring up the Webmin configuration page for Apache and take a look at the settings for the default site. Note how the things you saw directly in the configuration file match up with what you see in Webmin. One of the things you may be interested in seeing is how the webserver knows to display the index.html file from a directory if it exists and no specific file is requested in the URL. Take a look on the "Directory Indexing" page for the default virtualhost and see if you can find this information. You'll notice that there is a list of files, not just index.html which the server will display.<br />
:'' NOTE: You may need to refresh your Webmin modules or "scan for new modules" if you haven't done that since installing Apache and Webmin. Webmin scans your system for compatible server software packages (like Apache) when it is installed but needs to re-scan it's modules after you install new server software before you can configure it through Webmin.<br />
<li>Expiriment with and learn PHP basics</li><br />
:In another section of this lab you created a basic ''phptest.php'' file and saw how the server executed the PHP code and turned it into an HTML page your browser could display. Because PHP offers an easy way to write web applications it powers much of the Internet. To prepare us for setting up some PHP applications in a future lab it will be helpful to know a little about how PHP scripts work. Read through the [http://www.w3schools.com/php/default.asp W3 Schools PHP Basics Tutorial] (PHP Intro through PHP Superglobals) and try creating some PHP scripts on your own Linux server like the examples given in the tutorial pages to see if you can get them to run, try modifying them a little bit and see what the results are. There are many great Internet resources devoted to understanding how to do things with PHP so take some time to see how this language can be easily integrated in websites. You should definitely be familiar with editing PHP files to change variables, echo statements, etc. work which are all skills you'll need when installing PHP based website software.<br />
<li>Create your own PHP files</li><br />
:*Try writing some simple PHP scripts on your own using variables and echo statements and make them available through your webserver.<br />
:*A good place to create these would be in your home directory, using your favorite text editor.<br />
<li>Create your own "home" page by editing your ''index.html'' file located in the '''/var/www/html''' directory.</li><br />
:''NOTE: You will need to be familiar with the very basics of editing HTML files in order to create links, etc. If you haven't done this before there are many introductory HTML tutorials available online. A good starting place is [https://www.w3schools.com/html/html_basic.asp W3 Schools HTML Basics Examples]<br />
:'' NOTE:It is importatnt to know that an '''html''' file must include the <!DOCTYPE HTML> tag. Additionally, you will notice that all tags have an opening tag and a closing tag. The information between the tags is what will have the features of the tag<br />
:*Backup your ''index.html'' file by copying to a new file name.<br />
:<code>sudo cp /var/www/html/index.html /var/www/html/index.html.bak</code><br />
:*Edit your ''index.html'' file (or create a new ''index.php'' file which will be loaded instead if it exists) so there is a list and links to the various scripts you have created as part of your PHP experimentation.<br />
:* Open your index.html file in your favorite text editor,<br />
:<code>sudo nano /var/www/html/index.html</code><br />
:*Since you have backed up the original index.html file I would edit this file to only include the basics.<br />
<pre> <br />
<!DOCTYPE HTML><br />
<html><br />
<body><br />
<h1>My ITC-2480 Server</h1><br />
<p>This is a server on Pod-R in NetLab at 172.17.50.XX</p><br />
<br><br />
<p>Here are some of the Projects I am working on:</p><br />
<a href="http://172.17.50.XX/phptest.php">PHP Version Information</a><br />
</body><br />
</html><br />
</pre><br />
:'' NOTE: Make sure to replace the XX in the IP with the IP address of your server.<br />
:<br />
:[[File:Lab5_basic_html.png|link=https://wiki.ihitc.net/mediawiki/images/2/29/Lab5_basic_html.png|500px]]<br />
:[[Media:Lab5_basic_html.png|Click here for a larger image]]<br />
:A first look for a basic page<br />
:[[File:Lab5_initial_home.png|link=https://wiki.ihitc.net/mediawiki/images/9/92/Lab5_initial_home.png|500px]]<br />
:[[Media:Lab5_initial_home.png|Click for a larger image]]<br />
<li>Try to add additional features to your "home" page.</li><br />
:''NOTE: You may get some ideas of features you might like to add by looking at the original ''index.html'' file that we backed up in step 6 of this lab.<br />
:*As you complete your labs consider what you can add to this page.<br />
:*Add links to the PHP scripts you created<br />
:*A few good chalanges would be to add a title, change font size, style or color.<br />
<br />
</ol><br />
<br />
==Experiment with Databases==<br />
<br />
'''''[https://www.youtube.com/watch?v=1zYXiWLoGdM&feature=youtu.be Video Tutorial - Experiment with Databases]'''''<br />
<ol><br />
: In order to do really powerful things with a website we need a database where we can store dynamic content which can be queried to automatically build site pages from a template. One of the most common databases is an SQL database, and MySQL has long been the most prevalent Linux SQL software. These days MariaDB, which we installed, has been taking some MySQL marketshare because it is a community developed program instead of MySQL which is now owned by Oracle. The MariaDB software and MySQL software are essentially equivalent, especially for small sites/databases, and the same commands are used interchangeably including using the '''mysql''' command to access them. SQL itself is a standard language for interacting with a specific type of database called a relational database, we'll see why it's called a relational database in a minute. Each database is a collection of data stored in tables. You can think of a table as something like a spreadsheet with rows and columns, except we call the columns fields and the rows records (sometimes we actually call them rows too). The different tables are often related to one another, of course they are usually being used by the same web application, but usually the relationship goes deeper than that as we'll see in a little bit.<br />
<li>Download a sample database</li><br />
: To jumpstart our exploration of databases we'll download a pre-built sample database with a few tables and many records already in it and import it into our MySQL database server. Download the employees database file [https://launchpad.net/test-db/employees-db-1/1.0.6/+download/employees_db-full-1.0.6.tar.bz2 employees_db-full-1.0.6.tar.bz2] (about 26MB) and get it into your home directory. Instead of using the '''links''' browser to do this or downloading to your computer and then pushing this large file back across the Internet with an SCP/SFTP client like FileZilla a better choice might be to learn about the '''wget''' program which can be used like "'''wget https://launchpad.net/test-db/employees-db-1/1.0.6/+download/employees_db-full-1.0.6.tar.bz2'''" to download the file into your current working directory.<br />
<code>wget https://launchpad.net/test-db/employees-db-1/1.0.6/+download/employees_db-full-1.0.6.tar.bz2</code><br />
<li>Unpack the database file</li><br />
: Figure out how to use the '''tar''' program to unpack this .tar.bz2 file. Note that this file uses bz2 compression which takes longer to compress than gzip but can compress the files more. Once unpacked you should have an "employees_db" folder.<br />
<li>Explore the files included with sample database</li><br />
: Inside the ''employees_db'' folder you should have a number of ''.sql'' script files and dump files which can be used to restore the database to your system.<br />
:*Take a look at the ''employees.sql'' file, it's just a text file, which describes the format of the database. <br />
:*Also take a look at the ''load_employees.dump'' file, also just a text file, which contains all of the records from the employees table of the database. :'' NOTE: there are 300,000 some employee records in this database so you probably don't want to just use '''cat''' to view these files as it could take a while to print them out to your screen. Using the '''less''' program would be a better choice as it will allow you to exit viewing the file by pressing q at any time.<br />
<li>Open the MySQL (MariaDB) command line</li><br />
: We can interact with the MySQL/MariaDB server in many different ways. The first way we'll take a look at is through the command line '''mysql''' program. Run the "'''sudo mysql'''" command. <br />
:'' NOTE: that we are running this command with system administrator permissions which allows us to log in to the MySQL server with database administrator permissions as well. The MySQL program actually stores it's own usernames and passwords as a MySQL database itself, you can create and modify these permissions from the mysql command line but we'll learn more about modifying them through the Webmin interface later.<br />
:<code>sudo MySQL</code><br />
<br><br />
:[[File:Lab5_mariadb_cli.png|link=https://wiki.ihitc.net/mediawiki/images/4/4f/Lab5_mariadb_cli.png|500px]]<br />
:[[Media:Lab5_mariadb_cli.png|Click here for a larger image]]<br />
<li>Explore MySQL (MariaDB) Commands</li><br />
: MySQL has it's own command line language the you can use through the "mysql>" prompt you are now running. For example, if we want to see a list of databases on the system we can run "'''SHOW databases;'''" run the command and note the databases that already exist by default.<br />
<code>SHOW databases;</code><br />
:'' NOTE: Each MySQL/MariaDB statement ends with a semicolon (;) if you do not put the semicolon at the end of the line the command will not execute when you press enter and you will be able to continue to add more commands to the statement before finishing with a semicolon. If you accidentally press enter without ending with a semicolon you can just enter a semicolon on the next line and press enter.<br />
<li>Import the sample database</li><br />
: To import the employee database we can use the "'''source employees.sql;'''" command (assuming we were already working in the directory which contains the employees.sql file when we launched mysql. Import the employee database and verify the system now has an employees database.<br />
<code>SOURCE employees.sql;</code><br />
<li>Use the employees database</li><br />
<code>USE employees;</code><br />
: If we want to see all of the tables in the employees database we must first select the database we want to work on using the "'''USE employees;'''" command.<br />
<li>Explore the employee table</li><br />
: Use the "'''SHOW tables;'''" command to see a list of tables.<br />
<code>SHOW tables;</code><br />
<li>View a list of employees in table</li><br />
: To see a list of all the records in a table we need to run a SELECT query "'''SELECT * from ''<tablename>'''''" like "'''SELECT * from employees'''" which will list all the records in the ''employees'' table of the employees database and display them.<br />
<code>SELECT * from employees;</code><br />
<br><br />
:[[File:Lab5_mariadb_show_tables.png|link=https://wiki.ihitc.net/mediawiki/images/d/d5/Lab5_mariadb_show_tables.png|350px]]<br />
:[[Media:Lab5_mariadb_show_tables.png|Click here for a larger image]]<br />
:* Remember that we previously selected to USE the ''employees'' database, this will be remembered until we USE a different database. Try displaying the records in a couple of different tables like employees and departments.<br />
:'' NOTE: The output can be broken by using CTRL-C on your local machine if you do not wish to wait for all of the records to be displayed.<br />
:<br />
: There is much more that we can do from the MySQL/MariaDB command line but that would be a whole class or more itself. The MySQL/MariaDB programs are well documented on the Internet and with these basic skills you should be able to figure out most of it. Remember, the vast majority of what you read about MySQL will also work in MariaDB and vice-versa.<br />
<li>Explore the MySQL interface in Webmin<br />
: Now that you have learned a bit about MySQL databases from the command line let's see how they look in the Webmin web management interface. Log back in to your Webmin interface through a browser on your host system.<br />
:* Because MySQL was not installed when we first setup Webmin you need to "scan for new modules" first. Once that process has finished refresh the page to see that MySQL has been added to the server section of Webmin.<br />
:* Take a look at the Webmin MySQL module and see how MySQL users and permissions are configured.<br />
:* Try browsing through the ''employees'' database using the Webmin interface including viewing tables and records inside of the tables.<br />
<li>Drop database and exit MySQL (MariaDB)</li><br />
:* Go back to your MySQL command line window and run the command "'''DROP DATABASE employees;'''" to delete the entire database.<br />
:* Type "'''exit;'''" to quit the MySQL program and return to a Linux shell.<br />
<br />
:'' NOTE: Obviously, the DROP command is one to be careful with as you can easily wipe out a huge database with one line! <br />
</ol><br />
<br />
==View Logfiles==<br />
<br />
'''''[https://www.youtube.com/watch?v=cxIOQF-eMy0&feature=youtu.be Video Tutorial - Tutorial 5 View Logfiles]'''''<br />
<br />
<ol><br />
: Linux stores most of log files in the ''/var/log'' directory so change your working directory to ''/var/log''.<br />
: Some log files are viewable by all users on the system but other log files may be restricted and you will need to use '''sudo''' to view them.<br />
<li>View last 20 lines in '''/var/log/syslog'''</li><br />
:<code>tail -20 /var/log/syslog</code><br />
:[[File:Lab5_tail.png|link=https://wiki.ihitc.net/mediawiki/images/8/88/Lab5_tail.png|500px]]<br />
:[[Media:Lab5_tail.png|Click here for a larger image]]<br />
: Linux log files are typically standard text files and can be read with standard text file utilities like cat or less. One additional utility which comes in hand is the '''tail''' program which displays the last 10 lines (by default) of a text file and which can be configured to display more or less lines using a command like '''tail -20 /var/log/syslog''' which will display the last 20 lines of the main system log file. The manual page for the '''tail''' command contains additional information like how to use the ''-f'' option to view a log in realtime (exit with Ctrl-C).<br />
<li>Save the tail output to a file</li><br />
: Often we may want to save the output from a '''tail''' command to share with others or document an issue. This can easily be done using redirection we learned in a previous lab.<br />
<code>tail -20 /var/log/syslog > logtail.txt</code><br />
<li>Explore some other log files</li><br />
: Take a look at some of the log files on your system and see what kinds of information they contain specifically you should probably look at ''syslog'', ''auth.log'', ''kern.log'', ''apache2/access.log'', and ''apache2/error.log'' <br />
:* Use the tail command to explore these logs<br />
: In order to prevent log files from completely filling your drive old log files are eventually rotated on the system and compressed and then finally deleted. Take a look at some of the rotated log files like ''/var/log/syslog.1'' or ''/var/log/kern.log.1'' which will contain slightly older log entries.<br />
:'' Note: After the first rotated file other files are usually compressed with gzip. You can decompress and view these on the fly using the '''zcat''' program.<br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Mail_server_mnjk&diff=9514Mail server mnjk2021-02-19T02:43:26Z<p>JonQuinn: /* Auto Maildir Clean Up */</p>
<hr />
<div>==Introduction==<br />
:This section documents the creation of the Auto-Reply Mail Server. This section will likely be created by an instructor or administrator.<br />
==Mail Server Documentation==<br />
<ol><br />
<li>Power on you Virtual machine</li><br />
<br />
:* This server may reside in the VMware ESXi or NetLab as long as the network configuration allows connection to the course VLAN and student VM's.<br />
<li>Install Debian Linux</li><br />
: Once the system has booted and is on the "Debian GNU/Linux installer menu" choose "Install" and '''not''' "Graphical Install". If you make an incorrect choice you can reboot your virtual machine (power off and on) before installing to get back to the menu.<br />
: In the installer you will use the space bar to select and unselect "checkboxes", the tab key to move between fields and buttons, and the enter key to continue. You will be prompted for the following choices<br />
* Select ''English'' as the language, ''United States'' as your location, and ''American English'' as the keymap.<br />
* Set ''ens192'' as your primary network interface.<br />
* Set a hostname for the system to 2480 followed by a dash and then your pod ID letter, like ''2480-Z'' for LSA Pod Z. If you have forgotten your pod ID letter look up at the top of your screen above the line with the "Topology" and "Linux Server" tabs and you should see a line with "LSA Pod" followed by a letter, that letter is your pod ID letter.<br />
:'' Note: These steps are critical to future success in labs, check your spelling carefully'' <br />
: [[File:Lab1_hostname.png|link=https://wiki.ihitc.net/mediawiki/images/5/57/Lab1_hostname.png|500px]]<br />
: [[Media:Lab1_hostname.png|Click here for a larger image]]<br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
: [[File:Lab1_domainname.png|link=https://wiki.ihitc.net/mediawiki/images/5/5a/Lab1_domainname.png|500px]]<br />
: [[Media:Lab1_domainname.png|Click here for a larger images]]<br />
* Set the root password to something you will NOT FORGET, this is the administrator account, ''cisco'' might be a good choice for our purposes though that would not be secure for a system directly accessible from the Internet (we are protected by a firewall which you are bypassing via the VPN connection)<br />
* Create a new user account by entering your name. The system will automatically use your first name (all lowercase) as the username and then you should set the password to another password you will not forget<br />
* Select your timezone<br />
* Choose "Guided - Use entire disk" as the partitioning method and select the ''sda'' drive and "All files in one partition" as the partitioning scheme, "Finish partitioning and write the changes to the disk", and then finally confirm you want to write the changes.<br />
* You do not want to scan any other CDs or DVDs at this time.<br />
* You want to select a mirror located close to you with good speed. Because your VM is actually running from the campus and is connected to the campus Internet connection a good option is "debian.uchicago.edu" with no http proxy.<br />
* Choose whether you want to participate in the package usage survey, for our purposes either choice is just fine.<br />
* On the software selection screen UNSELECT "Debian desktop environment" and "Print server" and make sure that "SSH server" and "Standard system utilities" are the only two selected options.<br />
:'' Note: To select and unselect options move your cursor over the option and press the space bar.<br />
* Choose that yes you want to install GRUB to the master boot record on the ''/dev/sda'' device.<br />
<li>Complete the installation</li><br />
: When the installation is complete you can select continue to "eject" the virtual CD and reboot into the new install<br />
</ol><br />
<br />
==Install Basic Tools==<br />
<ol><br />
<li>Install '''sudo''' from the command line using:<br />
: ''Note: A good practice is to update your system before installing any packages, this should be completed using '''apt update''', ensure to use '''sudo''' when not logged in as root.<br />
: <code>apt update</code><br />
: <code>apt install sudo</code></li><br />
: For security purposes it is usually the case that you do not want to log in as the root user. Instead, best practice is to log in as a standard user and then execute specific commands that require root access with administrative privileges through the '''sudo''' program. The '''sudo''' program is not installed by default so after you have logged in to the root account enter '''apt update''' and press enter which will update the list of software available for installation and then '''apt install sudo''' and press enter to install the sudo software.<br />
<li>Add sudo privileges to our standard user account.<br />
:<code>adduser <username> sudo</code></li><br />
: We now need to add our standard user account to the group which is allowed to have administrative access to do this enter the command '''sudo adduser ''<username>'' sudo''' and press enter, replacing ''<username>'' with the name of your standard user account (set during the setup process, probably your first name in lowercase). We'll learn more about these commands later in the course.<br />
<li>Reboot system</li><br />
: <code>shutdown -r now</code><br />
: Reboot your system using the '''shutdown -r now''' command to apply the changes<br />
<li>Log in as your standard user account, determine system IP address.<br />
: Once you are logged in use the following command at the command line to determine the IP address of your system<br />
:<code>ip address show</code></li><br />
: Using the '''ip address show''' command will allow you to check the IP address of your system. The IP address should be something like ''172.17.50.xxx'' and be an ''inet'' address on the ''ens192'' adapter.<br />
: [[File:Lab1_ip_address_show2.PNG|500px]]<br />
<li>Test sudo privileges</li><br />
: Try running the same command as the administrator by typing '''sudo ip address show''', you will need to enter in your password again when you run this command.<br />
: <code>sudo ip address show</code><br />
<li>Install '''open-vm-tools'''</li><br />
: Run the '''sudo apt install open-vm-tools''' command to install the vmWare Tools. You will be prompted about several additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
:<code>sudo apt install open-vm-tools</code><br />
<br><br />
<li>Install nmap</li><br />
:Nmap is a tool we will learn more about later in the course but it will likely be used to check many of the labs for completion while working through the course. This course's labwork often builds upon the work you have done in previous labs. The self-check scripts are to assist you in ensuring you have not missed any ''critical'' steps in your work that would affect your success in subsequent labs.<br />
<br />
:''NOTE: Before we begin the installation of this tool it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning of systems which they are not authorized to do. You have been warned!<br />
:*At this time all you will be doing is installing the tool as it will be used to self-check your lab work to verify you are ready to move on to the next lab.<br />
:* Run the following command at the command line.<br />
:<pre>sudo apt install nmap</pre><br />
: Run the '''sudo apt install nmap''' command to install the nmap tool. You will be prompted about additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
<br />
<li>Exit from the local console</li><br />
: To log out of the console type '''exit''' and press enter.<br />
: Because your Debian Linux server is running as a virtual machine on a vmWare host system in order to achieve the best performance and driver integration we should install the vmWare Tools software package in your virtual machine.<br />
</ol><br />
<br />
== Add User "Ping", Install Webmin==<br />
<ol><br />
<li> Create a new user account '''ping''' using the '''adduser''' program</li><br />
: <code> adduser ping</code><br />
<li> Use the '''links''' browser or '''wget''' to download the '''DEB''' package file from '''[https://www.webmin.com www.webmin.com]'''</li><br />
: ''NOTE: Because this DEB file was downloaded directly instead of automatically by APT from a package repository the installation command is slightly different and some other commands such as '''apt show''' will not work.''<br />
<li>Install the package with '''apt install'''<br />
: <code>apt install ./<filename.deb></code><br />
: Don't forget that installation of software must be done with system administrator permissions.''</li><br />
:[[File:Apt-install-webmin.png | link= https://wiki.ihitc.net/mediawiki/images/f/f8/Apt-install-webmin.png | 500px]]<br />
:[[Media:Apt-install-webmin.png | Click for Larger Image]]<br />
: ''NOTE: You can get similar information to what you can get with '''apt show''' from a '''DEB''' package file using the following command:''<br />
: <code>dpkg -I <filename></code><br />
<li> Notice the additional packages which are required by Webmin (dependencies) which will be downloaded and installed by '''apt''' from a repository in order to complete the installation.</li><br />
<li> Open a web browser on your host system and visit https://xxx.xxx.xxx.xxx:10000 where your IP replaces xxx.xxx.xxx.xxx</li><br />
<li> Login using your Debian username and password </li><br />
<li> Explore the Webmin interface<br />
:[[file:Webmin-dashboard.png | link= https://wiki.ihitc.net/mediawiki/images/0/0f/Webmin-dashboard.png | 500px]]<br />
:[[media:Webmin-dashboard.png | Click for Larger Image]]</li><br />
</ol><br />
<br />
==Set Static IP Address==<br />
<br />
: An important first step is to learn how to diferenciate between network interfaces. Take a look at [https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/ this site] and [https://github.com/systemd/systemd/blob/master/src/udev/udev-builtin-net_id.c#L20 this site] to understand how network interface names in Debian 9 and later are identified.<br />
<ol><br />
<li>Set a static IP for your server</li><br />
:* Using your text editor of choice, open up the file ''/etc/network/interfaces''<br />
:* Notice how it is currently set to dhcp for the ''ens192'' interface.<br />
:* To set a static IP, you will need to change ''iface ens192 inet dhcp'' to ''iface ens192 inet static''.<br />
:* Now, under the iface line you just edited, you will need to enter the address, netmask, and gateway for the static network.<br />
:''' Reminder: it is common practice to indent (tab) static network configuration information in the interfaces file.<br />
'' Note: Your configuration should be similar to this:<br />
<pre>allow-hotplug ens192<br />
iface ens192 inet static<br />
address xxx.xxx.xxx.xxx<br />
netmask 255.255.255.0<br />
gateway 172.17.50.1<br />
dns-nameservers 172.17.139.11 172.17.139.111</pre><br />
: * Now save the file, and exit your file editor.<br />
<li>Apply your static IP address</li><br />
: * Now we are going to apply the static IP change. Try using '''ip address show''' to view your active configuration now and you should see that your old address is still active.<br />
:''NOTE: You should only make network configuration changes when you have physical access to a machine. This way, if you mess up your configuration you will be able to fix it from a local console.''' If you lose working SSH access to your system after making these changes you'll need to connect in through the NetLab console interface (which is equivalent to physical access) and find and correct your configuration issues.<br />
:* Using the '''ifdown''' and '''ifup''' command, we are going to restart the network interface, this step is required to apply the change.<br />
'' Note: A good method to watch this change is to have to ping windows open on your local machine ping both your old IP address and your new IP address with a '''ping 172.17.50.xx -t''' this will allow you to see how quickly the change will happen. The first image below is with the DHCP address, the second is after the static address is applied.<br />
:[[File:Lab5_ping_ifup_ifdown.png|link=https://wiki.ihitc.net/mediawiki/images/2/2f/Lab5_ping_ifup_ifdown.png|500px]]<br />
:[[Media:Lab5_ping_ifup_ifdown.png|Click here for a larger image]]<br />
:* In a SSH terminal, run '''sudo ifdown ens192 && sudo ifup ens192'''. Notice the two ''&&'' symbols. This tells the Linux shell that it should run the second command right after the first. If we do not define this, then we would be left with a machine that has its networking turned off.<br />
: <code>sudo ifdown ens192 && sudo ifup ens192</code><br />
'' Note: you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
:* At this point, your machine should now be using a static address. You may receive an error message indicating that an address cannot be assigned which is related to your old DHCP address still being on the interface as well. Use '''ip address show''' to verify the new IP address is assigned to the interface.<br />
<li>Verify the new static IP address</li><br />
:* Used a '''ping''' command from your local PC to try pinging both the old DHCP address as well as your new static address of your VM. <br />
:* Once you have verified the VM is responding on the new static IP address reboot the system to ensure the old DHCP address is removed by restarting your VM with '''sudo shutdown -r now''' Note you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
<li>Reconnect through SSH to your new IP address and verify it is now applied using the '''ip address show''' command.</li><br />
</ol><br />
<br />
==DNS Section==<br />
<ol><br />
<li>First you will need to install BIND. to install it, use the package manager to install '''bind9'''</li><br />
<li>Open up ''/etc/bind/named.conf.options''</li><br />
<ul><br />
* You will also need to replace 0.0.0.0 with 172.17.139.11 for outside DNS lookups to function correctly.</ul><br />
: [[File:Bind_named_conf.png | 500px]]<br />
<li>Next, open up your interfaces file (''/etc/network/interfaces'').</li><br />
<ul><br />
* Change the dns server for the primary network interface to ''127.0.0.1''.</ul><br />
<li>In '''Webmin''', go to ''Servers'', then ''BIND DNS Server''. Under ''Existing DNS Zones'' click on ''Create Master Zone'' and use the following settings:<br />
<pre>Zone type: Forward (Names to Addresses)<br />
Domain name / Network: *.itc2480.campus.ihitc.net<br />
Records file: Automatic<br />
Master server: *.itc2480.campus.ihitc.net.<br />
Email address: root@ *.itc2480.campus.ihitc.net</pre><br />
* '''NOTE:''' the * stands for your system name, "automail" was used when setting the mail server up.</li><br />
<li>To create our ''A record'' which points your domain to an IP address, click the ''Address'' button.</li><br />
* For the ''Name'' enter ''@''.<br />
* In the ''address'' field enter your VM's static IP and click ''Create''.<br />
<li>Create an ''MX'' record for the domain which directs mail for your delegated domain to your system as well. (This will involve creating another A record for ''mail.*.itc2480.campus.ihitc.net'' as well).</li><br />
<li>Make sure to apply the changes using the button in the top right that shows two arrows in a cricle.</li><br />
<li>After applying the changes and rebooting everything should be working. just make sure to test it using the nslookup and dig commands.</li><br />
</ol><br />
<br />
==Auto Reply Configuration==<br />
<ol><br />
<li>Install vacation</li><br />
: Vacation is a Linux package that will auto-respond to received emails for the receiving users. <br />
<code>sudo apt install vacation</code><br />
<li>Run the vacation program in the profile you wish to set up the reply message from</li><br />
<code>vacation</code><br />
<li>Follow the prompts, for now reply with the default answer (Y)</li><br />
: [[File:MAILSVR_vaca_prompts.png|link=https://wiki.ihitc.net/mediawiki/images/7/76/MAILSVR_vaca_prompts.png|500px]]<br />
: [[Media:MAILSVR_vaca_prompts.png|Click here for a larger image]]<br />
<li>Edit the vacation.msg file</li><br />
<code>nano vacation.msg</code> <br />
: [[File:MAILSVR_vaca_msg.png|link=https://wiki.ihitc.net/mediawiki/images/b/b9/MAILSVR_vaca_msg.png|500px]]<br />
: [[Media:MAILSVR_vaca_msg.png|Click for a larger image]]<br />
:* Enter the message that you would like to have in the auto-response.<br />
<li>Set the response to auto mail every message</li><br />
: The default response is every one week to send an auto-reply, for our use it is important to reply to every email.<br />
<code>vacation -i -r 0</code><br />
: ''NOTE: It is important to understand this command sets the auto-reply delay. Using the '''-r 0''' sets the vacation program to reply to EVERY message it receives. In a production environment, this is not recommended as it can create mail loops.<br />
<li>Test your reply message from the CLI '''mailutils''' package or the MTA chosen to use on client computers</li><br />
</ol><br />
<br />
==Auto Maildir Clean Up==<br />
<ol><br />
<li>Create script to delete emails older than 45 days</li><br />
:''NOTE: The script must be owned by root and executable. Additionally, the crontab must be created with sudo priviledges<br />
:<code>sudo nano '''<scriptname.sh>'''</code><br />
<pre><br />
#!/bin/bash<br />
find /home/testuser/Maildir/cur -type f -mtime +45 -exec rm {} \;<br />
find /home/testuser/Maildir/new -type f -mtime +45 -exec rm {} \;<br />
find /home/testuser/Maildir/tmp -type f -mtime +45 -exec rm {} \;<br />
</pre><br />
:[[File:MAILSVR_emailflush_sh.png|link=https://wiki.ihitc.net/mediawiki/images/b/b5/MAILSVR_emailflush_sh.png|500px]]<br />
:[[Media:MAILSVR_emailflush_sh.png|Click here for a larger image]]<br />
<li>Make executable</li><br />
:<code>sudo chmod +x '''<sciptname.sh>'''</code><br />
<li>Create a '''crontab''' job</li><br />
:<code>sudo crontab -e</code><br />
: ''NOTE: the astricks at the start of the following command are respective to the scheduling of time. A good additional resource for '''cron''' can be found at [https://vitux.com/how-to-setup-a-cron-job-in-debian-10 Vitux]. Each astrik represents [Minute] [hour] [Day_of_the_Month] [Month_of_the_Year] [Day_of_the_Week] <br />
:* Add the following line to the chrontab file to schedule the job at 8PM every day.<br />
<pre>* 20 * * * * /home/ping/scriptname.sh</pre><br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Mail_server_mnjk&diff=9513Mail server mnjk2021-02-19T02:32:30Z<p>JonQuinn: /* Auto Maildir Clean Up */</p>
<hr />
<div>==Introduction==<br />
:This section documents the creation of the Auto-Reply Mail Server. This section will likely be created by an instructor or administrator.<br />
==Mail Server Documentation==<br />
<ol><br />
<li>Power on you Virtual machine</li><br />
<br />
:* This server may reside in the VMware ESXi or NetLab as long as the network configuration allows connection to the course VLAN and student VM's.<br />
<li>Install Debian Linux</li><br />
: Once the system has booted and is on the "Debian GNU/Linux installer menu" choose "Install" and '''not''' "Graphical Install". If you make an incorrect choice you can reboot your virtual machine (power off and on) before installing to get back to the menu.<br />
: In the installer you will use the space bar to select and unselect "checkboxes", the tab key to move between fields and buttons, and the enter key to continue. You will be prompted for the following choices<br />
* Select ''English'' as the language, ''United States'' as your location, and ''American English'' as the keymap.<br />
* Set ''ens192'' as your primary network interface.<br />
* Set a hostname for the system to 2480 followed by a dash and then your pod ID letter, like ''2480-Z'' for LSA Pod Z. If you have forgotten your pod ID letter look up at the top of your screen above the line with the "Topology" and "Linux Server" tabs and you should see a line with "LSA Pod" followed by a letter, that letter is your pod ID letter.<br />
:'' Note: These steps are critical to future success in labs, check your spelling carefully'' <br />
: [[File:Lab1_hostname.png|link=https://wiki.ihitc.net/mediawiki/images/5/57/Lab1_hostname.png|500px]]<br />
: [[Media:Lab1_hostname.png|Click here for a larger image]]<br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
: [[File:Lab1_domainname.png|link=https://wiki.ihitc.net/mediawiki/images/5/5a/Lab1_domainname.png|500px]]<br />
: [[Media:Lab1_domainname.png|Click here for a larger images]]<br />
* Set the root password to something you will NOT FORGET, this is the administrator account, ''cisco'' might be a good choice for our purposes though that would not be secure for a system directly accessible from the Internet (we are protected by a firewall which you are bypassing via the VPN connection)<br />
* Create a new user account by entering your name. The system will automatically use your first name (all lowercase) as the username and then you should set the password to another password you will not forget<br />
* Select your timezone<br />
* Choose "Guided - Use entire disk" as the partitioning method and select the ''sda'' drive and "All files in one partition" as the partitioning scheme, "Finish partitioning and write the changes to the disk", and then finally confirm you want to write the changes.<br />
* You do not want to scan any other CDs or DVDs at this time.<br />
* You want to select a mirror located close to you with good speed. Because your VM is actually running from the campus and is connected to the campus Internet connection a good option is "debian.uchicago.edu" with no http proxy.<br />
* Choose whether you want to participate in the package usage survey, for our purposes either choice is just fine.<br />
* On the software selection screen UNSELECT "Debian desktop environment" and "Print server" and make sure that "SSH server" and "Standard system utilities" are the only two selected options.<br />
:'' Note: To select and unselect options move your cursor over the option and press the space bar.<br />
* Choose that yes you want to install GRUB to the master boot record on the ''/dev/sda'' device.<br />
<li>Complete the installation</li><br />
: When the installation is complete you can select continue to "eject" the virtual CD and reboot into the new install<br />
</ol><br />
<br />
==Install Basic Tools==<br />
<ol><br />
<li>Install '''sudo''' from the command line using:<br />
: ''Note: A good practice is to update your system before installing any packages, this should be completed using '''apt update''', ensure to use '''sudo''' when not logged in as root.<br />
: <code>apt update</code><br />
: <code>apt install sudo</code></li><br />
: For security purposes it is usually the case that you do not want to log in as the root user. Instead, best practice is to log in as a standard user and then execute specific commands that require root access with administrative privileges through the '''sudo''' program. The '''sudo''' program is not installed by default so after you have logged in to the root account enter '''apt update''' and press enter which will update the list of software available for installation and then '''apt install sudo''' and press enter to install the sudo software.<br />
<li>Add sudo privileges to our standard user account.<br />
:<code>adduser <username> sudo</code></li><br />
: We now need to add our standard user account to the group which is allowed to have administrative access to do this enter the command '''sudo adduser ''<username>'' sudo''' and press enter, replacing ''<username>'' with the name of your standard user account (set during the setup process, probably your first name in lowercase). We'll learn more about these commands later in the course.<br />
<li>Reboot system</li><br />
: <code>shutdown -r now</code><br />
: Reboot your system using the '''shutdown -r now''' command to apply the changes<br />
<li>Log in as your standard user account, determine system IP address.<br />
: Once you are logged in use the following command at the command line to determine the IP address of your system<br />
:<code>ip address show</code></li><br />
: Using the '''ip address show''' command will allow you to check the IP address of your system. The IP address should be something like ''172.17.50.xxx'' and be an ''inet'' address on the ''ens192'' adapter.<br />
: [[File:Lab1_ip_address_show2.PNG|500px]]<br />
<li>Test sudo privileges</li><br />
: Try running the same command as the administrator by typing '''sudo ip address show''', you will need to enter in your password again when you run this command.<br />
: <code>sudo ip address show</code><br />
<li>Install '''open-vm-tools'''</li><br />
: Run the '''sudo apt install open-vm-tools''' command to install the vmWare Tools. You will be prompted about several additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
:<code>sudo apt install open-vm-tools</code><br />
<br><br />
<li>Install nmap</li><br />
:Nmap is a tool we will learn more about later in the course but it will likely be used to check many of the labs for completion while working through the course. This course's labwork often builds upon the work you have done in previous labs. The self-check scripts are to assist you in ensuring you have not missed any ''critical'' steps in your work that would affect your success in subsequent labs.<br />
<br />
:''NOTE: Before we begin the installation of this tool it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning of systems which they are not authorized to do. You have been warned!<br />
:*At this time all you will be doing is installing the tool as it will be used to self-check your lab work to verify you are ready to move on to the next lab.<br />
:* Run the following command at the command line.<br />
:<pre>sudo apt install nmap</pre><br />
: Run the '''sudo apt install nmap''' command to install the nmap tool. You will be prompted about additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
<br />
<li>Exit from the local console</li><br />
: To log out of the console type '''exit''' and press enter.<br />
: Because your Debian Linux server is running as a virtual machine on a vmWare host system in order to achieve the best performance and driver integration we should install the vmWare Tools software package in your virtual machine.<br />
</ol><br />
<br />
== Add User "Ping", Install Webmin==<br />
<ol><br />
<li> Create a new user account '''ping''' using the '''adduser''' program</li><br />
: <code> adduser ping</code><br />
<li> Use the '''links''' browser or '''wget''' to download the '''DEB''' package file from '''[https://www.webmin.com www.webmin.com]'''</li><br />
: ''NOTE: Because this DEB file was downloaded directly instead of automatically by APT from a package repository the installation command is slightly different and some other commands such as '''apt show''' will not work.''<br />
<li>Install the package with '''apt install'''<br />
: <code>apt install ./<filename.deb></code><br />
: Don't forget that installation of software must be done with system administrator permissions.''</li><br />
:[[File:Apt-install-webmin.png | link= https://wiki.ihitc.net/mediawiki/images/f/f8/Apt-install-webmin.png | 500px]]<br />
:[[Media:Apt-install-webmin.png | Click for Larger Image]]<br />
: ''NOTE: You can get similar information to what you can get with '''apt show''' from a '''DEB''' package file using the following command:''<br />
: <code>dpkg -I <filename></code><br />
<li> Notice the additional packages which are required by Webmin (dependencies) which will be downloaded and installed by '''apt''' from a repository in order to complete the installation.</li><br />
<li> Open a web browser on your host system and visit https://xxx.xxx.xxx.xxx:10000 where your IP replaces xxx.xxx.xxx.xxx</li><br />
<li> Login using your Debian username and password </li><br />
<li> Explore the Webmin interface<br />
:[[file:Webmin-dashboard.png | link= https://wiki.ihitc.net/mediawiki/images/0/0f/Webmin-dashboard.png | 500px]]<br />
:[[media:Webmin-dashboard.png | Click for Larger Image]]</li><br />
</ol><br />
<br />
==Set Static IP Address==<br />
<br />
: An important first step is to learn how to diferenciate between network interfaces. Take a look at [https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/ this site] and [https://github.com/systemd/systemd/blob/master/src/udev/udev-builtin-net_id.c#L20 this site] to understand how network interface names in Debian 9 and later are identified.<br />
<ol><br />
<li>Set a static IP for your server</li><br />
:* Using your text editor of choice, open up the file ''/etc/network/interfaces''<br />
:* Notice how it is currently set to dhcp for the ''ens192'' interface.<br />
:* To set a static IP, you will need to change ''iface ens192 inet dhcp'' to ''iface ens192 inet static''.<br />
:* Now, under the iface line you just edited, you will need to enter the address, netmask, and gateway for the static network.<br />
:''' Reminder: it is common practice to indent (tab) static network configuration information in the interfaces file.<br />
'' Note: Your configuration should be similar to this:<br />
<pre>allow-hotplug ens192<br />
iface ens192 inet static<br />
address xxx.xxx.xxx.xxx<br />
netmask 255.255.255.0<br />
gateway 172.17.50.1<br />
dns-nameservers 172.17.139.11 172.17.139.111</pre><br />
: * Now save the file, and exit your file editor.<br />
<li>Apply your static IP address</li><br />
: * Now we are going to apply the static IP change. Try using '''ip address show''' to view your active configuration now and you should see that your old address is still active.<br />
:''NOTE: You should only make network configuration changes when you have physical access to a machine. This way, if you mess up your configuration you will be able to fix it from a local console.''' If you lose working SSH access to your system after making these changes you'll need to connect in through the NetLab console interface (which is equivalent to physical access) and find and correct your configuration issues.<br />
:* Using the '''ifdown''' and '''ifup''' command, we are going to restart the network interface, this step is required to apply the change.<br />
'' Note: A good method to watch this change is to have to ping windows open on your local machine ping both your old IP address and your new IP address with a '''ping 172.17.50.xx -t''' this will allow you to see how quickly the change will happen. The first image below is with the DHCP address, the second is after the static address is applied.<br />
:[[File:Lab5_ping_ifup_ifdown.png|link=https://wiki.ihitc.net/mediawiki/images/2/2f/Lab5_ping_ifup_ifdown.png|500px]]<br />
:[[Media:Lab5_ping_ifup_ifdown.png|Click here for a larger image]]<br />
:* In a SSH terminal, run '''sudo ifdown ens192 && sudo ifup ens192'''. Notice the two ''&&'' symbols. This tells the Linux shell that it should run the second command right after the first. If we do not define this, then we would be left with a machine that has its networking turned off.<br />
: <code>sudo ifdown ens192 && sudo ifup ens192</code><br />
'' Note: you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
:* At this point, your machine should now be using a static address. You may receive an error message indicating that an address cannot be assigned which is related to your old DHCP address still being on the interface as well. Use '''ip address show''' to verify the new IP address is assigned to the interface.<br />
<li>Verify the new static IP address</li><br />
:* Used a '''ping''' command from your local PC to try pinging both the old DHCP address as well as your new static address of your VM. <br />
:* Once you have verified the VM is responding on the new static IP address reboot the system to ensure the old DHCP address is removed by restarting your VM with '''sudo shutdown -r now''' Note you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
<li>Reconnect through SSH to your new IP address and verify it is now applied using the '''ip address show''' command.</li><br />
</ol><br />
<br />
==DNS Section==<br />
<ol><br />
<li>First you will need to install BIND. to install it, use the package manager to install '''bind9'''</li><br />
<li>Open up ''/etc/bind/named.conf.options''</li><br />
<ul><br />
* You will also need to replace 0.0.0.0 with 172.17.139.11 for outside DNS lookups to function correctly.</ul><br />
: [[File:Bind_named_conf.png | 500px]]<br />
<li>Next, open up your interfaces file (''/etc/network/interfaces'').</li><br />
<ul><br />
* Change the dns server for the primary network interface to ''127.0.0.1''.</ul><br />
<li>In '''Webmin''', go to ''Servers'', then ''BIND DNS Server''. Under ''Existing DNS Zones'' click on ''Create Master Zone'' and use the following settings:<br />
<pre>Zone type: Forward (Names to Addresses)<br />
Domain name / Network: *.itc2480.campus.ihitc.net<br />
Records file: Automatic<br />
Master server: *.itc2480.campus.ihitc.net.<br />
Email address: root@ *.itc2480.campus.ihitc.net</pre><br />
* '''NOTE:''' the * stands for your system name, "automail" was used when setting the mail server up.</li><br />
<li>To create our ''A record'' which points your domain to an IP address, click the ''Address'' button.</li><br />
* For the ''Name'' enter ''@''.<br />
* In the ''address'' field enter your VM's static IP and click ''Create''.<br />
<li>Create an ''MX'' record for the domain which directs mail for your delegated domain to your system as well. (This will involve creating another A record for ''mail.*.itc2480.campus.ihitc.net'' as well).</li><br />
<li>Make sure to apply the changes using the button in the top right that shows two arrows in a cricle.</li><br />
<li>After applying the changes and rebooting everything should be working. just make sure to test it using the nslookup and dig commands.</li><br />
</ol><br />
<br />
==Auto Reply Configuration==<br />
<ol><br />
<li>Install vacation</li><br />
: Vacation is a Linux package that will auto-respond to received emails for the receiving users. <br />
<code>sudo apt install vacation</code><br />
<li>Run the vacation program in the profile you wish to set up the reply message from</li><br />
<code>vacation</code><br />
<li>Follow the prompts, for now reply with the default answer (Y)</li><br />
: [[File:MAILSVR_vaca_prompts.png|link=https://wiki.ihitc.net/mediawiki/images/7/76/MAILSVR_vaca_prompts.png|500px]]<br />
: [[Media:MAILSVR_vaca_prompts.png|Click here for a larger image]]<br />
<li>Edit the vacation.msg file</li><br />
<code>nano vacation.msg</code> <br />
: [[File:MAILSVR_vaca_msg.png|link=https://wiki.ihitc.net/mediawiki/images/b/b9/MAILSVR_vaca_msg.png|500px]]<br />
: [[Media:MAILSVR_vaca_msg.png|Click for a larger image]]<br />
:* Enter the message that you would like to have in the auto-response.<br />
<li>Set the response to auto mail every message</li><br />
: The default response is every one week to send an auto-reply, for our use it is important to reply to every email.<br />
<code>vacation -i -r 0</code><br />
: ''NOTE: It is important to understand this command sets the auto-reply delay. Using the '''-r 0''' sets the vacation program to reply to EVERY message it receives. In a production environment, this is not recommended as it can create mail loops.<br />
<li>Test your reply message from the CLI '''mailutils''' package or the MTA chosen to use on client computers</li><br />
</ol><br />
<br />
==Auto Maildir Clean Up==<br />
<ol><br />
<li>Create script to delete emails older than 45 days</li><br />
:''NOTE: The script must be owned by root and executable. Additionally, the crontab must be created with sudo priviledges<br />
:<code>sudo nano '''<scriptname.sh>'''</code><br />
<pre><br />
#!/bin/bash<br />
find /home/testuser/Maildir/cur -type f -mtime +45 -exec rm {} \;<br />
find /home/testuser/Maildir/new -type f -mtime +45 -exec rm {} \;<br />
find /home/testuser/Maildir/tmp -type f -mtime +45 -exec rm {} \;<br />
</pre><br />
:[[File:MAILSVR_emailflush_sh.png|link=https://wiki.ihitc.net/mediawiki/images/b/b5/MAILSVR_emailflush_sh.png|500px]]<br />
:[[Media:MAILSVR_emailflush_sh.png|Click here for a larger image]]<br />
<li>Make executable</li><br />
:<code>sudo chmod +x '''<sciptname.sh>'''</code><br />
<li>Create a '''crontab''' job</li><br />
:<code>sudo crontab -e</code><br />
: ''NOTE: the astricks at the start of the following command are respective to the scheduling of time. A good additional resource for '''cron''' can be found at [https://vitux.com/how-to-setup-a-cron-job-in-debian-10 Vitux]. Each astrik represents [Minute] [hour] [Day_of_the_Month] [Month_of_the_Year] [Day_of_the_Week] <br />
:* add the following line to the chrontab file to schedule the job at 8PM every day.<br />
<pre>* 20 * * * * /home/ping/scriptname.sh</pre><br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Mail_server_mnjk&diff=9512Mail server mnjk2021-02-19T02:29:33Z<p>JonQuinn: /* Auto Maildir Clean Up */</p>
<hr />
<div>==Introduction==<br />
:This section documents the creation of the Auto-Reply Mail Server. This section will likely be created by an instructor or administrator.<br />
==Mail Server Documentation==<br />
<ol><br />
<li>Power on you Virtual machine</li><br />
<br />
:* This server may reside in the VMware ESXi or NetLab as long as the network configuration allows connection to the course VLAN and student VM's.<br />
<li>Install Debian Linux</li><br />
: Once the system has booted and is on the "Debian GNU/Linux installer menu" choose "Install" and '''not''' "Graphical Install". If you make an incorrect choice you can reboot your virtual machine (power off and on) before installing to get back to the menu.<br />
: In the installer you will use the space bar to select and unselect "checkboxes", the tab key to move between fields and buttons, and the enter key to continue. You will be prompted for the following choices<br />
* Select ''English'' as the language, ''United States'' as your location, and ''American English'' as the keymap.<br />
* Set ''ens192'' as your primary network interface.<br />
* Set a hostname for the system to 2480 followed by a dash and then your pod ID letter, like ''2480-Z'' for LSA Pod Z. If you have forgotten your pod ID letter look up at the top of your screen above the line with the "Topology" and "Linux Server" tabs and you should see a line with "LSA Pod" followed by a letter, that letter is your pod ID letter.<br />
:'' Note: These steps are critical to future success in labs, check your spelling carefully'' <br />
: [[File:Lab1_hostname.png|link=https://wiki.ihitc.net/mediawiki/images/5/57/Lab1_hostname.png|500px]]<br />
: [[Media:Lab1_hostname.png|Click here for a larger image]]<br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
: [[File:Lab1_domainname.png|link=https://wiki.ihitc.net/mediawiki/images/5/5a/Lab1_domainname.png|500px]]<br />
: [[Media:Lab1_domainname.png|Click here for a larger images]]<br />
* Set the root password to something you will NOT FORGET, this is the administrator account, ''cisco'' might be a good choice for our purposes though that would not be secure for a system directly accessible from the Internet (we are protected by a firewall which you are bypassing via the VPN connection)<br />
* Create a new user account by entering your name. The system will automatically use your first name (all lowercase) as the username and then you should set the password to another password you will not forget<br />
* Select your timezone<br />
* Choose "Guided - Use entire disk" as the partitioning method and select the ''sda'' drive and "All files in one partition" as the partitioning scheme, "Finish partitioning and write the changes to the disk", and then finally confirm you want to write the changes.<br />
* You do not want to scan any other CDs or DVDs at this time.<br />
* You want to select a mirror located close to you with good speed. Because your VM is actually running from the campus and is connected to the campus Internet connection a good option is "debian.uchicago.edu" with no http proxy.<br />
* Choose whether you want to participate in the package usage survey, for our purposes either choice is just fine.<br />
* On the software selection screen UNSELECT "Debian desktop environment" and "Print server" and make sure that "SSH server" and "Standard system utilities" are the only two selected options.<br />
:'' Note: To select and unselect options move your cursor over the option and press the space bar.<br />
* Choose that yes you want to install GRUB to the master boot record on the ''/dev/sda'' device.<br />
<li>Complete the installation</li><br />
: When the installation is complete you can select continue to "eject" the virtual CD and reboot into the new install<br />
</ol><br />
<br />
==Install Basic Tools==<br />
<ol><br />
<li>Install '''sudo''' from the command line using:<br />
: ''Note: A good practice is to update your system before installing any packages, this should be completed using '''apt update''', ensure to use '''sudo''' when not logged in as root.<br />
: <code>apt update</code><br />
: <code>apt install sudo</code></li><br />
: For security purposes it is usually the case that you do not want to log in as the root user. Instead, best practice is to log in as a standard user and then execute specific commands that require root access with administrative privileges through the '''sudo''' program. The '''sudo''' program is not installed by default so after you have logged in to the root account enter '''apt update''' and press enter which will update the list of software available for installation and then '''apt install sudo''' and press enter to install the sudo software.<br />
<li>Add sudo privileges to our standard user account.<br />
:<code>adduser <username> sudo</code></li><br />
: We now need to add our standard user account to the group which is allowed to have administrative access to do this enter the command '''sudo adduser ''<username>'' sudo''' and press enter, replacing ''<username>'' with the name of your standard user account (set during the setup process, probably your first name in lowercase). We'll learn more about these commands later in the course.<br />
<li>Reboot system</li><br />
: <code>shutdown -r now</code><br />
: Reboot your system using the '''shutdown -r now''' command to apply the changes<br />
<li>Log in as your standard user account, determine system IP address.<br />
: Once you are logged in use the following command at the command line to determine the IP address of your system<br />
:<code>ip address show</code></li><br />
: Using the '''ip address show''' command will allow you to check the IP address of your system. The IP address should be something like ''172.17.50.xxx'' and be an ''inet'' address on the ''ens192'' adapter.<br />
: [[File:Lab1_ip_address_show2.PNG|500px]]<br />
<li>Test sudo privileges</li><br />
: Try running the same command as the administrator by typing '''sudo ip address show''', you will need to enter in your password again when you run this command.<br />
: <code>sudo ip address show</code><br />
<li>Install '''open-vm-tools'''</li><br />
: Run the '''sudo apt install open-vm-tools''' command to install the vmWare Tools. You will be prompted about several additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
:<code>sudo apt install open-vm-tools</code><br />
<br><br />
<li>Install nmap</li><br />
:Nmap is a tool we will learn more about later in the course but it will likely be used to check many of the labs for completion while working through the course. This course's labwork often builds upon the work you have done in previous labs. The self-check scripts are to assist you in ensuring you have not missed any ''critical'' steps in your work that would affect your success in subsequent labs.<br />
<br />
:''NOTE: Before we begin the installation of this tool it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning of systems which they are not authorized to do. You have been warned!<br />
:*At this time all you will be doing is installing the tool as it will be used to self-check your lab work to verify you are ready to move on to the next lab.<br />
:* Run the following command at the command line.<br />
:<pre>sudo apt install nmap</pre><br />
: Run the '''sudo apt install nmap''' command to install the nmap tool. You will be prompted about additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
<br />
<li>Exit from the local console</li><br />
: To log out of the console type '''exit''' and press enter.<br />
: Because your Debian Linux server is running as a virtual machine on a vmWare host system in order to achieve the best performance and driver integration we should install the vmWare Tools software package in your virtual machine.<br />
</ol><br />
<br />
== Add User "Ping", Install Webmin==<br />
<ol><br />
<li> Create a new user account '''ping''' using the '''adduser''' program</li><br />
: <code> adduser ping</code><br />
<li> Use the '''links''' browser or '''wget''' to download the '''DEB''' package file from '''[https://www.webmin.com www.webmin.com]'''</li><br />
: ''NOTE: Because this DEB file was downloaded directly instead of automatically by APT from a package repository the installation command is slightly different and some other commands such as '''apt show''' will not work.''<br />
<li>Install the package with '''apt install'''<br />
: <code>apt install ./<filename.deb></code><br />
: Don't forget that installation of software must be done with system administrator permissions.''</li><br />
:[[File:Apt-install-webmin.png | link= https://wiki.ihitc.net/mediawiki/images/f/f8/Apt-install-webmin.png | 500px]]<br />
:[[Media:Apt-install-webmin.png | Click for Larger Image]]<br />
: ''NOTE: You can get similar information to what you can get with '''apt show''' from a '''DEB''' package file using the following command:''<br />
: <code>dpkg -I <filename></code><br />
<li> Notice the additional packages which are required by Webmin (dependencies) which will be downloaded and installed by '''apt''' from a repository in order to complete the installation.</li><br />
<li> Open a web browser on your host system and visit https://xxx.xxx.xxx.xxx:10000 where your IP replaces xxx.xxx.xxx.xxx</li><br />
<li> Login using your Debian username and password </li><br />
<li> Explore the Webmin interface<br />
:[[file:Webmin-dashboard.png | link= https://wiki.ihitc.net/mediawiki/images/0/0f/Webmin-dashboard.png | 500px]]<br />
:[[media:Webmin-dashboard.png | Click for Larger Image]]</li><br />
</ol><br />
<br />
==Set Static IP Address==<br />
<br />
: An important first step is to learn how to diferenciate between network interfaces. Take a look at [https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/ this site] and [https://github.com/systemd/systemd/blob/master/src/udev/udev-builtin-net_id.c#L20 this site] to understand how network interface names in Debian 9 and later are identified.<br />
<ol><br />
<li>Set a static IP for your server</li><br />
:* Using your text editor of choice, open up the file ''/etc/network/interfaces''<br />
:* Notice how it is currently set to dhcp for the ''ens192'' interface.<br />
:* To set a static IP, you will need to change ''iface ens192 inet dhcp'' to ''iface ens192 inet static''.<br />
:* Now, under the iface line you just edited, you will need to enter the address, netmask, and gateway for the static network.<br />
:''' Reminder: it is common practice to indent (tab) static network configuration information in the interfaces file.<br />
'' Note: Your configuration should be similar to this:<br />
<pre>allow-hotplug ens192<br />
iface ens192 inet static<br />
address xxx.xxx.xxx.xxx<br />
netmask 255.255.255.0<br />
gateway 172.17.50.1<br />
dns-nameservers 172.17.139.11 172.17.139.111</pre><br />
: * Now save the file, and exit your file editor.<br />
<li>Apply your static IP address</li><br />
: * Now we are going to apply the static IP change. Try using '''ip address show''' to view your active configuration now and you should see that your old address is still active.<br />
:''NOTE: You should only make network configuration changes when you have physical access to a machine. This way, if you mess up your configuration you will be able to fix it from a local console.''' If you lose working SSH access to your system after making these changes you'll need to connect in through the NetLab console interface (which is equivalent to physical access) and find and correct your configuration issues.<br />
:* Using the '''ifdown''' and '''ifup''' command, we are going to restart the network interface, this step is required to apply the change.<br />
'' Note: A good method to watch this change is to have to ping windows open on your local machine ping both your old IP address and your new IP address with a '''ping 172.17.50.xx -t''' this will allow you to see how quickly the change will happen. The first image below is with the DHCP address, the second is after the static address is applied.<br />
:[[File:Lab5_ping_ifup_ifdown.png|link=https://wiki.ihitc.net/mediawiki/images/2/2f/Lab5_ping_ifup_ifdown.png|500px]]<br />
:[[Media:Lab5_ping_ifup_ifdown.png|Click here for a larger image]]<br />
:* In a SSH terminal, run '''sudo ifdown ens192 && sudo ifup ens192'''. Notice the two ''&&'' symbols. This tells the Linux shell that it should run the second command right after the first. If we do not define this, then we would be left with a machine that has its networking turned off.<br />
: <code>sudo ifdown ens192 && sudo ifup ens192</code><br />
'' Note: you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
:* At this point, your machine should now be using a static address. You may receive an error message indicating that an address cannot be assigned which is related to your old DHCP address still being on the interface as well. Use '''ip address show''' to verify the new IP address is assigned to the interface.<br />
<li>Verify the new static IP address</li><br />
:* Used a '''ping''' command from your local PC to try pinging both the old DHCP address as well as your new static address of your VM. <br />
:* Once you have verified the VM is responding on the new static IP address reboot the system to ensure the old DHCP address is removed by restarting your VM with '''sudo shutdown -r now''' Note you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
<li>Reconnect through SSH to your new IP address and verify it is now applied using the '''ip address show''' command.</li><br />
</ol><br />
<br />
==DNS Section==<br />
<ol><br />
<li>First you will need to install BIND. to install it, use the package manager to install '''bind9'''</li><br />
<li>Open up ''/etc/bind/named.conf.options''</li><br />
<ul><br />
* You will also need to replace 0.0.0.0 with 172.17.139.11 for outside DNS lookups to function correctly.</ul><br />
: [[File:Bind_named_conf.png | 500px]]<br />
<li>Next, open up your interfaces file (''/etc/network/interfaces'').</li><br />
<ul><br />
* Change the dns server for the primary network interface to ''127.0.0.1''.</ul><br />
<li>In '''Webmin''', go to ''Servers'', then ''BIND DNS Server''. Under ''Existing DNS Zones'' click on ''Create Master Zone'' and use the following settings:<br />
<pre>Zone type: Forward (Names to Addresses)<br />
Domain name / Network: *.itc2480.campus.ihitc.net<br />
Records file: Automatic<br />
Master server: *.itc2480.campus.ihitc.net.<br />
Email address: root@ *.itc2480.campus.ihitc.net</pre><br />
* '''NOTE:''' the * stands for your system name, "automail" was used when setting the mail server up.</li><br />
<li>To create our ''A record'' which points your domain to an IP address, click the ''Address'' button.</li><br />
* For the ''Name'' enter ''@''.<br />
* In the ''address'' field enter your VM's static IP and click ''Create''.<br />
<li>Create an ''MX'' record for the domain which directs mail for your delegated domain to your system as well. (This will involve creating another A record for ''mail.*.itc2480.campus.ihitc.net'' as well).</li><br />
<li>Make sure to apply the changes using the button in the top right that shows two arrows in a cricle.</li><br />
<li>After applying the changes and rebooting everything should be working. just make sure to test it using the nslookup and dig commands.</li><br />
</ol><br />
<br />
==Auto Reply Configuration==<br />
<ol><br />
<li>Install vacation</li><br />
: Vacation is a Linux package that will auto-respond to received emails for the receiving users. <br />
<code>sudo apt install vacation</code><br />
<li>Run the vacation program in the profile you wish to set up the reply message from</li><br />
<code>vacation</code><br />
<li>Follow the prompts, for now reply with the default answer (Y)</li><br />
: [[File:MAILSVR_vaca_prompts.png|link=https://wiki.ihitc.net/mediawiki/images/7/76/MAILSVR_vaca_prompts.png|500px]]<br />
: [[Media:MAILSVR_vaca_prompts.png|Click here for a larger image]]<br />
<li>Edit the vacation.msg file</li><br />
<code>nano vacation.msg</code> <br />
: [[File:MAILSVR_vaca_msg.png|link=https://wiki.ihitc.net/mediawiki/images/b/b9/MAILSVR_vaca_msg.png|500px]]<br />
: [[Media:MAILSVR_vaca_msg.png|Click for a larger image]]<br />
:* Enter the message that you would like to have in the auto-response.<br />
<li>Set the response to auto mail every message</li><br />
: The default response is every one week to send an auto-reply, for our use it is important to reply to every email.<br />
<code>vacation -i -r 0</code><br />
: ''NOTE: It is important to understand this command sets the auto-reply delay. Using the '''-r 0''' sets the vacation program to reply to EVERY message it receives. In a production environment, this is not recommended as it can create mail loops.<br />
<li>Test your reply message from the CLI '''mailutils''' package or the MTA chosen to use on client computers</li><br />
</ol><br />
<br />
==Auto Maildir Clean Up==<br />
<ol><br />
<li>Create script to delete emails older than 45 days</li><br />
:''NOTE: The script must be owned by root and executable. Additionally, the crontab must be created with sudo priviledges<br />
:<code>sudo nano '''<scriptname.sh>'''</code><br />
<pre><br />
#!/bin/bash<br />
find /home/testuser/Maildir/cur -type f -mtime +45 -exec rm {} \;<br />
find /home/testuser/Maildir/new -type f -mtime +45 -exec rm {} \;<br />
find /home/testuser/Maildir/tmp -type f -mtime +45 -exec rm {} \;<br />
</pre><br />
:[[File:MAILSVR_emailflush_sh.png|link=https://wiki.ihitc.net/mediawiki/images/b/b5/MAILSVR_emailflush_sh.png|500px]]<br />
:[[Media:MAILSVR_emailflush_sh.png|Click here for a larger image]]<br />
<li>Make executable</li><br />
:<code>sudo chmod +x '''<sciptname.sh>'''</code><br />
<li>Create a '''crontab''' job</li><br />
:<code>sudo crontab -e</code><br />
: ''NOTE: the astricks at the start of the following command are respective to the scheduling of time. A good additional resource for '''cron''' is https://vitux.com/how-to-setup-a-cron-job-in-debian-10. Each astrik represents [Minute] [hour] [Day_of_the_Month] [Month_of_the_Year] [Day_of_the_Week] <br />
:* add the following line to the chrontab file to schedule the job at 8PM every day.<br />
<pre>* 20 * * * * /home/ping/scriptname.sh</pre><br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Mail_server_mnjk&diff=9511Mail server mnjk2021-02-19T02:28:43Z<p>JonQuinn: /* Auto Maildir Clean Up */</p>
<hr />
<div>==Introduction==<br />
:This section documents the creation of the Auto-Reply Mail Server. This section will likely be created by an instructor or administrator.<br />
==Mail Server Documentation==<br />
<ol><br />
<li>Power on you Virtual machine</li><br />
<br />
:* This server may reside in the VMware ESXi or NetLab as long as the network configuration allows connection to the course VLAN and student VM's.<br />
<li>Install Debian Linux</li><br />
: Once the system has booted and is on the "Debian GNU/Linux installer menu" choose "Install" and '''not''' "Graphical Install". If you make an incorrect choice you can reboot your virtual machine (power off and on) before installing to get back to the menu.<br />
: In the installer you will use the space bar to select and unselect "checkboxes", the tab key to move between fields and buttons, and the enter key to continue. You will be prompted for the following choices<br />
* Select ''English'' as the language, ''United States'' as your location, and ''American English'' as the keymap.<br />
* Set ''ens192'' as your primary network interface.<br />
* Set a hostname for the system to 2480 followed by a dash and then your pod ID letter, like ''2480-Z'' for LSA Pod Z. If you have forgotten your pod ID letter look up at the top of your screen above the line with the "Topology" and "Linux Server" tabs and you should see a line with "LSA Pod" followed by a letter, that letter is your pod ID letter.<br />
:'' Note: These steps are critical to future success in labs, check your spelling carefully'' <br />
: [[File:Lab1_hostname.png|link=https://wiki.ihitc.net/mediawiki/images/5/57/Lab1_hostname.png|500px]]<br />
: [[Media:Lab1_hostname.png|Click here for a larger image]]<br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
: [[File:Lab1_domainname.png|link=https://wiki.ihitc.net/mediawiki/images/5/5a/Lab1_domainname.png|500px]]<br />
: [[Media:Lab1_domainname.png|Click here for a larger images]]<br />
* Set the root password to something you will NOT FORGET, this is the administrator account, ''cisco'' might be a good choice for our purposes though that would not be secure for a system directly accessible from the Internet (we are protected by a firewall which you are bypassing via the VPN connection)<br />
* Create a new user account by entering your name. The system will automatically use your first name (all lowercase) as the username and then you should set the password to another password you will not forget<br />
* Select your timezone<br />
* Choose "Guided - Use entire disk" as the partitioning method and select the ''sda'' drive and "All files in one partition" as the partitioning scheme, "Finish partitioning and write the changes to the disk", and then finally confirm you want to write the changes.<br />
* You do not want to scan any other CDs or DVDs at this time.<br />
* You want to select a mirror located close to you with good speed. Because your VM is actually running from the campus and is connected to the campus Internet connection a good option is "debian.uchicago.edu" with no http proxy.<br />
* Choose whether you want to participate in the package usage survey, for our purposes either choice is just fine.<br />
* On the software selection screen UNSELECT "Debian desktop environment" and "Print server" and make sure that "SSH server" and "Standard system utilities" are the only two selected options.<br />
:'' Note: To select and unselect options move your cursor over the option and press the space bar.<br />
* Choose that yes you want to install GRUB to the master boot record on the ''/dev/sda'' device.<br />
<li>Complete the installation</li><br />
: When the installation is complete you can select continue to "eject" the virtual CD and reboot into the new install<br />
</ol><br />
<br />
==Install Basic Tools==<br />
<ol><br />
<li>Install '''sudo''' from the command line using:<br />
: ''Note: A good practice is to update your system before installing any packages, this should be completed using '''apt update''', ensure to use '''sudo''' when not logged in as root.<br />
: <code>apt update</code><br />
: <code>apt install sudo</code></li><br />
: For security purposes it is usually the case that you do not want to log in as the root user. Instead, best practice is to log in as a standard user and then execute specific commands that require root access with administrative privileges through the '''sudo''' program. The '''sudo''' program is not installed by default so after you have logged in to the root account enter '''apt update''' and press enter which will update the list of software available for installation and then '''apt install sudo''' and press enter to install the sudo software.<br />
<li>Add sudo privileges to our standard user account.<br />
:<code>adduser <username> sudo</code></li><br />
: We now need to add our standard user account to the group which is allowed to have administrative access to do this enter the command '''sudo adduser ''<username>'' sudo''' and press enter, replacing ''<username>'' with the name of your standard user account (set during the setup process, probably your first name in lowercase). We'll learn more about these commands later in the course.<br />
<li>Reboot system</li><br />
: <code>shutdown -r now</code><br />
: Reboot your system using the '''shutdown -r now''' command to apply the changes<br />
<li>Log in as your standard user account, determine system IP address.<br />
: Once you are logged in use the following command at the command line to determine the IP address of your system<br />
:<code>ip address show</code></li><br />
: Using the '''ip address show''' command will allow you to check the IP address of your system. The IP address should be something like ''172.17.50.xxx'' and be an ''inet'' address on the ''ens192'' adapter.<br />
: [[File:Lab1_ip_address_show2.PNG|500px]]<br />
<li>Test sudo privileges</li><br />
: Try running the same command as the administrator by typing '''sudo ip address show''', you will need to enter in your password again when you run this command.<br />
: <code>sudo ip address show</code><br />
<li>Install '''open-vm-tools'''</li><br />
: Run the '''sudo apt install open-vm-tools''' command to install the vmWare Tools. You will be prompted about several additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
:<code>sudo apt install open-vm-tools</code><br />
<br><br />
<li>Install nmap</li><br />
:Nmap is a tool we will learn more about later in the course but it will likely be used to check many of the labs for completion while working through the course. This course's labwork often builds upon the work you have done in previous labs. The self-check scripts are to assist you in ensuring you have not missed any ''critical'' steps in your work that would affect your success in subsequent labs.<br />
<br />
:''NOTE: Before we begin the installation of this tool it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning of systems which they are not authorized to do. You have been warned!<br />
:*At this time all you will be doing is installing the tool as it will be used to self-check your lab work to verify you are ready to move on to the next lab.<br />
:* Run the following command at the command line.<br />
:<pre>sudo apt install nmap</pre><br />
: Run the '''sudo apt install nmap''' command to install the nmap tool. You will be prompted about additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
<br />
<li>Exit from the local console</li><br />
: To log out of the console type '''exit''' and press enter.<br />
: Because your Debian Linux server is running as a virtual machine on a vmWare host system in order to achieve the best performance and driver integration we should install the vmWare Tools software package in your virtual machine.<br />
</ol><br />
<br />
== Add User "Ping", Install Webmin==<br />
<ol><br />
<li> Create a new user account '''ping''' using the '''adduser''' program</li><br />
: <code> adduser ping</code><br />
<li> Use the '''links''' browser or '''wget''' to download the '''DEB''' package file from '''[https://www.webmin.com www.webmin.com]'''</li><br />
: ''NOTE: Because this DEB file was downloaded directly instead of automatically by APT from a package repository the installation command is slightly different and some other commands such as '''apt show''' will not work.''<br />
<li>Install the package with '''apt install'''<br />
: <code>apt install ./<filename.deb></code><br />
: Don't forget that installation of software must be done with system administrator permissions.''</li><br />
:[[File:Apt-install-webmin.png | link= https://wiki.ihitc.net/mediawiki/images/f/f8/Apt-install-webmin.png | 500px]]<br />
:[[Media:Apt-install-webmin.png | Click for Larger Image]]<br />
: ''NOTE: You can get similar information to what you can get with '''apt show''' from a '''DEB''' package file using the following command:''<br />
: <code>dpkg -I <filename></code><br />
<li> Notice the additional packages which are required by Webmin (dependencies) which will be downloaded and installed by '''apt''' from a repository in order to complete the installation.</li><br />
<li> Open a web browser on your host system and visit https://xxx.xxx.xxx.xxx:10000 where your IP replaces xxx.xxx.xxx.xxx</li><br />
<li> Login using your Debian username and password </li><br />
<li> Explore the Webmin interface<br />
:[[file:Webmin-dashboard.png | link= https://wiki.ihitc.net/mediawiki/images/0/0f/Webmin-dashboard.png | 500px]]<br />
:[[media:Webmin-dashboard.png | Click for Larger Image]]</li><br />
</ol><br />
<br />
==Set Static IP Address==<br />
<br />
: An important first step is to learn how to diferenciate between network interfaces. Take a look at [https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/ this site] and [https://github.com/systemd/systemd/blob/master/src/udev/udev-builtin-net_id.c#L20 this site] to understand how network interface names in Debian 9 and later are identified.<br />
<ol><br />
<li>Set a static IP for your server</li><br />
:* Using your text editor of choice, open up the file ''/etc/network/interfaces''<br />
:* Notice how it is currently set to dhcp for the ''ens192'' interface.<br />
:* To set a static IP, you will need to change ''iface ens192 inet dhcp'' to ''iface ens192 inet static''.<br />
:* Now, under the iface line you just edited, you will need to enter the address, netmask, and gateway for the static network.<br />
:''' Reminder: it is common practice to indent (tab) static network configuration information in the interfaces file.<br />
'' Note: Your configuration should be similar to this:<br />
<pre>allow-hotplug ens192<br />
iface ens192 inet static<br />
address xxx.xxx.xxx.xxx<br />
netmask 255.255.255.0<br />
gateway 172.17.50.1<br />
dns-nameservers 172.17.139.11 172.17.139.111</pre><br />
: * Now save the file, and exit your file editor.<br />
<li>Apply your static IP address</li><br />
: * Now we are going to apply the static IP change. Try using '''ip address show''' to view your active configuration now and you should see that your old address is still active.<br />
:''NOTE: You should only make network configuration changes when you have physical access to a machine. This way, if you mess up your configuration you will be able to fix it from a local console.''' If you lose working SSH access to your system after making these changes you'll need to connect in through the NetLab console interface (which is equivalent to physical access) and find and correct your configuration issues.<br />
:* Using the '''ifdown''' and '''ifup''' command, we are going to restart the network interface, this step is required to apply the change.<br />
'' Note: A good method to watch this change is to have to ping windows open on your local machine ping both your old IP address and your new IP address with a '''ping 172.17.50.xx -t''' this will allow you to see how quickly the change will happen. The first image below is with the DHCP address, the second is after the static address is applied.<br />
:[[File:Lab5_ping_ifup_ifdown.png|link=https://wiki.ihitc.net/mediawiki/images/2/2f/Lab5_ping_ifup_ifdown.png|500px]]<br />
:[[Media:Lab5_ping_ifup_ifdown.png|Click here for a larger image]]<br />
:* In a SSH terminal, run '''sudo ifdown ens192 && sudo ifup ens192'''. Notice the two ''&&'' symbols. This tells the Linux shell that it should run the second command right after the first. If we do not define this, then we would be left with a machine that has its networking turned off.<br />
: <code>sudo ifdown ens192 && sudo ifup ens192</code><br />
'' Note: you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
:* At this point, your machine should now be using a static address. You may receive an error message indicating that an address cannot be assigned which is related to your old DHCP address still being on the interface as well. Use '''ip address show''' to verify the new IP address is assigned to the interface.<br />
<li>Verify the new static IP address</li><br />
:* Used a '''ping''' command from your local PC to try pinging both the old DHCP address as well as your new static address of your VM. <br />
:* Once you have verified the VM is responding on the new static IP address reboot the system to ensure the old DHCP address is removed by restarting your VM with '''sudo shutdown -r now''' Note you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
<li>Reconnect through SSH to your new IP address and verify it is now applied using the '''ip address show''' command.</li><br />
</ol><br />
<br />
==DNS Section==<br />
<ol><br />
<li>First you will need to install BIND. to install it, use the package manager to install '''bind9'''</li><br />
<li>Open up ''/etc/bind/named.conf.options''</li><br />
<ul><br />
* You will also need to replace 0.0.0.0 with 172.17.139.11 for outside DNS lookups to function correctly.</ul><br />
: [[File:Bind_named_conf.png | 500px]]<br />
<li>Next, open up your interfaces file (''/etc/network/interfaces'').</li><br />
<ul><br />
* Change the dns server for the primary network interface to ''127.0.0.1''.</ul><br />
<li>In '''Webmin''', go to ''Servers'', then ''BIND DNS Server''. Under ''Existing DNS Zones'' click on ''Create Master Zone'' and use the following settings:<br />
<pre>Zone type: Forward (Names to Addresses)<br />
Domain name / Network: *.itc2480.campus.ihitc.net<br />
Records file: Automatic<br />
Master server: *.itc2480.campus.ihitc.net.<br />
Email address: root@ *.itc2480.campus.ihitc.net</pre><br />
* '''NOTE:''' the * stands for your system name, "automail" was used when setting the mail server up.</li><br />
<li>To create our ''A record'' which points your domain to an IP address, click the ''Address'' button.</li><br />
* For the ''Name'' enter ''@''.<br />
* In the ''address'' field enter your VM's static IP and click ''Create''.<br />
<li>Create an ''MX'' record for the domain which directs mail for your delegated domain to your system as well. (This will involve creating another A record for ''mail.*.itc2480.campus.ihitc.net'' as well).</li><br />
<li>Make sure to apply the changes using the button in the top right that shows two arrows in a cricle.</li><br />
<li>After applying the changes and rebooting everything should be working. just make sure to test it using the nslookup and dig commands.</li><br />
</ol><br />
<br />
==Auto Reply Configuration==<br />
<ol><br />
<li>Install vacation</li><br />
: Vacation is a Linux package that will auto-respond to received emails for the receiving users. <br />
<code>sudo apt install vacation</code><br />
<li>Run the vacation program in the profile you wish to set up the reply message from</li><br />
<code>vacation</code><br />
<li>Follow the prompts, for now reply with the default answer (Y)</li><br />
: [[File:MAILSVR_vaca_prompts.png|link=https://wiki.ihitc.net/mediawiki/images/7/76/MAILSVR_vaca_prompts.png|500px]]<br />
: [[Media:MAILSVR_vaca_prompts.png|Click here for a larger image]]<br />
<li>Edit the vacation.msg file</li><br />
<code>nano vacation.msg</code> <br />
: [[File:MAILSVR_vaca_msg.png|link=https://wiki.ihitc.net/mediawiki/images/b/b9/MAILSVR_vaca_msg.png|500px]]<br />
: [[Media:MAILSVR_vaca_msg.png|Click for a larger image]]<br />
:* Enter the message that you would like to have in the auto-response.<br />
<li>Set the response to auto mail every message</li><br />
: The default response is every one week to send an auto-reply, for our use it is important to reply to every email.<br />
<code>vacation -i -r 0</code><br />
: ''NOTE: It is important to understand this command sets the auto-reply delay. Using the '''-r 0''' sets the vacation program to reply to EVERY message it receives. In a production environment, this is not recommended as it can create mail loops.<br />
<li>Test your reply message from the CLI '''mailutils''' package or the MTA chosen to use on client computers</li><br />
</ol><br />
<br />
==Auto Maildir Clean Up==<br />
<ol><br />
<li>Create script to delete emails older than 45 days</li><br />
:''NOTE: The script must be owned by root and executable. Additionally, the crontab must be created with sudo priviledges<br />
:<code>sudo nano '''<scriptname.sh>'''</code><br />
<pre><br />
#!/bin/bash<br />
find /home/testuser/Maildir/cur -type f -mtime +45 -exec rm {} \;<br />
find /home/testuser/Maildir/new -type f -mtime +45 -exec rm {} \;<br />
find /home/testuser/Maildir/tmp -type f -mtime +45 -exec rm {} \;<br />
</pre><br />
[[File:MAILSVR_emailflush_sh.png|500px]]<br />
[[Media:MAILSVR_emailflush_sh.png|Click here for a larger image]]<br />
<li>Make executable</li><br />
:<code>sudo chmod +x '''<sciptname.sh>'''</code><br />
<li>Create a '''crontab''' job</li><br />
:<code>sudo crontab -e</code><br />
: ''NOTE: the astricks at the start of the following command are respective to the scheduling of time. A good additional resource for '''cron''' is https://vitux.com/how-to-setup-a-cron-job-in-debian-10. Each astrik represents [Minute] [hour] [Day_of_the_Month] [Month_of_the_Year] [Day_of_the_Week] <br />
:* add the following line to the chrontab file to schedule the job at 8PM every day.<br />
<pre>* 20 * * * * /home/ping/scriptname.sh</pre><br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=File:MAILSVR_emailflush_sh.png&diff=9510File:MAILSVR emailflush sh.png2021-02-19T02:27:42Z<p>JonQuinn: </p>
<hr />
<div></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Mail_server_mnjk&diff=9509Mail server mnjk2021-02-19T02:26:40Z<p>JonQuinn: /* Auto Maildir Clean Up */</p>
<hr />
<div>==Introduction==<br />
:This section documents the creation of the Auto-Reply Mail Server. This section will likely be created by an instructor or administrator.<br />
==Mail Server Documentation==<br />
<ol><br />
<li>Power on you Virtual machine</li><br />
<br />
:* This server may reside in the VMware ESXi or NetLab as long as the network configuration allows connection to the course VLAN and student VM's.<br />
<li>Install Debian Linux</li><br />
: Once the system has booted and is on the "Debian GNU/Linux installer menu" choose "Install" and '''not''' "Graphical Install". If you make an incorrect choice you can reboot your virtual machine (power off and on) before installing to get back to the menu.<br />
: In the installer you will use the space bar to select and unselect "checkboxes", the tab key to move between fields and buttons, and the enter key to continue. You will be prompted for the following choices<br />
* Select ''English'' as the language, ''United States'' as your location, and ''American English'' as the keymap.<br />
* Set ''ens192'' as your primary network interface.<br />
* Set a hostname for the system to 2480 followed by a dash and then your pod ID letter, like ''2480-Z'' for LSA Pod Z. If you have forgotten your pod ID letter look up at the top of your screen above the line with the "Topology" and "Linux Server" tabs and you should see a line with "LSA Pod" followed by a letter, that letter is your pod ID letter.<br />
:'' Note: These steps are critical to future success in labs, check your spelling carefully'' <br />
: [[File:Lab1_hostname.png|link=https://wiki.ihitc.net/mediawiki/images/5/57/Lab1_hostname.png|500px]]<br />
: [[Media:Lab1_hostname.png|Click here for a larger image]]<br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
: [[File:Lab1_domainname.png|link=https://wiki.ihitc.net/mediawiki/images/5/5a/Lab1_domainname.png|500px]]<br />
: [[Media:Lab1_domainname.png|Click here for a larger images]]<br />
* Set the root password to something you will NOT FORGET, this is the administrator account, ''cisco'' might be a good choice for our purposes though that would not be secure for a system directly accessible from the Internet (we are protected by a firewall which you are bypassing via the VPN connection)<br />
* Create a new user account by entering your name. The system will automatically use your first name (all lowercase) as the username and then you should set the password to another password you will not forget<br />
* Select your timezone<br />
* Choose "Guided - Use entire disk" as the partitioning method and select the ''sda'' drive and "All files in one partition" as the partitioning scheme, "Finish partitioning and write the changes to the disk", and then finally confirm you want to write the changes.<br />
* You do not want to scan any other CDs or DVDs at this time.<br />
* You want to select a mirror located close to you with good speed. Because your VM is actually running from the campus and is connected to the campus Internet connection a good option is "debian.uchicago.edu" with no http proxy.<br />
* Choose whether you want to participate in the package usage survey, for our purposes either choice is just fine.<br />
* On the software selection screen UNSELECT "Debian desktop environment" and "Print server" and make sure that "SSH server" and "Standard system utilities" are the only two selected options.<br />
:'' Note: To select and unselect options move your cursor over the option and press the space bar.<br />
* Choose that yes you want to install GRUB to the master boot record on the ''/dev/sda'' device.<br />
<li>Complete the installation</li><br />
: When the installation is complete you can select continue to "eject" the virtual CD and reboot into the new install<br />
</ol><br />
<br />
==Install Basic Tools==<br />
<ol><br />
<li>Install '''sudo''' from the command line using:<br />
: ''Note: A good practice is to update your system before installing any packages, this should be completed using '''apt update''', ensure to use '''sudo''' when not logged in as root.<br />
: <code>apt update</code><br />
: <code>apt install sudo</code></li><br />
: For security purposes it is usually the case that you do not want to log in as the root user. Instead, best practice is to log in as a standard user and then execute specific commands that require root access with administrative privileges through the '''sudo''' program. The '''sudo''' program is not installed by default so after you have logged in to the root account enter '''apt update''' and press enter which will update the list of software available for installation and then '''apt install sudo''' and press enter to install the sudo software.<br />
<li>Add sudo privileges to our standard user account.<br />
:<code>adduser <username> sudo</code></li><br />
: We now need to add our standard user account to the group which is allowed to have administrative access to do this enter the command '''sudo adduser ''<username>'' sudo''' and press enter, replacing ''<username>'' with the name of your standard user account (set during the setup process, probably your first name in lowercase). We'll learn more about these commands later in the course.<br />
<li>Reboot system</li><br />
: <code>shutdown -r now</code><br />
: Reboot your system using the '''shutdown -r now''' command to apply the changes<br />
<li>Log in as your standard user account, determine system IP address.<br />
: Once you are logged in use the following command at the command line to determine the IP address of your system<br />
:<code>ip address show</code></li><br />
: Using the '''ip address show''' command will allow you to check the IP address of your system. The IP address should be something like ''172.17.50.xxx'' and be an ''inet'' address on the ''ens192'' adapter.<br />
: [[File:Lab1_ip_address_show2.PNG|500px]]<br />
<li>Test sudo privileges</li><br />
: Try running the same command as the administrator by typing '''sudo ip address show''', you will need to enter in your password again when you run this command.<br />
: <code>sudo ip address show</code><br />
<li>Install '''open-vm-tools'''</li><br />
: Run the '''sudo apt install open-vm-tools''' command to install the vmWare Tools. You will be prompted about several additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
:<code>sudo apt install open-vm-tools</code><br />
<br><br />
<li>Install nmap</li><br />
:Nmap is a tool we will learn more about later in the course but it will likely be used to check many of the labs for completion while working through the course. This course's labwork often builds upon the work you have done in previous labs. The self-check scripts are to assist you in ensuring you have not missed any ''critical'' steps in your work that would affect your success in subsequent labs.<br />
<br />
:''NOTE: Before we begin the installation of this tool it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning of systems which they are not authorized to do. You have been warned!<br />
:*At this time all you will be doing is installing the tool as it will be used to self-check your lab work to verify you are ready to move on to the next lab.<br />
:* Run the following command at the command line.<br />
:<pre>sudo apt install nmap</pre><br />
: Run the '''sudo apt install nmap''' command to install the nmap tool. You will be prompted about additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
<br />
<li>Exit from the local console</li><br />
: To log out of the console type '''exit''' and press enter.<br />
: Because your Debian Linux server is running as a virtual machine on a vmWare host system in order to achieve the best performance and driver integration we should install the vmWare Tools software package in your virtual machine.<br />
</ol><br />
<br />
== Add User "Ping", Install Webmin==<br />
<ol><br />
<li> Create a new user account '''ping''' using the '''adduser''' program</li><br />
: <code> adduser ping</code><br />
<li> Use the '''links''' browser or '''wget''' to download the '''DEB''' package file from '''[https://www.webmin.com www.webmin.com]'''</li><br />
: ''NOTE: Because this DEB file was downloaded directly instead of automatically by APT from a package repository the installation command is slightly different and some other commands such as '''apt show''' will not work.''<br />
<li>Install the package with '''apt install'''<br />
: <code>apt install ./<filename.deb></code><br />
: Don't forget that installation of software must be done with system administrator permissions.''</li><br />
:[[File:Apt-install-webmin.png | link= https://wiki.ihitc.net/mediawiki/images/f/f8/Apt-install-webmin.png | 500px]]<br />
:[[Media:Apt-install-webmin.png | Click for Larger Image]]<br />
: ''NOTE: You can get similar information to what you can get with '''apt show''' from a '''DEB''' package file using the following command:''<br />
: <code>dpkg -I <filename></code><br />
<li> Notice the additional packages which are required by Webmin (dependencies) which will be downloaded and installed by '''apt''' from a repository in order to complete the installation.</li><br />
<li> Open a web browser on your host system and visit https://xxx.xxx.xxx.xxx:10000 where your IP replaces xxx.xxx.xxx.xxx</li><br />
<li> Login using your Debian username and password </li><br />
<li> Explore the Webmin interface<br />
:[[file:Webmin-dashboard.png | link= https://wiki.ihitc.net/mediawiki/images/0/0f/Webmin-dashboard.png | 500px]]<br />
:[[media:Webmin-dashboard.png | Click for Larger Image]]</li><br />
</ol><br />
<br />
==Set Static IP Address==<br />
<br />
: An important first step is to learn how to diferenciate between network interfaces. Take a look at [https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/ this site] and [https://github.com/systemd/systemd/blob/master/src/udev/udev-builtin-net_id.c#L20 this site] to understand how network interface names in Debian 9 and later are identified.<br />
<ol><br />
<li>Set a static IP for your server</li><br />
:* Using your text editor of choice, open up the file ''/etc/network/interfaces''<br />
:* Notice how it is currently set to dhcp for the ''ens192'' interface.<br />
:* To set a static IP, you will need to change ''iface ens192 inet dhcp'' to ''iface ens192 inet static''.<br />
:* Now, under the iface line you just edited, you will need to enter the address, netmask, and gateway for the static network.<br />
:''' Reminder: it is common practice to indent (tab) static network configuration information in the interfaces file.<br />
'' Note: Your configuration should be similar to this:<br />
<pre>allow-hotplug ens192<br />
iface ens192 inet static<br />
address xxx.xxx.xxx.xxx<br />
netmask 255.255.255.0<br />
gateway 172.17.50.1<br />
dns-nameservers 172.17.139.11 172.17.139.111</pre><br />
: * Now save the file, and exit your file editor.<br />
<li>Apply your static IP address</li><br />
: * Now we are going to apply the static IP change. Try using '''ip address show''' to view your active configuration now and you should see that your old address is still active.<br />
:''NOTE: You should only make network configuration changes when you have physical access to a machine. This way, if you mess up your configuration you will be able to fix it from a local console.''' If you lose working SSH access to your system after making these changes you'll need to connect in through the NetLab console interface (which is equivalent to physical access) and find and correct your configuration issues.<br />
:* Using the '''ifdown''' and '''ifup''' command, we are going to restart the network interface, this step is required to apply the change.<br />
'' Note: A good method to watch this change is to have to ping windows open on your local machine ping both your old IP address and your new IP address with a '''ping 172.17.50.xx -t''' this will allow you to see how quickly the change will happen. The first image below is with the DHCP address, the second is after the static address is applied.<br />
:[[File:Lab5_ping_ifup_ifdown.png|link=https://wiki.ihitc.net/mediawiki/images/2/2f/Lab5_ping_ifup_ifdown.png|500px]]<br />
:[[Media:Lab5_ping_ifup_ifdown.png|Click here for a larger image]]<br />
:* In a SSH terminal, run '''sudo ifdown ens192 && sudo ifup ens192'''. Notice the two ''&&'' symbols. This tells the Linux shell that it should run the second command right after the first. If we do not define this, then we would be left with a machine that has its networking turned off.<br />
: <code>sudo ifdown ens192 && sudo ifup ens192</code><br />
'' Note: you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
:* At this point, your machine should now be using a static address. You may receive an error message indicating that an address cannot be assigned which is related to your old DHCP address still being on the interface as well. Use '''ip address show''' to verify the new IP address is assigned to the interface.<br />
<li>Verify the new static IP address</li><br />
:* Used a '''ping''' command from your local PC to try pinging both the old DHCP address as well as your new static address of your VM. <br />
:* Once you have verified the VM is responding on the new static IP address reboot the system to ensure the old DHCP address is removed by restarting your VM with '''sudo shutdown -r now''' Note you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
<li>Reconnect through SSH to your new IP address and verify it is now applied using the '''ip address show''' command.</li><br />
</ol><br />
<br />
==DNS Section==<br />
<ol><br />
<li>First you will need to install BIND. to install it, use the package manager to install '''bind9'''</li><br />
<li>Open up ''/etc/bind/named.conf.options''</li><br />
<ul><br />
* You will also need to replace 0.0.0.0 with 172.17.139.11 for outside DNS lookups to function correctly.</ul><br />
: [[File:Bind_named_conf.png | 500px]]<br />
<li>Next, open up your interfaces file (''/etc/network/interfaces'').</li><br />
<ul><br />
* Change the dns server for the primary network interface to ''127.0.0.1''.</ul><br />
<li>In '''Webmin''', go to ''Servers'', then ''BIND DNS Server''. Under ''Existing DNS Zones'' click on ''Create Master Zone'' and use the following settings:<br />
<pre>Zone type: Forward (Names to Addresses)<br />
Domain name / Network: *.itc2480.campus.ihitc.net<br />
Records file: Automatic<br />
Master server: *.itc2480.campus.ihitc.net.<br />
Email address: root@ *.itc2480.campus.ihitc.net</pre><br />
* '''NOTE:''' the * stands for your system name, "automail" was used when setting the mail server up.</li><br />
<li>To create our ''A record'' which points your domain to an IP address, click the ''Address'' button.</li><br />
* For the ''Name'' enter ''@''.<br />
* In the ''address'' field enter your VM's static IP and click ''Create''.<br />
<li>Create an ''MX'' record for the domain which directs mail for your delegated domain to your system as well. (This will involve creating another A record for ''mail.*.itc2480.campus.ihitc.net'' as well).</li><br />
<li>Make sure to apply the changes using the button in the top right that shows two arrows in a cricle.</li><br />
<li>After applying the changes and rebooting everything should be working. just make sure to test it using the nslookup and dig commands.</li><br />
</ol><br />
<br />
==Auto Reply Configuration==<br />
<ol><br />
<li>Install vacation</li><br />
: Vacation is a Linux package that will auto-respond to received emails for the receiving users. <br />
<code>sudo apt install vacation</code><br />
<li>Run the vacation program in the profile you wish to set up the reply message from</li><br />
<code>vacation</code><br />
<li>Follow the prompts, for now reply with the default answer (Y)</li><br />
: [[File:MAILSVR_vaca_prompts.png|link=https://wiki.ihitc.net/mediawiki/images/7/76/MAILSVR_vaca_prompts.png|500px]]<br />
: [[Media:MAILSVR_vaca_prompts.png|Click here for a larger image]]<br />
<li>Edit the vacation.msg file</li><br />
<code>nano vacation.msg</code> <br />
: [[File:MAILSVR_vaca_msg.png|link=https://wiki.ihitc.net/mediawiki/images/b/b9/MAILSVR_vaca_msg.png|500px]]<br />
: [[Media:MAILSVR_vaca_msg.png|Click for a larger image]]<br />
:* Enter the message that you would like to have in the auto-response.<br />
<li>Set the response to auto mail every message</li><br />
: The default response is every one week to send an auto-reply, for our use it is important to reply to every email.<br />
<code>vacation -i -r 0</code><br />
: ''NOTE: It is important to understand this command sets the auto-reply delay. Using the '''-r 0''' sets the vacation program to reply to EVERY message it receives. In a production environment, this is not recommended as it can create mail loops.<br />
<li>Test your reply message from the CLI '''mailutils''' package or the MTA chosen to use on client computers</li><br />
</ol><br />
<br />
==Auto Maildir Clean Up==<br />
<ol><br />
<li>Create script to delete emails older than 45 days</li><br />
:''NOTE: The script must be owned by root and executable. Additionally, the crontab must be created with sudo priviledges<br />
:<code>sudo nano '''<scriptname.sh>'''</code><br />
<pre><br />
#!/bin/bash<br />
find /home/testuser/Maildir/cur -type f -mtime +45 -exec rm {} \;<br />
find /home/testuser/Maildir/new -type f -mtime +45 -exec rm {} \;<br />
find /home/testuser/Maildir/tmp -type f -mtime +45 -exec rm {} \;<br />
</pre><br />
<li>Make executable</li><br />
:<code>sudo chmod +x '''<sciptname.sh>'''</code><br />
<li>Create a '''crontab''' job</li><br />
:<code>sudo crontab -e</code><br />
: ''NOTE: the astricks at the start of the following command are respective to the scheduling of time. A good additional resource for '''cron''' is https://vitux.com/how-to-setup-a-cron-job-in-debian-10. Each astrik represents [Minute] [hour] [Day_of_the_Month] [Month_of_the_Year] [Day_of_the_Week] <br />
:* add the following line to the chrontab file to schedule the job at 8PM every day.<br />
<pre>* 20 * * * * /home/ping/scriptname.sh</pre><br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Mail_server_mnjk&diff=9508Mail server mnjk2021-02-19T02:23:39Z<p>JonQuinn: /* Auto Maildir Clean Up */</p>
<hr />
<div>==Introduction==<br />
:This section documents the creation of the Auto-Reply Mail Server. This section will likely be created by an instructor or administrator.<br />
==Mail Server Documentation==<br />
<ol><br />
<li>Power on you Virtual machine</li><br />
<br />
:* This server may reside in the VMware ESXi or NetLab as long as the network configuration allows connection to the course VLAN and student VM's.<br />
<li>Install Debian Linux</li><br />
: Once the system has booted and is on the "Debian GNU/Linux installer menu" choose "Install" and '''not''' "Graphical Install". If you make an incorrect choice you can reboot your virtual machine (power off and on) before installing to get back to the menu.<br />
: In the installer you will use the space bar to select and unselect "checkboxes", the tab key to move between fields and buttons, and the enter key to continue. You will be prompted for the following choices<br />
* Select ''English'' as the language, ''United States'' as your location, and ''American English'' as the keymap.<br />
* Set ''ens192'' as your primary network interface.<br />
* Set a hostname for the system to 2480 followed by a dash and then your pod ID letter, like ''2480-Z'' for LSA Pod Z. If you have forgotten your pod ID letter look up at the top of your screen above the line with the "Topology" and "Linux Server" tabs and you should see a line with "LSA Pod" followed by a letter, that letter is your pod ID letter.<br />
:'' Note: These steps are critical to future success in labs, check your spelling carefully'' <br />
: [[File:Lab1_hostname.png|link=https://wiki.ihitc.net/mediawiki/images/5/57/Lab1_hostname.png|500px]]<br />
: [[Media:Lab1_hostname.png|Click here for a larger image]]<br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
: [[File:Lab1_domainname.png|link=https://wiki.ihitc.net/mediawiki/images/5/5a/Lab1_domainname.png|500px]]<br />
: [[Media:Lab1_domainname.png|Click here for a larger images]]<br />
* Set the root password to something you will NOT FORGET, this is the administrator account, ''cisco'' might be a good choice for our purposes though that would not be secure for a system directly accessible from the Internet (we are protected by a firewall which you are bypassing via the VPN connection)<br />
* Create a new user account by entering your name. The system will automatically use your first name (all lowercase) as the username and then you should set the password to another password you will not forget<br />
* Select your timezone<br />
* Choose "Guided - Use entire disk" as the partitioning method and select the ''sda'' drive and "All files in one partition" as the partitioning scheme, "Finish partitioning and write the changes to the disk", and then finally confirm you want to write the changes.<br />
* You do not want to scan any other CDs or DVDs at this time.<br />
* You want to select a mirror located close to you with good speed. Because your VM is actually running from the campus and is connected to the campus Internet connection a good option is "debian.uchicago.edu" with no http proxy.<br />
* Choose whether you want to participate in the package usage survey, for our purposes either choice is just fine.<br />
* On the software selection screen UNSELECT "Debian desktop environment" and "Print server" and make sure that "SSH server" and "Standard system utilities" are the only two selected options.<br />
:'' Note: To select and unselect options move your cursor over the option and press the space bar.<br />
* Choose that yes you want to install GRUB to the master boot record on the ''/dev/sda'' device.<br />
<li>Complete the installation</li><br />
: When the installation is complete you can select continue to "eject" the virtual CD and reboot into the new install<br />
</ol><br />
<br />
==Install Basic Tools==<br />
<ol><br />
<li>Install '''sudo''' from the command line using:<br />
: ''Note: A good practice is to update your system before installing any packages, this should be completed using '''apt update''', ensure to use '''sudo''' when not logged in as root.<br />
: <code>apt update</code><br />
: <code>apt install sudo</code></li><br />
: For security purposes it is usually the case that you do not want to log in as the root user. Instead, best practice is to log in as a standard user and then execute specific commands that require root access with administrative privileges through the '''sudo''' program. The '''sudo''' program is not installed by default so after you have logged in to the root account enter '''apt update''' and press enter which will update the list of software available for installation and then '''apt install sudo''' and press enter to install the sudo software.<br />
<li>Add sudo privileges to our standard user account.<br />
:<code>adduser <username> sudo</code></li><br />
: We now need to add our standard user account to the group which is allowed to have administrative access to do this enter the command '''sudo adduser ''<username>'' sudo''' and press enter, replacing ''<username>'' with the name of your standard user account (set during the setup process, probably your first name in lowercase). We'll learn more about these commands later in the course.<br />
<li>Reboot system</li><br />
: <code>shutdown -r now</code><br />
: Reboot your system using the '''shutdown -r now''' command to apply the changes<br />
<li>Log in as your standard user account, determine system IP address.<br />
: Once you are logged in use the following command at the command line to determine the IP address of your system<br />
:<code>ip address show</code></li><br />
: Using the '''ip address show''' command will allow you to check the IP address of your system. The IP address should be something like ''172.17.50.xxx'' and be an ''inet'' address on the ''ens192'' adapter.<br />
: [[File:Lab1_ip_address_show2.PNG|500px]]<br />
<li>Test sudo privileges</li><br />
: Try running the same command as the administrator by typing '''sudo ip address show''', you will need to enter in your password again when you run this command.<br />
: <code>sudo ip address show</code><br />
<li>Install '''open-vm-tools'''</li><br />
: Run the '''sudo apt install open-vm-tools''' command to install the vmWare Tools. You will be prompted about several additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
:<code>sudo apt install open-vm-tools</code><br />
<br><br />
<li>Install nmap</li><br />
:Nmap is a tool we will learn more about later in the course but it will likely be used to check many of the labs for completion while working through the course. This course's labwork often builds upon the work you have done in previous labs. The self-check scripts are to assist you in ensuring you have not missed any ''critical'' steps in your work that would affect your success in subsequent labs.<br />
<br />
:''NOTE: Before we begin the installation of this tool it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning of systems which they are not authorized to do. You have been warned!<br />
:*At this time all you will be doing is installing the tool as it will be used to self-check your lab work to verify you are ready to move on to the next lab.<br />
:* Run the following command at the command line.<br />
:<pre>sudo apt install nmap</pre><br />
: Run the '''sudo apt install nmap''' command to install the nmap tool. You will be prompted about additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
<br />
<li>Exit from the local console</li><br />
: To log out of the console type '''exit''' and press enter.<br />
: Because your Debian Linux server is running as a virtual machine on a vmWare host system in order to achieve the best performance and driver integration we should install the vmWare Tools software package in your virtual machine.<br />
</ol><br />
<br />
== Add User "Ping", Install Webmin==<br />
<ol><br />
<li> Create a new user account '''ping''' using the '''adduser''' program</li><br />
: <code> adduser ping</code><br />
<li> Use the '''links''' browser or '''wget''' to download the '''DEB''' package file from '''[https://www.webmin.com www.webmin.com]'''</li><br />
: ''NOTE: Because this DEB file was downloaded directly instead of automatically by APT from a package repository the installation command is slightly different and some other commands such as '''apt show''' will not work.''<br />
<li>Install the package with '''apt install'''<br />
: <code>apt install ./<filename.deb></code><br />
: Don't forget that installation of software must be done with system administrator permissions.''</li><br />
:[[File:Apt-install-webmin.png | link= https://wiki.ihitc.net/mediawiki/images/f/f8/Apt-install-webmin.png | 500px]]<br />
:[[Media:Apt-install-webmin.png | Click for Larger Image]]<br />
: ''NOTE: You can get similar information to what you can get with '''apt show''' from a '''DEB''' package file using the following command:''<br />
: <code>dpkg -I <filename></code><br />
<li> Notice the additional packages which are required by Webmin (dependencies) which will be downloaded and installed by '''apt''' from a repository in order to complete the installation.</li><br />
<li> Open a web browser on your host system and visit https://xxx.xxx.xxx.xxx:10000 where your IP replaces xxx.xxx.xxx.xxx</li><br />
<li> Login using your Debian username and password </li><br />
<li> Explore the Webmin interface<br />
:[[file:Webmin-dashboard.png | link= https://wiki.ihitc.net/mediawiki/images/0/0f/Webmin-dashboard.png | 500px]]<br />
:[[media:Webmin-dashboard.png | Click for Larger Image]]</li><br />
</ol><br />
<br />
==Set Static IP Address==<br />
<br />
: An important first step is to learn how to diferenciate between network interfaces. Take a look at [https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/ this site] and [https://github.com/systemd/systemd/blob/master/src/udev/udev-builtin-net_id.c#L20 this site] to understand how network interface names in Debian 9 and later are identified.<br />
<ol><br />
<li>Set a static IP for your server</li><br />
:* Using your text editor of choice, open up the file ''/etc/network/interfaces''<br />
:* Notice how it is currently set to dhcp for the ''ens192'' interface.<br />
:* To set a static IP, you will need to change ''iface ens192 inet dhcp'' to ''iface ens192 inet static''.<br />
:* Now, under the iface line you just edited, you will need to enter the address, netmask, and gateway for the static network.<br />
:''' Reminder: it is common practice to indent (tab) static network configuration information in the interfaces file.<br />
'' Note: Your configuration should be similar to this:<br />
<pre>allow-hotplug ens192<br />
iface ens192 inet static<br />
address xxx.xxx.xxx.xxx<br />
netmask 255.255.255.0<br />
gateway 172.17.50.1<br />
dns-nameservers 172.17.139.11 172.17.139.111</pre><br />
: * Now save the file, and exit your file editor.<br />
<li>Apply your static IP address</li><br />
: * Now we are going to apply the static IP change. Try using '''ip address show''' to view your active configuration now and you should see that your old address is still active.<br />
:''NOTE: You should only make network configuration changes when you have physical access to a machine. This way, if you mess up your configuration you will be able to fix it from a local console.''' If you lose working SSH access to your system after making these changes you'll need to connect in through the NetLab console interface (which is equivalent to physical access) and find and correct your configuration issues.<br />
:* Using the '''ifdown''' and '''ifup''' command, we are going to restart the network interface, this step is required to apply the change.<br />
'' Note: A good method to watch this change is to have to ping windows open on your local machine ping both your old IP address and your new IP address with a '''ping 172.17.50.xx -t''' this will allow you to see how quickly the change will happen. The first image below is with the DHCP address, the second is after the static address is applied.<br />
:[[File:Lab5_ping_ifup_ifdown.png|link=https://wiki.ihitc.net/mediawiki/images/2/2f/Lab5_ping_ifup_ifdown.png|500px]]<br />
:[[Media:Lab5_ping_ifup_ifdown.png|Click here for a larger image]]<br />
:* In a SSH terminal, run '''sudo ifdown ens192 && sudo ifup ens192'''. Notice the two ''&&'' symbols. This tells the Linux shell that it should run the second command right after the first. If we do not define this, then we would be left with a machine that has its networking turned off.<br />
: <code>sudo ifdown ens192 && sudo ifup ens192</code><br />
'' Note: you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
:* At this point, your machine should now be using a static address. You may receive an error message indicating that an address cannot be assigned which is related to your old DHCP address still being on the interface as well. Use '''ip address show''' to verify the new IP address is assigned to the interface.<br />
<li>Verify the new static IP address</li><br />
:* Used a '''ping''' command from your local PC to try pinging both the old DHCP address as well as your new static address of your VM. <br />
:* Once you have verified the VM is responding on the new static IP address reboot the system to ensure the old DHCP address is removed by restarting your VM with '''sudo shutdown -r now''' Note you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
<li>Reconnect through SSH to your new IP address and verify it is now applied using the '''ip address show''' command.</li><br />
</ol><br />
<br />
==DNS Section==<br />
<ol><br />
<li>First you will need to install BIND. to install it, use the package manager to install '''bind9'''</li><br />
<li>Open up ''/etc/bind/named.conf.options''</li><br />
<ul><br />
* You will also need to replace 0.0.0.0 with 172.17.139.11 for outside DNS lookups to function correctly.</ul><br />
: [[File:Bind_named_conf.png | 500px]]<br />
<li>Next, open up your interfaces file (''/etc/network/interfaces'').</li><br />
<ul><br />
* Change the dns server for the primary network interface to ''127.0.0.1''.</ul><br />
<li>In '''Webmin''', go to ''Servers'', then ''BIND DNS Server''. Under ''Existing DNS Zones'' click on ''Create Master Zone'' and use the following settings:<br />
<pre>Zone type: Forward (Names to Addresses)<br />
Domain name / Network: *.itc2480.campus.ihitc.net<br />
Records file: Automatic<br />
Master server: *.itc2480.campus.ihitc.net.<br />
Email address: root@ *.itc2480.campus.ihitc.net</pre><br />
* '''NOTE:''' the * stands for your system name, "automail" was used when setting the mail server up.</li><br />
<li>To create our ''A record'' which points your domain to an IP address, click the ''Address'' button.</li><br />
* For the ''Name'' enter ''@''.<br />
* In the ''address'' field enter your VM's static IP and click ''Create''.<br />
<li>Create an ''MX'' record for the domain which directs mail for your delegated domain to your system as well. (This will involve creating another A record for ''mail.*.itc2480.campus.ihitc.net'' as well).</li><br />
<li>Make sure to apply the changes using the button in the top right that shows two arrows in a cricle.</li><br />
<li>After applying the changes and rebooting everything should be working. just make sure to test it using the nslookup and dig commands.</li><br />
</ol><br />
<br />
==Auto Reply Configuration==<br />
<ol><br />
<li>Install vacation</li><br />
: Vacation is a Linux package that will auto-respond to received emails for the receiving users. <br />
<code>sudo apt install vacation</code><br />
<li>Run the vacation program in the profile you wish to set up the reply message from</li><br />
<code>vacation</code><br />
<li>Follow the prompts, for now reply with the default answer (Y)</li><br />
: [[File:MAILSVR_vaca_prompts.png|link=https://wiki.ihitc.net/mediawiki/images/7/76/MAILSVR_vaca_prompts.png|500px]]<br />
: [[Media:MAILSVR_vaca_prompts.png|Click here for a larger image]]<br />
<li>Edit the vacation.msg file</li><br />
<code>nano vacation.msg</code> <br />
: [[File:MAILSVR_vaca_msg.png|link=https://wiki.ihitc.net/mediawiki/images/b/b9/MAILSVR_vaca_msg.png|500px]]<br />
: [[Media:MAILSVR_vaca_msg.png|Click for a larger image]]<br />
:* Enter the message that you would like to have in the auto-response.<br />
<li>Set the response to auto mail every message</li><br />
: The default response is every one week to send an auto-reply, for our use it is important to reply to every email.<br />
<code>vacation -i -r 0</code><br />
: ''NOTE: It is important to understand this command sets the auto-reply delay. Using the '''-r 0''' sets the vacation program to reply to EVERY message it receives. In a production environment, this is not recommended as it can create mail loops.<br />
<li>Test your reply message from the CLI '''mailutils''' package or the MTA chosen to use on client computers</li><br />
</ol><br />
<br />
==Auto Maildir Clean Up==<br />
<ol><br />
<li>Create script to delete emails older than 45 days</li><br />
:<code>sudo nano '''<scriptname.sh>'''</code><br />
<br><br />
<pre><br />
#!/bin/bash<br />
find /home/testuser/Maildir/cur -type f -mtime +45 -exec rm {} \;<br />
find /home/testuser/Maildir/new -type f -mtime +45 -exec rm {} \;<br />
find /home/testuser/Maildir/tmp -type f -mtime +45 -exec rm {} \;<br />
</pre><br />
<li>Make executable</li><br />
:<code>sudo chmod +x '''<sciptname.sh>'''</code><br />
<li>Create a '''crontab''' job</li><br />
:<code>sudo crontab -e</code><br />
: ''NOTE: the astricks at the start of the following command are respective to the scheduling of time. A good additional resource for '''cron''' is https://vitux.com/how-to-setup-a-cron-job-in-debian-10. Each astrik represents [Minute] [hour] [Day_of_the_Month] [Month_of_the_Year] [Day_of_the_Week] <br />
:* add the following line to the chrontab file to schedule the job at 8PM every day.<br />
<pre>* 20 * * * * /home/ping/scriptname.sh</pre><br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Mail_server_mnjk&diff=9507Mail server mnjk2021-02-19T02:22:53Z<p>JonQuinn: /* Auto Reply Configuration */</p>
<hr />
<div>==Introduction==<br />
:This section documents the creation of the Auto-Reply Mail Server. This section will likely be created by an instructor or administrator.<br />
==Mail Server Documentation==<br />
<ol><br />
<li>Power on you Virtual machine</li><br />
<br />
:* This server may reside in the VMware ESXi or NetLab as long as the network configuration allows connection to the course VLAN and student VM's.<br />
<li>Install Debian Linux</li><br />
: Once the system has booted and is on the "Debian GNU/Linux installer menu" choose "Install" and '''not''' "Graphical Install". If you make an incorrect choice you can reboot your virtual machine (power off and on) before installing to get back to the menu.<br />
: In the installer you will use the space bar to select and unselect "checkboxes", the tab key to move between fields and buttons, and the enter key to continue. You will be prompted for the following choices<br />
* Select ''English'' as the language, ''United States'' as your location, and ''American English'' as the keymap.<br />
* Set ''ens192'' as your primary network interface.<br />
* Set a hostname for the system to 2480 followed by a dash and then your pod ID letter, like ''2480-Z'' for LSA Pod Z. If you have forgotten your pod ID letter look up at the top of your screen above the line with the "Topology" and "Linux Server" tabs and you should see a line with "LSA Pod" followed by a letter, that letter is your pod ID letter.<br />
:'' Note: These steps are critical to future success in labs, check your spelling carefully'' <br />
: [[File:Lab1_hostname.png|link=https://wiki.ihitc.net/mediawiki/images/5/57/Lab1_hostname.png|500px]]<br />
: [[Media:Lab1_hostname.png|Click here for a larger image]]<br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
: [[File:Lab1_domainname.png|link=https://wiki.ihitc.net/mediawiki/images/5/5a/Lab1_domainname.png|500px]]<br />
: [[Media:Lab1_domainname.png|Click here for a larger images]]<br />
* Set the root password to something you will NOT FORGET, this is the administrator account, ''cisco'' might be a good choice for our purposes though that would not be secure for a system directly accessible from the Internet (we are protected by a firewall which you are bypassing via the VPN connection)<br />
* Create a new user account by entering your name. The system will automatically use your first name (all lowercase) as the username and then you should set the password to another password you will not forget<br />
* Select your timezone<br />
* Choose "Guided - Use entire disk" as the partitioning method and select the ''sda'' drive and "All files in one partition" as the partitioning scheme, "Finish partitioning and write the changes to the disk", and then finally confirm you want to write the changes.<br />
* You do not want to scan any other CDs or DVDs at this time.<br />
* You want to select a mirror located close to you with good speed. Because your VM is actually running from the campus and is connected to the campus Internet connection a good option is "debian.uchicago.edu" with no http proxy.<br />
* Choose whether you want to participate in the package usage survey, for our purposes either choice is just fine.<br />
* On the software selection screen UNSELECT "Debian desktop environment" and "Print server" and make sure that "SSH server" and "Standard system utilities" are the only two selected options.<br />
:'' Note: To select and unselect options move your cursor over the option and press the space bar.<br />
* Choose that yes you want to install GRUB to the master boot record on the ''/dev/sda'' device.<br />
<li>Complete the installation</li><br />
: When the installation is complete you can select continue to "eject" the virtual CD and reboot into the new install<br />
</ol><br />
<br />
==Install Basic Tools==<br />
<ol><br />
<li>Install '''sudo''' from the command line using:<br />
: ''Note: A good practice is to update your system before installing any packages, this should be completed using '''apt update''', ensure to use '''sudo''' when not logged in as root.<br />
: <code>apt update</code><br />
: <code>apt install sudo</code></li><br />
: For security purposes it is usually the case that you do not want to log in as the root user. Instead, best practice is to log in as a standard user and then execute specific commands that require root access with administrative privileges through the '''sudo''' program. The '''sudo''' program is not installed by default so after you have logged in to the root account enter '''apt update''' and press enter which will update the list of software available for installation and then '''apt install sudo''' and press enter to install the sudo software.<br />
<li>Add sudo privileges to our standard user account.<br />
:<code>adduser <username> sudo</code></li><br />
: We now need to add our standard user account to the group which is allowed to have administrative access to do this enter the command '''sudo adduser ''<username>'' sudo''' and press enter, replacing ''<username>'' with the name of your standard user account (set during the setup process, probably your first name in lowercase). We'll learn more about these commands later in the course.<br />
<li>Reboot system</li><br />
: <code>shutdown -r now</code><br />
: Reboot your system using the '''shutdown -r now''' command to apply the changes<br />
<li>Log in as your standard user account, determine system IP address.<br />
: Once you are logged in use the following command at the command line to determine the IP address of your system<br />
:<code>ip address show</code></li><br />
: Using the '''ip address show''' command will allow you to check the IP address of your system. The IP address should be something like ''172.17.50.xxx'' and be an ''inet'' address on the ''ens192'' adapter.<br />
: [[File:Lab1_ip_address_show2.PNG|500px]]<br />
<li>Test sudo privileges</li><br />
: Try running the same command as the administrator by typing '''sudo ip address show''', you will need to enter in your password again when you run this command.<br />
: <code>sudo ip address show</code><br />
<li>Install '''open-vm-tools'''</li><br />
: Run the '''sudo apt install open-vm-tools''' command to install the vmWare Tools. You will be prompted about several additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
:<code>sudo apt install open-vm-tools</code><br />
<br><br />
<li>Install nmap</li><br />
:Nmap is a tool we will learn more about later in the course but it will likely be used to check many of the labs for completion while working through the course. This course's labwork often builds upon the work you have done in previous labs. The self-check scripts are to assist you in ensuring you have not missed any ''critical'' steps in your work that would affect your success in subsequent labs.<br />
<br />
:''NOTE: Before we begin the installation of this tool it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning of systems which they are not authorized to do. You have been warned!<br />
:*At this time all you will be doing is installing the tool as it will be used to self-check your lab work to verify you are ready to move on to the next lab.<br />
:* Run the following command at the command line.<br />
:<pre>sudo apt install nmap</pre><br />
: Run the '''sudo apt install nmap''' command to install the nmap tool. You will be prompted about additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
<br />
<li>Exit from the local console</li><br />
: To log out of the console type '''exit''' and press enter.<br />
: Because your Debian Linux server is running as a virtual machine on a vmWare host system in order to achieve the best performance and driver integration we should install the vmWare Tools software package in your virtual machine.<br />
</ol><br />
<br />
== Add User "Ping", Install Webmin==<br />
<ol><br />
<li> Create a new user account '''ping''' using the '''adduser''' program</li><br />
: <code> adduser ping</code><br />
<li> Use the '''links''' browser or '''wget''' to download the '''DEB''' package file from '''[https://www.webmin.com www.webmin.com]'''</li><br />
: ''NOTE: Because this DEB file was downloaded directly instead of automatically by APT from a package repository the installation command is slightly different and some other commands such as '''apt show''' will not work.''<br />
<li>Install the package with '''apt install'''<br />
: <code>apt install ./<filename.deb></code><br />
: Don't forget that installation of software must be done with system administrator permissions.''</li><br />
:[[File:Apt-install-webmin.png | link= https://wiki.ihitc.net/mediawiki/images/f/f8/Apt-install-webmin.png | 500px]]<br />
:[[Media:Apt-install-webmin.png | Click for Larger Image]]<br />
: ''NOTE: You can get similar information to what you can get with '''apt show''' from a '''DEB''' package file using the following command:''<br />
: <code>dpkg -I <filename></code><br />
<li> Notice the additional packages which are required by Webmin (dependencies) which will be downloaded and installed by '''apt''' from a repository in order to complete the installation.</li><br />
<li> Open a web browser on your host system and visit https://xxx.xxx.xxx.xxx:10000 where your IP replaces xxx.xxx.xxx.xxx</li><br />
<li> Login using your Debian username and password </li><br />
<li> Explore the Webmin interface<br />
:[[file:Webmin-dashboard.png | link= https://wiki.ihitc.net/mediawiki/images/0/0f/Webmin-dashboard.png | 500px]]<br />
:[[media:Webmin-dashboard.png | Click for Larger Image]]</li><br />
</ol><br />
<br />
==Set Static IP Address==<br />
<br />
: An important first step is to learn how to diferenciate between network interfaces. Take a look at [https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/ this site] and [https://github.com/systemd/systemd/blob/master/src/udev/udev-builtin-net_id.c#L20 this site] to understand how network interface names in Debian 9 and later are identified.<br />
<ol><br />
<li>Set a static IP for your server</li><br />
:* Using your text editor of choice, open up the file ''/etc/network/interfaces''<br />
:* Notice how it is currently set to dhcp for the ''ens192'' interface.<br />
:* To set a static IP, you will need to change ''iface ens192 inet dhcp'' to ''iface ens192 inet static''.<br />
:* Now, under the iface line you just edited, you will need to enter the address, netmask, and gateway for the static network.<br />
:''' Reminder: it is common practice to indent (tab) static network configuration information in the interfaces file.<br />
'' Note: Your configuration should be similar to this:<br />
<pre>allow-hotplug ens192<br />
iface ens192 inet static<br />
address xxx.xxx.xxx.xxx<br />
netmask 255.255.255.0<br />
gateway 172.17.50.1<br />
dns-nameservers 172.17.139.11 172.17.139.111</pre><br />
: * Now save the file, and exit your file editor.<br />
<li>Apply your static IP address</li><br />
: * Now we are going to apply the static IP change. Try using '''ip address show''' to view your active configuration now and you should see that your old address is still active.<br />
:''NOTE: You should only make network configuration changes when you have physical access to a machine. This way, if you mess up your configuration you will be able to fix it from a local console.''' If you lose working SSH access to your system after making these changes you'll need to connect in through the NetLab console interface (which is equivalent to physical access) and find and correct your configuration issues.<br />
:* Using the '''ifdown''' and '''ifup''' command, we are going to restart the network interface, this step is required to apply the change.<br />
'' Note: A good method to watch this change is to have to ping windows open on your local machine ping both your old IP address and your new IP address with a '''ping 172.17.50.xx -t''' this will allow you to see how quickly the change will happen. The first image below is with the DHCP address, the second is after the static address is applied.<br />
:[[File:Lab5_ping_ifup_ifdown.png|link=https://wiki.ihitc.net/mediawiki/images/2/2f/Lab5_ping_ifup_ifdown.png|500px]]<br />
:[[Media:Lab5_ping_ifup_ifdown.png|Click here for a larger image]]<br />
:* In a SSH terminal, run '''sudo ifdown ens192 && sudo ifup ens192'''. Notice the two ''&&'' symbols. This tells the Linux shell that it should run the second command right after the first. If we do not define this, then we would be left with a machine that has its networking turned off.<br />
: <code>sudo ifdown ens192 && sudo ifup ens192</code><br />
'' Note: you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
:* At this point, your machine should now be using a static address. You may receive an error message indicating that an address cannot be assigned which is related to your old DHCP address still being on the interface as well. Use '''ip address show''' to verify the new IP address is assigned to the interface.<br />
<li>Verify the new static IP address</li><br />
:* Used a '''ping''' command from your local PC to try pinging both the old DHCP address as well as your new static address of your VM. <br />
:* Once you have verified the VM is responding on the new static IP address reboot the system to ensure the old DHCP address is removed by restarting your VM with '''sudo shutdown -r now''' Note you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
<li>Reconnect through SSH to your new IP address and verify it is now applied using the '''ip address show''' command.</li><br />
</ol><br />
<br />
==DNS Section==<br />
<ol><br />
<li>First you will need to install BIND. to install it, use the package manager to install '''bind9'''</li><br />
<li>Open up ''/etc/bind/named.conf.options''</li><br />
<ul><br />
* You will also need to replace 0.0.0.0 with 172.17.139.11 for outside DNS lookups to function correctly.</ul><br />
: [[File:Bind_named_conf.png | 500px]]<br />
<li>Next, open up your interfaces file (''/etc/network/interfaces'').</li><br />
<ul><br />
* Change the dns server for the primary network interface to ''127.0.0.1''.</ul><br />
<li>In '''Webmin''', go to ''Servers'', then ''BIND DNS Server''. Under ''Existing DNS Zones'' click on ''Create Master Zone'' and use the following settings:<br />
<pre>Zone type: Forward (Names to Addresses)<br />
Domain name / Network: *.itc2480.campus.ihitc.net<br />
Records file: Automatic<br />
Master server: *.itc2480.campus.ihitc.net.<br />
Email address: root@ *.itc2480.campus.ihitc.net</pre><br />
* '''NOTE:''' the * stands for your system name, "automail" was used when setting the mail server up.</li><br />
<li>To create our ''A record'' which points your domain to an IP address, click the ''Address'' button.</li><br />
* For the ''Name'' enter ''@''.<br />
* In the ''address'' field enter your VM's static IP and click ''Create''.<br />
<li>Create an ''MX'' record for the domain which directs mail for your delegated domain to your system as well. (This will involve creating another A record for ''mail.*.itc2480.campus.ihitc.net'' as well).</li><br />
<li>Make sure to apply the changes using the button in the top right that shows two arrows in a cricle.</li><br />
<li>After applying the changes and rebooting everything should be working. just make sure to test it using the nslookup and dig commands.</li><br />
</ol><br />
<br />
==Auto Reply Configuration==<br />
<ol><br />
<li>Install vacation</li><br />
: Vacation is a Linux package that will auto-respond to received emails for the receiving users. <br />
<code>sudo apt install vacation</code><br />
<li>Run the vacation program in the profile you wish to set up the reply message from</li><br />
<code>vacation</code><br />
<li>Follow the prompts, for now reply with the default answer (Y)</li><br />
: [[File:MAILSVR_vaca_prompts.png|link=https://wiki.ihitc.net/mediawiki/images/7/76/MAILSVR_vaca_prompts.png|500px]]<br />
: [[Media:MAILSVR_vaca_prompts.png|Click here for a larger image]]<br />
<li>Edit the vacation.msg file</li><br />
<code>nano vacation.msg</code> <br />
: [[File:MAILSVR_vaca_msg.png|link=https://wiki.ihitc.net/mediawiki/images/b/b9/MAILSVR_vaca_msg.png|500px]]<br />
: [[Media:MAILSVR_vaca_msg.png|Click for a larger image]]<br />
:* Enter the message that you would like to have in the auto-response.<br />
<li>Set the response to auto mail every message</li><br />
: The default response is every one week to send an auto-reply, for our use it is important to reply to every email.<br />
<code>vacation -i -r 0</code><br />
: ''NOTE: It is important to understand this command sets the auto-reply delay. Using the '''-r 0''' sets the vacation program to reply to EVERY message it receives. In a production environment, this is not recommended as it can create mail loops.<br />
<li>Test your reply message from the CLI '''mailutils''' package or the MTA chosen to use on client computers</li><br />
</ol><br />
<br />
==Auto Maildir Clean Up==<br />
<ol><br />
<li>Create script to delete emails older than 45 days</li><br />
:<code>sudo nano '''<scriptname.sh>'''</code><br />
<br><br />
<pre><br />
#!/bin/bash<br />
find /home/testuser/Maildir/cur -type f -mtime +45 -exec rm {} \;<br />
find /home/testuser/Maildir/new -type f -mtime +45 -exec rm {} \;<br />
find /home/testuser/Maildir/tmp -type f -mtime +45 -exec rm {} \;<br />
</pre><br />
<li>Make executable</li><br />
:<code>sudo chmod +x '''<sciptname.sh>'''</code><br />
<li>Create a '''crontab''' job</li><br />
:<code>sudo crontab -e</code><br />
: ''NOTE: the astricks at the start of the following command are respective to the scheduling of time. A good additional resource for '''cron''' is https://vitux.com/how-to-setup-a-cron-job-in-debian-10. Each astrik represents [Minute] [hour] [Day_of_the_Month] [Month_of_the_Year] [Day_of_the_Week] <br />
:* add the following line to the chrontab file to schedule the job at 8PM every day.<br />
<pre>* 20 * * * * /home/ping/''scriptname.sh''</pre><br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Mnjk-inver&diff=9503Mnjk-inver2021-02-18T03:00:12Z<p>JonQuinn: /* List of Labs */</p>
<hr />
<div>=Stylesheet=<br />
<br />
[[Stylesheet mnjk | Stylesheet]]<br />
<br />
=List of Labs=<br />
<br />
[[Lab 1 mnjk|Lab 1: Install Debian, check IP, remote access with ssh/sftp]]<br />
<br />
[[Lab 2 mnjk|Lab 2]]<br />
<br />
[[Lab 3 mnjk|Lab 3]]<br />
<br />
[[Lab 4 mnjk|Lab 4]]<br />
<br />
[[Lab 5 mnjk|Lab 5: Set static IP, install PHP/mySQL, experiment with websites and databases, view logfiles]]<br />
<br />
[[Lab 6 mnjk|Lab 6]]<br />
<br />
[[Lab 7 mnjk|Lab 7]]<br />
<br />
[[Lab 8 mnjk|Lab 8]]<br />
<br />
[[Lab 9 mnjk|Lab 9: Install Postfix MTA, courier-imap]]<br />
<br />
[[Lab 10 mnjk|Lab 10]]<br />
<br />
[[Lab 11 mnjk|Lab 11]]<br />
<br />
[[Lab 12 mnjk|Lab 12]]<br />
<br />
[[Lab 13 mnjk|Lab 13]]<br />
<br />
[[Lab 14 mnjk|Lab 14]]<br />
<br />
[[mail server mnjk|mail]]<br />
<br />
=Test pages=<br />
<br />
[[Mike mnjk|Mike]]<br />
<br />
[[Nate mnjk|Nate]]<br />
<br />
[[Jon mnjk|Jon]]<br />
<br />
[[Kreid mnjk|Kreid]]<br />
<br />
=Lab 11 Rewrites=<br />
<br />
[[Final Lab 11]]<br />
<br />
[[Mike Lab 11]]<br />
<br />
[[Nate Lab 11]]<br />
<br />
[[Jon Lab 11]]<br />
<br />
[[Kreid lab 11]]</div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_5_mnjk&diff=9502Lab 5 mnjk2021-02-18T02:40:57Z<p>JonQuinn: /* Set a static IP */</p>
<hr />
<div>=Introduction=<br />
In this lab you will perform the following tasks:<br />
*Learn about static network configuration of Debian Linux systems<br />
*Install '''[https://www.php.net PHP]'''<br />
*Install '''[https://www.php.net MariaDB]''' on your server, this is an open-source MySQL alternative<br />
*Experiment with websites and databases<br />
*Explore the standard log files on your system.<br />
<br />
You will be introduced to the following commands:<br />
<br />
*'''[https://linux.die.net/man/8/ifup ifup]'''<br />
*'''[https://linux.die.net/man/8/ifdown ifdown]'''<br />
*'''[https://linux.die.net/man/8/ping ping]'''<br />
*'''[https://linux.die.net/man/8/shutdown shutdown]'''<br />
*'''[https://www.commandlinux.com/man-page/man8/a2dissite.8.html a2ensite]'''<br />
*'''[https://www.commandlinux.com/man-page/man8/a2dissite.8.html a2dissite]'''<br />
*'''[https://linux.die.net/man/1/wget wget]'''<br />
*'''[https://linux.die.net/man/1/zcat zcat]'''<br />
*'''[https://linux.die.net/man/8/service service]'''<br />
*'''[https://linux.die.net/man/1/tail tail]'''<br />
<br />
You will also use the following MySQL (MariaDB) commands:<br />
<br />
*'''[https://mariadb.com/kb/en/use USE]'''<br />
*'''[https://mariadb.com/kb/en/show SHOW]'''<br />
*'''[https://mariadb.com/kb/en/select SELECT]'''<br />
*'''[https://mariadb.com/kb/en/drop-database DROP database]'''<br />
<br />
=Lab Procedure=<br />
==Prerequisites==<br />
# Open an SSH console to your Linux system using the PuTTY software, login with your standard user account<br />
# Make a note of the static IP address information for your particular system in the table below, it is based on the system name identification letter in vmWare. These IP addresses will ONLY be valid in the ITC vmWare Linux class subnet. If you are working on a local VirtualBox system you will need to select an available static IP from the correct subnet for your system or skip the static IP addressing section. All vmWare systems will use a gateway address of 172.17.50.1 and a subnet mask of 255.255.255.0 with two nameservers 172.17.139.11 and 172.17.139.111<br />
{| {{table}}<br />
| align="center" style="background:#f0f0f0;"|'''System ID'''<br />
| align="center" style="background:#f0f0f0;"|'''Static IP'''<br />
|-<br />
| A||172.17.50.11<br />
|-<br />
| B||172.17.50.12<br />
|-<br />
| C||172.17.50.13<br />
|-<br />
| D||172.17.50.14<br />
|-<br />
| E||172.17.50.15<br />
|-<br />
| F||172.17.50.16<br />
|-<br />
| G||172.17.50.17<br />
|-<br />
| H||172.17.50.18<br />
|-<br />
| I||172.17.50.19<br />
|-<br />
| J||172.17.50.20<br />
|-<br />
| K||172.17.50.21<br />
|-<br />
| L||172.17.50.22<br />
|-<br />
| M||172.17.50.23<br />
|-<br />
| N||172.17.50.24<br />
|-<br />
| O||172.17.50.25<br />
|-<br />
| P||172.17.50.26<br />
|-<br />
| Q||172.17.50.27<br />
|-<br />
| R||172.17.50.28<br />
|-<br />
| S||172.17.50.29<br />
|-<br />
| T||172.17.50.30<br />
|-<br />
| U||172.17.50.31<br />
|-<br />
| V||172.17.50.32<br />
|-<br />
| W||172.17.50.33<br />
|-<br />
| X||172.17.50.34<br />
|-<br />
| Y||172.17.50.35<br />
|-<br />
| Z||172.17.50.36<br />
|}<br />
<br />
<br />
<br />
==Set a static IP==<br />
'''''[https://www.youtube.com/watch?v=VcPA6gJ0Ohw&feature=youtu.be Video Tutorial - Setting a Static IP Address]'''''<br />
<br />
: An important first step is to learn how to diferenciate between network interfaces. Take a look at [https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/ this site] and [https://github.com/systemd/systemd/blob/master/src/udev/udev-builtin-net_id.c#L20 this site] to understand how network interface names in Debian 9 and later are identified.<br />
<ol><br />
<li>Set a static IP for your server</li><br />
* Using your text editor of choice, open up the file ''/etc/network/interfaces''<br />
* Notice how it is currently set to dhcp for the ''ens192'' interface.<br />
* To set a static IP, you will need to change ''iface ens192 inet dhcp'' to ''iface ens192 inet static''.<br />
* Now, under the iface line you just edited, you will need to enter the address, netmask, and gateway for the static network.<br />
:''' Reminder: it is common practice to indent (tab) static network configuration information in the interfaces file.<br />
'' Note: Your configuration should be similar to this:<br />
<pre>allow-hotplug ens192<br />
iface ens192 inet static<br />
address xxx.xxx.xxx.xxx<br />
netmask 255.255.255.0<br />
gateway 172.17.50.1<br />
dns-nameservers 172.17.139.11 172.17.139.111</pre><br />
* Now save the file, and exit your file editor.<br />
<li>Apply your static IP address</li><br />
* Now we are going to apply the static IP change. Try using '''ip address show''' to view your active configuration now and you should see that your old address is still active.<br />
:''NOTE: You should only make network configuration changes when you have physical access to a machine. This way, if you mess up your configuration you will be able to fix it from a local console.''' If you lose working SSH access to your system after making these changes you'll need to connect in through the NetLab console interface (which is equivalent to physical access) and find and correct your configuration issues.<br />
* Using the '''ifdown''' and '''ifup''' command, we are going to restart the network interface, this step is required to apply the change.<br />
:'' Note: A good method to watch this change is to have to ping windows open on your local machine ping both your old IP address and your new IP address with a '''ping 172.17.50.xx -t''' this will allow you to see how quickly the change will happen. The first image below is with the DHCP address, the second is after the static address is applied.<br />
:[[File:Lab5_ping_ifup_ifdown.png|link=https://wiki.ihitc.net/mediawiki/images/2/2f/Lab5_ping_ifup_ifdown.png|500px]]<br />
:[[Media:Lab5_ping_ifup_ifdown.png|Click here for a larger image]]<br />
* In a SSH terminal, run '''sudo ifdown ens192 && sudo ifup ens192'''. Notice the two ''&&'' symbols. This tells the Linux shell that it should run the second command right after the first. If we do not define this, then we would be left with a machine that has its networking turned off.<br />
: <code>sudo ifdown ens192 && sudo ifup ens192</code><br />
'' Note: you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
* At this point, your machine should now be using a static address. You may receive an error message indicating that an address cannot be assigned which is related to your old DHCP address still being on the interface as well. Use '''ip address show''' to verify the new IP address is assigned to the interface.<br />
<li>Verify the new static IP address</li><br />
* Used a '''ping''' command from your local PC to try pinging both the old DHCP address as well as your new static address of your VM. <br />
* Once you have verified the VM is responding on the new static IP address reboot the system to ensure the old DHCP address is removed by restarting your VM with '''sudo shutdown -r now''' Note you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
<li>Reconnect through SSH to your new IP address and verify it is now applied using the '''ip address show''' command.</li><br />
</ol><br />
<br />
==Install PHP & MySQL/MariaDB==<br />
<br />
'''''[https://www.youtube.com/watch?v=Az0qtg4LSjA&feature=youtu.be Video Tutorial - Install PHP and MySQL MariaDB]'''''<br />
<ol><br />
<li>Install packages</li><br />
:* Using '''apt''', install the ''php'' and ''mariadb-server'' packages as well as the ''php-mysql'' package which provides the link between php and mysql and the ''libapache2-mod-php'' package which provides a copy of PHP which allows the Apache webserver to run website PHP scripts.<br />
'' Note: Remember to do an '''apt update''' before installing packages to make sure you get the latest versions<br />
'' Note: Maria-DB is a fully compatible replacement for MySQL that isn't controlled by Oracle.<br />
* After the dependencies are found, go ahead and accept them to continue the install.<br />
<li> After the install is complete, '''cd''' to ''/var/www/html'' which is the root directory of your webserver and so where all website files are served from.</li><br />
<li> In order to fully enable the PHP-MySQL module you should restart your Apache webserver. You don't need to restart your entire system to do this. Do some research on the "apache2ctl" or the "service apache2" commands which can be used to do this.<br />
<li> At this point we will test to verify that php is working properly with Apache. Create a new file named ''phptest.php'', and then open it in a text editor.</li><br />
: '' Note: you may have to use sudo to create and edit files in this directory. as your standard user account may not have privilidges to create and edit files in this directory.<br />
:<code>sudo touch phptest.php</code><br />
:<code>sudo nano phptest.php</code><br />
<li>Enter the following into the file:<br />
<pre><?php<br />
phpinfo();<br />
?></pre></li><br />
<li>Now save the file, and on your local machine go to xxx.xxx.xxx.xxx/phptest.php in a web browser where xxx.xxx.xxx.xxx is your VM's static IP. You should now be on a page that shows your PHP Version, and system information.</li> <br />
:[[File:Lab5_php_info.png|500px]]<br />
:[[Media:Lab5_php_info.png|Click here for a larger image]]<br />
<li>Use the "View Source" option in your browser to see what the HTML source code is for the page you're viewing is. Is it the same or different than the .php file you created? Why? How is this different than a standard .html file?</li><br />
:[[File:Lab5_php_info_devtab.png|500px]]<br />
:[[Media:Lab5_php_info_devtab.png|Click here for a larger image]]<br />
</ol><br />
<br />
==Experiment with Website PHP==<br />
<br />
'''''[https://www.youtube.com/watch?v=m_sUrt_quX4&feature=youtu.be Video Tutorial - Experiment with Website PHP]'''''<br />
<ol><br />
<li> Explore Apache symlinks</li><br />
:In a previous lab we learned about editing the ''/var/www/index.html'' file to change the default web page displayed by your server. In a future lab you will install some PHP/MySQL based software which powers many Internet sites with forums, blogs, etc. Before we can do that we need to learn a little more about PHP and about databases. Like most software on Linux the Apache webserver configuration files are stored in the ''/etc'' directory. Specifically, you can find several of them which work together and are called from each other in ''/etc/apache2/'' take a look in the ''/etc/apache2/sites-enabled/'' directory. See how symlinks are used to point to configuration files which actually reside in the ''/etc/apache2/sites-available/'' directory? This allows us to turn off and on various sites by creating or removing a symlink rather than by deleting the actual configuration file, a handy thing if we just want to temporarily disable a site. In fact Apache provides a utility to automatically add and remove these links called '''a2ensite''' and '''a2dissite'''. Check the '''man''' pages for these commands to see how they work.<br />
<li>Explore '''/etc/apche2/sites-enabled'''</li><br />
:As you might have guessed the default site for your system is configured by the file linked to at ''/etc/apache2/sites-enabled/000-default'' If you open this file in your favorite text editor you will see a series of what Apache calls "directives" which explain how the webserver should function, what port it should listen on, where the website files will reside (''/var/www/html''), etc. <br />
:'' NOTE: Going into all of the different Apache directives is outside of the scope of this course but you will find a lot of documentation about them on the Internet.<br />
<li>Explore the Apache configuration files in Webmin</li><br />
:In addition to configuring Apache directly through it's configuration files you can also configure it through an interface like Webmin which we installed in a previous lab. Bring up the Webmin configuration page for Apache and take a look at the settings for the default site. Note how the things you saw directly in the configuration file match up with what you see in Webmin. One of the things you may be interested in seeing is how the webserver knows to display the index.html file from a directory if it exists and no specific file is requested in the URL. Take a look on the "Directory Indexing" page for the default virtualhost and see if you can find this information. You'll notice that there is a list of files, not just index.html which the server will display.<br />
:'' NOTE: You may need to refresh your Webmin modules or "scan for new modules" if you haven't done that since installing Apache and Webmin. Webmin scans your system for compatible server software packages (like Apache) when it is installed but needs to re-scan it's modules after you install new server software before you can configure it through Webmin.<br />
<li>Expiriment with and learn PHP basics</li><br />
:In another section of this lab you created a basic ''phptest.php'' file and saw how the server executed the PHP code and turned it into an HTML page your browser could display. Because PHP offers an easy way to write web applications it powers much of the Internet. To prepare us for setting up some PHP applications in a future lab it will be helpful to know a little about how PHP scripts work. Read through the [http://www.w3schools.com/php/default.asp W3 Schools PHP Basics Tutorial] (PHP Intro through PHP Superglobals) and try creating some PHP scripts on your own Linux server like the examples given in the tutorial pages to see if you can get them to run, try modifying them a little bit and see what the results are. There are many great Internet resources devoted to understanding how to do things with PHP so take some time to see how this language can be easily integrated in websites. You should definitely be familiar with editing PHP files to change variables, echo statements, etc. work which are all skills you'll need when installing PHP based website software.<br />
<li>Create your own PHP files</li><br />
:*Try writing some simple PHP scripts on your own using variables and echo statements and make them available through your webserver.<br />
:*A good place to create these would be in your home directory, using your favorite text editor.<br />
<li>Create your own "home" page by editing your ''index.html'' file located in the '''/var/www/html''' directory.</li><br />
:''NOTE: You will need to be familiar with the very basics of editing HTML files in order to create links, etc. If you haven't done this before there are many introductory HTML tutorials available online. A good starting place is [https://www.w3schools.com/html/html_basic.asp W3 Schools HTML Basics Examples]<br />
:'' NOTE:It is importatnt to know that an '''html''' file must include the <!DOCTYPE HTML> tag. Additionally, you will notice that all tags have an opening tag and a closing tag. The information between the tags is what will have the features of the tag<br />
:*Backup your ''index.html'' file by copying to a new file name.<br />
:<code>sudo cp /var/www/html/index.html /var/www/html/index.html.bak</code><br />
:*Edit your ''index.html'' file (or create a new ''index.php'' file which will be loaded instead if it exists) so there is a list and links to the various scripts you have created as part of your PHP experimentation.<br />
:* Open your index.html file in your favorite text editor,<br />
:<code>sudo nano /var/www/html/index.html</code><br />
:*Since you have backed up the original index.html file I would edit this file to only include the basics.<br />
<pre> <br />
<!DOCTYPE HTML><br />
<html><br />
<body><br />
<h1>My ITC-2480 Server</h1><br />
<p>This is a server on Pod-R in NetLab at 172.17.50.XX</p><br />
<br><br />
<p>Here are some of the Projects I am working on:</p><br />
<a href="http://172.17.50.XX/phptest.php">PHP Version Information</a><br />
</body><br />
</html><br />
</pre><br />
:'' NOTE: Make sure to replace the XX in the IP with the IP address of your server.<br />
:<br />
:[[File:Lab5_basic_html.png|link=https://wiki.ihitc.net/mediawiki/images/2/29/Lab5_basic_html.png|500px]]<br />
:[[Media:Lab5_basic_html.png|Click here for a larger image]]<br />
:A first look for a basic page<br />
:[[File:Lab5_initial_home.png|link=https://wiki.ihitc.net/mediawiki/images/9/92/Lab5_initial_home.png|500px]]<br />
:[[Media:Lab5_initial_home.png|Click for a larger image]]<br />
<li>Try to add additional features to your "home" page.</li><br />
:''NOTE: You may get some ideas of features you might like to add by looking at the original ''index.html'' file that we backed up in step 6 of this lab.<br />
:*As you complete your labs consider what you can add to this page.<br />
:*Add links to the PHP scripts you created<br />
:*A few good chalanges would be to add a title, change font size, style or color.<br />
<br />
</ol><br />
<br />
==Experiment with Databases==<br />
<br />
'''''[https://www.youtube.com/watch?v=1zYXiWLoGdM&feature=youtu.be Video Tutorial - Experiment with Databases]'''''<br />
<ol><br />
: In order to do really powerful things with a website we need a database where we can store dynamic content which can be queried to automatically build site pages from a template. One of the most common databases is an SQL database, and MySQL has long been the most prevalent Linux SQL software. These days MariaDB, which we installed, has been taking some MySQL marketshare because it is a community developed program instead of MySQL which is now owned by Oracle. The MariaDB software and MySQL software are essentially equivalent, especially for small sites/databases, and the same commands are used interchangeably including using the '''mysql''' command to access them. SQL itself is a standard language for interacting with a specific type of database called a relational database, we'll see why it's called a relational database in a minute. Each database is a collection of data stored in tables. You can think of a table as something like a spreadsheet with rows and columns, except we call the columns fields and the rows records (sometimes we actually call them rows too). The different tables are often related to one another, of course they are usually being used by the same web application, but usually the relationship goes deeper than that as we'll see in a little bit.<br />
<li>Download a sample database</li><br />
: To jumpstart our exploration of databases we'll download a pre-built sample database with a few tables and many records already in it and import it into our MySQL database server. Download the employees database file [https://launchpad.net/test-db/employees-db-1/1.0.6/+download/employees_db-full-1.0.6.tar.bz2 employees_db-full-1.0.6.tar.bz2] (about 26MB) and get it into your home directory. Instead of using the '''links''' browser to do this or downloading to your computer and then pushing this large file back across the Internet with an SCP/SFTP client like FileZilla a better choice might be to learn about the '''wget''' program which can be used like "'''wget https://launchpad.net/test-db/employees-db-1/1.0.6/+download/employees_db-full-1.0.6.tar.bz2'''" to download the file into your current working directory.<br />
<code>wget https://launchpad.net/test-db/employees-db-1/1.0.6/+download/employees_db-full-1.0.6.tar.bz2</code><br />
<li>Unpack the database file</li><br />
: Figure out how to use the '''tar''' program to unpack this .tar.bz2 file. Note that this file uses bz2 compression which takes longer to compress than gzip but can compress the files more. Once unpacked you should have an "employees_db" folder.<br />
<li>Explore the files included with sample database</li><br />
: Inside the ''employees_db'' folder you should have a number of ''.sql'' script files and dump files which can be used to restore the database to your system.<br />
:*Take a look at the ''employees.sql'' file, it's just a text file, which describes the format of the database. <br />
:*Also take a look at the ''load_employees.dump'' file, also just a text file, which contains all of the records from the employees table of the database. :'' NOTE: there are 300,000 some employee records in this database so you probably don't want to just use '''cat''' to view these files as it could take a while to print them out to your screen. Using the '''less''' program would be a better choice as it will allow you to exit viewing the file by pressing q at any time.<br />
<li>Open the MySQL (MariaDB) command line</li><br />
: We can interact with the MySQL/MariaDB server in many different ways. The first way we'll take a look at is through the command line '''mysql''' program. Run the "'''sudo mysql'''" command. <br />
:'' NOTE: that we are running this command with system administrator permissions which allows us to log in to the MySQL server with database administrator permissions as well. The MySQL program actually stores it's own usernames and passwords as a MySQL database itself, you can create and modify these permissions from the mysql command line but we'll learn more about modifying them through the Webmin interface later.<br />
:<code>sudo MySQL</code><br />
<br><br />
:[[File:Lab5_mariadb_cli.png|link=https://wiki.ihitc.net/mediawiki/images/4/4f/Lab5_mariadb_cli.png|500px]]<br />
:[[Media:Lab5_mariadb_cli.png|Click here for a larger image]]<br />
<li>Explore MySQL (MariaDB) Commands</li><br />
: MySQL has it's own command line language the you can use through the "mysql>" prompt you are now running. For example, if we want to see a list of databases on the system we can run "'''SHOW databases;'''" run the command and note the databases that already exist by default.<br />
<code>SHOW databases;</code><br />
:'' NOTE: Each MySQL/MariaDB statement ends with a semicolon (;) if you do not put the semicolon at the end of the line the command will not execute when you press enter and you will be able to continue to add more commands to the statement before finishing with a semicolon. If you accidentally press enter without ending with a semicolon you can just enter a semicolon on the next line and press enter.<br />
<li>Import the sample database</li><br />
: To import the employee database we can use the "'''source employees.sql;'''" command (assuming we were already working in the directory which contains the employees.sql file when we launched mysql. Import the employee database and verify the system now has an employees database.<br />
<code>SOURCE employees.sql;</code><br />
<li>Use the employees database</li><br />
<code>USE employees;</code><br />
: If we want to see all of the tables in the employees database we must first select the database we want to work on using the "'''USE employees;'''" command.<br />
<li>Explore the employee table</li><br />
: Use the "'''SHOW tables;'''" command to see a list of tables.<br />
<code>SHOW tables;</code><br />
<li>View a list of employees in table</li><br />
: To see a list of all the records in a table we need to run a SELECT query "'''SELECT * from ''<tablename>'''''" like "'''SELECT * from employees'''" which will list all the records in the ''employees'' table of the employees database and display them.<br />
<code>SELECT * from employees;</code><br />
<br><br />
:[[File:Lab5_mariadb_show_tables.png|link=https://wiki.ihitc.net/mediawiki/images/d/d5/Lab5_mariadb_show_tables.png|350px]]<br />
:[[Media:Lab5_mariadb_show_tables.png|Click here for a larger image]]<br />
:* Remember that we previously selected to USE the ''employees'' database, this will be remembered until we USE a different database. Try displaying the records in a couple of different tables like employees and departments.<br />
:'' NOTE: The output can be broken by using CTRL-C on your local machine if you do not wish to wait for all of the records to be displayed.<br />
:<br />
: There is much more that we can do from the MySQL/MariaDB command line but that would be a whole class or more itself. The MySQL/MariaDB programs are well documented on the Internet and with these basic skills you should be able to figure out most of it. Remember, the vast majority of what you read about MySQL will also work in MariaDB and vice-versa.<br />
<li>Explore the MySQL interface in Webmin<br />
: Now that you have learned a bit about MySQL databases from the command line let's see how they look in the Webmin web management interface. Log back in to your Webmin interface through a browser on your host system.<br />
:* Because MySQL was not installed when we first setup Webmin you need to "scan for new modules" first. Once that process has finished refresh the page to see that MySQL has been added to the server section of Webmin.<br />
:* Take a look at the Webmin MySQL module and see how MySQL users and permissions are configured.<br />
:* Try browsing through the ''employees'' database using the Webmin interface including viewing tables and records inside of the tables.<br />
<li>Drop database and exit MySQL (MariaDB)</li><br />
:* Go back to your MySQL command line window and run the command "'''DROP DATABASE employees;'''" to delete the entire database.<br />
:* Type "'''exit;'''" to quit the MySQL program and return to a Linux shell.<br />
<br />
:'' NOTE: Obviously, the DROP command is one to be careful with as you can easily wipe out a huge database with one line! <br />
</ol><br />
<br />
==View Logfiles==<br />
<br />
'''''[https://www.youtube.com/watch?v=cxIOQF-eMy0&feature=youtu.be Video Tutorial - Tutorial 5 View Logfiles]'''''<br />
<br />
<ol><br />
: Linux stores most of log files in the ''/var/log'' directory so change your working directory to ''/var/log''.<br />
: Some log files are viewable by all users on the system but other log files may be restricted and you will need to use '''sudo''' to view them.<br />
<li>View last 20 lines in '''/var/log/syslog'''</li><br />
:<code>tail -20 /var/log/syslog</code><br />
:[[File:Lab5_tail.png|link=https://wiki.ihitc.net/mediawiki/images/8/88/Lab5_tail.png|500px]]<br />
:[[Media:Lab5_tail.png|Click here for a larger image]]<br />
: Linux log files are typically standard text files and can be read with standard text file utilities like cat or less. One additional utility which comes in hand is the '''tail''' program which displays the last 10 lines (by default) of a text file and which can be configured to display more or less lines using a command like '''tail -20 /var/log/syslog''' which will display the last 20 lines of the main system log file. The manual page for the '''tail''' command contains additional information like how to use the ''-f'' option to view a log in realtime (exit with Ctrl-C).<br />
<li>Explore some other log files</li><br />
: Take a look at some of the log files on your system and see what kinds of information they contain specifically you should probably look at ''syslog'', ''auth.log'', ''kern.log'', ''apache2/access.log'', and ''apache2/error.log'' <br />
:* Use the tail command to explore these logs<br />
: In order to prevent log files from completely filling your drive old log files are eventually rotated on the system and compressed and then finally deleted. Take a look at some of the rotated log files like ''/var/log/syslog.1'' or ''/var/log/kern.log.1'' which will contain slightly older log entries.<br />
:'' Note: After the first rotated file other files are usually compressed with gzip. You can decompress and view these on the fly using the '''zcat''' program.<br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Mail_server_mnjk&diff=9501Mail server mnjk2021-02-18T02:36:29Z<p>JonQuinn: /* Set Static IP Address */</p>
<hr />
<div>==Introduction==<br />
:This section documents the creation of the Auto-Reply Mail Server. This section will likely be created by an instructor or administrator.<br />
==Mail Server Documentation==<br />
<ol><br />
<li>Power on you Virtual machine</li><br />
<br />
:* This server may reside in the VMware ESXi or NetLab as long as the network configuration allows connection to the course VLAN and student VM's.<br />
<li>Install Debian Linux</li><br />
: Once the system has booted and is on the "Debian GNU/Linux installer menu" choose "Install" and '''not''' "Graphical Install". If you make an incorrect choice you can reboot your virtual machine (power off and on) before installing to get back to the menu.<br />
: In the installer you will use the space bar to select and unselect "checkboxes", the tab key to move between fields and buttons, and the enter key to continue. You will be prompted for the following choices<br />
* Select ''English'' as the language, ''United States'' as your location, and ''American English'' as the keymap.<br />
* Set ''ens192'' as your primary network interface.<br />
* Set a hostname for the system to 2480 followed by a dash and then your pod ID letter, like ''2480-Z'' for LSA Pod Z. If you have forgotten your pod ID letter look up at the top of your screen above the line with the "Topology" and "Linux Server" tabs and you should see a line with "LSA Pod" followed by a letter, that letter is your pod ID letter.<br />
:'' Note: These steps are critical to future success in labs, check your spelling carefully'' <br />
: [[File:Lab1_hostname.png|link=https://wiki.ihitc.net/mediawiki/images/5/57/Lab1_hostname.png|500px]]<br />
: [[Media:Lab1_hostname.png|Click here for a larger image]]<br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
: [[File:Lab1_domainname.png|link=https://wiki.ihitc.net/mediawiki/images/5/5a/Lab1_domainname.png|500px]]<br />
: [[Media:Lab1_domainname.png|Click here for a larger images]]<br />
* Set the root password to something you will NOT FORGET, this is the administrator account, ''cisco'' might be a good choice for our purposes though that would not be secure for a system directly accessible from the Internet (we are protected by a firewall which you are bypassing via the VPN connection)<br />
* Create a new user account by entering your name. The system will automatically use your first name (all lowercase) as the username and then you should set the password to another password you will not forget<br />
* Select your timezone<br />
* Choose "Guided - Use entire disk" as the partitioning method and select the ''sda'' drive and "All files in one partition" as the partitioning scheme, "Finish partitioning and write the changes to the disk", and then finally confirm you want to write the changes.<br />
* You do not want to scan any other CDs or DVDs at this time.<br />
* You want to select a mirror located close to you with good speed. Because your VM is actually running from the campus and is connected to the campus Internet connection a good option is "debian.uchicago.edu" with no http proxy.<br />
* Choose whether you want to participate in the package usage survey, for our purposes either choice is just fine.<br />
* On the software selection screen UNSELECT "Debian desktop environment" and "Print server" and make sure that "SSH server" and "Standard system utilities" are the only two selected options.<br />
:'' Note: To select and unselect options move your cursor over the option and press the space bar.<br />
* Choose that yes you want to install GRUB to the master boot record on the ''/dev/sda'' device.<br />
<li>Complete the installation</li><br />
: When the installation is complete you can select continue to "eject" the virtual CD and reboot into the new install<br />
</ol><br />
<br />
==Install Basic Tools==<br />
<ol><br />
<li>Install '''sudo''' from the command line using:<br />
: ''Note: A good practice is to update your system before installing any packages, this should be completed using '''apt update''', ensure to use '''sudo''' when not logged in as root.<br />
: <code>apt update</code><br />
: <code>apt install sudo</code></li><br />
: For security purposes it is usually the case that you do not want to log in as the root user. Instead, best practice is to log in as a standard user and then execute specific commands that require root access with administrative privileges through the '''sudo''' program. The '''sudo''' program is not installed by default so after you have logged in to the root account enter '''apt update''' and press enter which will update the list of software available for installation and then '''apt install sudo''' and press enter to install the sudo software.<br />
<li>Add sudo privileges to our standard user account.<br />
:<code>adduser <username> sudo</code></li><br />
: We now need to add our standard user account to the group which is allowed to have administrative access to do this enter the command '''sudo adduser ''<username>'' sudo''' and press enter, replacing ''<username>'' with the name of your standard user account (set during the setup process, probably your first name in lowercase). We'll learn more about these commands later in the course.<br />
<li>Reboot system</li><br />
: <code>shutdown -r now</code><br />
: Reboot your system using the '''shutdown -r now''' command to apply the changes<br />
<li>Log in as your standard user account, determine system IP address.<br />
: Once you are logged in use the following command at the command line to determine the IP address of your system<br />
:<code>ip address show</code></li><br />
: Using the '''ip address show''' command will allow you to check the IP address of your system. The IP address should be something like ''172.17.50.xxx'' and be an ''inet'' address on the ''ens192'' adapter.<br />
: [[File:Lab1_ip_address_show2.PNG|500px]]<br />
<li>Test sudo privileges</li><br />
: Try running the same command as the administrator by typing '''sudo ip address show''', you will need to enter in your password again when you run this command.<br />
: <code>sudo ip address show</code><br />
<li>Install '''open-vm-tools'''</li><br />
: Run the '''sudo apt install open-vm-tools''' command to install the vmWare Tools. You will be prompted about several additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
:<code>sudo apt install open-vm-tools</code><br />
<br><br />
<li>Install nmap</li><br />
:Nmap is a tool we will learn more about later in the course but it will likely be used to check many of the labs for completion while working through the course. This course's labwork often builds upon the work you have done in previous labs. The self-check scripts are to assist you in ensuring you have not missed any ''critical'' steps in your work that would affect your success in subsequent labs.<br />
<br />
:''NOTE: Before we begin the installation of this tool it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning of systems which they are not authorized to do. You have been warned!<br />
:*At this time all you will be doing is installing the tool as it will be used to self-check your lab work to verify you are ready to move on to the next lab.<br />
:* Run the following command at the command line.<br />
:<pre>sudo apt install nmap</pre><br />
: Run the '''sudo apt install nmap''' command to install the nmap tool. You will be prompted about additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
<br />
<li>Exit from the local console</li><br />
: To log out of the console type '''exit''' and press enter.<br />
: Because your Debian Linux server is running as a virtual machine on a vmWare host system in order to achieve the best performance and driver integration we should install the vmWare Tools software package in your virtual machine.<br />
</ol><br />
<br />
== Add User "Ping", Install Webmin==<br />
<ol><br />
<li> Create a new user account '''ping''' using the '''adduser''' program</li><br />
: <code> adduser ping</code><br />
<li> Use the '''links''' browser or '''wget''' to download the '''DEB''' package file from '''[https://www.webmin.com www.webmin.com]'''</li><br />
: ''NOTE: Because this DEB file was downloaded directly instead of automatically by APT from a package repository the installation command is slightly different and some other commands such as '''apt show''' will not work.''<br />
<li>Install the package with '''apt install'''<br />
: <code>apt install ./<filename.deb></code><br />
: Don't forget that installation of software must be done with system administrator permissions.''</li><br />
:[[File:Apt-install-webmin.png | link= https://wiki.ihitc.net/mediawiki/images/f/f8/Apt-install-webmin.png | 500px]]<br />
:[[Media:Apt-install-webmin.png | Click for Larger Image]]<br />
: ''NOTE: You can get similar information to what you can get with '''apt show''' from a '''DEB''' package file using the following command:''<br />
: <code>dpkg -I <filename></code><br />
<li> Notice the additional packages which are required by Webmin (dependencies) which will be downloaded and installed by '''apt''' from a repository in order to complete the installation.</li><br />
<li> Open a web browser on your host system and visit https://xxx.xxx.xxx.xxx:10000 where your IP replaces xxx.xxx.xxx.xxx</li><br />
<li> Login using your Debian username and password </li><br />
<li> Explore the Webmin interface<br />
:[[file:Webmin-dashboard.png | link= https://wiki.ihitc.net/mediawiki/images/0/0f/Webmin-dashboard.png | 500px]]<br />
:[[media:Webmin-dashboard.png | Click for Larger Image]]</li><br />
</ol><br />
<br />
==Set Static IP Address==<br />
<br />
: An important first step is to learn how to diferenciate between network interfaces. Take a look at [https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/ this site] and [https://github.com/systemd/systemd/blob/master/src/udev/udev-builtin-net_id.c#L20 this site] to understand how network interface names in Debian 9 and later are identified.<br />
<ol><br />
<li>Set a static IP for your server</li><br />
:* Using your text editor of choice, open up the file ''/etc/network/interfaces''<br />
:* Notice how it is currently set to dhcp for the ''ens192'' interface.<br />
:* To set a static IP, you will need to change ''iface ens192 inet dhcp'' to ''iface ens192 inet static''.<br />
:* Now, under the iface line you just edited, you will need to enter the address, netmask, and gateway for the static network.<br />
:''' Reminder: it is common practice to indent (tab) static network configuration information in the interfaces file.<br />
'' Note: Your configuration should be similar to this:<br />
<pre>allow-hotplug ens192<br />
iface ens192 inet static<br />
address xxx.xxx.xxx.xxx<br />
netmask 255.255.255.0<br />
gateway 172.17.50.1<br />
dns-nameservers 172.17.139.11 172.17.139.111</pre><br />
: * Now save the file, and exit your file editor.<br />
<li>Apply your static IP address</li><br />
: * Now we are going to apply the static IP change. Try using '''ip address show''' to view your active configuration now and you should see that your old address is still active.<br />
:''NOTE: You should only make network configuration changes when you have physical access to a machine. This way, if you mess up your configuration you will be able to fix it from a local console.''' If you lose working SSH access to your system after making these changes you'll need to connect in through the NetLab console interface (which is equivalent to physical access) and find and correct your configuration issues.<br />
:* Using the '''ifdown''' and '''ifup''' command, we are going to restart the network interface, this step is required to apply the change.<br />
'' Note: A good method to watch this change is to have to ping windows open on your local machine ping both your old IP address and your new IP address with a '''ping 172.17.50.xx -t''' this will allow you to see how quickly the change will happen. The first image below is with the DHCP address, the second is after the static address is applied.<br />
:[[File:Lab5_ping_ifup_ifdown.png|link=https://wiki.ihitc.net/mediawiki/images/2/2f/Lab5_ping_ifup_ifdown.png|500px]]<br />
:[[Media:Lab5_ping_ifup_ifdown.png|Click here for a larger image]]<br />
:* In a SSH terminal, run '''sudo ifdown ens192 && sudo ifup ens192'''. Notice the two ''&&'' symbols. This tells the Linux shell that it should run the second command right after the first. If we do not define this, then we would be left with a machine that has its networking turned off.<br />
: <code>sudo ifdown ens192 && sudo ifup ens192</code><br />
'' Note: you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
:* At this point, your machine should now be using a static address. You may receive an error message indicating that an address cannot be assigned which is related to your old DHCP address still being on the interface as well. Use '''ip address show''' to verify the new IP address is assigned to the interface.<br />
<li>Verify the new static IP address</li><br />
:* Used a '''ping''' command from your local PC to try pinging both the old DHCP address as well as your new static address of your VM. <br />
:* Once you have verified the VM is responding on the new static IP address reboot the system to ensure the old DHCP address is removed by restarting your VM with '''sudo shutdown -r now''' Note you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
<li>Reconnect through SSH to your new IP address and verify it is now applied using the '''ip address show''' command.</li><br />
</ol><br />
<br />
==DNS Section==<br />
<br />
<br />
==Auto Reply Configuration==<br />
<ol><br />
<li>Install vacation</li><br />
: Vacation is a Linux package that will auto-respond to received emails for the receiving users. <br />
<code>sudo apt install vacation</code><br />
<li>Run the vacation program in the profile you wish to set up the reply message from</li><br />
<code>vacation</code><br />
<li>Follow the prompts, for now reply with the default answer (Y)</li><br />
: [[File:MAILSVR_vaca_prompts.png|link=https://wiki.ihitc.net/mediawiki/images/7/76/MAILSVR_vaca_prompts.png|500px]]<br />
: [[Media:MAILSVR_vaca_prompts.png|Click here for a larger image]]<br />
<li>Edit the vacation.msg file</li><br />
<code>nano vacation.msg</code> <br />
: [[File:MAILSVR_vaca_msg.png|link=https://wiki.ihitc.net/mediawiki/images/b/b9/MAILSVR_vaca_msg.png|500px]]<br />
: [[Media:MAILSVR_vaca_msg.png|Click for a larger image]]<br />
:* Enter the message that you would like to have in the auto-response.<br />
<li>Set the response to auto mail every message</li><br />
: The default response is every one week to send an auto-reply, for our use it is important to reply to every email.<br />
<code>vacation -i -r 0</code><br />
: ''NOTE: It is important to understand this command sets the auto-reply delay. Using the '''-r 0''' sets the vacation program to reply to EVERY message it receives. In a production environment, this is not recommended as it can create mail loops.<br />
<li>Test your reply message from the CLI '''mailutils''' package or the MTA chosen to use on client computers</li><br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Mail_server_mnjk&diff=9500Mail server mnjk2021-02-18T02:34:57Z<p>JonQuinn: /* Add User "Ping", Install Webmin */</p>
<hr />
<div>==Introduction==<br />
:This section documents the creation of the Auto-Reply Mail Server. This section will likely be created by an instructor or administrator.<br />
==Mail Server Documentation==<br />
<ol><br />
<li>Power on you Virtual machine</li><br />
<br />
:* This server may reside in the VMware ESXi or NetLab as long as the network configuration allows connection to the course VLAN and student VM's.<br />
<li>Install Debian Linux</li><br />
: Once the system has booted and is on the "Debian GNU/Linux installer menu" choose "Install" and '''not''' "Graphical Install". If you make an incorrect choice you can reboot your virtual machine (power off and on) before installing to get back to the menu.<br />
: In the installer you will use the space bar to select and unselect "checkboxes", the tab key to move between fields and buttons, and the enter key to continue. You will be prompted for the following choices<br />
* Select ''English'' as the language, ''United States'' as your location, and ''American English'' as the keymap.<br />
* Set ''ens192'' as your primary network interface.<br />
* Set a hostname for the system to 2480 followed by a dash and then your pod ID letter, like ''2480-Z'' for LSA Pod Z. If you have forgotten your pod ID letter look up at the top of your screen above the line with the "Topology" and "Linux Server" tabs and you should see a line with "LSA Pod" followed by a letter, that letter is your pod ID letter.<br />
:'' Note: These steps are critical to future success in labs, check your spelling carefully'' <br />
: [[File:Lab1_hostname.png|link=https://wiki.ihitc.net/mediawiki/images/5/57/Lab1_hostname.png|500px]]<br />
: [[Media:Lab1_hostname.png|Click here for a larger image]]<br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
: [[File:Lab1_domainname.png|link=https://wiki.ihitc.net/mediawiki/images/5/5a/Lab1_domainname.png|500px]]<br />
: [[Media:Lab1_domainname.png|Click here for a larger images]]<br />
* Set the root password to something you will NOT FORGET, this is the administrator account, ''cisco'' might be a good choice for our purposes though that would not be secure for a system directly accessible from the Internet (we are protected by a firewall which you are bypassing via the VPN connection)<br />
* Create a new user account by entering your name. The system will automatically use your first name (all lowercase) as the username and then you should set the password to another password you will not forget<br />
* Select your timezone<br />
* Choose "Guided - Use entire disk" as the partitioning method and select the ''sda'' drive and "All files in one partition" as the partitioning scheme, "Finish partitioning and write the changes to the disk", and then finally confirm you want to write the changes.<br />
* You do not want to scan any other CDs or DVDs at this time.<br />
* You want to select a mirror located close to you with good speed. Because your VM is actually running from the campus and is connected to the campus Internet connection a good option is "debian.uchicago.edu" with no http proxy.<br />
* Choose whether you want to participate in the package usage survey, for our purposes either choice is just fine.<br />
* On the software selection screen UNSELECT "Debian desktop environment" and "Print server" and make sure that "SSH server" and "Standard system utilities" are the only two selected options.<br />
:'' Note: To select and unselect options move your cursor over the option and press the space bar.<br />
* Choose that yes you want to install GRUB to the master boot record on the ''/dev/sda'' device.<br />
<li>Complete the installation</li><br />
: When the installation is complete you can select continue to "eject" the virtual CD and reboot into the new install<br />
</ol><br />
<br />
==Install Basic Tools==<br />
<ol><br />
<li>Install '''sudo''' from the command line using:<br />
: ''Note: A good practice is to update your system before installing any packages, this should be completed using '''apt update''', ensure to use '''sudo''' when not logged in as root.<br />
: <code>apt update</code><br />
: <code>apt install sudo</code></li><br />
: For security purposes it is usually the case that you do not want to log in as the root user. Instead, best practice is to log in as a standard user and then execute specific commands that require root access with administrative privileges through the '''sudo''' program. The '''sudo''' program is not installed by default so after you have logged in to the root account enter '''apt update''' and press enter which will update the list of software available for installation and then '''apt install sudo''' and press enter to install the sudo software.<br />
<li>Add sudo privileges to our standard user account.<br />
:<code>adduser <username> sudo</code></li><br />
: We now need to add our standard user account to the group which is allowed to have administrative access to do this enter the command '''sudo adduser ''<username>'' sudo''' and press enter, replacing ''<username>'' with the name of your standard user account (set during the setup process, probably your first name in lowercase). We'll learn more about these commands later in the course.<br />
<li>Reboot system</li><br />
: <code>shutdown -r now</code><br />
: Reboot your system using the '''shutdown -r now''' command to apply the changes<br />
<li>Log in as your standard user account, determine system IP address.<br />
: Once you are logged in use the following command at the command line to determine the IP address of your system<br />
:<code>ip address show</code></li><br />
: Using the '''ip address show''' command will allow you to check the IP address of your system. The IP address should be something like ''172.17.50.xxx'' and be an ''inet'' address on the ''ens192'' adapter.<br />
: [[File:Lab1_ip_address_show2.PNG|500px]]<br />
<li>Test sudo privileges</li><br />
: Try running the same command as the administrator by typing '''sudo ip address show''', you will need to enter in your password again when you run this command.<br />
: <code>sudo ip address show</code><br />
<li>Install '''open-vm-tools'''</li><br />
: Run the '''sudo apt install open-vm-tools''' command to install the vmWare Tools. You will be prompted about several additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
:<code>sudo apt install open-vm-tools</code><br />
<br><br />
<li>Install nmap</li><br />
:Nmap is a tool we will learn more about later in the course but it will likely be used to check many of the labs for completion while working through the course. This course's labwork often builds upon the work you have done in previous labs. The self-check scripts are to assist you in ensuring you have not missed any ''critical'' steps in your work that would affect your success in subsequent labs.<br />
<br />
:''NOTE: Before we begin the installation of this tool it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning of systems which they are not authorized to do. You have been warned!<br />
:*At this time all you will be doing is installing the tool as it will be used to self-check your lab work to verify you are ready to move on to the next lab.<br />
:* Run the following command at the command line.<br />
:<pre>sudo apt install nmap</pre><br />
: Run the '''sudo apt install nmap''' command to install the nmap tool. You will be prompted about additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
<br />
<li>Exit from the local console</li><br />
: To log out of the console type '''exit''' and press enter.<br />
: Because your Debian Linux server is running as a virtual machine on a vmWare host system in order to achieve the best performance and driver integration we should install the vmWare Tools software package in your virtual machine.<br />
</ol><br />
<br />
== Add User "Ping", Install Webmin==<br />
<ol><br />
<li> Create a new user account '''ping''' using the '''adduser''' program</li><br />
: <code> adduser ping</code><br />
<li> Use the '''links''' browser or '''wget''' to download the '''DEB''' package file from '''[https://www.webmin.com www.webmin.com]'''</li><br />
: ''NOTE: Because this DEB file was downloaded directly instead of automatically by APT from a package repository the installation command is slightly different and some other commands such as '''apt show''' will not work.''<br />
<li>Install the package with '''apt install'''<br />
: <code>apt install ./<filename.deb></code><br />
: Don't forget that installation of software must be done with system administrator permissions.''</li><br />
:[[File:Apt-install-webmin.png | link= https://wiki.ihitc.net/mediawiki/images/f/f8/Apt-install-webmin.png | 500px]]<br />
:[[Media:Apt-install-webmin.png | Click for Larger Image]]<br />
: ''NOTE: You can get similar information to what you can get with '''apt show''' from a '''DEB''' package file using the following command:''<br />
: <code>dpkg -I <filename></code><br />
<li> Notice the additional packages which are required by Webmin (dependencies) which will be downloaded and installed by '''apt''' from a repository in order to complete the installation.</li><br />
<li> Open a web browser on your host system and visit https://xxx.xxx.xxx.xxx:10000 where your IP replaces xxx.xxx.xxx.xxx</li><br />
<li> Login using your Debian username and password </li><br />
<li> Explore the Webmin interface<br />
:[[file:Webmin-dashboard.png | link= https://wiki.ihitc.net/mediawiki/images/0/0f/Webmin-dashboard.png | 500px]]<br />
:[[media:Webmin-dashboard.png | Click for Larger Image]]</li><br />
</ol><br />
<br />
==Set Static IP Address==<br />
<br />
: An important first step is to learn how to diferenciate between network interfaces. Take a look at [https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/ this site] and [https://github.com/systemd/systemd/blob/master/src/udev/udev-builtin-net_id.c#L20 this site] to understand how network interface names in Debian 9 and later are identified.<br />
<ol><br />
<li>Set a static IP for your server</li><br />
* Using your text editor of choice, open up the file ''/etc/network/interfaces''<br />
* Notice how it is currently set to dhcp for the ''ens192'' interface.<br />
* To set a static IP, you will need to change ''iface ens192 inet dhcp'' to ''iface ens192 inet static''.<br />
* Now, under the iface line you just edited, you will need to enter the address, netmask, and gateway for the static network.<br />
:''' Reminder: it is common practice to indent (tab) static network configuration information in the interfaces file.<br />
'' Note: Your configuration should be similar to this:<br />
<pre>allow-hotplug ens192<br />
iface ens192 inet static<br />
address xxx.xxx.xxx.xxx<br />
netmask 255.255.255.0<br />
gateway 172.17.50.1<br />
dns-nameservers 172.17.139.11 172.17.139.111</pre><br />
* Now save the file, and exit your file editor.<br />
<li>Apply your static IP address</li><br />
* Now we are going to apply the static IP change. Try using '''ip address show''' to view your active configuration now and you should see that your old address is still active.<br />
'''NOTE: You should only make network configuration changes when you have physical access to a machine. This way, if you mess up your configuration you will be able to fix it from a local console.''' If you lose working SSH access to your system after making these changes you'll need to connect in through the NetLab console interface (which is equivalent to physical access) and find and correct your configuration issues.<br />
* Using the '''ifdown''' and '''ifup''' command, we are going to restart the network interface, this step is required to apply the change.<br />
'' Note: A good method to watch this change is to have to ping windows open on your local machine ping both your old IP address and your new IP address with a '''ping 172.17.50.xx -t''' this will allow you to see how quickly the change will happen. The first image below is with the DHCP address, the second is after the static address is applied.<br />
:[[File:Lab5_ping_ifup_ifdown.png|link=https://wiki.ihitc.net/mediawiki/images/2/2f/Lab5_ping_ifup_ifdown.png|500px]]<br />
:[[Media:Lab5_ping_ifup_ifdown.png|Click here for a larger image]]<br />
* In a SSH terminal, run '''sudo ifdown ens192 && sudo ifup ens192'''. Notice the two ''&&'' symbols. This tells the Linux shell that it should run the second command right after the first. If we do not define this, then we would be left with a machine that has its networking turned off.<br />
: <code>sudo ifdown ens192 && sudo ifup ens192</code><br />
'' Note: you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
* At this point, your machine should now be using a static address. You may receive an error message indicating that an address cannot be assigned which is related to your old DHCP address still being on the interface as well. Use '''ip address show''' to verify the new IP address is assigned to the interface.<br />
<li>Verify the new static IP address</li><br />
* Used a '''ping''' command from your local PC to try pinging both the old DHCP address as well as your new static address of your VM. <br />
* Once you have verified the VM is responding on the new static IP address reboot the system to ensure the old DHCP address is removed by restarting your VM with '''sudo shutdown -r now''' Note you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
<li>Reconnect through SSH to your new IP address and verify it is now applied using the '''ip address show''' command.</li><br />
</ol><br />
<br />
==DNS Section==<br />
<br />
<br />
==Auto Reply Configuration==<br />
<ol><br />
<li>Install vacation</li><br />
: Vacation is a Linux package that will auto-respond to received emails for the receiving users. <br />
<code>sudo apt install vacation</code><br />
<li>Run the vacation program in the profile you wish to set up the reply message from</li><br />
<code>vacation</code><br />
<li>Follow the prompts, for now reply with the default answer (Y)</li><br />
: [[File:MAILSVR_vaca_prompts.png|link=https://wiki.ihitc.net/mediawiki/images/7/76/MAILSVR_vaca_prompts.png|500px]]<br />
: [[Media:MAILSVR_vaca_prompts.png|Click here for a larger image]]<br />
<li>Edit the vacation.msg file</li><br />
<code>nano vacation.msg</code> <br />
: [[File:MAILSVR_vaca_msg.png|link=https://wiki.ihitc.net/mediawiki/images/b/b9/MAILSVR_vaca_msg.png|500px]]<br />
: [[Media:MAILSVR_vaca_msg.png|Click for a larger image]]<br />
:* Enter the message that you would like to have in the auto-response.<br />
<li>Set the response to auto mail every message</li><br />
: The default response is every one week to send an auto-reply, for our use it is important to reply to every email.<br />
<code>vacation -i -r 0</code><br />
: ''NOTE: It is important to understand this command sets the auto-reply delay. Using the '''-r 0''' sets the vacation program to reply to EVERY message it receives. In a production environment, this is not recommended as it can create mail loops.<br />
<li>Test your reply message from the CLI '''mailutils''' package or the MTA chosen to use on client computers</li><br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Mail_server_mnjk&diff=9499Mail server mnjk2021-02-18T02:34:43Z<p>JonQuinn: /* Add User "Ping", Install Webmin */</p>
<hr />
<div>==Introduction==<br />
:This section documents the creation of the Auto-Reply Mail Server. This section will likely be created by an instructor or administrator.<br />
==Mail Server Documentation==<br />
<ol><br />
<li>Power on you Virtual machine</li><br />
<br />
:* This server may reside in the VMware ESXi or NetLab as long as the network configuration allows connection to the course VLAN and student VM's.<br />
<li>Install Debian Linux</li><br />
: Once the system has booted and is on the "Debian GNU/Linux installer menu" choose "Install" and '''not''' "Graphical Install". If you make an incorrect choice you can reboot your virtual machine (power off and on) before installing to get back to the menu.<br />
: In the installer you will use the space bar to select and unselect "checkboxes", the tab key to move between fields and buttons, and the enter key to continue. You will be prompted for the following choices<br />
* Select ''English'' as the language, ''United States'' as your location, and ''American English'' as the keymap.<br />
* Set ''ens192'' as your primary network interface.<br />
* Set a hostname for the system to 2480 followed by a dash and then your pod ID letter, like ''2480-Z'' for LSA Pod Z. If you have forgotten your pod ID letter look up at the top of your screen above the line with the "Topology" and "Linux Server" tabs and you should see a line with "LSA Pod" followed by a letter, that letter is your pod ID letter.<br />
:'' Note: These steps are critical to future success in labs, check your spelling carefully'' <br />
: [[File:Lab1_hostname.png|link=https://wiki.ihitc.net/mediawiki/images/5/57/Lab1_hostname.png|500px]]<br />
: [[Media:Lab1_hostname.png|Click here for a larger image]]<br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
: [[File:Lab1_domainname.png|link=https://wiki.ihitc.net/mediawiki/images/5/5a/Lab1_domainname.png|500px]]<br />
: [[Media:Lab1_domainname.png|Click here for a larger images]]<br />
* Set the root password to something you will NOT FORGET, this is the administrator account, ''cisco'' might be a good choice for our purposes though that would not be secure for a system directly accessible from the Internet (we are protected by a firewall which you are bypassing via the VPN connection)<br />
* Create a new user account by entering your name. The system will automatically use your first name (all lowercase) as the username and then you should set the password to another password you will not forget<br />
* Select your timezone<br />
* Choose "Guided - Use entire disk" as the partitioning method and select the ''sda'' drive and "All files in one partition" as the partitioning scheme, "Finish partitioning and write the changes to the disk", and then finally confirm you want to write the changes.<br />
* You do not want to scan any other CDs or DVDs at this time.<br />
* You want to select a mirror located close to you with good speed. Because your VM is actually running from the campus and is connected to the campus Internet connection a good option is "debian.uchicago.edu" with no http proxy.<br />
* Choose whether you want to participate in the package usage survey, for our purposes either choice is just fine.<br />
* On the software selection screen UNSELECT "Debian desktop environment" and "Print server" and make sure that "SSH server" and "Standard system utilities" are the only two selected options.<br />
:'' Note: To select and unselect options move your cursor over the option and press the space bar.<br />
* Choose that yes you want to install GRUB to the master boot record on the ''/dev/sda'' device.<br />
<li>Complete the installation</li><br />
: When the installation is complete you can select continue to "eject" the virtual CD and reboot into the new install<br />
</ol><br />
<br />
==Install Basic Tools==<br />
<ol><br />
<li>Install '''sudo''' from the command line using:<br />
: ''Note: A good practice is to update your system before installing any packages, this should be completed using '''apt update''', ensure to use '''sudo''' when not logged in as root.<br />
: <code>apt update</code><br />
: <code>apt install sudo</code></li><br />
: For security purposes it is usually the case that you do not want to log in as the root user. Instead, best practice is to log in as a standard user and then execute specific commands that require root access with administrative privileges through the '''sudo''' program. The '''sudo''' program is not installed by default so after you have logged in to the root account enter '''apt update''' and press enter which will update the list of software available for installation and then '''apt install sudo''' and press enter to install the sudo software.<br />
<li>Add sudo privileges to our standard user account.<br />
:<code>adduser <username> sudo</code></li><br />
: We now need to add our standard user account to the group which is allowed to have administrative access to do this enter the command '''sudo adduser ''<username>'' sudo''' and press enter, replacing ''<username>'' with the name of your standard user account (set during the setup process, probably your first name in lowercase). We'll learn more about these commands later in the course.<br />
<li>Reboot system</li><br />
: <code>shutdown -r now</code><br />
: Reboot your system using the '''shutdown -r now''' command to apply the changes<br />
<li>Log in as your standard user account, determine system IP address.<br />
: Once you are logged in use the following command at the command line to determine the IP address of your system<br />
:<code>ip address show</code></li><br />
: Using the '''ip address show''' command will allow you to check the IP address of your system. The IP address should be something like ''172.17.50.xxx'' and be an ''inet'' address on the ''ens192'' adapter.<br />
: [[File:Lab1_ip_address_show2.PNG|500px]]<br />
<li>Test sudo privileges</li><br />
: Try running the same command as the administrator by typing '''sudo ip address show''', you will need to enter in your password again when you run this command.<br />
: <code>sudo ip address show</code><br />
<li>Install '''open-vm-tools'''</li><br />
: Run the '''sudo apt install open-vm-tools''' command to install the vmWare Tools. You will be prompted about several additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
:<code>sudo apt install open-vm-tools</code><br />
<br><br />
<li>Install nmap</li><br />
:Nmap is a tool we will learn more about later in the course but it will likely be used to check many of the labs for completion while working through the course. This course's labwork often builds upon the work you have done in previous labs. The self-check scripts are to assist you in ensuring you have not missed any ''critical'' steps in your work that would affect your success in subsequent labs.<br />
<br />
:''NOTE: Before we begin the installation of this tool it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning of systems which they are not authorized to do. You have been warned!<br />
:*At this time all you will be doing is installing the tool as it will be used to self-check your lab work to verify you are ready to move on to the next lab.<br />
:* Run the following command at the command line.<br />
:<pre>sudo apt install nmap</pre><br />
: Run the '''sudo apt install nmap''' command to install the nmap tool. You will be prompted about additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
<br />
<li>Exit from the local console</li><br />
: To log out of the console type '''exit''' and press enter.<br />
: Because your Debian Linux server is running as a virtual machine on a vmWare host system in order to achieve the best performance and driver integration we should install the vmWare Tools software package in your virtual machine.<br />
</ol><br />
<br />
== Add User "Ping", Install Webmin==<br />
<ol><br />
<li> Create a new user account '''ping''' using the '''adduser''' program</li><br />
: <code> adduser ping</code><br />
<li> Use the '''links''' browser or wget to download the '''DEB''' package file from '''[https://www.webmin.com www.webmin.com]'''</li><br />
: ''NOTE: Because this DEB file was downloaded directly instead of automatically by APT from a package repository the installation command is slightly different and some other commands such as '''apt show''' will not work.''<br />
<li>Install the package with '''apt install'''<br />
: <code>apt install ./<filename.deb></code><br />
: Don't forget that installation of software must be done with system administrator permissions.''</li><br />
:[[File:Apt-install-webmin.png | link= https://wiki.ihitc.net/mediawiki/images/f/f8/Apt-install-webmin.png | 500px]]<br />
:[[Media:Apt-install-webmin.png | Click for Larger Image]]<br />
: ''NOTE: You can get similar information to what you can get with '''apt show''' from a '''DEB''' package file using the following command:''<br />
: <code>dpkg -I <filename></code><br />
<li> Notice the additional packages which are required by Webmin (dependencies) which will be downloaded and installed by '''apt''' from a repository in order to complete the installation.</li><br />
<li> Open a web browser on your host system and visit https://xxx.xxx.xxx.xxx:10000 where your IP replaces xxx.xxx.xxx.xxx</li><br />
<li> Login using your Debian username and password </li><br />
<li> Explore the Webmin interface<br />
:[[file:Webmin-dashboard.png | link= https://wiki.ihitc.net/mediawiki/images/0/0f/Webmin-dashboard.png | 500px]]<br />
:[[media:Webmin-dashboard.png | Click for Larger Image]]</li><br />
</ol><br />
<br />
==Set Static IP Address==<br />
<br />
: An important first step is to learn how to diferenciate between network interfaces. Take a look at [https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/ this site] and [https://github.com/systemd/systemd/blob/master/src/udev/udev-builtin-net_id.c#L20 this site] to understand how network interface names in Debian 9 and later are identified.<br />
<ol><br />
<li>Set a static IP for your server</li><br />
* Using your text editor of choice, open up the file ''/etc/network/interfaces''<br />
* Notice how it is currently set to dhcp for the ''ens192'' interface.<br />
* To set a static IP, you will need to change ''iface ens192 inet dhcp'' to ''iface ens192 inet static''.<br />
* Now, under the iface line you just edited, you will need to enter the address, netmask, and gateway for the static network.<br />
:''' Reminder: it is common practice to indent (tab) static network configuration information in the interfaces file.<br />
'' Note: Your configuration should be similar to this:<br />
<pre>allow-hotplug ens192<br />
iface ens192 inet static<br />
address xxx.xxx.xxx.xxx<br />
netmask 255.255.255.0<br />
gateway 172.17.50.1<br />
dns-nameservers 172.17.139.11 172.17.139.111</pre><br />
* Now save the file, and exit your file editor.<br />
<li>Apply your static IP address</li><br />
* Now we are going to apply the static IP change. Try using '''ip address show''' to view your active configuration now and you should see that your old address is still active.<br />
'''NOTE: You should only make network configuration changes when you have physical access to a machine. This way, if you mess up your configuration you will be able to fix it from a local console.''' If you lose working SSH access to your system after making these changes you'll need to connect in through the NetLab console interface (which is equivalent to physical access) and find and correct your configuration issues.<br />
* Using the '''ifdown''' and '''ifup''' command, we are going to restart the network interface, this step is required to apply the change.<br />
'' Note: A good method to watch this change is to have to ping windows open on your local machine ping both your old IP address and your new IP address with a '''ping 172.17.50.xx -t''' this will allow you to see how quickly the change will happen. The first image below is with the DHCP address, the second is after the static address is applied.<br />
:[[File:Lab5_ping_ifup_ifdown.png|link=https://wiki.ihitc.net/mediawiki/images/2/2f/Lab5_ping_ifup_ifdown.png|500px]]<br />
:[[Media:Lab5_ping_ifup_ifdown.png|Click here for a larger image]]<br />
* In a SSH terminal, run '''sudo ifdown ens192 && sudo ifup ens192'''. Notice the two ''&&'' symbols. This tells the Linux shell that it should run the second command right after the first. If we do not define this, then we would be left with a machine that has its networking turned off.<br />
: <code>sudo ifdown ens192 && sudo ifup ens192</code><br />
'' Note: you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
* At this point, your machine should now be using a static address. You may receive an error message indicating that an address cannot be assigned which is related to your old DHCP address still being on the interface as well. Use '''ip address show''' to verify the new IP address is assigned to the interface.<br />
<li>Verify the new static IP address</li><br />
* Used a '''ping''' command from your local PC to try pinging both the old DHCP address as well as your new static address of your VM. <br />
* Once you have verified the VM is responding on the new static IP address reboot the system to ensure the old DHCP address is removed by restarting your VM with '''sudo shutdown -r now''' Note you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
<li>Reconnect through SSH to your new IP address and verify it is now applied using the '''ip address show''' command.</li><br />
</ol><br />
<br />
==DNS Section==<br />
<br />
<br />
==Auto Reply Configuration==<br />
<ol><br />
<li>Install vacation</li><br />
: Vacation is a Linux package that will auto-respond to received emails for the receiving users. <br />
<code>sudo apt install vacation</code><br />
<li>Run the vacation program in the profile you wish to set up the reply message from</li><br />
<code>vacation</code><br />
<li>Follow the prompts, for now reply with the default answer (Y)</li><br />
: [[File:MAILSVR_vaca_prompts.png|link=https://wiki.ihitc.net/mediawiki/images/7/76/MAILSVR_vaca_prompts.png|500px]]<br />
: [[Media:MAILSVR_vaca_prompts.png|Click here for a larger image]]<br />
<li>Edit the vacation.msg file</li><br />
<code>nano vacation.msg</code> <br />
: [[File:MAILSVR_vaca_msg.png|link=https://wiki.ihitc.net/mediawiki/images/b/b9/MAILSVR_vaca_msg.png|500px]]<br />
: [[Media:MAILSVR_vaca_msg.png|Click for a larger image]]<br />
:* Enter the message that you would like to have in the auto-response.<br />
<li>Set the response to auto mail every message</li><br />
: The default response is every one week to send an auto-reply, for our use it is important to reply to every email.<br />
<code>vacation -i -r 0</code><br />
: ''NOTE: It is important to understand this command sets the auto-reply delay. Using the '''-r 0''' sets the vacation program to reply to EVERY message it receives. In a production environment, this is not recommended as it can create mail loops.<br />
<li>Test your reply message from the CLI '''mailutils''' package or the MTA chosen to use on client computers</li><br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Mail_server_mnjk&diff=9498Mail server mnjk2021-02-18T02:34:04Z<p>JonQuinn: /* Add User "Ping", Install Webmin */</p>
<hr />
<div>==Introduction==<br />
:This section documents the creation of the Auto-Reply Mail Server. This section will likely be created by an instructor or administrator.<br />
==Mail Server Documentation==<br />
<ol><br />
<li>Power on you Virtual machine</li><br />
<br />
:* This server may reside in the VMware ESXi or NetLab as long as the network configuration allows connection to the course VLAN and student VM's.<br />
<li>Install Debian Linux</li><br />
: Once the system has booted and is on the "Debian GNU/Linux installer menu" choose "Install" and '''not''' "Graphical Install". If you make an incorrect choice you can reboot your virtual machine (power off and on) before installing to get back to the menu.<br />
: In the installer you will use the space bar to select and unselect "checkboxes", the tab key to move between fields and buttons, and the enter key to continue. You will be prompted for the following choices<br />
* Select ''English'' as the language, ''United States'' as your location, and ''American English'' as the keymap.<br />
* Set ''ens192'' as your primary network interface.<br />
* Set a hostname for the system to 2480 followed by a dash and then your pod ID letter, like ''2480-Z'' for LSA Pod Z. If you have forgotten your pod ID letter look up at the top of your screen above the line with the "Topology" and "Linux Server" tabs and you should see a line with "LSA Pod" followed by a letter, that letter is your pod ID letter.<br />
:'' Note: These steps are critical to future success in labs, check your spelling carefully'' <br />
: [[File:Lab1_hostname.png|link=https://wiki.ihitc.net/mediawiki/images/5/57/Lab1_hostname.png|500px]]<br />
: [[Media:Lab1_hostname.png|Click here for a larger image]]<br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
: [[File:Lab1_domainname.png|link=https://wiki.ihitc.net/mediawiki/images/5/5a/Lab1_domainname.png|500px]]<br />
: [[Media:Lab1_domainname.png|Click here for a larger images]]<br />
* Set the root password to something you will NOT FORGET, this is the administrator account, ''cisco'' might be a good choice for our purposes though that would not be secure for a system directly accessible from the Internet (we are protected by a firewall which you are bypassing via the VPN connection)<br />
* Create a new user account by entering your name. The system will automatically use your first name (all lowercase) as the username and then you should set the password to another password you will not forget<br />
* Select your timezone<br />
* Choose "Guided - Use entire disk" as the partitioning method and select the ''sda'' drive and "All files in one partition" as the partitioning scheme, "Finish partitioning and write the changes to the disk", and then finally confirm you want to write the changes.<br />
* You do not want to scan any other CDs or DVDs at this time.<br />
* You want to select a mirror located close to you with good speed. Because your VM is actually running from the campus and is connected to the campus Internet connection a good option is "debian.uchicago.edu" with no http proxy.<br />
* Choose whether you want to participate in the package usage survey, for our purposes either choice is just fine.<br />
* On the software selection screen UNSELECT "Debian desktop environment" and "Print server" and make sure that "SSH server" and "Standard system utilities" are the only two selected options.<br />
:'' Note: To select and unselect options move your cursor over the option and press the space bar.<br />
* Choose that yes you want to install GRUB to the master boot record on the ''/dev/sda'' device.<br />
<li>Complete the installation</li><br />
: When the installation is complete you can select continue to "eject" the virtual CD and reboot into the new install<br />
</ol><br />
<br />
==Install Basic Tools==<br />
<ol><br />
<li>Install '''sudo''' from the command line using:<br />
: ''Note: A good practice is to update your system before installing any packages, this should be completed using '''apt update''', ensure to use '''sudo''' when not logged in as root.<br />
: <code>apt update</code><br />
: <code>apt install sudo</code></li><br />
: For security purposes it is usually the case that you do not want to log in as the root user. Instead, best practice is to log in as a standard user and then execute specific commands that require root access with administrative privileges through the '''sudo''' program. The '''sudo''' program is not installed by default so after you have logged in to the root account enter '''apt update''' and press enter which will update the list of software available for installation and then '''apt install sudo''' and press enter to install the sudo software.<br />
<li>Add sudo privileges to our standard user account.<br />
:<code>adduser <username> sudo</code></li><br />
: We now need to add our standard user account to the group which is allowed to have administrative access to do this enter the command '''sudo adduser ''<username>'' sudo''' and press enter, replacing ''<username>'' with the name of your standard user account (set during the setup process, probably your first name in lowercase). We'll learn more about these commands later in the course.<br />
<li>Reboot system</li><br />
: <code>shutdown -r now</code><br />
: Reboot your system using the '''shutdown -r now''' command to apply the changes<br />
<li>Log in as your standard user account, determine system IP address.<br />
: Once you are logged in use the following command at the command line to determine the IP address of your system<br />
:<code>ip address show</code></li><br />
: Using the '''ip address show''' command will allow you to check the IP address of your system. The IP address should be something like ''172.17.50.xxx'' and be an ''inet'' address on the ''ens192'' adapter.<br />
: [[File:Lab1_ip_address_show2.PNG|500px]]<br />
<li>Test sudo privileges</li><br />
: Try running the same command as the administrator by typing '''sudo ip address show''', you will need to enter in your password again when you run this command.<br />
: <code>sudo ip address show</code><br />
<li>Install '''open-vm-tools'''</li><br />
: Run the '''sudo apt install open-vm-tools''' command to install the vmWare Tools. You will be prompted about several additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
:<code>sudo apt install open-vm-tools</code><br />
<br><br />
<li>Install nmap</li><br />
:Nmap is a tool we will learn more about later in the course but it will likely be used to check many of the labs for completion while working through the course. This course's labwork often builds upon the work you have done in previous labs. The self-check scripts are to assist you in ensuring you have not missed any ''critical'' steps in your work that would affect your success in subsequent labs.<br />
<br />
:''NOTE: Before we begin the installation of this tool it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning of systems which they are not authorized to do. You have been warned!<br />
:*At this time all you will be doing is installing the tool as it will be used to self-check your lab work to verify you are ready to move on to the next lab.<br />
:* Run the following command at the command line.<br />
:<pre>sudo apt install nmap</pre><br />
: Run the '''sudo apt install nmap''' command to install the nmap tool. You will be prompted about additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
<br />
<li>Exit from the local console</li><br />
: To log out of the console type '''exit''' and press enter.<br />
: Because your Debian Linux server is running as a virtual machine on a vmWare host system in order to achieve the best performance and driver integration we should install the vmWare Tools software package in your virtual machine.<br />
</ol><br />
<br />
== Add User "Ping", Install Webmin==<br />
<ol><br />
<li> Create a new user account '''ping''' using the '''adduser''' program</li><br />
: <code> adduser ping</code><br />
<li> Use the '''links''' browser to download the '''DEB''' package file from '''[https://www.webmin.com www.webmin.com]'''</li><br />
: ''NOTE: Because this DEB file was downloaded directly instead of automatically by APT from a package repository the installation command is slightly different and some other commands such as '''apt show''' will not work.''<br />
<li>Install the package with '''apt install'''<br />
: <code>apt install ./<filename.deb></code><br />
: Don't forget that installation of software must be done with system administrator permissions.''</li><br />
:[[File:Apt-install-webmin.png | link= https://wiki.ihitc.net/mediawiki/images/f/f8/Apt-install-webmin.png | 500px]]<br />
:[[Media:Apt-install-webmin.png | Click for Larger Image]]<br />
: ''NOTE: You can get similar information to what you can get with '''apt show''' from a '''DEB''' package file using the following command:''<br />
: <code>dpkg -I <filename></code><br />
<li> Notice the additional packages which are required by Webmin (dependencies) which will be downloaded and installed by '''apt''' from a repository in order to complete the installation.</li><br />
<li> Open a web browser on your host system and visit https://xxx.xxx.xxx.xxx:10000 where your IP replaces xxx.xxx.xxx.xxx</li><br />
<li> Login using your Debian username and password </li><br />
<li> Explore the Webmin interface<br />
:[[file:Webmin-dashboard.png | link= https://wiki.ihitc.net/mediawiki/images/0/0f/Webmin-dashboard.png | 500px]]<br />
:[[media:Webmin-dashboard.png | Click for Larger Image]]</li><br />
</ol><br />
<br />
==Set Static IP Address==<br />
<br />
: An important first step is to learn how to diferenciate between network interfaces. Take a look at [https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/ this site] and [https://github.com/systemd/systemd/blob/master/src/udev/udev-builtin-net_id.c#L20 this site] to understand how network interface names in Debian 9 and later are identified.<br />
<ol><br />
<li>Set a static IP for your server</li><br />
* Using your text editor of choice, open up the file ''/etc/network/interfaces''<br />
* Notice how it is currently set to dhcp for the ''ens192'' interface.<br />
* To set a static IP, you will need to change ''iface ens192 inet dhcp'' to ''iface ens192 inet static''.<br />
* Now, under the iface line you just edited, you will need to enter the address, netmask, and gateway for the static network.<br />
:''' Reminder: it is common practice to indent (tab) static network configuration information in the interfaces file.<br />
'' Note: Your configuration should be similar to this:<br />
<pre>allow-hotplug ens192<br />
iface ens192 inet static<br />
address xxx.xxx.xxx.xxx<br />
netmask 255.255.255.0<br />
gateway 172.17.50.1<br />
dns-nameservers 172.17.139.11 172.17.139.111</pre><br />
* Now save the file, and exit your file editor.<br />
<li>Apply your static IP address</li><br />
* Now we are going to apply the static IP change. Try using '''ip address show''' to view your active configuration now and you should see that your old address is still active.<br />
'''NOTE: You should only make network configuration changes when you have physical access to a machine. This way, if you mess up your configuration you will be able to fix it from a local console.''' If you lose working SSH access to your system after making these changes you'll need to connect in through the NetLab console interface (which is equivalent to physical access) and find and correct your configuration issues.<br />
* Using the '''ifdown''' and '''ifup''' command, we are going to restart the network interface, this step is required to apply the change.<br />
'' Note: A good method to watch this change is to have to ping windows open on your local machine ping both your old IP address and your new IP address with a '''ping 172.17.50.xx -t''' this will allow you to see how quickly the change will happen. The first image below is with the DHCP address, the second is after the static address is applied.<br />
:[[File:Lab5_ping_ifup_ifdown.png|link=https://wiki.ihitc.net/mediawiki/images/2/2f/Lab5_ping_ifup_ifdown.png|500px]]<br />
:[[Media:Lab5_ping_ifup_ifdown.png|Click here for a larger image]]<br />
* In a SSH terminal, run '''sudo ifdown ens192 && sudo ifup ens192'''. Notice the two ''&&'' symbols. This tells the Linux shell that it should run the second command right after the first. If we do not define this, then we would be left with a machine that has its networking turned off.<br />
: <code>sudo ifdown ens192 && sudo ifup ens192</code><br />
'' Note: you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
* At this point, your machine should now be using a static address. You may receive an error message indicating that an address cannot be assigned which is related to your old DHCP address still being on the interface as well. Use '''ip address show''' to verify the new IP address is assigned to the interface.<br />
<li>Verify the new static IP address</li><br />
* Used a '''ping''' command from your local PC to try pinging both the old DHCP address as well as your new static address of your VM. <br />
* Once you have verified the VM is responding on the new static IP address reboot the system to ensure the old DHCP address is removed by restarting your VM with '''sudo shutdown -r now''' Note you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
<li>Reconnect through SSH to your new IP address and verify it is now applied using the '''ip address show''' command.</li><br />
</ol><br />
<br />
==DNS Section==<br />
<br />
<br />
==Auto Reply Configuration==<br />
<ol><br />
<li>Install vacation</li><br />
: Vacation is a Linux package that will auto-respond to received emails for the receiving users. <br />
<code>sudo apt install vacation</code><br />
<li>Run the vacation program in the profile you wish to set up the reply message from</li><br />
<code>vacation</code><br />
<li>Follow the prompts, for now reply with the default answer (Y)</li><br />
: [[File:MAILSVR_vaca_prompts.png|link=https://wiki.ihitc.net/mediawiki/images/7/76/MAILSVR_vaca_prompts.png|500px]]<br />
: [[Media:MAILSVR_vaca_prompts.png|Click here for a larger image]]<br />
<li>Edit the vacation.msg file</li><br />
<code>nano vacation.msg</code> <br />
: [[File:MAILSVR_vaca_msg.png|link=https://wiki.ihitc.net/mediawiki/images/b/b9/MAILSVR_vaca_msg.png|500px]]<br />
: [[Media:MAILSVR_vaca_msg.png|Click for a larger image]]<br />
:* Enter the message that you would like to have in the auto-response.<br />
<li>Set the response to auto mail every message</li><br />
: The default response is every one week to send an auto-reply, for our use it is important to reply to every email.<br />
<code>vacation -i -r 0</code><br />
: ''NOTE: It is important to understand this command sets the auto-reply delay. Using the '''-r 0''' sets the vacation program to reply to EVERY message it receives. In a production environment, this is not recommended as it can create mail loops.<br />
<li>Test your reply message from the CLI '''mailutils''' package or the MTA chosen to use on client computers</li><br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Mail_server_mnjk&diff=9497Mail server mnjk2021-02-18T02:33:08Z<p>JonQuinn: /* Add User "Ping", Install Webmin */</p>
<hr />
<div>==Introduction==<br />
:This section documents the creation of the Auto-Reply Mail Server. This section will likely be created by an instructor or administrator.<br />
==Mail Server Documentation==<br />
<ol><br />
<li>Power on you Virtual machine</li><br />
<br />
:* This server may reside in the VMware ESXi or NetLab as long as the network configuration allows connection to the course VLAN and student VM's.<br />
<li>Install Debian Linux</li><br />
: Once the system has booted and is on the "Debian GNU/Linux installer menu" choose "Install" and '''not''' "Graphical Install". If you make an incorrect choice you can reboot your virtual machine (power off and on) before installing to get back to the menu.<br />
: In the installer you will use the space bar to select and unselect "checkboxes", the tab key to move between fields and buttons, and the enter key to continue. You will be prompted for the following choices<br />
* Select ''English'' as the language, ''United States'' as your location, and ''American English'' as the keymap.<br />
* Set ''ens192'' as your primary network interface.<br />
* Set a hostname for the system to 2480 followed by a dash and then your pod ID letter, like ''2480-Z'' for LSA Pod Z. If you have forgotten your pod ID letter look up at the top of your screen above the line with the "Topology" and "Linux Server" tabs and you should see a line with "LSA Pod" followed by a letter, that letter is your pod ID letter.<br />
:'' Note: These steps are critical to future success in labs, check your spelling carefully'' <br />
: [[File:Lab1_hostname.png|link=https://wiki.ihitc.net/mediawiki/images/5/57/Lab1_hostname.png|500px]]<br />
: [[Media:Lab1_hostname.png|Click here for a larger image]]<br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
: [[File:Lab1_domainname.png|link=https://wiki.ihitc.net/mediawiki/images/5/5a/Lab1_domainname.png|500px]]<br />
: [[Media:Lab1_domainname.png|Click here for a larger images]]<br />
* Set the root password to something you will NOT FORGET, this is the administrator account, ''cisco'' might be a good choice for our purposes though that would not be secure for a system directly accessible from the Internet (we are protected by a firewall which you are bypassing via the VPN connection)<br />
* Create a new user account by entering your name. The system will automatically use your first name (all lowercase) as the username and then you should set the password to another password you will not forget<br />
* Select your timezone<br />
* Choose "Guided - Use entire disk" as the partitioning method and select the ''sda'' drive and "All files in one partition" as the partitioning scheme, "Finish partitioning and write the changes to the disk", and then finally confirm you want to write the changes.<br />
* You do not want to scan any other CDs or DVDs at this time.<br />
* You want to select a mirror located close to you with good speed. Because your VM is actually running from the campus and is connected to the campus Internet connection a good option is "debian.uchicago.edu" with no http proxy.<br />
* Choose whether you want to participate in the package usage survey, for our purposes either choice is just fine.<br />
* On the software selection screen UNSELECT "Debian desktop environment" and "Print server" and make sure that "SSH server" and "Standard system utilities" are the only two selected options.<br />
:'' Note: To select and unselect options move your cursor over the option and press the space bar.<br />
* Choose that yes you want to install GRUB to the master boot record on the ''/dev/sda'' device.<br />
<li>Complete the installation</li><br />
: When the installation is complete you can select continue to "eject" the virtual CD and reboot into the new install<br />
</ol><br />
<br />
==Install Basic Tools==<br />
<ol><br />
<li>Install '''sudo''' from the command line using:<br />
: ''Note: A good practice is to update your system before installing any packages, this should be completed using '''apt update''', ensure to use '''sudo''' when not logged in as root.<br />
: <code>apt update</code><br />
: <code>apt install sudo</code></li><br />
: For security purposes it is usually the case that you do not want to log in as the root user. Instead, best practice is to log in as a standard user and then execute specific commands that require root access with administrative privileges through the '''sudo''' program. The '''sudo''' program is not installed by default so after you have logged in to the root account enter '''apt update''' and press enter which will update the list of software available for installation and then '''apt install sudo''' and press enter to install the sudo software.<br />
<li>Add sudo privileges to our standard user account.<br />
:<code>adduser <username> sudo</code></li><br />
: We now need to add our standard user account to the group which is allowed to have administrative access to do this enter the command '''sudo adduser ''<username>'' sudo''' and press enter, replacing ''<username>'' with the name of your standard user account (set during the setup process, probably your first name in lowercase). We'll learn more about these commands later in the course.<br />
<li>Reboot system</li><br />
: <code>shutdown -r now</code><br />
: Reboot your system using the '''shutdown -r now''' command to apply the changes<br />
<li>Log in as your standard user account, determine system IP address.<br />
: Once you are logged in use the following command at the command line to determine the IP address of your system<br />
:<code>ip address show</code></li><br />
: Using the '''ip address show''' command will allow you to check the IP address of your system. The IP address should be something like ''172.17.50.xxx'' and be an ''inet'' address on the ''ens192'' adapter.<br />
: [[File:Lab1_ip_address_show2.PNG|500px]]<br />
<li>Test sudo privileges</li><br />
: Try running the same command as the administrator by typing '''sudo ip address show''', you will need to enter in your password again when you run this command.<br />
: <code>sudo ip address show</code><br />
<li>Install '''open-vm-tools'''</li><br />
: Run the '''sudo apt install open-vm-tools''' command to install the vmWare Tools. You will be prompted about several additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
:<code>sudo apt install open-vm-tools</code><br />
<br><br />
<li>Install nmap</li><br />
:Nmap is a tool we will learn more about later in the course but it will likely be used to check many of the labs for completion while working through the course. This course's labwork often builds upon the work you have done in previous labs. The self-check scripts are to assist you in ensuring you have not missed any ''critical'' steps in your work that would affect your success in subsequent labs.<br />
<br />
:''NOTE: Before we begin the installation of this tool it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning of systems which they are not authorized to do. You have been warned!<br />
:*At this time all you will be doing is installing the tool as it will be used to self-check your lab work to verify you are ready to move on to the next lab.<br />
:* Run the following command at the command line.<br />
:<pre>sudo apt install nmap</pre><br />
: Run the '''sudo apt install nmap''' command to install the nmap tool. You will be prompted about additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
<br />
<li>Exit from the local console</li><br />
: To log out of the console type '''exit''' and press enter.<br />
: Because your Debian Linux server is running as a virtual machine on a vmWare host system in order to achieve the best performance and driver integration we should install the vmWare Tools software package in your virtual machine.<br />
</ol><br />
<br />
== Add User "Ping", Install Webmin==<br />
<ol><br />
<li> Create a new user account '''ping''' using the '''adduser''' program</li><br />
<code> adduser ping</code><br />
<li> Use the '''links''' browser to download the '''DEB''' package file from '''[https://www.webmin.com www.webmin.com]'''</li><br />
: ''NOTE: Because this DEB file was downloaded directly instead of automatically by APT from a package repository the installation command is slightly different and some other commands such as '''apt show''' will not work.''<br />
<li>Install the package with '''apt install'''<br />
<code>apt install ./<filename.deb></code><br />
: Don't forget that installation of software must be done with system administrator permissions.''</li><br />
:[[File:Apt-install-webmin.png | link= https://wiki.ihitc.net/mediawiki/images/f/f8/Apt-install-webmin.png | 500px]]<br />
:[[Media:Apt-install-webmin.png | Click for Larger Image]]<br />
: ''NOTE: You can get similar information to what you can get with '''apt show''' from a '''DEB''' package file using the following command:''<br />
: <code>dpkg -I <filename></code><br />
<li> Notice the additional packages which are required by Webmin (dependencies) which will be downloaded and installed by '''apt''' from a repository in order to complete the installation.</li><br />
<li> Open a web browser on your host system and visit https://xxx.xxx.xxx.xxx:10000 where your IP replaces xxx.xxx.xxx.xxx</li><br />
<li> Login using your Debian username and password </li><br />
<li> Explore the Webmin interface<br />
:[[file:Webmin-dashboard.png | link= https://wiki.ihitc.net/mediawiki/images/0/0f/Webmin-dashboard.png | 500px]]<br />
:[[media:Webmin-dashboard.png | Click for Larger Image]]</li><br />
</ol><br />
<br />
==Set Static IP Address==<br />
<br />
: An important first step is to learn how to diferenciate between network interfaces. Take a look at [https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/ this site] and [https://github.com/systemd/systemd/blob/master/src/udev/udev-builtin-net_id.c#L20 this site] to understand how network interface names in Debian 9 and later are identified.<br />
<ol><br />
<li>Set a static IP for your server</li><br />
* Using your text editor of choice, open up the file ''/etc/network/interfaces''<br />
* Notice how it is currently set to dhcp for the ''ens192'' interface.<br />
* To set a static IP, you will need to change ''iface ens192 inet dhcp'' to ''iface ens192 inet static''.<br />
* Now, under the iface line you just edited, you will need to enter the address, netmask, and gateway for the static network.<br />
:''' Reminder: it is common practice to indent (tab) static network configuration information in the interfaces file.<br />
'' Note: Your configuration should be similar to this:<br />
<pre>allow-hotplug ens192<br />
iface ens192 inet static<br />
address xxx.xxx.xxx.xxx<br />
netmask 255.255.255.0<br />
gateway 172.17.50.1<br />
dns-nameservers 172.17.139.11 172.17.139.111</pre><br />
* Now save the file, and exit your file editor.<br />
<li>Apply your static IP address</li><br />
* Now we are going to apply the static IP change. Try using '''ip address show''' to view your active configuration now and you should see that your old address is still active.<br />
'''NOTE: You should only make network configuration changes when you have physical access to a machine. This way, if you mess up your configuration you will be able to fix it from a local console.''' If you lose working SSH access to your system after making these changes you'll need to connect in through the NetLab console interface (which is equivalent to physical access) and find and correct your configuration issues.<br />
* Using the '''ifdown''' and '''ifup''' command, we are going to restart the network interface, this step is required to apply the change.<br />
'' Note: A good method to watch this change is to have to ping windows open on your local machine ping both your old IP address and your new IP address with a '''ping 172.17.50.xx -t''' this will allow you to see how quickly the change will happen. The first image below is with the DHCP address, the second is after the static address is applied.<br />
:[[File:Lab5_ping_ifup_ifdown.png|link=https://wiki.ihitc.net/mediawiki/images/2/2f/Lab5_ping_ifup_ifdown.png|500px]]<br />
:[[Media:Lab5_ping_ifup_ifdown.png|Click here for a larger image]]<br />
* In a SSH terminal, run '''sudo ifdown ens192 && sudo ifup ens192'''. Notice the two ''&&'' symbols. This tells the Linux shell that it should run the second command right after the first. If we do not define this, then we would be left with a machine that has its networking turned off.<br />
: <code>sudo ifdown ens192 && sudo ifup ens192</code><br />
'' Note: you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
* At this point, your machine should now be using a static address. You may receive an error message indicating that an address cannot be assigned which is related to your old DHCP address still being on the interface as well. Use '''ip address show''' to verify the new IP address is assigned to the interface.<br />
<li>Verify the new static IP address</li><br />
* Used a '''ping''' command from your local PC to try pinging both the old DHCP address as well as your new static address of your VM. <br />
* Once you have verified the VM is responding on the new static IP address reboot the system to ensure the old DHCP address is removed by restarting your VM with '''sudo shutdown -r now''' Note you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
<li>Reconnect through SSH to your new IP address and verify it is now applied using the '''ip address show''' command.</li><br />
</ol><br />
<br />
==DNS Section==<br />
<br />
<br />
==Auto Reply Configuration==<br />
<ol><br />
<li>Install vacation</li><br />
: Vacation is a Linux package that will auto-respond to received emails for the receiving users. <br />
<code>sudo apt install vacation</code><br />
<li>Run the vacation program in the profile you wish to set up the reply message from</li><br />
<code>vacation</code><br />
<li>Follow the prompts, for now reply with the default answer (Y)</li><br />
: [[File:MAILSVR_vaca_prompts.png|link=https://wiki.ihitc.net/mediawiki/images/7/76/MAILSVR_vaca_prompts.png|500px]]<br />
: [[Media:MAILSVR_vaca_prompts.png|Click here for a larger image]]<br />
<li>Edit the vacation.msg file</li><br />
<code>nano vacation.msg</code> <br />
: [[File:MAILSVR_vaca_msg.png|link=https://wiki.ihitc.net/mediawiki/images/b/b9/MAILSVR_vaca_msg.png|500px]]<br />
: [[Media:MAILSVR_vaca_msg.png|Click for a larger image]]<br />
:* Enter the message that you would like to have in the auto-response.<br />
<li>Set the response to auto mail every message</li><br />
: The default response is every one week to send an auto-reply, for our use it is important to reply to every email.<br />
<code>vacation -i -r 0</code><br />
: ''NOTE: It is important to understand this command sets the auto-reply delay. Using the '''-r 0''' sets the vacation program to reply to EVERY message it receives. In a production environment, this is not recommended as it can create mail loops.<br />
<li>Test your reply message from the CLI '''mailutils''' package or the MTA chosen to use on client computers</li><br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Mail_server_mnjk&diff=9496Mail server mnjk2021-02-18T02:32:33Z<p>JonQuinn: /* Install Basic Tools */</p>
<hr />
<div>==Introduction==<br />
:This section documents the creation of the Auto-Reply Mail Server. This section will likely be created by an instructor or administrator.<br />
==Mail Server Documentation==<br />
<ol><br />
<li>Power on you Virtual machine</li><br />
<br />
:* This server may reside in the VMware ESXi or NetLab as long as the network configuration allows connection to the course VLAN and student VM's.<br />
<li>Install Debian Linux</li><br />
: Once the system has booted and is on the "Debian GNU/Linux installer menu" choose "Install" and '''not''' "Graphical Install". If you make an incorrect choice you can reboot your virtual machine (power off and on) before installing to get back to the menu.<br />
: In the installer you will use the space bar to select and unselect "checkboxes", the tab key to move between fields and buttons, and the enter key to continue. You will be prompted for the following choices<br />
* Select ''English'' as the language, ''United States'' as your location, and ''American English'' as the keymap.<br />
* Set ''ens192'' as your primary network interface.<br />
* Set a hostname for the system to 2480 followed by a dash and then your pod ID letter, like ''2480-Z'' for LSA Pod Z. If you have forgotten your pod ID letter look up at the top of your screen above the line with the "Topology" and "Linux Server" tabs and you should see a line with "LSA Pod" followed by a letter, that letter is your pod ID letter.<br />
:'' Note: These steps are critical to future success in labs, check your spelling carefully'' <br />
: [[File:Lab1_hostname.png|link=https://wiki.ihitc.net/mediawiki/images/5/57/Lab1_hostname.png|500px]]<br />
: [[Media:Lab1_hostname.png|Click here for a larger image]]<br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
: [[File:Lab1_domainname.png|link=https://wiki.ihitc.net/mediawiki/images/5/5a/Lab1_domainname.png|500px]]<br />
: [[Media:Lab1_domainname.png|Click here for a larger images]]<br />
* Set the root password to something you will NOT FORGET, this is the administrator account, ''cisco'' might be a good choice for our purposes though that would not be secure for a system directly accessible from the Internet (we are protected by a firewall which you are bypassing via the VPN connection)<br />
* Create a new user account by entering your name. The system will automatically use your first name (all lowercase) as the username and then you should set the password to another password you will not forget<br />
* Select your timezone<br />
* Choose "Guided - Use entire disk" as the partitioning method and select the ''sda'' drive and "All files in one partition" as the partitioning scheme, "Finish partitioning and write the changes to the disk", and then finally confirm you want to write the changes.<br />
* You do not want to scan any other CDs or DVDs at this time.<br />
* You want to select a mirror located close to you with good speed. Because your VM is actually running from the campus and is connected to the campus Internet connection a good option is "debian.uchicago.edu" with no http proxy.<br />
* Choose whether you want to participate in the package usage survey, for our purposes either choice is just fine.<br />
* On the software selection screen UNSELECT "Debian desktop environment" and "Print server" and make sure that "SSH server" and "Standard system utilities" are the only two selected options.<br />
:'' Note: To select and unselect options move your cursor over the option and press the space bar.<br />
* Choose that yes you want to install GRUB to the master boot record on the ''/dev/sda'' device.<br />
<li>Complete the installation</li><br />
: When the installation is complete you can select continue to "eject" the virtual CD and reboot into the new install<br />
</ol><br />
<br />
==Install Basic Tools==<br />
<ol><br />
<li>Install '''sudo''' from the command line using:<br />
: ''Note: A good practice is to update your system before installing any packages, this should be completed using '''apt update''', ensure to use '''sudo''' when not logged in as root.<br />
: <code>apt update</code><br />
: <code>apt install sudo</code></li><br />
: For security purposes it is usually the case that you do not want to log in as the root user. Instead, best practice is to log in as a standard user and then execute specific commands that require root access with administrative privileges through the '''sudo''' program. The '''sudo''' program is not installed by default so after you have logged in to the root account enter '''apt update''' and press enter which will update the list of software available for installation and then '''apt install sudo''' and press enter to install the sudo software.<br />
<li>Add sudo privileges to our standard user account.<br />
:<code>adduser <username> sudo</code></li><br />
: We now need to add our standard user account to the group which is allowed to have administrative access to do this enter the command '''sudo adduser ''<username>'' sudo''' and press enter, replacing ''<username>'' with the name of your standard user account (set during the setup process, probably your first name in lowercase). We'll learn more about these commands later in the course.<br />
<li>Reboot system</li><br />
: <code>shutdown -r now</code><br />
: Reboot your system using the '''shutdown -r now''' command to apply the changes<br />
<li>Log in as your standard user account, determine system IP address.<br />
: Once you are logged in use the following command at the command line to determine the IP address of your system<br />
:<code>ip address show</code></li><br />
: Using the '''ip address show''' command will allow you to check the IP address of your system. The IP address should be something like ''172.17.50.xxx'' and be an ''inet'' address on the ''ens192'' adapter.<br />
: [[File:Lab1_ip_address_show2.PNG|500px]]<br />
<li>Test sudo privileges</li><br />
: Try running the same command as the administrator by typing '''sudo ip address show''', you will need to enter in your password again when you run this command.<br />
: <code>sudo ip address show</code><br />
<li>Install '''open-vm-tools'''</li><br />
: Run the '''sudo apt install open-vm-tools''' command to install the vmWare Tools. You will be prompted about several additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
:<code>sudo apt install open-vm-tools</code><br />
<br><br />
<li>Install nmap</li><br />
:Nmap is a tool we will learn more about later in the course but it will likely be used to check many of the labs for completion while working through the course. This course's labwork often builds upon the work you have done in previous labs. The self-check scripts are to assist you in ensuring you have not missed any ''critical'' steps in your work that would affect your success in subsequent labs.<br />
<br />
:''NOTE: Before we begin the installation of this tool it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning of systems which they are not authorized to do. You have been warned!<br />
:*At this time all you will be doing is installing the tool as it will be used to self-check your lab work to verify you are ready to move on to the next lab.<br />
:* Run the following command at the command line.<br />
:<pre>sudo apt install nmap</pre><br />
: Run the '''sudo apt install nmap''' command to install the nmap tool. You will be prompted about additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
<br />
<li>Exit from the local console</li><br />
: To log out of the console type '''exit''' and press enter.<br />
: Because your Debian Linux server is running as a virtual machine on a vmWare host system in order to achieve the best performance and driver integration we should install the vmWare Tools software package in your virtual machine.<br />
</ol><br />
<br />
== Add User "Ping", Install Webmin==<br />
<ol><br />
<li> Create a new user account '''jsmith''' using the '''adduser''' program</li><br />
<code> adduser jsmith </code><br />
<li> Use the '''links''' browser to download the '''DEB''' package file from '''[https://www.webmin.com www.webmin.com]'''</li><br />
: ''NOTE: Because this DEB file was downloaded directly instead of automatically by APT from a package repository the installation command is slightly different and some other commands such as '''apt show''' will not work.''<br />
<li>Install the package with '''apt install'''<br />
<code>apt install ./<filename.deb></code><br />
: Don't forget that installation of software must be done with system administrator permissions.''</li><br />
:[[File:Apt-install-webmin.png | link= https://wiki.ihitc.net/mediawiki/images/f/f8/Apt-install-webmin.png | 500px]]<br />
:[[Media:Apt-install-webmin.png | Click for Larger Image]]<br />
: ''NOTE: You can get similar information to what you can get with '''apt show''' from a '''DEB''' package file using the following command:''<br />
: <code>dpkg -I <filename></code><br />
<li> Notice the additional packages which are required by Webmin (dependencies) which will be downloaded and installed by '''apt''' from a repository in order to complete the installation.</li><br />
<li> Open a web browser on your host system and visit https://xxx.xxx.xxx.xxx:10000 where your IP replaces xxx.xxx.xxx.xxx</li><br />
<li> Login using your Debian username and password </li><br />
<li> Explore the Webmin interface<br />
:[[file:Webmin-dashboard.png | link= https://wiki.ihitc.net/mediawiki/images/0/0f/Webmin-dashboard.png | 500px]]<br />
:[[media:Webmin-dashboard.png | Click for Larger Image]]</li><br />
</ol><br />
==Set Static IP Address==<br />
<br />
: An important first step is to learn how to diferenciate between network interfaces. Take a look at [https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/ this site] and [https://github.com/systemd/systemd/blob/master/src/udev/udev-builtin-net_id.c#L20 this site] to understand how network interface names in Debian 9 and later are identified.<br />
<ol><br />
<li>Set a static IP for your server</li><br />
* Using your text editor of choice, open up the file ''/etc/network/interfaces''<br />
* Notice how it is currently set to dhcp for the ''ens192'' interface.<br />
* To set a static IP, you will need to change ''iface ens192 inet dhcp'' to ''iface ens192 inet static''.<br />
* Now, under the iface line you just edited, you will need to enter the address, netmask, and gateway for the static network.<br />
:''' Reminder: it is common practice to indent (tab) static network configuration information in the interfaces file.<br />
'' Note: Your configuration should be similar to this:<br />
<pre>allow-hotplug ens192<br />
iface ens192 inet static<br />
address xxx.xxx.xxx.xxx<br />
netmask 255.255.255.0<br />
gateway 172.17.50.1<br />
dns-nameservers 172.17.139.11 172.17.139.111</pre><br />
* Now save the file, and exit your file editor.<br />
<li>Apply your static IP address</li><br />
* Now we are going to apply the static IP change. Try using '''ip address show''' to view your active configuration now and you should see that your old address is still active.<br />
'''NOTE: You should only make network configuration changes when you have physical access to a machine. This way, if you mess up your configuration you will be able to fix it from a local console.''' If you lose working SSH access to your system after making these changes you'll need to connect in through the NetLab console interface (which is equivalent to physical access) and find and correct your configuration issues.<br />
* Using the '''ifdown''' and '''ifup''' command, we are going to restart the network interface, this step is required to apply the change.<br />
'' Note: A good method to watch this change is to have to ping windows open on your local machine ping both your old IP address and your new IP address with a '''ping 172.17.50.xx -t''' this will allow you to see how quickly the change will happen. The first image below is with the DHCP address, the second is after the static address is applied.<br />
:[[File:Lab5_ping_ifup_ifdown.png|link=https://wiki.ihitc.net/mediawiki/images/2/2f/Lab5_ping_ifup_ifdown.png|500px]]<br />
:[[Media:Lab5_ping_ifup_ifdown.png|Click here for a larger image]]<br />
* In a SSH terminal, run '''sudo ifdown ens192 && sudo ifup ens192'''. Notice the two ''&&'' symbols. This tells the Linux shell that it should run the second command right after the first. If we do not define this, then we would be left with a machine that has its networking turned off.<br />
: <code>sudo ifdown ens192 && sudo ifup ens192</code><br />
'' Note: you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
* At this point, your machine should now be using a static address. You may receive an error message indicating that an address cannot be assigned which is related to your old DHCP address still being on the interface as well. Use '''ip address show''' to verify the new IP address is assigned to the interface.<br />
<li>Verify the new static IP address</li><br />
* Used a '''ping''' command from your local PC to try pinging both the old DHCP address as well as your new static address of your VM. <br />
* Once you have verified the VM is responding on the new static IP address reboot the system to ensure the old DHCP address is removed by restarting your VM with '''sudo shutdown -r now''' Note you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
<li>Reconnect through SSH to your new IP address and verify it is now applied using the '''ip address show''' command.</li><br />
</ol><br />
<br />
==DNS Section==<br />
<br />
<br />
==Auto Reply Configuration==<br />
<ol><br />
<li>Install vacation</li><br />
: Vacation is a Linux package that will auto-respond to received emails for the receiving users. <br />
<code>sudo apt install vacation</code><br />
<li>Run the vacation program in the profile you wish to set up the reply message from</li><br />
<code>vacation</code><br />
<li>Follow the prompts, for now reply with the default answer (Y)</li><br />
: [[File:MAILSVR_vaca_prompts.png|link=https://wiki.ihitc.net/mediawiki/images/7/76/MAILSVR_vaca_prompts.png|500px]]<br />
: [[Media:MAILSVR_vaca_prompts.png|Click here for a larger image]]<br />
<li>Edit the vacation.msg file</li><br />
<code>nano vacation.msg</code> <br />
: [[File:MAILSVR_vaca_msg.png|link=https://wiki.ihitc.net/mediawiki/images/b/b9/MAILSVR_vaca_msg.png|500px]]<br />
: [[Media:MAILSVR_vaca_msg.png|Click for a larger image]]<br />
:* Enter the message that you would like to have in the auto-response.<br />
<li>Set the response to auto mail every message</li><br />
: The default response is every one week to send an auto-reply, for our use it is important to reply to every email.<br />
<code>vacation -i -r 0</code><br />
: ''NOTE: It is important to understand this command sets the auto-reply delay. Using the '''-r 0''' sets the vacation program to reply to EVERY message it receives. In a production environment, this is not recommended as it can create mail loops.<br />
<li>Test your reply message from the CLI '''mailutils''' package or the MTA chosen to use on client computers</li><br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Mail_server_mnjk&diff=9495Mail server mnjk2021-02-18T02:31:09Z<p>JonQuinn: /* Install Basic Tools */</p>
<hr />
<div>==Introduction==<br />
:This section documents the creation of the Auto-Reply Mail Server. This section will likely be created by an instructor or administrator.<br />
==Mail Server Documentation==<br />
<ol><br />
<li>Power on you Virtual machine</li><br />
<br />
:* This server may reside in the VMware ESXi or NetLab as long as the network configuration allows connection to the course VLAN and student VM's.<br />
<li>Install Debian Linux</li><br />
: Once the system has booted and is on the "Debian GNU/Linux installer menu" choose "Install" and '''not''' "Graphical Install". If you make an incorrect choice you can reboot your virtual machine (power off and on) before installing to get back to the menu.<br />
: In the installer you will use the space bar to select and unselect "checkboxes", the tab key to move between fields and buttons, and the enter key to continue. You will be prompted for the following choices<br />
* Select ''English'' as the language, ''United States'' as your location, and ''American English'' as the keymap.<br />
* Set ''ens192'' as your primary network interface.<br />
* Set a hostname for the system to 2480 followed by a dash and then your pod ID letter, like ''2480-Z'' for LSA Pod Z. If you have forgotten your pod ID letter look up at the top of your screen above the line with the "Topology" and "Linux Server" tabs and you should see a line with "LSA Pod" followed by a letter, that letter is your pod ID letter.<br />
:'' Note: These steps are critical to future success in labs, check your spelling carefully'' <br />
: [[File:Lab1_hostname.png|link=https://wiki.ihitc.net/mediawiki/images/5/57/Lab1_hostname.png|500px]]<br />
: [[Media:Lab1_hostname.png|Click here for a larger image]]<br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
: [[File:Lab1_domainname.png|link=https://wiki.ihitc.net/mediawiki/images/5/5a/Lab1_domainname.png|500px]]<br />
: [[Media:Lab1_domainname.png|Click here for a larger images]]<br />
* Set the root password to something you will NOT FORGET, this is the administrator account, ''cisco'' might be a good choice for our purposes though that would not be secure for a system directly accessible from the Internet (we are protected by a firewall which you are bypassing via the VPN connection)<br />
* Create a new user account by entering your name. The system will automatically use your first name (all lowercase) as the username and then you should set the password to another password you will not forget<br />
* Select your timezone<br />
* Choose "Guided - Use entire disk" as the partitioning method and select the ''sda'' drive and "All files in one partition" as the partitioning scheme, "Finish partitioning and write the changes to the disk", and then finally confirm you want to write the changes.<br />
* You do not want to scan any other CDs or DVDs at this time.<br />
* You want to select a mirror located close to you with good speed. Because your VM is actually running from the campus and is connected to the campus Internet connection a good option is "debian.uchicago.edu" with no http proxy.<br />
* Choose whether you want to participate in the package usage survey, for our purposes either choice is just fine.<br />
* On the software selection screen UNSELECT "Debian desktop environment" and "Print server" and make sure that "SSH server" and "Standard system utilities" are the only two selected options.<br />
:'' Note: To select and unselect options move your cursor over the option and press the space bar.<br />
* Choose that yes you want to install GRUB to the master boot record on the ''/dev/sda'' device.<br />
<li>Complete the installation</li><br />
: When the installation is complete you can select continue to "eject" the virtual CD and reboot into the new install<br />
</ol><br />
<br />
==Install Basic Tools==<br />
<ol><br />
<li>Install '''sudo''' from the command line using:<br />
: ''Note: A good practice is to update your system before installing any packages, this should be completed using '''apt update''', ensure to use '''sudo''' when not logged in as root.<br />
: <code>apt update</code><br />
: <code>apt install sudo</code></li><br />
: For security purposes it is usually the case that you do not want to log in as the root user. Instead, best practice is to log in as a standard user and then execute specific commands that require root access with administrative privileges through the '''sudo''' program. The '''sudo''' program is not installed by default so after you have logged in to the root account enter '''apt update''' and press enter which will update the list of software available for installation and then '''apt install sudo''' and press enter to install the sudo software.<br />
<li>Add sudo privileges to our standard user account.<br />
:<code>adduser <username> sudo</code></li><br />
: We now need to add our standard user account to the group which is allowed to have administrative access to do this enter the command '''sudo adduser ''<username>'' sudo''' and press enter, replacing ''<username>'' with the name of your standard user account (set during the setup process, probably your first name in lowercase). We'll learn more about these commands later in the course.<br />
<li>Reboot system</li><br />
<code>shutdown -r now</code><br />
: Reboot your system using the '''shutdown -r now''' command to apply the changes<br />
<li>Log in as your standard user account, determine system IP address.<br />
: Once you are logged in use the following command at the command line to determine the IP address of your system<br />
:<code>ip address show</code></li><br />
: Using the '''ip address show''' command will allow you to check the IP address of your system. The IP address should be something like ''172.17.50.xxx'' and be an ''inet'' address on the ''ens192'' adapter.<br />
: [[File:Lab1_ip_address_show2.PNG|500px]]<br />
<li>Test sudo privileges</li><br />
: Try running the same command as the administrator by typing '''sudo ip address show''', you will need to enter in your password again when you run this command.<br />
: <code>sudo ip address show</code><br />
<li>Install '''open-vm-tools'''</li><br />
: Run the '''sudo apt install open-vm-tools''' command to install the vmWare Tools. You will be prompted about several additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
:<code>sudo apt install open-vm-tools</code><br />
<br><br />
<li>Install nmap</li><br />
:Nmap is a tool we will learn more about later in the course but it will likely be used to check many of the labs for completion while working through the course. This course's labwork often builds upon the work you have done in previous labs. The self-check scripts are to assist you in ensuring you have not missed any ''critical'' steps in your work that would affect your success in subsequent labs.<br />
<br />
:''NOTE: Before we begin the installation of this tool it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning of systems which they are not authorized to do. You have been warned!<br />
:*At this time all you will be doing is installing the tool as it will be used to self-check your lab work to verify you are ready to move on to the next lab.<br />
:* Run the following command at the command line.<br />
:<pre>sudo apt install nmap</pre><br />
: Run the '''sudo apt install nmap''' command to install the nmap tool. You will be prompted about additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
<br />
<li>Exit from the local console</li><br />
: To log out of the console type '''exit''' and press enter.<br />
: Because your Debian Linux server is running as a virtual machine on a vmWare host system in order to achieve the best performance and driver integration we should install the vmWare Tools software package in your virtual machine.<br />
</ol><br />
<br />
== Add User "Ping", Install Webmin==<br />
<ol><br />
<li> Create a new user account '''jsmith''' using the '''adduser''' program</li><br />
<code> adduser jsmith </code><br />
<li> Use the '''links''' browser to download the '''DEB''' package file from '''[https://www.webmin.com www.webmin.com]'''</li><br />
: ''NOTE: Because this DEB file was downloaded directly instead of automatically by APT from a package repository the installation command is slightly different and some other commands such as '''apt show''' will not work.''<br />
<li>Install the package with '''apt install'''<br />
<code>apt install ./<filename.deb></code><br />
: Don't forget that installation of software must be done with system administrator permissions.''</li><br />
:[[File:Apt-install-webmin.png | link= https://wiki.ihitc.net/mediawiki/images/f/f8/Apt-install-webmin.png | 500px]]<br />
:[[Media:Apt-install-webmin.png | Click for Larger Image]]<br />
: ''NOTE: You can get similar information to what you can get with '''apt show''' from a '''DEB''' package file using the following command:''<br />
: <code>dpkg -I <filename></code><br />
<li> Notice the additional packages which are required by Webmin (dependencies) which will be downloaded and installed by '''apt''' from a repository in order to complete the installation.</li><br />
<li> Open a web browser on your host system and visit https://xxx.xxx.xxx.xxx:10000 where your IP replaces xxx.xxx.xxx.xxx</li><br />
<li> Login using your Debian username and password </li><br />
<li> Explore the Webmin interface<br />
:[[file:Webmin-dashboard.png | link= https://wiki.ihitc.net/mediawiki/images/0/0f/Webmin-dashboard.png | 500px]]<br />
:[[media:Webmin-dashboard.png | Click for Larger Image]]</li><br />
</ol><br />
==Set Static IP Address==<br />
<br />
: An important first step is to learn how to diferenciate between network interfaces. Take a look at [https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/ this site] and [https://github.com/systemd/systemd/blob/master/src/udev/udev-builtin-net_id.c#L20 this site] to understand how network interface names in Debian 9 and later are identified.<br />
<ol><br />
<li>Set a static IP for your server</li><br />
* Using your text editor of choice, open up the file ''/etc/network/interfaces''<br />
* Notice how it is currently set to dhcp for the ''ens192'' interface.<br />
* To set a static IP, you will need to change ''iface ens192 inet dhcp'' to ''iface ens192 inet static''.<br />
* Now, under the iface line you just edited, you will need to enter the address, netmask, and gateway for the static network.<br />
:''' Reminder: it is common practice to indent (tab) static network configuration information in the interfaces file.<br />
'' Note: Your configuration should be similar to this:<br />
<pre>allow-hotplug ens192<br />
iface ens192 inet static<br />
address xxx.xxx.xxx.xxx<br />
netmask 255.255.255.0<br />
gateway 172.17.50.1<br />
dns-nameservers 172.17.139.11 172.17.139.111</pre><br />
* Now save the file, and exit your file editor.<br />
<li>Apply your static IP address</li><br />
* Now we are going to apply the static IP change. Try using '''ip address show''' to view your active configuration now and you should see that your old address is still active.<br />
'''NOTE: You should only make network configuration changes when you have physical access to a machine. This way, if you mess up your configuration you will be able to fix it from a local console.''' If you lose working SSH access to your system after making these changes you'll need to connect in through the NetLab console interface (which is equivalent to physical access) and find and correct your configuration issues.<br />
* Using the '''ifdown''' and '''ifup''' command, we are going to restart the network interface, this step is required to apply the change.<br />
'' Note: A good method to watch this change is to have to ping windows open on your local machine ping both your old IP address and your new IP address with a '''ping 172.17.50.xx -t''' this will allow you to see how quickly the change will happen. The first image below is with the DHCP address, the second is after the static address is applied.<br />
:[[File:Lab5_ping_ifup_ifdown.png|link=https://wiki.ihitc.net/mediawiki/images/2/2f/Lab5_ping_ifup_ifdown.png|500px]]<br />
:[[Media:Lab5_ping_ifup_ifdown.png|Click here for a larger image]]<br />
* In a SSH terminal, run '''sudo ifdown ens192 && sudo ifup ens192'''. Notice the two ''&&'' symbols. This tells the Linux shell that it should run the second command right after the first. If we do not define this, then we would be left with a machine that has its networking turned off.<br />
: <code>sudo ifdown ens192 && sudo ifup ens192</code><br />
'' Note: you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
* At this point, your machine should now be using a static address. You may receive an error message indicating that an address cannot be assigned which is related to your old DHCP address still being on the interface as well. Use '''ip address show''' to verify the new IP address is assigned to the interface.<br />
<li>Verify the new static IP address</li><br />
* Used a '''ping''' command from your local PC to try pinging both the old DHCP address as well as your new static address of your VM. <br />
* Once you have verified the VM is responding on the new static IP address reboot the system to ensure the old DHCP address is removed by restarting your VM with '''sudo shutdown -r now''' Note you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
<li>Reconnect through SSH to your new IP address and verify it is now applied using the '''ip address show''' command.</li><br />
</ol><br />
<br />
==DNS Section==<br />
<br />
<br />
==Auto Reply Configuration==<br />
<ol><br />
<li>Install vacation</li><br />
: Vacation is a Linux package that will auto-respond to received emails for the receiving users. <br />
<code>sudo apt install vacation</code><br />
<li>Run the vacation program in the profile you wish to set up the reply message from</li><br />
<code>vacation</code><br />
<li>Follow the prompts, for now reply with the default answer (Y)</li><br />
: [[File:MAILSVR_vaca_prompts.png|link=https://wiki.ihitc.net/mediawiki/images/7/76/MAILSVR_vaca_prompts.png|500px]]<br />
: [[Media:MAILSVR_vaca_prompts.png|Click here for a larger image]]<br />
<li>Edit the vacation.msg file</li><br />
<code>nano vacation.msg</code> <br />
: [[File:MAILSVR_vaca_msg.png|link=https://wiki.ihitc.net/mediawiki/images/b/b9/MAILSVR_vaca_msg.png|500px]]<br />
: [[Media:MAILSVR_vaca_msg.png|Click for a larger image]]<br />
:* Enter the message that you would like to have in the auto-response.<br />
<li>Set the response to auto mail every message</li><br />
: The default response is every one week to send an auto-reply, for our use it is important to reply to every email.<br />
<code>vacation -i -r 0</code><br />
: ''NOTE: It is important to understand this command sets the auto-reply delay. Using the '''-r 0''' sets the vacation program to reply to EVERY message it receives. In a production environment, this is not recommended as it can create mail loops.<br />
<li>Test your reply message from the CLI '''mailutils''' package or the MTA chosen to use on client computers</li><br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Mail_server_mnjk&diff=9494Mail server mnjk2021-02-18T02:29:50Z<p>JonQuinn: /* Install Basic Tools */</p>
<hr />
<div>==Introduction==<br />
:This section documents the creation of the Auto-Reply Mail Server. This section will likely be created by an instructor or administrator.<br />
==Mail Server Documentation==<br />
<ol><br />
<li>Power on you Virtual machine</li><br />
<br />
:* This server may reside in the VMware ESXi or NetLab as long as the network configuration allows connection to the course VLAN and student VM's.<br />
<li>Install Debian Linux</li><br />
: Once the system has booted and is on the "Debian GNU/Linux installer menu" choose "Install" and '''not''' "Graphical Install". If you make an incorrect choice you can reboot your virtual machine (power off and on) before installing to get back to the menu.<br />
: In the installer you will use the space bar to select and unselect "checkboxes", the tab key to move between fields and buttons, and the enter key to continue. You will be prompted for the following choices<br />
* Select ''English'' as the language, ''United States'' as your location, and ''American English'' as the keymap.<br />
* Set ''ens192'' as your primary network interface.<br />
* Set a hostname for the system to 2480 followed by a dash and then your pod ID letter, like ''2480-Z'' for LSA Pod Z. If you have forgotten your pod ID letter look up at the top of your screen above the line with the "Topology" and "Linux Server" tabs and you should see a line with "LSA Pod" followed by a letter, that letter is your pod ID letter.<br />
:'' Note: These steps are critical to future success in labs, check your spelling carefully'' <br />
: [[File:Lab1_hostname.png|link=https://wiki.ihitc.net/mediawiki/images/5/57/Lab1_hostname.png|500px]]<br />
: [[Media:Lab1_hostname.png|Click here for a larger image]]<br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
: [[File:Lab1_domainname.png|link=https://wiki.ihitc.net/mediawiki/images/5/5a/Lab1_domainname.png|500px]]<br />
: [[Media:Lab1_domainname.png|Click here for a larger images]]<br />
* Set the root password to something you will NOT FORGET, this is the administrator account, ''cisco'' might be a good choice for our purposes though that would not be secure for a system directly accessible from the Internet (we are protected by a firewall which you are bypassing via the VPN connection)<br />
* Create a new user account by entering your name. The system will automatically use your first name (all lowercase) as the username and then you should set the password to another password you will not forget<br />
* Select your timezone<br />
* Choose "Guided - Use entire disk" as the partitioning method and select the ''sda'' drive and "All files in one partition" as the partitioning scheme, "Finish partitioning and write the changes to the disk", and then finally confirm you want to write the changes.<br />
* You do not want to scan any other CDs or DVDs at this time.<br />
* You want to select a mirror located close to you with good speed. Because your VM is actually running from the campus and is connected to the campus Internet connection a good option is "debian.uchicago.edu" with no http proxy.<br />
* Choose whether you want to participate in the package usage survey, for our purposes either choice is just fine.<br />
* On the software selection screen UNSELECT "Debian desktop environment" and "Print server" and make sure that "SSH server" and "Standard system utilities" are the only two selected options.<br />
:'' Note: To select and unselect options move your cursor over the option and press the space bar.<br />
* Choose that yes you want to install GRUB to the master boot record on the ''/dev/sda'' device.<br />
<li>Complete the installation</li><br />
: When the installation is complete you can select continue to "eject" the virtual CD and reboot into the new install<br />
</ol><br />
<br />
==Install Basic Tools==<br />
<ol><br />
<li>Install '''sudo''' from the command line using:<br />
: ''Note: A good practice is to update your system before installing any packages, this should be completed using '''apt update''', ensure to use '''sudo''' when not logged in as root.<br />
: <code>apt update</code><br />
: <code>apt install sudo</code></li><br />
: For security purposes it is usually the case that you do not want to log in as the root user. Instead, best practice is to log in as a standard user and then execute specific commands that require root access with administrative privileges through the '''sudo''' program. The '''sudo''' program is not installed by default so after you have logged in to the root account enter '''apt update''' and press enter which will update the list of software available for installation and then '''apt install sudo''' and press enter to install the sudo software.<br />
<li>Add sudo privileges to our standard user account.<br />
:<code>adduser <username> sudo</code></li><br />
: We now need to add our standard user account to the group which is allowed to have administrative access to do this enter the command '''sudo adduser ''<username>'' sudo''' and press enter, replacing ''<username>'' with the name of your standard user account (set during the setup process, probably your first name in lowercase). We'll learn more about these commands later in the course.<br />
<li>Reboot system</li><br />
<code>shutdown -r now</code><br />
: Reboot your system using the '''shutdown -r now''' command to apply the changes<br />
<li>Log in as your standard user account, determine system IP address.<br />
: Once you are logged in use the following command at the command line to determine the IP address of your system<br />
:<code>ip address show</code></li><br />
: Using the '''ip address show''' command will allow you to check the IP address of your system. The IP address should be something like ''172.17.50.xxx'' and be an ''inet'' address on the ''ens192'' adapter.<br />
: [[File:Lab1_ip_address_show2.PNG|500px]]<br />
<li>Test sudo privileges</li><br />
: Try running the same command as the administrator by typing '''sudo ip address show''', you will need to enter in your password again when you run this command.<br />
: <code>sudo ip address show</code><br />
<li>Install '''open-vm-tools'''</li><br />
: Run the '''sudo apt install open-vm-tools''' command to install the vmWare Tools. You will be prompted about several additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
:<code>sudo apt install open-vm-tools</code><br />
<br><br />
:Nmap is a tool we will learn more about later in the course but it will likely be used to check many of the labs for completion while working through the course. This course's labwork often builds upon the work you have done in previous labs. The self-check scripts are to assist you in ensuring you have not missed any ''critical'' steps in your work that would affect your success in subsequent labs.<br />
<br />
:''NOTE: Before we begin the installation of this tool it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning of systems which they are not authorized to do. You have been warned!<br />
:*At this time all you will be doing is installing the tool as it will be used to self-check your lab work to verify you are ready to move on to the next lab.<br />
<br />
<li>Open a SSH session to your server</li><br />
: Run the following command at the command line.<br />
:<pre>sudo apt install nmap</pre><br />
: Run the '''sudo apt install nmap''' command to install the nmap tool. You will be prompted about additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
<br />
<li>Exit from the local console</li><br />
: To log out of the console type '''exit''' and press enter.<br />
: Because your Debian Linux server is running as a virtual machine on a vmWare host system in order to achieve the best performance and driver integration we should install the vmWare Tools software package in your virtual machine.<br />
</ol><br />
<br />
== Add User "Ping", Install Webmin==<br />
<ol><br />
<li> Create a new user account '''jsmith''' using the '''adduser''' program</li><br />
<code> adduser jsmith </code><br />
<li> Use the '''links''' browser to download the '''DEB''' package file from '''[https://www.webmin.com www.webmin.com]'''</li><br />
: ''NOTE: Because this DEB file was downloaded directly instead of automatically by APT from a package repository the installation command is slightly different and some other commands such as '''apt show''' will not work.''<br />
<li>Install the package with '''apt install'''<br />
<code>apt install ./<filename.deb></code><br />
: Don't forget that installation of software must be done with system administrator permissions.''</li><br />
:[[File:Apt-install-webmin.png | link= https://wiki.ihitc.net/mediawiki/images/f/f8/Apt-install-webmin.png | 500px]]<br />
:[[Media:Apt-install-webmin.png | Click for Larger Image]]<br />
: ''NOTE: You can get similar information to what you can get with '''apt show''' from a '''DEB''' package file using the following command:''<br />
: <code>dpkg -I <filename></code><br />
<li> Notice the additional packages which are required by Webmin (dependencies) which will be downloaded and installed by '''apt''' from a repository in order to complete the installation.</li><br />
<li> Open a web browser on your host system and visit https://xxx.xxx.xxx.xxx:10000 where your IP replaces xxx.xxx.xxx.xxx</li><br />
<li> Login using your Debian username and password </li><br />
<li> Explore the Webmin interface<br />
:[[file:Webmin-dashboard.png | link= https://wiki.ihitc.net/mediawiki/images/0/0f/Webmin-dashboard.png | 500px]]<br />
:[[media:Webmin-dashboard.png | Click for Larger Image]]</li><br />
</ol><br />
==Set Static IP Address==<br />
<br />
: An important first step is to learn how to diferenciate between network interfaces. Take a look at [https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/ this site] and [https://github.com/systemd/systemd/blob/master/src/udev/udev-builtin-net_id.c#L20 this site] to understand how network interface names in Debian 9 and later are identified.<br />
<ol><br />
<li>Set a static IP for your server</li><br />
* Using your text editor of choice, open up the file ''/etc/network/interfaces''<br />
* Notice how it is currently set to dhcp for the ''ens192'' interface.<br />
* To set a static IP, you will need to change ''iface ens192 inet dhcp'' to ''iface ens192 inet static''.<br />
* Now, under the iface line you just edited, you will need to enter the address, netmask, and gateway for the static network.<br />
:''' Reminder: it is common practice to indent (tab) static network configuration information in the interfaces file.<br />
'' Note: Your configuration should be similar to this:<br />
<pre>allow-hotplug ens192<br />
iface ens192 inet static<br />
address xxx.xxx.xxx.xxx<br />
netmask 255.255.255.0<br />
gateway 172.17.50.1<br />
dns-nameservers 172.17.139.11 172.17.139.111</pre><br />
* Now save the file, and exit your file editor.<br />
<li>Apply your static IP address</li><br />
* Now we are going to apply the static IP change. Try using '''ip address show''' to view your active configuration now and you should see that your old address is still active.<br />
'''NOTE: You should only make network configuration changes when you have physical access to a machine. This way, if you mess up your configuration you will be able to fix it from a local console.''' If you lose working SSH access to your system after making these changes you'll need to connect in through the NetLab console interface (which is equivalent to physical access) and find and correct your configuration issues.<br />
* Using the '''ifdown''' and '''ifup''' command, we are going to restart the network interface, this step is required to apply the change.<br />
'' Note: A good method to watch this change is to have to ping windows open on your local machine ping both your old IP address and your new IP address with a '''ping 172.17.50.xx -t''' this will allow you to see how quickly the change will happen. The first image below is with the DHCP address, the second is after the static address is applied.<br />
:[[File:Lab5_ping_ifup_ifdown.png|link=https://wiki.ihitc.net/mediawiki/images/2/2f/Lab5_ping_ifup_ifdown.png|500px]]<br />
:[[Media:Lab5_ping_ifup_ifdown.png|Click here for a larger image]]<br />
* In a SSH terminal, run '''sudo ifdown ens192 && sudo ifup ens192'''. Notice the two ''&&'' symbols. This tells the Linux shell that it should run the second command right after the first. If we do not define this, then we would be left with a machine that has its networking turned off.<br />
: <code>sudo ifdown ens192 && sudo ifup ens192</code><br />
'' Note: you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
* At this point, your machine should now be using a static address. You may receive an error message indicating that an address cannot be assigned which is related to your old DHCP address still being on the interface as well. Use '''ip address show''' to verify the new IP address is assigned to the interface.<br />
<li>Verify the new static IP address</li><br />
* Used a '''ping''' command from your local PC to try pinging both the old DHCP address as well as your new static address of your VM. <br />
* Once you have verified the VM is responding on the new static IP address reboot the system to ensure the old DHCP address is removed by restarting your VM with '''sudo shutdown -r now''' Note you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
<li>Reconnect through SSH to your new IP address and verify it is now applied using the '''ip address show''' command.</li><br />
</ol><br />
<br />
==DNS Section==<br />
<br />
<br />
==Auto Reply Configuration==<br />
<ol><br />
<li>Install vacation</li><br />
: Vacation is a Linux package that will auto-respond to received emails for the receiving users. <br />
<code>sudo apt install vacation</code><br />
<li>Run the vacation program in the profile you wish to set up the reply message from</li><br />
<code>vacation</code><br />
<li>Follow the prompts, for now reply with the default answer (Y)</li><br />
: [[File:MAILSVR_vaca_prompts.png|link=https://wiki.ihitc.net/mediawiki/images/7/76/MAILSVR_vaca_prompts.png|500px]]<br />
: [[Media:MAILSVR_vaca_prompts.png|Click here for a larger image]]<br />
<li>Edit the vacation.msg file</li><br />
<code>nano vacation.msg</code> <br />
: [[File:MAILSVR_vaca_msg.png|link=https://wiki.ihitc.net/mediawiki/images/b/b9/MAILSVR_vaca_msg.png|500px]]<br />
: [[Media:MAILSVR_vaca_msg.png|Click for a larger image]]<br />
:* Enter the message that you would like to have in the auto-response.<br />
<li>Set the response to auto mail every message</li><br />
: The default response is every one week to send an auto-reply, for our use it is important to reply to every email.<br />
<code>vacation -i -r 0</code><br />
: ''NOTE: It is important to understand this command sets the auto-reply delay. Using the '''-r 0''' sets the vacation program to reply to EVERY message it receives. In a production environment, this is not recommended as it can create mail loops.<br />
<li>Test your reply message from the CLI '''mailutils''' package or the MTA chosen to use on client computers</li><br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Mail_server_mnjk&diff=9493Mail server mnjk2021-02-18T02:28:54Z<p>JonQuinn: /* Install Basic Tools */</p>
<hr />
<div>==Introduction==<br />
:This section documents the creation of the Auto-Reply Mail Server. This section will likely be created by an instructor or administrator.<br />
==Mail Server Documentation==<br />
<ol><br />
<li>Power on you Virtual machine</li><br />
<br />
:* This server may reside in the VMware ESXi or NetLab as long as the network configuration allows connection to the course VLAN and student VM's.<br />
<li>Install Debian Linux</li><br />
: Once the system has booted and is on the "Debian GNU/Linux installer menu" choose "Install" and '''not''' "Graphical Install". If you make an incorrect choice you can reboot your virtual machine (power off and on) before installing to get back to the menu.<br />
: In the installer you will use the space bar to select and unselect "checkboxes", the tab key to move between fields and buttons, and the enter key to continue. You will be prompted for the following choices<br />
* Select ''English'' as the language, ''United States'' as your location, and ''American English'' as the keymap.<br />
* Set ''ens192'' as your primary network interface.<br />
* Set a hostname for the system to 2480 followed by a dash and then your pod ID letter, like ''2480-Z'' for LSA Pod Z. If you have forgotten your pod ID letter look up at the top of your screen above the line with the "Topology" and "Linux Server" tabs and you should see a line with "LSA Pod" followed by a letter, that letter is your pod ID letter.<br />
:'' Note: These steps are critical to future success in labs, check your spelling carefully'' <br />
: [[File:Lab1_hostname.png|link=https://wiki.ihitc.net/mediawiki/images/5/57/Lab1_hostname.png|500px]]<br />
: [[Media:Lab1_hostname.png|Click here for a larger image]]<br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
: [[File:Lab1_domainname.png|link=https://wiki.ihitc.net/mediawiki/images/5/5a/Lab1_domainname.png|500px]]<br />
: [[Media:Lab1_domainname.png|Click here for a larger images]]<br />
* Set the root password to something you will NOT FORGET, this is the administrator account, ''cisco'' might be a good choice for our purposes though that would not be secure for a system directly accessible from the Internet (we are protected by a firewall which you are bypassing via the VPN connection)<br />
* Create a new user account by entering your name. The system will automatically use your first name (all lowercase) as the username and then you should set the password to another password you will not forget<br />
* Select your timezone<br />
* Choose "Guided - Use entire disk" as the partitioning method and select the ''sda'' drive and "All files in one partition" as the partitioning scheme, "Finish partitioning and write the changes to the disk", and then finally confirm you want to write the changes.<br />
* You do not want to scan any other CDs or DVDs at this time.<br />
* You want to select a mirror located close to you with good speed. Because your VM is actually running from the campus and is connected to the campus Internet connection a good option is "debian.uchicago.edu" with no http proxy.<br />
* Choose whether you want to participate in the package usage survey, for our purposes either choice is just fine.<br />
* On the software selection screen UNSELECT "Debian desktop environment" and "Print server" and make sure that "SSH server" and "Standard system utilities" are the only two selected options.<br />
:'' Note: To select and unselect options move your cursor over the option and press the space bar.<br />
* Choose that yes you want to install GRUB to the master boot record on the ''/dev/sda'' device.<br />
<li>Complete the installation</li><br />
: When the installation is complete you can select continue to "eject" the virtual CD and reboot into the new install<br />
</ol><br />
<br />
==Install Basic Tools==<br />
<ol><br />
<li>Install '''sudo''' from the command line using:<br />
: ''Note: A good practice is to update your system before installing any packages, this should be completed using '''apt update''', ensure to use '''sudo''' when not logged in as root.<br />
: <code>apt update</code><br />
: <code>apt install sudo</code></li><br />
: For security purposes it is usually the case that you do not want to log in as the root user. Instead, best practice is to log in as a standard user and then execute specific commands that require root access with administrative privileges through the '''sudo''' program. The '''sudo''' program is not installed by default so after you have logged in to the root account enter '''apt update''' and press enter which will update the list of software available for installation and then '''apt install sudo''' and press enter to install the sudo software.<br />
<li>Add sudo privileges to our standard user account.<br />
:<code>adduser <username> sudo</code></li><br />
: We now need to add our standard user account to the group which is allowed to have administrative access to do this enter the command '''sudo adduser ''<username>'' sudo''' and press enter, replacing ''<username>'' with the name of your standard user account (set during the setup process, probably your first name in lowercase). We'll learn more about these commands later in the course.<br />
<li>Reboot system</li><br />
<code>shutdown -r now</code><br />
: Reboot your system using the '''shutdown -r now''' command to apply the changes<br />
<li>Log in as your standard user account, determine system IP address.<br />
: Once you are logged in use the following command at the command line to determine the IP address of your system<br />
:<code>ip address show</code></li><br />
: Using the '''ip address show''' command will allow you to check the IP address of your system. The IP address should be something like ''172.17.50.xxx'' and be an ''inet'' address on the ''ens192'' adapter.<br />
: [[File:Lab1_ip_address_show2.PNG|500px]]<br />
<li>Test sudo privileges</li><br />
: Try running the same command as the administrator by typing '''sudo ip address show''', you will need to enter in your password again when you run this command.<br />
: <code>sudo ip address show</code><br />
<li>Install '''open-vm-tools'''</li><br />
: Run the '''sudo apt install open-vm-tools''' command to install the vmWare Tools. You will be prompted about several additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
<code>sudo apt install open-vm-tools</code><br />
<br><br />
:Nmap is a tool we will learn more about later in the course but it will likely be used to check many of the labs for completion while working through the course. This course's labwork often builds upon the work you have done in previous labs. The self-check scripts are to assist you in ensuring you have not missed any ''critical'' steps in your work that would affect your success in subsequent labs.<br />
<br />
:* ''NOTE: Before we begin the installation of this tool it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning of systems which they are not authorized to do. You have been warned!<br />
:*At this time all you will be doing is installing the tool as it will be used to self-check your lab work to verify you are ready to move on to the next lab.<br />
<br />
<li>Open a SSH session to your server</li><br />
: Run the following command at the command line.<br />
:<pre>sudo apt install nmap</pre><br />
: Run the '''sudo apt install nmap''' command to install the nmap tool. You will be prompted about additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
<br />
<li>Exit from the local console</li><br />
: To log out of the console type '''exit''' and press enter.<br />
: Because your Debian Linux server is running as a virtual machine on a vmWare host system in order to achieve the best performance and driver integration we should install the vmWare Tools software package in your virtual machine.<br />
</ol><br />
<br />
== Add User "Ping", Install Webmin==<br />
<ol><br />
<li> Create a new user account '''jsmith''' using the '''adduser''' program</li><br />
<code> adduser jsmith </code><br />
<li> Use the '''links''' browser to download the '''DEB''' package file from '''[https://www.webmin.com www.webmin.com]'''</li><br />
: ''NOTE: Because this DEB file was downloaded directly instead of automatically by APT from a package repository the installation command is slightly different and some other commands such as '''apt show''' will not work.''<br />
<li>Install the package with '''apt install'''<br />
<code>apt install ./<filename.deb></code><br />
: Don't forget that installation of software must be done with system administrator permissions.''</li><br />
:[[File:Apt-install-webmin.png | link= https://wiki.ihitc.net/mediawiki/images/f/f8/Apt-install-webmin.png | 500px]]<br />
:[[Media:Apt-install-webmin.png | Click for Larger Image]]<br />
: ''NOTE: You can get similar information to what you can get with '''apt show''' from a '''DEB''' package file using the following command:''<br />
: <code>dpkg -I <filename></code><br />
<li> Notice the additional packages which are required by Webmin (dependencies) which will be downloaded and installed by '''apt''' from a repository in order to complete the installation.</li><br />
<li> Open a web browser on your host system and visit https://xxx.xxx.xxx.xxx:10000 where your IP replaces xxx.xxx.xxx.xxx</li><br />
<li> Login using your Debian username and password </li><br />
<li> Explore the Webmin interface<br />
:[[file:Webmin-dashboard.png | link= https://wiki.ihitc.net/mediawiki/images/0/0f/Webmin-dashboard.png | 500px]]<br />
:[[media:Webmin-dashboard.png | Click for Larger Image]]</li><br />
</ol><br />
==Set Static IP Address==<br />
<br />
: An important first step is to learn how to diferenciate between network interfaces. Take a look at [https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/ this site] and [https://github.com/systemd/systemd/blob/master/src/udev/udev-builtin-net_id.c#L20 this site] to understand how network interface names in Debian 9 and later are identified.<br />
<ol><br />
<li>Set a static IP for your server</li><br />
* Using your text editor of choice, open up the file ''/etc/network/interfaces''<br />
* Notice how it is currently set to dhcp for the ''ens192'' interface.<br />
* To set a static IP, you will need to change ''iface ens192 inet dhcp'' to ''iface ens192 inet static''.<br />
* Now, under the iface line you just edited, you will need to enter the address, netmask, and gateway for the static network.<br />
:''' Reminder: it is common practice to indent (tab) static network configuration information in the interfaces file.<br />
'' Note: Your configuration should be similar to this:<br />
<pre>allow-hotplug ens192<br />
iface ens192 inet static<br />
address xxx.xxx.xxx.xxx<br />
netmask 255.255.255.0<br />
gateway 172.17.50.1<br />
dns-nameservers 172.17.139.11 172.17.139.111</pre><br />
* Now save the file, and exit your file editor.<br />
<li>Apply your static IP address</li><br />
* Now we are going to apply the static IP change. Try using '''ip address show''' to view your active configuration now and you should see that your old address is still active.<br />
'''NOTE: You should only make network configuration changes when you have physical access to a machine. This way, if you mess up your configuration you will be able to fix it from a local console.''' If you lose working SSH access to your system after making these changes you'll need to connect in through the NetLab console interface (which is equivalent to physical access) and find and correct your configuration issues.<br />
* Using the '''ifdown''' and '''ifup''' command, we are going to restart the network interface, this step is required to apply the change.<br />
'' Note: A good method to watch this change is to have to ping windows open on your local machine ping both your old IP address and your new IP address with a '''ping 172.17.50.xx -t''' this will allow you to see how quickly the change will happen. The first image below is with the DHCP address, the second is after the static address is applied.<br />
:[[File:Lab5_ping_ifup_ifdown.png|link=https://wiki.ihitc.net/mediawiki/images/2/2f/Lab5_ping_ifup_ifdown.png|500px]]<br />
:[[Media:Lab5_ping_ifup_ifdown.png|Click here for a larger image]]<br />
* In a SSH terminal, run '''sudo ifdown ens192 && sudo ifup ens192'''. Notice the two ''&&'' symbols. This tells the Linux shell that it should run the second command right after the first. If we do not define this, then we would be left with a machine that has its networking turned off.<br />
: <code>sudo ifdown ens192 && sudo ifup ens192</code><br />
'' Note: you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
* At this point, your machine should now be using a static address. You may receive an error message indicating that an address cannot be assigned which is related to your old DHCP address still being on the interface as well. Use '''ip address show''' to verify the new IP address is assigned to the interface.<br />
<li>Verify the new static IP address</li><br />
* Used a '''ping''' command from your local PC to try pinging both the old DHCP address as well as your new static address of your VM. <br />
* Once you have verified the VM is responding on the new static IP address reboot the system to ensure the old DHCP address is removed by restarting your VM with '''sudo shutdown -r now''' Note you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
<li>Reconnect through SSH to your new IP address and verify it is now applied using the '''ip address show''' command.</li><br />
</ol><br />
<br />
==DNS Section==<br />
<br />
<br />
==Auto Reply Configuration==<br />
<ol><br />
<li>Install vacation</li><br />
: Vacation is a Linux package that will auto-respond to received emails for the receiving users. <br />
<code>sudo apt install vacation</code><br />
<li>Run the vacation program in the profile you wish to set up the reply message from</li><br />
<code>vacation</code><br />
<li>Follow the prompts, for now reply with the default answer (Y)</li><br />
: [[File:MAILSVR_vaca_prompts.png|link=https://wiki.ihitc.net/mediawiki/images/7/76/MAILSVR_vaca_prompts.png|500px]]<br />
: [[Media:MAILSVR_vaca_prompts.png|Click here for a larger image]]<br />
<li>Edit the vacation.msg file</li><br />
<code>nano vacation.msg</code> <br />
: [[File:MAILSVR_vaca_msg.png|link=https://wiki.ihitc.net/mediawiki/images/b/b9/MAILSVR_vaca_msg.png|500px]]<br />
: [[Media:MAILSVR_vaca_msg.png|Click for a larger image]]<br />
:* Enter the message that you would like to have in the auto-response.<br />
<li>Set the response to auto mail every message</li><br />
: The default response is every one week to send an auto-reply, for our use it is important to reply to every email.<br />
<code>vacation -i -r 0</code><br />
: ''NOTE: It is important to understand this command sets the auto-reply delay. Using the '''-r 0''' sets the vacation program to reply to EVERY message it receives. In a production environment, this is not recommended as it can create mail loops.<br />
<li>Test your reply message from the CLI '''mailutils''' package or the MTA chosen to use on client computers</li><br />
</ol></div>JonQuinnhttps://wiki.ihitc.net/mediawiki/index.php?title=Mail_server_mnjk&diff=9492Mail server mnjk2021-02-18T02:27:50Z<p>JonQuinn: /* Install Basic Tools */</p>
<hr />
<div>==Introduction==<br />
:This section documents the creation of the Auto-Reply Mail Server. This section will likely be created by an instructor or administrator.<br />
==Mail Server Documentation==<br />
<ol><br />
<li>Power on you Virtual machine</li><br />
<br />
:* This server may reside in the VMware ESXi or NetLab as long as the network configuration allows connection to the course VLAN and student VM's.<br />
<li>Install Debian Linux</li><br />
: Once the system has booted and is on the "Debian GNU/Linux installer menu" choose "Install" and '''not''' "Graphical Install". If you make an incorrect choice you can reboot your virtual machine (power off and on) before installing to get back to the menu.<br />
: In the installer you will use the space bar to select and unselect "checkboxes", the tab key to move between fields and buttons, and the enter key to continue. You will be prompted for the following choices<br />
* Select ''English'' as the language, ''United States'' as your location, and ''American English'' as the keymap.<br />
* Set ''ens192'' as your primary network interface.<br />
* Set a hostname for the system to 2480 followed by a dash and then your pod ID letter, like ''2480-Z'' for LSA Pod Z. If you have forgotten your pod ID letter look up at the top of your screen above the line with the "Topology" and "Linux Server" tabs and you should see a line with "LSA Pod" followed by a letter, that letter is your pod ID letter.<br />
:'' Note: These steps are critical to future success in labs, check your spelling carefully'' <br />
: [[File:Lab1_hostname.png|link=https://wiki.ihitc.net/mediawiki/images/5/57/Lab1_hostname.png|500px]]<br />
: [[Media:Lab1_hostname.png|Click here for a larger image]]<br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
: [[File:Lab1_domainname.png|link=https://wiki.ihitc.net/mediawiki/images/5/5a/Lab1_domainname.png|500px]]<br />
: [[Media:Lab1_domainname.png|Click here for a larger images]]<br />
* Set the root password to something you will NOT FORGET, this is the administrator account, ''cisco'' might be a good choice for our purposes though that would not be secure for a system directly accessible from the Internet (we are protected by a firewall which you are bypassing via the VPN connection)<br />
* Create a new user account by entering your name. The system will automatically use your first name (all lowercase) as the username and then you should set the password to another password you will not forget<br />
* Select your timezone<br />
* Choose "Guided - Use entire disk" as the partitioning method and select the ''sda'' drive and "All files in one partition" as the partitioning scheme, "Finish partitioning and write the changes to the disk", and then finally confirm you want to write the changes.<br />
* You do not want to scan any other CDs or DVDs at this time.<br />
* You want to select a mirror located close to you with good speed. Because your VM is actually running from the campus and is connected to the campus Internet connection a good option is "debian.uchicago.edu" with no http proxy.<br />
* Choose whether you want to participate in the package usage survey, for our purposes either choice is just fine.<br />
* On the software selection screen UNSELECT "Debian desktop environment" and "Print server" and make sure that "SSH server" and "Standard system utilities" are the only two selected options.<br />
:'' Note: To select and unselect options move your cursor over the option and press the space bar.<br />
* Choose that yes you want to install GRUB to the master boot record on the ''/dev/sda'' device.<br />
<li>Complete the installation</li><br />
: When the installation is complete you can select continue to "eject" the virtual CD and reboot into the new install<br />
</ol><br />
<br />
==Install Basic Tools==<br />
<ol><br />
<li>Install '''sudo''' from the command line using:<br />
: ''Note: A good practice is to update your system before installing any packages, this should be completed using '''apt update''', ensure to use '''sudo''' when not logged in as root.<br />
: <code>apt update</code><br />
: <code>apt install sudo</code></li><br />
: For security purposes it is usually the case that you do not want to log in as the root user. Instead, best practice is to log in as a standard user and then execute specific commands that require root access with administrative privileges through the '''sudo''' program. The '''sudo''' program is not installed by default so after you have logged in to the root account enter '''apt update''' and press enter which will update the list of software available for installation and then '''apt install sudo''' and press enter to install the sudo software.<br />
<li>Add sudo privileges to our standard user account.<br />
:<code>adduser <username> sudo</code></li><br />
: We now need to add our standard user account to the group which is allowed to have administrative access to do this enter the command '''sudo adduser ''<username>'' sudo''' and press enter, replacing ''<username>'' with the name of your standard user account (set during the setup process, probably your first name in lowercase). We'll learn more about these commands later in the course.<br />
<li>Reboot system</li><br />
<code>shutdown -r now</code><br />
: Reboot your system using the '''shutdown -r now''' command to apply the changes<br />
<li>Log in as your standard user account, determine system IP address.<br />
: Once you are logged in use the following command at the command line to determine the IP address of your system<br />
:<code>ip address show</code></li><br />
: Using the '''ip address show''' command will allow you to check the IP address of your system. The IP address should be something like ''172.17.50.xxx'' and be an ''inet'' address on the ''ens192'' adapter.<br />
: [[File:Lab1_ip_address_show2.PNG|500px]]<br />
<li>Test sudo privileges</li><br />
: Try running the same command as the administrator by typing '''sudo ip address show''', you will need to enter in your password again when you run this command.<br />
: <code>sudo ip address show</code><br />
<br />
<br />
<li>Open a SSH session to your server</li><br />
: Connect into your system using the remote SSH console method explained above.<br />
<li>Install '''open-vm-tools'''</li><br />
: Run the '''sudo apt install open-vm-tools''' command to install the vmWare Tools. You will be prompted about several additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
<code>sudo apt install open-vm-tools</code><br />
<br><br />
<ol><br />
:Nmap is a tool we will learn more about later in the course but it will likely be used to check many of the labs for completion while working through the course. This course's labwork often builds upon the work you have done in previous labs. The self-check scripts are to assist you in ensuring you have not missed any ''critical'' steps in your work that would affect your success in subsequent labs.<br />
<br />
:* ''NOTE: Before we begin the installation of this tool it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning of systems which they are not authorized to do. You have been warned!<br />
:*At this time all you will be doing is installing the tool as it will be used to self-check your lab work to verify you are ready to move on to the next lab.<br />
<br />
<li>Open a SSH session to your server</li><br />
: Run the following command at the command line.<br />
<pre>sudo apt install nmap</pre><br />
: Run the '''sudo apt install nmap''' command to install the nmap tool. You will be prompted about additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
<br />
<li>Exit from the local console</li><br />
: To log out of the console type '''exit''' and press enter.<br />
: Because your Debian Linux server is running as a virtual machine on a vmWare host system in order to achieve the best performance and driver integration we should install the vmWare Tools software package in your virtual machine.<br />
</ol><br />
<br />
== Add User "Ping", Install Webmin==<br />
<ol><br />
<li> Create a new user account '''jsmith''' using the '''adduser''' program</li><br />
<code> adduser jsmith </code><br />
<li> Use the '''links''' browser to download the '''DEB''' package file from '''[https://www.webmin.com www.webmin.com]'''</li><br />
: ''NOTE: Because this DEB file was downloaded directly instead of automatically by APT from a package repository the installation command is slightly different and some other commands such as '''apt show''' will not work.''<br />
<li>Install the package with '''apt install'''<br />
<code>apt install ./<filename.deb></code><br />
: Don't forget that installation of software must be done with system administrator permissions.''</li><br />
:[[File:Apt-install-webmin.png | link= https://wiki.ihitc.net/mediawiki/images/f/f8/Apt-install-webmin.png | 500px]]<br />
:[[Media:Apt-install-webmin.png | Click for Larger Image]]<br />
: ''NOTE: You can get similar information to what you can get with '''apt show''' from a '''DEB''' package file using the following command:''<br />
: <code>dpkg -I <filename></code><br />
<li> Notice the additional packages which are required by Webmin (dependencies) which will be downloaded and installed by '''apt''' from a repository in order to complete the installation.</li><br />
<li> Open a web browser on your host system and visit https://xxx.xxx.xxx.xxx:10000 where your IP replaces xxx.xxx.xxx.xxx</li><br />
<li> Login using your Debian username and password </li><br />
<li> Explore the Webmin interface<br />
:[[file:Webmin-dashboard.png | link= https://wiki.ihitc.net/mediawiki/images/0/0f/Webmin-dashboard.png | 500px]]<br />
:[[media:Webmin-dashboard.png | Click for Larger Image]]</li><br />
</ol><br />
==Set Static IP Address==<br />
<br />
: An important first step is to learn how to diferenciate between network interfaces. Take a look at [https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/ this site] and [https://github.com/systemd/systemd/blob/master/src/udev/udev-builtin-net_id.c#L20 this site] to understand how network interface names in Debian 9 and later are identified.<br />
<ol><br />
<li>Set a static IP for your server</li><br />
* Using your text editor of choice, open up the file ''/etc/network/interfaces''<br />
* Notice how it is currently set to dhcp for the ''ens192'' interface.<br />
* To set a static IP, you will need to change ''iface ens192 inet dhcp'' to ''iface ens192 inet static''.<br />
* Now, under the iface line you just edited, you will need to enter the address, netmask, and gateway for the static network.<br />
:''' Reminder: it is common practice to indent (tab) static network configuration information in the interfaces file.<br />
'' Note: Your configuration should be similar to this:<br />
<pre>allow-hotplug ens192<br />
iface ens192 inet static<br />
address xxx.xxx.xxx.xxx<br />
netmask 255.255.255.0<br />
gateway 172.17.50.1<br />
dns-nameservers 172.17.139.11 172.17.139.111</pre><br />
* Now save the file, and exit your file editor.<br />
<li>Apply your static IP address</li><br />
* Now we are going to apply the static IP change. Try using '''ip address show''' to view your active configuration now and you should see that your old address is still active.<br />
'''NOTE: You should only make network configuration changes when you have physical access to a machine. This way, if you mess up your configuration you will be able to fix it from a local console.''' If you lose working SSH access to your system after making these changes you'll need to connect in through the NetLab console interface (which is equivalent to physical access) and find and correct your configuration issues.<br />
* Using the '''ifdown''' and '''ifup''' command, we are going to restart the network interface, this step is required to apply the change.<br />
'' Note: A good method to watch this change is to have to ping windows open on your local machine ping both your old IP address and your new IP address with a '''ping 172.17.50.xx -t''' this will allow you to see how quickly the change will happen. The first image below is with the DHCP address, the second is after the static address is applied.<br />
:[[File:Lab5_ping_ifup_ifdown.png|link=https://wiki.ihitc.net/mediawiki/images/2/2f/Lab5_ping_ifup_ifdown.png|500px]]<br />
:[[Media:Lab5_ping_ifup_ifdown.png|Click here for a larger image]]<br />
* In a SSH terminal, run '''sudo ifdown ens192 && sudo ifup ens192'''. Notice the two ''&&'' symbols. This tells the Linux shell that it should run the second command right after the first. If we do not define this, then we would be left with a machine that has its networking turned off.<br />
: <code>sudo ifdown ens192 && sudo ifup ens192</code><br />
'' Note: you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
* At this point, your machine should now be using a static address. You may receive an error message indicating that an address cannot be assigned which is related to your old DHCP address still being on the interface as well. Use '''ip address show''' to verify the new IP address is assigned to the interface.<br />
<li>Verify the new static IP address</li><br />
* Used a '''ping''' command from your local PC to try pinging both the old DHCP address as well as your new static address of your VM. <br />
* Once you have verified the VM is responding on the new static IP address reboot the system to ensure the old DHCP address is removed by restarting your VM with '''sudo shutdown -r now''' Note you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
<li>Reconnect through SSH to your new IP address and verify it is now applied using the '''ip address show''' command.</li><br />
</ol><br />
<br />
==DNS Section==<br />
<br />
<br />
==Auto Reply Configuration==<br />
<ol><br />
<li>Install vacation</li><br />
: Vacation is a Linux package that will auto-respond to received emails for the receiving users. <br />
<code>sudo apt install vacation</code><br />
<li>Run the vacation program in the profile you wish to set up the reply message from</li><br />
<code>vacation</code><br />
<li>Follow the prompts, for now reply with the default answer (Y)</li><br />
: [[File:MAILSVR_vaca_prompts.png|link=https://wiki.ihitc.net/mediawiki/images/7/76/MAILSVR_vaca_prompts.png|500px]]<br />
: [[Media:MAILSVR_vaca_prompts.png|Click here for a larger image]]<br />
<li>Edit the vacation.msg file</li><br />
<code>nano vacation.msg</code> <br />
: [[File:MAILSVR_vaca_msg.png|link=https://wiki.ihitc.net/mediawiki/images/b/b9/MAILSVR_vaca_msg.png|500px]]<br />
: [[Media:MAILSVR_vaca_msg.png|Click for a larger image]]<br />
:* Enter the message that you would like to have in the auto-response.<br />
<li>Set the response to auto mail every message</li><br />
: The default response is every one week to send an auto-reply, for our use it is important to reply to every email.<br />
<code>vacation -i -r 0</code><br />
: ''NOTE: It is important to understand this command sets the auto-reply delay. Using the '''-r 0''' sets the vacation program to reply to EVERY message it receives. In a production environment, this is not recommended as it can create mail loops.<br />
<li>Test your reply message from the CLI '''mailutils''' package or the MTA chosen to use on client computers</li><br />
</ol></div>JonQuinn