ITCwiki - User contributions [en] (MediaWiki 1.38.5 feed, 2024-03-29T14:41:53Z): https://wiki.ihitc.net/mediawiki/api.php?action=feedcontributions&user=NateHaleen&feedformat=atom
Lab 12 mnjk, 2021-04-25T16:10:20Z: https://wiki.ihitc.net/mediawiki/index.php?title=Lab_12_mnjk&diff=9644
<p>NateHaleen: /* Checking Your Work */</p>
<hr />
<div>=Introduction=<br />
In this lab you will learn about several Linux utilities which can be used for monitoring Linux and other systems for security and service uptime purposes.<br />
<br />
In this lab you will perform the following tasks:<br />
* Monitor connections with [https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/netstat netstat]<br />
* Scan for open ports using [https://nmap.org/ nmap]<br />
* Monitor services with [https://www.zabbix.com/ zabbix]<br />
<br />
You will be introduced to the following commands:<br />
*'''[https://linux.die.net/man/8/netstat netstat]'''<br />
*'''[https://linux.die.net/man/1/ps ps]'''<br />
*'''[https://linux.die.net/man/1/grep grep]'''<br />
*'''[https://linux.die.net/man/1/nmap nmap]'''<br />
<br />
=Lab Procedure=<br />
== Prerequisites ==<br />
# Open an SSH console to your Linux system using the PuTTY software and log in with your standard user account<br />
# The IP address of a partner's system which you have permission to portscan<br />
<br />
== Monitoring connections with netstat ==<br />
'''''[https://www.youtube.com/watch?v=51eo20xbSxs Video Tutorial - Monitoring Connections with Netstat]''''' <br><br />
One common activity when evaluating the security of a system is finding out which ports the system is accepting connections on. For this reason most operating systems have some kind of utility to display active network connections and open ports, and Linux is no exception. The netstat utility can show you currently active network connections as well as open ports on your local system. Take a look at the man page for the [https://linux.die.net/man/8/netstat '''netstat'''] command. Specifically, figure out what the ''-n'', ''-a'', ''-t'', ''-p'' and ''-u'' options do.<br />
<ol><br />
<li> Run the '''netstat''' command on your system and observe the output.</li><br />
<code>sudo netstat -natup</code><br />
* Try to identify what the purpose of each open port on your system is. There are many online guides to common uses for ports.<br />
<li> Use the '''sudo ps aux''' command (along with '''grep''') to match the PID (process ID) numbers of open ports shown in '''netstat -natup''' with specific processes on your system.</li><br />
<li> Connect to the IP address or domain name of your system through your web browser and re-run the '''netstat -natup''' command to see the TCP session established by your browser to download the website.</li><br />
<ul> You'll find that there are a number of ports open on your system. Some of these we have opened to provide a specific service such as SMTP, DNS, or a web server, but some, such as the sunrpc port, are open simply by default on a fresh install. There are a number of different strategies you can use to secure your system, including disabling a service, binding it to an internal-only IP address, or blocking access with a firewall rule. If your firewall is set up with an implicit (or explicit) reject-any rule at the bottom of the input chain and you have not specifically opened a port, it should not be accessible from other systems. How can we test that, though? The '''netstat''' utility is useful for listing the ports that are open on the system, but it does not show us how those ports react when someone outside actually tries to connect.</ul><br />
</ol><br />
<br />
== Scanning ports using nmap ==<br />
'''''[https://www.youtube.com/watch?v=DzxpMPtGsGM Video Tutorial - Scanning Ports with nmap]''''' <br><br />
The nmap (Network Mapper) utility is a very powerful security scanning utility available on Linux. While netstat uses information from the Linux kernel about what ports and connections are in use by what processes, nmap actively probes and tests ports on your system or another system to determine whether each port is open or not and, in some cases, additional information about the port. Unlike netstat, nmap is not part of the default Debian installation, so you will need to install the nmap package before proceeding. nmap is complex and powerful. Entire [http://nmap.org/book/toc.html books] and [http://nmap.org/book/man.html extensive documentation] are available which you may want to reference, but we'll only be exploring some of the more basic features in this introduction.<br />
: ''NOTE: Before we begin this section of the lab it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning systems which they were not authorized to scan. You have been warned!''<br />
<ol><br />
<li> Make sure '''nmap''' is installed</li><br />
<code>sudo apt install nmap</code><br />
<li>The '''nmap''' project provides a system on the Internet which you are allowed to scan for testing purposes, so let's try a verbose scan, which gives additional diagnostic detail.</li><br />
<code>nmap -v scanme.nmap.org</code><br />
* Review the output and then run the same command without the ''-v'' verbose option and compare the output you receive.<br />
<ul> When scanning your own system there are a few different ways to go about it. You could either scan the localhost address 127.0.0.1 or the actual outside IP address of your system. You could also set up a separate system or VM and do the scanning from that system. In each case you might see somewhat different results. Can you guess why?</ul><br />
* The answer is related to how you have firewall rules set up and what addresses you have services bound to. For example, by default on Debian systems the MySQL/MariaDB server daemon only listens for connections on the localhost address (127.0.0.1) and not on outside interfaces. Try running the '''nmap 127.0.0.1''' command and then compare the output with the '''nmap <your outside ip address here>''' command. Do you see some network services listening only on the localhost address? These services are not accessible from outside your computer even though the ports are open and you would see them as open with '''netstat'''. This shows us some of the additional value of using '''nmap'''.<br />
<li> The most realistic use of '''nmap''', though, is to scan like an attacker would, using a system outside of the one you're testing. Use '''nmap''' to scan a partner's IP address in the class and take a look at some of the '''nmap''' documentation to try a few different types of scans on that system. If you would like, you can also try scanning the entire ITC-2480 subnet (172.17.50.0/24) to try some subnet scanning capabilities.</li><br />
<ul> Remember that in our case these systems are secure from the outside world because we have an upstream firewall which you have bypassed by connecting to our VPN and these systems are using unroutable private IPv4 addresses.</ul><br />
<li> '''nmap''' also supports scanning IPv6 addresses. Note that a running service is not necessarily listening on both IPv4 and IPv6 addresses just because you have them both active on your machine. Figure out how to scan IPv6 addresses with '''nmap''' and try scanning both an IPv4 and IPv6 address of your machine and compare the results. Use the same type of address (i.e. both the IPv4 and IPv6 addresses should be the localhost addresses or should both be outside addresses). Are the same services open on both IPv4 and IPv6 on your system?</li><br />
</ol><br />
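The bind-address distinctions from the netstat and nmap sections above (loopback-only services versus services on outside addresses, and IPv4 versus IPv6 listeners) can be read directly out of '''netstat -natup''' output. The script below is an added example, not part of the original lab; the sample output is constructed, and the function names are assumptions made for illustration.

```bash
#!/bin/sh
# Added example (not from the lab): classify `netstat -natup` listeners by the
# address they are bound to, and compare the IPv4 and IPv6 listings.

# Constructed sample output; addresses, PIDs and program names are made up.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      801/mysqld
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1050/master
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/init
tcp        0      0 172.17.50.20:22         172.17.50.1:51514       ESTABLISHED 1422/sshd: student
tcp6       0      0 :::22                   :::*                    LISTEN      612/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      934/apache2
tcp6       0      0 ::1:25                  :::*                    LISTEN      1050/master
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1/init
udp        0      0 172.17.50.20:53         0.0.0.0:*                           702/named
EOF
}

# stdin: netstat output. stdout: "scope proto port program" for each socket
# that accepts new traffic (TCP in LISTEN state, UDP with no fixed peer).
classify_listeners() {
  awk '
    $1 !~ /^(tcp|udp)6?$/ { next }            # skip the two header lines
    {
      if ($1 ~ /^tcp/) {
        if ($6 != "LISTEN") next              # established sessions are not listeners
        prog = $7
      } else {
        if ($5 !~ /:\*$/) next                # UDP rows have no State column
        prog = $6
      }
      addr = $4; sub(/:[^:]*$/, "", addr)     # strip ":port" (also handles :::22)
      port = $4; sub(/^.*:/, "", port)
      if (addr ~ /^127\./ || addr == "::1")        scope = "loopback"
      else if (addr == "0.0.0.0" || addr == "::")  scope = "all-interfaces"
      else                                         scope = "specific"
      sub(/^[0-9]+\//, "", prog)              # "612/sshd" -> "sshd"
      if (prog == "") prog = "-"
      print scope, $1, port, prog
    }'
}

# Unique proto/port pairs bound to something other than loopback: these are
# the ports a firewall rule or an outside nmap scan has to account for.
exposed_ports() {
  classify_listeners |
    awk '$1 != "loopback" { sub(/6$/, "", $2); print $2 "/" $3 }' |
    LC_ALL=C sort -u
}

# Ports listed under only one address family, printed as "proto/port family".
# A "::" listener can still accept IPv4 when net.ipv6.bindv6only is 0, so an
# "ipv6" result here is a prompt to check with nmap, not proof.
single_family_ports() {
  classify_listeners | awk '
    {
      fam = ($2 ~ /6$/) ? "ipv6" : "ipv4"
      proto = $2; sub(/6$/, "", proto)
      key = proto "/" $3
      if (!(key in seen)) seen[key] = fam
      else if (seen[key] != fam) seen[key] = "both"
    }
    END { for (k in seen) if (seen[k] != "both") print k, seen[k] }' |
    LC_ALL=C sort
}

# Demo on the constructed sample.
sample_netstat | classify_listeners
```

On the lab system, feed the real output in with `sudo netstat -natup | classify_listeners`; the ports printed by `exposed_ports` are the ones to confirm from a partner's system with nmap.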
<br />
== Monitoring Services and Graphing System Statistics with Zabbix==<br />
'''''[https://www.youtube.com/watch?v=fF5NNRJwLjg Video Tutorial - Monitoring with Zabbix]''''' <br><br />
In this section we will install Zabbix by following [https://www.zabbix.com/download?zabbix=5.0&os_distribution=debian&os_version=10_buster&db=mysql&ws=apache these instructions on the Zabbix site].<br />
<ol><br />
<li> Go to the instructions link above and scroll down to '''part 2'''. Start by installing the zabbix repository.</li><br />
<code>wget https://repo.zabbix.com/zabbix/5.0/debian/pool/main/z/zabbix-release/zabbix-release_5.0-1+buster_all.deb</code><br><br />
<code>dpkg -i zabbix-release_5.0-1+buster_all.deb</code><br><br />
<code>apt update</code><br />
<li>Install Zabbix server, frontend, agent</li><br />
<code>apt install zabbix-server-mysql zabbix-frontend-php zabbix-agent</code><br />
<li>Create a database, a user, and schema following the instructions on the same website.<br />
: ''NOTE: These instructions use the MySQL/MariaDB command line. If you prefer, you can create the same database, user, and schema using the Webmin software, but you'll have to translate the command line instructions into the actions required in Webmin.''<br />
<code>mysql -uroot -p</code><br><br />
<code>create database zabbix character set utf8 collate utf8_bin;</code><br><br />
<code>create user zabbix@localhost identified by 'password';</code><br><br />
* Replace password with a password you want to use. (Command needs the quotes so don't remove them).<br />
<code>grant all privileges on zabbix.* to zabbix@localhost;</code><br><br />
<code>quit;</code><br><br />
<li>On Zabbix server host import initial schema and data. You will be prompted to enter your newly created password used when setting up the mysql database.</li><br />
<code>zcat /usr/share/doc/zabbix-server-mysql*/create.sql.gz | mysql -uzabbix -p zabbix</code><br />
<li>Edit the server configuration file ( ''/etc/zabbix/zabbix_server.conf'' ) to include the correct database password used when you set up the database above. ( ''DBPassword=<password>'' )</li><br />
: [[File:DBPassword.png | 500px]]<br />
<li>Edit the Zabbix Apache configuration file ( ''/etc/zabbix/apache.conf'' ) to include the correct timezone. [https://www.php.net/manual/en/timezones.php A list of valid PHP timezones can be found here.] We will be using ''America/Chicago''.</li><br />
: [[File:Apache_timezone.png | 500px]]<br />
<li>Restart the server. Then set it to auto start on startup:</li><br />
<code>systemctl restart zabbix-server zabbix-agent apache2</code><br><br />
<code>systemctl enable zabbix-server zabbix-agent apache2</code><br />
<li>Access the Zabbix web application at http://yourserver/zabbix/ and complete the setup wizard. [https://www.zabbix.com/documentation/5.0/manual/installation/frontend Detailed instructions for completing the setup wizard can be found here on the Zabbix site.]</li> <br />
<ul> At the end of the setup wizard you may need to download a ''zabbix.conf.php'' and save it to ''/etc/zabbix/zabbix.conf.php'' on your system.</ul><br />
<li> Log in to http://yourserver/zabbix/ (where yourserver is the IP address or DNS name for your system) with the username and password found [https://www.zabbix.com/documentation/5.0/manual/quickstart/login on the Zabbix site login instructions].</li><br />
: [[File:Enable_monitoring_zabbix.png | 500px]]<br />
<ul>The default superuser credentials are user name '''Admin''' with password '''zabbix'''.</ul><br />
<li> Enable monitoring of your Zabbix server host (''Configuration'' -> ''Hosts'')</li><br />
: [[File:Enable_monitoring_zabbix.png | 500px]]<br />
: ''NOTE: [https://www.zabbix.com/documentation/5.0/manual The Zabbix manual] may be helpful in completing these monitoring setup tasks.''<br />
* Add the templates to the host appropriate for the services we are running on the server (HTTP, IMAP, MySQL, SMTP, SSH)<br />
: [[File:Zabbix_templates.png | 500px]]<br />
* Explore some of the data available through Zabbix such as various graphs (''Monitoring'' -> ''Graphs''), Latest Data (''Monitoring'' -> ''Latest Data''), Screens (''Monitoring'' -> ''Screens''), and Events (''Monitoring'' -> ''Events'')<br />
* Try temporarily stopping some of the services on your system (to simulate a problem) such as the Postfix SMTP server, ''courier-imap'' server, etc. using the command line '''service''' command.<br />
* Re-check the data in Zabbix with the services turned off. Are you alerted of the problems? Make sure to turn the services back on when you're done.<br />
: ''NOTE: Most services will not instantaneously show as down. The templates for the service probably check it once per minute or less, so you may need to leave things down for a bit to see it in the Web UI.''<br />
* If you have additional time, see if you can get email notifications of failed services working (see ''Administration'' -> ''Media Types'' -> ''Email'' and ''Configuration'' -> ''Actions'')<br />
</ol><br />
==Checking Your Work==<br />
<br />
<ol><br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_12_test.py | python3<br />
</nowiki></code><br />
</ol><br />
=Web App=<br />
You can check your progress on any of the labs in the ITC-2480 course using the web app at this link: <br><br />
[http://webcheck.itc2480.campus.ihitc.net webcheck.itc2480.campus.ihitc.net]<br><br />
You must be logged into the campus VPN to use this application.</div>
Lab 11 mnjk (NateHaleen, 2021-04-25T16:10:00Z): https://wiki.ihitc.net/mediawiki/index.php?title=Lab_11_mnjk&diff=9643
<p>NateHaleen: /* Checking your Work */</p>
<hr />
<div>=Introduction=<br />
This lab assumes you know how to navigate through directories and create new files.<br />
<br />
In this lab you will perform the following tasks:<br />
*Explore [https://www.linux.com/news/discover-possibilities-proc-directory/ '''/proc'''], a directory containing the kernel runtime configuration and system information<br />
*Explore [https://tldp.org/LDP/sag/html/dev-fs.html '''/dev'''], a directory containing each device and interface attached to the system<br />
*Add a second hard drive to your Linux system<br />
*Mount a partition on your second drive<br />
*Check disk and file usage on your Linux system to verify the partitions and see how much disk space is being used.<br />
<br />
You will be introduced to the following commands:<br />
*'''[https://linux.die.net/man/8/lsusb lsusb]'''<br />
*'''[https://linux.die.net/man/8/lsmod lsmod]'''<br />
*'''[https://linux.die.net/man/1/uname uname]'''<br />
*'''[https://linux.die.net/man/8/lspci lspci]'''<br />
*'''[https://linux.die.net/man/8/dmesg dmesg]'''<br />
*'''[https://linux.die.net/man/8/cfdisk cfdisk]'''<br />
*'''[https://linux.die.net/man/8/mkfs.ext4 mkfs.ext4]'''<br />
*'''[https://linux.die.net/man/8/mkfs.btrfs mkfs.btrfs]'''<br />
*'''[https://linux.die.net/man/8/mount mount]'''<br />
*'''[https://linux.die.net/man/1/df df]'''<br />
*'''[https://linux.die.net/man/1/du du]'''<br />
<br />
=Lab Procedure=<br />
== Prerequisites ==<br />
: You need to be able to open an SSH console to your Linux system using the PuTTY software.<br />
: You should login with your standard user account.<br />
<br />
== Exploring /proc ==<br />
'''''[https://www.youtube.com/watch?v=NeYKHyV4nss&feature=youtu.be Video Tutorial - Exploring /proc]''''' <br><br />
<ol><br />
<li> Enter the '''/proc''' directory on your VM. </li><br />
: '''/proc''' is a very special folder, as it is a virtual filesystem. It's sometimes referred to as a process information pseudo-filesystem. The reason for calling it a pseudo-filesystem is that the "files" in ''/proc'' are not really files at all, but kernel runtime configuration and system information.<br />
<li> Use '''cat cpuinfo''' to view the contents of the '''/proc/cpuinfo''' "file". </li><br />
: Notice how the output tells you information about the CPU that is running the VM. This isn't actually a file at all; you are essentially asking the kernel to provide information about the CPU it's running on, which it gathers in real time. '''/proc''' is used not only to get hardware and kernel information, but it can also be used to tweak kernel settings while the system is running in a way similar to some Windows Registry edits. Look back on '''[[Lab_10_mnjk#Enable_Routing|Lab 10]]''' and notice how we echoed a "1" to a "file" in '''/proc''' to enable packet forwarding without rebooting the system.<br />
: There are a few files in '''/proc''' you should get to know:<br />
: '''/proc/cpuinfo''' = Shows you the CPU info for your machine.<br />
: '''/proc/modules''' = Shows you the currently enabled kernel modules that are active on your kernel.<br />
: '''/proc/cmdline''' = Shows you the boot arguments used to boot your kernel.<br />
: '''/proc/version''' = Shows you your kernel version.<br />
: It is important to note that some of these files have commands tied to them that can give you similar information but often formatted in a different way. For example:<br />
: '''lsmod''' = '''/proc/modules'''<br />
: '''mount''' = '''/proc/mounts'''<br />
: '''uname -a''' = '''/proc/version'''<br />
: Normally it is best to use the command version to lookup the information as it is normally formatted to be easier to read and understand.<br />
<li> Explore all of these files and commands and find the differences between the command line and file output versions as well as what types of information are available. </li><br />
</ol><br />
<br />
== Exploring /dev ==<br />
'''''[https://www.youtube.com/watch?v=ocBxRBH_6Js&feature=youtu.be Video Tutorial - Exploring /dev]''''' <br><br />
<ol><br />
<li> Change directories to '''/dev''' and list the "files". </li><br />
:Notice there are A LOT, but don't worry, there is organization in the mess. Each "file", like in '''/proc''', is actually a device or interface on the machine so '''/dev''' is actually another pseudo-filesystem. Here is a list of the most common interfaces you will see:<br />
: '''/dev/sd*''' = SATA Hard Drives<br />
: '''/dev/hd*''' = IDE Hard Drives<br />
: '''/dev/vd*''' = VirtIO (Virtualized) Hard Drives<br />
: '''/dev/ttyS*''' = Serial Interfaces on your PC.<br />
: '''/dev/tty*''' = Virtual Consoles, similar to the one you are using to enter commands. Mostly used by background programs or services.<br />
There are also some commands you should learn that will help you with detecting and looking up devices:<br />
: '''lsusb''' = List USB Devices (Bus, Device, ID, and advertised vendor)<br />
:: ''NOTE: Many virtual machines do not include a virtual USB controller which means the USB drivers and software including '''lsusb''' are not installed.''<br />
: '''lspci''' = List PCI Devices (Bus, Type, Advertised Name, Revision)<br />
: '''dmesg''' = Display or Driver Message. This shows kernel messages that are normally linked to adding, or removing devices.<br />
</ol><br />
<br />
== Partitioning a Second Disk ==<br />
'''''[https://www.youtube.com/watch?v=mK6zetYou0A&feature=youtu.be Video Tutorial - Partitioning A Second Disk]''''' <br><br />
<br />
As you may have noticed when exploring '''/dev''', our VM setup uses '''sd''' devices for hard drives. Drives are identified by a letter such as '''sda''', '''sdb''', '''sdc''', etc. for the first, second, and third SATA drives on a system (including HDDs, CD/DVDs, SSDs, etc.). Each partition on the drive is then given a number starting with 0 for the first partition. So the first partition on the first disk, the full identifier for the partition would be '''/dev/sda0'''.<br />
You may also have noticed there is an '''sdb''' that currently has no partitions. We are going to divide this drive into 2 partitions, format them, and then set up automatic mounting of the partitions.<br />
<ol><br />
<li> To start, run the following as root:<br />
<br><br />
<code>cfdisk /dev/sdb</code> </li><br />
:'''cfdisk''' is a graphical version of '''fdisk''', which is a tool used to setup disk partitioning. Note that '''fdisk''' or any other partitioning software only sets up the MBR, and does not actually format the drive even though you can set a partition type identifier such as '''fat32''', '''Linux''', etc. Also notice how we tell '''cfdisk''' what drive we want to edit the partition on by appending the drive device "file" to the end of the command.<br />
:[[file:Cfdisk-first-screen.png | link= https://wiki.ihitc.net/mediawiki/images/8/8e/Cfdisk-first-screen.png | 500px]]<br />
:[[media:Cfdisk-first-screen.png | Click for Larger Image]]<br />
: Because our new drives contain no existing partitions we are asked what type of partition table to create. <br />
<li> Choose to create a '''dos''' (aka MBR) style partition table. </li><br />
: Although this is an older style partition table it is well supported by many operating systems and BIOSes. The primary benefit of the newer GPT style tables is their ability to work with very large drives.<br />
<li> Once in '''cfdisk''', Select the '''New''' option. </li><br />
<li> Set the size close to '''5GB'''. </li><br />
: It does not need to be exact.<br />
<li> Now select '''primary''' as we are making a primary MBR partition. </li><br />
<li> Use the arrow keys to go down to the remaining '''Free Space''' on the drive, and press enter to again select '''New'''. </li><br />
<li> Create another '''primary''' partition, and set the size to about '''2GB'''. </li><br />
: At this point we should have two partitions, one named ''sdb1'' with a size of about 5GB (the program will round down to the closest boundary), and ''sdb2'' which takes up the next 2GB or so of the drive. <br />
<li> Use the arrow keys to select the '''Write''' option, and press '''enter'''. </li><br />
: You will be warned that this will write the table to the disk. Enter '''yes''', and press '''enter''' again to confirm.<br />
:: ''NOTE: If, on the bottom of the screen, you see "The partition table has been altered", you have successfully written the MBR to the drive.''<br />
<li> Navigate to '''Quit''' to exit the program.</li><br />
<li> From the command line run the following:<br />
<br><br />
<code>ls -al /dev/sd*</code>. </li><br />
: Notice how you can now see both of the new partitions, '''sdb1''' and '''sdb2''' in the listing. This means the partition device "files" have been created and you are ready to format the partitions with a filesystem.<br />
: The first partition will be formatted as '''ext4''', and the second partition will be formatted as '''btrfs'''. Both filesystems (as well as many others) are commonly used on Linux systems. For more information on the differences and similarities between '''btrfs''' and '''ext4''', refer to your book or Google.<br />
: To create the '''ext4''' partition, we will use the '''mkfs.ext4''' command. <br />
<li> As root, run the following command<br />
<br><br />
<code>mkfs.ext4 /dev/sdb1</code>. </li><br />
: This will format the partition as '''ext4''' with no label. If you would like to label the partition, look into the options of '''mkfs.ext4''' using '''man mkfs.ext4'''.<br />
: Before formatting the other partition as '''btrfs''' we need to install some tools. <br />
<li> The required tools are part of the '''btrfs-tools''' software package so install that package at this time.<br />
: ''NOTE: If you have issues with installing packages, check your firewall rules you created in a previous lab and ensure your Internet access is working properly from the VM.''</li><br />
<li> To format the second partition as a '''btrfs''' filesystem partition we will run the following:<br />
<br><br />
<code>mkfs.btrfs /dev/sdb2</code><br />
: Just like before, we need to tell the '''mkfs.btrfs''' command what partition to format by including that on the command line. </li><br />
</ol><br />
<br />
:There are many other options that can be set for specific filesystems during the formatting process. For example, many newer large drives use 4096 byte "Advanced Format" sectors instead of the traditional 512 byte hard drive sectors. Using these disks most efficiently requires adjusting the sector size during the format process to match the physical sector size on the disk. Other features and filesystems include the ability to take snapshots of the drive for backups. The full details of all the options, settings, and filesystems available in Linux are beyond the scope of this course. Suffice it to say that Linux systems with a need for high speed I/O from disks or other specialized features are finely tuned.<br />
<br />
:As a Linux system administrator at a minimum you should be familiar with the basic formatting of drives in the most common '''ext3''', '''ext4''', '''btrfs''', and '''fat''' (32) filesystems. Even though the FAT filesystem is not native to Linux (it doesn't have important features like user and group ownership) it is important as it is a cross platform filesystem commonly used to share files on thumb drives, external hard drives, or dual boot systems with MacOS or Windows users.<br />
<br />
:Once your two partitions are formatted they need to be '''mounted''' to the filesystem structure so that we can begin using them for file storage.<br />
<br />
== Mounting Partitions == <br />
'''''[https://www.youtube.com/watch?v=A0_6mPsuHbM&feature=youtu.be Video Tutorial - Mounting Partitions]''''' <br><br />
There are two main ways to mount disks in Linux. One is done manually, and the other is to set up mounting at boot. Manual mounting is typically done for either temporary access to drives such as CD/DVDs, thumb drives, external hard drives, or to access a newly created partition before rebooting the system. Automatic mounting is done during the boot process so that you have immediate access to the drive once the system is booted.<br />
<br />
To start, we will learn how to manually mount a partition. <br />
<ol><br />
<li> Change into the '''/mnt''' directory and then create a new directory named '''part1'''. </li><br />
: This will become the location where we will mount our '''/dev/sdb1''' partition and be able to save files to it.<br />
<li> Enter the '''part1''' directory and create a new empty file (remember the '''touch''' command?) named '''unmounted'''. </li><br />
: Because we have not yet mounted '''/dev/sdb1''' this file will be stored on our existing partition (''/dev/sda1'').<br />
<li> Go back to the '''/mnt''' parent directory. </li><br />
<li> Run the following as root:<br />
<br><br />
<code>mount /dev/sdb1 /mnt/part1</code> </li><br />
: This command will mount, or attach, '''/dev/sdb1''' to the filesystem location '''/mnt/part1''' and everything stored in that "directory" from this point on will actually be saved onto the first partition of the second SATA drive.<br />
<li> Go back into the '''part1''' directory and try listing the files. </li><br />
:[[file:Ls-part1-mounted.png | link= https://wiki.ihitc.net/mediawiki/images/2/22/Ls-part1-mounted.png | 500px]]<br />
:[[media:Ls-part1-mounted.png | Click for Larger Image]]<br />
<br />
: Notice how the '''unmounted''' file you made appears to no longer exist. This is because the '''part1''' "directory" is now being used as the mount point for the first partition on '''sdb''' and we haven't yet saved any files onto '''sdb1'''.<br />
<li> You can see a list of all storage devices currently mounted on the system by simply running the command '''mount''' without any options. Try doing this and verify that the newly mounted partition is showing in the list.</li><br />
<li> Change back to the '''/mnt''' directory and unmount the partition by running the following command<br />
<br><br />
<code>umount /mnt/part1</code> </li><br />
<li> Again list the contents of the ''part1'' directory. </li><br />
: Notice how the '''unmounted''' file is back. The file didn't ever really go away, but it was not accessible while the other partition was mounted on the '''part1''' directory. When a drive is mounted on a directory, it overlays on top of any files in the directory, but it does not delete or touch the files on the original disk.<br />
<li> Make a directory named '''btrfs''' in '''/mnt'''. Once created, using the file editor of your choice, open the '''/etc/fstab''' file.</li><br />
:[[file:Fstab.png | link= https://wiki.ihitc.net/mediawiki/images/c/c0/Fstab.png | 500px]]<br />
:[[media:Fstab.png | Click for Larger Image]]<br />
: The '''fstab''' file is used to tell a Linux system what drives and partitions it should mount at boot, as well as any mount options and where to mount the partitions. <br />
<li> On the bottom of the file, add the following: </li><br />
<pre>/dev/sdb1 /mnt/part1 ext4 defaults 0 0<br />
/dev/sdb2 /mnt/btrfs btrfs defaults 0 0</pre><br />
:: Adding these lines will indicate both partitions should be mounted at boot to the directories we created. To mount the partitions without rebooting or entering individual mount commands, we can just run '''mount -a''' which will load and mount all partitions in the '''fstab''' file. <br />
<li> Run the following command now and verify both partitions are mounted:<br />
<br><br />
<code>mount -a</code></li><br />
</ol><br />
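Because a directory that is not mounted still accepts writes (as the '''unmounted''' file above showed), it is worth checking that every '''/etc/fstab''' entry really is mounted after running '''mount -a'''. The script below is an added example, not part of the original lab; it compares an fstab file with a '''/proc/mounts'''-style listing, the sample inputs are constructed, and the function names are assumptions made for illustration.

```bash
#!/bin/sh
# Added example (not from the lab): report fstab entries that are not mounted,
# or that are mounted with a different filesystem type or device.

# Constructed sample inputs; the UUID value is a placeholder.
sample_fstab() { cat <<'EOF'
# /etc/fstab: static file system information.
UUID=0000-constructed / ext4 errors=remount-ro 0 1
/dev/sdb1 /mnt/part1 ext4 defaults 0 0
/dev/sdb2 /mnt/btrfs btrfs defaults 0 0
EOF
}

# State after the manual `mount /dev/sdb1 /mnt/part1`, before `mount -a`.
sample_mounts_before() { cat <<'EOF'
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /mnt/part1 ext4 rw,relatime 0 0
EOF
}

# State after `mount -a` has processed both new fstab lines.
sample_mounts_after() { cat <<'EOF'
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /mnt/part1 ext4 rw,relatime 0 0
/dev/sdb2 /mnt/btrfs btrfs rw,relatime 0 0
EOF
}

# Usage: check_fstab_mounted MOUNTS_FILE FSTAB_FILE
# Prints one status line per fstab entry; returns 1 if any entry has a problem.
check_fstab_mounted() {
  awk '
    # First file: remember what is mounted at each mount point.
    FILENAME == ARGV[1] { fstype[$2] = $3; dev[$2] = $1; next }
    # Second file: skip blank lines, comments, swap and noauto entries.
    NF == 0 || $1 ~ /^#/ { next }
    $3 == "swap" || ("," $4 ",") ~ /,noauto,/ { next }
    !($2 in fstype) {
      print "NOT-MOUNTED", $2, $1; bad = 1; next
    }
    fstype[$2] != $3 {
      print "WRONG-FS", $2, "fstab=" $3, "mounted=" fstype[$2]; bad = 1; next
    }
    # Device names can only be compared when fstab uses a /dev path.
    $1 ~ /^\/dev\// && dev[$2] != $1 {
      print "WRONG-DEVICE", $2, "fstab=" $1, "mounted=" dev[$2]; bad = 1; next
    }
    { print "OK", $2, $1 }
    END { exit (bad ? 1 : 0) }
  ' "$1" "$2"
}

# Demo on the constructed samples.
demo() {
  tmpdir="$(mktemp -d)"
  sample_fstab > "$tmpdir/fstab"
  sample_mounts_before > "$tmpdir/mounts"
  check_fstab_mounted "$tmpdir/mounts" "$tmpdir/fstab" ||
    echo "some fstab entries are not mounted as configured"
  rm -rf "$tmpdir"
}
demo
```

On the lab system, run `check_fstab_mounted /proc/mounts /etc/fstab` after `mount -a`.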
<br />
== Disk and File Usage ==<br />
'''''[https://www.youtube.com/watch?v=CU0BT718ifA&feature=youtu.be Video Tutorial - Disk and File Usage]''''' <br><br />
: Another way to verify the partitions which are mounted and to see how much disk space is used on each is to use the '''df''' command. <br />
<ol><br />
<li> Run '''df''', you should see something similar to this at the bottom of the output:</li><br />
:[[file:Df.png | link= https://wiki.ihitc.net/mediawiki/images/1/19/Df.png | 500px]]<br />
:[[media:Df.png | Click for Larger Image]]<br />
<br />
: This indicates that the two partitions are mounted properly to the folders we created earlier. '''df''' is a powerful command as not only will it show you what is mounted where, but it also shows you how much disk space is used and how much space is left.<br />
: The '''df''' command doesn't give the most easily readable disk or usage sizes by default. <br />
<li> Add the '''-h''' option to the command line to change the output to a "human readable" format and see what it looks like.<br />
<br><br />
<code>df -h</code> </li><br />
<li> Now, '''cd''' into '''/mnt/part1''' so you are on the ext4 partition you created. Then as root, run the following command:<br />
<br><br />
<code>cp -r /var/log ./</code> </li><br />
<li> '''cd''' into the ''log'' folder, and run the following:<br />
<br><br />
<code> du -h</code> </li><br />
: '''du''' is a command that allows you to view file usage in a tree format. Just like with '''df''' the '''-h''' flag tells '''du''' to output the usage in a "human readable" format, while the '''-a''' flag tells it to show you the results for all files, and not just for folders.<br />
<li> Read the '''man du''' page and play around with using the '''du''' command across the file system. </li><br />
: How much data is the /etc/ folder taking up on your Linux system? What directories are the biggest?<br />
</ol><br />
<br />
=Checking your Work=<br />
<ol><br />
<li> Run '''ls -al /mnt/part1''', does it look like this? </li><br />
:[[file:Ls-part1-mounted.png | link= https://wiki.ihitc.net/mediawiki/images/2/22/Ls-part1-mounted.png | 500px]]<br />
:[[media:Ls-part1-mounted.png | Click for Larger Image]]<br />
<li> Run '''ls -al /mnt/btrfs''', does it look like this? </li><br />
:[[file:Ls-btrfs-mounted.png | link= https://wiki.ihitc.net/mediawiki/images/5/57/Ls-btrfs-mounted.png | 500px]]<br />
:[[media:Ls-btrfs-mounted.png | Click for Larger Image]]<br />
<li> Run '''df''', does it look like this? </li><br />
:[[file:Df.png | link= https://wiki.ihitc.net/mediawiki/images/1/19/Df.png | 500px]]<br />
:[[media:Df.png | Click for Larger Image]]<br />
: If your output matches the screenshots, you have successfully completed the lab!<br />
<br />
<br><br><br />
<br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_11_test.py | python3<br />
</nowiki></code><br />
<br />
</ol><br />
=Web App=<br />
You can check your progress on any of the labs in the ITC-2480 course using the web app at this link: <br><br />
[http://webcheck.itc2480.campus.ihitc.net webcheck.itc2480.campus.ihitc.net]<br><br />
You must be logged into the campus VPN to use this application.</div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_10_mnjk&diff=9642Lab 10 mnjk2021-04-25T16:09:38Z<p>NateHaleen: /* Checking your Work */</p>
<hr />
<div>=Introduction=<br />
This lab assumes you have successfully set up [[Lab_8_mnjk#Install_BIND_.26_Enable_Caching | DNS]] and [[Lab_9_mnjk#Install_the_Postfix_MTA |email]]. If you had any issues with those labs, you should resolve them before attempting this lab, since you will be unable to properly test the tasks in this lab if those are not fully functional.<br />
<br />
In this lab you will perform the following tasks:<br />
*Configuring a [https://firewalld.org/ Firewall]<br />
*Enabling a 2nd interface<br />
*Configuring [https://en.wikipedia.org/wiki/Network_address_translation NAT]<br />
*Setting up [https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol DHCP]<br />
*Installing [https://linuxmint.com/ Linux Mint] on a second VM<br />
*Enabling [https://en.wikipedia.org/wiki/Port_forwarding Port Forwarding]<br />
<br />
You will be introduced to the following commands:<br />
*'''[https://firewalld.org/documentation/man-pages/firewall-cmd.html firewall-cmd]'''<br />
*'''[https://linux.die.net/man/1/echo echo]'''<br />
*'''[https://linux.die.net/man/8/ifconfig ifconfig]'''<br />
<br />
NOTE: This lab does NOT have embedded videos.<br />
<br />
=Lab Procedure=<br />
== Prerequisites ==<br />
# Open an SSH console to your Linux system using the PuTTY software.<br />
# Login with your standard user account.<br />
# Have a browser window set to the Webmin interface for your Linux VM.<br />
<br />
== Configure a Firewall ==<br />
''NOTE: It is suggested that instead of managing a firewall directly using nftables tools (which would also require us to create a script to reload our rules each time the system is restarted) we use a firewall daemon program to manage it based on a set of rules we create and automatically setup the firewall based on those rules each time the system boots. There are many command line firewall management programs out there but for this lab we will use the [https://firewalld.org/ firewalld] package suggested by Debian. ''<br />
<ol><br />
<li>Begin by installing the ''firewalld'' package on your system.</li><br />
<li>First, let's check to see if the firewall is now up and running using the following command:</li><br />
<code>firewall-cmd --state</code><br />
: The firewall has been pre-configured with a couple of rules in it to prevent us from getting locked out. <br />
: [[File:Lab10_firewalld_state.png | link=https://wiki.ihitc.net/mediawiki/images/1/11/Lab10_firewalld_state.png|500px]]<br />
: [[Media:Lab10_firewalld_state.png | Click for larger image]]<br />
<li>Let's see what those rules are by using this command: </li><br />
<code>firewall-cmd --list-all</code><br />
: [[File:Lab10_firewalld_initial_rules.png | link=https://wiki.ihitc.net/mediawiki/images/1/14/Lab10_firewalld_initial_rules.png|500px]]<br />
: [[Media:Lab10_firewalld_initial_rules.png | Click for larger image]]<br />
: By default all interfaces are in the public zone (this is set in the ''/etc/firewalld/firewalld.conf'' file). <br />
: Before we start working on rules for our firewall we should assign our outside interface to the external zone which is designed for NAT routing which we'll be setting up shortly. <br />
<li> We can do this with the command:</li><br />
<code>firewall-cmd --zone=external --add-interface=ens192</code><br />
: We can create custom zones or use pre-defined security zones which will speed up configuring the firewall. Learn more about the [https://firewalld.org/documentation/zone/predefined-zones.html pre-defined zones in firewalld documentation].<br />
<li>Since we have changed zones on our interface let's check and see what rules we have started with. Let's see what those rules are:</li><br />
<code>firewall-cmd --zone=external --list-all</code><br />
: ''NOTE: You can also use the '''firewall-cmd --list-all-zones''' command to see a list of all available zones and their rules.''<br />
: If you were watching carefully you may have noted that the dhcpv6-client service, which was allowed in the public zone, is not allowed by default in the external zone. <br />
<li>In our case we want to allow DHCPv6 to operate on our outside interface so we can re-enable it with the following command: </li><br />
<code> firewall-cmd --zone=external --add-service="dhcpv6-client"</code><br />
<li>Check to see what other services can be allowed on an interface with:</li><br />
<code>firewall-cmd --get-services</code><br />
: If you check you will see that although you can connect with ssh (by default it's on the allowed service list you saw above) you can't connect to your webserver or Webmin anymore. Webmin is not a pre-defined service in the list we saw above so we could either set it up as a new service and then allow it or we could create a manual rule to allow the TCP traffic on port 10000 needed to access Webmin. In this case because the service only uses a single port and to see how manual rules can be created let's manually create a rule to allow access to TCP port 10000. <br />
<li>Do this by running this command: </li><br />
<code>firewall-cmd --zone=external --add-port=10000/tcp </code><br />
:You should now be able to access Webmin again.<br />
<li> Using either service rules or manual port rules create additional rules so that the other services on your VM are again accessible from the outside (such as from your home PC over the VPN). </li><br />
:''HINT: Services we have setup so far include SSH, DNS, SMTP, IMAP, Samba, and HTTP.''<br />
: Make sure to test and ensure they are all working again!<br />
<li> Once you are satisfied your firewall is running correctly you can use the following command to set these rules to automatically load each time the system is started.</li><br />
<code> firewall-cmd --runtime-to-permanent </code><br />
</ol><br />
<br />
== Setup a 2nd NIC Interface ==<br />
To start this lab we will need to configure a second network interface, named ens224, on our virtual machines. In our simulated setup our existing ens192 interface will be our WAN interface and ens224 will be our LAN interface, which could be connected to a switch and then to multiple other computers, allowing them to connect to the Internet through our server.<br />
<ol><br />
<li> Open ''/etc/network/interfaces'' with your favorite text editor. </li><br />
* Go to the bottom of the file.<br />
: [[File:Lab10_network_interfaces_before.png | link=https://wiki.ihitc.net/mediawiki/images/f/f8/Lab10_network_interfaces_before.png|500px]]<br />
: [[Media:Lab10_network_interfaces_before.png | Click for larger image]]<br />
* Add the following to configure the second interface with a static IP of 192.168.1.1/24:<br />
<pre>auto ens224<br />
iface ens224 inet static<br />
address 192.168.1.1<br />
netmask 255.255.255.0</pre><br />
<br />
: [[File:Lab10_network_interfaces_after.png | link=https://wiki.ihitc.net/mediawiki/images/8/80/Lab10_network_interfaces_after.png|500px]]<br />
: [[Media:Lab10_network_interfaces_after.png | Click for larger image]]<br />
: ''NOTE: As this is a LAN only interface, we do not need to define a gateway for the server VM, as the server VM itself will be the gateway for this network.''<br />
<li>Once this is done, save the file.</li><br />
<li> Run the following command to enable the new interface.</li><br />
<code>ifup ens224</code><br />
<li>Verify the second interface is up and running with the correct IP address</li><br />
</ol><br />
<br />
== Enable Routing ==<br />
Now we will need to enable NAT so we can route LAN traffic to the Internet and responding Internet traffic back to our LAN interface.<br />
<ol><br />
<li>In your console, you will need to edit ''/etc/sysctl.conf''. This file is used to change and tweak multiple system variables. </li><br />
* Scroll down until you find the following:<br />
<pre># Uncomment the next line to enable packet forwarding for IPv4<br />
#net.ipv4.ip_forward=1<br />
</pre><br />
* Follow the instructions in the file to enable packet forwarding in the kernel. <br />
: [[File:Lab10_sysctl_after.png | link=https://wiki.ihitc.net/mediawiki/images/1/1e/Lab10_sysctl_after.png|500px]]<br />
: [[Media:Lab10_sysctl_after.png | Click for larger image]]<br />
* When you are done, save the file.<br />
: Changes to the ''sysctl.conf'' file require a reboot, but most can be set without a reboot by echoing response codes to "files" in ''/proc''. <br />
<li> We will get into that more in a later chapter, but for now run the following command to enable ip_forwarding without rebooting the machine: </li><br />
<code>echo 1 > /proc/sys/net/ipv4/ip_forward</code><br />
: ''NOTE: If you are receiving an error when trying to run that command it's likely that the user you are running it as does not have permission to modify the '''/proc/sys/net/ipv4/ip_forward''' file (check the permissions by using '''ls'''). Read [http://stackoverflow.com/questions/82256/how-do-i-use-sudo-to-redirect-output-to-a-location-i-dont-have-permission-to-wr this similar question] for more details and possible solutions.''<br />
</ol><br />
<br />
== Setup a DHCP Server ==<br />
To setup a DHCP server, we will first need to install the required software. <br />
<ol><br />
<li>In your SSH console use your favorite package manager to install the ''isc-dhcp-server'' package.</li><br />
: After you install the package you may get a warning about ''isc-dhcp-server'' being unable to start. This is normal as we have yet to define the interface and settings we want used.<br />
<li>Now back in Webmin, select the Refresh Modules option.</li><br />
* After it is done, go to Servers, then DHCP Server<br />
: Before we define our DHCP range, we need to set our listening interface. <br />
* Click on the ''Edit Network Interface'' option. <br />
*Select ''ens224''. <br />
* Press save.<br />
<li>Now under Subnets and Shared Networks, select Add a new subnet. </li><br />
* Use the following settings:<br />
<pre>Subnet description: LAN DHCP Range<br />
Network Address: 192.168.1.0<br />
Netmask: 255.255.255.0<br />
Address Ranges: 192.168.1.100-192.168.1.254</pre><br />
: [[File:Lab10_webmin_dhcp_create_subnet.png | link=https://wiki.ihitc.net/mediawiki/images/4/4e/Lab10_webmin_dhcp_create_subnet.png|500px]]<br />
: [[Media:Lab10_webmin_dhcp_create_subnet.png | Click for larger image]]<br />
* When you are done, press Create. <br />
* Now, click on the network you just created to review the settings, then press Edit Client Options at the bottom.<br />
: From here we will setup the default gateway and DNS servers for the clients to use. <br />
<li> Under Default Routers, set the option to 192.168.1.1.</li><br />
* Under DNS servers, set it to 192.168.1.1. <br />
: [[File:Lab10_webmin_dhcp_client_options.png | link=https://wiki.ihitc.net/mediawiki/images/d/d7/Lab10_webmin_dhcp_client_options.png|500px]]<br />
: [[Media:Lab10_webmin_dhcp_client_options.png | Click for larger image]]<br />
: Notice how we are setting these options to the IP of ens224 that we setup. This is because our Linux VM will act as the router and DNS for our clients as well.<br />
* When you are done, press save<br />
* Then on the Edit Subnet page, press save again.<br />
<li>Now that you are back on the DHCP server page, press the Start Server button.</li><br />
: If all goes well, the button should change to "Stop Server". If this does not happen, then the server was unable to start. If that happens, re-check your DHCP server configurations to make sure everything is correct.<br />
</ol><br />
<br />
== Enabling NAT and Firewall Rules for the LAN ==<br />
Now we will use firewalld to setup NAT so that we can use private addresses on our internal LAN but still have access to the public Internet. <br />
<ol><br />
<li>First, let's set our ens224 interface (LAN) to be in the internal zone with the following command.</li><br />
<code>firewall-cmd --zone=internal --add-interface=ens224</code><br />
<li>You should now take a minute to allow all of the same services and ports on the internal network that you have allowed on the external network. </li><br />
:In other words, make sure that Webmin, Samba, DNS, etc. are also allowed on the internal zone.<br />
:In order to activate NAT you need to turn on the "masquerade" feature on your outside interface. This is probably already done if you correctly assigned your outside interface to the pre-defined external zone (it's one of the features of that zone). <br />
: ''HINT: you can do this manually as well in case you setup a custom zone by running the '''firewall-cmd --add-masquerade --zone=external''' command.''<br />
: While routing and NAT should be working for hosts on your LAN interface now they probably still can't get an IP address! Just like all the other services being blocked by the firewall DHCP is also blocked unless you specifically allow it. <br />
<li>To do this run the following command:</li><br />
<code>firewall-cmd --add-service=dhcp --zone=internal</code><br />
<li>Once you are satisfied your firewall is running correctly you can use this command to set these rules to automatically load each time the system is started.</li><br />
<code>firewall-cmd --runtime-to-permanent</code></ol><br />
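One way to check the zone rules from the firewall and NAT sections before relying on them, as an added example that is not part of the original lab: it parses the text printed by '''firewall-cmd --list-all''' and reports services, ports or masquerading that are missing, plus runtime rules that were never saved with '''--runtime-to-permanent'''. The function names, the sample output and the required-service list (firewalld service names chosen to match the hint above, so services allowed as manual port rules are not recognised) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit firewalld zone output against the lab's intended policy.
# It parses text, so it works on saved output as well as on a live system.

# Assumed policy for the external zone: firewalld service names for the
# services the lab re-allows, plus the manual Webmin port rule.
REQUIRED_SERVICES="ssh dns smtp imap samba http dhcpv6-client"
REQUIRED_PORTS="10000/tcp"

# zone_field FIELD: print the value of one "--list-all" field read from stdin.
zone_field() {
    awk -v key="$1" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, key ":") == 1 {
            val = substr(line, length(key) + 2)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            print val
            exit
        }'
}

# missing_items "wanted words" "present words": print the wanted words that
# are not present, space separated on one line.
missing_items() {
    missing=""
    for want in $1; do
        case " $2 " in
            *" $want "*) ;;
            *) missing="${missing:+$missing }$want" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# audit_zone LIST_ALL_TEXT "services" "ports" yes|no
# Prints one finding per line; returns 0 only when the zone matches the policy.
audit_zone() {
    services=$(printf '%s\n' "$1" | zone_field services)
    ports=$(printf '%s\n' "$1" | zone_field ports)
    masq=$(printf '%s\n' "$1" | zone_field masquerade)
    findings=0

    miss=$(missing_items "$2" "$services")
    if [ -n "$miss" ]; then echo "missing services: $miss"; findings=1; fi
    miss=$(missing_items "$3" "$ports")
    if [ -n "$miss" ]; then echo "missing ports: $miss"; findings=1; fi
    if [ "$masq" != "$4" ]; then
        echo "masquerade is '$masq', expected '$4'"; findings=1
    fi
    return $findings
}

# unsaved_rules RUNTIME_TEXT PERMANENT_TEXT
# Lists services and ports that exist at runtime but not in the permanent
# configuration, i.e. rules that would be lost at the next reboot.
unsaved_rules() {
    for field in services ports; do
        run=$(printf '%s\n' "$1" | zone_field "$field")
        perm=$(printf '%s\n' "$2" | zone_field "$field")
        lost=$(missing_items "$run" "$perm")
        if [ -n "$lost" ]; then echo "$field not saved: $lost"; fi
    done
}

# Constructed sample: runtime state of the external zone right after the
# Webmin port rule was added, before the other services were re-allowed.
SAMPLE_RUNTIME='external (active)
  target: default
  interfaces: ens192
  services: dhcpv6-client ssh
  ports: 10000/tcp
  masquerade: yes
  forward-ports:
  rich rules:'

# Constructed sample: permanent configuration of the same zone before
# --runtime-to-permanent has been run.
SAMPLE_PERMANENT='external
  target: default
  interfaces:
  services: ssh
  ports:
  masquerade: yes
  forward-ports:
  rich rules:'

# Demo on the constructed samples. On a live system (as root) use e.g.
#   audit_zone "$(firewall-cmd --zone=external --list-all)" \
#       "$REQUIRED_SERVICES" "$REQUIRED_PORTS" yes
#   unsaved_rules "$(firewall-cmd --zone=external --list-all)" \
#       "$(firewall-cmd --permanent --zone=external --list-all)"
audit_zone "$SAMPLE_RUNTIME" "$REQUIRED_SERVICES" "$REQUIRED_PORTS" yes || true
unsaved_rules "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT"
```

For the internal zone, pass that zone's output, add ''dhcp'' to the required services and expect masquerade to be ''no''.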
<br />
== Setup a 2nd VM as a LAN Host ==<br />
Now we are going to setup a 2nd VM on the VMware server so we can have a client to connect to the LAN network segment we just created. For this though, we will be using Linux Mint instead of Debian so we have a graphical user interface to help us with testing.<br />
<ol><br />
<li> You'll need to make a Netlab reservation to work with your Mint system's GUI so go ahead and do that. </li><br />
* Enter the lab on Netlab<br />
* Click the "Linux Desktop" tab to access your Mint machine.<br />
: The VM should be booting from a Linux Mint virtual CD image. <br />
<li> Get Linux Mint installed using the link on the desktop.</li><br />
: Installation settings are not critical as we'll be using the system primarily to explore a Linux GUI and to test web browsing capability from our private network.<br />
: [[File:Lab10_linux_mint_desktop.png | link=https://wiki.ihitc.net/mediawiki/images/f/f1/Lab10_linux_mint_desktop.png|500px]]<br />
: [[Media:Lab10_linux_mint_desktop.png | Click for larger image]]<br />
: ''NOTE: By default Linux Mint will boot into a "Live CD" environment where you can use the system without installing. However, the Live CD environment is much slower and memory limited compared with a full installation to the hard drive so be sure to start an installation and reboot into the installed copy instead of from the Live CD. You will know you're working from an installed copy if you are prompted for your username and password when logging in and don't see a link on the desktop to Install Linux Mint anymore.''<br />
<li> Once you have Linux Mint installed, reboot the machine and login. </li><br />
: Hopefully the machine is able to connect to the Internet through your Debian server which is acting as a DHCP server and router (see the topology diagram tab in Netlab to see a diagram of how they are connected).<br />
<li> Press the Menu icon in the lower left corner, and enter "Terminal". </li><br />
* Then, open the terminal application.<br />
<li> You now have a shell on the system. From here, use the following command to check your network settings. </li><br />
<code>ip address show</code><br />
: Notice how you have an IP from the DHCP pool we created earlier. <br />
<li> Now try pinging ''172.17.50.1''. </li><br />
: Are you able to ping? If so, NAT is working properly on your network because the 172.17.50.0/24 network is outside of the LAN segment this machine is attached to (192.168.1.0/24).<br />
: ''NOTE: Notice how some Linux distributions like Mint haven't switched from the old naming of network interfaces with ''eth'' to the new ''ens'' style. You can also try using the older '''ifconfig''' way of checking the IP address and compare the output to the new '''ip address show''' method which we have been using so far in Debian.''<br />
<li> Now run '''ping google.com'''. </li><br />
: If you are able to ping, this shows that not only is NAT working, but DNS resolving as well.<br />
<li> Open a web browser on the system (you can use a graphical browser this time since you have a GUI) and test browsing to a few websites.</li><br />
: At this point we have a fully functional LAN environment.<br />
<li> In order to allow automatic safe shutdown of your Linux Mint system and improve speed/efficiency use the package manager to install the ''open-vm-tools-desktop'' package. </li><br />
:This provides better drivers and integration between the VMware host which is running your Linux Mint virtual machine and the virtual machine itself.<br />
<li> Finally, in the next section we'll be setting up SSH access to Mint through the Firewall so you'll want to install the ''openssh-server'' package through the package manager. </li><br />
: Once you've done this you should be able to use the ssh program on the command line in Debian to access your Mint system like '''ssh mintusername@192.168.1.x''' where you are using a valid username on the Mint system and the IP address of the Mint system.<br />
<li> Spend a few more minutes exploring the functionality of the Linux GUI and desktop.</li></ol><br />
<br />
== Port Forwarding and Firewalling ==<br />
Now we are going to enable port forwarding to our VM. This will allow you to access the 2nd VM from the ITC network and VPN.<br />
Because we are already using port 22 on our outside interface to provide SSH access to our main Debian system we need to use a different port to access the Mint system. Instead of changing the port number in the SSH server software on Mint we can have our firewall do it at the same time the NAT masquerading is occurring. <br />
<ol><br />
<li>Set up a rule by running the following command:</li><br />
<code>firewall-cmd --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=192.168.1.100 --zone=external</code><br />
:NOTE: this rule is a little unstable because it forwards the port to 192.168.1.100 which is currently the IP of our Mint system (if yours has a different IP you should change it in the command) but because that system gets an IP from DHCP it is subject to change which would break the rule. Therefore, if we wanted this to be stable in the long term, we would want to set up a static IP on any machines we were forwarding ports to.<br />
:''HINT: If your connection is refused, it may be because SSH is not installed in Mint. Try installing SSH using the package manager or apt.''<br />
<li> From a computer on the ITC network, such as one connected to the VPN, try to SSH to port 2222 on the outside (172.17.50.xx) IP address of your Debian system. </li><br />
:If everything was set up successfully, you should be able to sign into the Mint VM based on the port forwarding rule we have put in place.<br />
<li> Once you are satisfied your firewall is running correctly you can use the following command to set these rules to automatically load each time the system is started.</li><br />
<code>firewall-cmd --runtime-to-permanent</code><br><br />
</ol><br />
When you are done testing this section of the lab please power off your new Linux Mint VM as these require far more resources to run than the Debian VMs on our servers.<br><br />
: [[File:Lab10_linux_mint_shutdown.png | link=https://wiki.ihitc.net/mediawiki/images/1/1c/Lab10_linux_mint_shutdown.png|500px]]<br />
: [[Media:Lab10_linux_mint_shutdown.png | Click for larger image]]<br />
<br />
=Checking your Work=<br />
For this lab there are many things you need to check.<br />
<br />
#Firewall - attempt to connect using FTP on port 21, this should fail<br />
#SSH - connect using FTP on port 22<br />
#DNS - navigate to url of server<br />
#SMTP - send a mail to auto-respond server<br />
#IMAP - receive a mail from auto-respond server<br />
#Samba - Create a file on server using file sharing<br />
#HTTP - Navigate to ip address of server<br />
#Webmin - Navigate to <your-ip>:10000<br />
#PuTTY into Linux Mint using your IP address and port 2222<br />
#Linux Mint DNS/NAT - ping google.com from within Linux Mint<br><br><br />
<br><br />
Run this script to automatically check your lab<br><br />
<br />
<code><br />
<nowiki> sudo curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_10_rewrite.py | sudo python3 </nowiki><br />
</code><br />
=Web App=<br />
You can check your progress on any of the labs in the ITC-2480 course using the web app at this link: <br><br />
[http://webcheck.itc2480.campus.ihitc.net webcheck.itc2480.campus.ihitc.net]<br><br />
You must be logged into the campus VPN to use this application.</div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_9_mnjk&diff=9641Lab 9 mnjk2021-04-25T16:09:10Z<p>NateHaleen: /* Checking Your Work */</p>
<hr />
<div>=Introduction=<br />
<br />
In this lab you will perform the following tasks:<br />
*Install a basic email server <br />
*Install Courier MDA software<br />
*Learn how to allow remote users to send mail<br />
<br><br />
You will be introduced to the following commands:<br />
*'''[https://linux.die.net/man/1/telnet telnet]'''<br />
<br><br />
This lab assumes that you know the IP address of your Linux system and are connected to the ITCnet VPN network. Additionally, this lab assumes that you have completed the BIND DNS lab and have created an MX record that directs mail to your mail server. <br />
*[[Lab_8_mnjk#Install_BIND_&_Enable_Caching | Installing Bind]]<br />
*[[Lab_8_mnjk#Adding_a_Delegated_Domain | Creating a MX record in DNS]]<br />
<br />
=Lab Procedure=<br />
== Prerequisites ==<br />
# Open an SSH console to your Linux system using the PuTTY software, login with your standard user account<br />
# Make sure that Webmin is installed on your system. <br />
# Get the username and domain name of someone else's system in the class who you can send mail to<br />
# This lab requires that you have appropriate domain name records (at least a correct A and MX record) for your system working from the DNS lab before things will work.<br />
<br />
== Install the Postfix MTA ==<br />
'''''[https://www.youtube.com/watch?v=6VsgO5695Z4&feature=youtu.be Video Tutorial - Install Postfix MTA]'''''<br />
<ol><br />
<li> Use a package manager to install the ''postfix'' package.<br />
* During the installation process select ''Internet Site'' as the type of mail server and set the domain name to ''*.itc2480.campus.ihitc.net'' where * is the hostname letter of your system.</li><br />
: MTA software listens for incoming connections from other MTA servers on port 25 and accepts mail on behalf of users on the system. Once the mail is received it is stored locally for users to retrieve. The most common methods for storing messages are an .mbox file, where all messages are stored in a single file, and a Maildir, which is a directory where each message is stored in a separate file. The MTA also listens for connections from client software (MUA), accepts outbound messages from them and forwards them on to the destination domain's mail server. Advanced configuration of MTA software can allow for anti-spam filtering, mailing list support or other programs to intercept and manipulate mail as it passes through the server.<br />
<li>Test the connection and verify the port is open</li><br />
:* Use Telnet to connect to the Postfix SMTP server on port 25: '''telnet localhost 25'''<br />
: [[File:Lab9_open_telnet.png|link=https://wiki.ihitc.net/mediawiki/images/1/10/Lab9_open_telnet.png|500px]]<br />
: [[Media:Lab9_open_telnet.png | Click here for larger image]]<br />
:* Type '''quit''' and press enter after verifying Postfix is running.<br />
<br />
<li>Configure Maildir</li><br />
: Because the Courier IMAP and POP3 server software only supports Maildir style message stores and Postfix stores in mbox files by default you must edit the ''/etc/postfix/main.cf'' file to fix this. <br />
:* Add the line <br />
:<pre>home_mailbox = Maildir/</pre> <br />
: Edit or add the ''mailbox_command'' parameter so there is nothing on the line after the equals sign, delete the portion of the line referencing procmail if it exists. The line should look like: <br />
:<pre>mailbox_command = </pre><br />
<li> Restart the ''postfix'' service to apply your change. Postfix is now saving new incoming messages into the Maildir folder inside each user's home directory. This folder is automatically created by Postfix the first time a new message comes in for a user.</li><br />
<li> Set your shell to recognize the maildir as your mail location</li><br />
:* Edit the ''/etc/login.defs'' file and comment out the ''MAIL_DIR /var/mail'' line (place a # in front of the line) and add a line setting ''MAIL_FILE'' like this:<br />
<pre><br />
#MAIL_DIR /var/mail<br />
MAIL_FILE Maildir/<br />
</pre><br />
:* Edit the ''/etc/pam.d/login'' file, find and comment out the ''session optional pam_mail.so standard'' line (place a # in front of the line) and add a line like this immediately below it:<br />
<pre><br />
#session optional pam_mail.so standard<br />
session optional pam_mail.so dir=~/Maildir standard<br />
</pre><br />
:* Edit the ''/etc/pam.d/su'' file, find and comment out the ''session optional pam_mail.so nopen'' line (place a # in front of the line) and add a line like this immediately below it:<br />
<pre><br />
#session optional pam_mail.so nopen<br />
session optional pam_mail.so dir=~/Maildir nopen<br />
</pre><br />
:* Edit the ''/etc/pam.d/sshd'' file, find and comment out the ''session optional pam_mail.so standard noenv'' line (place a # in front of the line) and add a line like this immediately below it:<br />
<pre><br />
#session optional pam_mail.so standard noenv<br />
session optional pam_mail.so dir=~/Maildir standard<br />
</pre><br />
:* Edit the ''/etc/profile'' file and at the end of the file add the line: <pre>export MAIL=~/Maildir</pre><br />
<li> Test sending and receiving mail as a locally logged on user.</li><br />
<br />
:* Install the ''mailutils'' package.<br />
:* Try sending a message (replace username with your username): <pre>echo "This is my message" | mail -s "Email Subject" username@localhost</pre><br />
:* Log out of your SSH session and open a new SSH session to apply the changes to the ''/etc/profile'' and ''/etc/login.defs'' files.<br />
:* Check to see if the message was received using the '''mail''' command, press ''q'' to return to the command line.<br />
:[[File:Lab9_cli_send_mail.png|link=https://wiki.ihitc.net/mediawiki/images/4/4f/Lab9_cli_send_mail.png|500px]]<br />
:[[Media:Lab9_cli_send_mail.png|Click here for a larger image]]<br />
: You should also be able to see the message in ''~/Maildir/'' in either the ''new/'' or ''cur/'' directory depending on whether you have viewed the message list yet or not. In either case, the message will appear as a text file with a random-looking name. It's just a text file so you can use '''cat''' or '''less''' to view it.<br />
<li> Create Aliases </li><br />
: You can create aliases and forward mail between users by editing the ''/etc/aliases'' file and then running the '''newaliases''' program. <br />
:* Create an "alias" for ''sysadmin'' which forwards mail sent to sysadmin@localhost to your username <br />
:* Send a copy of all mail to the ''root'' account to your username <br />
<br />
: Now would be a good time to try logging on to Webmin again, re-scanning for modules and then taking a look at the Postfix module in the ''Servers'' section.<br />
<li>Explore the mail log file</li><br />
: Take a look at your ''/var/log/mail.info'' log to see Postfix sending and receiving messages for users.<br />
</ol><br />
<br />
== Install Courier MDA ==<br />
'''''[https://www.youtube.com/watch?v=uvZlSiQHlxs&feature=youtu.be Video Tutorial - Install Courier MDA]'''''<br />
<ol><br />
<li>Install required courier packages </li><br />
: Most users prefer to retrieve mail from a mail server using an MDA protocol like POP3 or IMAP which can be provided by the Courier programs. Install the ''courier-pop'', ''courier-imap'', and ''fam'' packages.<br />
:* Do not create the directories for web-based administration as they are unneeded for our setup<br />
: Local users accessing their mailbox with MUA software can read and write to the .mbox file or Maildir directly. If a user not locally logged on to the system wants to access their mailbox the server runs MDA software which typically uses the POP3 or IMAP protocol for accessing the .mbox file or Maildir remotely.<br />
<br />
<li> Install MUA Client on remote system</li><br />
:*Install an email client (MUA) on your host (home) system such as [http://www.mozilla.org/en-US/thunderbird/ Mozilla Thunderbird]<br />
:* Setup two user accounts in your MUA, the usernames and passwords should be the same as users and their passwords on your system. Use ''IMAP'' as the protocol for retrieving mail. The email address for each should be ''username@*.itc2480.campus.ihitc.net'' where the * is replaced by the host letter of your system. You can verify the IMAP and SMTP settings that are detected, both server addresses should be ''*.itc2480.campus.ihitc.net'' where the * is replaced by the host letter of your system.<br />
:'' NOTE: The first time you check messages and the first time you send messages to your server from Thunderbird you will need to accept an invalid security certificate in the Thunderbird window.<br />
:[[File:Lab9_thunderbird_cert.png|link=https://wiki.ihitc.net/mediawiki/images/9/9a/Lab9_thunderbird_cert.png|500px]]<br />
:[[Media:Lab9_thunderbird_cert.png|Click here for a larger image]]<br />
:'' NOTE: To see the ''Tools'' menu with the ''Account Settings'' window in recent versions of Thunderbird (where you can add more accounts) you need to press ALT-F and then the menu bar will temporarily appear.<br />
:[[File:Lab9_thunderbird_menu.png|link=https://wiki.ihitc.net/mediawiki/images/6/60/Lab9_thunderbird_menu.png|500px]]<br />
:[[Media:Lab9_thunderbird_menu.png|Click here for a larger image]]<br />
<li>Send mail between local users</li><br />
:* Try sending a message from one user to the other user by sending a message to the other account like ''username@localhost''. Verify that you can receive and read the messages.<br />
:* Note: If a user has not yet received any mail Postfix has not created a Maildir for the user and the Courier software will send an error to the client software. Use the mail program explained above to send some mail to the user, see that the ''~/Maildir'' is then created and try retrieving the messages again with your MUA.<br />
</ol><br />
<br />
== Allow Remote Users to Send Mail ==<br />
'''''[https://www.youtube.com/watch?v=0qh3mCMIzn4&feature=youtu.be Video tutorial - Allow Remote Users to Send Mail]'''''<br />
<ol><br />
<li>Testing SMTP mail to another domain</li><br />
:* Try setting up your MUA software to send mail by creating an SMTP server entry and sending an email to ''anotheruser@localhost''. This should work because localhost is your own server, but if you try sending email to ''someuser@somedomain.com'' like ''root@ben.itc2480.campus.ihitc.net'' that will fail.<br />
: The problem is that you don't want just anyone to be able to send mail through your mail server (we did allow this in the olden days), because a spammer could then use your server to send mail worldwide and it would all trace back to the IP of your server. Servers set up like this are called "open relays" because they relay mail for anyone. They are generally considered very bad practice and can get your mail server put on lists of servers from which all messages are ignored. There are a number of ways to solve this. By default Postfix will only allow mail relaying from computers on the same network (based on IP), as set by the ''mynetworks'' parameter in ''/etc/postfix/main.cf'', but this is inconvenient for remote users as you would need to know the remote IP address they are connecting from. The SASL protocol allows users to authenticate with a username and password before sending mail, after which relay messages are accepted from them.<br />
<li>Configure Simple Authentication and Security Layer - SASL</li><br />
:* See if you can follow [https://wiki.debian.org/PostfixAndSASL these instructions] for setting up SASL with Postfix.<br />
:'' Note: You do NOT need to setup TLS to support SASL (more on that in the additional considerations section below)<br />
<li>Test and troubleshoot SASL</li><br />
:* Modify your MUA to use a username and password when connecting to your SMTP server and try sending mail to someone else's system from your MUA using a destination address like ''root@*.itc2480.campus.ihitc.net'' where the * is replaced by the host letter of your system.<br />
: ''NOTE: You MUST actually exchange messages with someone else in the class (both sending to them and receiving from them). It is not possible to test using an outside email account of your own (you will not be able to send a message back to your server because it is behind a firewall). It is not enough to just be able to send a message to another system. It is not enough to just be able to receive a message from another user.''<br />
:* Troubleshoot as needed using the mail log files on your system.<br />
</ol><br />
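The relay rules described in this section can be checked mechanically. The following Python script is an added example, not part of the original lab or of Postfix: it reads ''postconf -n'' style text and reports settings that would make the server an open relay or accept SASL passwords without TLS. The two sample configurations, the INTERNAL range list and the function names are constructed for illustration.

```python
import ipaddress

# Address ranges this example treats as internal (an assumption, adjust to taste).
INTERNAL = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "::ffff:127.0.0.0/104", "fc00::/7", "fe80::/10")]

# Built-in smtpd_relay_restrictions default (Postfix 2.10 and later); it applies
# when the parameter does not appear in main.cf / `postconf -n` output.
DEFAULT_RELAY = "permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination"
STOPS_RELAY = {"reject_unauth_destination", "defer_unauth_destination", "reject", "defer"}

# Constructed sample: a server that relays for anyone.
OPEN_RELAY = """\
mynetworks = 127.0.0.0/8 [::1]/128 0.0.0.0/0
smtpd_relay_restrictions = permit_mynetworks, permit
"""

# Constructed sample: roughly the state after this lab (SASL on, no TLS).
LAB_CONFIG = """\
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_relay_restrictions = permit_mynetworks
    permit_sasl_authenticated defer_unauth_destination
"""


def parse_postconf(text):
    """Parse "name = value" lines; indented lines continue the previous value."""
    cfg, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last:
            cfg[last] += " " + raw.strip()
        elif "=" in raw:
            name, value = raw.split("=", 1)
            last = name.strip()
            cfg[last] = value.strip()
    return cfg


def tokens(value):
    """Postfix lists are separated by commas and/or whitespace."""
    return value.replace(",", " ").split()


def stops_unauthorised(rules):
    """True if the list rejects foreign destinations before a blanket permit."""
    for rule in rules:
        if rule in STOPS_RELAY:
            return True
        if rule == "permit":
            return False
    return False


def audit_relay(cfg):
    findings = []
    # 1. Which clients are trusted to relay by IP address alone?
    for entry in tokens(cfg.get("mynetworks", "")):
        try:
            net = ipaddress.ip_network(entry.replace("[", "").replace("]", ""), strict=False)
        except ValueError:
            continue  # lookup tables and exclusions are not evaluated here
        if not any(net.version == r.version and net.subnet_of(r) for r in INTERNAL):
            findings.append(f"mynetworks: {entry} lets non-internal clients relay without logging in")
    # 2. Does either restriction list stop mail for foreign destinations?
    relay = tokens(cfg.get("smtpd_relay_restrictions", DEFAULT_RELAY))
    rcpt = tokens(cfg.get("smtpd_recipient_restrictions", ""))
    if not (stops_unauthorised(relay) or stops_unauthorised(rcpt)):
        findings.append("relay policy: no list rejects unauthorised destinations before a blanket permit")
    # 3. SASL: are logged-in users allowed to relay, and is the password protected?
    if cfg.get("smtpd_sasl_auth_enable", "no").lower() == "yes":
        if "permit_sasl_authenticated" not in relay + rcpt:
            findings.append("SASL: enabled, but no rule lets authenticated users relay")
        if cfg.get("smtpd_tls_auth_only", "no").lower() != "yes":
            findings.append("SASL: smtpd_tls_auth_only is not yes, passwords may cross the network unencrypted")
    return findings


if __name__ == "__main__":
    for label, text in (("open relay", OPEN_RELAY), ("lab config", LAB_CONFIG)):
        print(label)
        for finding in audit_relay(parse_postconf(text)):
            print("  -", finding)
```

On a real server, feed the script the output of '''postconf -n''' instead of the constructed samples.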
<br />
=Additional Considerations=<br />
Running a mailserver is tricky business. The basic server we have set up does not use valid certificates for encrypting connections, meaning usernames, passwords, and mail contents are all being sent to an unverified server. This is very undesirable from a security standpoint, and it is suggested that you support SSL/TLS encryption for both the MTA and MDA portions with a valid certificate purchased from a certificate authority (CA) or from a free CA like [https://letsencrypt.org/ Let's Encrypt]. In addition, you will almost certainly want spam filtering at the server. More complicated setups also use database tables for users, passwords and domains so that you can host multiple domains on a single server and have email user boxes for people who do not have local logins on the system.<br />
<br />
=Additional Resources=<br />
* [https://help.ubuntu.com/community/PostfixBasicSetupHowto Ubuntu Postfix Basic Setup]<br />
* [https://wiki.debian.org/Postfix Debian Wiki - Postfix Installation]<br />
<br />
==Checking Your Work==<br />
<ol><br />
<li>Send a test email to ping@itc2480.campus.ihitc.net from your Thunderbird or other MUA mail program.</li><br />
<ul>You should receive a response titled "Success! Auto Response form Ping Auto Mailer"</ul><br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_09_test.py | python3<br />
</nowiki></code><br />
</ol><br />
<br />
=Web App=<br />
You can check your progress on any of the labs in the ITC-2480 course using the web app at this link: <br><br />
[http://webcheck.itc2480.campus.ihitc.net webcheck.itc2480.campus.ihitc.net]<br><br />
You must be logged into the campus VPN to use this application.</div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_7_mnjk&diff=9640Lab 7 mnjk2021-04-25T16:08:48Z<p>NateHaleen: /* Checking Your Work */</p>
<hr />
<div>=Introduction=<br />
This lab assumes you know how to install a package from the Debian repository and you have Webmin installed. If you need help please see '''[[Lab_1_mnjk#Installing_sudo_and_checking_your_IP_address | Lab 1]]''' and '''[[Lab_3_mnjk#Install_the_Webmin_Control_Panel | Lab 3]]'''.<br />
<br />
In this lab you will perform the following tasks:<br />
* Install [https://www.samba.org/samba/ Samba]<br />
* Setup a Guest Share<br />
* Share Home Directories<br />
* Setup a group share<br />
<br />
You will not be introduced to new commands.<br />
<br />
= Lab Procedure =<br />
== Prerequisites ==<br />
<ol><br />
<li> Open an SSH console to your Linux system using the PuTTY software, login with your standard user account. </li><br />
<li> Make sure that Webmin is installed on your system. </li><br />
<li> Make sure you have an up-to-date list of packages on your system using the '''apt update''' command. </li><br />
<li> Make sure you have all the latest software upgrades on your system using the '''apt upgrade''' command. </li><br />
</ol><br />
: ''NOTE: This lab sets up Samba with anonymous guest access which is not supported by Windows 10 anymore. You can work around this (directions for doing so are below) but you can't work around it on IHCC campus managed PCs so this lab really requires access to a PC which you have full administrative control over.''<br />
<br />
== Install Samba ==<br />
'''''[https://www.youtube.com/watch?v=h15fXbqYx5Y&feature=youtu.be Video Tutorial - Install Samba]''''' <br><br />
<ol><br />
<li> With your favorite package manager, install the '''samba''' package. </li><br />
<li> After Samba is installed, log in to Webmin using your local computer's web browser. </li><br />
<li> Under the servers tab, notice how Samba does not show up. This is because we just installed the package. </li><br />
<li> On the bottom of the left toolbar, click '''refresh modules'''. After a minute, it should refresh the page. Now look under the servers tab again. Does Samba now show up?</li><br />
</ol><br />
<br />
== Setup a Guest Share ==<br />
'''''[https://www.youtube.com/watch?v=BmgKPYIVaPY&feature=youtu.be Video Tutorial - Setup a Guest Share]''''' <br><br />
<br />
First we are going to create a guest share.<br />
This share will allow all users, even those who have not authenticated, to read files.<br />
To help you better understand Samba, this first share will be configured from PuTTY and the command line.<br />
<ol><br />
<li>Change into the '''/etc/samba/''' directory and view a directory listing.<br />
: In here we have one main file, '''smb.conf''', which holds all of the Samba share and authentication settings. There may also be a few other files and directories which can be used for more advanced Samba features such as TLS certificate based authentication.</li><br />
<li>With your favorite text editor, open up '''smb.conf''' with administrative permission.</li><br />
<li>Scroll to the bottom of the file, and notice how shares are defined. They all have a similar format such as:<br />
<pre><br />
[Share Name]<br />
comment = Share Comment<br />
options....</pre><br />
:'''options''' are the different configuration settings.</li><br />
Let's try creating the guest share folder from the config file manually.<br />
<li>Exit out of the text editor, and create the folder '''/srv/Guest-Files''' as root.<br />
: This will be the folder we are sharing.</li><br />
<li>Open up '''/etc/samba/smb.conf''' in a text editor again as root, and go to the bottom of the file.</li><br />
<li>Enter the following:<br />
<pre>[Guest Share]<br />
comment = Public File Share<br />
public = yes<br />
path = /srv/Guest-Files</pre><br />
You have now created the public share. <br />
</li><br />
<br />
<li>In order to make the share take effect you need to restart the Samba service on your machine with the following command: <br />
<br><br />
<code>service smbd restart</code><br />
<br />
: ''NOTE: Restarting services requires administrative permission.''</li><br />
<li>To test this share, go into '''/srv/Guest-Files''' and create a text file and enter some information.<br />
: We will use this file to test the read-only settings of the share.<br />
: At this point, we should be ready to test out our configuration. </li><br />
<li>On your Local Computer, open up the run dialog box, and enter '''\\172.17.50.xx''' (the IP you set up for the static address of your VM), and press enter.<br />
: You should see a share folder called Guest Share.<br />
:[[file:Samba-windows-guest.png | link= https://wiki.ihitc.net/mediawiki/images/d/d4/Samba-windows-guest.png | 500px]]<br />
:[[media:Samba-windows-guest.png | Click for Larger Image]]</li><br />
: ''NOTE: If you receive an error on your local system and can't access the Samba share, it might be your firewall blocking the connection. This has been the case with non-Windows Firewalls such as BitDefender. If you are using one of these firewalls you may have to make a rule to allow traffic. This link might help: [https://www.bitdefender.com/consumer/support/answer/2397/ https://www.bitdefender.com/consumer/support/answer/2397/]''<br />
<li>Open the Guest Share folder and see if your text file is in the share.</li><br />
<li>Open up the file, and try to edit and save the file. What error do you get?</li><br />
: '''''SPECIAL NOTE for Windows 10 Client PCs:''' If the computer you are using to try and connect to this share is running Windows 10 version 1709 or later, [https://support.microsoft.com/en-us/help/4046019/guest-access-smb2-disabled-by-default-in-windows-10-server-2016 Microsoft has disabled SMB guest share access]. You have a few different options for completing this:''<br />
:* Use an earlier version of Windows (remember you'll need to install OpenVPN and be connected to ITCnet) such as Windows 10 before version 1709, Windows 8, or Windows 7 to attempt to connect to the share.<br />
:* Follow the instructions on the above Microsoft page to re-enable guest share access on your Windows 10 version 1709 or later system using the group policy editor (requires Windows 10 Professional or Enterprise)<br />
:* Use the registry editor to set the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters] "AllowInsecureGuestAuth" to dword:1 (Note: editing your registry can cause your system not to boot and other unexpected behavior, so be careful and be sure of what you are doing)<br />
: '''''SPECIAL NOTE for Personal Windows PCs:''' If you are getting an error after hitting enter in the run dialog box, try either disabling your firewall or making a firewall exception for the IP address of your server.''<br />
</ol><br />
<br />
== Share Home Directories ==<br />
'''''[https://www.youtube.com/watch?v=MOJ6wwiQ1mk&feature=youtu.be Video Tutorial - Share Home Directories]''''' <br><br />
Now we are going to set up Home Directory Sharing. By default this is enabled, but write access is not and no users are set up.<br />
First it must be noted that Samba requires separate user accounts from the system, just like MySQL. So first, we are going to add your user account.<br />
<ol><br />
<li> To do this, we are now going to use Webmin to configure the shares.<br />
: Notice also what other shares are enabled in Samba by default when looking at the Webmin page for Samba. </li><br />
:[[file:Webmin-samba-dashboard.png | link= https://wiki.ihitc.net/mediawiki/images/9/9d/Webmin-samba-dashboard.png | 500px]]<br />
:[[media:Webmin-samba-dashboard.png | Click for Larger Image]]<br />
<li> On the Webmin Samba configuration page, click '''Samba Users'''.<br />
: Notice how none are currently defined.</li><br />
<li>Go back and click '''Convert Users'''.<br />
: This is the tool we will use to convert/copy the local Unix user accounts to Samba accounts.</li><br />
<li>Leave the Unix users to convert option set to all except listed users and UID ranges with the option of -499.<br />
: This will add all user accounts with a UID of 500 or more to Samba. Lower UID values are typically used on Debian systems for service accounts (like ''www-data'') which should not have Samba permissions. </li><br />
<li> On the bottom, select '''No password'''.<br />
: We are doing this as we will define unique passwords for each user.</li><br />
<li>Click '''Convert Users''' when ready. </li><br />
<li> When you are done, go to the '''Samba Users''' page again.<br />
: Notice how your user account is now listed.</li><br />
<li>From here you can now add passwords to the different user accounts you added in the last step. Be sure to set the passwords for each user you intend to connect with. </li><br />
<br />
Lastly we are going to setup write access to home folders, so you will be able to add files to your home directory over Samba.<br />
<br />
<li> On the Samba config page, under '''Shares''', click the '''home share'''.</li><br />
<li> Click '''Security and Access Control'''.</li><br />
<li> Set the '''Writable''' option to '''Yes''', and then click save. </li><br />
<li> Go back to the Samba config page, and click the '''Restart Samba Servers''' option at the bottom.<br />
: We do this to force samba to load the new configuration. You can also wait a minute or two if you don't want to disconnect any connected users. </li><br />
: At this point, we should be ready to test out our configuration.<br />
<li>On your Local Computer, open up the run dialog box, and enter '''\\172.17.50.xx''' (the IP you set up for the static address), and press enter.<br />
: Notice how you do not see a home directory share because you are connected without any authentication.</li><br />
<li>In the top URL window, add '''\<username>''' to the path, e.g. '''\\172.17.50.xx\user'''.<br />
: You should now get a login popup.</li><br />
<li>Login as your user, and you should be greeted with your home folder.<br />
: ''NOTE: If your user is unable to login you may have forgotten to set a Samba password for the user as directed above. You need to set a password for each user within Samba.''<br />
: ''NOTE: On local systems running an operating system other than Windows follow whatever process you would normally use to connect to a Windows file share using the IP address of your VM as the server name.'' </li><br />
<li> Test creating and deleting a file to verify write access is working.</li><br />
<li> Try to access a home share of another user that was added to Samba.<br />
: Notice how you do not have permissions.</li><br />
<li>Try logging in with another user account to access a different home share.<br />
: ''NOTE: To use another user account in a samba share, you may have to logout and then back in on your local machine.'' </li><br />
</ol><br />
<br />
== Setup a Group Share ==<br />
'''''[https://www.youtube.com/watch?v=1C7BBUC_V3A&feature=youtu.be Video Tutorial - Setup a Group Share]''''' <br><br />
Now we are going to set up a group folder share that will allow all Samba users to read and write to the folder.<br />
<ol><br />
<li>Go back to the Webmin Samba configuration panel.<br />
: We are going to create a new share.</li><br />
<li>Under '''shares''', select the '''Create a new file share''' link. Use the following base configuration:<br />
<br><br />
<code>Share Name: Share-Files<br><br />
Directory to share: /srv/Group-Share<br><br />
Automatically Create Directory: Yes<br><br />
Create with owner: root<br><br />
Create with permissions: 775<br><br />
Create with group: users<br><br />
Available: yes<br><br />
Browsable: yes<br><br />
Share Comment: group share folder<br />
</code></li><br />
<li>Once the share is setup, click it to edit it.</li><br />
<li>Once you are at the '''Edit File Share''' page, click '''File Permissions'''.<br />
: Notice how the New Unix file and New Unix directory are set to 755 by default, even though we set the share to use 775 to create the directory. This is done for security purposes as it would only allow the owner to have modification privileges for the files and directories they create. We need to modify this so that all users on the system have full access to files in this share.</li><br />
<li>Set the '''New Unix file''' and '''New Unix directory''' mode to 775, and set '''Force Unix group''' to '''users'''. You can now press '''save'''. We do this to allow all authenticated users permission to modify and edit files that may have been added by other users.</li><br />
: Now we will need to enable write access to the folder.<br />
<li>On the '''Edit file share''' page again, click '''Security and Access Control'''.</li><br />
<li>Set the '''Writable''' option to '''Yes''', and press '''save'''.</li><br />
<li>At this point, you can test the share exactly the same way we did with the home folder share.</li><br />
: Notice though how this share is set to '''browsable''', so it shows up in the root share folder. Go ahead and create a file through your host computer. Then use PuTTY to look at the user and group assigned to the files you created.<br />
: It is important to note that even if a user has read or write permission in Samba they must ''also'' have permission to read or write the file/directory on the underlying Linux filesystem. Many problems with making Samba work can be traced to permissions errors where a user does not have correct permission to work with a file or directory either by the Samba software ''or'' by the filesystem.<br />
<li>Look at your '''smb.conf''' file and see what changes Webmin made in order to set up your group share.</li><br />
</ol><br />
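The guest share and the group share from this lab can be checked by script. This Python example is added here and is not part of the original lab or of Samba: it parses smb.conf text, resolves the parameter synonyms used above (''public'' for ''guest ok'', ''writable'' as the inverse of ''read only'') and lists which shares are reachable without a password and which are writable. The sample file is constructed; the exact lines Webmin writes may differ.

```python
TRUE = {"yes", "true", "1"}
# smb.conf synonyms, keyed without whitespace (Samba ignores case and spaces in names).
SYNONYMS = {"public": "guestok", "browsable": "browseable",
            "createmode": "createmask", "directorymode": "directorymask"}
INVERTED = {"writable", "writeable"}  # inverted synonyms of "read only"

# Constructed sample of the shares built in this lab.
LAB_CONF = """\
[global]
   workgroup = WORKGROUP

[homes]
   comment = Home Directories
   browseable = no
   read only = no

[Guest Share]
   comment = Public File Share
   public = yes
   path = /srv/Guest-Files

[Share-Files]
   comment = group share folder
   path = /srv/Group-Share
   writeable = yes
   create mask = 775
   directory mask = 775
   force group = users
"""


def parse_smb_conf(text):
    """Return {section: {normalised parameter: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key, value = "".join(key.split()).lower(), value.strip()
            if key in INVERTED:  # writable = yes means read only = no
                key = "readonly"
                value = "no" if value.lower() in TRUE else "yes"
            sections[current][SYNONYMS.get(key, key)] = value
    return sections


def share_summary(sections):
    """Effective access settings per share, with [global] values as defaults."""
    glob = next((v for k, v in sections.items() if k.lower() == "global"), {})
    summary = {}
    for name, params in sections.items():
        if name.lower() == "global":
            continue
        eff = {**glob, **params}
        summary[name] = {
            "guest": eff.get("guestok", "no").lower() in TRUE,          # default: no
            "writable": eff.get("readonly", "yes").lower() not in TRUE,  # default: read only
            "create_mask": int(eff.get("createmask", "0744"), 8),
            "force_group": eff.get("forcegroup"),
        }
    return summary


def audit(sections):
    findings = []
    for name, s in share_summary(sections).items():
        if s["guest"] and s["writable"]:
            findings.append((name, "guest access with write permission"))
        elif s["guest"]:
            findings.append((name, "readable without authentication"))
        if s["writable"] and s["create_mask"] & 0o002:
            findings.append((name, "new files may be world-writable"))
    return findings


if __name__ == "__main__":
    parsed = parse_smb_conf(LAB_CONF)
    for share, info in share_summary(parsed).items():
        print(share, info)
    for share, message in audit(parsed):
        print("FINDING:", share, "-", message)
```

The summary for the guest share shows why the save attempt in the guest share test fails: the share never sets a writable option, so Samba's read-only default applies.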
<br />
= Checking Your Work =<br />
<br />
<ol><br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_07_test.py | python3<br />
</nowiki></code><br />
</ol><br />
<br />
=Web App=<br />
You can check your progress on any of the labs in the ITC-2480 course using the web app at this link: <br><br />
[http://webcheck.itc2480.campus.ihitc.net webcheck.itc2480.campus.ihitc.net]<br><br />
You must be logged into the campus VPN to use this application.</div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_8_mnjk&diff=9639Lab 8 mnjk2021-04-25T16:08:24Z<p>NateHaleen: /* Checking Your Work */</p>
<hr />
<div>=Introduction=<br />
In this lab you will perform the following tasks:<br />
*Install BIND and configure as caching plus zones for a local domain<br />
*Learn how to create domains using Webmin<br />
*Learn how to manually edit using a zone file<br />
You will be introduced to the following commands:<br />
*'''[https://linux.die.net/man/1/dig dig]'''<br />
*'''[https://linux.die.net/man/1/nslookup nslookup]'''<br />
*'''[https://www.man7.org/linux/man-pages/man1/systemctl.1.html systemctl]'''<br />
<br />
=Lab Procedure=<br />
== Prerequisites ==<br />
# Open an SSH console to your Linux system using the PuTTY software, login with your standard user account.<br />
# Make sure that Webmin is installed on your system. <br />
== Install BIND & Enable Caching ==<br />
'''''[https://www.youtube.com/watch?v=frZ7FrJyjME Video Tutorial - Installing BIND and Enabling Caching]'''''<br><br />
<ol><br />
<li>First you will need to install BIND. To install it, use the package manager to install '''bind9'''.</li><br />
<ul>BIND (Berkeley Internet Name Domain) is one of the available DNS server applications for Linux and the most well known and used nameserver on the Internet.</ul><br />
<li>You will also want to install the '''dnsutils''' package.</li><br />
<ul>In order to use the '''nslookup''' and '''dig''' programs for DNS testing and troubleshooting you'll need dnsutils</ul><br />
<li>Open up ''/etc/bind/named.conf.options'' with your favorite text editor.</li><br />
<ul>Now we will need to enable DNS caching and forwarding on the BIND server. This will allow us to use it for DNS resolving locally, as well as speed up frequent DNS requests.</ul><br />
<ul><br />
* You are now in the local options file for BIND. You will need to uncomment (remove the // from the front of) the following lines:<br />
: [[File:Bind_named_conf.png | 500px]]<br />
* '''NOTE:''' You will also need to replace 0.0.0.0 with 172.17.139.11 for outside DNS lookups to function correctly.</ul><br />
<ul>The reason we set up a forwarder address is so that domain requests that are not on our system are passed to another DNS server instead of being searched against the root nameservers. You may want to do this in domain or enterprise environments as most large networks have internal domain names set up that only redirect inside of a local LAN. By using a forwarder, as long as the DNS server you push requests to is able to access those internal records, you will be able to access local content from internal domain names instead of needing to rely on IP addresses.</ul><br />
<li>To apply these changes, you will need to restart the BIND server with administrative permissions.</li><br />
<code>sudo service bind9 restart</code><br />
<li>Next, open up your interfaces file (''/etc/network/interfaces'') with your favorite file editor.</li><br />
<ul><br />
* Change the dns server for the primary network interface to ''127.0.0.1''.</ul><br />
<ul>The change to ''/etc/network/interfaces'' will take effect if you restart your system. To avoid doing that right now you can edit the ''/etc/resolv.conf'' file so that it has only one nameserver line, like ''nameserver 127.0.0.1''. Note that unless you reboot the system it will eventually get reset back to its prior setting by a background system process, so at some point you will want to reboot your system to make the change permanent.</ul><br />
<li>Run the command:</li><br />
<code>nslookup inverhills.edu</code><br />
<ul>If BIND is working, you should now see the following output:</ul><br />
: [[File:Nslookup_inverhillsedu.png | 500px]]<br />
* Notice how it shows it is using 127.0.0.1 as the server. If you do not see this, then your interface file or resolv.conf file is not set to use the local machine for DNS lookups. Note also that the IP address returned for this domain may vary from the one shown in the output above.<br />
<li>Run:</li><br />
<code>dig inverhills.edu</code><br />
<ul>See if you can find where the IP address for the domain is reported in the output as well as where the server IP address is reported in the output.</ul><br />
<li>Now would be a good time to reboot your server to ensure the DNS server network interface configuration changes remain permanent.</li><br />
<code>sudo shutdown -r now</code><br />
<li>Once the system reboots log back in and use '''nslookup''' or '''dig''' to verify the default nameserver being used is ''127.0.0.1''.</li><br />
</ol><br />
<br />
== Create a Domain using Webmin ==<br />
'''''[https://www.youtube.com/watch?v=53aK9FeYz68 Video Tutorial - Create a Domain Using Webmin]'''''<br><br />
Now we are going to use Webmin to create a few different types of domain records and have our system serve as a DNS server for a domain. We will utilize A (Host), AAAA (IPv6 host), MX (Mail Exchange), and CNAME (Canonical Name) records.<br />
<ol><br />
<li>Open up your '''Webmin panel''' and sign in.</li> <br />
<ul>Now that we have BIND installed, you will need to click the Refresh Modules option on the left sidebar to have Webmin recheck the system for installed packages and services so that it will show up as an option in the ''Servers'' tab.</ul><br />
<li>Under the ''Servers'' tab, open up ''BIND DNS Server'', under ''Existing DNS Zones'' click ''Create master zone''.</li><br />
<ul>From here we will create a new domain name for our server to respond to DNS queries for.</ul><br />
<li>Use the following options, '''where * is replaced by your System ID''' that was defined in [[Franske ITC-2480 Lab 5|Lab 5]] (just the letter of your system, for example the domain name would be ''debserv-A.test'' if you had System ID "A").<br />
<pre>Zone type: Forward (Names to Addresses)<br />
Domain name / Network: debserv-*.test<br />
Records file: Automatic<br />
Master server: Leave as your hostname<br />
Email address: root@debserv-*.test</pre></li><br />
<li>Click the ''create'' button to add the domain.</li><br />
<ul> At this point you should now be on the ''Edit Master Zone'' page. From here you can add and edit domain records for this domain name.</ul><br />
<li>To create our ''A record'' which points your domain to an IP address, click the ''Address'' button.</li><br />
* For the ''Name'' enter ''@''. Note: The ''@'' symbol in DNS Zones defines the parent domain (alternatively you could re-enter the parent domain ''debserv-*.test.'' with the period at the end).<br />
* In the ''address'' field enter your VM's static IP set in [[Franske ITC-2480 Lab 5|Lab 5]] and click ''Create''.<br />
<li> Return to the main BIND DNS Server page. Click the ''Apply Configuration'' link (which looks like two arrows chasing each other) in the top right corner. You'll see the "Apply Configuration" text if you hover your mouse over the button.</li><br />
<li> To test the record use '''nslookup''' or '''dig''' to lookup the domain you just created (Replace the * with your letter.)</li><br />
<code>nslookup debserv-*.test</code><br />
<code>dig debserv-*.test</code><br />
* If you have issues looking up the domain, make sure that the system is still using 127.0.0.1 as the DNS server. If not, check your ''/etc/resolv.conf'' file.<br />
</ol><br />
<br />
== Additional DNS Record Types ==<br />
'''''[https://www.youtube.com/watch?v=dC6RsYYMk4w Video Tutorial - Additional DNS Record Types]'''''<br><br />
Now we are going to add a few more record types to our Domain. This will include an ''MX'' (Mail Exchange) and ''CNAME'' (Canonical Name) record. We will start with the MX record. MX records are used by email servers to look up where to forward email for a specific domain.<br />
<ol><br />
<li>In Webmin on the '''BIND DNS Server''' page, click the domain on the bottom named ''debserv-*.test'' and then click the '''Mail Server''' button. Under ''name'', enter ''@'' again, and for ''mail server'' enter ''mail.debserv-*.test.'' (with the period at the end). For ''Priority'', enter ''10''.</li><br />
* This entry says we want other servers trying to send mail to ''users@debserv-*.test'' to actually send it to the server at ''mail.debserv-*.test'', which allows us to use a different server for email than we use for web serving, etc.<br />
* The Priority entry allows people to define more than one MX record for a name, and sets the order in which the sending service will try to contact the various mail servers at your domain.<br />
<li>Go back to the domain zone overview page. Add an ''A'' record for ''mail.debserv-*.test'' which points to the IP of your system.</li><br />
<ul>Because we don't currently have an "A" (address) record for ''mail.debserv-*.test'' the mail would currently go undelivered.</ul><br />
* Reapply configuration settings like you did in the last section of this lab using the button with the two arrows in a circle.<br />
<li> To test an ''MX'' record we need to make multiple queries and ask '''nslookup''' or '''dig''' to first check for MX records for the domain like:</li><br />
<code>nslookup -type=MX debserv-*.test</code><br />
<ul>or</ul><br />
<code>dig debserv-*.test MX</code><br />
Either command will return the names of the mail servers for that domain. We then need to do a regular '''nslookup''' or '''dig''' on those names to determine what IP addresses they point to. Of course, for mail to actually work we'd also need to ensure mail server software is installed and configured on that server as well.<br />
<li>Again return to the domain zone overview page.</li><br />
<ul>We are now going to create a CNAME record. CNAME records are useful as they allow you to create virtual A records (aliases), but point them to another domain or host name instead of to a specific IP address. This allows you to have many hostnames all pointed to the same A record which contains the actual IP address so if the IP address changes you only need to change a single A record and all the hostnames will change. It can also be used to redirect a hostname at one domain to an entirely different domain.</ul><br />
<li>On the ''Edit Master Zone'' page for your domain, click the ''Name Alias'' button. For the ''Name'', enter ''blog'' and for the ''Real Name'', enter your domain ''debserv-*.test.'' but remember to put a period at the end of the domain as this is an ''absolute name''. Press ''create'' to add the record.</li><br />
<li>Click the ''Apply Configuration'' link at the top right of the page again. This will apply the records you have created. Now back in PuTTY, run:<br><br />
<code>nslookup blog.debserv-*.test</code><br />
or the equivalent '''dig''' command.<br> <br />
You should get a response similar to:</li><br />
<pre>Server: 127.0.0.1<br />
Address: 127.0.0.1#53<br />
<br />
blog.debserv-*.test canonical name = debserv-*.test.<br />
Name: debserv-*.test<br />
Address: 172.17.50.XXX<br />
</pre><br />
<ul>One thing we can use CNAMEs for is to create a virtual web host in Apache that listens for the domain blog.debserv-*.test and then forwards you directly to your blog folder instead of to our main web page. </ul><br />
<li>In '''Webmin''' under the ''Servers'' tab, select ''Apache Webserver''. Then on the top, click the ''Create virtual host'' button and use the following configuration:<br />
<pre>Handle Connections to Address: any address<br />
Port: 80<br />
Document Root: /var/www/html/blog/<br />
Server Name: blog.debserv-*.test<br />
Add virtual server to file: new file under virtual servers directory<br />
Copy directives from: nowhere<br />
</pre><br />
When done, press ''Create Now''.</li><br />
<li> When you are back at the ''Apache Webserver'' page, then click ''Apply Changes'' in the top right.</li><br />
<li>Now in an SSH session, open up your favorite command line web browser like '''links''' and visit ''blog.debserv-*.test.'' Make special note that when you enter the URL in Links you need to include the extra period at the end.</li><br />
<ul> This is because the .test domain is not a regular TLD like .com .org etc. and the Links browser doesn't know how to handle it unless we force it as a domain name by adding the period at the end. This is not related to it being a CNAME or our Apache configuration and with a regular domain name would not be required. Notice how you are now visiting the blog directly, instead of your modified index.html file. This is because we set up a virtual host in Apache that listens for requests to the CNAME we created and points to the document root where the WordPress software is installed.<br />
* Note that you will not be able to use this URL to access the blog from your local PC yet because your local PC isn't using your Linux server as its DNS server and the .test domain isn't registered to your DNS server.</ul><br />
<li>Congrats, at this point you have a basic domain working with an MX, CNAME, and A record.</li><br />
</ol><br />
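The MX and CNAME steps above depend on two details that are easy to get wrong: the MX target needs its own address record, and a name written without the trailing period is treated as relative to the zone. The following Python script is an added example, not part of the original lab or of BIND: it parses a simplified zone file and reports both problems. The zone contents, the address 172.17.50.10 and System ID "A" are constructed, and the parser assumes one record per line with the owner name always present.

```python
ORIGIN = "debserv-A.test."

# Constructed zone: the state at the end of this section.
GOOD_ZONE = """\
$TTL 38400
@     IN SOA   debserv-A.test. root.debserv-A.test. 1 10800 3600 604800 38400
@     IN NS    debserv-A.test.
@     IN A     172.17.50.10
@     IN MX    10 mail.debserv-A.test.
mail  IN A     172.17.50.10
blog  IN CNAME debserv-A.test.
"""

# Constructed zone: MX added before the mail A record, and the CNAME target
# typed without its trailing period.
BROKEN_ZONE = """\
@     IN A     172.17.50.10
@     IN MX    10 mail.debserv-A.test.
blog  IN CNAME debserv-A.test   ; missing final "."
"""


def qualify(name, origin):
    """Expand a zone-file name: "@" is the origin, names without a trailing
    period are relative to the origin, names ending in "." are absolute."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return (owner, type, target) tuples with fully qualified names."""
    origin = origin.lower()
    records = []
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()  # drop comments
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN":
            origin = fields[1].lower()
            continue
        if fields[0].startswith("$"):
            continue
        owner, rest = qualify(fields[0], origin), fields[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest = rest[1:]  # skip optional TTL and class
        if len(rest) < 2:
            continue
        rtype, rdata = rest[0].upper(), rest[1:]
        if rtype == "MX" and len(rdata) >= 2:
            target = qualify(rdata[1], origin)  # rdata[0] is the priority
        elif rtype in ("CNAME", "NS"):
            target = qualify(rdata[0], origin)
        else:
            target = " ".join(rdata)
        records.append((owner, rtype, target))
    return records


def lint(records, origin):
    origin = origin.lower()
    types_at = {}
    for owner, rtype, _ in records:
        types_at.setdefault(owner, set()).add(rtype)
    problems = []
    for owner, rtype, target in records:
        if rtype not in ("MX", "CNAME"):
            continue
        if target.endswith(origin * 2):
            problems.append((owner, rtype, f"{target} looks like a missing trailing period"))
            continue
        if not (target == origin or target.endswith("." + origin)):
            continue  # target is outside this zone, cannot be checked here
        found = types_at.get(target, set())
        if rtype == "MX" and not found & {"A", "AAAA"}:
            problems.append((owner, rtype, f"{target} has no A or AAAA record"))
        elif rtype == "CNAME" and not found:
            problems.append((owner, rtype, f"{target} does not exist in the zone"))
    return problems


if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("broken", BROKEN_ZONE)):
        print(label, lint(parse_zone(zone, ORIGIN), ORIGIN))
```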
<br />
== Adding a AAAA record ==<br />
'''''[https://www.youtube.com/watch?v=sql0Wlo8F5g Video Tutorial - Adding an AAAA Record]'''''<br><br />
Now we are going to add an ''AAAA'' (IPv6 host) record to our domain. To do this, we will first need to make sure that IPv6 networking is setup in our virtual machine.<br />
<ol><br />
<li> Use <code>ip address show</code> to check the ''inet6'' address (IPv6 Address) on the primary network interface.</li><br />
<ul> You should have an address starting with ''2607:f930:1c00:50:''. If you do not please check with your instructor. You will need to write down or remember this full address as we will use it in Webmin to create our AAAA record.</ul><br />
<li> Back in '''Webmin''', under the ''BIND DNS Server'' tab, select your ''debserv-*.test'' domain from the bottom and then click the ''IPv6 Address'' button. For the name, enter ''@'' and for the ''address'' enter your IPv6 address WITHOUT the subnet prefix (No /64 on the end).</li><br />
<ul> It should look similar to this: ''2607:f930:1c00:50:xxxx:xxxx:xxxx:xxxx''.</ul><br />
<li>When done click ''create''. Remember to click the ''apply configuration'' link in the top right to apply the changes.</li><br />
<li> In order to verify the AAAA record is working we need to modify the '''nslookup''' or '''dig''' command to check for AAAA records instead of the default of A records. Try:<br><br />
<code>nslookup -type=AAAA debserv-*.test</code><br><br />
and<br><br />
<code>dig debserv-*.test AAAA</code><br><br />
to see the output from AAAA records.</li> <br />
<li>Congratulations, you have now set up dual-stack DNS records for your Debian server. This means your server is accessible from both IPv4 and IPv6 at the same name (because both the A and AAAA records we created have the same host name).</li><br />
</ol><br />
<br />
== Adding a Delegated Domain ==<br />
'''''[https://www.youtube.com/watch?v=Qn45Vv7vuZY Video Tutorial - Adding a Delegated Domain]'''''<br><br />
The problem with the name we have been using so far is that it only works on the DNS server itself. This is because we didn't purchase the name and so no other nameservers know to send requests for it to our server. Normally if you purchase a domain or someone else gives you control of a subdomain it is ''delegated'' to your server meaning that other DNS servers will query your server for addresses related to that name. In order to practice this we are going to add another domain to the system, but this domain will be a delegated domain which is a subdomain of ''itc2480.campus.ihitc.net''. Luckily we can add this to BIND the same way we added our original domain.<br />
<ol><br />
<li>In '''Webmin''', go to ''Servers'', then ''BIND DNS Server''. Under ''Existing DNS Zones'' click on ''Create Master Zone'' and use the following settings:<br />
<pre>Zone type: Forward (Names to Addresses)<br />
Domain name / Network: *.itc2480.campus.ihitc.net<br />
Records file: Automatic<br />
Master server: *.itc2480.campus.ihitc.net.<br />
Email address: root@ *.itc2480.campus.ihitc.net</pre><br />
* '''NOTE:''' the * stands for your System ID letter, the same as you used for the previous domain we created.</li><br />
<li> Using webmin, create an ''A'' record for ''@'' the same way as we did for the last domain.</li><br />
<ul> If you need help with this step, you can review the process we did earlier. Make sure to apply your changes after adding the record.</ul><br />
<li>Test that the record and delegation are working correctly. This time you should be able to check from your host computer too!</li><br />
<ul> Windows does not include the '''dig''' command so you'll need to use '''nslookup''' on ''*.itc2480.campus.ihitc.net'' (replace the * with your System ID). Does the correct address come back?</ul><br />
<li> Test your setup using a web browser on your local computer</li><br />
<ul> can you access your webserver by going to http://*.itc2480.campus.ihitc.net (where * is your hostname letter)?</ul><br />
<li>Create an ''MX'' record for the domain which directs mail for your delegated domain to your system as well just like we did with the test domain (this will involve creating another A record for ''mail.*.itc2480.campus.ihitc.net'' as well).</li><br />
<ul>Test that the MX record and associated A record are working correctly. This time you should be able to check from your host computer too! Windows does not include the '''dig''' command so you'll need to use '''nslookup'''. Does the correct mail server name and address come back?</ul><br />
<li>Create a ''CNAME'' record for the blog just like in the previous example (''blog.*.itc2480.campus.ihitc.net'' though) and create a new Apache virtual server just like in the previous example as well.</li><br />
<ul>Test your setup using a web browser on your local computer, can you access your blog directly by going to http://blog.*.itc2480.campus.ihitc.net (where * is your hostname letter)?</ul><br />
</ol><br />
<br />
== Manually editing a zone file ==<br />
'''''[https://www.youtube.com/watch?v=3T7TkE9cRVE Video Tutorial - Manually Editing a Zone File]'''''<br><br />
Lastly we are going to look at the domain zone file. While Webmin provides a nice interface to add records, all it is doing is adding our records to a text-based zone file. When you use BIND for DNS, every domain created gets its own record file, which is called the zone file. All subdomains and records for that domain are stored in this file.<br />
<ol><br />
<li>By default, the location for these records on Debian will be in ''/var/lib/bind'', so go to that directory and list the contents.</li><br />
<li>Now, with your favorite text editor, open up the file which corresponds to the ''debserv-*.test'' domain.<br><br />
It should look similar to this:<br />
<pre>$ttl 38400<br />
debserv-Z.test. IN SOA 2480-Z.itc2480.campus.ihitc.net. root.debserv-Z.test. (<br />
1519434495<br />
10800<br />
3600<br />
604800<br />
38400 )<br />
debserv-Z.test. IN NS 2480-Z.itc2480.campus.ihitc.net.<br />
debserv-Z.test. IN A 172.17.50.36<br />
debserv-Z.test. IN MX 10 mail.debserv-Z.test.<br />
mail.debserv-Z.test. IN A 172.17.50.36<br />
blog.debserv-Z.test. IN CNAME debserv-z.test.<br />
debserv-Z.test. IN AAAA 2607:f930:1c00:50:250:56ff:feb1:8756<br />
mail.debserv-Z.test. IN AAAA 2607:f930:1c00:50:250:56ff:feb1:8756</pre></li><br />
<ul>Notice the formatting for domain records. Each record is defined by the domain or subdomain name, ''IN'', then the record type (like A, AAAA, NS, or MX), followed by what the record is pointed to. For this example, we want to change the MX priority from 10 to 15.</ul><br />
<li>Using your text editor change the MX record settings priority from 10 to 15.</li><br />
<li>When you are done, '''restart''' the bind9 service to reload the changes.<br><br />
<code>sudo systemctl restart bind9</code><br />
* Note: when restarting bind, if you have any errors restarting the service this normally means you have a typo in one of your zone files. If this is the case, go through the file again in a text editor to make sure you did not add anything extra or remove anything else.</li><br />
<li>Use the '''dig''' tool to check the MX record and see that the new priority is active. You should see something similar to the following response:<br />
<pre>; <<>> DiG 9.10.3-P4-Debian <<>> debserv-z.test MX<br />
;; global options: +cmd<br />
;; Got answer:<br />
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40128<br />
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3<br />
<br />
;; OPT PSEUDOSECTION:<br />
; EDNS: version: 0, flags:; udp: 4096<br />
;; QUESTION SECTION:<br />
;debserv-z.test. IN MX<br />
<br />
;; ANSWER SECTION:<br />
debserv-Z.test. 38400 IN MX 15 mail.debserv-Z.test.<br />
<br />
;; AUTHORITY SECTION:<br />
debserv-Z.test. 38400 IN NS 2480-Z.itc2480.campus.ihitc.net.<br />
<br />
;; ADDITIONAL SECTION:<br />
mail.debserv-Z.test. 38400 IN A 172.17.50.36<br />
mail.debserv-Z.test. 38400 IN AAAA 2607:f930:1c00:50:250:56ff:feb1:8756<br />
<br />
;; Query time: 0 msec<br />
;; SERVER: 127.0.0.1#53(127.0.0.1)<br />
;; WHEN: Fri Feb 23 20:15:48 CST 2018<br />
;; MSG SIZE rcvd: 163</pre></li><br />
<ul>Notice how the Answer Section shows the MX record is pointed to the IP of the domain, and that the priority is set to 15.</ul><br />
<li>Congratulations, you have now set up a functional DNS server.</li><br />
</ol><br />
<br />
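The note above says a failed bind9 restart usually means a typo in a zone file. The following is an added example, not part of the original lab or of BIND: a small Python lint for zone files written in the layout shown above, which catches the mistakes this lab makes likely before you restart the service (an AAAA address pasted with its /64, an MX or CNAME target that has no matching record). The function names and the sample zone are constructed for illustration, and the serial-number check goes slightly beyond what the lab covers.<br />

```python
import ipaddress
import re

# Constructed sample in the layout shown above (System ID "Z"). The AAAA line
# deliberately keeps the /64 that "ip address show" prints.
SAMPLE_ZONE = """\
$ttl 38400
debserv-Z.test. IN SOA 2480-Z.itc2480.campus.ihitc.net. root.debserv-Z.test. (
            1519434495
            10800
            3600
            604800
            38400 )
debserv-Z.test. IN NS 2480-Z.itc2480.campus.ihitc.net.
debserv-Z.test. IN A 172.17.50.36
debserv-Z.test. IN MX 15 mail.debserv-Z.test.
mail.debserv-Z.test. IN A 172.17.50.36
blog.debserv-Z.test. IN CNAME debserv-z.test.
debserv-Z.test. IN AAAA 2607:f930:1c00:50:250:56ff:feb1:8756/64
"""


def parse_zone(text):
    """Return (owner, type, rdata_fields) for every 'name IN TYPE rdata' record.

    Assumes fully written-out records with class IN on each line and a
    parenthesised SOA; it is not a general RFC 1035 parser.
    """
    text = re.sub(r";[^\n]*", "", text)  # drop comments
    # Fold the multi-line "( ... )" group onto the SOA line.
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)
    records = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("$"):
            continue  # blank line or a directive such as $ttl
        if len(fields) < 4 or fields[1].upper() != "IN":
            raise ValueError(f"cannot parse line: {line!r}")
        # DNS names are case-insensitive, so owners are compared lower-cased.
        records.append((fields[0].lower(), fields[2].upper(), fields[3:]))
    return records


def mx_records(text):
    """List (priority, mail host) pairs, i.e. what dig should report."""
    return [(int(r[0]), r[1].lower()) for _, t, r in parse_zone(text) if t == "MX"]


def lint_zone(text, previous_serial=None):
    """Return a list of problems worth fixing before restarting bind9."""
    records = parse_zone(text)
    origin = next((n for n, t, _ in records if t == "SOA"), None)
    if origin is None:
        return ["no SOA record found"]
    owners = {n for n, _, _ in records}
    with_address = {n for n, t, _ in records if t in ("A", "AAAA")}

    def in_zone(name):
        return name == origin or name.endswith("." + origin)

    findings = []
    for name, rtype, rdata in records:
        if not name.endswith("."):
            findings.append(f"{name}: owner name has no trailing dot")
        if rtype == "SOA":
            if len(rdata) != 7 or not rdata[2].isdigit():
                findings.append("SOA: expected two names and five numbers")
            elif previous_serial is not None and int(rdata[2]) <= previous_serial:
                # Secondary servers only re-transfer a zone when the serial grows.
                findings.append(f"SOA serial {rdata[2]} was not increased after the edit")
        elif rtype in ("A", "AAAA"):
            parse = ipaddress.IPv4Address if rtype == "A" else ipaddress.IPv6Address
            try:
                parse(rdata[0])
            except ValueError:
                findings.append(f"{name} {rtype}: {rdata[0]!r} is not a bare address")
        elif rtype == "MX":
            if len(rdata) != 2 or not rdata[0].isdigit() or int(rdata[0]) > 65535:
                findings.append(f"{name} MX: expected '<priority> <host>'")
            elif in_zone(rdata[1].lower()) and rdata[1].lower() not in with_address:
                findings.append(f"{name} MX: {rdata[1]} has no A or AAAA record")
        elif rtype == "CNAME":
            target = rdata[0].lower()
            if in_zone(target) and target not in owners:
                findings.append(f"{name} CNAME: target {rdata[0]} is not in the zone")
    return findings


if __name__ == "__main__":
    print(mx_records(SAMPLE_ZONE))
    for problem in lint_zone(SAMPLE_ZONE, previous_serial=1519434495):
        print("-", problem)
```

To use it on your own server, read the file from ''/var/lib/bind'' and pass its text to <code>lint_zone</code>.<br />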
==Checking Your Work==<br />
<ol><br />
<li> Check the directories and files:</li><br />
# <code>/etc/bind/named.conf.options</code> should have the IP address 172.17.139.11 saved.<br />
# <code>/etc/network/interfaces</code> should have the IP address 127.0.0.1 saved.<br />
# Your <code>/var/lib/bind/*.hosts</code> file should have a MX, CNAME, and AAAA record.<br />
<br />
<br><br><br />
<br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_08_test.py | python3<br />
</nowiki></code><br />
</ol><br />
=Web App=<br />
You can check your progress on any of the labs in the ITC-2480 course from a webapp from this link: <br><br />
[http://webcheck.itc2480.campus.ihitc.net webcheck.itc2480.campus.ihitc.net]<br><br />
You must be logged into the campus VPN to use this application.</div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_7_mnjk&diff=9638Lab 7 mnjk2021-04-25T16:08:02Z<p>NateHaleen: /* Checking Your Work */</p>
<hr />
<div>=Introduction=<br />
This lab assumes you know how to install a package from the Debian repository and you have Webmin installed. If you need help please see '''[[Lab_1_mnjk#Installing_sudo_and_checking_your_IP_address | Lab 1]]''' and '''[[Lab_3_mnjk#Install_the_Webmin_Control_Panel | Lab 3]]'''.<br />
<br />
In this lab you will perform the following tasks:<br />
* Install [https://www.samba.org/samba/ Samba]<br />
* Setup a Guest Share<br />
* Share Home Directories<br />
* Setup a group share<br />
<br />
You will not be introduced to new commands.<br />
<br />
= Lab Procedure =<br />
== Prerequisites ==<br />
<ol><br />
<li> Open an SSH console to your Linux system using the PuTTY software, login with your standard user account. </li><br />
<li> Make sure that Webmin is installed on your system. </li><br />
<li> Make sure you have an up-to-date list of packages on your system using the '''apt update''' system. </li><br />
<li> Make sure you have all the latest software upgrades on your system using the '''apt upgrade''' method. </li><br />
</ol><br />
: ''NOTE: This lab sets up Samba with anonymous guest access which is not supported by Windows 10 anymore. You can work around this (directions for doing so are below) but you can't work around it on IHCC campus managed PCs so this lab really requires access to a PC which you have full administrative control over.''<br />
<br />
== Install Samba ==<br />
'''''[https://www.youtube.com/watch?v=h15fXbqYx5Y&feature=youtu.be Video Tutorial - Install Samba]''''' <br><br />
<ol><br />
<li> With your favorite package manager, install the '''samba''' package. </li><br />
<li> After Samba is installed, login into Webmin on your local computer's web browser. </li><br />
<li> Under the servers tab, notice how Samba does not show up. This is because we just installed the package. </li><br />
<li> On the bottom of the left toolbar, click '''refresh modules'''. After a minute, it should refresh the page. Now look under the servers tab again. Does Samba now show up?</li><br />
</ol><br />
<br />
== Setup a Guest Share ==<br />
'''''[https://www.youtube.com/watch?v=BmgKPYIVaPY&feature=youtu.be Video Tutorial - Setup a Guest Share]''''' <br><br />
<br />
The first thing we are going to do is we are going to create a guest share.<br />
This share will allow all users, even those who have not authenticated, to read files.<br />
To help you better understand samba, this first share will be configured from PuTTY and command line.<br />
<ol><br />
<li>Change into the '''/etc/samba/''' directory and view a directory listing.<br />
: In here we have one main file, '''smb.conf''', which holds all of the Samba share and authentication settings. There may also be a few other files and directories which can be used for more advanced Samba features such as TLS certificate based authentication.</li><br />
<li>With your favorite text editor, open up '''smb.conf''' with administrative permission.</li><br />
<li>Scroll to the bottom of the file, and notice how shares are defined. They all have a similar format such as:<br />
<pre><br />
[Share Name]<br />
comment = Share Comment<br />
options....</pre><br />
:'''options''' are the different configuration settings.</li><br />
Let's try creating the guest share folder from the config file manually.<br />
<li>Exit out of the text editor, and create the folder '''/srv/Guest-Files''' as root.<br />
: This will be the folder we are sharing.</li><br />
<li>Open up '''/etc/samba/smb.conf''' in a text editor again as root, and go to the bottom of the file.</li><br />
<li>Enter the following:<br />
<pre>[Guest Share]<br />
comment = Public File Share<br />
public = yes<br />
path = /srv/Guest-Files</pre><br />
You have now created the public share. <br />
</li><br />
<br />
<li>In order to make the share take effect you need to restart the Samba service on your machine with the following command: <br />
<br><br />
<code>service smbd restart</code><br />
<br />
: ''NOTE: Restarting services requires administrative permission.''</li><br />
<li>To test this share, go into '''/srv/Guest-Files''' and create a text file and enter some information.<br />
: We will use this file to test the read-only settings of the share.<br />
: At this point, we should be ready to test out our configuration. </li><br />
<li>On your local computer, open up the run dialog box, and enter '''\\172.17.50.xx''' (the IP you set up as the static address of your VM), and press enter.<br />
: You should see a share folder called Guest Share.<br />
:[[file:Samba-windows-guest.png | link= https://wiki.ihitc.net/mediawiki/images/d/d4/Samba-windows-guest.png | 500px]]<br />
:[[media:Samba-windows-guest.png | Click for Larger Image]]</li><br />
: ''NOTE: If you receive an error on your local system and can't access the Samba share, it might be your firewall blocking the connection. This has been the case with non-Windows Firewalls such as BitDefender. If you are using one of these firewalls you may have to make a rule to allow traffic. This link might help: [https://www.bitdefender.com/consumer/support/answer/2397/ https://www.bitdefender.com/consumer/support/answer/2397/]''<br />
<li>Open the Guest Share folder and see if your text file is in the share.</li><br />
<li>Open up the file, and try to edit and save the file. What error do you get?</li><br />
: '''''SPECIAL NOTE for Windows 10 Client PCs:''' If the computer you are using to try and connect to this share is running Windows 10 version 1709 or later, [https://support.microsoft.com/en-us/help/4046019/guest-access-smb2-disabled-by-default-in-windows-10-server-2016 Microsoft has disabled SMB guest share access]. You have a few different options for completing this:''<br />
:* Use an earlier version of Windows (remember you'll need to install OpenVPN and be connected to ITCnet) such as Windows 10 before version 1709, Windows 8, or Windows 7 to attempt to connect to the share.<br />
:* Follow the instructions on the above Microsoft page to re-enable guest share access on your Windows 10 version 1709 or later system using the group policy editor (requires Windows 10 Professional or Enterprise)<br />
:* Use the registry editor to set the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters] "AllowInsecureGuestAuth" to dword:1 (Note: editing your registry can cause your system not to boot and other unexpected behavior, so be careful and be sure of what you are doing)<br />
: '''''SPECIAL NOTE for Personal Windows PCs:''' If you are getting an error after hitting enter in the run dialog box, try either disabling your firewall or making a firewall exception for the IP address of your server.''<br />
</ol><br />
<br />
== Share Home Directories ==<br />
'''''[https://www.youtube.com/watch?v=MOJ6wwiQ1mk&feature=youtu.be Video Tutorial - Share Home Directories]''''' <br><br />
Now we are going to set up Home Directory Sharing. By default this is enabled, but write access is not and no users are set up.<br />
First it must be noted that Samba requires separate user accounts from the system, just like MySQL. So first, we are going to add your user account.<br />
<ol><br />
<li> To do this, we are now going to use Webmin to configure the shares.<br />
: Notice also what other shares are enabled in Samba by default when looking at the Webmin page for Samba. </li><br />
:[[file:Webmin-samba-dashboard.png | link= https://wiki.ihitc.net/mediawiki/images/9/9d/Webmin-samba-dashboard.png | 500px]]<br />
:[[media:Webmin-samba-dashboard.png | Click for Larger Image]]<br />
<li> On the Webmin Samba configuration page, click '''Samba Users'''.<br />
: Notice how none are currently defined.</li><br />
<li>Go back and click '''Convert Users'''.<br />
: This is the tool we will use to convert/copy the local Unix user accounts to Samba accounts.</li><br />
<li>Leave the Unix users to convert option set to all except listed users and UID ranges with the option of -499.<br />
: This will add all user accounts with a UID of 500 or more to Samba. Lower UID values are typically used on Debian systems as service accounts (like ''www-data'') which should not have Samba permissions. </li><br />
<li> On the bottom, select '''No password'''.<br />
: We are doing this as we will define unique passwords for each user.</li><br />
<li>Click '''Convert Users''' when ready. </li><br />
<li> When you are done, go to the '''Samba Users''' page again.<br />
: Notice how your user account is now listed.</li><br />
<li>From here you can now add passwords to the different user accounts you added in the last step. Be sure to set the passwords for each user you intend to connect with. </li><br />
<br />
Lastly we are going to setup write access to home folders, so you will be able to add files to your home directory over Samba.<br />
<br />
<li> On the Samba config page, under '''Shares''', click the '''home share'''.</li><br />
<li> Click '''Security and Access Control'''.</li><br />
<li> Set the '''Writable''' option to '''Yes''', and then click save. </li><br />
<li> Go back to the Samba config page, and click the '''Restart Samba Servers''' option at the bottom.<br />
: We do this to force samba to load the new configuration. You can also wait a minute or two if you don't want to disconnect any connected users. </li><br />
: At this point, we should be ready to test out our configuration.<br />
<li>On your local computer, open up the run dialog box, and enter '''\\172.17.50.xx''' (the IP you set up as the static address), and press enter.<br />
: Notice how you do not see a home directory share because you are connected without any authentication.</li><br />
<li>In the top URL window, add '''\<username>''' to the path, e.g. '''\\172.17.50.xx\user'''.<br />
: You should now get a login popup.</li><br />
<li>Login as your user, and you should be greeted with your home folder.<br />
: ''NOTE: If your user is unable to login you may have forgotten to set a Samba password for the user as directed above. You need to set a password for each user within Samba.''<br />
: ''NOTE: On local systems running an operating system other than Windows follow whatever process you would normally use to connect to a Windows file share using the IP address of your VM as the server name.'' </li><br />
<li> Test creating and deleting a file to verify write access is working.</li><br />
<li> Try to access a home share of another user that was added to Samba.<br />
: Notice how you do not have permissions.</li><br />
<li>Try logging in with another user account to access a different home share.<br />
: ''NOTE: To use another user account in a samba share, you may have to logout and then back in on your local machine.'' </li><br />
</ol><br />
<br />
== Setup a Group Share ==<br />
'''''[https://www.youtube.com/watch?v=1C7BBUC_V3A&feature=youtu.be Video Tutorial - Setup a Group Share]''''' <br><br />
Now we are going to set up a group folder share that will allow all Samba users to read and write to the folder.<br />
<ol><br />
<li>Go back to the Webmin Samba configuration panel.<br />
: We are going to create a new share.</li><br />
<li>Under '''shares''', select the '''Create a new file share''' link. Use the following base configuration:<br />
<br><br />
<code>Share Name: Share-Files<br><br />
Directory to share: /srv/Group-Share<br><br />
Automatically Create Directory: Yes<br><br />
Create with owner: root<br><br />
Create with permissions: 775<br><br />
Create with group: users<br><br />
Available: yes<br><br />
Browsable: yes<br><br />
Share Comment: group share folder<br />
</code></li><br />
<li>Once the share is setup, click it to edit it.</li><br />
<li>Once you are at the '''Edit File Share''' page, click '''File Permissions'''.<br />
: Notice how the New Unix file and New Unix directory are set to 755 by default, even though we set the share to use 775 to create the directory. This is done for security purposes as it would only allow the owner to have modification privileges for the files and directories they create. We need to modify this so that all users on the system have full access to files in this share.</li><br />
<li>Set the '''New Unix file''' and '''New Unix directory''' mode to 775, and set '''Force Unix group''' to '''users'''. You can now press '''save'''. We do this to allow all authenticated users permission to modify and edit files that may have been added by other users.</li><br />
: Now we will need to enable write access to the folder.<br />
<li>On the '''Edit file share''' page again, click '''Security and Access Control'''.</li><br />
<li>Set the '''Writable''' option to '''Yes''', and press '''save'''.</li><br />
<li>At this point, you can test the share exactly the same way we did with the home folder share.</li><br />
: Notice though how this share is set to '''browsable''', so it shows up in the root share folder. Go ahead and create a file through your host computer. Then use PuTTY to look at the user and group assigned to the files you created.<br />
: It is important to note that even if a user has read or write permission in Samba they must ''also'' have permission to read or write the file/directory on the underlying Linux filesystem. Many problems with making Samba work can be traced to permissions errors where a user does not have correct permission to work with a file or directory either by the Samba software ''or'' by the filesystem.<br />
<li>Look at your '''smb.conf''' file and see what changes Webmin made in order to set up your group share.</li><br />
</ol><br />
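The guest share, home directory and group share sections above each change who can reach a share and who can write to it. The following is an added example, not part of the original lab or of Samba: a short Python audit that reads '''smb.conf''' text, resolves the parameter synonyms Samba accepts (''public'' for ''guest ok'', ''writeable'' as the inverse of ''read only'', ''create mode'' for ''create mask''), and reports the effective guest and write settings per share. The sample configuration is constructed to resemble the three shares from this lab; what Webmin actually writes on your system may use different spellings.<br />

```python
# Parameter synonyms from smb.conf(5). Keys are stored lower-cased with
# whitespace removed because Samba ignores both in parameter names.
SYNONYMS = {"public": "guestok", "createmode": "createmask",
            "directorymode": "directorymask", "group": "forcegroup"}
INVERTED = {"writeable", "writable", "writeok"}  # inverted synonyms of "read only"
YES = {"yes", "true", "1"}

# Constructed sample modelled on the three shares built in this lab.
SAMPLE_SMB_CONF = """\
[global]
workgroup = WORKGROUP

[homes]
comment = Home Directories
browseable = no
read only = no

[Guest Share]
comment = Public File Share
public = yes
path = /srv/Guest-Files

[Share-Files]
comment = group share folder
path = /srv/Group-Share
writeable = yes
create mode = 775
directory mode = 775
force group = users
"""

# Constructed weak variant: guests may write, masks are 777, no forced group.
WEAK_VARIANT = (SAMPLE_SMB_CONF
                .replace("public = yes", "public = yes\nwritable = yes")
                .replace("775", "777")
                .replace("force group = users\n", ""))


def parse_smb_conf(text):
    """Return {section: {canonical_parameter: value}}; later lines win."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key, value = "".join(key.lower().split()), value.strip()
            if key in INVERTED:  # "writable = yes" means "read only = no"
                key = "readonly"
                value = "no" if value.lower() in YES else "yes"
            current[SYNONYMS.get(key, key)] = value
    return sections


def audit_shares(text):
    """Report effective guest/write access and warnings for every share."""
    sections = parse_smb_conf(text)
    defaults = {"readonly": "yes", "guestok": "no"}  # Samba's built-in defaults
    for name, params in sections.items():
        if name.lower() == "global":
            defaults.update(params)  # [global] values apply to every share
    report = {}
    for name, params in sections.items():
        if name.lower() == "global":
            continue
        eff = {**defaults, **params}
        guest = eff["guestok"].lower() in YES
        writable = eff["readonly"].lower() not in YES
        warnings = []
        if guest and writable:
            warnings.append("unauthenticated guests can write to this share")
        masks = [int(eff[k], 8) for k in ("createmask", "directorymask") if k in eff]
        if any(m & 0o002 for m in masks):
            warnings.append("mask allows world-writable files and directories")
        if writable and any(m & 0o020 for m in masks) and "forcegroup" not in eff:
            warnings.append("group-writable mask without 'force group': new files "
                            "get each creator's own primary group")
        report[name] = {"guest": guest, "writable": writable, "warnings": warnings}
    return report


if __name__ == "__main__":
    for label, conf in (("lab config", SAMPLE_SMB_CONF), ("weak variant", WEAK_VARIANT)):
        print(label)
        for share, result in audit_shares(conf).items():
            print(" ", share, result)
```

The audit only covers the Samba side. As noted above, the Linux permissions on ''/srv/Guest-Files'' and ''/srv/Group-Share'' still decide what a connected user can actually do.<br />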
<br />
= Checking Your Work =<br />
<br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_07_test.py | python3<br />
</nowiki></code><br />
<br />
<br />
=Web App=<br />
You can check your progress on any of the labs in the ITC-2480 course from a webapp from this link: <br><br />
[http://webcheck.itc2480.campus.ihitc.net webcheck.itc2480.campus.ihitc.net]<br><br />
You must be logged into the campus VPN to use this application.</div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_6_mnjk&diff=9629Lab 6 mnjk2021-04-20T01:14:45Z<p>NateHaleen: /* Checking your Work */</p>
<hr />
<div>=Introduction=<br />
In this lab you will perform the following tasks:<br />
*Installing typical website software on your server including a forum and blog software<br />
*Playing with basic PHP web scripting<br />
In all of these cases you should download the latest stable .tar.gz version of the software from the website and install it following the official documentation. <br><br />
'''DO NOT''' install pre-built Debian packages, this is not allowed and will not prepare you properly for installing this type of software in many web hosting environments.<br />
<br />
There are no specific Linux commands needed for this lab, but this lab assumes you can do the following:<br />
*[[Lab_5_mnjk#Experiment_with_Databases | MariaDB database creation]]<br />
*[[Lab_5_mnjk#Experiment_with_Website_PHP | Creating HTML links]]<br />
<br />
=Lab Procedure=<br />
== Prerequisites ==<br />
# Open an SSH console to your Linux system using the PuTTY software<br />
# Login with your standard user account<br />
# Use FileZilla to transfer files to your system using SCP/SFTP if needed<br />
<br />
== Install Wordpress ==<br />
'''''[https://www.youtube.com/watch?v=Qg5fow1_SCY&feature=youtu.be Video Tutorial - Install Wordpress]'''''<br />
# Download the latest stable version of the [http://wordpress.org/ Wordpress blogging software]<br />
#:[[file:Lab6_links_wordpress.png | link= https://wiki.ihitc.net/mediawiki/images/3/39/Lab6_links_wordpress.png | 500px]]<br />
#:[[media:Lab6_links_wordpress.png| Click for Larger Image]]<br />
# Try following the [http://codex.wordpress.org/Main_Page official installation documentation] to install the software. <br />
#: Your goal is to install the software in the ''/blog/'' directory of your webserver so that you can visit your blog by going to http://''example.com''/blog/ where ''example.com'' is your IP address (we don't have DNS setup).<br />
#: ''HINT: You can use either the mysql command line client or the Webmin interface to do the database setup.''<br />
#* The command to create a database in MariaDB is:<br />
#: <code> CREATE DATABASE <name of database>; </code><br />
#* Once the database is created you will need to create a user:<br />
#: <code> CREATE USER '<username>'@'localhost' IDENTIFIED BY '<password>';</code><br />
#* Now grant the newly created user privileges:<br />
#: <code> GRANT ALL PRIVILEGES ON <database>.* TO '<username>'@'localhost';</code><br />
#* Once you've completed these steps return to the Wordpress Installation Guide and complete the installation.<br />
#:[[file:Lab6_WordPress_Installation_mk2.png | link= https://wiki.ihitc.net/mediawiki/images/f/fa/Lab6_WordPress_Installation_mk2.png | 500px]]<br />
#:[[media:Lab6_WordPress_Installation_mk2.png | Click for Larger Image]]<br />
# Once the software is installed make sure that you can successfully log in to the Wordpress web interface and add a few blog posts.<br />
#:[[file:Lab6_wordpress_default_blog_mk2.png | link= https://wiki.ihitc.net/mediawiki/images/9/9b/Lab6_wordpress_default_blog_mk2.png | 500px]]<br />
#:[[media:Lab6_wordpress_default_blog_mk2.png| Click for Larger Image]]<br />
<br />
== Install MyBB ==<br />
'''''[https://www.youtube.com/watch?v=VegevSlCpSQ&feature=youtu.be Video Tutorial - Install MyBB]'''''<br />
# Download and install the latest stable version of the [http://www.mybb.com/ MyBB forum software] following the instructions in their documentation. <br />
#:[[file:lab6_links_mybb.png | link= https://wiki.ihitc.net/mediawiki/images/2/2b/Lab6_links_mybb.png | 500px]]<br />
#:[[media:lab6_links_mybb.png | Click for Larger Image]]<br />
#: Your goal is to install the software in the ''/forum/'' directory of your webserver so that you can visit your forum by going to http://''example.com''/forum/ where ''example.com'' is your IP address (we don't have DNS setup)<br />
#:[[file:lab6_MyBB_Installation.png | link= https://wiki.ihitc.net/mediawiki/images/d/d2/Lab6_MyBB_Installation.png | 500px]]<br />
#:[[media:lab6_MyBB_Installation.png | Click for Larger Image]]<br />
#: ''HINT: If you get an error during installation about PHP XML extensions, use '''apt''' to search for and install php-xml. After that use '''sudo service apache2 restart''' to restart Apache2 and apply the change.''<br />
# Make sure that you can create forums, users, and posts once you have installed the software.<br />
#:[[file:lab6_mybb_default.png | link= https://wiki.ihitc.net/mediawiki/images/d/d6/Lab6_mybb_default.png | 500px]]<br />
#:[[media:lab6_mybb_default.png | Click for Larger Image]]<br />
<br />
== Install One Additional PHP Application ==<br />
'''''[https://www.youtube.com/watch?v=X-u9EdQxcxw&feature=youtu.be Video Tutorial - Additional PHP Applications]'''''<br />
# Select One Additional PHP Application from the list below and install it following the official documentation:<br />
#* [http://www.opencart.com/ OpenCart] - Web Store System<br />
#* [https://www.mediawiki.org/ MediaWiki] - Wiki System<br />
#* [https://www.joomla.org/ Joomla!] - Content Management System<br />
#* [https://nextcloud.com NextCloud] - File Management like Google Drive<br />
#* [http://piwigo.org/ Piwigo] - Image Gallery<br />
#* [https://gnu.io/social/ GNU Social] - Microblogging like Twitter<br />
#* [https://www.limesurvey.org/stable-release LimeSurvey] - Run your own site like SurveyMonkey<br />
#* Other PHP applications may be approved by your instructor<br />
# After completing the installation make sure the software works as it should<br />
<br />
== Experiment With PHP ==<br />
# Take a look at the simple [http://www.w3schools.com/php/php_ajax_rss_reader.asp RSS reader on the w3schools site]<br />
# See if you can get the RSS reader working on your own server.<br />
#:[[file:lab6_rss.png | link= https://wiki.ihitc.net/mediawiki/images/a/a0/Lab6_rss.png | 500px]]<br />
#:[[media:lab6_rss.png | Click for Larger Image]]<br />
# Try changing one or both of the RSS feeds from Google and ZDNet to feed(s) of your choice<br />
# Try modifying the code to include more than two RSS feeds<br />
#: ''Hint: The idea in this section of the lab is to see if you can figure out how a simple PHP application works and modify it, not specifically to see if you can run the RSS reader.''<br />
<br />
== Update Your Main Page ==<br />
# Put links on your main INDEX page to everything you have done (your blog, forums, additional PHP software, and RSS reader experimental page)<br />
#: Here is a sample of what your INDEX page might look like, but you are free to customize it however you wish:<br />
#: [[File:Lab6_index_page.png|link=https://wiki.ihitc.net/mediawiki/images/0/00/Lab6_index_page.png | 500px]]<br />
#: [[Media:Lab6_index_page.png| Click here for larger image]]<br />
<br />
=Checking your Work=<br />
Wordpress<br />
# On your host computer navigate to http://''example.com''/blog.<br />
# Make a blog post.<br />
# Reach out to someone else in the class (you can get classmates email addresses from the D2L Classlist) and ask them to comment on your blog post.<br />
#: If you are able to post and see a comment from your classmate you have successfully completed the Wordpress section of the lab.<br />
<br><br />
MyBB<br />
# On your host computer navigate to http://''example.com''/forum.<br />
# Create a forum.<br />
# Create a user account.<br />
# Make a post using your new user account.<br />
#: If you are able to make a post using the new user account you have successfully completed the MyBB section of the lab.<br />
<br><br />
Other PHP Applications<br><br />
: Depending on which PHP application you installed the method of testing will be different<br />
:Use your creativity. Here are some ideas:<br />
*Upload something.<br />
* Post Something.<br />
*Make a new page.<br />
: When you are satisfied that your application is working properly, you have completed the PHP application section of this lab.<br />
<br><br />
RSS Feed Reader<br />
# From your host system navigate to the location of your RSS feed.<br />
#: ''HINT: This should be linked on your index page''<br />
# Use the dropdown bar to select a feed.<br />
#: The most recent posts from that feed should appear.<br />
#:[[file:Lab6_rss_sample.png | link= https://wiki.ihitc.net/mediawiki/images/f/f7/Lab6_rss_sample.png | 500px]]<br />
#:[[media:Lab6_rss_sample.png | Click for Larger Image]]<br />
# Try clicking the link to navigate to the full article.<br />
#: If you are able to complete all these steps you have successfully completed the RSS Reader section of this lab. <br />
<br><br><br />
<br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_06_test.py | python3<br />
</nowiki></code><br />
</ol><br />
<br><br><br />
=Web App=<br />
You can check your progress on any of the labs in the ITC-2480 course from a webapp from this link: <br><br />
[http://webcheck.itc2480.campus.ihitc.net webcheck.itc2480.campus.ihitc.net]<br><br />
You must be logged into the campus VPN to use this application.</div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_5_mnjk&diff=9628Lab 5 mnjk2021-04-20T01:14:20Z<p>NateHaleen: /* Checking Your Work */</p>
<hr />
<div>=Introduction=<br />
In this lab you will perform the following tasks:<br />
*Learn about static network configuration of Debian Linux systems<br />
*Install '''[https://www.php.net PHP]'''<br />
*Install '''[https://mariadb.org MariaDB]''' on your server, this is an open-source MySQL alternative<br />
*Experiment with websites and databases<br />
*Explore the standard log files on your system.<br />
<br />
You will be introduced to the following commands:<br />
<br />
*'''[https://linux.die.net/man/8/ifup ifup]'''<br />
*'''[https://linux.die.net/man/8/ifdown ifdown]'''<br />
*'''[https://linux.die.net/man/8/ping ping]'''<br />
*'''[https://linux.die.net/man/8/shutdown shutdown]'''<br />
*'''[https://www.commandlinux.com/man-page/man8/a2dissite.8.html a2ensite]'''<br />
*'''[https://www.commandlinux.com/man-page/man8/a2dissite.8.html a2dissite]'''<br />
*'''[https://linux.die.net/man/1/wget wget]'''<br />
*'''[https://linux.die.net/man/1/zcat zcat]'''<br />
*'''[https://linux.die.net/man/8/service service]'''<br />
*'''[https://linux.die.net/man/1/tail tail]'''<br />
<br />
You will also use the following MySQL (MariaDB) commands:<br />
<br />
*'''[https://mariadb.com/kb/en/use USE]'''<br />
*'''[https://mariadb.com/kb/en/show SHOW]'''<br />
*'''[https://mariadb.com/kb/en/select SELECT]'''<br />
*'''[https://mariadb.com/kb/en/drop-database DROP database]'''<br />
<br />
=Lab Procedure=<br />
==Prerequisites==<br />
# Open an SSH console to your Linux system using the PuTTY software, login with your standard user account<br />
# Make a note of the static IP address information for your particular system in the table below; it is based on the system name identification letter in VMware. These IP addresses will ONLY be valid in the ITC VMware Linux class subnet. If you are working on a local VirtualBox system, you will need to select an available static IP from the correct subnet for your system or skip the static IP addressing section. All VMware systems will use a gateway address of 172.17.50.1 and a subnet mask of 255.255.255.0 with two nameservers, 172.17.139.11 and 172.17.139.111.<br />
{| {{table}}<br />
| align="center" style="background:#f0f0f0;"|'''System ID'''<br />
| align="center" style="background:#f0f0f0;"|'''Static IP'''<br />
|-<br />
| A||172.17.50.11<br />
|-<br />
| B||172.17.50.12<br />
|-<br />
| C||172.17.50.13<br />
|-<br />
| D||172.17.50.14<br />
|-<br />
| E||172.17.50.15<br />
|-<br />
| F||172.17.50.16<br />
|-<br />
| G||172.17.50.17<br />
|-<br />
| H||172.17.50.18<br />
|-<br />
| I||172.17.50.19<br />
|-<br />
| J||172.17.50.20<br />
|-<br />
| K||172.17.50.21<br />
|-<br />
| L||172.17.50.22<br />
|-<br />
| M||172.17.50.23<br />
|-<br />
| N||172.17.50.24<br />
|-<br />
| O||172.17.50.25<br />
|-<br />
| P||172.17.50.26<br />
|-<br />
| Q||172.17.50.27<br />
|-<br />
| R||172.17.50.28<br />
|-<br />
| S||172.17.50.29<br />
|-<br />
| T||172.17.50.30<br />
|-<br />
| U||172.17.50.31<br />
|-<br />
| V||172.17.50.32<br />
|-<br />
| W||172.17.50.33<br />
|-<br />
| X||172.17.50.34<br />
|-<br />
| Y||172.17.50.35<br />
|-<br />
| Z||172.17.50.36<br />
|}<br />
<br />
<br />
<br />
==Set a static IP==<br />
'''''[https://www.youtube.com/watch?v=VcPA6gJ0Ohw&feature=youtu.be Video Tutorial - Setting a Static IP Address]'''''<br />
<br />
: An important first step is to learn how to differentiate between network interfaces. Take a look at [https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/ this site] and [https://github.com/systemd/systemd/blob/master/src/udev/udev-builtin-net_id.c#L20 this site] to understand how network interface names in Debian 9 and later are identified.<br />
<ol><br />
<li>Set a static IP for your server</li><br />
* Using your text editor of choice, open up the file ''/etc/network/interfaces''<br />
* Notice how it is currently set to dhcp for the ''ens192'' interface.<br />
* To set a static IP, you will need to change ''iface ens192 inet dhcp'' to ''iface ens192 inet static''.<br />
* Now, under the iface line you just edited, you will need to enter the address, netmask, and gateway for the static network.<br />
:'''Reminder:''' it is common practice to indent (tab) static network configuration information in the interfaces file.<br />
''Note: Your configuration should be similar to this:''<br />
<pre>allow-hotplug ens192<br />
iface ens192 inet static<br />
address xxx.xxx.xxx.xxx<br />
netmask 255.255.255.0<br />
gateway 172.17.50.1<br />
dns-nameservers 172.17.139.11 172.17.139.111</pre><br />
* Now save the file, and exit your file editor.<br />
<li>Apply your static IP address</li><br />
* Now we are going to apply the static IP change. Try using '''ip address show''' to view your active configuration now and you should see that your old address is still active.<br />
:'''NOTE: You should only make network configuration changes when you have physical access to a machine. This way, if you mess up your configuration you will be able to fix it from a local console.''' If you lose working SSH access to your system after making these changes you'll need to connect in through the NetLab console interface (which is equivalent to physical access) and find and correct your configuration issues.<br />
* Using the '''ifdown''' and '''ifup''' command, we are going to restart the network interface, this step is required to apply the change.<br />
:'' Note: A good method to watch this change is to have two ping windows open on your local machine, pinging both your old IP address and your new IP address with '''ping 172.17.50.xx -t'''; this will allow you to see how quickly the change happens. The first image below is with the DHCP address, the second is after the static address is applied.<br />
:[[File:Lab5_ping_ifup_ifdown.png|link=https://wiki.ihitc.net/mediawiki/images/2/2f/Lab5_ping_ifup_ifdown.png|500px]]<br />
:[[Media:Lab5_ping_ifup_ifdown.png|Click here for a larger image]]<br />
* In an SSH terminal, run '''sudo ifdown ens192 && sudo ifup ens192'''. Notice the two ''&&'' symbols. This tells the Linux shell that it should run the second command right after the first, provided the first one succeeds. If we do not chain the commands this way, then we would be left with a machine that has its networking turned off.<br />
: <code>sudo ifdown ens192 && sudo ifup ens192</code><br />
'' Note: you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
* At this point, your machine should now be using a static address. You may receive an error message indicating that an address cannot be assigned which is related to your old DHCP address still being on the interface as well. Use '''ip address show''' to verify the new IP address is assigned to the interface.<br />
<li>Verify the new static IP address</li><br />
* Use a '''ping''' command from your local PC to try pinging both the old DHCP address as well as the new static address of your VM. <br />
* Once you have verified the VM is responding on the new static IP address, reboot the system with '''sudo shutdown -r now''' to ensure the old DHCP address is removed. Note you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
<li>Reconnect through SSH to your new IP address and verify it is now applied using the '''ip address show''' command.</li><br />
</ol><br />
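A pre-flight check for the stanza above, as an added example that is not part of the original lab: it parses an interfaces file and confirms the address, netmask and gateway are well formed and on the same subnet before '''ifdown'''/'''ifup''' is run. The function names and the sample file (system A's address from the table) are constructed for illustration, and the check expects the dotted netmask form the lab uses.<br />

```shell
#!/bin/sh
# Added example (not part of the lab): validate a static stanza in an
# interfaces(5)-style file before restarting the interface.

# Convert a dotted-quad IPv4 address to an integer; non-zero status if malformed.
ip_to_int() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*|*.*.*.*.*) return 1 ;;
    esac
    ip_old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$ip_old_ifs
    [ $# -eq 4 ] || return 1
    for ip_octet in "$@"; do
        case $ip_octet in
            0?*|????*) return 1 ;;      # no leading zeros, at most 3 digits
        esac
        [ "$ip_octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Print "address netmask gateway" from IFACE's "inet static" stanza.
static_stanza() {   # usage: static_stanza FILE IFACE
    awk -v ifc="$2" '
        $1 ~ /^#/ { next }
        $1 == "iface" { in_st = ($2 == ifc && $3 == "inet" && $4 == "static"); next }
        $1 ~ /^(auto|allow-|mapping|source)/ { in_st = 0; next }
        in_st && $1 == "address" { a = $2 }
        in_st && $1 == "netmask" { m = $2 }
        in_st && $1 == "gateway" { g = $2 }
        END { if (a == "" || m == "" || g == "") exit 1; print a, m, g }
    ' "$1"
}

# Exit status: 0 usable, 2 stanza missing/incomplete, 3 malformed value,
# 4 non-contiguous netmask, 5 gateway off-subnet, 6 address equals gateway.
check_static() {    # usage: check_static FILE IFACE
    cs_vals=$(static_stanza "$1" "$2") || { echo "no complete static stanza for $2"; return 2; }
    set -- $cs_vals
    cs_addr=$(ip_to_int "$1") || { echo "malformed address: $1"; return 3; }
    cs_mask=$(ip_to_int "$2") || { echo "malformed netmask: $2"; return 3; }
    cs_gw=$(ip_to_int "$3")   || { echo "malformed gateway: $3"; return 3; }
    # A valid mask is a run of 1 bits followed by a run of 0 bits.
    cs_inv=$(( ~$cs_mask & 4294967295 ))
    [ $(( $cs_inv & ($cs_inv + 1) )) -eq 0 ] || { echo "netmask $2 is not contiguous"; return 4; }
    [ $(( $cs_addr & $cs_mask )) -eq $(( $cs_gw & $cs_mask )) ] ||
        { echo "gateway $3 is not on the subnet of $1"; return 5; }
    [ "$cs_addr" -ne "$cs_gw" ] || { echo "address equals gateway"; return 6; }
    echo "ok: $1/$2 via $3"
}

# Constructed sample: the lab's stanza filled in for system A (172.17.50.11).
sample_interfaces() {
    cat <<'EOF'
# constructed sample for this example
auto lo
iface lo inet loopback

allow-hotplug ens192
iface ens192 inet static
    address 172.17.50.11
    netmask 255.255.255.0
    gateway 172.17.50.1
    dns-nameservers 172.17.139.11 172.17.139.111
EOF
}

# Run the check against the constructed sample.
demo_file=$(mktemp)
sample_interfaces > "$demo_file"
check_static "$demo_file" ens192
rm -f "$demo_file"
```

An unedited '''xxx.xxx.xxx.xxx''' placeholder is reported as a malformed address, so the check also catches a template that was saved without being filled in.<br />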
<br />
==Install PHP & MySQL/MariaDB==<br />
<br />
'''''[https://www.youtube.com/watch?v=Az0qtg4LSjA&feature=youtu.be Video Tutorial - Install PHP and MySQL MariaDB]'''''<br />
<ol><br />
<li>Install packages</li><br />
:* Using '''apt''', install the ''php'' and ''mariadb-server'' packages as well as the ''php-mysql'' package which provides the link between php and mysql and the ''libapache2-mod-php'' package which provides a copy of PHP which allows the Apache webserver to run website PHP scripts.<br />
'' Note: Remember to do an '''apt update''' before installing packages to make sure you get the latest versions<br />
'' Note: MariaDB is a fully compatible replacement for MySQL that isn't controlled by Oracle.<br />
* After the dependencies are found, go ahead and accept them to continue the install.<br />
<li> After the install is complete, '''cd''' to ''/var/www/html'' which is the root directory of your webserver and so where all website files are served from.</li><br />
<li> In order to fully enable the PHP-MySQL module you should restart your Apache webserver. You don't need to restart your entire system to do this. Do some research on the "apache2ctl" or the "service apache2" commands which can be used to do this.</li><br />
<li> At this point we will test to verify that php is working properly with Apache. Create a new file named ''phptest.php'', and then open it in a text editor.</li><br />
: '' Note: you may have to use sudo to create and edit files in this directory, as your standard user account may not have privileges to create and edit files in this directory.<br />
:<code>sudo touch phptest.php</code><br />
:<code>sudo nano phptest.php</code><br />
<li>Enter the following into the file:<br />
<pre><?php<br />
phpinfo();<br />
?></pre></li><br />
<li>Now save the file, and on your local machine go to xxx.xxx.xxx.xxx/phptest.php in a web browser where xxx.xxx.xxx.xxx is your VM's static IP. You should now be on a page that shows your PHP Version, and system information.</li> <br />
:[[File:Lab5_php_info.png|500px]]<br />
:[[Media:Lab5_php_info.png|Click here for a larger image]]<br />
<li>Use the "View Source" option in your browser to see what the HTML source code for the page you're viewing is. Is it the same or different than the .php file you created? Why? How is this different than a standard .html file?</li><br />
:[[File:Lab5_php_info_devtab.png|500px]]<br />
:[[Media:Lab5_php_info_devtab.png|Click here for a larger image]]<br />
</ol><br />
<br />
==Experiment with Website PHP==<br />
<br />
'''''[https://www.youtube.com/watch?v=m_sUrt_quX4&feature=youtu.be Video Tutorial - Experiment with Website PHP]'''''<br />
<ol><br />
<li> Explore Apache symlinks</li><br />
:In a previous lab we learned about editing the ''/var/www/index.html'' file to change the default web page displayed by your server. In a future lab you will install some PHP/MySQL based software which powers many Internet sites with forums, blogs, etc. Before we can do that we need to learn a little more about PHP and about databases. Like most software on Linux the Apache webserver configuration files are stored in the ''/etc'' directory. Specifically, you can find several of them which work together and are called from each other in ''/etc/apache2/'' take a look in the ''/etc/apache2/sites-enabled/'' directory. See how symlinks are used to point to configuration files which actually reside in the ''/etc/apache2/sites-available/'' directory? This allows us to turn off and on various sites by creating or removing a symlink rather than by deleting the actual configuration file, a handy thing if we just want to temporarily disable a site. In fact Apache provides a utility to automatically add and remove these links called '''a2ensite''' and '''a2dissite'''. Check the '''man''' pages for these commands to see how they work.<br />
<li>Explore '''/etc/apache2/sites-enabled'''</li><br />
:As you might have guessed the default site for your system is configured by the file linked to at ''/etc/apache2/sites-enabled/000-default'' If you open this file in your favorite text editor you will see a series of what Apache calls "directives" which explain how the webserver should function, what port it should listen on, where the website files will reside (''/var/www/html''), etc. <br />
:'' NOTE: Going into all of the different Apache directives is outside of the scope of this course but you will find a lot of documentation about them on the Internet.<br />
<li>Explore the Apache configuration files in Webmin</li><br />
:In addition to configuring Apache directly through its configuration files you can also configure it through an interface like Webmin which we installed in a previous lab. Bring up the Webmin configuration page for Apache and take a look at the settings for the default site. Note how the things you saw directly in the configuration file match up with what you see in Webmin. One of the things you may be interested in seeing is how the webserver knows to display the index.html file from a directory if it exists and no specific file is requested in the URL. Take a look on the "Directory Indexing" page for the default virtualhost and see if you can find this information. You'll notice that there is a list of files, not just index.html which the server will display.<br />
:'' NOTE: You may need to refresh your Webmin modules or "scan for new modules" if you haven't done that since installing Apache and Webmin. Webmin scans your system for compatible server software packages (like Apache) when it is installed but needs to re-scan its modules after you install new server software before you can configure it through Webmin.<br />
<li>Experiment with and learn PHP basics</li><br />
:In another section of this lab you created a basic ''phptest.php'' file and saw how the server executed the PHP code and turned it into an HTML page your browser could display. Because PHP offers an easy way to write web applications it powers much of the Internet. To prepare us for setting up some PHP applications in a future lab it will be helpful to know a little about how PHP scripts work. Read through the [http://www.w3schools.com/php/default.asp W3 Schools PHP Basics Tutorial] (PHP Intro through PHP Superglobals) and try creating some PHP scripts on your own Linux server like the examples given in the tutorial pages to see if you can get them to run, try modifying them a little bit and see what the results are. There are many great Internet resources devoted to understanding how to do things with PHP so take some time to see how this language can be easily integrated in websites. You should definitely be familiar with editing PHP files to change variables, echo statements, etc., which are all skills you'll need when installing PHP based website software.<br />
<li>Create your own PHP files</li><br />
:*Try writing some simple PHP scripts on your own using variables and echo statements and make them available through your webserver.<br />
:*A good place to create these would be in your home directory, using your favorite text editor.<br />
<li>Create your own "home" page by editing your ''index.html'' file located in the '''/var/www/html''' directory.</li><br />
:''NOTE: You will need to be familiar with the very basics of editing HTML files in order to create links, etc. If you haven't done this before there are many introductory HTML tutorials available online. A good starting place is [https://www.w3schools.com/html/html_basic.asp W3 Schools HTML Basics Examples]<br />
:'' NOTE: It is important to know that an '''html''' file must include the <!DOCTYPE HTML> tag. Additionally, you will notice that all tags have an opening tag and a closing tag. The information between the tags is what will have the features of the tag.<br />
:*Backup your ''index.html'' file by copying to a new file name.<br />
:<code>sudo cp /var/www/html/index.html /var/www/html/index.html.bak</code><br />
:*Edit your ''index.html'' file (or create a new ''index.php'' file which will be loaded instead if it exists) so there is a list and links to the various scripts you have created as part of your PHP experimentation.<br />
:* Open your index.html file in your favorite text editor,<br />
:<code>sudo nano /var/www/html/index.html</code><br />
:*Since you have backed up the original index.html file I would edit this file to only include the basics.<br />
<pre> <br />
<!DOCTYPE HTML><br />
<html><br />
<body><br />
<h1>My ITC-2480 Server</h1><br />
<p>This is a server on Pod-R in NetLab at 172.17.50.XX</p><br />
<br><br />
<p>Here are some of the Projects I am working on:</p><br />
<a href="http://172.17.50.XX/phptest.php">PHP Version Information</a><br />
</body><br />
</html><br />
</pre><br />
:'' NOTE: Make sure to replace the XX in the IP with the IP address of your server.<br />
:<br />
:[[File:Lab5_basic_html.png|link=https://wiki.ihitc.net/mediawiki/images/2/29/Lab5_basic_html.png|500px]]<br />
:[[Media:Lab5_basic_html.png|Click here for a larger image]]<br />
:A first look for a basic page<br />
:[[File:Lab5_initial_home.png|link=https://wiki.ihitc.net/mediawiki/images/9/92/Lab5_initial_home.png|500px]]<br />
:[[Media:Lab5_initial_home.png|Click for a larger image]]<br />
<li>Try to add additional features to your "home" page.</li><br />
:''NOTE: You may get some ideas of features you might like to add by looking at the original ''index.html'' file that we backed up in step 6 of this lab.<br />
:*As you complete your labs consider what you can add to this page.<br />
:*Add links to the PHP scripts you created<br />
:*A few good challenges would be to add a title, change font size, style or color.<br />
<br />
</ol><br />
<br />
==Experiment with Databases==<br />
<br />
'''''[https://www.youtube.com/watch?v=1zYXiWLoGdM&feature=youtu.be Video Tutorial - Experiment with Databases]'''''<br />
<ol><br />
: In order to do really powerful things with a website we need a database where we can store dynamic content which can be queried to automatically build site pages from a template. One of the most common databases is an SQL database, and MySQL has long been the most prevalent Linux SQL software. These days MariaDB, which we installed, has been taking some MySQL marketshare because it is a community developed program instead of MySQL which is now owned by Oracle. The MariaDB software and MySQL software are essentially equivalent, especially for small sites/databases, and the same commands are used interchangeably including using the '''mysql''' command to access them. SQL itself is a standard language for interacting with a specific type of database called a relational database, we'll see why it's called a relational database in a minute. Each database is a collection of data stored in tables. You can think of a table as something like a spreadsheet with rows and columns, except we call the columns fields and the rows records (sometimes we actually call them rows too). The different tables are often related to one another, of course they are usually being used by the same web application, but usually the relationship goes deeper than that as we'll see in a little bit.<br />
<li>Download a sample database</li><br />
: To jumpstart our exploration of databases we'll download a pre-built sample database with a few tables and many records already in it and import it into our MySQL database server. Download the employees database file [https://launchpad.net/test-db/employees-db-1/1.0.6/+download/employees_db-full-1.0.6.tar.bz2 employees_db-full-1.0.6.tar.bz2] (about 26MB) and get it into your home directory. Instead of using the '''links''' browser to do this or downloading to your computer and then pushing this large file back across the Internet with an SCP/SFTP client like FileZilla a better choice might be to learn about the '''wget''' program which can be used like "'''wget https://launchpad.net/test-db/employees-db-1/1.0.6/+download/employees_db-full-1.0.6.tar.bz2'''" to download the file into your current working directory.<br />
<code>wget https://launchpad.net/test-db/employees-db-1/1.0.6/+download/employees_db-full-1.0.6.tar.bz2</code><br />
<li>Unpack the database file</li><br />
: Figure out how to use the '''tar''' program to unpack this .tar.bz2 file. Note that this file uses bz2 compression which takes longer to compress than gzip but can compress the files more. Once unpacked you should have an "employees_db" folder.<br />
<li>Explore the files included with sample database</li><br />
: Inside the ''employees_db'' folder you should have a number of ''.sql'' script files and dump files which can be used to restore the database to your system.<br />
:*Take a look at the ''employees.sql'' file, it's just a text file, which describes the format of the database. <br />
:*Also take a look at the ''load_employees.dump'' file, also just a text file, which contains all of the records from the employees table of the database.<br />
:'' NOTE: There are 300,000 some employee records in this database so you probably don't want to just use '''cat''' to view these files as it could take a while to print them out to your screen. Using the '''less''' program would be a better choice as it will allow you to exit viewing the file by pressing q at any time.<br />
<li>Open the MySQL (MariaDB) command line</li><br />
: We can interact with the MySQL/MariaDB server in many different ways. The first way we'll take a look at is through the command line '''mysql''' program. Run the "'''sudo mysql'''" command. <br />
:'' NOTE: We are running this command with system administrator permissions, which allows us to log in to the MySQL server with database administrator permissions as well. The MySQL program actually stores its own usernames and passwords as a MySQL database itself; you can create and modify these permissions from the mysql command line but we'll learn more about modifying them through the Webmin interface later.<br />
:<code>sudo mysql</code><br />
<br><br />
:[[File:Lab5_mariadb_cli.png|link=https://wiki.ihitc.net/mediawiki/images/4/4f/Lab5_mariadb_cli.png|500px]]<br />
:[[Media:Lab5_mariadb_cli.png|Click here for a larger image]]<br />
<li>Explore MySQL (MariaDB) Commands</li><br />
: MySQL has its own command line language that you can use through the "mysql>" prompt you are now running. For example, if we want to see a list of databases on the system we can run "'''SHOW databases;'''". Run the command and note the databases that already exist by default.<br />
<code>SHOW databases;</code><br />
:'' NOTE: Each MySQL/MariaDB statement ends with a semicolon (;) if you do not put the semicolon at the end of the line the command will not execute when you press enter and you will be able to continue to add more commands to the statement before finishing with a semicolon. If you accidentally press enter without ending with a semicolon you can just enter a semicolon on the next line and press enter.<br />
<li>Import the sample database</li><br />
: To import the employee database we can use the "'''source employees.sql;'''" command (assuming we were already working in the directory which contains the employees.sql file when we launched mysql). Import the employee database and verify the system now has an employees database.<br />
<code>SOURCE employees.sql;</code><br />
<li>Use the employees database</li><br />
<code>USE employees;</code><br />
: If we want to see all of the tables in the employees database we must first select the database we want to work on using the "'''USE employees;'''" command.<br />
<li>Explore the employee table</li><br />
: Use the "'''SHOW tables;'''" command to see a list of tables.<br />
<code>SHOW tables;</code><br />
<li>View a list of employees in table</li><br />
: To see a list of all the records in a table we need to run a SELECT query "'''SELECT * from ''<tablename>'''''" like "'''SELECT * from employees'''" which will list all the records in the ''employees'' table of the employees database and display them.<br />
<code>SELECT * from employees;</code><br />
<br><br />
:[[File:Lab5_mariadb_show_tables.png|link=https://wiki.ihitc.net/mediawiki/images/d/d5/Lab5_mariadb_show_tables.png|350px]]<br />
:[[Media:Lab5_mariadb_show_tables.png|Click here for a larger image]]<br />
:* Remember that we previously selected to USE the ''employees'' database, this will be remembered until we USE a different database. Try displaying the records in a couple of different tables like employees and departments.<br />
:'' NOTE: The output can be broken by using CTRL-C on your local machine if you do not wish to wait for all of the records to be displayed.<br />
:<br />
: There is much more that we can do from the MySQL/MariaDB command line but that would be a whole class or more itself. The MySQL/MariaDB programs are well documented on the Internet and with these basic skills you should be able to figure out most of it. Remember, the vast majority of what you read about MySQL will also work in MariaDB and vice-versa.<br />
<li>Explore the MySQL interface in Webmin</li><br />
: Now that you have learned a bit about MySQL databases from the command line let's see how they look in the Webmin web management interface. Log back in to your Webmin interface through a browser on your host system.<br />
:* Because MySQL was not installed when we first setup Webmin you need to "scan for new modules" first. Once that process has finished refresh the page to see that MySQL has been added to the server section of Webmin.<br />
:* Take a look at the Webmin MySQL module and see how MySQL users and permissions are configured.<br />
:* Try browsing through the ''employees'' database using the Webmin interface including viewing tables and records inside of the tables.<br />
<li>Drop database and exit MySQL (MariaDB)</li><br />
:* Go back to your MySQL command line window and run the command "'''DROP DATABASE employees;'''" to delete the entire database.<br />
:* Type "'''exit;'''" to quit the MySQL program and return to a Linux shell.<br />
<br />
:'' NOTE: Obviously, the DROP command is one to be careful with as you can easily wipe out a huge database with one line! <br />
</ol><br />
<br />
==View Logfiles==<br />
<br />
'''''[https://www.youtube.com/watch?v=cxIOQF-eMy0&feature=youtu.be Video Tutorial - Tutorial 5 View Logfiles]'''''<br />
<br />
<ol><br />
: Linux stores most of its log files in the ''/var/log'' directory so change your working directory to ''/var/log''.<br />
: Some log files are viewable by all users on the system but other log files may be restricted and you will need to use '''sudo''' to view them.<br />
<li>View last 20 lines in '''/var/log/syslog'''</li><br />
:<code>tail -20 /var/log/syslog</code><br />
:[[File:Lab5_tail.png|link=https://wiki.ihitc.net/mediawiki/images/8/88/Lab5_tail.png|500px]]<br />
:[[Media:Lab5_tail.png|Click here for a larger image]]<br />
: Linux log files are typically standard text files and can be read with standard text file utilities like cat or less. One additional utility which comes in handy is the '''tail''' program which displays the last 10 lines (by default) of a text file and which can be configured to display more or fewer lines using a command like '''tail -20 /var/log/syslog''' which will display the last 20 lines of the main system log file. The manual page for the '''tail''' command contains additional information like how to use the ''-f'' option to view a log in realtime (exit with Ctrl-C).<br />
<li>Save the tail output to a file</li><br />
: Often we may want to save the output from a '''tail''' command to share with others or document an issue. This can easily be done using redirection we learned in a previous lab. Experiment with how to save some tail commands. Keep in mind you may need to escalate privileges for some files to be redirected. Try the following:<br />
: <code>sudo tail -20 /var/log/syslog > logtail.txt</code><br />
<li>Explore some other log files</li><br />
: Take a look at some of the log files on your system and see what kinds of information they contain; specifically, you should probably look at ''syslog'', ''auth.log'', ''kern.log'', ''apache2/access.log'', and ''apache2/error.log'' <br />
:* Use the tail command to explore these logs<br />
: In order to prevent log files from completely filling your drive old log files are eventually rotated on the system and compressed and then finally deleted. Take a look at some of the rotated log files like ''/var/log/syslog.1'' or ''/var/log/kern.log.1'' which will contain slightly older log entries.<br />
:'' Note: After the first rotated file other files are usually compressed with gzip. You can decompress and view these on the fly using the '''zcat''' program.<br />
</ol><br />
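The rotation scheme described above, put to work on ''auth.log'' as an added example that is not part of the original lab: it reads the compressed rotations, the ''.1'' file and the current log oldest first, then counts failed SSH password attempts per source address. The function names, host name and log lines are constructed for illustration, and the numbering FILE, FILE.1, FILE.2.gz is an assumption based on Debian's usual rotation layout.<br />

```shell
#!/bin/sh
# Added example (not part of the lab): read a log together with its rotated
# copies, oldest first, and count failed SSH password attempts per source IP.

# Assumes Debian's usual rotation naming: FILE, FILE.1, FILE.2.gz, FILE.3.gz ...
read_log_series() {   # usage: read_log_series /var/log/auth.log
    rl_n=1
    # Find the highest-numbered compressed rotation; it holds the oldest lines.
    while [ -f "$1.$(($rl_n + 1)).gz" ]; do rl_n=$(($rl_n + 1)); done
    while [ "$rl_n" -ge 2 ]; do
        gzip -dc "$1.$rl_n.gz"      # same effect as: zcat FILE.N.gz
        rl_n=$(($rl_n - 1))
    done
    if [ -f "$1.1" ]; then cat "$1.1"; fi
    if [ -f "$1" ]; then cat "$1"; fi
}

# Print "COUNT IP" for every source with at least THRESHOLD failures.
failed_ssh_by_ip() {  # usage: failed_ssh_by_ip FILE [THRESHOLD]
    # The address is taken by position from the END of the line
    # ("... from IP port N ssh2"), because the user name near the start is
    # chosen by the remote side and may itself be the word "from".
    read_log_series "$1" | awk -v min="${2:-1}" '
        /sshd\[[0-9]+\]: Failed password for / && $(NF - 4) == "from" { n[$(NF - 3)]++ }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample logs (documentation address ranges, made-up host name).
make_sample_logs() {  # usage: make_sample_logs DIR
    gzip -c > "$1/auth.log.2.gz" <<'EOF'
Apr 17 02:10:44 itc-lab sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40110 ssh2
Apr 17 02:10:49 itc-lab sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40110 ssh2
Apr 17 09:31:02 itc-lab sshd[902]: Failed password for root from 198.51.100.23 port 51514 ssh2
EOF
    cat > "$1/auth.log.1" <<'EOF'
Apr 18 03:12:01 itc-lab sshd[1201]: Failed password for invalid user test from 203.0.113.7 port 40233 ssh2
Apr 18 08:00:10 itc-lab sshd[1302]: Accepted password for student from 172.17.50.100 port 50111 ssh2
EOF
    cat > "$1/auth.log" <<'EOF'
Apr 19 01:45:30 itc-lab sshd[1410]: Failed password for invalid user from from 203.0.113.7 port 40391 ssh2
Apr 19 08:02:17 itc-lab sshd[1455]: Failed password for student from 172.17.50.100 port 50140 ssh2
Apr 19 08:02:40 itc-lab sudo: student : TTY=pts/0 ; PWD=/home/student ; USER=root ; COMMAND=/usr/bin/tail -20 /var/log/syslog
EOF
}

# Run against the constructed logs: sources with 3 or more failures.
demo_dir=$(mktemp -d)
make_sample_logs "$demo_dir"
failed_ssh_by_ip "$demo_dir/auth.log" 3
rm -rf "$demo_dir"
```

On a real system the call would be '''sudo sh -c''' around the script or a run as root, since ''auth.log'' is one of the restricted log files mentioned above.<br />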
==Checking Your Work==<br />
<ol><br />
<li>Ping your assigned IP for your pod</li><br />
<ul>Your ping should return a response.</ul><br />
<li>Open a browser on your own PC and navigate to your IP address.</li><br />
<ul>Your custom link page should appear in your browser window.</ul><br />
<li>Check your home directory for the logtail.txt file you created.</li><br />
<ul>The logtail.txt file should be in your home directory.</ul><br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_05_test.py | python3<br />
</nowiki></code><br />
</ol><br />
<br><br><br />
=Web App=<br />
You can check your progress on any of the labs in the ITC-2480 course from a webapp from this link: <br><br />
[http://webcheck.itc2480.campus.ihitc.net webcheck.itc2480.campus.ihitc.net]<br><br />
You must be logged into the campus VPN to use this application.</div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_4_mnjk&diff=9627Lab 4 mnjk2021-04-20T01:14:00Z<p>NateHaleen: /* Checking your Work */</p>
<hr />
<div>=Introduction=<br />
Linux is a very text file-oriented operating system. As we've learned, most of the settings for the operating system are held in text files in the /etc directory and most of the commands that are used to manipulate the system take text input or give text output. Because of this it's very important to be able to edit and manipulate text on the system which will be a key focus of this lab. In addition, we'll practice creating compressed files, which is useful for backing up files, and creating links between locations on the system.<br />
<br />
In this lab you will perform the following tasks:<br />
* Edit text files using nano and vi<br />
* Learn how to manipulate command output<br />
* Search for files<br />
* Archive and Compress files using tar<br />
* Create links between directories<br />
<br />
You will be introduced to the following commands:<br />
*'''[https://linux.die.net/man/1/vi vi]'''<br />
*'''[https://linux.die.net/man/1/nano nano]'''<br />
*'''[https://linux.die.net/man/1/less less]'''<br />
*'''[https://linux.die.net/man/1/find find]'''<br />
*'''[https://linux.die.net/man/1/locate locate]'''<br />
*'''[https://linux.die.net/man/8/updatedb updatedb]'''<br />
*'''[https://linux.die.net/man/1/ln ln]'''<br />
<br />
=Lab Procedure=<br />
==Prerequisites==<br />
Open an SSH console to your Linux system using the PuTTY software, login with your standard user account<br />
<br />
==Text File Editing==<br />
'''''[https://www.youtube.com/watch?v=LnVsTA8_mQo Video Tutorial - Text File Editing]'''''<br />
<ol><br />
<li> Change to the ''/var/www/html'' directory which is where the Apache webserver stores its site files by default.</li><br />
<ul> Verify you can see an ''index.html'' file inside of this directory by listing the contents of the directory. Note who the ''owner'' and ''group owner'' of the file are.</ul><br />
<li> Open up a web browser on your host computer and verify that you can browse to the IP address of your Linux system and still see the "It works" page that you saw in [[Franske ITC-2480 Lab 2#Install the Apache 2 Webserver|lab 2]] after installing Apache.</li><br />
<ul> Before we start making any changes it's a good idea to save an unmodified copy of the file you'll be working on so make a copy of the ''index.html'' file and name the copy ''index.html.orig'' so that you can always copy it back if you make a mistake.</ul><br />
<ul> There are many different text editors available for Linux but systems almost always include some version of '''vi''' or '''nano''' so those are the two we'll focus on.</ul><br />
<li> In your ssh window open the ''index.html'' file in nano.</li><br />
<ul>NOTE: Because your user does not own this file you may need to edit the file as the superuser.</ul><br />
<code>nano index.html</code><br />
<ul>[[File:nano_index_html.png|link=https://wiki.ihitc.net/mediawiki/images/d/d3/Nano_index_html.png|250px]]</ul><br />
<ul>[[Media:nano_index_html.png|Click for Larger Image]]</ul><br />
<li> Try navigating around the file with your arrow keys and changing the "Apache2 Debian Default Page" text at the top of the page to "Welcome to My Linux Webserver"<br />
<ul> Basic instructions for using nano abound on the Internet. You can get a basic introduction [http://staffwww.fullcoll.edu/sedwards/Nano/IntroToNano.html here] but it basically comes down to the menu lines at the bottom of the screen showing what your options are. The ^ character is commonly used to indicate the CTRL key so to exit the program (you will be prompted to save changes if you have made any) press CTRL-X or to save without exiting press CTRL-O and follow the prompts at the bottom of the screen.</ul><br />
<li> Save your file with the changed text and then reload the page in your browser on your host system to see if the changes have taken effect.</li><br />
<ul> Experiment with some of the nano menu options such as cutting and "un-cutting" lines of text and searching/replacing text. Once you are comfortable with the nano editor save your changes and exit.</ul><br />
<ul> Make a note of which user and group owns your ''index.html'' file.</ul><br />
<li> Delete your ''index.html'' file and copy your ''index.html.orig'' file back to ''index.html''</li><br />
<ul> Try loading the website again and see if it's back to the original text. If you encounter an error it's possible that your ''index.html'' file is not readable by the webserver account so you should use the appropriate command to set the ''index.html'' file back to the owner and group of the original file.</ul><br />
<li> Now open the ''index.html'' file in vi</li><br />
<code> vi index.html</code><br />
<ul>[[File:vi_index_html.png|link=https://wiki.ihitc.net/mediawiki/images/f/fd/Vi_index_html.png|250px]]</ul><br />
<ul>[[Media:vi_index_html.png| Click for Larger Image]]</ul><br />
<ul> The vi editor is probably considered more powerful than nano but is less user friendly without the menu at the bottom and a COMMAND mode as well as an INSERT mode. In the COMMAND mode you cannot directly change the text of the file by typing which can be frustrating to new users. Read through the vi tutorial [http://www.washington.edu/computing/unix/vi.html here] and try making some edits to your webpage. Once you are familiar with how the vi editor works save your file and exit.</ul><br />
</ol><br />
<br />
==Command Output Manipulation==<br />
'''''[https://www.youtube.com/watch?v=dgC1r0rXTpA Video Tutorial - Command Output Manipulation]'''''<br />
<ol><br />
<li> Change back to your home directory.</li><br />
<code> cd ~</code><br />
<li> Print out the files in your home directory.</li><br />
<code> ls -al</code><br />
<li> Now, run '''ls -al''' but redirect the output to a file using ''> filename''.</li><br />
<code> ls -al > listfiles.txt</code><br />
<ul> Notice how there is no command output. This is normal as you redirected the command output to the file ''listfiles.txt''</ul><br />
<li> Verify the contents of ''listfiles.txt''</li><br />
<code> cat listfiles.txt</code><br />
<ul>[[File:cat_listfiles_txt.png|link=https://wiki.ihitc.net/mediawiki/images/e/e1/Cat_listfiles_txt.png|250px]]</ul><br />
<ul>[[Media:cat_listfiles_txt.png|Click for Larger Image]]</ul><br />
<ul> Notice how it contains the exact same output as running '''ls -al''' on the command line.</ul><br />
<li> Now, run:</li><br />
<code>ls -al /var/log</code> <br />
<ul>Notice how many files there are in the ''/var/log'' directory. Let's say we wanted to see just the information for the ''debug'' log files. For this, we would use a pipe and the grep command.</ul><br />
<li> So, now run:</li><br />
<code> ls -al /var/log | grep debug</code><br />
<ul>[[File:var_log_grep_debug.png|link=https://wiki.ihitc.net/mediawiki/images/7/74/Var_log_grep_debug.png|250px]]</ul><br />
<ul>[[Media:var_log_grep_debug.png|Click for Larger Image]]</ul><br />
<ul>Notice how the output is limited to all files that contain the string ''debug''.</ul><br />
<ul> TIP: Grep is very powerful. Here we're just using it to search for a string but you can use it to search regular expressions as well. We mentioned these in a previous lab too. You can learn more about regular expressions at [https://regexone.com RegexOne] and [https://www.regular-expressions.info Regular-Expressions.info] among many other places. These are frequently used in system administration and programming so it's worth your while to get at least a basic understanding of them.</ul><br />
<ul> What's nice about pipes and redirects is that they can be used back to back on a command line, creating a chain of programs which accept data as standard input and output it to the next program as standard output.</ul><br />
<li> So let's say we have a scenario where we want to get a file that contains all of the information from all ''.gz'' files in ''/var/log''. To do this, we would run:</li><br />
<code> ls -al /var/log | grep .gz > gzlogfiles.txt</code><br />
<li> Now pipe the file into '''less'''</li><br />
<code>cat gzlogfiles.txt | less</code><br />
<ul> NOTE: Remember that you are now viewing the file in the less program and will need to quit the program to return to a command line. Type the letter "q" to quit the less program.</ul><br />
<ul> In this case the piped '''cat''' command is the exact same as running '''less gzlogfiles.txt''' however there are many times where you need to connect two programs together with pipes in order to accomplish something which is otherwise not possible. Also, standard output can be non-text data as well. For example, it's possible to use pipes to pass audio data between programs such as one that scans a WAV file and adjusts the volume before piping it to an MP3 compression utility which saves the result as an MP3 file.</ul><br />
<li> See if you can figure out how to view the output of '''ls -al /var/log | grep .gz''' one page at a time without dumping it to a text file first.</li><br />
<li> Now remove the files ''gzlogfiles.txt'' and ''listfiles.txt'' that were created from this part of the lab.</li><br />
</ol><br />
<br />
==Searching for Files in Linux==<br />
'''''[https://www.youtube.com/watch?v=WSd6fq-jDyE Video Tutorial - Searching for Files in Linux]'''''<br><br />
There are several ways to search for files on a Linux system. The simplest is to use the '''find''' command which searches through the system directory by directory for files which match your search string. You can specify many options for the find command which do things such as restrict the search to one particular directory and its sub-directories, etc.<br />
<ol><br />
<li> Try searching your entire drive for files with syslog in the name. <br />
<code> find / -name syslog 2> /dev/null</code><br />
<ul>[[File:find_syslog.png|link=https://wiki.ihitc.net/mediawiki/images/9/96/Find_syslog.png|250px]]</ul><br />
<ul>[[Media:find_syslog.png|Click for Larger Image]]</ul><br />
<ul> Notice the ''2> /dev/null'' on the end of the command. This redirects error messages (''2>'' redirects stderr, ''>'' redirects stdout as discussed above) to the location ''/dev/null'' which is a non-existent location/file where bits are just dropped from the system. The reason we're redirecting the error messages is that there are a number of files or directories which you may not have permission to access. Each attempt to access these by the '''find''' program would create an error message (so lots of errors). We're basically telling the system to hide these error messages from us.</ul><br />
<ul> You should see some files identified which contain the name ''syslog''. The problem is that the find command is very slow at moving through all the files on the system, in fact it may even appear to be frozen while searching slowly through the drive. If you have waited a while and are still not getting back to a command prompt you can press CTRL-C to force the find program to quit and return to a command prompt. This means the find program works just fine for searching through a few directories/files (such as your home directory might contain) but is not the best choice for searching the entire system. If you want to learn more about advanced uses of the find command take a look at [http://content.hccfl.edu/pollock/unix/findcmd.htm this tutorial].</ul><br />
<li> A faster way to search the entire system is to use the ''locate'' command. Install the '''locate''' program</li><br />
<ul>This command searches a pre-built database of all files on the system which means it operates much faster than searching through files one at a time. There are two downsides to locate. First, it may not be pre-installed on many Linux systems so you may have to install it. Second, you need to build or update the database before you can search for files. New files are not automatically added to the database so this only really works if you periodically remember to update the database. We'll explain how you can schedule that automatically in the future (hint, see the '''cron''' program).</ul><br />
<code> sudo apt-get install locate</code><br />
<li> Create an updated database of files on your system</li><br />
<code>sudo updatedb</code><br />
<ul>Note, it will take a while for this program to find and index all the files on your system so give it a while to run. The advantage is that after you do this you can search the database for many different files very quickly instead of waiting for each search as with the find command. We need to run the '''updatedb''' program as an administrator so that it can search through all locations on the system, including ones your user does not normally have access to.</ul><br />
<ul> Note: Programs that may need to run for a long time and do not require user input (like '''updatedb''') can be run in the background by placing an ampersand at the end of the command line like '''sudo updatedb&'''. This will immediately return you to a command prompt so you can continue to work on other things while the command finishes running.</ul><br />
<li> Search for files with ''syslog'' in the name again but now using the command ''locate''</li><br />
<code> locate syslog</code> <br />
<ul>[[File:locate_syslog.png|link=https://wiki.ihitc.net/mediawiki/images/1/17/Locate_syslog.png|250px]]</ul><br />
<ul>[[Media:locate_syslog.png|Click for Larger Image]]</ul><br />
<ul> You should see many files found with this name and it should happen quickly, much faster than with the find command.</ul><br />
</ol><br />
<br />
==Creating Archived/Compressed Files==<br />
'''''[https://www.youtube.com/watch?v=iBsHKvNP88E Video Tutorial - Creating Archived Compressed Files]'''''<br><br />
If you get stuck or have any problems understanding why '''tar''' is functioning in a certain way you can find a number of introductory tutorials [http://www.thegeekstuff.com/2010/04/unix-tar-command-examples/ like this one] about using '''tar''' on the Internet by [https://www.google.com/#q=tar+tutorial searching for them]<br />
<ol><br />
<li> Create a new directory ''experiments'' in your home directory.</li><br />
<li> Create a GZipped TAR file of everything in your system log directory called ''logbackup1.tar.gz'' and save it to the ''experiments'' directory in your home directory by first changing your working directory to ''/var/log'' and then using the command:</li><br />
<code>tar -czvf ~/experiments/logbackup1.tar.gz *</code> <br />
<ul> Note that you will need to use root privileges to create all of the log backups in this section of the lab because some log files can not be read by a standard user.</ul><br />
<ul> Note the asterisk (*) which is used to select all files in the current directory for inclusion in the TAR file. This is a type of wildcard character.</ul><br />
<li> Change your working directory to the ''experiments'' directory in your home directory.</li><br />
<li> Try extracting the files into your ''experiments'' directory, show a list of files as they are extracted (''verbose'')</li><br />
<ul> Check the contents of your ''experiments'' directory. What happened? What kind of mess could this make when you extract a TAR file when it was created this way?</ul><br />
<li> Delete all files and subdirectories from inside the ''experiments'' directory.</li><br />
<li> Try again to create a GZipped TAR file of everything in your system log directory called ''logbackup2.tar.gz'' and save it to the ''experiments'' directory in your home directory, this time by running the command from inside the ''experiments'' directory.</li><br />
<code> tar -czvf logbackup2.tar.gz /var/log</code><br />
<ul> Note that you will need to use root privileges to create all of the log backups in this section of the lab because some log files can not be read by a standard user.</ul><br />
<ul> Note the lack of a slash at the end of the directory we are putting into the TAR file. In some older versions of TAR putting a slash on the end meant to put the files from that directory into the file but not the directory itself (just like when we created logbackup1.tar.gz with the asterisk wildcard). By leaving the slash off the end we are telling TAR to put the log directory, as well as its contents, into the TAR file so that when we extract it we will get a log directory made with the files going into it. Even though new versions of TAR automatically prevent you from creating TAR files without a directory path it is still best practice to make sure that you are including a directory as part of the TAR file.</ul><br />
<li> Try extracting the files into your ''experiments'' directory, show a list of files as they are extracted (''verbose'')</li><br />
<li> Check the contents of your ''experiments'' directory.</li><br />
<ul> What happened? If you extracted a tar file made this way you could potentially end up with several more levels of directories than you really want. In this case we got an extra var directory inside of experiments but if we were archiving something with a deeper path we would have even more extra subdirectories. You can actually see this during the tar file creation: if you had verbose output enabled, you saw that all the files being added to the tar had var/log/ in front of the filename. There are at least two ways to handle this which we will look at.</ul><br />
<li> Delete all files and subdirectories from inside the ''experiments'' directory.</li><br />
<ul> If we are creating the TAR file manually we can avoid these extra parts to the path by paying attention to what directory we are in when we create the TAR file.</ul><br />
<li> This time change your working directory to ''/var'' first and then run the command.</li><br />
<code> tar -czvf ~/experiments/logbackup3.tar.gz log</code><br />
<ul> Note the different output from the tar command. This time the filenames are prefixed only by ''log/''.</ul><br />
<li> Switch back to your ''experiments'' directory and then try extracting the files from ''logbackup3.tar.gz'' into your experiments directory, do not show a list of files as they are extracted this time.</li><br />
<ul> Check the contents of your experiments directory. This time you should see that there is just one new subdirectory called log and all of the files are neatly placed inside of it. This is the type of extraction people normally want and expect from a tar file that is distributed.</ul><br />
<li> Empty your ''experiments'' directory</li><br />
<li> If you want to have the same effect without changing your working directory that is possible too. Try running the command below.</li><br />
<code>tar -czvf ~/experiments/logbackup4.tar.gz -C /var log</code> <br />
<ul>This time it doesn't make any difference which directory on the system you are in because we have again specified a full path for where to save the tar file and we have also told tar to change to the ''/var'' directory before adding the log directory to the file using the -C argument. This automates the process of manually changing directories like we did above.</ul><br />
<li> Switch back to your ''experiments'' directory and then try extracting the files from ''logbackup4.tar.gz'' into your experiments directory, do not show a list of files as they are extracted this time.</li><br />
<ul> Check the contents of your experiments directory. This time you should again see that there is just one new subdirectory called ''log'' and all of the files are neatly placed inside of it.</ul><br />
<ul> There are a number of other things you can do with '''tar''' such as creating slower but more highly compressed .bz2 bzip files, extracting single files (or directories or groups of files) from an archive, listing the contents of an archive without extracting (which can show you if a new subdirectory will be created), adding files to an existing archive, and preserving file ownership (only by extracting on the same system though) and permissions. You should read the manual page for tar and then try practicing some of these and be familiar with the many ways that '''tar''' can be used.</ul><br />
</ol><br />
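The archive layouts compared in this section can be checked before extracting anything by listing each archive's member paths. The script below is an added example, not part of the original lab; it builds a small constructed stand-in for ''/var/log'' in a temporary directory (all file names and contents are assumptions) and shows which top-level names each archive would create.<br />

```shell
#!/bin/sh
# Added example, not part of the lab. All file names and contents are constructed.

# Build a small stand-in for /var/log under the directory given as $1.
make_sample_tree() {
    mkdir -p "$1/var/log/apt"
    echo "constructed syslog line" > "$1/var/log/syslog"
    echo "constructed auth line" > "$1/var/log/auth.log"
    echo "constructed apt history" > "$1/var/log/apt/history.log"
}

# Create three archives in $2 from the tree rooted at $1 ($2 must be absolute).
build_archives() {
    root=$1
    out=$2
    # Like logbackup1: wildcard from inside the directory, no parent directory stored.
    ( cd "$root/var/log" && tar -czf "$out/flat.tar.gz" * )
    # Like logbackup2: tar stores /var/log as var/log once the leading slash is stripped.
    ( cd "$root" && tar -czf "$out/fullpath.tar.gz" var/log )
    # Like logbackup4: -C changes directory first, so only log/ is stored.
    tar -czf "$out/relative.tar.gz" -C "$root/var" log
}

# List the distinct top-level names an archive would create, without extracting it.
top_level_entries() {
    tar -tzf "$1" | sed -e 's|^\./||' -e 's|/.*||' | sort -u
}

demo() {
    work=$(mktemp -d) || return 1
    make_sample_tree "$work/root"
    mkdir "$work/out"
    build_archives "$work/root" "$work/out"
    for name in flat fullpath relative; do
        echo "$name.tar.gz would create in the current directory:"
        top_level_entries "$work/out/$name.tar.gz" | sed 's/^/    /'
    done
    rm -rf "$work"
}

demo
```

Running '''tar -tzf''' on an archive received from someone else is the same check: more than one top-level name means extraction will scatter files into the current directory.<br />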
<br />
==Working With Filesystem Links==<br />
'''''[https://www.youtube.com/watch?v=vBorZKMmvIk Video Tutorial - Working With Filesystem Links]'''''<br><br />
If you get stuck or have any problems understanding how links are functioning in a certain way you can find a number of introductory tutorials [http://www.nixtutor.com/freebsd/understanding-symbolic-links/ like this one] or [http://www.thegeekstuff.com/2010/10/linux-ln-command-examples/ more advanced tutorials] on the Internet by searching for them.<br />
<ol><br />
<li> Use root privileges to create a new directory inside the ''var'' directory called ''system-documentation'' and change the ownership permissions so that your standard user has permission to read, write, and execute as a member of a group which owns the documentation directory. You will also need to make sure that all system users have execute permission for the parent directory (''/var'') in order to access anything in it including the ''system-documentation'' directory.</li><br />
<ul> Instead of needing to go into the ''/var/system-documentation'' directory all the time it would be more convenient if your user was able to reach that directory through a link in their own home directory.</ul><br />
<li> Run the command below inside your regular user's home directory</li><br />
<code>ln -s /var/system-documentation documentation</code> <br />
<ul>[[File:ln_documentation.png|link=https://wiki.ihitc.net/mediawiki/images/9/97/Ln_documentation.png|250px]]</ul><br />
<ul>[[Media:ln_documentation.png|Click for Larger Image]]</ul><br />
<ul>Or if you're in a different working directory you can run the command as '''ln -s /var/system-documentation ~/documentation''' Do you understand why?</ul><br />
<ul> You should now see a soft link (also called symlink) in your home directory called documentation which points to the ''/var/system-documentation'' folder.</ul><br />
<li> '''cd''' into the link just like it was a real directory.</li><br />
<ul> If you use the '''pwd''' command to print your working directory while inside the link it will look like it's a directory. Almost all software on the system will interact with the link just as if it's a real directory.</ul><br />
<li> Try creating some files and subdirectories inside of the link and then verify they are showing up in the real ''/var/system-documentation'' location as well. This should work correctly if your permissions are all set correctly.</li><br />
<li> Remove the link</li><br />
<code>rm ~/documentation</code><br />
<ul> You should see that all of the files you created are still in ''/var/system-documentation''</ul><br />
<ul> If you re-create the link you should be able to go back into ''~/documentation'' and remove files and directories and see they are removed from the actual ''/var/system-documentation'' directory as well</ul><br />
<ul> You can also practice creating links to specific files as well as directories. Links do not override permissions so you need to have permission to read, write or execute the file or directory you are linking to just like if you actually changed to the real location of the item. Go ahead and practice creating and removing links until you have a good understanding of how links can be used.</ul><br />
</ol><br />
Note: If you are using '''tar''' to back up data, depending on exactly what you want to do you may want to use the ''-h'' or ''--dereference'' option which will follow the symlink and back up the data it contains. Normal behavior for tar would just be to back up the link itself, not the file(s) pointed to by the link. You should try creating some tar files of directories which contain symlinks, deleting the data the symlink points to and then extracting the tar file to some new location to see this in action if you are not confident that you understand this.<br />
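The experiment suggested in the note above, written out as an added example that is not part of the original lab. It uses a temporary directory with constructed file names (''real-data'', ''docs'', ''notes-link'' are assumptions), archives the same directory with and without ''-h'', deletes the link target, and then restores from each archive.<br />

```shell
#!/bin/sh
# Added example, not part of the lab. Directory and file names are constructed.

# Create $1/docs containing a symlink that points at data stored outside docs/.
make_linked_tree() {
    mkdir -p "$1/real-data" "$1/docs"
    echo "constructed documentation text" > "$1/real-data/notes.txt"
    ln -s "$1/real-data/notes.txt" "$1/docs/notes-link"
}

# Archive docs/ twice: default behaviour (stores the link itself) and with -h
# (follows the link and stores the contents of the file it points to).
archive_both_ways() {
    tar -czf "$1/link.tar.gz" -C "$1" docs
    tar -czhf "$1/deref.tar.gz" -C "$1" docs
}

# Print the type character tar lists for member $2 of archive $1:
# "l" means a symlink was stored, "-" means a regular file was stored.
member_type() {
    tar -tzvf "$1" | awk -v name="$2" 'index($0, name) { print substr($1, 1, 1); exit }'
}

# Extract archive $1 into new directory $2 and report whether the restored
# docs/notes-link can still be read.
restore_check() {
    mkdir -p "$2" && tar -xzf "$1" -C "$2"
    if cat "$2/docs/notes-link" >/dev/null 2>&1; then
        echo "readable"
    else
        echo "dangling"
    fi
}

demo() {
    work=$(mktemp -d) || return 1
    make_linked_tree "$work"
    archive_both_ways "$work"
    echo "default archive stores type: $(member_type "$work/link.tar.gz" docs/notes-link)"
    echo "-h archive stores type:      $(member_type "$work/deref.tar.gz" docs/notes-link)"
    # Simulate losing the original data, then restore from each backup.
    rm -rf "$work/real-data"
    echo "restore from default archive: $(restore_check "$work/link.tar.gz" "$work/restore1")"
    echo "restore from -h archive:      $(restore_check "$work/deref.tar.gz" "$work/restore2")"
    rm -rf "$work"
}

demo
```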
<br />
=Checking your Work=<br />
<ol><br />
<li> You should have the following directories and files:</li><br />
# ~/documentation<br />
# ~/experiments<br />
# /var/www/html/index.html<br />
<li> Use the following command to see if locate is installed:</li><br />
<code> dpkg -s locate</code><br />
<br />
<br><br><br />
<br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_04_test.py | python3<br />
</nowiki></code><br />
</ol><br />
<br><br><br />
=Web App=<br />
You can check your progress on any of the labs in the ITC-2480 course from a webapp from this link: <br><br />
[http://webcheck.itc2480.campus.ihitc.net webcheck.itc2480.campus.ihitc.net]<br><br />
You must be logged into the campus VPN to use this application.</div>
NateHaleen
https://wiki.ihitc.net/mediawiki/index.php?title=Lab_3_mnjk&diff=9626
Lab 3 mnjk
2021-04-20T01:13:33Z
<p>NateHaleen: /* Checking Your Work */</p>
<hr />
<div>=Introduction=<br />
This lab assumes that you know the IP address of your Linux system and are connected to the ITCnet VPN network. If you need help with these steps please see [[ITC_VPN_Instructions | the VPN instructions]] and [[Lab_1_mnjk#Installing_sudo_and_checking_your_IP_address | Lab 1]].<br />
<br />
In this lab you will perform the following tasks:<br />
*Create a new user account<br />
*Change the ownership and permissions on files and directories<br />
*Install the '''[https://www.webmin.com/ Webmin]''' package.<br />
You will be introduced to the following commands:<br />
*'''[https://www.commandlinux.com/man-page/man8/addgroup.8.html addgroup]'''<br />
*'''[https://linux.die.net/man/1/cat cat]'''<br />
*'''[https://linux.die.net/man/1/more more]'''<br />
*'''[https://linux.die.net/man/1/touch touch]'''<br />
*'''[https://linux.die.net/man/1/chown chown]'''<br />
*'''[https://linux.die.net/man/1/chgrp chgrp]'''<br />
*'''[https://linux.die.net/man/1/dpkg dpkg]'''<br />
<br />
= Lab Procedure =<br />
== Prerequisites ==<br />
<ol><br />
<li> Make sure you have an active connection to the ITCnet either by VPN or by directly connecting to an ITCnet switch on campus</li><br />
<li> Open an SSH console to your Linux system using the PuTTY software, login with your standard user account</li><br />
</ol><br />
<br />
== Creating Users and Groups ==<br />
'''''[https://www.youtube.com/watch?v=q_tYhIVlhCU&feature=youtu.be Video Tutorial - Creating Users and Groups]''''' <br><br />
<ol><br />
<li> Create a new user account '''jsmith''' using the '''adduser''' program</li><br />
<code> adduser jsmith </code><br />
<li> Create a new group '''redteam''' using the '''addgroup''' program</li><br />
<code> addgroup redteam </code> <br />
<li> Add the '''jsmith''' account as well as your own user account to the '''redteam''' group</li><br />
<li> Close your SSH session and open two new SSH sessions</li><br />
: ''NOTE: In order for your user accounts to receive their new group permissions they need to be logged out and logged back in.''<br />
<li> Login as your regular user on one and '''jsmith''' on the other</li><br />
<li> View a list of all the user accounts on your system by looking at the '''/etc/passwd''' file. To output the contents of the '''/etc/passwd''' file you can use the following command:</li><br />
<code>cat /etc/passwd</code><br />
: The /etc/passwd file is a plain text file on your system.<br />
<li> View a list of the password data on your system by viewing the '''/etc/shadow''' file</li><br />
<li> View a list of groups and group members on your system in the '''/etc/group''' file<br />
: ''NOTE: The group list may be longer than one full screen of text (the same is true of the '''/etc/passwd''' or '''/etc/shadow''' file) depending on your screen resolution.''<br />
* To output the contents of the file while pausing after each page of output use the following command:<br />
: <code>more /etc/group</code><br />
* To output the contents of the file while pausing after each page of output and being able to scroll up and down through the output use the following command:<br />
: <code>less /etc/group</code><br />
* Press '''q''' to return to the command line<br />
* It may be helpful to try these commands to display an even longer text file like one of the Shakespeare texts you downloaded in an earlier lab in the '''~/sample-files''' directory. You may have to un-tar the files again first.</li><br />
</ol><br />
<br />
== Practice Filesystem Permissions and Ownership ==<br />
'''''[https://www.youtube.com/watch?v=5-6dRHTbJfM&feature=youtu.be Video Tutorial - Practice Filesystem Permissions and Ownership]''''' <br><br />
''NOTE: Working with file and directory ownership and permissions is tricky and there are many, many possible combinations of users, groups, and permissions which can be assigned to both files and folders. The goal of this section of the lab is to familiarize you with how to use the commands for changing ownership and permissions, not to teach you how to read or understand Linux file permissions (see your readings for this, it is important!). Once you understand how to use the commands you should experiment with setting different owners and permissions on several different files and folders and subfolders until you have a good understanding of how permissions work. The only way to understand these relationships well is to read about it and then try it out. You should be able to set all of these permissions just as regular users (assuming you have access to both of the user accounts) '''you should not need sudo access to change the permissions because one of the two users owns all the files and directories we're working in. You will need sudo access to change the owner of the files because otherwise it would be possible to accidentally lock yourself out of a file.'''''<br />
<br />
''ADDITIONALLY: This table may be helpful:''<br />
: {| class="wikitable"<br />
|+Linux Permissions<br />
!|Octal<br />
!|Binary<br />
!|File Mode<br />
|-<br />
| 0<br />
| 000<br />
| ---<br />
|-<br />
| 1<br />
| 001<br />
| --x<br />
|-<br />
| 2<br />
| 010<br />
| -w-<br />
|-<br />
| 3<br />
| 011<br />
| -wx<br />
|-<br />
| 4<br />
| 100<br />
| r--<br />
|-<br />
| 5<br />
| 101<br />
| r-x<br />
|-<br />
| 6<br />
| 110<br />
| rw-<br />
|-<br />
| 7<br />
| 111<br />
| rwx<br />
|}<br />
''This '''[http://permissions-calculator.org/ permissions calculator]''' may also be helpful.''<br />
<ol><br />
<li> Change to the '''/home''' directory.</li><br />
<li> Check the ownership and permissions on the subdirectories inside of '''/home'''</li><br />
<li> Try to create new files using the '''touch''' command called '''foo''' and '''foo2''' in the '''/home/jsmith''' directory.<br />
*Try as both your regular user and as '''jsmith''' respectively<br />
: <code>touch foo</code><br />
: <code>touch foo2</code></li><br />
<li> Try removing the '''foo''' and/or '''foo2''' files using both your regular user account and '''jsmith'''</li><br />
<li> Use the '''jsmith''' user to create a new directory '''/home/jsmith/redteam/'''</li><br />
<li> Use the '''jsmith''' user to create some files: '''/home/jsmith/redteam/theplan''', '''/home/jsmith/redteam/yours''', '''/home/jsmith/redteam/mine''' and '''/home/jsmith/ours'''</li><br />
<li> In order to find out more about the '''chown''' and '''chgrp''' programs which you'll use to change the owners and groups for files and directories use the following commands to view the built in manual pages:<br />
: <code>man chown</code><br />
: <code>man chgrp</code><br />
: ''NOTE: Almost every command line tool in Linux has a manual page you can view in this way, try accessing a few other man pages for some of the other tools we've been using. You can scroll through the manual pages using the arrow keys and page up/down. To return to the command line press the q key.''</li><br />
<li> Change the ownership of the '''/home/jsmith/redteam/''' directory so that the group '''redteam''' is the group owner of the directory</li><br />
: [[File:Change-ownership-directory.png | link=https://wiki.ihitc.net/mediawiki/images/6/61/Change-ownership-directory.png | 500px]]<br />
: [[media:Change-ownership-directory.png | Click for Larger Image]]<br />
<li> Add write permission for the group to the '''/home/jsmith/redteam/''' directory</li><br />
<li> Change the ownership of the '''yours''' file so that it is owned by your regular user account instead of '''jsmith'''</li><br />
<li> Change the group owner of the '''ours''' file so that it is controlled by the '''redteam''' group</li><br />
<li> Experiment with creating and removing files and subdirectories inside of the '''/home/jsmith/redteam/''' directory as well as listing the contents of directories with various permissions applied to them until you have a good understanding of how permissions work.</li><br />
</ol><br />
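One way to confirm the end state these steps aim for (a directory whose group owner is '''redteam''' and which has group write permission) is to read the owner and octal mode back with '''stat''' and decode the mode using the table above. This is an added example, not part of the original lab; it assumes GNU '''stat''' as shipped with Debian, and the function names are hypothetical.<br />

```shell
#!/bin/sh
# Added example, not part of the lab. Assumes GNU coreutils stat (Debian).

# Decode one octal digit (0-7) into its rwx triplet by testing each bit,
# which is how the Octal/Binary/File Mode table is derived.
digit_to_rwx() {
    r=-; w=-; x=-
    if [ $(( $1 & 4 )) -ne 0 ]; then r=r; fi
    if [ $(( $1 & 2 )) -ne 0 ]; then w=w; fi
    if [ $(( $1 & 1 )) -ne 0 ]; then x=x; fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# Turn an octal mode such as 750 into user/group/other triplets (rwxr-x---).
mode_to_symbolic() {
    val=$(( 0$1 ))                      # leading 0 makes the shell read it as octal
    ubits=$(( (val >> 6) & 7 ))
    gbits=$(( (val >> 3) & 7 ))
    obits=$(( val & 7 ))
    printf '%s%s%s\n' "$(digit_to_rwx "$ubits")" "$(digit_to_rwx "$gbits")" "$(digit_to_rwx "$obits")"
}

# Succeed only if group $2 is the group owner of $1 AND the group write bit is set.
# Returns 1 with an explanation otherwise, 2 if the path cannot be read by stat.
group_can_write() {
    target=$1
    want=$2
    have=$(stat -c '%G' -- "$target") || return 2
    mode=$(stat -c '%a' -- "$target") || return 2
    if [ "$have" != "$want" ]; then
        echo "$target: group owner is $have, expected $want"
        return 1
    fi
    if [ $(( 0$mode & 020 )) -eq 0 ]; then
        echo "$target: mode $mode ($(mode_to_symbolic "$mode")) has no group write"
        return 1
    fi
    echo "$target: OK, group $want, mode $mode ($(mode_to_symbolic "$mode"))"
}

# Demonstration on a temporary directory; in the lab the call would be:
#   group_can_write /home/jsmith/redteam redteam
demo() {
    demo_dir=$(mktemp -d) || return 1
    demo_group=$(stat -c '%G' "$demo_dir")
    chmod 750 "$demo_dir"
    group_can_write "$demo_dir" "$demo_group" || true   # fails: group has r-x only
    chmod g+w "$demo_dir"
    group_can_write "$demo_dir" "$demo_group"           # passes: group has rwx
    rm -rf "$demo_dir"
}

demo
```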
<br />
== Install the Webmin Control Panel ==<br />
'''''[https://www.youtube.com/watch?v=tfthl4jH-jg&feature=youtu.be Video Tutorial - Install the Webmin Control Panel]''''' <br><br />
<ol><br />
<li> Use the '''links''' browser to download the '''DEB''' package file from '''[https://www.webmin.com www.webmin.com]'''</li><br />
: ''NOTE: Because this DEB file was downloaded directly instead of automatically by APT from a package repository the installation command is slightly different and some other commands such as '''apt show''' will not work.''<br />
<li>Install the package with '''apt install'''<br />
<code>apt install ./<filename.deb></code><br />
: ''Don't forget that installation of software must be done with system administrator permissions.''</li><br />
:[[File:Apt-install-webmin.png | link= https://wiki.ihitc.net/mediawiki/images/f/f8/Apt-install-webmin.png | 500px]]<br />
:[[Media:Apt-install-webmin.png | Click for Larger Image]]<br />
: ''NOTE: You can get similar information to what you can get with '''apt show''' from a '''DEB''' package file using the following command:''<br />
: <code>dpkg -I <filename></code><br />
<li> Notice the additional packages which are required by Webmin (dependencies) which will be downloaded and installed by '''apt''' from a repository in order to complete the installation.</li><br />
<li> Open a web browser on your host system and visit https://xxx.xxx.xxx.xxx:10000 where your IP replaces xxx.xxx.xxx.xxx</li><br />
<li> Login using your Debian username and password </li><br />
<li> Explore the Webmin interface<br />
:[[file:Webmin-dashboard.png | link= https://wiki.ihitc.net/mediawiki/images/0/0f/Webmin-dashboard.png | 500px]]<br />
:[[media:Webmin-dashboard.png | Click for Larger Image]]</li><br />
</ol><br />
<br />
= Checking Your Work =<br />
<ol><br />
<li> Run the following command:<br />
<br><br />
<code> ls -al /home/jsmith/redteam </code><br />
* Verify the following files are present:<br />
*: '''/theplan'''<br />
*: '''/yours'''<br />
*: '''/mine'''<br />
*: '''/ours'''</li><br />
* Verify the '''redteam''' group owns the '''/ours''' file.<br />
<li>Run the following command:<br />
<br><br />
<code> ls -al /home/jsmith </code><br />
* Verify the '''redteam''' group owns, and has write permission on, the '''/redteam''' directory.</li><br />
<br><br><br />
<li> Automatically check your results by running this command:</li><br />
<br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_03_test.py | python3<br />
</nowiki></code></ol><br />
<br><br><br />
=Web App=<br />
You can check your progress on any of the labs in the ITC-2480 course using the web app at this link: <br><br />
[http://webcheck.itc2480.campus.ihitc.net webcheck.itc2480.campus.ihitc.net]<br><br />
You must be logged into the campus VPN to use this application.</div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_2_mnjk&diff=9625Lab 2 mnjk2021-04-20T01:13:04Z<p>NateHaleen: /* Checking Your Work */</p>
<hr />
<div>=Introduction=<br />
In this lab you will perform the following tasks:<br />
*Installing the ''links'' web browser<br />
*Downloading a compressed file<br />
*Creating a directory<br />
*Copying and moving files<br />
*Extracting a .tar.gz "tarball" file<br />
*Removing files and directories<br />
*Installing the [https://httpd.apache.org/ Apache] webserver<br />
*Installing [https://www.python.org/ Python] and its dependencies<br />
<br />
This lab assumes that you know the IP address of your Linux system and are connected to the ITCnet VPN network. If you need help with these steps please see [[ITC_VPN_Instructions | the VPN instructions]] and [[Lab_1_mnjk#Installing_sudo_and_checking_your_IP_address | the previous lab]].<br />
<br />
You will be introduced to the following commands:<br />
*'''[https://linux.die.net/man/1/ls ls]'''<br />
*'''[https://linux.die.net/man/1/cd cd]'''<br />
*'''[https://linux.die.net/man/1/cp cp]'''<br />
*'''[http://linux.die.net/man/1/mv mv]'''<br />
*'''[https://linux.die.net/man/1/man man]'''<br />
*'''[http://linux.die.net/man/1/links links]'''<br />
*'''[http://linux.die.net/man/1/mkdir mkdir]'''<br />
*'''[http://linux.die.net/man/1/pwd pwd]'''<br />
*'''[http://linux.die.net/man/1/rm rm]'''<br />
*'''[http://linux.die.net/man/1/rmdir rmdir]'''<br />
*'''[http://linux.die.net/man/1/tar tar]'''<br />
<br />
=Lab Procedure=<br />
==Preliminaries==<br />
# Ensure your VM is powered on in Netlab<br />
#:''NOTE: you should have shut it down at the end of the last lab, but you will leave it on from now on. <br />
#:''NOTE: you will need to make a reservation in Netlab to power on your VM.<br />
# Make sure you have the current IP address of your Linux system<br />
#: If your Linux VM has been powered off for some time since you checked the IP address in a previous lab you may have received a new IP address, so be sure to check your IP address again and use that IP address in this lab. <br />
# Open an SSH console to your Linux system using the [https://www.putty.org/ PuTTY] software<br />
#: [[File:Lab2_putty.png |link=https://wiki.ihitc.net/mediawiki/images/6/6f/Lab2_putty.png|500px]]<br />
#: [[Media:Lab2_putty.png | Click for larger image]]<br />
# Log in with your standard user account<br />
#: From this point on we will be working only through an SSH connection to the server so unless you have a problem with network access to your VM, or you need to power it on again you should not need to make Netlab reservations or use the Netlab interface for quite some time.<br />
<br />
==Install the Links Web Browser Package==<br />
'''''[https://www.youtube.com/watch?v=2Ikzy23WuqQ&feature=youtu.be Video Tutorial - Installing the Links Web Browser]'''''<br />
<ol><br />
<li> Update your package lists using the following command:</li><br />
<code>sudo apt update</code><br />
: Because software installation and updates need to be done as an administrator we need to put '''sudo''' in front of these commands. You will likely need to enter your password again unless you've recently used sudo for something else and your session has not timed out yet.<br />
<li> Search for a description of the ''links'' package using the following '''apt''' command to search for packages with links in the package name.</li><br />
<code> apt search --names-only links</code><br />
<ul> ''TIP: You could further restrict your search using regular expressions instead of just searching for "links" such as '''apt search --names-only ^links''' which will only search for packages that ''start'' with the word links. You can learn more about regular expressions at [https://regexone.com RegexOne] and [https://www.regular-expressions.info Regular-Expressions.info] among many other places. These are frequently used in system administration and programming so it's worth your while to get at least a basic understanding of them.''</ul><br />
<ul> ''TIP: You can also expand your search to include searching the full package descriptions instead of just the names like '''apt search links''' which returns many more results.''</ul><br />
<li> Check the details of the ''links'' software package using the following command: </li><br />
<code>apt show links</code><br />
<li> Install the ''links'' web browser package using the following '''apt''' command: </li><br />
<code>sudo apt install links</code><br />
<li> Run the links program using the following command:</li><br />
<code>links</code><br />
<ul> [[File:Links.png|link=https://wiki.ihitc.net/mediawiki/images/6/6e/Links.png|500px]]</ul><br />
<ul> [[Media:Links.png | Click for Larger Image]]</ul><br />
<li> Try browsing to a website such as ''www.google.com'' or ''www.debian.org''. </li><br />
<ul> ''Hint: Pressing CTRL-G lets you enter a URL. Alternatively, you can enter a URL from the command line such as '''links google.com'''''</ul><br />
<ul> ''Hint: Press ALT-F to get a menu bar to appear on your screen which you can then go through using arrow keys.''</ul><br />
<li> Press the letter "q" on your keyboard to quit links.</li><br />
</ol><br />
<br><br />
There are many other text-based browsers to choose from. Some of these are more recent and have advanced features like handling SSL and cookies better. If you are interested, check out [http://w3m.sourceforge.net/ w3m] or [https://lynx.invisible-island.net/ lynx].<br />
<br />
==Basic File Management and Navigation==<br />
'''''[https://www.youtube.com/watch?v=v0rm7Iab624&feature=youtu.be Video Tutorial - Basic File Management and Navigation]'''''<br />
<ol><br />
<li> Use the links web browser to open the page ''http://www.franske.com/shakespeare.tar.gz'' </li><br />
<li> Download the ''shakespeare.tar.gz'' file from that page. </li><br />
<li> Exit the links browser and verify the file has downloaded into your current directory with the following command:</li><br />
<code>ls -al</code><br />
<ul> This command lists the files in the current directory.</ul><br />
<li> Create a new directory called ''sample-files'' using the following command:</li><br />
<code>mkdir sample-files</code><br />
<li> Copy the ''shakespeare.tar.gz'' file from the current directory into the ''sample-files'' directory using:</li><br />
<code>cp shakespeare.tar.gz sample-files/ </code><br />
<ul> Note the / on the end of the command which indicates we want to place the file ''into'' a subdirectory and not make a new copy of the file in the same directory but with a different name. Pay attention to case: Linux is a case-sensitive operating system. You can actually have two different files in the same directory, one called ''Shakespeare.tar.gz'' and one called ''shakespeare.tar.gz''.</ul><br />
<li> Change your current directory to the ''sample-files'' directory using: </li><br />
<code>cd sample-files</code><br />
<li>Verify your directory change using the print working directory command:</li><br />
<code>pwd</code><br />
<li>Verify the file has been copied by using the following command inside the ''sample-files'' directory:</li><br />
<code>ls -al</code> <br />
<li> Delete (remove) the file from the current directory by using:</li><br />
<code> rm shakespeare.tar.gz</code><br />
<li>Change your directory back to your user's home directory (one level above the subdirectory you're currently in). </li><br />
<ul> There are many ways to do this but a common shortcut to move one directory up in the tree is to use the ".." shortcut which means one directory above the current directory so '''cd ..''' will change your working directory up one level.</ul><br />
<ul> This time we want to move the ''shakespeare.tar.gz'' file into the ''sample-files'' directory instead of copying it. </ul><br />
<li>Use the following command to do this:</li><br />
<code>mv shakespeare.tar.gz sample-files/</code><br />
<ul> Again, note the / on the end of sample-files/ indicating we want to put it in a ''directory'' named ''sample-files'' instead of renaming ''shakespeare.tar.gz'' to a ''file'' called ''sample-files''.</ul><br />
<li> Verify the ''shakespeare.tar.gz'' file is no longer in your current directory then change your working directory to ''sample-files'' again and verify that the file has been moved there.</li><br />
<ul> The ''.tar.gz'' type files are sometimes called a "tarball" and they are a common way to distribute files on *NIX (UNIX/Linux/BSD/POSIX) based systems. These files really have two parts. The first is a TAR file, which is a way to pack multiple files and directories into a single file for archival and distribution purposes. TAR does not compress the file in any way, so the size will be essentially the same as if you added together all of the files it contains. After the files are put into a TAR file they can be compressed with the '''gzip''' program, so we add the ''.gz'' extension to the filename to indicate this TAR file has been compressed. Other compression programs such as '''bzip2''' can also be used; in that case it would be a ''.tar.bz2'' file. Because TAR files are so frequently gzipped to compress them, the command to compress or uncompress a file has been added to the TAR program itself so we don't need to go through two steps. In this case we can uncompress and extract the files using the '''tar -zxf shakespeare.tar.gz''' command, or, to see the list of files as they are extracted, we can add the -v argument to make the output verbose: '''tar -zxvf shakespeare.tar.gz''' </ul><br />
<li> Run the command to extract and uncompress the file. </li><br />
<li> Verify it by listing the directory contents. </li><br />
<ul> You should see a new subdirectory, it's common and good practice to always include the files in a TAR in their own subdirectory so that when they are extracted they don't clutter the current working directory. </ul><br />
<li> Enter the new subdirectory and list the contents to verify the extraction, you should see several files.</li><br />
<li> Try removing one of the files that was extracted. </li><br />
<ul>You might encounter an error if the filename includes a space. Although spaces are allowed in filenames on Linux, it's not recommended because you will need to either quote or escape filenames in some way in order to work with the files. For example if you wanted to remove a file called ''a file with spaces.txt'' you would either need to enter the command as '''rm "a file with spaces.txt"''' (with the quotes) or as ''rm a\ file\ with\ spaces.txt'' where the backslash character is used to "escape" the special characters in the filename (in this case spaces, but other characters, like exclamation points, are special as well). Make sure you can remove a file with spaces in the name. </ul><br />
<li> Move up one directory (back to the ''sample-files'' directory). </li><br />
<ul> Let's say we want to remove the entire Shakespeare directory now. </ul><br />
<li> Try using the following command to do that: </li><br />
<code> rm Shakespeare</code><br />
<ul> The '''rm''' command will give you an error because it is designed for removing files, not directories. To remove directories you can use the '''rmdir''' command such as '''rmdir Shakespeare''' but this will also give you an error. </ul><br />
<li> Try it! </li><br />
<code> rmdir Shakespeare </code><br />
<ul> The '''rmdir''' command requires that a directory be empty before it can be removed. You now have a choice: you could go back into the directory and clear it out, one file at a time, using the '''rm''' command. Or you could speed things up by removing all the files in it at once using the '''rm *''' command, which includes a special character, called a wildcard, which stands for all files in the directory. This would work but it still requires a second step, and if there were even more levels of directories inside the one you wanted to remove you would have to go through all of them as well. Luckily, Linux has a powerful (but obviously dangerous) command, the "recursive remove" command, which removes a directory as well as all of the files and subdirectories it contains. You must be careful with this command because, used incorrectly, you could obviously delete everything on your hard drive with a single command. We want to remove the Shakespeare directory and everything it contains so we can use the '''rm -r Shakespeare''' command. </ul><br />
<li> Do this and then verify the directory has been removed.</li><br />
<li> Navigate back to your user's home directory before continuing.</li></ol><br />
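The tarball steps above say a well-made archive keeps its files in one subdirectory; the following added example (not part of the original lab) lists an archive's members before extraction and flags names that would land outside that subdirectory.<br />
The function names '''audit_member_list''', '''audit_tarball''', '''extract_checked''' and '''constructed_listing''' are hypothetical helpers, and the sample member names are constructed for illustration.<br />

```bash
#!/usr/bin/env bash
# Added example, not part of the lab: audit a .tar.gz before extracting it.
# Function names here are hypothetical helpers, not standard commands.

# Read member names (one per line) on stdin and report risky ones.
# Returns 1 if any name is absolute or contains a ".." component, else 0.
audit_member_list() {
    local name top seen="" ntops=0 status=0
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        case "$name" in
            /*) echo "ABSOLUTE $name"; status=1; continue ;;
        esac
        # Wrap in slashes so "..", "../x", "a/../b" and "a/.." all match.
        case "/$name/" in
            */../*) echo "TRAVERSAL $name"; status=1; continue ;;
        esac
        top=${name#./}     # tolerate a leading "./"
        top=${top%%/*}     # keep only the first path component
        [ -n "$top" ] || continue
        case "$seen" in
            *"|$top|"*) ;;                                  # already counted
            *) seen="$seen|$top|"; ntops=$((ntops + 1)) ;;
        esac
    done
    # Not a safety problem, but such an archive clutters the current directory.
    if [ "$ntops" -gt 1 ]; then
        echo "NOTE $ntops top-level entries; extract into a new directory"
    fi
    return "$status"
}

# List a gzipped tarball without writing anything to disk, then audit the names.
# Returns 2 if tar cannot read the archive, otherwise audit_member_list's status.
audit_tarball() {
    local archive=$1 listing
    if ! listing=$(tar -tzf "$archive" 2>/dev/null); then
        echo "UNREADABLE $archive"
        return 2
    fi
    printf '%s\n' "$listing" | audit_member_list
}

# Extract into a chosen directory only when the audit finds no unsafe names.
# Limitation: this checks names only; symlink members are not inspected.
extract_checked() {
    local archive=$1 dest=$2
    audit_tarball "$archive" || return $?
    mkdir -p "$dest" && tar -xzf "$archive" -C "$dest"
}

# Constructed member list (not the contents of shakespeare.tar.gz) showing
# one clean directory plus two names that the audit flags.
constructed_listing() {
    printf '%s\n' 'Shakespeare/' 'Shakespeare/hamlet.txt' \
        'Shakespeare/../../outside.txt' '/tmp/absolute.txt'
}

# Stand-alone use: ./audit.sh shakespeare.tar.gz
if [ "$#" -gt 0 ]; then
    audit_tarball "$1"
fi
```

Running '''constructed_listing | audit_member_list''' shows the report format without needing an archive on disk.<br />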
<br />
==Install the Apache 2 Webserver==<br />
'''''[https://www.youtube.com/watch?v=56iOrpFbHOM&feature=youtu.be Video Tutorial - Installing Apache 2]'''''<br />
<ol><li> On your HOST system open a web browser and try browsing to the IP address of your Linux system. </li><br />
<ul> You should get some kind of server unreachable error because there is currently no webserver running on your system. </ul><br />
<li> Use the '''apt show''' command to review details of the ''apache2'' package</li><br />
<ul> [https://httpd.apache.org/ Apache] is one of the most popular webserver programs on the Internet. </ul><br />
<li> After reading through the information go ahead and install the '''apache2''' package using '''apt install'''. </li><br />
<ul> You'll notice this time, because it's a more complex program than links, you will be prompted to install several other packages that apache relies on to run, we call these packages "dependencies". One key advantage of using a "package manager" like '''apt''', '''apt-get''', or '''aptitude''' is that they automatically keep track of dependencies and install packages needed to make the one you're trying to install function properly.</ul><br />
<li> Once the installation process for Apache 2 is complete you should be able to go back to your host system and try visiting the IP address of your Linux system again or reloading the page. </li><br />
<ul> You should now see a basic welcome page which indicates you have a webserver up and running on your Linux system. Obviously we haven't done anything exciting with the page yet or setup much security but it really is that simple to turn a Linux system into a basic webserver.</ul><br />
<ul> [[File:Lab2_apache2.png|link=https://wiki.ihitc.net/mediawiki/images/b/bc/Lab2_apache2.png|500px]]</ul><br />
<ul> [[Media:Lab2_apache2.png | Click for Larger Image]]</ul><br />
</ol><br />
<br />
''NOTE: You can leave your VM running from this point on''<br />
<br />
=Checking Your Work=<br />
<ol><li> Return to your home directory and run:</li><br />
<code>ls -al</code><br />
<ul> If you see the ''shakespeare.tar.gz'' file you haven't followed all the directions.</ul><br />
<li> List the files in the sample-files directory:</li><br />
<ul> If you only see the ''shakespeare.tar.gz'' file you have successfully completed that section of the lab.</ul><br />
<li> Run the following command:</li><br />
<code> links</code><br />
<ul> If the Links browser opens you have successfully installed it.</ul><br />
<li> Navigate to your IP address using the Links browser; does the website look like this?</li><br />
<ul>[[file:Links_apache2.png | link= https://wiki.ihitc.net/mediawiki/images/1/12/Links_apache2.png | 500px]]</ul><br />
<ul>[[media:Links_apache2.png| Click for Larger Image]]</ul><br />
<br />
<li> Run the following command; does the output look like this?</li><br />
<code style="background-color: #f1f1f1">python3 --version</code><br />
<ul> [[File:Python_version.png|link=https://wiki.ihitc.net/mediawiki/images/7/70/Python_version.png|500px]]</ul><br />
<ul> [[Media:Python_version.png | Click for Larger Image]]</ul><br />
<ul> If your results match the screenshots, you have successfully completed the lab! </ul><br />
<br><br />
<br><br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_02_test.py | python3<br />
</nowiki></code><br />
<br><br><br />
=Web App=<br />
<br />
You can check your progress on any of the labs in the ITC-2480 course using the web app at this link: <br><br />
[http://webcheck.itc2480.campus.ihitc.net webcheck.itc2480.campus.ihitc.net]<br><br />
You must be logged into the campus VPN to use this application.<br />
</ol></div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_1_mnjk&diff=9624Lab 1 mnjk2021-04-20T01:12:20Z<p>NateHaleen: /* Checking your Work */</p>
<hr />
<div>=Introduction=<br />
:In this lab you will perform the following tasks:<br />
*Access NetLab to reach the environment for your virtual machine<br />
*Install the latest version of Debian Linux in a virtual machine<br />
*Learn how to login and check the IP address of the system<br />
*Learn to remotely access the system with SSH and SFTP.<br />
<br />
You will be introduced to the following commands:<br />
<br />
*'''[https://linux.die.net/man/8/apt apt]'''<br />
*'''[https://linux.die.net/man/8/sudo sudo]'''<br />
*'''[https://linux.die.net/man/8/useradd adduser]'''<br />
*'''[https://linux.die.net/man/8/shutdown shutdown]'''<br />
*'''[https://linux.die.net/man/8/ip ip address show]'''<br />
<br />
=Lab Procedure=<br />
==Netlab Access==<br />
'''''[https://www.youtube.com/watch?v=-hLejbDfPGM&feature=youtu.be Video Tutorial - NetLab Access]'''''<br />
<ol><br />
<li> Connect to the ITCnet </li> <br />
: This can be accomplished by directly plugging into an ITCnet port in one of the ITC labs or by connecting to the [[ITC_VPN_Instructions|VPN]].<br />
:'' Note: If you want to connect using a wireless connection on campus you need to [[Connecting to Eduroam|connect to the eduroam network]] before connecting to the VPN.<br />
<li> After you are connected to ITCnet (by VPN or wired connection) you simply need to open a web browser and access https://ihcc-netlab.campus.ihitc.net</li><br />
* The first time you visit this site in a browser you may need to accept a self-signed security certificate<br />
* You will need to log in with a username and password established by your instructor.<br />
* The first time you log in you will need to change your password and set your timezone. Make sure your timezone is set correctly so you can schedule reservations to work with equipment at convenient times.<br />
<li> Once you are logged in click the blue "New Lab Reservation" button</li><br />
: Next, in the lower left corner of the screen, select "Schedule a Lab for Myself". Reservations are used to hold a place on the Netlab system to work on labs during a specific time. You only need reservations in this class when working with the GUI, which will come later in the class, if you need to turn the power back on to your VM, or during the installation process. The rest of the time you will be able to connect directly to your Linux server using the SSH protocol, but more on that in a bit.<br />
:'' Note: If you are enrolled in more than one class that is using Netlab you will be presented with a list of classes you are enrolled in; click on your Linux System Administration course if you see this screen.<br />
: All of our lab work in this class is done in a single "Lab Environment" and your progress will be saved from one reservation to another. As a result there is only one lab listed in this course "Linux System Administration Labs". Click on this lab title.<br />
<li> Use the calendar to choose a date, time, and specific pod to reserve for your lab activity (when you will begin your Debian server installation).</li><br />
: The red line on this screen indicates the current time. If you want to get started right away you can click just below this line. Pay attention to the title of the column at the top, it will say something like "LSA Pod Z". The letter at the end of this pod name is your "pod letter" which you will use to set the host name and IP address of your machine in the future so make note of it.<br />
: You will be presented with a summary screen for your reservation where you can set the end time of your reservation (up to a maximum). It is suggested to make your reservation a couple hours long the first time you plan to install Debian, though you can extend it if needed. Click submit once you are ready to make the reservation.<br />
<li>You will see a confirmation screen that your reservation has been made.</li><br />
: You are now ready to progress on to the Debian Linux Installation (as long as your reservation is right away).<br />
</ol><br />
<br />
==Debian Linux Installation==<br />
'''''[https://www.youtube.com/watch?v=H0DcdEytpFQ&feature=youtu.be Video Tutorial - Debian Linux Installation]'''''<br />
<ol><br />
<li> Log in to the Netlab system</li><br />
: Access this using a web browser at https://ihcc-netlab.campus.ihitc.net if you are not already logged in.<br />
: If you have a currently active reservation you will see a green "Enter Lab" button on your list of reservations. Click the green "Enter Lab" button. If not, you will need to make a reservation (see above) and then click the "Enter Lab" button.<br />
: Your virtual machines (VMs) will automatically power on when your reservation begins and because there is no operating system currently installed to their virtual hard drives they will boot from their virtual CD/DVD drives which have been pre-loaded with the installation discs for Linux.<br />
<li> Access your virtual machine console</li><br />
: Once you are in your pod you can either click on the image of the "Linux Server" on the topology diagram or use the tabs across the top of your screen to access the console of your Linux Server VM.<br />
: The console shows the display of your VM and allows you to type and interact with your VM just as if you were physically sitting down in front of a server with a monitor, keyboard, and mouse attached. Just like a separate physical machine you will not be able to copy and paste text or drag and drop files in and out of this console window. We will use other utilities across the network connection to do those things just like we would with a physical server.<br />
<li>Learn to "Power Cycle" your virtual machine</li><br />
: By now your VM has likely already booted from its virtual CD/DVD drive and should be at the "Debian GNU/Linux installer menu". Before continuing let's practice rebooting your system so you can watch the system boot and see how to reboot the system if needed. Click the down arrow button on the right side of the "Linux Server" tab at the top of your screen and choose "Power Off" then click the red "Power Off" button on the popup to power off your VM. This is the equivalent of just pulling out the power cord, at least until we install the VMware Tools software which allows for a graceful shutdown, so you'll want to be careful to only do this if absolutely needed until then.<br />
<li>Power on your virtual machine</li><br />
: Click the down arrow button on the right side of the "Linux Server" tab at the top of your screen and choose "Power On", or press the blue "Power On" button in the middle of your screen, then press the green "Power On" button to boot your system.<br />
<li>Install Debian Linux</li><br />
: Once the system has rebooted and is back to the "Debian GNU/Linux installer menu" choose "Install" and '''not''' "Graphical Install". If you make an incorrect choice you can reboot your virtual machine (power off and on) before installing to get back to the menu.<br />
: In the installer you will use the space bar to select and unselect "checkboxes", the tab key to move between fields and buttons, and the enter key to continue. You will be prompted for the following choices:<br />
* Select ''English'' as the language, ''United States'' as your location, and ''American English'' as the keymap.<br />
* Set ''ens192'' as your primary network interface.<br />
* Set a hostname for the system to 2480 followed by a dash and then your pod ID letter, like ''2480-Z'' for LSA Pod Z. If you have forgotten your pod ID letter look up at the top of your screen above the line with the "Topology" and "Linux Server" tabs and you should see a line with "LSA Pod" followed by a letter, that letter is your pod ID letter.<br />
:'' Note: These steps are critical to future success in labs, check your spelling carefully'' <br />
: [[File:Lab1_hostname.png|link=https://wiki.ihitc.net/mediawiki/images/5/57/Lab1_hostname.png|500px]]<br />
: [[Media:Lab1_hostname.png|Click here for a larger image]]<br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
: [[File:Lab1_domainname.png|link=https://wiki.ihitc.net/mediawiki/images/5/5a/Lab1_domainname.png|500px]]<br />
: [[Media:Lab1_domainname.png|Click here for a larger image]]<br />
* Set the root password to something you will NOT FORGET, this is the administrator account, ''cisco'' might be a good choice for our purposes though that would not be secure for a system directly accessible from the Internet (we are protected by a firewall which you are bypassing via the VPN connection)<br />
* Create a new user account by entering your name. The system will automatically use your first name (all lowercase) as the username and then you should set the password to another password you will not forget<br />
* Select your timezone<br />
* Choose "Guided - Use entire disk" as the partitioning method and select the ''sda'' drive and "All files in one partition" as the partitioning scheme, "Finish partitioning and write the changes to the disk", and then finally confirm you want to write the changes.<br />
* You do not want to scan any other CDs or DVDs at this time.<br />
* You want to select a mirror located close to you with good speed. Because your VM is actually running from the campus and is connected to the campus Internet connection a good option is "debian.uchicago.edu" with no http proxy.<br />
* Choose whether you want to participate in the package usage survey, for our purposes either choice is just fine.<br />
* On the software selection screen UNSELECT "Debian desktop environment" and "Print server" and make sure that "SSH server" and "Standard system utilities" are the only two selected options.<br />
:'' Note: To select and unselect options move your cursor over the option and press the space bar.<br />
* Choose that yes you want to install GRUB to the master boot record on the ''/dev/sda'' device.<br />
<li>Complete the installation</li><br />
: When the installation is complete you can select continue to "eject" the virtual CD and reboot into the new install<br />
</ol><br />
<br />
==Installing sudo and Checking Your IP Address==<br />
'''''[https://www.youtube.com/watch?v=TwXp5YfAvlw&feature=youtu.be Video Tutorial - Installing sudo and checking your IP address]'''''<br />
<ol><br />
<li>Log in to NetLab</li><br />
: Log in through the Netlab local console with your root account and password (username ''root'', password as set during the installation)<br />
:'' Note: When entering a password on the command line of a Linux system it is normal that nothing should appear and the cursor will not move when you are typing. This prevents someone who is able to see your computer screen from seeing what your password is or even how long it is. Just type your password and trust that the system is receiving it, press enter to submit your password.<br />
<li>Install '''sudo''' from the command line using:<br />
: ''Note: A good practice is to update your system before installing any packages. This should be completed using '''apt update'''; be sure to use '''sudo''' when not logged in as root.<br />
: <code>apt update</code><br />
: <code>apt install sudo</code></li><br />
: For security purposes it is usually the case that you do not want to log in as the root user. Instead, best practice is to log in as a standard user and then execute specific commands that require root access with administrative privileges through the '''sudo''' program. The '''sudo''' program is not installed by default so after you have logged in to the root account enter '''apt update''' and press enter which will update the list of software available for installation and then '''apt install sudo''' and press enter to install the sudo software.<br />
<li>Add sudo privileges to our standard user account.<br />
<code>adduser <username> sudo</code></li><br />
: We now need to add our standard user account to the group which is allowed to have administrative access. To do this, enter the command '''sudo adduser ''<username>'' sudo''' and press enter, replacing ''<username>'' with the name of your standard user account (set during the setup process, probably your first name in lowercase). We'll learn more about these commands later in the course.<br />
<li>Reboot system</li><br />
<code>shutdown -r now</code><br />
: Reboot your system using the '''shutdown -r now''' command to apply the changes<br />
<li>Log in as your standard user account, determine system IP address.<br />
: Once you are logged in use the following command at the command line to determine the IP address of your system<br />
<code>ip address show</code></li><br />
: Using the '''ip address show''' command will allow you to check the IP address of your system. The IP address should be something like ''172.17.50.xxx'' and be an ''inet'' address on the ''ens192'' adapter.<br />
[[File:Lab1_ip_address_show2.PNG|500px]]<br />
<li>Test sudo privileges</li><br />
: Try running the same command as the administrator by typing '''sudo ip address show''', you will need to enter in your password again when you run this command.<br />
<code>sudo ip address show</code><br />
<li>Exit from the local console</li><br />
: To log out of the console type '''exit''' and press enter.<br />
</ol><br />
<br />
==Logging in to a Remote Terminal==<br />
'''''[https://www.youtube.com/watch?v=JEiDkrlPMNw&feature=youtu.be Video Tutorial - Logging into a remote terminal]'''''<br />
<br />
A faster way to interact with your system is not through the Netlab local console but through a remote SSH session over the network directly to your server. Once you have mastered this you will be able to copy and paste text to your Linux server and will not need to make a reservation in Netlab to work on labs. For our purposes you will always need to connect to the ITCnet VPN before doing this so that you have access to the 172.17.50.0 network.<br />
<ol><br />
<li>Install Putty</li><br />
: Assuming you are running Windows, install the PuTTY software on your home PC from [http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html this website].<br />
: '' Note: For other operating systems there are other ways and software you can use to make an SSH connection, you will need to research what tools are used for making SSH connections from your particular operating system.<br />
<li>Open an SSH session</li><br />
:* Run the PuTTY software on your computer and enter in the IP address of your VM in the "Host Name" box and click the "Open" button.<br />
:[[File:Lab1_putty.png|link=https://wiki.ihitc.net/mediawiki/images/f/f5/Lab1_putty.png|500px]]<br />
:[[Media:Lab1_putty.png| Click here for larger image]]<br />
:* Click Yes to save the host key on your system<br />
: [[File:Lab1_puttycert.png|link=https://wiki.ihitc.net/mediawiki/images/4/4b/Lab1_puttycert.png|500px]]<br />
: [[Media:Lab1_puttycert.png|Click here for larger image]]<br />
:* Enter the standard username and password for your Linux system to connect.<br />
: '' Note: You should receive a prompt just like the one you had on the Netlab local console but it is now a direct connection from your computer over the ITCnet to your server.<br />
<li>Close the SSH session</li><br />
: Type '''exit''' to close the connection while leaving your VM running.<br />
</ol><br />
<br />
==Remote File Transfer==<br />
'''''[https://www.youtube.com/watch?v=JEiDkrlPMNw&feature=youtu.be Video Tutorial - Remote File Transfer]'''''<br />
<br />
The easiest way to transfer files to and from your VM is with SFTP software. For our purposes, you will always need to connect to the ITCnet VPN before doing this so that you have access to the 172.17.50.0 network.<br />
<ol><br />
<li>Install FileZilla</li><br />
: Install the FileZilla client software on your home PC from [https://filezilla-project.org/download.php?type=client this website]<br />
<li>Open a SFTP session to your server</li><br />
: Run FileZilla and use the Quick Connect bar at the top of the screen to access your system. <br />
:* Enter the IP address of your Linux system in the "Host:" box<br />
:* Enter your standard username and password in the appropriate boxes<br />
:* Enter ''22'' in the "Port:" box<br />
:* Click the "Quickconnect" button.<br />
: [[File:Lab1_filezillanew.png|link=https://wiki.ihitc.net/mediawiki/images/b/b1/Lab1_filezillanew.png|500px]]<br />
: [[Media:Lab1_filezillanew.png|Click here for larger image]]<br />
: You should see some connection text scroll on the top of the screen and some files on the right side of the screen now such as ''.bashrc'' and ''.profile''. The right side of the screen is the drive on your Linux system and the left side of the screen is the drive on your home system. Files and folders can be dragged between the two sides to transfer them back and forth.<br />
: [[File:Lab1_filezillaconnected.png|link=https://wiki.ihitc.net/mediawiki/images/c/ca/Lab1_filezillaconnected.png|500px]]<br />
: [[Media:Lab1_filezillaconnected.png|Click here for larger image]]<br />
<li>Close the FileZilla software to disconnect.</li><br />
</ol><br />
<br />
==Install VM Tools==<br />
'''''[https://www.youtube.com/watch?v=gLC1liwVJ8s&feature=youtu.be Video Tutorial - Install VM Tools]'''''<br />
: Because your Debian Linux server is running as a virtual machine on a VMware host system, we should install the VMware Tools software package in your virtual machine to achieve the best performance and driver integration.<br />
<ol><br />
<li>Open a SSH session to your server</li><br />
: Connect into your system using the remote SSH console method explained above.<br />
<li>Install '''open-vm-tools'''</li><br />
: Run the '''sudo apt install open-vm-tools''' command to install the VMware Tools. You will be prompted about several additional software packages that need to be installed; type '''y''' and press enter to install the software.<br />
<code>sudo apt install open-vm-tools</code><br />
</ol><br />
<br />
==Install Python==<br />
In order to check your work in the labs of this course you will need to have an application called [https://www.python.org/ Python] installed on your Linux system.<br />
<ol><br />
<li> Download ''python3'' using '''apt'''</li><br />
* When prompted, type Y to install the app and its dependencies<br />
<ul>''NOTE: This may take a while.''</ul><br />
* When prompted to specify the name of the host where the TANGO database server is running, just select ok.<br />
<ul> [[File:Python_tango.png|link=https://wiki.ihitc.net/mediawiki/images/4/4c/Python_tango.png|500px]]</ul><br />
<ul> [[Media:Python_tango.png | Click for Larger Image]]</ul><br />
<li> Run the following command to verify that python version 3.6 is installed.</li><br />
<code>python3 --version</code><br />
<ul> [[File:Python_version.png|link=https://wiki.ihitc.net/mediawiki/images/7/70/Python_version.png|500px]]</ul><br />
<ul> [[Media:Python_version.png | Click for Larger Image]]</ul><br />
</ol><br />
<br />
==Install Nmap==<br />
:Nmap is a tool we will learn more about later in the course but it will likely be used to check many of the labs for completion while working through the course. This course's labwork often builds upon the work you have done in previous labs. The self-check scripts are to assist you in ensuring you have not missed any ''critical'' steps in your work that would affect your success in subsequent labs.<br />
<br />
:* ''NOTE: Before we begin the installation of this tool it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning of systems which they are not authorized to do. You have been warned!<br />
:*At this time all you will be doing is installing the tool as it will be used to self-check your lab work to verify you are ready to move on to the next lab.<br />
<ol><br />
<li>Open a SSH session to your server</li><br />
: Run the following command at the command line.<br />
<code>sudo apt install nmap</code><br />
: Run the '''sudo apt install nmap''' command to install the nmap tool. You will be prompted about additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
</ol><br />
<br />
==Install Curl==<br />
:Curl is a tool for transferring data to and from a URL. In this course its output is piped into Python, which lets you run scripts that are not saved to your virtual machine. It will be used to check the labs for completion while working through the course. <br />
<ol><br />
<li> Run the following command at the command line. </li><br />
<code>sudo apt install curl</code><br />
: If prompted to install additional packages type "y"<br />
<li> Automatically check your results by running this command:</li><br />
: Installing Curl will allow you to check each of your labs for completion of some of the critical objectives of the lab work using a command in the "Checking your Work" section of the labs. This will usually be completed as the last step of the lab, but for this lab please run the following command now to check your work.<br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_01_revised.py | python3<br />
</nowiki></code><br />
<li>Close the SSH session</li><br />
: Type '''exit''' to close the connection while leaving your VM running.<br />
</ol><br />
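The check command above pipes the download straight into '''python3''', so whatever the server returns at that moment runs without ever being saved where you can read it. The following is an added example (not part of the original lab or the course's check scripts) that saves the script to a file, compares its SHA-256 with a digest you recorded after reading it, and only then runs it; the function names and the placeholder digest are assumptions.

```shell
#!/usr/bin/env bash
# Added example: download, verify, then run, instead of `curl URL | python3`.
# Assumptions (not from the lab): the function names below, and that you
# record the expected SHA-256 yourself after reading the script once.

# sha256_of FILE: print the SHA-256 hex digest of FILE.
sha256_of() {
    sha256sum < "$1" | awk '{print $1}'
}

# fetch_script URL DEST: save URL to DEST. HTTPS only; an HTTP error (404,
# 500, ...) makes curl exit non-zero instead of saving an error page.
fetch_script() {
    curl --fail --silent --show-error --location \
         --proto '=https' --output "$2" "$1"
}

# run_if_verified FILE EXPECTED_SHA256 [INTERPRETER]
# Runs FILE with INTERPRETER (default python3) only when its digest matches.
# Returns 2 if FILE is missing, 3 on a digest mismatch, otherwise the
# interpreter's own exit status.
run_if_verified() {
    riv_file=$1
    riv_expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    riv_interp=${3:-python3}

    if [ ! -f "$riv_file" ]; then
        echo "run_if_verified: no such file: $riv_file" >&2
        return 2
    fi

    riv_actual=$(sha256_of "$riv_file")
    if [ "$riv_actual" != "$riv_expected" ]; then
        echo "run_if_verified: digest mismatch for $riv_file" >&2
        echo "  expected: $riv_expected" >&2
        echo "  actual:   $riv_actual" >&2
        return 3
    fi

    "$riv_interp" "$riv_file"
}

# Typical use with the lab's check script (the digest is a placeholder):
#   fetch_script https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_01_revised.py lab_01_revised.py
#   less lab_01_revised.py            # read what it will do
#   sha256_of lab_01_revised.py       # record this value after your review
#   run_if_verified lab_01_revised.py '<sha256-you-recorded>'
```

If the script changes upstream after your review, '''run_if_verified''' refuses to run it and prints both digests, which is the cue to read the new version before recording a new value.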
<br />
==Safely Shutdown==<br />
'''''[https://www.youtube.com/watch?v=gLC1liwVJ8s&feature=youtu.be Video Tutorial - Safely Shutdown]'''''<br />
:We will normally leave our VM running but it is important that you know how to shut down a Linux system correctly, so this time we'll turn it off.<br />
<ol><br />
<li>Open a SSH session to your server</li><br />
: Connect in to your system using the remote SSH console method explained above.<br />
<li> Safely shut down your server</li><br />
:* Run the '''sudo shutdown -h now''' command at the command line to safely shut down the system.<br />
<code>sudo shutdown -h now</code><br />
: You should soon get a message that PuTTY has lost its connection. Click OK and then you can close the PuTTY window.<br />
<li>End NetLab Reservation</li><br />
: If you still have time left in your reservation in Netlab it's polite to end the reservation so other users can work on the system, only a limited number of reservations can be made at one time. You can do this by logging into Netlab, opening your lab, and clicking the "Reservation" menu at the top of the screen and choose to "End Reservation Now" followed by confirming that you want to end the reservation.<br />
</ol><br />
<br />
=Checking your Work=<br />
<ol><br />
<li>This section will cover ways to manually check your work</li><br />
<ul>For this lab each section was tested in the process of the lab. You should have successfully connected an SSH session with PuTTY, and an SFTP session with FileZilla.</ul><br />
<ul>You should have shut down your server in one of the last steps, so no further testing is necessary at this time.</ul><br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_01_revised.py | python3<br />
</nowiki></code><br />
<br><br />
</ol><br />
<br />
=Web App=<br />
<br />
You can check your progress on any of the labs in the ITC-2480 course using a web app at this link: <br><br />
[http://webcheck.itc2480.campus.ihitc.net webcheck.itc2480.campus.ihitc.net]<br><br />
You must be logged into the campus VPN to use this application. <br><br />
In order to use the web app, follow the link and enter the username, password and IP Address for your Linux server into the form. The address must be on the 172.17.50.0/24 subnet or the app will make you re-enter it. When you've entered your credentials, click the Sign In button on the bottom. You should see a 3x4 grid of buttons with the names of each of the labs. Click the lab you want to check and the application will automatically run the check-script for that lab!</div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_1_mnjk&diff=9619Lab 1 mnjk2021-04-16T22:43:24Z<p>NateHaleen: /* Checking your Work */</p>
<hr />
<div>=Introduction=<br />
:In this lab you will perform the following tasks:<br />
*Access NetLab to reach the environment for your virtual machine<br />
*Install the latest version of Debian Linux in a virtual machine<br />
*Learn how to login and check the IP address of the system<br />
*Learn to remotely access the system with SSH and SFTP.<br />
<br />
You will be introduced to the following commands:<br />
<br />
*'''[https://linux.die.net/man/8/apt apt]'''<br />
*'''[https://linux.die.net/man/8/sudo sudo]'''<br />
*'''[https://linux.die.net/man/8/useradd adduser]'''<br />
*'''[https://linux.die.net/man/8/shutdown shutdown]'''<br />
*'''[https://linux.die.net/man/8/ip ip address show]'''<br />
<br />
=Lab Procedure=<br />
==Netlab Access==<br />
'''''[https://www.youtube.com/watch?v=-hLejbDfPGM&feature=youtu.be Video Tutorial - NetLab Access]'''''<br />
<ol><br />
<li> Connect to the ITCnet </li> <br />
: This can be accomplished by directly plugging into an ITCnet port in one of the ITC labs or by connecting to the [[ITC_VPN_Instructions|VPN]].<br />
:'' Note: If you want to connect using a wireless connection on campus you need to [[Connecting to Eduroam|connect to the eduroam network]] before connecting to the VPN.<br />
<li> After you are connected to ITCnet (by VPN or wired connection) you simply need to open a web browser and access https://ihcc-netlab.campus.ihitc.net</li><br />
* The first time you visit this site in a browser you may need to accept a self-signed security certificate<br />
* You will need to log in with a username and password established by your instructor.<br />
* The first time you log in you will need to change your password and set your timezone. Make sure your timezone is set correctly so you can schedule reservations to work with equipment at convenient times.<br />
<li> Once you are logged in click the blue "New Lab Reservation" button</li><br />
: Next, in the lower left corner of the screen, select "Schedule a Lab for Myself". Reservations are used to hold a place on the Netlab system to work on labs during a specific time. You only need reservations in this class when working with the GUI, which will come later in the class, if you need to turn the power back on to your VM, or during the installation process. The rest of the time you will be able to connect directly to your Linux server using the SSH protocol, but more on that in a bit.<br />
:'' Note: If you are enrolled in more than one class that is using Netlab you will be presented with a list of classes you are enrolled in, click on your Linux System Administration course if you see this screen.<br />
: All of our lab work in this class is done in a single "Lab Environment" and your progress will be saved from one reservation to another. As a result there is only one lab listed in this course "Linux System Administration Labs". Click on this lab title.<br />
<li> Use the calendar to choose a date, time, and specific pod to reserve for your lab activity (when you will begin your Debian server installation).</li><br />
: The red line on this screen indicates the current time. If you want to get started right away you can click just below this line. Pay attention to the title of the column at the top, it will say something like "LSA Pod Z". The letter at the end of this pod name is your "pod letter" which you will use to set the host name and IP address of your machine in the future so make note of it.<br />
: You will be presented with a summary screen for your reservation where you can set the end time of your reservation (up to a maximum). It is suggested to make your reservation a couple hours long the first time you plan to install Debian, though you can extend it if needed. Click submit once you are ready to make the reservation.<br />
<li>You will see a confirmation screen that your reservation has been made.</li><br />
: You are now ready to progress on to the Debian Linux Installation (as long as your reservation is right away).<br />
</ol><br />
<br />
==Debian Linux Installation==<br />
'''''[https://www.youtube.com/watch?v=H0DcdEytpFQ&feature=youtu.be Video Tutorial - Debian Linux Installation]'''''<br />
<ol><br />
<li> Log in to the Netlab system</li><br />
: Access this using a web browser at https://ihcc-netlab.campus.ihitc.net if you are not already logged in.<br />
: If you have a currently active reservation you will see a green "Enter Lab" button on your list of reservations. Click the green "Enter Lab" button. If not, you will need to make a reservation (see above) and then click the "Enter Lab" button.<br />
: Your virtual machines (VMs) will automatically power on when your reservation begins and because there is no operating system currently installed to their virtual hard drives they will boot from their virtual CD/DVD drives which have been pre-loaded with the installation discs for Linux.<br />
<li> Access your virtual machine console</li><br />
: Once you are in your pod you can either click on the image of the "Linux Server" on the topology diagram or use the tabs across the top of your screen to access the console of your Linux Server VM.<br />
: The console shows the display of your VM and allows you to type and interact with your VM just as if you were physically sitting down in front of a server with a monitor, keyboard, and mouse attached. Just like a separate physical machine you will not be able to copy and paste text or drag and drop files in and out of this console window. We will use other utilities across the network connection to do those things just like we would with a physical server.<br />
<li>Learn to "Power Cycle" your virtual machine</li><br />
: By now your VM has likely already booted from its virtual CD/DVD drive and should be at the "Debian GNU/Linux installer menu". Before continuing let's practice rebooting your system so you can watch the system boot and see how to reboot the system if needed. Click the down arrow button on the right side of the "Linux Server" tab at the top of your screen and choose "Power Off" then click the red "Power Off" button on the popup to power off your VM. This is the equivalent of just pulling out the power cord, at least until we install the VMware Tools software which allows for a graceful shutdown, so you'll want to be careful to only do this if absolutely needed until then.<br />
<li>Power on your virtual machine</li><br />
: Click the down arrow button on the right side of the "Linux Server" tab at the top of your screen and choose "Power On", or press the blue "Power On" button in the middle of your screen, then press the green "Power On" button to boot your system.<br />
<li>Install Debian Linux</li><br />
: Once the system has rebooted and is back to the "Debian GNU/Linux installer menu" choose "Install" and '''not''' "Graphical Install". If you make an incorrect choice you can reboot your virtual machine (power off and on) before installing to get back to the menu.<br />
: In the installer you will use the space bar to select and unselect "checkboxes", the tab key to move between fields and buttons, and the enter key to continue. You will be prompted for the following choices<br />
* Select ''English'' as the language, ''United States'' as your location, and ''American English'' as the keymap.<br />
* Set ''ens192'' as your primary network interface.<br />
* Set a hostname for the system to 2480 followed by a dash and then your pod ID letter, like ''2480-Z'' for LSA Pod Z. If you have forgotten your pod ID letter look up at the top of your screen above the line with the "Topology" and "Linux Server" tabs and you should see a line with "LSA Pod" followed by a letter, that letter is your pod ID letter.<br />
:'' Note: These steps are critical to future success in labs, check your spelling carefully'' <br />
: [[File:Lab1_hostname.png|link=https://wiki.ihitc.net/mediawiki/images/5/57/Lab1_hostname.png|500px]]<br />
: [[Media:Lab1_hostname.png|Click here for a larger image]]<br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
: [[File:Lab1_domainname.png|link=https://wiki.ihitc.net/mediawiki/images/5/5a/Lab1_domainname.png|500px]]<br />
: [[Media:Lab1_domainname.png|Click here for a larger image]]<br />
* Set the root password to something you will NOT FORGET, this is the administrator account, ''cisco'' might be a good choice for our purposes though that would not be secure for a system directly accessible from the Internet (we are protected by a firewall which you are bypassing via the VPN connection)<br />
* Create a new user account by entering your name. The system will automatically use your first name (all lowercase) as the username and then you should set the password to another password you will not forget<br />
* Select your timezone<br />
* Choose "Guided - Use entire disk" as the partitioning method and select the ''sda'' drive and "All files in one partition" as the partitioning scheme, "Finish partitioning and write the changes to the disk", and then finally confirm you want to write the changes.<br />
* You do not want to scan any other CDs or DVDs at this time.<br />
* You want to select a mirror located close to you with good speed. Because your VM is actually running from the campus and is connected to the campus Internet connection a good option is "debian.uchicago.edu" with no http proxy.<br />
* Choose whether you want to participate in the package usage survey, for our purposes either choice is just fine.<br />
* On the software selection screen UNSELECT "Debian desktop environment" and "Print server" and make sure that "SSH server" and "Standard system utilities" are the only two selected options.<br />
:'' Note: To select and unselect options move your cursor over the option and press the space bar.<br />
* Choose that yes you want to install GRUB to the master boot record on the ''/dev/sda'' device.<br />
<li>Complete the installation</li><br />
: When the installation is complete you can select continue to "eject" the virtual CD and reboot into the new install<br />
</ol><br />
<br />
==Installing sudo and Checking Your IP Address==<br />
'''''[https://www.youtube.com/watch?v=TwXp5YfAvlw&feature=youtu.be Video Tutorial - Installing sudo and checking your IP address]'''''<br />
<ol><br />
<li>Log in to NetLab</li><br />
: Login through the Netlab local console with your root account and password (username ''root'', password as set during the installation)<br />
:'' Note: When entering a password on the command line of a Linux system it is normal that nothing should appear and the cursor will not move when you are typing. This prevents someone who is able to see your computer screen from seeing what your password is or even how long it is. Just type your password and trust that the system is receiving it, press enter to submit your password.<br />
<li>Install '''sudo''' from the command line using:<br />
: ''Note: A good practice is to update your system before installing any packages, this should be completed using '''apt update''', ensure to use '''sudo''' when not logged in as root.<br />
: <code>apt update</code><br />
: <code>apt install sudo</code></li><br />
: For security purposes it is usually the case that you do not want to log in as the root user. Instead, best practice is to log in as a standard user and then execute specific commands that require root access with administrative privileges through the '''sudo''' program. The '''sudo''' program is not installed by default so after you have logged in to the root account enter '''apt update''' and press enter which will update the list of software available for installation and then '''apt install sudo''' and press enter to install the sudo software.<br />
<li>Add sudo privileges to our standard user account.<br />
<code>adduser <username> sudo</code></li><br />
: We now need to add our standard user account to the group which is allowed to have administrative access. To do this, enter the command '''sudo adduser ''<username>'' sudo''' and press enter, replacing ''<username>'' with the name of your standard user account (set during the setup process, probably your first name in lowercase). We'll learn more about these commands later in the course.<br />
<li>Reboot system</li><br />
<code>shutdown -r now</code><br />
: Reboot your system using the '''shutdown -r now''' command to apply the changes<br />
<li>Log in as your standard user account, determine system IP address.<br />
: Once you are logged in use the following command at the command line to determine the IP address of your system<br />
<code>ip address show</code></li><br />
: Using the '''ip address show''' command will allow you to check the IP address of your system. The IP address should be something like ''172.17.50.xxx'' and be an ''inet'' address on the ''ens192'' adapter.<br />
[[File:Lab1_ip_address_show2.PNG|500px]]<br />
<li>Test sudo privileges</li><br />
: Try running the same command as the administrator by typing '''sudo ip address show''', you will need to enter in your password again when you run this command.<br />
<code>sudo ip address show</code><br />
<li>Exit from the local console</li><br />
: To log out of the console type '''exit''' and press enter.<br />
</ol><br />
<br />
==Logging in to a Remote Terminal==<br />
'''''[https://www.youtube.com/watch?v=JEiDkrlPMNw&feature=youtu.be Video Tutorial - Logging into a remote terminal]'''''<br />
<br />
A faster way to interact with your system is not through the Netlab local console but through a remote SSH session over the network directly to your server. Once you have mastered this you will be able to copy and paste text to your Linux server and will not need to make a reservation in Netlab to work on labs. For our purposes you will always need to connect to the ITCnet VPN before doing this so that you have access to the 172.17.50.0 network.<br />
<ol><br />
<li>Install Putty</li><br />
: Assuming you are running Windows, install the PuTTY software on your home PC from [http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html this website].<br />
: '' Note: For other operating systems there are other ways and software you can use to make an SSH connection, you will need to research what tools are used for making SSH connections from your particular operating system.<br />
<li>Open an SSH session</li><br />
:* Run the PuTTY software on your computer and enter in the IP address of your VM in the "Host Name" box and click the "Open" button.<br />
:[[File:Lab1_putty.png|link=https://wiki.ihitc.net/mediawiki/images/f/f5/Lab1_putty.png|500px]]<br />
:[[Media:Lab1_putty.png| Click here for larger image]]<br />
:* Click Yes to save the host key on your system<br />
: [[File:Lab1_puttycert.png|link=https://wiki.ihitc.net/mediawiki/images/4/4b/Lab1_puttycert.png|500px]]<br />
: [[Media:Lab1_puttycert.png|Click here for larger image]]<br />
:* Enter the standard username and password for your Linux system to connect.<br />
: '' Note: You should receive a prompt just like the one you had on the Netlab local console but it is now a direct connection from your computer over the ITCnet to your server.<br />
<li>Close the SSH session</li><br />
: Type '''exit''' to close the connection while leaving your VM running.<br />
</ol><br />
<br />
==Remote File Transfer==<br />
'''''[https://www.youtube.com/watch?v=JEiDkrlPMNw&feature=youtu.be Video Tutorial - Remote File Transfer]'''''<br />
<br />
The easiest way to transfer files to and from your VM is with SFTP software. For our purposes, you will always need to connect to the ITCnet VPN before doing this so that you have access to the 172.17.50.0 network.<br />
<ol><br />
<li>Install FileZilla</li><br />
: Install the FileZilla client software on your home PC from [https://filezilla-project.org/download.php?type=client this website]<br />
<li>Open a SFTP session to your server</li><br />
: Run FileZilla and use the Quick Connect bar at the top of the screen to access your system. <br />
:* Enter the IP address of your Linux system in the "Host:" box<br />
:* Enter your standard username and password in the appropriate boxes<br />
:* Enter ''22'' in the "Port:" box<br />
:* Click the "Quickconnect" button.<br />
: [[File:Lab1_filezillanew.png|link=https://wiki.ihitc.net/mediawiki/images/b/b1/Lab1_filezillanew.png|500px]]<br />
: [[Media:Lab1_filezillanew.png|Click here for larger image]]<br />
: You should see some connection text scroll on the top of the screen and some files on the right side of the screen now such as ''.bashrc'' and ''.profile''. The right side of the screen is the drive on your Linux system and the left side of the screen is the drive on your home system. Files and folders can be dragged between the two sides to transfer them back and forth.<br />
: [[File:Lab1_filezillaconnected.png|link=https://wiki.ihitc.net/mediawiki/images/c/ca/Lab1_filezillaconnected.png|500px]]<br />
: [[Media:Lab1_filezillaconnected.png|Click here for larger image]]<br />
<li>Close the FileZilla software to disconnect.</li><br />
</ol><br />
<br />
==Install VM Tools==<br />
'''''[https://www.youtube.com/watch?v=gLC1liwVJ8s&feature=youtu.be Video Tutorial - Install VM Tools]'''''<br />
: Because your Debian Linux server is running as a virtual machine on a VMware host system, we should install the VMware Tools software package in your virtual machine to achieve the best performance and driver integration.<br />
<ol><br />
<li>Open a SSH session to your server</li><br />
: Connect into your system using the remote SSH console method explained above.<br />
<li>Install '''open-vm-tools'''</li><br />
: Run the '''sudo apt install open-vm-tools''' command to install the VMware Tools. You will be prompted about several additional software packages that need to be installed; type '''y''' and press enter to install the software.<br />
<code>sudo apt install open-vm-tools</code><br />
</ol><br />
<br />
==Install Python==<br />
In order to check your work in the labs of this course you will need to have an application called [https://www.python.org/ Python] installed on your Linux system.<br />
<ol><br />
<li> Download ''python3'' using '''apt'''</li><br />
* When prompted, type Y to install the app and its dependencies<br />
<ul>''NOTE: This may take a while.''</ul><br />
* When prompted to specify the name of the host where the TANGO database server is running, just select ok.<br />
<ul> [[File:Python_tango.png|link=https://wiki.ihitc.net/mediawiki/images/4/4c/Python_tango.png|500px]]</ul><br />
<ul> [[Media:Python_tango.png | Click for Larger Image]]</ul><br />
<li> Run the following command to verify that python version 3.6 is installed.</li><br />
<code>python3 --version</code><br />
<ul> [[File:Python_version.png|link=https://wiki.ihitc.net/mediawiki/images/7/70/Python_version.png|500px]]</ul><br />
<ul> [[Media:Python_version.png | Click for Larger Image]]</ul><br />
</ol><br />
<br />
==Install Nmap==<br />
:Nmap is a tool we will learn more about later in the course but it will likely be used to check many of the labs for completion while working through the course. This course's labwork often builds upon the work you have done in previous labs. The self-check scripts are to assist you in ensuring you have not missed any ''critical'' steps in your work that would affect your success in subsequent labs.<br />
<br />
:* ''NOTE: Before we begin the installation of this tool it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning of systems which they are not authorized to do. You have been warned!<br />
:*At this time all you will be doing is installing the tool as it will be used to self-check your lab work to verify you are ready to move on to the next lab.<br />
<ol><br />
<li>Open a SSH session to your server</li><br />
: Run the following command at the command line.<br />
<code>sudo apt install nmap</code><br />
: Run the '''sudo apt install nmap''' command to install the nmap tool. You will be prompted about additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
</ol><br />
<br />
==Install Curl==<br />
:Curl is a tool for transferring data to and from a URL. In this course its output is piped into Python, which lets you run scripts that are not saved to your virtual machine. It will be used to check the labs for completion while working through the course. <br />
<ol><br />
<li> Run the following command at the command line. </li><br />
<code>sudo apt install curl</code><br />
: If prompted to install additional packages type "y"<br />
<li> Automatically check your results by running this command:</li><br />
: Installing Curl will allow you to check each of your labs for completion of some of the critical objectives of the lab work using a command in the "Checking your Work" section of the labs. This will usually be completed as the last step of the lab, but for this lab please run the following command now to check your work.<br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_01_revised.py | python3<br />
</nowiki></code><br />
<li>Close the SSH session</li><br />
: Type '''exit''' to close the connection while leaving your VM running.<br />
</ol><br />
<br />
==Safely Shutdown==<br />
'''''[https://www.youtube.com/watch?v=gLC1liwVJ8s&feature=youtu.be Video Tutorial - Safely Shutdown]'''''<br />
:We will normally leave our VM running but it is important that you know how to shut down a Linux system correctly, so this time we'll turn it off.<br />
<ol><br />
<li>Open a SSH session to your server</li><br />
: Connect in to your system using the remote SSH console method explained above.<br />
<li> Safely shut down your server</li><br />
:* Run the '''sudo shutdown -h now''' command at the command line to safely shut down the system.<br />
<code>sudo shutdown -h now</code><br />
: You should soon get a message that PuTTY has lost its connection. Click OK and then you can close the PuTTY window.<br />
<li>End NetLab Reservation</li><br />
: If you still have time left in your reservation in Netlab, it's polite to end the reservation so other users can work on the system; only a limited number of reservations can be made at one time. You can do this by logging into Netlab, opening your lab, clicking the "Reservation" menu at the top of the screen, and choosing "End Reservation Now", followed by confirming that you want to end the reservation.<br />
</ol><br />
<br />
=Checking your Work=<br />
<ol><br />
<li>This section will cover ways to manually check your work</li><br />
<ul>For this lab each section was tested in the process of the lab. You should have successfully connected an SSH session with PuTTY, and an FTP session with FileZilla.</ul><br />
<ul>You should have shut down your server in one of the last steps, so no further testing is necessary at this time.</ul><br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_01_revised.py | python3<br />
</nowiki></code><br />
<br><br />
</ol><br />
You can check your progress on any of the labs in the ITC-2480 course using a web app at this link: <br><br />
[http://webcheck.itc2480.campus.ihitc.net webcheck.itc2480.campus.ihitc.net]<br><br />
You must be logged into the campus VPN to use this application. <br><br />
In order to use the web app, follow the link and enter the username, password and IP Address for your Linux server into the form. The address must be on the 172.17.50.0/24 subnet or the app will make you re-enter it. When you've entered your credentials, click the Sign In button on the bottom. You should see a 3x4 grid of buttons with the names of each of the labs. Click the lab you want to check and the application will automatically run the check-script for that lab!</div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_12_mnjk&diff=9618Lab 12 mnjk2021-04-16T22:38:27Z<p>NateHaleen: /* Checking Your Work */</p>
<hr />
<div>=Introduction=<br />
In this lab you will learn about several Linux utilities which can be used for monitoring Linux and other systems for security and service uptime purposes.<br />
<br />
In this lab you will perform the following tasks:<br />
* Monitor connections with [https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/netstat netstat]<br />
* Scan for open ports using [https://nmap.org/ nmap]<br />
* Monitor services with [https://www.zabbix.com/ zabbix]<br />
<br />
You will be introduced to the following commands:<br />
*'''[https://linux.die.net/man/8/netstat netstat]'''<br />
*'''[https://linux.die.net/man/1/ps ps]'''<br />
*'''[https://linux.die.net/man/1/grep grep]'''<br />
*'''[https://linux.die.net/man/1/nmap nmap]'''<br />
<br />
=Lab Procedure=<br />
== Prerequisites ==<br />
# Open an SSH console to your Linux system using the PuTTY software and log in with your standard user account<br />
# The IP address of a partner's system which you have permission to portscan<br />
<br />
== Monitoring connections with netstat ==<br />
'''''[https://www.youtube.com/watch?v=51eo20xbSxs Video Tutorial - Monitoring Connections with Netstat]''''' <br><br />
One common activity when evaluating the security of a system is finding out which ports the system is accepting connections on. For this reason most operating systems have some kind of utility to display active network connections and open ports, and Linux is no exception. The netstat utility can show you currently active network connections as well as open ports on your local system. Take a look at the man page for the [https://linux.die.net/man/8/netstat '''netstat'''] command. Specifically, figure out what the ''-n -a -t -p'' and ''-u'' options do.<br />
<ol><br />
<li> Run the '''netstat''' command on your system and observe the output.</li><br />
<code>sudo netstat -natup</code><br />
* Try to identify what the purpose of each open port on your system is. There are many online guides to common uses for ports.<br />
<li> Use the '''sudo ps aux''' command (along with '''grep''') to match the PID (process ID) numbers of open ports shown in '''netstat -natup''' with specific processes on your system.</li><br />
<li> Connect to the IP address or domain name of your system through your web browser and re-run the '''netstat -natup''' command to see the TCP session established by your browser to download the website.</li><br />
<ul> You'll find that there are a number of ports open on your system. Some of these we have opened to provide a specific service such as SMTP, DNS, Webserver, etc., but some, such as the sunrpc port, are open simply by default on a fresh install. There are a number of different strategies you can use to secure your system, including disabling a service, binding it to an internal-only IP address, or blocking access with a firewall rule. If your firewall is set up with an implicit (or explicit) reject any rule at the bottom of the input chain and you have not specifically opened a port, it should not be accessible from other systems. How can we test that though? The '''netstat''' utility is useful for making a list of ports that are open on the system, but it does not show us how those ports react if someone outside actually tries to connect.</ul><br />
</ol><br />
<br />
== Scanning ports using nmap ==<br />
'''''[https://www.youtube.com/watch?v=DzxpMPtGsGM Video Tutorial - Scanning Ports with nmap]''''' <br><br />
The nmap Network Mapper utility is a very powerful security scanning utility available on Linux. While netstat uses information from the Linux kernel about what ports and connections are in use by what processes, nmap actively probes and tests ports on your system or another system to determine whether the port is open or not, as well as additional information about the port in some cases. Unlike netstat, nmap is not part of the default Debian installation, so you will need to install the nmap package before proceeding. nmap is complex and powerful. Entire [http://nmap.org/book/toc.html books] and [http://nmap.org/book/man.html extensive documentation] are available which you may want to reference, but we'll only be exploring some of the more basic features in this introduction.<br />
: ''NOTE: Before we begin this section of the lab it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning systems which they were not authorized to scan. You have been warned!''<br />
<ol><br />
<li> Make sure '''nmap''' is installed</li><br />
<code>sudo apt install nmap</code><br />
<li>'''nmap''' provides a system on the Internet which they allow you to scan for testing purposes so let's try a verbose scan which gives additional diagnostic detail.</li><br />
<code>nmap -v scanme.nmap.org</code><br />
* Review the output and then run the same command without the ''-v'' verbose option and compare the output you receive.<br />
<ul> When scanning your own system there are a few different ways to go about it. You could either scan the localhost address 127.0.0.1 or the actual outside IP address of your system. You could also set up a separate system or VM and do the scanning from that system. In each case you might see somewhat different results. Can you guess why?</ul><br />
* The answer is related to how you have firewall rules set up and what addresses you have services bound to. For example, by default on Debian systems the mySQL/MariaDB server daemon only listens for connections on the localhost address (127.0.0.1) and not on outside interfaces. Try running the '''nmap 127.0.0.1''' command and then compare output with the '''nmap <your outside ip address here>''' command. Do you see some network services listening only on the localhost address? These services are not accessible from outside your computer even though the ports are open and you would see them as open with '''netstat'''. This shows us some of the additional value of using '''nmap'''.<br />
<li> The most realistic use of '''nmap''' though is to scan like an attacker would using a system outside of the one you're testing. Use '''nmap''' to scan a partner's IP address in the class and take a look at some of the '''nmap''' documentation to try a few different types of scans on that system. If you would like you can also try scanning the entire ITC-2480 subnet (172.17.50.0/24) if you want to try some subnet scanning capabilities.</li><br />
<ul> Remember that in our case these systems are secure from the outside world because we have an upstream firewall which you have bypassed by connecting to our VPN and these systems are using unroutable private IPv4 addresses.</ul><br />
<li> '''nmap''' also supports scanning IPv6 addresses. Note that a running service is not necessarily listening on both IPv4 and IPv6 addresses just because you have them both active on your machine. Figure out how to scan IPv6 addresses with '''nmap''' and try scanning both an IPv4 and IPv6 address of your machine and compare the results. Use the same type of address (i.e. both IPv4 and IPv6 addresses should be the localhost addresses or should both be outside addresses). Are the same services open on both IPv4 and IPv6 on your system?</li><br />
</ol><br />
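The difference between scanning 127.0.0.1 and scanning the outside address can be predicted from '''netstat''' output before running '''nmap'''. The script below is an added example, not part of the original lab: it sorts listening sockets by bind address so you know which ports to confirm with a scan from another host. The sample output and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify listeners from `netstat -natup` output by bind address.
# On a real system feed it live data:  sudo netstat -natup | classify_listeners

# Constructed sample output (addresses, PIDs and programs are made up).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      845/mysqld
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/init
tcp        0      0 172.17.50.20:22         172.17.50.1:51514       ESTABLISHED 1502/sshd: student
tcp6       0      0 :::80                   :::*                    LISTEN      990/apache2
tcp6       0      0 ::1:25                  :::*                    LISTEN      1210/master
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1/init
udp        0      0 127.0.0.1:323           0.0.0.0:*                           702/chronyd
EOF
}

# Reads netstat output on stdin and prints one line per listening socket:
#   <scope> <proto>/<port> <pid> <program>
# scope is loopback-only, all-interfaces or single-address.
classify_listeners() {
  awk '
    # Listening TCP sockets show LISTEN in column 6; the owner is column 7.
    $1 ~ /^tcp/ && $6 == "LISTEN" { owner = $7 }
    # Unconnected UDP sockets have an empty state column, so the owner is column 6.
    $1 ~ /^udp/ && $5 ~ /:\*$/    { owner = $6 }
    # Headers and established sessions never set owner; skip them.
    owner == "" { next }
    {
      # Split "address:port" at the LAST colon so IPv6 forms such as ::1:25 work.
      match($4, /:[^:]*$/)
      addr = substr($4, 1, RSTART - 1)
      port = substr($4, RSTART + 1)
      if (addr ~ /^127\./ || addr == "::1")       scope = "loopback-only"
      else if (addr == "0.0.0.0" || addr == "::") scope = "all-interfaces"
      else                                        scope = "single-address"
      # Without sudo, netstat prints "-" instead of PID/Program.
      split(owner, p, "/")
      name = (p[2] == "" ? "-" : p[2])
      printf "%s %s/%s %s %s\n", scope, $1, port, p[1], name
      owner = ""
    }
  '
}

# Ports worth confirming with nmap from ANOTHER host: everything that is not
# bound to loopback. Whether they answer depends on the firewall rules, which
# netstat cannot see. A "::" listener usually accepts IPv4 as well on Linux.
scan_candidates() {
  classify_listeners | awk '$1 != "loopback-only" { print $2 }' | LC_ALL=C sort -u
}

sample_netstat | classify_listeners
```

Any port listed by <code>scan_candidates</code> that you did not intend to offer to other systems is a candidate for disabling the service, rebinding it to a loopback address, or blocking it with a firewall rule.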
<br />
== Monitoring Services and Graphing System Statistics with Zabbix==<br />
'''''[https://www.youtube.com/watch?v=fF5NNRJwLjg Video Tutorial - Monitoring with Zabbix]''''' <br><br />
In this section we will install Zabbix by following [https://www.zabbix.com/download?zabbix=5.0&os_distribution=debian&os_version=10_buster&db=mysql&ws=apache these instructions on the Zabbix site].<br />
<ol><br />
<li> Go to the instructions link above and scroll down to '''part 2'''. Start by installing the zabbix repository.</li><br />
<code>wget https://repo.zabbix.com/zabbix/5.0/debian/pool/main/z/zabbix-release/zabbix-release_5.0-1+buster_all.deb</code><br><br />
<code>dpkg -i zabbix-release_5.0-1+buster_all.deb</code><br><br />
<code>apt update</code><br />
<li>Install Zabbix server, frontend, agent</li><br />
<code>apt install zabbix-server-mysql zabbix-frontend-php zabbix-agent</code><br />
<li>Create a database, a user, and schema following the instructions on the same website.<br />
: ''NOTE: These instructions use the MySQL/MariaDB command line, if you prefer you can create the same database, user, and schema using the Webmin software but you'll have to translate the command line instructions into the actions required in Webmin.''<br />
<code>mysql -uroot -p</code><br><br />
<code>create database zabbix character set utf8 collate utf8_bin;</code><br><br />
<code>create user zabbix@localhost identified by 'password';</code><br><br />
* Replace password with a password you want to use. (Command needs the quotes so don't remove them).<br />
<code>grant all privileges on zabbix.* to zabbix@localhost;</code><br><br />
<code>quit;</code><br><br />
<li>On Zabbix server host import initial schema and data. You will be prompted to enter your newly created password used when setting up the mysql database.</li><br />
<code>zcat /usr/share/doc/zabbix-server-mysql*/create.sql.gz | mysql -uzabbix -p zabbix</code><br />
<li>Edit the server configuration file ( ''/etc/zabbix/zabbix_server.conf'' ) to include the correct database password used when you setup the database above. ( ''DBPassword=<password>'' )<br />
: [[File:DBPassword.png | 500px]]<br />
<li>Edit the Zabbix Apache configuration file ( ''/etc/zabbix/apache.conf'' ) to include the correct timezone. [https://www.php.net/manual/en/timezones.php A list of valid PHP timezones can be found here.] We will be using ''America/Chicago''.</li><br />
: [[File:Apache_timezone.png | 500px]]<br />
<li>Restart the server. Then set it to auto start on startup:</li><br />
<code>systemctl restart zabbix-server zabbix-agent apache2</code><br><br />
<code>systemctl enable zabbix-server zabbix-agent apache2</code><br />
<li>Access the Zabbix web application at http://yourserver/zabbix/ and complete the setup wizard. [https://www.zabbix.com/documentation/5.0/manual/installation/frontend Detailed instructions for completing the setup wizard can be found here on the Zabbix site.]</li> <br />
<ul> At the end of the setup wizard you may need to download a ''zabbix.conf.php'' and save it to ''/etc/zabbix/zabbix.conf.php'' on your system.</ul><br />
<li> Login to http://yourserver/zabbix/ (where yourserver is the IP address or DNS name for your system) with the username and password found [https://www.zabbix.com/documentation/5.0/manual/quickstart/login on the Zabbix site login instructions].</li><br />
: [[File:Enable_monitoring_zabbix.png | 500px]]<br />
<ul>The default superuser credentials are user name '''Admin''' with password '''zabbix'''.</ul><br />
<li> Enable monitoring of your Zabbix server host (''Configuration'' -> ''Hosts'')</li><br />
: [[File:Enable_monitoring_zabbix.png | 500px]]<br />
: ''NOTE: [https://www.zabbix.com/documentation/5.0/manual The Zabbix manual] may be helpful in completing these monitoring setup tasks.''<br />
* Add the templates to the host appropriate for the services we are running on the server (HTTP, IMAP, MySQL, SMTP, SSH)<br />
: [[File:Zabbix_templates.png | 500px]]<br />
* Explore some of the data available through Zabbix such as various graphs (''Monitoring'' -> ''Graphs''), Latest Data (''Monitoring'' -> ''Latest Data''), Screens (''Monitoring'' -> ''Screens''), and Events (''Monitoring'' -> ''Events'')<br />
* Try temporarily stopping some of the services on your system (to simulate a problem) such as the Postfix SMTP server, ''courier-imap'' server, etc. using the command line '''service''' command.<br />
* Re-check the data in Zabbix with the services turned off, are you alerted of the problems? Make sure to turn the services back on when you're done.<br />
: ''NOTE: Most services will not instantaneously show as down, the templates for the service probably check it once per minute or less so you may need to leave things down for a bit to see it in the Web UI.''<br />
* If you have additional time see if you can get email notifications of failed services working (see ''Administration'' -> ''Media Types'' -> ''Email'' and ''Configuration'' -> ''Actions'')<br />
</ol><br />
==Checking Your Work==<br />
<br />
<ol><br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_12_test.py | python3<br />
</nowiki></code><br />
</ol><br />
<br><br><br />
You can check your progress on any of the labs in the ITC-2480 course using a web app at this link: <br><br />
[http://webcheck.itc2480.campus.ihitc.net webcheck.itc2480.campus.ihitc.net]<br><br />
You must be logged into the campus VPN to use this application.</div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_11_mnjk&diff=9617Lab 11 mnjk2021-04-16T22:38:11Z<p>NateHaleen: /* Checking your Work */</p>
<hr />
<div>=Introduction=<br />
This lab assumes you know how to navigate through directories and create new files.<br />
<br />
In this lab you will perform the following tasks:<br />
*Explore [https://www.linux.com/news/discover-possibilities-proc-directory/ '''/proc'''], a directory containing the kernel runtime configuration and system information<br />
*Explore [https://tldp.org/LDP/sag/html/dev-fs.html '''/dev'''], a directory containing each device and interface attached to the system<br />
*Add a second hard drive to your Linux system<br />
*Mount a partition on your second drive<br />
*Check disk and file usage on your Linux system to verify the partitions and see how much disk space is being used.<br />
<br />
You will be introduced to the following commands:<br />
*'''[https://linux.die.net/man/8/lsusb lsusb]'''<br />
*'''[https://linux.die.net/man/8/lsmod lsmod]'''<br />
*'''[https://linux.die.net/man/1/uname uname]'''<br />
*'''[https://linux.die.net/man/8/lspci lspci]'''<br />
*'''[https://linux.die.net/man/8/dmesg dmesg]'''<br />
*'''[https://linux.die.net/man/8/cfdisk cfdisk]'''<br />
*'''[https://linux.die.net/man/8/mkfs.ext4 mkfs.ext4]'''<br />
*'''[https://linux.die.net/man/8/mkfs.btrfs mkfs.btrfs]'''<br />
*'''[https://linux.die.net/man/8/mount mount]'''<br />
*'''[https://linux.die.net/man/1/df df]'''<br />
*'''[https://linux.die.net/man/1/du du]'''<br />
<br />
=Lab Procedure=<br />
== Prerequisites ==<br />
: You need to be able to open an SSH console to your Linux system using the PuTTY software.<br />
: You should login with your standard user account.<br />
<br />
== Exploring /proc ==<br />
'''''[https://www.youtube.com/watch?v=NeYKHyV4nss&feature=youtu.be Video Tutorial - Exploring /proc]''''' <br><br />
<ol><br />
<li> Enter the '''/proc''' directory on your VM. </li><br />
: '''/proc''' is a very special folder, as it is a virtual filesystem. It's sometimes referred to as a process information pseudo-filesystem. The reason for calling it a pseudo-filesystem is that all of the "files" in ''/proc'' are not really files at all, but kernel runtime configuration and system information.<br />
<li> Use '''cat cpuinfo''' to view the contents of the '''/proc/cpuinfo''' "file". </li><br />
: Notice how the output tells you information about the CPU that is running the VM. This isn't actually a file at all; you are essentially asking the kernel to provide information about the CPU it's running on, which it gathers in real time. '''/proc''' is used not only to get hardware and kernel information, but it can also be used to tweak kernel settings while the system is running in a way similar to some Windows Registry edits. Look back on '''[[Lab_10_mnjk#Enable_Routing|Lab 10]]''' and notice how we echoed a "1" to a "file" in '''/proc''' to enable packet forwarding without rebooting the system.<br />
: There are a few files in '''/proc''' you should get to know:<br />
: '''/proc/cpuinfo''' = Shows you the CPU info for your machine.<br />
: '''/proc/modules''' = Shows you the currently enabled kernel modules that are active on your kernel.<br />
: '''/proc/cmdline''' = Shows you the boot arguments used to boot your kernel.<br />
: '''/proc/version''' = Shows you your kernel version.<br />
: It is important to note that some of these files have commands tied to them that can give you similar information but often formatted in a different way. For example:<br />
: '''lsmod''' = '''/proc/modules'''<br />
: '''mount''' = '''/proc/mounts'''<br />
: '''uname -a''' = '''/proc/version'''<br />
: Normally it is best to use the command version to lookup the information as it is normally formatted to be easier to read and understand.<br />
<li> Explore all of these files and commands and find the differences between the command line and file output versions as well as what types of information are available. </li><br />
</ol><br />
<br />
== Exploring /dev ==<br />
'''''[https://www.youtube.com/watch?v=ocBxRBH_6Js&feature=youtu.be Video Tutorial - Exploring /dev]''''' <br><br />
<ol><br />
<li> Change directories to '''/dev''' and list the "files". </li><br />
:Notice there are A LOT, but don't worry, there is organization in the mess. Each "file", like in '''/proc''', is actually a device or interface on the machine so '''/dev''' is actually another pseudo-filesystem. Here is a list of the most common interfaces you will see:<br />
: '''/dev/sd*''' = SATA Hard Drives<br />
: '''/dev/hd*''' = IDE Hard Drives<br />
: '''/dev/vd*''' = VirtIO (Virtualized) Hard Drives<br />
: '''/dev/ttyS*''' = Serial Interfaces on your PC.<br />
: '''/dev/tty*''' = Virtual Consoles, similar to the one you are using to enter commands. Mostly used by background programs or services.<br />
There are also some commands you should learn that will help you with detecting, and looking up devices:<br />
: '''lsusb''' = List USB Devices (Bus, Device, ID, and advertised vendor)<br />
:: ''NOTE: Many virtual machines do not include a virtual USB controller which means the USB drivers and software including '''lsusb''' are not installed.''<br />
: '''lspci''' = List PCI Devices (Bus, Type, Advertised Name, Revision)<br />
: '''dmesg''' = Display or Driver Message. This shows kernel messages that are normally linked to adding, or removing devices.<br />
</ol><br />
<br />
== Partitioning a Second Disk ==<br />
'''''[https://www.youtube.com/watch?v=mK6zetYou0A&feature=youtu.be Video Tutorial - Partitioning A Second Disk]''''' <br><br />
<br />
As you may have noticed when exploring '''/dev''', our VM setup uses '''sd''' devices for hard drives. Drives are identified by a letter such as '''sda''', '''sdb''', '''sdc''', etc. for the first, second, and third SATA drives on a system (including HDDs, CD/DVDs, SSDs, etc.). Each partition on the drive is then given a number starting with 0 for the first partition. So for the first partition on the first disk, the full identifier for the partition would be '''/dev/sda0'''.<br />
You may also have noticed there is an '''sdb''' that currently has no partitions. We are going to divide this drive into 2 partitions, format them, and then set up automatic mounting of the partitions.<br />
<ol><br />
<li> To start, run the following as root:<br />
<br><br />
<code>cfdisk /dev/sdb</code> </li><br />
:'''cfdisk''' is a graphical version of '''fdisk''', which is a tool used to setup disk partitioning. Note that '''fdisk''' or any other partitioning software only sets up the MBR, and does not actually format the drive even though you can set a partition type identifier such as '''fat32''', '''Linux''', etc. Also notice how we tell '''cfdisk''' what drive we want to edit the partition on by appending the drive device "file" to the end of the command.<br />
:[[file:Cfdisk-first-screen.png | link= https://wiki.ihitc.net/mediawiki/images/8/8e/Cfdisk-first-screen.png | 500px]]<br />
:[[media:Cfdisk-first-screen.png | Click for Larger Image]]<br />
: Because our new drives contain no existing partitions we are asked what type of partition table to create. <br />
<li> Choose to create a '''dos''' (aka MBR) style partition table. </li><br />
: Although this is an older style partition table it is well supported by many operating systems and BIOSes. The primary benefit of the newer GPT style tables is their ability to work with very large drives.<br />
<li> Once in '''cfdisk''', Select the '''New''' option. </li><br />
<li> Set the size close to '''5GB'''. </li><br />
: It does not need to be exact.<br />
<li> Now select '''primary''' as we are making a primary MBR partition. </li><br />
<li> Use the arrow keys to go down to the remaining '''Free Space''' on the drive, and press enter to again select '''New'''. </li><br />
<li> Create another '''primary''' partition, and set the size to about '''2GB'''. </li><br />
: At this point we should have two partitions, one named ''sdb1'' with a size of about 5GB (the program will round down to the closest boundary), and ''sdb2'' which takes up the next 2GB or so of the drive. <br />
<li> Use the arrow keys to select the '''Write''' option, and press '''enter'''. </li><br />
: You will be warned that this will write the table to the disk. Enter '''yes''', and press '''enter''' again to confirm.<br />
:: ''NOTE: If, on the bottom of the screen, you see "The partition table has been altered", you have successfully written the MBR to the drive.''<br />
<li> Navigate to '''Quit''' to exit the program.</li><br />
<li> From the command line run the following:<br />
<br><br />
<code>ls -al /dev/sd*</code>. </li><br />
: Notice how you can now see both of the new partitions, '''sdb1''' and '''sdb2''' in the listing. This means the partition device "files" have been created and you are ready to format the partitions with a filesystem.<br />
: The first partition will be formatted as '''ext4''', and the second partition will be formatted as '''btrfs'''. Both filesystems (as well as many others) are commonly used on Linux systems. For more information on the differences and similarities between '''btrfs''' and '''ext4''', refer to your book or Google.<br />
: To create the '''ext4''' partition, we will use the '''mkfs.ext4''' command. <br />
<li> As root, run the following command<br />
<br><br />
<code>mkfs.ext4 /dev/sdb1</code>. </li><br />
: This will format the partition as '''ext4''' with no label. If you would like to label the partition, look into the options of '''mkfs.ext4''' using '''man mkfs.ext4'''.<br />
: Before formatting the other partition as '''btrfs''' we need to install some tools. <br />
<li> The required tools are part of the '''btrfs-tools''' software package so install that package at this time.<br />
: ''NOTE: If you have issues with installing packages, check your firewall rules you created in a previous lab and ensure your Internet access is working properly from the VM.''</li><br />
<li> To format the second partition as a '''btrfs''' filesystem partition we will run the following:<br />
<br><br />
<code>mkfs.btrfs /dev/sdb2</code><br />
: Just like before, we need to tell the '''mkfs.btrfs''' command what partition to format by including that on the command line. </li><br />
</ol><br />
<br />
:There are many other options that can be set for specific filesystems during the formatting process. For example, many newer large drives use 4096 byte "Advanced Format" sectors instead of the traditional 512 byte hard drive sectors. Using these disks most efficiently requires adjusting the sector size during the format process to match the physical sector size on the disk. Other features and filesystems include the ability to take snapshots of the drive for backups. The full details of all the options, settings, and filesystems available in Linux is beyond the scope of this course. Suffice it to say that Linux systems with a need for high speed I/O from disks or other specialized features are finely tuned.<br />
<br />
:As a Linux system administrator at a minimum you should be familiar with the basic formatting of drives in the most common '''ext3''', '''ext4''', '''btrfs''', and '''fat''' (32) filesystems. Even though the FAT filesystem is not native to Linux (it doesn't have important features like user and group ownership) it is important as it is a cross platform filesystem commonly used to share files on thumb drives, external hard drives, or dual boot systems with MacOS or Windows users.<br />
<br />
:Once your two partitions are formatted they need to be '''mounted''' to the filesystem structure so that we can begin using them for file storage.<br />
<br />
== Mounting Partitions == <br />
'''''[https://www.youtube.com/watch?v=A0_6mPsuHbM&feature=youtu.be Video Tutorial - Mounting Partitions]''''' <br><br />
There are two main ways to mount disks in Linux. One is done manually, and the other is to set up mounting at boot. Manual mounting is typically done for either temporary access to drives such as CD/DVDs, thumb drives, external hard drives, or to access a newly created partition before rebooting the system. Automatic mounting is done during the boot process so that you have immediate access to the drive once the system is booted.<br />
<br />
To start, we will learn how to manually mount a partition. <br />
<ol><br />
<li> Change into the '''/mnt''' directory and then create a new directory named '''part1'''. </li><br />
: This will become the location where we will mount our '''/dev/sdb1''' partition and be able to save files to it.<br />
<li> Enter the '''part1''' directory and create a new empty file (remember the '''touch''' command?) named '''unmounted'''. </li><br />
: Because we have not yet mounted '''/dev/sdb1''' this file will be stored on our existing partition (''/dev/sda1'').<br />
<li> Go back to the '''/mnt''' parent directory. </li><br />
<li> Run the following as root:<br />
<br><br />
<code>mount /dev/sdb1 /mnt/part1</code> </li><br />
: This command will mount, or attach, '''/dev/sdb1''' to the filesystem location '''/mnt/part1''' and everything stored in that "directory" from this point on will actually be saved onto the first partition of the second SATA drive.<br />
<li> Go back into the '''part1''' directory and try listing the files. </li><br />
:[[file:Ls-part1-mounted.png | link= https://wiki.ihitc.net/mediawiki/images/2/22/Ls-part1-mounted.png | 500px]]<br />
:[[media:Ls-part1-mounted.png | Click for Larger Image]]<br />
<br />
: Notice how the '''unmounted''' file you made appears to no longer exist. This is because the '''part1''' "directory" is now being used as the mount point for the first partition on '''sdb''' and we haven't yet saved any files onto '''sdb1'''.<br />
<li> You can see a list of all storage devices currently mounted on the system by simply running the command '''mount''' without any options. Try doing this and verify that the newly mounted partition is showing in the list.</li><br />
<li> Change back to the '''/mnt''' directory and unmount the partition by running the following command<br />
<br><br />
<code>umount /mnt/part1</code> </li><br />
<li> Again list the contents of the ''part1'' directory. </li><br />
: Notice how the '''unmounted''' file is back. The file never really went away, but it was not accessible while the other partition was mounted on the '''part1''' directory. When a drive is mounted on a directory, it overlays on top of any files in the directory, but it does not delete or touch the files on the original disk.<br />
<li> Make a directory named '''btrfs''' in '''/mnt'''. Once created, using the file editor of your choice, open the '''/etc/fstab''' file.</li><br />
:[[file:Fstab.png | link= https://wiki.ihitc.net/mediawiki/images/c/c0/Fstab.png | 500px]]<br />
:[[media:Fstab.png | Click for Larger Image]]<br />
: The '''fstab''' file is used to tell a Linux system what drives and partitions it should mount at boot, as well as any mount options and where to mount the partitions. <br />
<li> On the bottom of the file, add the following: </li><br />
<pre>/dev/sdb1 /mnt/part1 ext4 defaults 0 0<br />
/dev/sdb2 /mnt/btrfs btrfs defaults 0 0</pre><br />
:: Adding these lines will indicate both partitions should be mounted at boot to the directories we created. To mount the partitions without rebooting or entering individual mount commands, we can just run '''mount -a''' which will load and mount all partitions in the '''fstab''' file. <br />
<li> Run the following command now and verify both partitions are mounted:<br />
<br><br />
<code>mount -a</code></li><br />
</ol><br />
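After editing '''/etc/fstab''' and running '''mount -a''', each entry can be compared against what the kernel reports as mounted. The script below is an added example, not part of the original lab: it checks every '''fstab''' entry against '''/proc/mounts''' by mount point and filesystem type. The sample file contents, the UUID values and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which /etc/fstab entries are actually mounted.
# On a real system run:  check_fstab /proc/mounts /etc/fstab

# Constructed sample fstab. The root and swap entries are assumed; the last
# two lines are the ones added in this lab.
sample_fstab() {
cat <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
UUID=1111-constructed /           ext4  errors=remount-ro 0 1
UUID=2222-constructed none        swap  sw                0 0
/dev/sdb1             /mnt/part1  ext4  defaults          0 0
/dev/sdb2             /mnt/btrfs  btrfs defaults          0 0
EOF
}

# Constructed sample /proc/mounts from a system where sdb2 is not mounted yet.
sample_mounts() {
cat <<'EOF'
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /mnt/part1 ext4 rw,relatime 0 0
EOF
}

# usage: check_fstab MOUNTS_FILE FSTAB_FILE
# Prints one status line per fstab entry. Entries are matched by mount point
# rather than device name, because fstab may use UUID= or LABEL= while
# /proc/mounts shows the resolved device.
check_fstab() {
  awk '
    # First file (mounts): remember the filesystem type at each mount point.
    NR == FNR { fstype[$2] = $3; next }
    # Second file (fstab): skip comments and blank lines.
    /^[ \t]*(#|$)/ { next }
    # A usable entry needs at least device, mount point, type and options.
    NF < 4 { print "MALFORMED line " FNR; next }
    # Swap has no mount point in the directory tree.
    $2 == "none" || $3 == "swap" { next }
    !($2 in fstype) { print "NOT-MOUNTED", $2, $3; next }
    # "auto" lets mount detect the type, so any mounted type is acceptable.
    $3 != "auto" && fstype[$2] != $3 {
      print "WRONG-FSTYPE", $2, "expected " $3 ", found " fstype[$2]; next
    }
    { print "OK", $2, $3 }
  ' "$1" "$2"
}

# Runs the check against the constructed samples using temporary files.
run_sample() {
  dir=$(mktemp -d) || return 1
  sample_mounts > "$dir/mounts"
  sample_fstab  > "$dir/fstab"
  check_fstab "$dir/mounts" "$dir/fstab"
  rm -rf "$dir"
}

run_sample
```

On the sample data the '''/mnt/btrfs''' entry is reported as NOT-MOUNTED, which is what you would see if the '''fstab''' line was added but '''mount -a''' had not been run or had failed for that entry.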
<br />
== Disk and File Usage ==<br />
'''''[https://www.youtube.com/watch?v=CU0BT718ifA&feature=youtu.be Video Tutorial - Disk and File Usage]''''' <br><br />
: Another way to verify the partitions which are mounted and to see how much disk space is used on each is to use the '''df''' command. <br />
<ol><br />
<li> Run '''df''', you should see something similar to this at the bottom of the output:</li><br />
:[[file:Df.png | link= https://wiki.ihitc.net/mediawiki/images/1/19/Df.png | 500px]]<br />
:[[media:Df.png | Click for Larger Image]]<br />
<br />
: This indicates that the two partitions are mounted properly to the folders we created earlier. '''df''' is a powerful command as not only will it show you what is mounted where, but it also shows you how much disk space is used and how much space is left.<br />
: The '''df''' command doesn't give the most easily readable disk or usage sizes by default. <br />
<li> Add the '''-h''' option to the command line to change the output to a "human readable" format and see what it looks like.<br />
<br><br />
<code>df -h</code> </li><br />
<li> Now, '''cd''' into '''/mnt/part1''' so you are on the ext4 partition you created. Then as root, run the following command:<br />
<br><br />
<code>cp -r /var/log ./</code> </li><br />
<li> '''cd''' into the ''log'' folder, and run the following:<br />
<br><br />
<code> du -h</code> </li><br />
: '''du''' is a command that allows you to view file usage in a tree format. Just like with '''df''' the '''-h''' flag tells '''du''' to output the usage in a "human readable" format, while the '''-a''' flag tells it to show you the results for all files, and not just for folders.<br />
<li> Read the '''man du''' page and play around with using the '''du''' command across the file system. </li><br />
: How much data is the /etc/ folder taking up on your Linux system? What directories are the biggest?<br />
</ol><br />
<br />
=Checking your Work=<br />
<ol><br />
<li> Run '''ls -al /mnt/part1''', does it look like this? </li><br />
:[[file:Ls-part1-mounted.png | link= https://wiki.ihitc.net/mediawiki/images/2/22/Ls-part1-mounted.png | 500px]]<br />
:[[media:Ls-part1-mounted.png | Click for Larger Image]]<br />
<li> Run '''ls -al /mnt/btrfs''', does it look like this? </li><br />
:[[file:Ls-btrfs-mounted.png | link= https://wiki.ihitc.net/mediawiki/images/5/57/Ls-btrfs-mounted.png | 500px]]<br />
:[[media:Ls-btrfs-mounted.png | Click for Larger Image]]<br />
<li> Run '''df''', does it look like this? </li><br />
:[[file:Df.png | link= https://wiki.ihitc.net/mediawiki/images/1/19/Df.png | 500px]]<br />
:[[media:Df.png | Click for Larger Image]]<br />
: If your output matches the screenshots, you have successfully completed the lab!<br />
<br />
<br><br><br />
<br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_11_test.py | python3<br />
</nowiki></code><br />
<br />
</ol><br />
<br><br><br />
You can check your progress on any of the labs in the ITC-2480 course from a webapp from this link: <br><br />
[http://webcheck.itc2480.campus.ihitc.net webcheck.itc2480.campus.ihitc.net]<br><br />
You must be logged into the campus VPN to use this application.</div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_10_mnjk&diff=9616Lab 10 mnjk2021-04-16T22:37:47Z<p>NateHaleen: /* Checking your Work */</p>
<hr />
<div>=Introduction=<br />
This lab assumes you have successfully set up [[Lab_8_mnjk#Install_BIND_.26_Enable_Caching | DNS]] and [[Lab_9_mnjk#Install_the_Postfix_MTA |email]]. If you had any issues with those labs, you should resolve them before attempting this lab, since you will be unable to properly test the tasks in this lab if those are not fully functional.<br />
<br />
In this lab you will perform the following tasks:<br />
*Configuring a [https://firewalld.org/ Firewall]<br />
*Enabling a 2nd interface<br />
*Configuring [https://en.wikipedia.org/wiki/Network_address_translation NAT]<br />
*Setting up [https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol DHCP]<br />
*Installing [https://linuxmint.com/ Linux Mint] on a second VM<br />
*Enabling [https://en.wikipedia.org/wiki/Port_forwarding Port Forwarding]<br />
<br />
You will be introduced to the following commands:<br />
*'''[https://firewalld.org/documentation/man-pages/firewall-cmd.html firewall-cmd]'''<br />
*'''[https://linux.die.net/man/1/echo echo]'''<br />
*'''[https://linux.die.net/man/8/ifconfig ifconfig]'''<br />
<br />
NOTE: This lab does NOT have embedded videos.<br />
<br />
=Lab Procedure=<br />
== Prerequisites ==<br />
# Open an SSH console to your Linux system using the PuTTY software.<br />
# Login with your standard user account.<br />
# Have a browser window set to the webmin interface for your linux VM.<br />
<br />
== Configure a Firewall ==<br />
''NOTE: It is suggested that instead of managing a firewall directly using nftables tools (which would also require us to create a script to reload our rules each time the system is restarted) we use a firewall daemon program to manage it based on a set of rules we create and automatically setup the firewall based on those rules each time the system boots. There are many command line firewall management programs out there but for this lab we will use the [https://firewalld.org/ firewalld] package suggested by Debian. ''<br />
<ol><br />
<li>Begin by installing the ''firewalld'' package on your system.</li><br />
<li>First, let's check to see if the firewall is now up and running using the following command:</li><br />
<code>firewall-cmd --state</code><br />
: The firewall has been pre-configured with a couple of rules in it to prevent us from getting locked out. <br />
: [[File:Lab10_firewalld_state.png | link=https://wiki.ihitc.net/mediawiki/images/1/11/Lab10_firewalld_state.png|500px]]<br />
: [[Media:Lab10_firewalld_state.png | Click for larger image]]<br />
<li>Let's see what those rules are by using this command: </li><br />
<code>firewall-cmd --list-all</code><br />
: [[File:Lab10_firewalld_initial_rules.png | link=https://wiki.ihitc.net/mediawiki/images/1/14/Lab10_firewalld_initial_rules.png|500px]]<br />
: [[Media:Lab10_firewalld_initial_rules.png | Click for larger image]]<br />
: By default all interfaces are in the public zone (this is set in the ''/etc/firewalld/firewalld.conf'' file). <br />
: Before we start working on rules for our firewall we should assign our outside interface to the external zone which is designed for NAT routing which we'll be setting up shortly. <br />
<li> We can do this with the command:</li><br />
<code>firewall-cmd --zone=external --add-interface=ens192</code><br />
: We can create custom zones or use pre-defined security zones which will speed up configuring the firewall. Learn more about the [https://firewalld.org/documentation/zone/predefined-zones.html pre-defined zones in firewalld documentation].<br />
<li>Since we have changed zones on our interface let's check and see what rules we have started with. Let's see what those rules are:</li><br />
<code>firewall-cmd --zone=external --list-all</code><br />
: ''NOTE: You can also use the '''firewall-cmd --list-all-zones''' command to see a list of all available zones and their rules.''<br />
: If you were watching carefully you may have noted that the dhcpv6-client service, which was allowed in the public zone, is not allowed by default on the external zone. <br />
<li>In our case we want to allow DHCPv6 to operate on our outside interface so we can re-enable it with the following command: </li><br />
<code> firewall-cmd --zone=external --add-service="dhcpv6-client"</code><br />
<li>Check to see what other services can be allowed on an interface with:</li><br />
<code>firewall-cmd --get-services</code><br />
: If you check you will see that although you can connect with ssh (by default it's on the allowed service list you saw above) you can't connect to your webserver or Webmin anymore. Webmin is not a pre-defined service in the list we saw above so we could either set it up as a new service and then allow it or we could create a manual rule to allow the TCP traffic on port 10000 needed to access Webmin. In this case because the service only uses a single port and to see how manual rules can be created let's manually create a rule to allow access to TCP port 10000. <br />
<li>Do this by running this command: </li><br />
<code>firewall-cmd --zone=external --add-port=10000/tcp </code><br />
:You should now be able to access Webmin again.<br />
<li> Using either service rules or manual port rules create additional rules so that the other services on your VM are again accessible from the outside (such as from your home PC over the VPN). </li><br />
:''HINT: Services we have setup so far include SSH, DNS, SMTP, IMAP, Samba, and HTTP.''<br />
: Make sure to test and ensure they are all working again!<br />
<li> Once you are satisfied your firewall is running correctly you can use the following command to set these rules to automatically load each time the system is started.</li><br />
<code> firewall-cmd --runtime-to-permanent </code><br />
</ol><br />
<br />
== Setup a 2nd NIC Interface ==<br />
To start this lab we will need to configure a second network interface, named ens224, on our virtual machines. In our simulated setup our existing ens192 interface will be our WAN interface and ens224 will be our LAN interface, which could be connected to a switch and then to multiple other computers, allowing them to connect to the Internet through our server.<br />
<ol><br />
<li> Open ''/etc/network/interfaces'' with your favorite text editor. </li><br />
* Go to the bottom of the file.<br />
: [[File:Lab10_network_interfaces_before.png | link=https://wiki.ihitc.net/mediawiki/images/f/f8/Lab10_network_interfaces_before.png|500px]]<br />
: [[Media:Lab10_network_interfaces_before.png | Click for larger image]]<br />
* Add the following to configure the second interface with a static IP of 192.168.1.1/24:<br />
<pre>auto ens224<br />
iface ens224 inet static<br />
address 192.168.1.1<br />
netmask 255.255.255.0</pre></li><br />
<br />
: [[File:Lab10_network_interfaces_after.png | link=https://wiki.ihitc.net/mediawiki/images/8/80/Lab10_network_interfaces_after.png|500px]]<br />
: [[Media:Lab10_network_interfaces_after.png | Click for larger image]]<br />
: ''NOTE: As this is a LAN only interface, we do not need to define a gateway for the server VM, as the server VM itself will be the gateway for this network.''<br />
<li>Once this is done, save the file.</li><br />
<li> Run the following command to enable the new interface.</li><br />
<code>ifup ens224</code><br />
<li>Verify the second interface is up and running with the correct IP address</li><br />
</ol><br />
<br />
== Enable Routing ==<br />
Now we will need to enable NAT so we can route LAN traffic to the Internet and responding Internet traffic back to our LAN interface.<br />
<ol><br />
<li>In your console, you will need to edit ''/etc/sysctl.conf''. This file is used to change and tweak multiple system variables. </li><br />
* Scroll down until you find the following:<br />
<pre># Uncomment the next line to enable packet forwarding for IPv4<br />
#net.ipv4.ip_forward=1<br />
</pre><br />
* Follow the instructions in the file to enable packet forwarding in the kernel. <br />
: [[File:Lab10_sysctl_after.png | link=https://wiki.ihitc.net/mediawiki/images/1/1e/Lab10_sysctl_after.png|500px]]<br />
: [[Media:Lab10_sysctl_after.png | Click for larger image]]<br />
* When you are done, save the file.<br />
: Changes to the ''sysctl.conf'' file require a reboot, but most can be set without a reboot by echoing values to "files" in ''/proc''. <br />
<li> We will get into that more in a later chapter, but for now run the following command to enable ip_forwarding without rebooting the machine: </li><br />
<code>echo 1 > /proc/sys/net/ipv4/ip_forward</code><br />
: ''NOTE: If you are receiving an error when trying to run that command it's likely that the user you are running it as does not have permission to modify the '''/proc/sys/net/ipv4/ip_forward''' file (check the permissions by using '''ls'''). Read [http://stackoverflow.com/questions/82256/how-do-i-use-sudo-to-redirect-output-to-a-location-i-dont-have-permission-to-wr this similar question] for more details and possible solutions.''<br />
</ol><br />
<br />
== Setup a DHCP Server ==<br />
To setup a DHCP server, we will first need to install the required software. <br />
<ol><br />
<li>In your SSH console use your favorite package manager to install the ''isc-dhcp-server'' package.</li><br />
: After you install the package you may get a warning about ''isc-dhcp-server'' being unable to start. This is normal as we have yet to define the interface and settings we want used.<br />
<li>Now back in Webmin, select the Refresh Modules option.</li><br />
* After it is done, go to Servers, then DHCP Server<br />
: Before we define our DHCP range, we need to set our listening interface. <br />
* Click on the ''Edit Network Interface'' option. <br />
*Select ''ens224''. <br />
* Press save.<br />
<li>Now under Subnets and Shared Networks, select Add a new subnet. </li><br />
* Use the following settings:<br />
<pre>Subnet description: LAN DHCP Range<br />
Network Address: 192.168.1.0<br />
Netmask: 255.255.255.0<br />
Address Ranges: 192.168.1.100-192.168.1.254</pre><br />
: [[File:Lab10_webmin_dhcp_create_subnet.png | link=https://wiki.ihitc.net/mediawiki/images/4/4e/Lab10_webmin_dhcp_create_subnet.png|500px]]<br />
: [[Media:Lab10_webmin_dhcp_create_subnet.png | Click for larger image]]<br />
* When you are done, press Create. <br />
* Now, click on the network you just created to review the settings, then press Edit Client Options at the bottom.<br />
: From here we will setup the default gateway and DNS servers for the clients to use. <br />
<li> Under Default Routers, set the option to 192.168.1.1.</li><br />
* Under DNS servers, set it to 192.168.1.1. <br />
: [[File:Lab10_webmin_dhcp_client_options.png | link=https://wiki.ihitc.net/mediawiki/images/d/d7/Lab10_webmin_dhcp_client_options.png|500px]]<br />
: [[Media:Lab10_webmin_dhcp_client_options.png | Click for larger image]]<br />
: Notice how we are setting these options to the IP of ens224 that we setup. This is because our Linux VM will act as the router and DNS for our clients as well.<br />
* When you are done, press save<br />
* Then on the Edit Subnet page, press save again.<br />
<li>Now that you are back on the DHCP server page, press the Start Server button.</li><br />
: If all goes well, the button should change to "Stop Server". If this does not happen, then the server was unable to start. If that happens, re-check your DHCP server configurations to make sure everything is correct.<br />
</ol><br />
<br />
== Enabling NAT and Firewall Rules for the LAN ==<br />
Now we will use firewalld to setup NAT so that we can use private addresses on our internal LAN but still have access to the public Internet. <br />
<ol><br />
<li>First, let's set our ens224 interface (LAN) to be in the internal zone with the following command.</li><br />
<code>firewall-cmd --zone=internal --add-interface=ens224</code><br />
<li>You should now take a minute to allow all of the same services and ports on the internal network that you have allowed on the external network. </li><br />
:In other words, make sure that Webmin, Samba, DNS, etc. are also allowed on the internal zone.<br />
:In order to activate NAT you need to turn on the "masquerade" feature on your outside interface. This is probably already done if you correctly assigned your outside interface to the pre-defined external zone (it's one of the features of that zone). <br />
: ''HINT: you can do this manually as well in case you setup a custom zone by running the '''firewall-cmd --add-masquerade --zone=external''' command.''<br />
: While routing and NAT should now be working for hosts on your LAN interface, they probably still can't get an IP address! Just like all the other services being blocked by the firewall, DHCP is also blocked unless you specifically allow it. <br />
<li>To do this run the following command:</li><br />
<code>firewall-cmd --add-service=dhcp --zone=internal</code><br />
<li>Once you are satisfied your firewall is running correctly you can use this command to set these rules to automatically load each time the system is started.</li><br />
<code>firewall-cmd --runtime-to-permanent</code></ol><br />
<br />
== Setup a 2nd VM as a LAN Host ==<br />
Now we are going to setup a 2nd VM on the VMware server so we can have a client to connect to the LAN network segment we just created. For this though, we will be using Linux Mint instead of Debian so we have a graphical user interface to help us with testing.<br />
<ol><br />
<li> You'll need to make a Netlab reservation to work with your Mint system's GUI so go ahead and do that. </li><br />
* Enter the lab on Netlab<br />
* Click the "Linux Desktop" tab to access your Mint machine.<br />
: The VM should be booting from a Linux Mint virtual CD image. <br />
<li> Get Linux Mint installed using the link on the desktop.</li><br />
: Installation settings are not critical as we'll be using the system primarily to explore a Linux GUI and to test web browsing capability from our private network.<br />
: [[File:Lab10_linux_mint_desktop.png | link=https://wiki.ihitc.net/mediawiki/images/f/f1/Lab10_linux_mint_desktop.png|500px]]<br />
: [[Media:Lab10_linux_mint_desktop.png | Click for larger image]]<br />
: ''NOTE: By default Linux Mint will boot into a "Live CD" environment where you can use the system without installing. However, the Live CD environment is much slower and memory limited compared with a full installation to the hard drive so be sure to start an installation and reboot into the installed copy instead of from the Live CD. You will know you're working from an installed copy if you are prompted for your username and password when logging in and don't see a link on the desktop to Install Linux Mint anymore.''<br />
<li> Once you have Linux Mint installed, reboot the machine and login. </li><br />
: Hopefully the machine is able to connect to the Internet through your Debian server which is acting as a DHCP server and router (see the topology diagram tab in Netlab to see a diagram of how they are connected).<br />
<li> Press the Menu icon in the lower left corner, and enter "Terminal". </li><br />
* Then, open the terminal application.<br />
<li> You now have a shell on the system. From here, use the following command to check your network settings. </li><br />
<code>ip address show</code><br />
: Notice how you have an IP from the DHCP pool we created earlier. <br />
<li> Now try pinging ''172.17.50.1''. </li><br />
: Are you able to ping? If so, NAT is working properly on your network because the 172.17.50.0/24 network is outside of the LAN segment this machine is attached to (192.168.1.0/24).<br />
: ''NOTE: Notice how some Linux distributions like Mint haven't switched from the old naming of network interfaces with ''eth'' to the new ''ens'' style. You can also try using the older '''ifconfig''' way of checking the IP address and compare the output to the new '''ip address show''' method which we have been using so far in Debian.''<br />
<li> Now run '''ping google.com'''. </li><br />
: If you are able to ping, this shows that not only is NAT working, but DNS resolving as well.<br />
<li> Open a web browser on the system (you can use a graphical browser this time since you have a GUI) and test browsing to a few websites.</li><br />
: At this point we have a fully functional LAN environment.<br />
<li> In order to allow automatic safe shutdown of your Linux Mint system and improve speed/efficiency use the package manager to install the ''open-vm-tools-desktop'' package. </li><br />
:This provides better drivers and integration between the VMware host which is running your Linux Mint virtual machine and the virtual machine itself.<br />
<li> Finally, in the next section we'll be setting up SSH access to Mint through the Firewall so you'll want to install the ''openssh-server'' package through the package manager. </li><br />
: Once you've done this you should be able to use the ssh program on the command line in Debian to access your Mint system like '''ssh mintusername@192.168.1.x''' where you are using a valid username on the Mint system and the IP address of the Mint system.<br />
<li> Spend a few more minutes exploring the functionality of the Linux GUI and desktop.</li></ol><br />
<br />
== Port Forwarding and Firewalling ==<br />
Now we are going to enable port forwarding to our VM. This will allow you to access the 2nd VM from the ITC network and VPN.<br />
Because we are already using port 22 on our outside interface to provide SSH access to our main Debian system we need to use a different port to access the Mint system. Instead of changing the port number in the SSH server software on Mint we can have our firewall do it at the same time the NAT masquerading is occurring. <br />
<ol><br />
<li>Set up a rule by running the following command:</li><br />
<code>firewall-cmd --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=192.168.1.100 --zone=external</code><br />
:NOTE: this rule is a little unstable because it forwards the port to 192.168.1.100 which is currently the IP of our Mint system (if yours has a different IP you should change it in the command) but because that system gets an IP from DHCP it is subject to change which would break the rule. Therefore, if we wanted this to be stable in the long term, we would want to set up a static IP on any machines we were forwarding ports to.<br />
:''HINT: If your connection is refused, it may be because SSH is not installed in Mint. Try installing SSH using the package manager or apt.''<br />
<li> From a computer on the ITC network, such as one connected to the VPN, try to SSH to port 2222 on the outside (172.17.50.xx) IP address of your Debian system. </li><br />
:If everything was set up successfully, you should be able to sign into the Mint VM based on the port forwarding rule we have put in place.<br />
<li> Once you are satisfied your firewall is running correctly you can use the following command to set these rules to automatically load each time the system is started.</li><br />
<code>firewall-cmd --runtime-to-permanent</code><br><br />
</ol><br />
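The NOTE above warns that a forward rule pointing into the DHCP pool breaks when the lease changes. The check below is an added example, not part of the original lab: it lists forward-port rules whose '''toaddr''' falls inside a dynamic '''range''' from the DHCP server configuration. The function names and the second sample rule are constructed, and it assumes IPv4 targets and that the Webmin settings end up as a '''range''' statement in ''/etc/dhcp/dhcpd.conf''.

```shell
#!/bin/sh
# Added example: find port forwards that point at a dynamically assigned address.

# stdin: dhcpd.conf text. Prints "low high" for every range statement.
dhcp_ranges() {
    awk '
        { sub(/#.*/, "") }                           # drop comments
        $1 == "range" {
            lo = $2; hi = $3
            if (lo == "dynamic-bootp") { lo = $3; hi = $4 }
            gsub(/;/, "", lo); gsub(/;/, "", hi)
            if (hi == "") hi = lo                    # single-address range
            print lo, hi
        }'
}

# stdin: output of `firewall-cmd --zone=external --list-forward-ports`
# $1, $2: first and last address of a DHCP range.
# Prints each rule whose toaddr lies inside that range.
unstable_forwards() {
    awk -v lo="$1" -v hi="$2" '
        function ip2n(ip,    o, i) {
            if (split(ip, o, ".") != 4) return -1
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return -1
            return o[1] * 16777216 + o[2] * 65536 + o[3] * 256 + o[4]
        }
        BEGIN {
            lo_n = ip2n(lo); hi_n = ip2n(hi)
            if (lo_n < 0 || hi_n < lo_n) exit 2      # malformed range
        }
        {
            for (r = 1; r <= NF; r++) {
                addr = ""
                n = split($r, field, ":")
                for (f = 1; f <= n; f++)
                    if (field[f] ~ /^toaddr=/) addr = substr(field[f], 8)
                t = ip2n(addr)                       # -1 when the rule has no toaddr
                if (t >= lo_n && t <= hi_n) print $r
            }
        }'
}

# $1 = forward-port list text, $2 = dhcpd.conf text.
check_forwards() {
    printf '%s\n' "$2" | dhcp_ranges | while read -r lo hi; do
        printf '%s\n' "$1" | unstable_forwards "$lo" "$hi"
    done
}

# Constructed sample: the first rule is the one from this lab, the second is invented.
SAMPLE_FORWARDS=$(cat <<'EOF'
port=2222:proto=tcp:toport=22:toaddr=192.168.1.100
port=8080:proto=tcp:toport=80:toaddr=192.168.1.10
EOF
)

# Constructed sample built from the subnet values entered in Webmin earlier.
SAMPLE_DHCPD=$(cat <<'EOF'
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.100 192.168.1.254;   # dynamic pool
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1;
}
EOF
)

check_forwards "$SAMPLE_FORWARDS" "$SAMPLE_DHCPD"

# On the lab system:
#   check_forwards "$(firewall-cmd --zone=external --list-forward-ports)" \
#                  "$(cat /etc/dhcp/dhcpd.conf)"
```

Any rule it prints targets an address the DHCP server may hand to a different machine later.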
When you are done testing this section of the lab please power off your new Linux Mint VM as these require far more resources to run than the Debian VMs on our servers.<br><br />
: [[File:Lab10_linux_mint_shutdown.png | link=https://wiki.ihitc.net/mediawiki/images/1/1c/Lab10_linux_mint_shutdown.png|500px]]<br />
: [[Media:Lab10_linux_mint_shutdown.png | Click for larger image]]<br />
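Every firewall section in this lab ends with '''firewall-cmd --runtime-to-permanent''' because rules added without '''--permanent''' exist only in the running firewall. The script below is an added example, not part of the original lab: it compares the runtime and permanent views of a zone and lists what would be lost on a restart. The function names and both sample outputs are constructed.

```shell
#!/bin/sh
# Added example: report firewalld settings that differ between runtime and permanent.

# stdin: text printed by `firewall-cmd --zone=Z --list-all`.
# Prints sorted key=item lines for the settings this lab changes.
zone_items() {
    LC_ALL=C awk '
        function emit(k, v) {
            if (k ~ /^(interfaces|services|ports|masquerade|forward-ports)$/)
                print k "=" v
        }
        /^  [a-z][a-z -]*:/ {                        # "  services: dhcpv6-client ssh"
            key = $0
            sub(/^  /, "", key); sub(/:.*$/, "", key)
            rest = $0
            sub(/^[^:]*:[ \t]*/, "", rest)
            n = split(rest, item)
            for (i = 1; i <= n; i++) emit(key, item[i])
            next
        }
        /^[ \t]+[^ \t]/ {                            # value continued on its own line
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            emit(key, line)
        }' | LC_ALL=C sort -u
}

# $1 = runtime --list-all text, $2 = permanent --list-all text.
zone_drift() {
    work=$(mktemp -d) || return 1
    printf '%s\n' "$1" | zone_items >"$work/runtime"
    printf '%s\n' "$2" | zone_items >"$work/permanent"
    LC_ALL=C comm -23 "$work/runtime" "$work/permanent" | sed 's/^/runtime-only /'
    LC_ALL=C comm -13 "$work/runtime" "$work/permanent" | sed 's/^/permanent-only /'
    rm -rf "$work"
}

# Constructed sample: external zone after the steps in this lab, before saving.
SAMPLE_RUNTIME=$(cat <<'EOF'
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources: 
  services: dhcpv6-client ssh
  ports: 10000/tcp
  protocols: 
  masquerade: yes
  forward-ports: 
        port=2222:proto=tcp:toport=22:toaddr=192.168.1.100
  source-ports: 
  icmp-blocks: 
  rich rules: 
EOF
)

# Constructed sample: the same zone as stored on disk, with none of the changes saved.
SAMPLE_PERMANENT=$(cat <<'EOF'
external
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
EOF
)

zone_drift "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT"

# On the lab system:
#   zone_drift "$(firewall-cmd --zone=external --list-all)" \
#              "$(firewall-cmd --permanent --zone=external --list-all)"
```

Empty output means the two views agree, which is the state to expect right after '''--runtime-to-permanent'''.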
<br />
=Checking your Work=<br />
For this lab there are many things you need to check.<br />
<br />
#Firewall - attempt to connect using FTP on port 21, this should fail<br />
#SSH - connect using FTP on port 22<br />
#DNS - navigate to url of server<br />
#SMTP - send a mail to auto-respond server<br />
#IMAP - receive a mail from auto-respond server<br />
#Samba - Create a file on server using file sharing<br />
#HTTP - Navigate to ip address of server<br />
#Webmin - Navigate to <your-ip>:10000<br />
#PuTTY into linux mint using your ip address and port 2222<br />
#Linux Mint DNS/NAT - ping google.com from within Linux Mint<br><br><br />
<br><br />
Run this script to automatically check your lab<br><br />
<br />
<code><br />
<nowiki> sudo curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_10_rewrite.py | sudo python3 </nowiki><br />
</code><br />
<br><br><br />
You can check your progress on any of the labs in the ITC-2480 course from a webapp from this link: <br><br />
[http://webcheck.itc2480.campus.ihitc.net webcheck.itc2480.campus.ihitc.net]<br><br />
You must be logged into the campus VPN to use this application.</div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_9_mnjk&diff=9615Lab 9 mnjk2021-04-16T22:37:30Z<p>NateHaleen: /* Checking Your Work */</p>
<hr />
<div>=Introduction=<br />
<br />
In this lab you will perform the following tasks:<br />
*Install a basic email server <br />
*Install Courier MDA software<br />
*Learn how to allow remote users to send mail<br />
<br><br />
You will be introduced to the following commands:<br />
*'''[https://linux.die.net/man/1/telnet telnet]'''<br />
<br><br />
This lab assumes that you know the IP address of your Linux system and are connected to the ITCnet VPN network. Additionally, this lab assumes that you have completed the Bind DNS and have created a MX record that directs mail to your mail server. <br />
*[[Lab_8_mnjk#Install_BIND_&_Enable_Caching | Installing Bind]]<br />
*[[Lab_8_mnjk#Adding_a_Delegated_Domain | Creating a MX record in DNS]]<br />
<br />
=Lab Procedure=<br />
== Prerequisites ==<br />
# Open an SSH console to your Linux system using the PuTTY software, login with your standard user account<br />
# Make sure that webmin is installed on your system. <br />
# Get the username and domain name of someone else's system in the class who you can send mail to<br />
# This lab requires that you have appropriate domain name records (at least a correct A and MX record) for your system working from the DNS lab before things will work.<br />
<br />
== Install the Postfix MTA ==<br />
'''''[https://www.youtube.com/watch?v=6VsgO5695Z4&feature=youtu.be Video Tutorial - Install Postfix MTA]'''''<br />
<ol><br />
<li> Use a package manager to install the ''postfix'' package.<br />
* During the installation process select ''Internet Site'' as the type of mail server and set the domain name to ''*.itc2480.campus.ihitc.net'' where * is the hostname letter of your system.</li><br />
: MTA software listens for incoming connections from other MTA servers on port 25 and accepts mail on behalf of users on the system. Once the mail is received it is stored locally for users to retrieve. The most common methods for storing messages is in an .mbox file, where all messages are stored in a single file, or in a Maildir, which is a directory where each message is stored in a separate file. The MTA also listens for connections from client software (MUA) and accepts outbound messages from them and forwards them on to the destination domain's mail server. Advanced configuration of MTA software can allow for anti-spam filtering, mailing list support or other programs to intercept and manipulate mail as it passes through the server.<br />
<li>Test the connection and verify the port is open</li><br />
:* Use Telnet to connect to the Postfix SMTP server on port 25: '''telnet localhost 25'''<br />
: [[File:Lab9_open_telnet.png|link=https://wiki.ihitc.net/mediawiki/images/1/10/Lab9_open_telnet.png|500px]]<br />
: [[Media:Lab9_open_telnet.png | Click here for larger image]]<br />
:* Type '''quit''' and press enter after verifying Postfix is running.<br />
<br />
<li>Configure Maildir</li><br />
: Because the Courier IMAP and POP3 server software only supports Maildir style message stores and Postfix stores in mbox files by default you must edit the ''/etc/postfix/main.cf'' file to fix this. <br />
:* Add the line <br />
:<pre>home_mailbox = Maildir/</pre> <br />
: Edit or add the ''mailbox_command'' parameter so there is nothing on the line after the equals sign, delete the portion of the line referencing procmail if it exists. The line should look like: <br />
:<pre>mailbox_command = </pre><br />
<li> Restart the ''postfix'' service to apply your change. Postfix is now saving new incoming messages into the Maildir folder inside each user's home directory. This folder is automatically created by Postfix the first time a new message comes in for a user.</li><br />
<li> Set your shell to recognize the maildir as your mail location</li><br />
:* Edit the ''/etc/login.defs'' file and comment out the ''MAIL_DIR /var/mail'' line (place a # in front of the line) and add a line setting ''MAIL_FILE'' like this:<br />
<pre><br />
#MAIL_DIR /var/mail<br />
MAIL_FILE Maildir/<br />
</pre><br />
:* Edit the ''/etc/pam.d/login'' file, find and comment out the ''session optional pam_mail.so standard'' line (place a # in front of the line) and add a line like this immediately below it:<br />
<pre><br />
#session optional pam_mail.so standard<br />
session optional pam_mail.so dir=~/Maildir standard<br />
</pre><br />
:* Edit the ''/etc/pam.d/su'' file, find and comment out the ''session optional pam_mail.so nopen'' line (place a # in front of the line) and add a line like this immediately below it:<br />
<pre><br />
#session optional pam_mail.so nopen<br />
session optional pam_mail.so dir=~/Maildir nopen<br />
</pre><br />
:* Edit the ''/etc/pam.d/sshd'' file, find and comment out the ''session optional pam_mail.so standard noenv'' line (place a # in front of the line) and add a line like this immediately below it:<br />
<pre><br />
#session optional pam_mail.so standard noenv<br />
session optional pam_mail.so dir=~/Maildir standard<br />
</pre><br />
:* Edit the ''/etc/profile'' file and at the end of the file add the line: <pre>export MAIL=~/Maildir</pre></li><br />
<li> Test sending and receiving mail as a locally logged on user.</li><br />
<br />
:* Install the ''mailutils'' package.<br />
:* Try sending a message (replace username with your username): <pre>echo "This is my message" | mail -s "Email Subject" username@localhost</pre><br />
:* Log out of your SSH session and open a new SSH session to apply the changes to the ''/etc/profile'' and ''/etc/login.defs'' files.<br />
:* Check to see if the message was received using the '''mail''' command, press ''q'' to return to the command line.<br />
:[[File:Lab9_cli_send_mail.png|link=https://wiki.ihitc.net/mediawiki/images/4/4f/Lab9_cli_send_mail.png|500px]]<br />
:[[Media:Lab9_cli_send_mail.png|Click here for a larger image]]<br />
: You should also be able to see the message in ''~/Maildir/'' in either the ''new/'' or ''cur/'' directory depending on whether you have viewed the message list yet or not. In either case, the message will appear as a text file with a random-looking name. It's just a text file so you can use '''cat''' or '''less''' to view it.<br />
<li> Create Aliases </li><br />
: You can create aliases and forward mail between users by editing the ''/etc/aliases'' file and then running the '''newaliases''' program. <br />
:* Create an "alias" for ''sysadmin'' which forwards mail sent to sysadmin@localhost to your username <br />
:* Send a copy of all mail to the ''root'' account to your username <br />
<br />
: Now would be a good time to try logging on to Webmin again, re-scanning for modules and then taking a look at the Postfix module in the ''Servers'' section.<br />
<li>Explore the mail log file</li><br />
: Take a look at your ''/var/log/mail.info'' log to see Postfix sending and receiving messages for users.<br />
</ol><br />
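The Maildir step above requires both a '''home_mailbox''' ending in a slash and an empty '''mailbox_command'''. The check below is an added example, not part of the original lab: it reads ''main.cf'' the way Postfix does (the last definition of a parameter wins, and indented lines continue the previous one) and reports whether delivery will really go to ''~/Maildir/''. The function names and sample files are constructed.

```shell
#!/bin/sh
# Added example: verify the Maildir-related settings in Postfix main.cf.

# stdin: main.cf text, $1: parameter name.
# Prints the effective value; exits 1 if the parameter is never set.
maincf_get() {
    awk -v want="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
        /^[ \t]/ {                                   # continuation of the previous line
            if (name != "") {
                sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
                value[name] = value[name] " " $0
            }
            next
        }
        {
            name = $0; sub(/[ \t]*=.*/, "", name)
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            value[name] = v; seen[name] = 1          # a later definition replaces this one
        }
        END { if (want in seen) print value[want]; else exit 1 }'
}

# $1 = main.cf text. Returns 0 only if local delivery will use Maildir.
maildir_check() {
    rc=0
    home=$(printf '%s\n' "$1" | maincf_get home_mailbox) || home=""
    cmd=$(printf '%s\n' "$1" | maincf_get mailbox_command) || cmd=""
    case $home in
        */) echo "ok: home_mailbox=$home (trailing slash selects Maildir)" ;;
        "") echo "FAIL: home_mailbox is not set"; rc=1 ;;
        *)  echo "FAIL: home_mailbox=$home has no trailing slash (mbox file)"; rc=1 ;;
    esac
    if [ -n "$cmd" ]; then
        # Postfix local delivery prefers mailbox_command over home_mailbox.
        echo "FAIL: mailbox_command=$cmd overrides home_mailbox"; rc=1
    else
        echo "ok: mailbox_command is empty"
    fi
    return $rc
}

# Constructed sample: an empty mailbox_command was added near the top, but the
# original procmail line further down was left in place and wins.
SAMPLE_HALF_EDITED=$(cat <<'EOF'
# constructed main.cf excerpt
myhostname = mail.example.test
home_mailbox = Maildir/
mailbox_command =
mynetworks = 127.0.0.0/8
    [::1]/128
mailbox_command = procmail -a "$EXTENSION"
EOF
)

# Constructed sample: the file as the lab intends it.
SAMPLE_FIXED=$(cat <<'EOF'
myhostname = mail.example.test
mynetworks = 127.0.0.0/8
    [::1]/128
home_mailbox = Maildir/
mailbox_command =
EOF
)

maildir_check "$SAMPLE_HALF_EDITED" || true
maildir_check "$SAMPLE_FIXED" || true

# On the lab system: maildir_check "$(cat /etc/postfix/main.cf)"
```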
<br />
== Install Courier MDA ==<br />
'''''[https://www.youtube.com/watch?v=uvZlSiQHlxs&feature=youtu.be Video Tutorial - Install Courier MDA]'''''<br />
<ol><br />
<li>Install required courier packages </li><br />
: Most users prefer to retrieve mail from a mail server using an MDA protocol like POP3 or IMAP which can be provided by the Courier programs. Install the ''courier-pop'', ''courier-imap'', and ''fam'' packages.<br />
:* Do not create the directories for web-based administration as they are unneeded for our setup<br />
: Local users accessing their mailbox with MUA software can read and write to the .mbox file or Maildir directly. If a user not locally logged on to the system wants to access their mailbox the server runs MDA software which typically uses the POP3 or IMAP protocol for accessing the .mbox file or Maildir remotely.<br />
<br />
<li> Install MUA Client on remote system</li><br />
:*Install an email client (MUA) on your host (home) system such as [http://www.mozilla.org/en-US/thunderbird/ Mozilla Thunderbird]<br />
:* Setup two user accounts in your MUA, the usernames and passwords should be the same as users and their passwords on your system. Use ''IMAP'' as the protocol for retrieving mail. The email address for each should be ''username@*.itc2480.campus.ihitc.net'' where the * is replaced by the host letter of your system. You can verify the IMAP and SMTP settings that are detected, both server addresses should be ''*.itc2480.campus.ihitc.net'' where the * is replaced by the host letter of your system.<br />
:'' NOTE: The first time you check messages and the first time you send messages to your server from Thunderbird you will need to accept an invalid security certificate in the Thunderbird window.''<br />
:[[File:Lab9_thunderbird_cert.png|link=https://wiki.ihitc.net/mediawiki/images/9/9a/Lab9_thunderbird_cert.png|500px]]<br />
:[[Media:Lab9_thunderbird_cert.png|Click here for a larger image]]<br />
:'' NOTE: To see the ''Tools'' menu with the ''Account Settings'' window in recent versions of Thunderbird (where you can add more accounts) you need to press ALT-F and then the menu bar will temporarily appear.<br />
:[[File:Lab9_thunderbird_menu.png|link=https://wiki.ihitc.net/mediawiki/images/6/60/Lab9_thunderbird_menu.png|500px]]<br />
:[[Media:Lab9_thunderbird_menu.png|Click here for a larger image]]<br />
<li>Send mail between local users</li><br />
:* Try sending a message from one user to the other user by sending a message to the other account like ''username@localhost'' Verify that you can receive and read the messages.<br />
:* Note: If a user has not yet received any mail Postfix has not created a Maildir for the user and the Courier software will send an error to the client software. Use the mail program explained above to send some mail to the user, see that the ''~/Maildir'' is then created and try retrieving the messages again with your MUA.<br />
</ol><br />
<br />
== Allow Remote Users to Send Mail ==<br />
'''''[https://www.youtube.com/watch?v=0qh3mCMIzn4&feature=youtu.be Video tutorial - Allow Remote Users to Send Mail]'''''<br />
<ol><br />
<li>Testing SMTP mail to another domain</li><br />
:* Try setting up your MUA software to send mail by creating an SMTP server entry and sending an email to ''anotheruser@localhost'' This should work because localhost is your own server but if you try sending email to ''someuser@somedomain.com'' like ''root@ben.itc2480.campus.ihitc.net'' that will fail.<br />
: The problem is that you don't want just anyone to send mail through your mail server (we did allow this in the olden days), because a spammer could then use your server to send mail worldwide and it would all trace back to the IP of your server. Servers set up like this are called "open relays" because they relay mail for anyone; they are generally considered very bad practice and can get your mail server put on lists of servers whose messages are ignored. There are a number of ways to solve this. By default Postfix will only allow mail relaying from computers on the same network (based on IP) as set in the ''mynetworks'' parameter of ''/etc/postfix/main.cf'', but this is inconvenient for remote users as you would need to know the remote IP address they are connecting from. The SASL protocol allows users to authenticate with a username and password before sending mail, and relayed messages are then accepted from them.<br />
<li>Configure Simple Authentication and Security Layer - SASL</li><br />
:* See if you can follow [https://wiki.debian.org/PostfixAndSASL these instructions] for setting up SASL with Postfix.<br />
:'' Note: You do NOT need to setup TLS to support SASL (more on that in the additional considerations section below)<br />
<li>Test and troubleshoot SASL</li><br />
:* Modify your MUA to use a username and password when connecting to your SMTP server and try sending mail to someone else's system from your MUA using a destination address like ''root@*.itc2480.campus.ihitc.net'' where the * is replaced by the host letter of your system.<br />
:'' NOTE: You MUST actually exchange messages with someone else in the class (both sending to them and receiving from them). It is not possible to test using an outside email account of your own (you will not be able to send a message back to your server because it is behind a firewall). It is not enough to just be able to send a message to another system. It is not enough to just be able to receive a message from another user.<br />
:* Troubleshoot as needed using the mail log files on your system.<br />
</ol><br />
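The relay and SASL behaviour described above can be checked from the mail log. The following is an added example, not part of the original lab: it separates denied relay attempts, failed SASL logins, authenticated submissions, and mail that was relayed without authentication from outside the trusted networks. The log lines are constructed samples, and the default ''mynetworks'' value used here is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the style of /var/log/mail.info. Host names, queue IDs
# and addresses are made up; the IPs come from documentation ranges.
SAMPLE_LOG = """\
Apr 25 10:01:03 debserv postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 454 4.7.1 <victim@example.org>: Relay access denied; from=<spam@example.net> to=<victim@example.org> proto=ESMTP helo=<mailer>
Apr 25 10:01:09 debserv postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Apr 25 10:01:15 debserv postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Apr 25 10:04:40 debserv postfix/smtpd[2120]: 4F1A2C0D3E: client=unknown[198.51.100.20], sasl_method=PLAIN, sasl_username=alice
Apr 25 10:04:41 debserv postfix/smtp[2125]: 4F1A2C0D3E: to=<root@example.org>, relay=mail.example.org[192.0.2.25]:25, delay=0.6, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Apr 25 10:07:02 debserv postfix/smtpd[2131]: 7B2D9E1F00: client=unknown[192.0.2.44]
Apr 25 10:07:03 debserv postfix/smtp[2125]: 7B2D9E1F00: to=<someone@example.com>, relay=mx.example.com[192.0.2.80]:25, delay=0.9, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Apr 25 10:09:30 debserv postfix/smtpd[2140]: 9C0E4A7B21: client=localhost[127.0.0.1]
Apr 25 10:09:31 debserv postfix/smtp[2125]: 9C0E4A7B21: to=<root@example.org>, relay=mail.example.org[192.0.2.25]:25, delay=0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok)
"""

# smtpd accepted a message; the sasl_* fields are present only after a login.
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): client=\S*\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=\S+, sasl_username=(?P<user>\S+))?")
# smtpd refused to relay (454 or 554 depending on the restriction in use).
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S*\[(?P<ip>[^\]]+)\]: "
    r"\d{3} \S+ <(?P<rcpt>[^>]*)>: Relay access denied")
SASL_FAIL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S*\[(?P<ip>[^\]]+)\]: SASL \S+ authentication failed")
# postfix/smtp is the outbound client, so "status=sent" here means the message
# left for another host (assumes no local content filter is reached over SMTP).
SENT_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]*)>, .*status=sent")


def is_trusted(ip, networks):
    """True if ip lies inside one of the trusted networks; unparsable values are untrusted."""
    try:
        address = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(address in net for net in networks)


def analyze(log_text, mynetworks=("127.0.0.0/8", "::1/128")):
    """Classify Postfix log lines; mynetworks should mirror the value in main.cf."""
    trusted = [ipaddress.ip_network(n) for n in mynetworks]
    clients = {}  # queue ID -> (client IP, SASL user or None)
    report = {"relay_denied": Counter(), "sasl_failed": Counter(),
              "authenticated": [], "unauthenticated_relay": []}
    for line in log_text.splitlines():
        if m := REJECT_RE.search(line):
            report["relay_denied"][m["ip"]] += 1
        elif m := SASL_FAIL_RE.search(line):
            report["sasl_failed"][m["ip"]] += 1
        elif m := CLIENT_RE.search(line):
            clients[m["qid"]] = (m["ip"], m["user"])
            if m["user"]:
                report["authenticated"].append((m["user"], m["ip"], m["qid"]))
        elif m := SENT_RE.search(line):
            ip, user = clients.get(m["qid"], (None, None))
            if ip is None or user:
                continue  # locally submitted, or relayed after a SASL login
            if not is_trusted(ip, trusted):
                # Relayed for an unauthenticated outside client: open-relay symptom.
                report["unauthenticated_relay"].append((ip, m["qid"], m["rcpt"]))
    return report


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

On a correctly configured server the ''unauthenticated_relay'' list stays empty; an entry there means the relay restrictions or the ''mynetworks'' value need to be reviewed.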
<br />
=Additional Considerations=<br />
Running a mailserver is tricky business. The basic server we have setup does not use valid certificates for encrypting connections meaning usernames, passwords, and mail contents are all being sent to an unverified server. This is very undesirable from a security standpoint and it would be suggested to support SSL/TLS encryption for both the MTA and MDA portions with a valid certificate purchased from a certificate authority (CA) or from a free CA like [https://letsencrypt.org/ Let's Encrypt]. In addition, you will almost certainly want spam filtering at the server. More complicated setups also use database tables for users, passwords and domains so that you can host multiple domains on a single server and have email user boxes for people who do not have local logins on the system.<br />
<br />
=Additional Resources=<br />
* [https://help.ubuntu.com/community/PostfixBasicSetupHowto Ubuntu Postfix Basic Setup]<br />
* [https://wiki.debian.org/Postfix Debian Wiki - Postfix Installation]<br />
<br />
==Checking Your Work==<br />
<ol><br />
<li>Send a test email to ping@itc2480.campus.ihitc.net from your Thunderbird or other MUA mail program.</li><br />
<ul>You should receive a response titled "Success! Auto Response form Ping Auto Mailer"</ul><br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_09_test.py | python3<br />
</nowiki></code><br />
</ol><br />
<br><br><br />
You can check your progress on any of the labs in the ITC-2480 course from a webapp from this link: <br><br />
[http://webcheck.itc2480.campus.ihitc.net webcheck.itc2480.campus.ihitc.net]<br><br />
You must be logged into the campus VPN to use this application.</div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_8_mnjk&diff=9614Lab 8 mnjk2021-04-16T22:37:15Z<p>NateHaleen: /* Checking Your Work */</p>
<hr />
<div>=Introduction=<br />
In this lab you will perform the following tasks:<br />
*Install BIND and configure as caching plus zones for a local domain<br />
*Learn how to create domains using Webmin<br />
*Learn how to manually edit using a zone file<br />
You will be introduced to the following commands:<br />
*'''[https://linux.die.net/man/1/dig dig]'''<br />
*'''[https://linux.die.net/man/1/nslookup nslookup]'''<br />
*'''[https://www.man7.org/linux/man-pages/man1/systemctl.1.html systemctl]'''<br />
<br />
=Lab Procedure=<br />
== Prerequisites ==<br />
# Open an SSH console to your Linux system using the PuTTY software, login with your standard user account.<br />
# Make sure that Webmin is installed on your system. <br />
== Install BIND & Enable Caching ==<br />
'''''[https://www.youtube.com/watch?v=frZ7FrJyjME Video Tutorial - Installing BIND and Enabling Caching]'''''<br><br />
<ol><br />
<li>First you will need to install BIND. To install it, use the package manager to install '''bind9'''.</li><br />
<ul>BIND (Berkeley Internet Name Domain) is one of the available DNS server applications for Linux and the most well known and used nameserver on the Internet.</ul><br />
<li>You will also want to install the '''dnsutils''' package.</li><br />
<ul>In order to use the '''nslookup''' and '''dig''' programs for DNS testing and troubleshooting you'll need dnsutils</ul><br />
<li>Open up ''/etc/bind/named.conf.options'' with your favorite text editor.</li><br />
<ul>Now we will need to enable DNS caching and forwarding on the BIND server. This will allow us to use it for DNS resolving locally, as well as speed up frequent DNS requests.</ul><br />
<ul><br />
* You are now in the local options file for BIND. You will need to uncomment (remove the // from the front of) the following lines:<br />
: [[File:Bind_named_conf.png | 500px]]<br />
* '''NOTE:''' You will also need to replace 0.0.0.0 with 172.17.139.11 for outside DNS lookups to function correctly.</ul><br />
<ul>The reason we setup a forwarder address is so that domain requests that are not on our system are passed to another DNS server instead of being searched against the root nameservers. You may want to do this in domain or enterprise environments as most large networks have internal domain names setup that only redirect inside of a local LAN. By using a forwarder, as long as the DNS server you push requests to is able to access those internal records, you will be able to access local content from internal domain names instead of needing to rely on IP addresses.</ul><br />
<li>To apply these changes, you will need to restart the BIND server with administrative permissions.</li><br />
<code>sudo service bind9 restart</code><br />
<li>Next, open up your interfaces file (''/etc/network/interfaces'') with your favorite file editor.</li><br />
<ul><br />
* Change the dns server for the primary network interface to ''127.0.0.1''.</ul><br />
<ul>The change to ''/etc/network/interfaces'' will take effect if you restart your system. To avoid doing that right now you can edit the ''/etc/resolv.conf'' file so that it has only one nameserver line like ''nameserver 127.0.0.1''. Note that unless you reboot the system it will eventually get reset back to its prior setting by a background system process, so at some point you will want to reboot your system to make the change permanent.</ul><br />
<li>Run the command:</li><br />
<code>nslookup inverhills.edu</code><br />
<ul>If BIND is working, you should now see the following output:</ul><br />
: [[File:Nslookup_inverhillsedu.png | 500px]]<br />
* Notice how it shows it is using 127.0.0.1 as the server. If you do not see this, then your interface file or resolv.conf file is not set to use the local machine for DNS lookups. Note also that the IP address returned for this domain may vary from the one shown in the output above.</li><br />
<li>Run:</li><br />
<code>dig inverhills.edu</code><br />
<ul>See if you can find where the IP address for the domain is reported in the output as well as where the server IP address is reported in the output.</ul><br />
<li>Now would be a good time to reboot your server to ensure the DNS server network interface configuration changes remain permanent.</li><br />
<code>sudo shutdown -r now</code><br />
<li>Once the system reboots log back in and use '''nslookup''' or '''dig''' to verify the default nameserver being used is ''127.0.0.1''.</li><br />
</ol><br />
<br />
== Create a Domain using Webmin ==<br />
'''''[https://www.youtube.com/watch?v=53aK9FeYz68 Video Tutorial - Create a Domain Using Webmin]'''''<br><br />
Now we are going to use Webmin to create a few different types of domain records and have our system serve as a DNS server for a domain. We will utilize A (Host), AAAA (IPv6 host), MX (Mail Exchange), and CNAME (Canonical Name) records.<br />
<ol><br />
<li>Open up your '''Webmin panel''' and sign in.</li> <br />
<ul>Now that we have BIND installed, you will need to click the Refresh Modules option on the left sidebar to have Webmin recheck the system for installed packages and services so that it will show up as an option in the ''Servers'' tab.</ul><br />
<li>Under the ''Servers'' tab, open up ''BIND DNS Server'', under ''Existing DNS Zones'' click ''Create master zone''.</li><br />
<ul>From here we will create a new domain name for our server to respond to DNS queries for.</ul><br />
<li>Use the following options, '''where * is replaced by your System ID''' that was defined in [[Franske ITC-2480 Lab 5|Lab 5]] (just the letter of your system, for example the domain name would be ''debserv-A.test'' if you had System ID "A").<br />
<pre>Zone type: Forward (Names to Addresses)<br />
Domain name / Network: debserv-*.test<br />
Records file: Automatic<br />
Master server: Leave as your hostname<br />
Email address: root@debserv-*.test</pre></li><br />
<li>Click the ''create'' button to add the domain.</li><br />
<ul> At this point you should now be on the ''Edit Master Zone'' page. From here you can add and edit domain records for this domain name.</ul><br />
<li>To create our ''A record'' which points your domain to an IP address, click the ''Address'' button.</li><br />
* For the ''Name'' enter ''@''. Note: The ''@'' symbol in DNS Zones defines the parent domain (alternatively you could re-enter the parent domain ''debserv-*.test.'' with the period at the end).<br />
* In the ''address'' field enter your VM's static IP set in [[Franske ITC-2480 Lab 5|Lab 5]] and click ''Create''.<br />
<li> Return to the main BIND DNS Server page. Click the ''Apply Configuration'' link (which looks like two arrows chasing each other) in the top right corner. You'll see the "Apply Configuration" text if you hover your mouse over the button.</li><br />
<li> To test the record use '''nslookup''' or '''dig''' to lookup the domain you just created (Replace the * with your letter.)</li><br />
<code>nslookup debserv-*.test</code><br />
<code>dig debserv-*.test</code><br />
* If you have issues looking up the domain, make sure that the system is still using 127.0.0.1 as the DNS server. If not, check your ''/etc/resolv.conf'' file.</li><br />
</ol><br />
<br />
== Additional DNS Record Types ==<br />
'''''[https://www.youtube.com/watch?v=dC6RsYYMk4w Video Tutorial - Additional DNS Record Types]'''''<br><br />
Now we are going to add a few more record types to our Domain. This will include an ''MX'' (Mail Exchange) and ''CNAME'' (Canonical Name) record. We will start with the MX record. MX records are used by email servers to look up where to forward email for a specific domain.<br />
<ol><br />
<li>In Webmin on the '''BIND DNS Server''' page, click the domain on the bottom named ''debserv-*.test'' and then click the '''Mail Server''' button. Under ''name'', enter ''@'' again, and for ''mail server'' enter ''mail.debserv-*.test.'' (with the period at the end). For ''Priority'', enter ''10''.</li><br />
* This entry says we want other servers trying to send mail to ''users@debserv-*.test'' to actually send it to the server at ''mail.debserv-*.test'', which allows us to use a different server for email than we use for web serving, etc.<br />
* The Priority entry allows people to define more than one MX record for a name, and the order which the sending service will try to use for contacting the various mail servers at your domain.</li><br />
<li>Go back to the domain zone overview page. Add an ''A'' record for ''mail.debserv-*.test'' which points to the IP of your system.</li><br />
<ul>Because we don't currently have an "A" (address) record for ''mail.debserv-*.test'' the mail would currently go undelivered.</ul><br />
* Reapply configuration settings like you did in the last section of this lab using the button with the two arrows in a circle.<br />
<li> To test an ''MX'' record we need to make multiple queries and ask '''nslookup''' or '''dig''' to first check for MX records for the domain like:</li><br />
<code>nslookup -type=MX debserv-*.test</code><br />
<ul>or</ul><br />
<code>dig debserv-*.test MX</code><br />
which will return the names of the mail servers for that domain. We then need to do a regular '''nslookup''' or '''dig''' on those names to determine what IP addresses those are pointed to. Of course, for mail to actually work we'd also need to ensure mail server software is installed and configured on that server as well.</li><br />
<li>Again return to the domain zone overview page.</li><br />
<ul>We are now going to create a CNAME record. CNAME records are useful as they allow you to create virtual A records (aliases), but point them to another domain or host name instead of to a specific IP address. This allows you to have many hostnames all pointed to the same A record which contains the actual IP address so if the IP address changes you only need to change a single A record and all the hostnames will change. It can also be used to redirect a hostname at one domain to an entirely different domain.</ul><br />
<li>On the ''Edit Master Zone'' page for your domain, click the ''Name Alias'' button. For the ''Name'', enter ''blog'' and for the ''Real Name'', enter your domain ''debserv-*.test.'' but remember to put a period at the end of the domain as this is an ''absolute name''. Press ''create'' to add the record.</li><br />
<li>Click the ''Apply Configuration'' link at the top right of the page again. This will apply the records you have created. Now back in PuTTY, run:<br><br />
<code>nslookup blog.debserv-*.test</code><br />
or the equivalent '''dig''' command.<br> <br />
You should get a response similar to:</li><br />
<pre>Server: 127.0.0.1<br />
Address: 127.0.0.1#53<br />
<br />
blog.debserv-*.test canonical name = debserv-*.test.<br />
Name: debserv-*.test<br />
Address: 172.17.50.XXX<br />
</pre><br />
<ul>One thing we can use CNAMEs for is to create a virtual web host in Apache that listens for the domain blog.debserv-*.test and then forwards you directly to your blog folder instead of to our main web page. </ul><br />
<li>In '''Webmin''' under the ''Servers'' tab, select ''Apache Webserver''. Then on the top, click the ''Create virtual host'' button and use the following configuration:<br />
<pre>Handle Connections to Address: any address<br />
Port: 80<br />
Document Root: /var/www/html/blog/<br />
Server Name: blog.debserv-*.test<br />
Add virtual server to file: new file under virtual servers directory<br />
Copy directives from: nowhere<br />
</pre><br />
When done, press ''Create Now''.<br />
<li> When you are back at the ''Apache Webserver'' page, then click ''Apply Changes'' in the top right.</li><br />
<li>Now in an SSH session, open up your favorite command line web browser like '''links''' and visit ''blog.debserv-*.test.'' Make special note that when you enter the URL in Links you need to include the extra period at the end.</li><br />
<ul> This is because the .test domain is not a regular TLD like .com .org etc. and the Links browser doesn't know how to handle it unless we force it as a domain name by adding the period at the end. This is not related to it being a CNAME or our Apache configuration and with a regular domain name would not be required. Notice how you are now visiting the blog directly, instead of your modified index.html file. This is because we setup a virtual host in Apache that listens for requests to the CNAME we created and points to the document root where the Wordpress software is installed.<br />
* Note that you will not be able to use this URL to access the blog from your local PC yet because your local PC isn't using your Linux server as its DNS server and the .test domain isn't registered to your DNS server.</ul><br />
<li>Congrats, at this point you have a basic domain working with a MX, CNAME, and A record.</li><br />
</ol><br />
<br />
== Adding a AAAA record ==<br />
'''''[https://www.youtube.com/watch?v=sql0Wlo8F5g Video Tutorial - Adding an AAAA Record]'''''<br><br />
Now we are going to add an ''AAAA'' (IPv6 host) record to our domain. To do this, we will first need to make sure that IPv6 networking is setup in our virtual machine.<br />
<ol><br />
<li> Use <code>ip address show</code> to check the ''inet6'' address (IPv6 Address) on the primary network interface.</li><br />
<ul> You should have an address starting with ''2607:f930:1c00:50:''. If you do not please check with your instructor. You will need to write down or remember this full address as we will use it in Webmin to create our AAAA record.</ul><br />
<li> Back in '''Webmin''', under the ''BIND DNS Server'' tab, select your ''debserv-*.test'' domain from the bottom and then click the ''IPv6 Address'' button. For the name, enter ''@'' and for the ''address'' enter your IPv6 address WITHOUT the subnet prefix (No /64 on the end).</li><br />
<ul> It should look similar to this: ''2607:f930:1c00:50:xxxx:xxxx:xxxx:xxxx''.</ul><br />
<li>When done click ''create''. Remember to click the ''apply configuration'' link in the top right to apply the changes.</li><br />
<li> In order to verify the AAAA record is working we need to modify the '''nslookup''' or '''dig''' command to check for AAAA records instead of the default of A records. Try:<br><br />
<code>nslookup -type=AAAA debserv-*.test</code><br><br />
and<br><br />
<code>dig debserv-*.test AAAA</code><br><br />
to see the output from AAAA records.</li> <br />
<li>Congratulations, you have now set up dual-stack DNS records for your Debian server. This means your server is accessible over both IPv4 and IPv6 at the same name, because both the A and AAAA records we created have the same host name.</li><br />
</ol><br />
<br />
== Adding a Delegated Domain ==<br />
'''''[https://www.youtube.com/watch?v=Qn45Vv7vuZY Video Tutorial - Adding a Delegated Domain]'''''<br><br />
The problem with the name we have been using so far is that it only works on the DNS server itself. This is because we didn't purchase the name and so no other nameservers know to send requests for it to our server. Normally if you purchase a domain or someone else gives you control of a subdomain it is ''delegated'' to your server meaning that other DNS servers will query your server for addresses related to that name. In order to practice this we are going to add another domain to the system, but this domain will be a delegated domain which is a subdomain of ''itc2480.campus.ihitc.net''. Luckily we can add this to BIND the same way we added our original domain.<br />
<ol><br />
<li>In '''Webmin''', go to ''Servers'', then ''BIND DNS Server''. Under ''Existing DNS Zones'' click on ''Create Master Zone'' and use the following settings:<br />
<pre>Zone type: Forward (Names to Addresses)<br />
Domain name / Network: *.itc2480.campus.ihitc.net<br />
Records file: Automatic<br />
Master server: *.itc2480.campus.ihitc.net.<br />
Email address: root@ *.itc2480.campus.ihitc.net</pre><br />
* '''NOTE:''' the * stands for your System ID letter, the same as you used for the previous domain we created.</li><br />
<li> Using Webmin, create an ''A'' record for ''@'' the same way as we did for the last domain.</li><br />
<ul> If you need help with this step, you can review the process we did earlier. Make sure to apply your changes after adding the record.</ul><br />
<li>Test that the record and delegation are working correctly. This time you should be able to check from your host computer too!</li><br />
<ul> Windows does not include the '''dig''' command so you'll need to use '''nslookup''' on ''*.itc2480.campus.ihitc.net'' (replace the * with your System ID). Does the correct address come back?</ul><br />
<li> Test your setup using a web browser on your local computer</li><br />
<ul> Can you access your webserver by going to http://*.itc2480.campus.ihitc.net (where * is your hostname letter)?</ul><br />
<li>Create an ''MX'' record for the domain which directs mail for your delegated domain to your system as well just like we did with the test domain (this will involve creating another A record for ''mail.*.itc2480.campus.ihitc.net'' as well).</li><br />
<ul>Test that the MX record and associated A record are working correctly. This time you should be able to check from your host computer too! Windows does not include the '''dig''' command so you'll need to use '''nslookup'''. Does the correct mail server name and address come back?</ul><br />
<li>Create a ''CNAME'' record for the blog just like in the previous example (''blog.*.itc2480.campus.ihitc.net'' though) and create a new Apache virtual server just like in the previous example as well.</li><br />
<ul>Test your setup using a web browser on your local computer, can you access your blog directly by going to http://blog.*.itc2480.campus.ihitc.net (where * is your hostname letter)?</ul><br />
</ol><br />
<br />
== Manually editing a zone file ==<br />
'''''[https://www.youtube.com/watch?v=3T7TkE9cRVE Video Tutorial - Manually Editing a Zone File]'''''<br><br />
Lastly we are going to look at the domain zone file. While Webmin provides a nice interface to add records, all it is doing is manually adding our records to our text based zone file. When you use BIND for DNS, every domain created gets its own record file which is called the zone file. In this file all subdomains and records are stored for said domain.<br />
<ol><br />
<li>By default, the location for these records on Debian will be in ''/var/lib/bind'', so go to that directory and list the contents.</li><br />
<li>Now, with your favorite text editor, open up the file which corresponds to the ''debserv-*.test'' domain.<br><br />
It should look similar to this:<br />
<pre>$ttl 38400<br />
debserv-Z.test. IN SOA 2480-Z.itc2480.campus.ihitc.net. root.debserv-Z.test. (<br />
1519434495<br />
10800<br />
3600<br />
604800<br />
38400 )<br />
debserv-Z.test. IN NS 2480-Z.itc2480.campus.ihitc.net.<br />
debserv-Z.test. IN A 172.17.50.36<br />
debserv-Z.test. IN MX 10 mail.debserv-Z.test.<br />
mail.debserv-Z.test. IN A 172.17.50.36<br />
blog.debserv-Z.test. IN CNAME debserv-z.test.<br />
debserv-Z.test. IN AAAA 2607:f930:1c00:50:250:56ff:feb1:8756<br />
mail.debserv-Z.test. IN AAAA 2607:f930:1c00:50:250:56ff:feb1:8756</pre></li><br />
<ul>Notice the formatting for domain records. Each record is defined by the domain or subdomain name, ''IN'', then the record type (like A, AAAA, NS, or MX), followed by what the record is pointed to. For this example, we want to change the MX priority from 10 to 15.</ul><br />
<li>Using your text editor change the MX record settings priority from 10 to 15.</li><br />
<li>When you are done, '''restart''' the bind9 service to reload the changes.<br><br />
<code>sudo systemctl restart bind9</code><br />
* Note: when restarting bind, if you have any errors restarting the service this normally means you have a typo in one of your zone files. If this is the case, go through the file again in a text editor to make sure you did not add anything extra or remove anything else.</li><br />
<li>Use the '''dig''' tool to check the MX record and see that the new priority is active. You should see something similar to the following response:<br />
<pre>; <<>> DiG 9.10.3-P4-Debian <<>> debserv-z.test MX<br />
;; global options: +cmd<br />
;; Got answer:<br />
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40128<br />
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3<br />
<br />
;; OPT PSEUDOSECTION:<br />
; EDNS: version: 0, flags:; udp: 4096<br />
;; QUESTION SECTION:<br />
;debserv-z.test. IN MX<br />
<br />
;; ANSWER SECTION:<br />
debserv-Z.test. 38400 IN MX 15 mail.debserv-Z.test.<br />
<br />
;; AUTHORITY SECTION:<br />
debserv-Z.test. 38400 IN NS 2480-Z.itc2480.campus.ihitc.net.<br />
<br />
;; ADDITIONAL SECTION:<br />
mail.debserv-Z.test. 38400 IN A 172.17.50.36<br />
mail.debserv-Z.test. 38400 IN AAAA 2607:f930:1c00:50:250:56ff:feb1:8756<br />
<br />
;; Query time: 0 msec<br />
;; SERVER: 127.0.0.1#53(127.0.0.1)<br />
;; WHEN: Fri Feb 23 20:15:48 CST 2018<br />
;; MSG SIZE rcvd: 163</pre></li><br />
<ul>Notice how the Answer Section shows the MX record is pointed to the IP of the domain, and that the priority is set to 15.</ul><br />
<li>Congratulations, you have now setup a functional DNS server.</li><br />
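A hand-edited zone file is easy to break in ways that still load but silently misdirect mail or web traffic. The following is an added example, not part of the original lab and not a replacement for BIND's own checks: it parses the record format shown above and reports MX, NS or CNAME targets inside the zone that have no address record (the usual result of forgetting the trailing period on an absolute name) and names that carry a CNAME alongside other records. ''PAGE_ZONE'' copies the sample zone from this section; ''BROKEN_ZONE'' is constructed for the demonstration, and TTLs written with unit suffixes or TXT data containing semicolons are not handled.

```python
ADDRESS_TYPES = {"A", "AAAA"}
TARGET_FIELD = {"MX": 1, "NS": 0, "CNAME": 0}  # position of the host name in the rdata

# The sample zone file shown in this section.
PAGE_ZONE = """\
$ttl 38400
debserv-Z.test. IN SOA 2480-Z.itc2480.campus.ihitc.net. root.debserv-Z.test. (
1519434495
10800
3600
604800
38400 )
debserv-Z.test. IN NS 2480-Z.itc2480.campus.ihitc.net.
debserv-Z.test. IN A 172.17.50.36
debserv-Z.test. IN MX 10 mail.debserv-Z.test.
mail.debserv-Z.test. IN A 172.17.50.36
blog.debserv-Z.test. IN CNAME debserv-z.test.
debserv-Z.test. IN AAAA 2607:f930:1c00:50:250:56ff:feb1:8756
mail.debserv-Z.test. IN AAAA 2607:f930:1c00:50:250:56ff:feb1:8756
"""

# Constructed variant with two editing mistakes: the MX target lost its trailing
# period, and "blog" has both a CNAME and an A record.
BROKEN_ZONE = """\
$ttl 38400
@ IN SOA 2480-Z.itc2480.campus.ihitc.net. root.debserv-Z.test. ( 2 10800 3600 604800 38400 )
@ IN NS 2480-Z.itc2480.campus.ihitc.net.
@ IN A 172.17.50.36
@ IN MX 15 mail.debserv-Z.test
mail IN A 172.17.50.36
blog IN CNAME debserv-Z.test.
blog IN A 172.17.50.36
"""


def absolute(name, origin):
    """Expand '@' and relative names against origin; DNS names compare case-insensitively."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_zone(text, apex):
    """Return (owner, type, target) tuples; target is set only for MX, NS and CNAME."""
    origin = apex.lower().rstrip(".") + "."
    owner, pending, records = origin, "", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        pending = f"{pending} {line}" if pending else line
        if pending.count("(") > pending.count(")"):
            continue                                   # multi-line record (the SOA)
        line, pending = pending.replace("(", " ").replace(")", " "), ""
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0].startswith("$"):
            if tokens[0].upper() == "$ORIGIN" and len(tokens) > 1:
                origin = absolute(tokens[1], origin)
            continue
        if not line[0].isspace():                      # indented line reuses the last owner
            owner = absolute(tokens.pop(0), origin)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
            tokens.pop(0)                              # optional TTL and class
        if len(tokens) < 2:
            continue
        rtype, rdata = tokens[0].upper(), tokens[1:]
        idx = TARGET_FIELD.get(rtype)
        target = absolute(rdata[idx], origin) if idx is not None and idx < len(rdata) else None
        records.append((owner, rtype, target))
    return records


def lint_zone(text, apex):
    """Return a list of findings; an empty list means none of the checks fired."""
    apex = apex.lower().rstrip(".") + "."
    records = parse_zone(text, apex)
    types = {}
    for owner, rtype, _ in records:
        types.setdefault(owner, set()).add(rtype)
    findings = [("cname-conflict", owner, ",".join(sorted(t)))
                for owner, t in sorted(types.items()) if "CNAME" in t and len(t) > 1]
    for owner, rtype, target in records:
        if target is None or not (target == apex or target.endswith("." + apex)):
            continue                                   # outside this zone: cannot check here
        have = types.get(target, set())
        if rtype == "CNAME":
            if not have:
                findings.append(("dangling", owner, rtype, target))
        elif "CNAME" in have:                          # RFC 2181 10.3: MX/NS must not name an alias
            findings.append(("alias-target", owner, rtype, target))
        elif not have & ADDRESS_TYPES:
            findings.append(("dangling", owner, rtype, target))
    return findings


if __name__ == "__main__":
    print(lint_zone(PAGE_ZONE, "debserv-Z.test"))
    print(lint_zone(BROKEN_ZONE, "debserv-Z.test"))
```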
<br />
==Checking Your Work==<br />
<ol><br />
<li> Check the directories and files:</li><br />
# <code>/etc/bind/named.conf.options</code> should have the IP address 172.17.139.11 saved.<br />
# <code>/etc/network/interfaces</code> should have the IP address 127.0.0.1 saved.<br />
# Your <code>/var/lib/bind/*.hosts</code> file should have an MX, CNAME, and AAAA record.<br />
<br />
<br><br><br />
<br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_08_test.py | python3<br />
</nowiki></code><br />
</ol><br />
<br><br><br />
You can check your progress on any of the labs in the ITC-2480 course from a webapp from this link: <br><br />
[http://webcheck.itc2480.campus.ihitc.net webcheck.itc2480.campus.ihitc.net]<br><br />
You must be logged into the campus VPN to use this application.</div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_7_mnjk&diff=9613Lab 7 mnjk2021-04-16T22:36:59Z<p>NateHaleen: /* Checking Your Work */</p>
<hr />
<div>=Introduction=<br />
This lab assumes you know how to install a package from the Debian repository and you have Webmin installed. If you need help please see '''[[Lab_1_mnjk#Installing_sudo_and_checking_your_IP_address | Lab 1]]''' and '''[[Lab_3_mnjk#Install_the_Webmin_Control_Panel | Lab 3]]'''.<br />
<br />
In this lab you will perform the following tasks:<br />
* Install [https://www.samba.org/samba/ Samba]<br />
* Setup a Guest Share<br />
* Share Home Directories<br />
* Setup a group share<br />
<br />
You will not be introduced to new commands.<br />
<br />
= Lab Procedure =<br />
== Prerequisites ==<br />
<ol><br />
<li> Open an SSH console to your Linux system using the PuTTY software, login with your standard user account. </li><br />
<li> Make sure that Webmin is installed on your system. </li><br />
<li> Make sure you have an up-to-date list of packages on your system using the '''apt update''' system. </li><br />
<li> Make sure you have all the latest software upgrades on your system using the '''apt upgrade''' method. </li><br />
</ol><br />
: ''NOTE: This lab sets up Samba with anonymous guest access which is not supported by Windows 10 anymore. You can work around this (directions for doing so are below) but you can't work around it on IHCC campus managed PCs so this lab really requires access to a PC which you have full administrative control over.''<br />
<br />
== Install Samba ==<br />
'''''[https://www.youtube.com/watch?v=h15fXbqYx5Y&feature=youtu.be Video Tutorial - Install Samba]''''' <br><br />
<ol><br />
<li> With your favorite package manager, install the '''samba''' package. </li><br />
<li> After Samba is installed, log in to Webmin on your local computer's web browser. </li><br />
<li> Under the servers tab, notice how Samba does not show up. This is because we just installed the package. </li><br />
<li> On the bottom of the left toolbar, click '''refresh modules'''. After a minute, it should refresh the page. Now look under the servers tab again. Does Samba now show up?</li><br />
</ol><br />
<br />
== Setup a Guest Share ==<br />
'''''[https://www.youtube.com/watch?v=BmgKPYIVaPY&feature=youtu.be Video Tutorial - Setup a Guest Share]''''' <br><br />
<br />
The first thing we are going to do is create a guest share.<br />
This share will allow all users, even those who have not authenticated, to read files.<br />
To help you better understand samba, this first share will be configured from PuTTY and command line.<br />
<ol><br />
<li>Change into the '''/etc/samba/''' directory and view a directory listing.<br />
: In here we have one main file, '''smb.conf''', which holds all of the Samba share and authentication settings. There may also be a few other files and directories which can be used for more advanced Samba features such as TLS certificate based authentication.</li><br />
<li>With your favorite text editor, open up '''smb.conf''' with administrative permission.</li><br />
<li>Scroll to the bottom of the file, and notice how shares are defined. They all have a similar format such as:<br />
<pre><br />
[Share Name]<br />
comment = Share Comment<br />
options....</pre><br />
:'''options''' are the different configuration settings.</li><br />
Let's try creating the guest share folder from the config file manually.<br />
<li>Exit out of the text editor, and create the folder '''/srv/Guest-Files''' as root.<br />
: This will be the folder we are sharing.</li><br />
<li>Open up '''/etc/samba/smb.conf''' in a text editor again as root, and go to the bottom of the file.</li><br />
<li>Enter the following:<br />
<pre>[Guest Share]<br />
comment = Public File Share<br />
public = yes<br />
path = /srv/Guest-Files</pre><br />
You have now created the public share. <br />
</li><br />
<br />
<li>In order to make the share take effect you need to restart the Samba service on your machine with the following command: <br />
<br><br />
<code>service smbd restart</code><br />
<br />
: ''NOTE: Restarting services requires administrative permission.''</li><br />
<li>To test this share, go into '''/srv/Guest-Files''' and create a text file and enter some information.<br />
: We will use this file to test the read-only settings of the share.<br />
: At this point, we should be ready to test out our configuration. </li><br />
<li>On your local computer, open up the Run dialog box, enter '''\\172.17.50.xx''' (the IP you set up as the static address of your VM), and press Enter.<br />
: You should see a share folder called Guest Share.<br />
:[[file:Samba-windows-guest.png | link= https://wiki.ihitc.net/mediawiki/images/d/d4/Samba-windows-guest.png | 500px]]<br />
:[[media:Samba-windows-guest.png | Click for Larger Image]]</li><br />
: ''NOTE: If you receive an error on your local system and can't access the Samba share, it might be your firewall blocking the connection. This has been the case with non-Windows Firewalls such as BitDefender. If you are using one of these firewalls you may have to make a rule to allow traffic. This link might help: [https://www.bitdefender.com/consumer/support/answer/2397/ https://www.bitdefender.com/consumer/support/answer/2397/]''<br />
<li>Open the Guest Share folder and see if your text file is in the share.</li><br />
<li>Open up the file, and try to edit and save the file. What error do you get?</li><br />
: '''''SPECIAL NOTE for Windows 10 Client PCs:''' If the computer you are using to try and connect to this share is running Windows 10 version 1709 or later, [https://support.microsoft.com/en-us/help/4046019/guest-access-smb2-disabled-by-default-in-windows-10-server-2016 Microsoft has disabled SMB guest share access]. You have a few different options for completing this:''<br />
:* Use an earlier version of Windows (remember you'll need to install OpenVPN and be connected to ITCnet) such as Windows 10 before version 1709, Windows 8, or Windows 7 to attempt to connect to the share.<br />
:* Follow the instructions on the above Microsoft page to re-enable guest share access on your Windows 10 version 1709 or later system using the group policy editor (requires Windows 10 Professional or Enterprise)<br />
:* Use the registry editor to set the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters] "AllowInsecureGuestAuth" to dword:1 (Note: editing your registry can cause your system not to boot and other unexpected behavior, so be careful and be sure of what you are doing)<br />
: '''''SPECIAL NOTE for Personal Windows PCs:''' If you are getting an error after hitting enter in the run dialog box, try either disabling your firewall or making a firewall exception for the IP address of your server.''<br />
</ol><br />
<br />
== Share Home Directories ==<br />
'''''[https://www.youtube.com/watch?v=MOJ6wwiQ1mk&feature=youtu.be Video Tutorial - Share Home Directories]''''' <br><br />
Now we are going to set up Home Directory Sharing. By default this is enabled, but write access is not and no users are set up.<br />
First, note that Samba requires user accounts that are separate from the system accounts, just like MySQL. So we will start by adding your user account.<br />
<ol><br />
<li> To do this, we are now going to use Webmin to configure the shares.<br />
: Notice also what other shares are enabled in Samba by default when looking at the Webmin page for Samba. </li><br />
:[[file:Webmin-samba-dashboard.png | link= https://wiki.ihitc.net/mediawiki/images/9/9d/Webmin-samba-dashboard.png | 500px]]<br />
:[[media:Webmin-samba-dashboard.png | Click for Larger Image]]<br />
<li> On the Webmin Samba configuration page, click '''Samba Users'''.<br />
: Notice how none are currently defined.</li><br />
<li>Go back and click '''Convert Users'''.<br />
: This is the tool we will use to convert/copy the local Unix user accounts to Samba accounts.</li><br />
<li>Leave the Unix users to convert option set to all except listed users and UID ranges with the option of -499.<br />
: This will add all user accounts with a UID of 500 or more to Samba. Lower UID values are typically used on Debian systems for service accounts (like ''www-data''), which should not have Samba permissions. </li><br />
<li> On the bottom, select '''No password'''.<br />
: We are doing this as we will define unique passwords for each user.</li><br />
<li>Click '''Convert Users''' when ready. </li><br />
<li> When you are done, go to the '''Samba Users''' page again.<br />
: Notice how your user account is now listed.</li><br />
<li>From here you can now add passwords to the different user accounts you added in the last step. Be sure to set the passwords for each user you intend to connect with. </li><br />
<br />
Lastly we are going to set up write access to home folders, so you will be able to add files to your home directory over Samba.<br />
<br />
<li> On the Samba config page, under '''Shares''', click the '''home share'''.</li><br />
<li> Click '''Security and Access Control'''.</li><br />
<li> Set the '''Writable''' option to '''Yes''', and then click save. </li><br />
<li> Go back to the Samba config page, and click the '''Restart Samba Servers''' option at the bottom.<br />
: We do this to force samba to load the new configuration. You can also wait a minute or two if you don't want to disconnect any connected users. </li><br />
: At this point, we should be ready to test out our configuration.<br />
<li>On your local computer, open up the Run dialog box, enter '''\\172.17.50.xx''' (the IP you set up as the static address), and press Enter.<br />
: Notice how you do not see a home directory share because you are connected without any authentication.</li><br />
<li>In the top URL window, add '''\<username>''' to the path, e.g. '''\\172.17.50.xx\user'''.<br />
: You should now get a login popup.</li><br />
<li>Login as your user, and you should be greeted with your home folder.<br />
: ''NOTE: If your user is unable to login you may have forgotten to set a Samba password for the user as directed above. You need to set a password for each user within Samba.''<br />
: ''NOTE: On local systems running an operating system other than Windows follow whatever process you would normally use to connect to a Windows file share using the IP address of your VM as the server name.'' </li><br />
<li> Test creating and deleting a file to verify write access is working.</li><br />
<li> Try to access a home share of another user that was added to Samba.<br />
: Notice how you do not have permissions.</li><br />
<li>Try logging in with another user account to access a different home share.<br />
: ''NOTE: To use another user account in a samba share, you may have to logout and then back in on your local machine.'' </li><br />
</ol><br />
<br />
== Setup a Group Share ==<br />
'''''[https://www.youtube.com/watch?v=1C7BBUC_V3A&feature=youtu.be Video Tutorial - Setup a Group Share]''''' <br><br />
Now we are going to set up a group folder share that will allow all Samba users to read and write to the folder.<br />
<ol><br />
<li>Go back to the Webmin Samba configuration panel.<br />
: We are going to create a new share.</li><br />
<li>Under '''shares''', select the '''Create a new file share''' link. Use the following base configuration:<br />
<br><br />
<code>Share Name: Share-Files<br><br />
Directory to share: /srv/Group-Share<br><br />
Automatically Create Directory: Yes<br><br />
Create with owner: root<br><br />
Create with permissions: 775<br><br />
Create with group: users<br><br />
Available: yes<br><br />
Browsable: yes<br><br />
Share Comment: group share folder<br />
</code></li><br />
<li>Once the share is set up, click it to edit it.</li><br />
<li>Once you are at the '''Edit File Share''' page, click '''File Permissions'''.<br />
: Notice how the New Unix file and New Unix directory are set to 755 by default, even though we set the share to use 775 to create the directory. This is done for security purposes as it would only allow the owner to have modification privileges for the files and directories they create. We need to modify this so that all users on the system have full access to files in this share.</li><br />
<li>Set the '''New Unix file''' and '''New Unix directory''' mode to 775, and set '''Force Unix group''' to '''users'''. You can now press '''save'''. We do this to allow all authenticated users permission to modify and edit files that may have been added by other users.</li><br />
: Now we will need to enable write access to the folder.<br />
<li>On the '''Edit file share''' page again, click '''Security and Access Control'''.</li><br />
<li>Set the '''Writable''' option to '''Yes''', and press '''save'''.</li><br />
<li>At this point, you can test the share exactly the same way we did with the home folder share.</li><br />
: Notice though how this share is set to '''browsable''', so it shows up in the root share folder. Go ahead and create a file through your host computer. Then use PuTTY to look at the user and group assigned to the files you created.<br />
: It is important to note that even if a user has read or write permission in Samba they must ''also'' have permission to read or write the file/directory on the underlying Linux filesystem. Many problems with making Samba work can be traced to permissions errors where a user does not have correct permission to work with a file or directory either by the Samba software ''or'' by the filesystem.<br />
<li>Look at your '''smb.conf''' file and see what changes Webmin made in order to set up your group share.</li><br />
</ol><br />
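The guest share and the group share above differ in two settings: whether unauthenticated (guest) users are allowed, and whether the share is writable. The following added example, which is not part of the original lab, parses an smb.conf and reports both for every share. The sample file is constructed: only the Guest Share stanza comes from this lab, the homes and Share-Files stanzas are assumptions about what Webmin writes, and the function names are hypothetical.

```python
"""Report guest access and writability for each share in an smb.conf."""

# Constructed sample: [Guest Share] is the stanza from this lab; [homes] and
# [Share-Files] are assumptions about what Webmin writes on your system.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP

[homes]
   comment = Home Directories
   browseable = no
   writeable = yes

[Guest Share]
comment = Public File Share
public = yes
path = /srv/Guest-Files

[Share-Files]
   comment = group share folder
   path = /srv/Group-Share
   writeable = yes
   create mode = 775
   directory mode = 775
   force group = users
"""

TRUE_WORDS = {"yes", "true", "on", "1"}
FALSE_WORDS = {"no", "false", "off", "0"}
NOT_FILE_SHARES = {"global", "printers"}


def to_bool(value):
    """Convert a Samba boolean word to True/False."""
    word = value.strip().lower()
    if word in TRUE_WORDS:
        return True
    if word in FALSE_WORDS:
        return False
    raise ValueError(f"not a boolean value: {value!r}")


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with synonyms folded together.

    'public' is stored as 'guest ok'; 'writable', 'writeable' and 'write ok'
    are stored as the inverse of 'read only'. A later line in the same
    section overrides an earlier one. Backslash line continuations are not
    handled.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = " ".join(key.lower().split())
        value = value.strip()
        if key == "public":
            key = "guest ok"
        elif key in ("writable", "writeable", "write ok"):
            key, value = "read only", ("no" if to_bool(value) else "yes")
        current[key] = value
    return sections


def audit_shares(text):
    """Return {share: {"path", "guest", "writable", "access"}}."""
    sections = parse_smb_conf(text)
    # Values in [global] act as defaults for every share.
    global_params = next(
        (p for name, p in sections.items() if name.lower() == "global"), {})
    report = {}
    for name, params in sections.items():
        if name.lower() in NOT_FILE_SHARES:
            continue
        # Samba defaults: no guest access, read-only.
        eff = {"guest ok": "no", "read only": "yes", **global_params, **params}
        guest = to_bool(eff["guest ok"])
        writable = not to_bool(eff["read only"])
        access = ("guest" if guest else "authenticated") + \
                 ("-writable" if writable else "-read-only")
        report[name] = {"path": eff.get("path"), "guest": guest,
                        "writable": writable, "access": access}
    return report


if __name__ == "__main__":
    for share, info in audit_shares(SAMPLE_SMB_CONF).items():
        print(f"{share:12} {info['access']:24} {info['path']}")
```

A share reported as guest-writable lets anyone on the network change its files without logging in, which is the combination to look for after editing shares by hand or through Webmin.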
<br />
= Checking Your Work =<br />
<br><br><br />
<br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_07_test.py | python3<br />
</nowiki></code><br />
<br />
<br><br><br />
You can check your progress on any of the labs in the ITC-2480 course from a webapp from this link: <br><br />
[http://webcheck.itc2480.campus.ihitc.net webcheck.itc2480.campus.ihitc.net]<br><br />
You must be logged into the campus VPN to use this application.</div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_6_mnjk&diff=9612Lab 6 mnjk2021-04-16T22:36:37Z<p>NateHaleen: /* Checking your Work */</p>
<hr />
<div>=Introduction=<br />
In this lab you will perform the following tasks:<br />
*Installing typical website software on your server including a forum and blog software<br />
*Playing with basic PHP web scripting<br />
In all of these cases you should download the latest stable .tar.gz version of the software from the website and install it following the official documentation. <br><br />
'''DO NOT''' install pre-built Debian packages. This is not allowed and will not prepare you properly for installing this type of software in many web hosting environments.<br />
<br />
There are no specific Linux commands needed for this lab, but this lab assumes you can do the following:<br />
*[[Lab_5_mnjk#Experiment_with_Databases | MariaDB database creation]]<br />
*[[Lab_5_mnjk#Experiment_with_Website_PHP | Creating HTML links]]<br />
<br />
=Lab Procedure=<br />
== Prerequisites ==<br />
# Open an SSH console to your Linux system using the PuTTY software<br />
# Login with your standard user account<br />
# Use FileZilla to transfer files to your system using SCP/SFTP if needed<br />
<br />
== Install Wordpress ==<br />
'''''[https://www.youtube.com/watch?v=Qg5fow1_SCY&feature=youtu.be Video Tutorial - Install Wordpress]'''''<br />
# Download the latest stable version of the [http://wordpress.org/ Wordpress blogging software]<br />
#:[[file:Lab6_links_wordpress.png | link= https://wiki.ihitc.net/mediawiki/images/3/39/Lab6_links_wordpress.png | 500px]]<br />
#:[[media:Lab6_links_wordpress.png| Click for Larger Image]]<br />
# Try following the [http://codex.wordpress.org/Main_Page official installation documentation] to install the software. <br />
#: Your goal is to install the software in the ''/blog/'' directory of your webserver so that you can visit your blog by going to http://''example.com''/blog/ where ''example.com'' is your IP address (we don't have DNS setup).<br />
#: ''HINT: You can use either the mysql command line client or the Webmin interface to do the database setup.''<br />
#* The command to create a database in MariaDB is:<br />
#: <code> CREATE DATABASE <name of database>; </code><br />
#* Once the database is created you will need to create a user:<br />
#: <code> CREATE USER '<username>'@'localhost' IDENTIFIED BY '<password>';</code><br />
#* Now grant the newly created user privileges:<br />
#: <code> GRANT ALL PRIVILEGES ON <database>.* TO '<username>'@'localhost';</code><br />
#* Once you've completed these steps return to the Wordpress Installation Guide and complete the installation.<br />
#:[[file:Lab6_WordPress_Installation_mk2.png | link= https://wiki.ihitc.net/mediawiki/images/f/fa/Lab6_WordPress_Installation_mk2.png | 500px]]<br />
#:[[media:Lab6_WordPress_Installation_mk2.png | Click for Larger Image]]<br />
# Once the software is installed make sure that you can successfully log in to the Wordpress web interface and add a few blog posts.<br />
#:[[file:Lab6_wordpress_default_blog_mk2.png | link= https://wiki.ihitc.net/mediawiki/images/9/9b/Lab6_wordpress_default_blog_mk2.png | 500px]]<br />
#:[[media:Lab6_wordpress_default_blog_mk2.png| Click for Larger Image]]<br />
<br />
== Install MyBB ==<br />
'''''[https://www.youtube.com/watch?v=VegevSlCpSQ&feature=youtu.be Video Tutorial - Install MyBB]'''''<br />
# Download and install the latest stable version of the [http://www.mybb.com/ MyBB forum software] following the instructions in their documentation. <br />
#:[[file:lab6_links_mybb.png | link= https://wiki.ihitc.net/mediawiki/images/2/2b/Lab6_links_mybb.png | 500px]]<br />
#:[[media:lab6_links_mybb.png | Click for Larger Image]]<br />
#: Your goal is to install the software in the ''/forum/'' directory of your webserver so that you can visit your forum by going to http://''example.com''/forum/ where ''example.com'' is your IP address (we don't have DNS setup)<br />
#:[[file:lab6_MyBB_Installation.png | link= https://wiki.ihitc.net/mediawiki/images/d/d2/Lab6_MyBB_Installation.png | 500px]]<br />
#:[[media:lab6_MyBB_Installation.png | Click for Larger Image]]<br />
#: ''HINT: If you get an error during installation about PHP XML extensions, use '''apt''' to search for and install php-xml. After that use '''sudo service apache2 restart''' to restart Apache2 and apply the change.''<br />
# Make sure that you can create forums, users, and posts once you have installed the software.<br />
#:[[file:lab6_mybb_default.png | link= https://wiki.ihitc.net/mediawiki/images/d/d6/Lab6_mybb_default.png | 500px]]<br />
#:[[media:lab6_mybb_default.png | Click for Larger Image]]<br />
<br />
== Install One Additional PHP Application ==<br />
'''''[https://www.youtube.com/watch?v=X-u9EdQxcxw&feature=youtu.be Video Tutorial - Additional PHP Applications]'''''<br />
# Select One Additional PHP Application from the list below and install it following the official documentation:<br />
#* [http://www.opencart.com/ OpenCart] - Web Store System<br />
#* [https://www.mediawiki.org/ MediaWiki] - Wiki System<br />
#* [https://www.joomla.org/ Joomla!] - Content Management System<br />
#* [https://nextcloud.com NextCloud] - File Management like Google Drive<br />
#* [http://piwigo.org/ Piwigo] - Image Gallery<br />
#* [https://gnu.io/social/ GNU Social] - Microblogging like Twitter<br />
#* [https://www.limesurvey.org/stable-release LimeSurvey] - Run your own site like SurveyMonkey<br />
#* Other PHP applications may be approved by your instructor<br />
# After completing the installation make sure the software works as it should<br />
<br />
== Experiment With PHP ==<br />
# Take a look at the simple [http://www.w3schools.com/php/php_ajax_rss_reader.asp RSS reader on the w3schools site]<br />
# See if you can get the RSS reader working on your own server.<br />
#:[[file:lab6_rss.png | link= https://wiki.ihitc.net/mediawiki/images/a/a0/Lab6_rss.png | 500px]]<br />
#:[[media:lab6_rss.png | Click for Larger Image]]<br />
# Try changing one or both of the RSS feeds from Google and ZDNet to feed(s) of your choice<br />
# Try modifying the code to include more than two RSS feeds<br />
#: ''Hint: The idea in this section of the lab is to see if you can figure out how a simple PHP application works and modify it, not specifically to see if you can run the RSS reader.''<br />
<br />
== Update Your Main Page ==<br />
# Put links on your main INDEX page to everything you have done (your blog, forums, additional PHP software, and RSS reader experimental page)<br />
#: Here is a sample of what your INDEX page might look like, but you are free to customize it however you wish:<br />
#: [[File:Lab6_index_page.png|link=https://wiki.ihitc.net/mediawiki/images/0/00/Lab6_index_page.png | 500px]]<br />
#: [[Media:Lab6_index_page.png| Click here for larger image]]<br />
<br />
=Checking your Work=<br />
Wordpress<br />
# On your host computer navigate to http://''example.com''/blog.<br />
# Make a blog post.<br />
# Reach out to someone else in the class (you can get classmates' email addresses from the D2L Classlist) and ask them to comment on your blog post.<br />
#: If you are able to post and see a comment from your classmate you have successfully completed the Wordpress section of the lab.<br />
<br><br />
MyBB<br />
# On your host computer navigate to http://''example.com''/forum.<br />
# Create a forum.<br />
# Create a user account.<br />
# Make a post using your new user account.<br />
#: If you are able to make a post using the new user account you have successfully completed the MyBB section of the lab.<br />
<br><br />
Other PHP Applications<br><br />
: Depending on which PHP application you installed, the method of testing will be different.<br />
: Use your creativity. Here are some ideas:<br />
* Upload something.<br />
* Post something.<br />
* Make a new page.<br />
: When you are satisfied that your application is working properly, you have completed the PHP application section of this lab.<br />
<br><br />
RSS Feed Reader<br />
# From your host system navigate to the location of your RSS feed.<br />
#: ''HINT: This should be linked on your index page''<br />
# Use the dropdown bar to select a feed.<br />
#: The most recent posts from that feed should appear.<br />
#:[[file:Lab6_rss_sample.png | link= https://wiki.ihitc.net/mediawiki/images/f/f7/Lab6_rss_sample.png | 500px]]<br />
#:[[media:Lab6_rss_sample.png | Click for Larger Image]]<br />
# Try clicking the link to navigate to the full article.<br />
#: If you are able to complete all these steps you have successfully completed the RSS Reader section of this lab. <br />
<br><br><br />
<br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_06_test.py | python3<br />
</nowiki></code><br />
</ol><br />
<br><br><br />
You can check your progress on any of the labs in the ITC-2480 course from a webapp from this link: <br><br />
[http://webcheck.itc2480.campus.ihitc.net webcheck.itc2480.campus.ihitc.net]<br><br />
You must be logged into the campus VPN to use this application.</div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_5_mnjk&diff=9611Lab 5 mnjk2021-04-16T22:36:14Z<p>NateHaleen: /* Checking Your Work */</p>
<hr />
<div>=Introduction=<br />
In this lab you will perform the following tasks:<br />
*Learn about static network configuration of Debian Linux systems<br />
*Install '''[https://www.php.net PHP]'''<br />
*Install '''[https://mariadb.org MariaDB]''' on your server; this is an open-source MySQL alternative<br />
*Experiment with websites and databases<br />
*Explore the standard log files on your system.<br />
<br />
You will be introduced to the following commands:<br />
<br />
*'''[https://linux.die.net/man/8/ifup ifup]'''<br />
*'''[https://linux.die.net/man/8/ifdown ifdown]'''<br />
*'''[https://linux.die.net/man/8/ping ping]'''<br />
*'''[https://linux.die.net/man/8/shutdown shutdown]'''<br />
*'''[https://www.commandlinux.com/man-page/man8/a2dissite.8.html a2ensite]'''<br />
*'''[https://www.commandlinux.com/man-page/man8/a2dissite.8.html a2dissite]'''<br />
*'''[https://linux.die.net/man/1/wget wget]'''<br />
*'''[https://linux.die.net/man/1/zcat zcat]'''<br />
*'''[https://linux.die.net/man/8/service service]'''<br />
*'''[https://linux.die.net/man/1/tail tail]'''<br />
<br />
You will also use the following MySQL (MariaDB) commands:<br />
<br />
*'''[https://mariadb.com/kb/en/use USE]'''<br />
*'''[https://mariadb.com/kb/en/show SHOW]'''<br />
*'''[https://mariadb.com/kb/en/select SELECT]'''<br />
*'''[https://mariadb.com/kb/en/drop-database DROP database]'''<br />
<br />
=Lab Procedure=<br />
==Prerequisites==<br />
# Open an SSH console to your Linux system using the PuTTY software, login with your standard user account<br />
# Make a note of the static IP address information for your particular system in the table below. It is based on the system name identification letter in vmWare. These IP addresses will ONLY be valid in the ITC vmWare Linux class subnet. If you are working on a local VirtualBox system you will need to select an available static IP from the correct subnet for your system or skip the static IP addressing section. All vmWare systems will use a gateway address of 172.17.50.1 and a subnet mask of 255.255.255.0, with two nameservers: 172.17.139.11 and 172.17.139.111.<br />
{| {{table}}<br />
| align="center" style="background:#f0f0f0;"|'''System ID'''<br />
| align="center" style="background:#f0f0f0;"|'''Static IP'''<br />
|-<br />
| A||172.17.50.11<br />
|-<br />
| B||172.17.50.12<br />
|-<br />
| C||172.17.50.13<br />
|-<br />
| D||172.17.50.14<br />
|-<br />
| E||172.17.50.15<br />
|-<br />
| F||172.17.50.16<br />
|-<br />
| G||172.17.50.17<br />
|-<br />
| H||172.17.50.18<br />
|-<br />
| I||172.17.50.19<br />
|-<br />
| J||172.17.50.20<br />
|-<br />
| K||172.17.50.21<br />
|-<br />
| L||172.17.50.22<br />
|-<br />
| M||172.17.50.23<br />
|-<br />
| N||172.17.50.24<br />
|-<br />
| O||172.17.50.25<br />
|-<br />
| P||172.17.50.26<br />
|-<br />
| Q||172.17.50.27<br />
|-<br />
| R||172.17.50.28<br />
|-<br />
| S||172.17.50.29<br />
|-<br />
| T||172.17.50.30<br />
|-<br />
| U||172.17.50.31<br />
|-<br />
| V||172.17.50.32<br />
|-<br />
| W||172.17.50.33<br />
|-<br />
| X||172.17.50.34<br />
|-<br />
| Y||172.17.50.35<br />
|-<br />
| Z||172.17.50.36<br />
|}<br />
<br />
<br />
<br />
==Set a static IP==<br />
'''''[https://www.youtube.com/watch?v=VcPA6gJ0Ohw&feature=youtu.be Video Tutorial - Setting a Static IP Address]'''''<br />
<br />
: An important first step is to learn how to differentiate between network interfaces. Take a look at [https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/ this site] and [https://github.com/systemd/systemd/blob/master/src/udev/udev-builtin-net_id.c#L20 this site] to understand how network interface names in Debian 9 and later are identified.<br />
<ol><br />
<li>Set a static IP for your server</li><br />
* Using your text editor of choice, open up the file ''/etc/network/interfaces''<br />
* Notice how it is currently set to dhcp for the ''ens192'' interface.<br />
* To set a static IP, you will need to change ''iface ens192 inet dhcp'' to ''iface ens192 inet static''.<br />
* Now, under the iface line you just edited, you will need to enter the address, netmask, and gateway for the static network.<br />
:'''Reminder: it is common practice to indent (tab) static network configuration information in the interfaces file.'''<br />
''Note: Your configuration should be similar to this:''<br />
<pre>allow-hotplug ens192<br />
iface ens192 inet static<br />
address xxx.xxx.xxx.xxx<br />
netmask 255.255.255.0<br />
gateway 172.17.50.1<br />
dns-nameservers 172.17.139.11 172.17.139.111</pre><br />
* Now save the file, and exit your file editor.<br />
<li>Apply your static IP address</li><br />
* Now we are going to apply the static IP change. Try using '''ip address show''' to view your active configuration now and you should see that your old address is still active.<br />
:'''NOTE: You should only make network configuration changes when you have physical access to a machine. This way, if you mess up your configuration you will be able to fix it from a local console.''' If you lose working SSH access to your system after making these changes you'll need to connect in through the NetLab console interface (which is equivalent to physical access) and find and correct your configuration issues.<br />
* Using the '''ifdown''' and '''ifup''' commands, we are going to restart the network interface. This step is required to apply the change.<br />
:''Note: A good way to watch this change is to have two ping windows open on your local machine, pinging both your old IP address and your new IP address with '''ping 172.17.50.xx -t'''. This will allow you to see how quickly the change happens. The first image below is with the DHCP address, the second is after the static address is applied.''<br />
:[[File:Lab5_ping_ifup_ifdown.png|link=https://wiki.ihitc.net/mediawiki/images/2/2f/Lab5_ping_ifup_ifdown.png|500px]]<br />
:[[Media:Lab5_ping_ifup_ifdown.png|Click here for a larger image]]<br />
* In an SSH terminal, run '''sudo ifdown ens192 && sudo ifup ens192'''. Notice the ''&&'' between the two commands. This tells the Linux shell to run the second command right after the first, as long as the first succeeds. If we ran only the first command, we would be left with a machine that has its networking turned off.<br />
: <code>sudo ifdown ens192 && sudo ifup ens192</code><br />
''Note: you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.''<br />
* At this point, your machine should now be using a static address. You may receive an error message indicating that an address cannot be assigned which is related to your old DHCP address still being on the interface as well. Use '''ip address show''' to verify the new IP address is assigned to the interface.<br />
<li>Verify the new static IP address</li><br />
* Use a '''ping''' command from your local PC to try pinging both the old DHCP address and the new static address of your VM. <br />
* Once you have verified the VM is responding on the new static IP address, reboot the system with '''sudo shutdown -r now''' to ensure the old DHCP address is removed. Note that you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
<li>Reconnect through SSH to your new IP address and verify it is now applied using the '''ip address show''' command.</li><br />
</ol><br />
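Because a mistake in ''/etc/network/interfaces'' can cut off your SSH access, it helps to check the static stanza before running '''ifdown''' and '''ifup'''. The following added example, which is not part of the original lab, parses the stanza and confirms that the netmask is valid, the gateway is inside the address's subnet, and the nameservers are well-formed. The sample file uses the System A address from the table above and is constructed for illustration; the function names are hypothetical.

```python
"""Sanity-check static stanzas in a Debian /etc/network/interfaces file."""
import ipaddress

# Constructed sample using the lab's gateway, netmask and nameservers and
# the System A address from the table.
SAMPLE_INTERFACES = """\
# The loopback network interface
auto lo
iface lo inet loopback

allow-hotplug ens192
iface ens192 inet static
    address 172.17.50.11
    netmask 255.255.255.0
    gateway 172.17.50.1
    dns-nameservers 172.17.139.11 172.17.139.111
"""

STANZA_STARTERS = {"auto", "source", "source-directory", "mapping"}


def parse_static_stanzas(text):
    """Return {interface: {option: [values]}} for 'inet static' stanzas."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        if words[0] == "iface":
            # iface <name> <family> <method>
            current = None
            if len(words) == 4 and words[2:] == ["inet", "static"]:
                current = stanzas.setdefault(words[1], {})
        elif words[0] in STANZA_STARTERS or words[0].startswith("allow-"):
            current = None  # a new stanza ends the iface option block
        elif current is not None:
            current[words[0]] = words[1:]
    return stanzas


def check_static(options):
    """Return a list of problems found in one static stanza."""
    if not options.get("address"):
        return ["missing address"]
    addr = options["address"][0]
    if "/" not in addr:
        if not options.get("netmask"):
            return ["address has no prefix length and no netmask is given"]
        addr = f"{addr}/{options['netmask'][0]}"
    try:
        iface = ipaddress.ip_interface(addr)
    except ValueError as exc:
        return [f"invalid address or netmask: {exc}"]

    problems = []
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address,
                                           net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address")
    for gw in options.get("gateway", []):
        try:
            gateway = ipaddress.ip_address(gw)
        except ValueError:
            problems.append(f"gateway {gw} is not an IP address")
            continue
        if gateway not in net:
            problems.append(f"gateway {gw} is outside {net}")
        elif gateway == iface.ip:
            problems.append("gateway is the same as the host address")
    for ns in options.get("dns-nameservers", []):
        try:
            ipaddress.ip_address(ns)
        except ValueError:
            problems.append(f"nameserver {ns} is not an IP address")
    return problems


def validate_interfaces(text):
    """Return {interface: [problems]} for every static stanza in the file."""
    return {name: check_static(opts)
            for name, opts in parse_static_stanzas(text).items()}


if __name__ == "__main__":
    for name, problems in validate_interfaces(SAMPLE_INTERFACES).items():
        print(name, "OK" if not problems else problems)
```

An empty problem list means the stanza is internally consistent; it does not tell you whether the address is already in use by another system.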
<br />
==Install PHP & MySQL/MariaDB==<br />
<br />
'''''[https://www.youtube.com/watch?v=Az0qtg4LSjA&feature=youtu.be Video Tutorial - Install PHP and MySQL MariaDB]'''''<br />
<ol><br />
<li>Install packages</li><br />
:* Using '''apt''', install the ''php'' and ''mariadb-server'' packages as well as the ''php-mysql'' package which provides the link between php and mysql and the ''libapache2-mod-php'' package which provides a copy of PHP which allows the Apache webserver to run website PHP scripts.<br />
''Note: Remember to do an '''apt update''' before installing packages to make sure you get the latest versions.''<br />
''Note: MariaDB is a fully compatible replacement for MySQL that isn't controlled by Oracle.''<br />
* After the dependencies are found, go ahead and accept them to continue the install.<br />
<li> After the install is complete, '''cd''' to ''/var/www/html'' which is the root directory of your webserver and so where all website files are served from.</li><br />
<li> In order to fully enable the PHP-MySQL module you should restart your Apache webserver. You don't need to restart your entire system to do this. Do some research on the "apache2ctl" or the "service apache2" commands which can be used to do this.</li><br />
<li> At this point we will test to verify that php is working properly with Apache. Create a new file named ''phptest.php'', and then open it in a text editor.</li><br />
: ''Note: you may have to use sudo to create and edit files in this directory, as your standard user account may not have privileges to do so.''<br />
:<code>sudo touch phptest.php</code><br />
:<code>sudo nano phptest.php</code><br />
<li>Enter the following into the file:<br />
<pre><?php<br />
phpinfo();<br />
?></pre></li><br />
<li>Now save the file, and on your local machine go to xxx.xxx.xxx.xxx/phptest.php in a web browser where xxx.xxx.xxx.xxx is your VM's static IP. You should now be on a page that shows your PHP Version, and system information.</li> <br />
:[[File:Lab5_php_info.png|500px]]<br />
:[[Media:Lab5_php_info.png|Click here for a larger image]]<br />
<li>Use the "View Source" option in your browser to see the HTML source code for the page you're viewing. Is it the same or different than the .php file you created? Why? How is this different than a standard .html file?</li><br />
:[[File:Lab5_php_info_devtab.png|500px]]<br />
:[[Media:Lab5_php_info_devtab.png|Click here for a larger image]]<br />
</ol><br />
<br />
==Experiment with Website PHP==<br />
<br />
'''''[https://www.youtube.com/watch?v=m_sUrt_quX4&feature=youtu.be Video Tutorial - Experiment with Website PHP]'''''<br />
<ol><br />
<li> Explore Apache symlinks</li><br />
:In a previous lab we learned about editing the ''/var/www/index.html'' file to change the default web page displayed by your server. In a future lab you will install some PHP/MySQL based software which powers many Internet sites with forums, blogs, etc. Before we can do that we need to learn a little more about PHP and about databases. Like most software on Linux the Apache webserver configuration files are stored in the ''/etc'' directory. Specifically, you can find several of them, which work together and are called from each other, in ''/etc/apache2/''. Take a look in the ''/etc/apache2/sites-enabled/'' directory. See how symlinks are used to point to configuration files which actually reside in the ''/etc/apache2/sites-available/'' directory? This allows us to turn off and on various sites by creating or removing a symlink rather than by deleting the actual configuration file, a handy thing if we just want to temporarily disable a site. In fact Apache provides utilities to automatically add and remove these links called '''a2ensite''' and '''a2dissite'''. Check the '''man''' pages for these commands to see how they work.<br />
<li>Explore '''/etc/apache2/sites-enabled'''</li><br />
:As you might have guessed the default site for your system is configured by the file linked to at ''/etc/apache2/sites-enabled/000-default''. If you open this file in your favorite text editor you will see a series of what Apache calls "directives" which explain how the webserver should function, what port it should listen on, where the website files will reside (''/var/www/html''), etc. <br />
:''NOTE: Going into all of the different Apache directives is outside of the scope of this course but you will find a lot of documentation about them on the Internet.''<br />
<li>Explore the Apache configuration files in Webmin</li><br />
:In addition to configuring Apache directly through its configuration files you can also configure it through an interface like Webmin, which we installed in a previous lab. Bring up the Webmin configuration page for Apache and take a look at the settings for the default site. Note how the things you saw directly in the configuration file match up with what you see in Webmin. One of the things you may be interested in seeing is how the webserver knows to display the index.html file from a directory if it exists and no specific file is requested in the URL. Take a look on the "Directory Indexing" page for the default virtualhost and see if you can find this information. You'll notice that there is a list of files, not just index.html, which the server will display.<br />
:'' NOTE: You may need to refresh your Webmin modules or "scan for new modules" if you haven't done that since installing Apache and Webmin. Webmin scans your system for compatible server software packages (like Apache) when it is installed but needs to re-scan its modules after you install new server software before you can configure it through Webmin.<br />
<li>Experiment with and learn PHP basics</li><br />
:In another section of this lab you created a basic ''phptest.php'' file and saw how the server executed the PHP code and turned it into an HTML page your browser could display. Because PHP offers an easy way to write web applications it powers much of the Internet. To prepare us for setting up some PHP applications in a future lab it will be helpful to know a little about how PHP scripts work. Read through the [http://www.w3schools.com/php/default.asp W3 Schools PHP Basics Tutorial] (PHP Intro through PHP Superglobals) and try creating some PHP scripts on your own Linux server like the examples given in the tutorial pages to see if you can get them to run. Try modifying them a little bit and see what the results are. There are many great Internet resources devoted to understanding how to do things with PHP so take some time to see how this language can be easily integrated in websites. You should definitely be familiar with editing PHP files to change variables, echo statements, etc., which are all skills you'll need when installing PHP based website software.<br />
<li>Create your own PHP files</li><br />
:*Try writing some simple PHP scripts on your own using variables and echo statements and make them available through your webserver.<br />
:*A good place to create these would be in your home directory, using your favorite text editor.<br />
<li>Create your own "home" page by editing your ''index.html'' file located in the '''/var/www/html''' directory.</li><br />
:''NOTE: You will need to be familiar with the very basics of editing HTML files in order to create links, etc. If you haven't done this before there are many introductory HTML tutorials available online. A good starting place is [https://www.w3schools.com/html/html_basic.asp W3 Schools HTML Basics Examples]<br />
:'' NOTE: It is important to know that an '''html''' file must include the <!DOCTYPE HTML> tag. Additionally, you will notice that all tags have an opening tag and a closing tag. The information between the tags is what will have the features of the tag.<br />
:*Backup your ''index.html'' file by copying to a new file name.<br />
:<code>sudo cp /var/www/html/index.html /var/www/html/index.html.bak</code><br />
:*Edit your ''index.html'' file (or create a new ''index.php'' file which will be loaded instead if it exists) so there is a list and links to the various scripts you have created as part of your PHP experimentation.<br />
:* Open your index.html file in your favorite text editor,<br />
:<code>sudo nano /var/www/html/index.html</code><br />
:*Since you have backed up the original index.html file I would edit this file to only include the basics.<br />
<pre> <br />
<!DOCTYPE HTML><br />
<html><br />
<body><br />
<h1>My ITC-2480 Server</h1><br />
<p>This is a server on Pod-R in NetLab at 172.17.50.XX</p><br />
<br><br />
<p>Here are some of the Projects I am working on:</p><br />
<a href="http://172.17.50.XX/phptest.php">PHP Version Information</a><br />
</body><br />
</html><br />
</pre><br />
:'' NOTE: Make sure to replace the XX in the IP with the IP address of your server.<br />
:<br />
:[[File:Lab5_basic_html.png|link=https://wiki.ihitc.net/mediawiki/images/2/29/Lab5_basic_html.png|500px]]<br />
:[[Media:Lab5_basic_html.png|Click here for a larger image]]<br />
:A first look for a basic page<br />
:[[File:Lab5_initial_home.png|link=https://wiki.ihitc.net/mediawiki/images/9/92/Lab5_initial_home.png|500px]]<br />
:[[Media:Lab5_initial_home.png|Click for a larger image]]<br />
<li>Try to add additional features to your "home" page.</li><br />
:''NOTE: You may get some ideas of features you might like to add by looking at the original ''index.html'' file that we backed up in step 6 of this lab.<br />
:*As you complete your labs consider what you can add to this page.<br />
:*Add links to the PHP scripts you created<br />
:*A few good challenges would be to add a title, change font size, style or color.<br />
<br />
</ol><br />
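The ''sites-available'' / ''sites-enabled'' symlink arrangement described earlier in this section can be checked with a short script. This is an added example, not part of the original lab: the function names and the sample directory tree (built in a temporary directory, with constructed file names) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an Apache-style sites-enabled directory.
# Every entry there is expected to be a symlink into sites-available, so that a
# site can be switched off by removing the link while its configuration survives.

# audit_sites_enabled ROOT
#   ROOT holds sites-available/ and sites-enabled/ (on Debian: /etc/apache2).
#   Prints "<status> <name>" for each entry in sites-enabled:
#     ok        symlink resolving to a file inside sites-available
#     dangling  symlink whose target no longer exists
#     outside   symlink resolving to a file somewhere else
#     regular   a real file; deleting it would delete the only copy
audit_sites_enabled() {
    root=$1
    avail=$(readlink -f "$root/sites-available")
    for e in "$root"/sites-enabled/*; do
        name=$(basename "$e")
        if [ -L "$e" ]; then
            if [ ! -e "$e" ]; then
                status=dangling
            else
                real=$(readlink -f "$e")      # follow the link to the real path
                case $real in
                    "$avail"/*) status=ok ;;
                    *)          status=outside ;;
                esac
            fi
        elif [ -f "$e" ]; then
            status=regular
        else
            continue                          # unmatched glob or a subdirectory
        fi
        printf '%s %s\n' "$status" "$name"
    done
    return 0
}

# make_sample_apache_tree ROOT
#   Builds a constructed directory tree to run the audit against.
make_sample_apache_tree() {
    root=$1
    mkdir -p "$root/sites-available" "$root/sites-enabled" "$root/other"
    echo '# default site' > "$root/sites-available/000-default.conf"
    echo '# blog site'    > "$root/sites-available/blog.conf"   # present, not enabled
    echo '# elsewhere'    > "$root/other/ext.conf"
    # Enabled the way a2ensite does it: a relative symlink into sites-available.
    ln -s ../sites-available/000-default.conf "$root/sites-enabled/000-default.conf"
    ln -s ../sites-available/old.conf "$root/sites-enabled/old.conf"   # target missing
    ln -s ../other/ext.conf "$root/sites-enabled/ext.conf"
    echo '# pasted directly' > "$root/sites-enabled/stray.conf"
}

# Demonstration on the constructed tree.
demo_root=$(mktemp -d)
make_sample_apache_tree "$demo_root"
audit_sites_enabled "$demo_root"
rm -rf "$demo_root"
```

To check a real server, run <code>audit_sites_enabled /etc/apache2</code> after defining the function.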
<br />
==Experiment with Databases==<br />
<br />
'''''[https://www.youtube.com/watch?v=1zYXiWLoGdM&feature=youtu.be Video Tutorial - Experiment with Databases]'''''<br />
<ol><br />
: In order to do really powerful things with a website we need a database where we can store dynamic content which can be queried to automatically build site pages from a template. One of the most common databases is an SQL database, and MySQL has long been the most prevalent Linux SQL software. These days MariaDB, which we installed, has been taking some MySQL marketshare because it is a community developed program instead of MySQL which is now owned by Oracle. The MariaDB software and MySQL software are essentially equivalent, especially for small sites/databases, and the same commands are used interchangeably including using the '''mysql''' command to access them. SQL itself is a standard language for interacting with a specific type of database called a relational database, we'll see why it's called a relational database in a minute. Each database is a collection of data stored in tables. You can think of a table as something like a spreadsheet with rows and columns, except we call the columns fields and the rows records (sometimes we actually call them rows too). The different tables are often related to one another, of course they are usually being used by the same web application, but usually the relationship goes deeper than that as we'll see in a little bit.<br />
<li>Download a sample database</li><br />
: To jumpstart our exploration of databases we'll download a pre-built sample database with a few tables and many records already in it and import it into our MySQL database server. Download the employees database file [https://launchpad.net/test-db/employees-db-1/1.0.6/+download/employees_db-full-1.0.6.tar.bz2 employees_db-full-1.0.6.tar.bz2] (about 26MB) and get it into your home directory. Instead of using the '''links''' browser to do this or downloading to your computer and then pushing this large file back across the Internet with an SCP/SFTP client like FileZilla a better choice might be to learn about the '''wget''' program which can be used like "'''wget https://launchpad.net/test-db/employees-db-1/1.0.6/+download/employees_db-full-1.0.6.tar.bz2'''" to download the file into your current working directory.<br />
<code>wget https://launchpad.net/test-db/employees-db-1/1.0.6/+download/employees_db-full-1.0.6.tar.bz2</code><br />
<li>Unpack the database file</li><br />
: Figure out how to use the '''tar''' program to unpack this .tar.bz2 file. Note that this file uses bz2 compression which takes longer to compress than gzip but can compress the files more. Once unpacked you should have an "employees_db" folder.<br />
<li>Explore the files included with sample database</li><br />
: Inside the ''employees_db'' folder you should have a number of ''.sql'' script files and dump files which can be used to restore the database to your system.<br />
:*Take a look at the ''employees.sql'' file, it's just a text file, which describes the format of the database. <br />
:*Also take a look at the ''load_employees.dump'' file, also just a text file, which contains all of the records from the employees table of the database.<br />
:'' NOTE: There are 300,000 some employee records in this database so you probably don't want to just use '''cat''' to view these files as it could take a while to print them out to your screen. Using the '''less''' program would be a better choice as it will allow you to exit viewing the file by pressing q at any time.<br />
<li>Open the MySQL (MariaDB) command line</li><br />
: We can interact with the MySQL/MariaDB server in many different ways. The first way we'll take a look at is through the command line '''mysql''' program. Run the "'''sudo mysql'''" command. <br />
:'' NOTE: We are running this command with system administrator permissions, which allows us to log in to the MySQL server with database administrator permissions as well. The MySQL program actually stores its own usernames and passwords as a MySQL database itself. You can create and modify these permissions from the mysql command line but we'll learn more about modifying them through the Webmin interface later.<br />
:<code>sudo mysql</code><br />
<br><br />
:[[File:Lab5_mariadb_cli.png|link=https://wiki.ihitc.net/mediawiki/images/4/4f/Lab5_mariadb_cli.png|500px]]<br />
:[[Media:Lab5_mariadb_cli.png|Click here for a larger image]]<br />
<li>Explore MySQL (MariaDB) Commands</li><br />
: MySQL has its own command line language that you can use through the "mysql>" prompt you are now running. For example, if we want to see a list of databases on the system we can run "'''SHOW databases;'''". Run the command and note the databases that already exist by default.<br />
<code>SHOW databases;</code><br />
:'' NOTE: Each MySQL/MariaDB statement ends with a semicolon (;) if you do not put the semicolon at the end of the line the command will not execute when you press enter and you will be able to continue to add more commands to the statement before finishing with a semicolon. If you accidentally press enter without ending with a semicolon you can just enter a semicolon on the next line and press enter.<br />
<li>Import the sample database</li><br />
: To import the employee database we can use the "'''source employees.sql;'''" command (assuming we were already working in the directory which contains the employees.sql file when we launched mysql). Import the employee database and verify the system now has an employees database.<br />
<code>SOURCE employees.sql;</code><br />
<li>Use the employees database</li><br />
<code>USE employees;</code><br />
: If we want to see all of the tables in the employees database we must first select the database we want to work on using the "'''USE employees;'''" command.<br />
<li>Explore the employee table</li><br />
: Use the "'''SHOW tables;'''" command to see a list of tables.<br />
<code>SHOW tables;</code><br />
<li>View a list of employees in table</li><br />
: To see a list of all the records in a table we need to run a SELECT query "'''SELECT * from ''<tablename>'''''" like "'''SELECT * from employees'''" which will list all the records in the ''employees'' table of the employees database and display them.<br />
<code>SELECT * from employees;</code><br />
<br><br />
:[[File:Lab5_mariadb_show_tables.png|link=https://wiki.ihitc.net/mediawiki/images/d/d5/Lab5_mariadb_show_tables.png|350px]]<br />
:[[Media:Lab5_mariadb_show_tables.png|Click here for a larger image]]<br />
:* Remember that we previously selected to USE the ''employees'' database, this will be remembered until we USE a different database. Try displaying the records in a couple of different tables like employees and departments.<br />
:'' NOTE: The output can be broken by using CTRL-C on your local machine if you do not wish to wait for all of the records to be displayed.<br />
:<br />
: There is much more that we can do from the MySQL/MariaDB command line but that would be a whole class or more itself. The MySQL/MariaDB programs are well documented on the Internet and with these basic skills you should be able to figure out most of it. Remember, the vast majority of what you read about MySQL will also work in MariaDB and vice-versa.<br />
<li>Explore the MySQL interface in Webmin</li><br />
: Now that you have learned a bit about MySQL databases from the command line let's see how they look in the Webmin web management interface. Log back in to your Webmin interface through a browser on your host system.<br />
:* Because MySQL was not installed when we first setup Webmin you need to "scan for new modules" first. Once that process has finished refresh the page to see that MySQL has been added to the server section of Webmin.<br />
:* Take a look at the Webmin MySQL module and see how MySQL users and permissions are configured.<br />
:* Try browsing through the ''employees'' database using the Webmin interface including viewing tables and records inside of the tables.<br />
<li>Drop database and exit MySQL (MariaDB)</li><br />
:* Go back to your MySQL command line window and run the command "'''DROP DATABASE employees;'''" to delete the entire database.<br />
:* Type "'''exit;'''" to quit the MySQL program and return to a Linux shell.<br />
<br />
:'' NOTE: Obviously, the DROP command is one to be careful with as you can easily wipe out a huge database with one line! <br />
</ol><br />
<br />
==View Logfiles==<br />
<br />
'''''[https://www.youtube.com/watch?v=cxIOQF-eMy0&feature=youtu.be Video Tutorial - Tutorial 5 View Logfiles]'''''<br />
<br />
<ol><br />
: Linux stores most log files in the ''/var/log'' directory so change your working directory to ''/var/log''.<br />
: Some log files are viewable by all users on the system but other log files may be restricted and you will need to use '''sudo''' to view them.<br />
<li>View last 20 lines in '''/var/log/syslog'''</li><br />
:<code>tail -20 /var/log/syslog</code><br />
:[[File:Lab5_tail.png|link=https://wiki.ihitc.net/mediawiki/images/8/88/Lab5_tail.png|500px]]<br />
:[[Media:Lab5_tail.png|Click here for a larger image]]<br />
: Linux log files are typically standard text files and can be read with standard text file utilities like cat or less. One additional utility which comes in handy is the '''tail''' program, which displays the last 10 lines (by default) of a text file and which can be configured to display more or fewer lines using a command like '''tail -20 /var/log/syslog''', which will display the last 20 lines of the main system log file. The manual page for the '''tail''' command contains additional information like how to use the ''-f'' option to view a log in realtime (exit with Ctrl-C).<br />
<li>Save the tail output to a file</li><br />
: Often we may want to save the output from a '''tail''' command to share with others or document an issue. This can easily be done using redirection we learned in a previous lab. Experiment with how to save some tail commands. Keep in mind you may need to escalate privileges for some files to be redirected. Try the following:<br />
: <code>sudo tail -20 /var/log/syslog > logtail.txt</code><br />
<li>Explore some other log files</li><br />
: Take a look at some of the log files on your system and see what kinds of information they contain. Specifically, you should probably look at ''syslog'', ''auth.log'', ''kern.log'', ''apache2/access.log'', and ''apache2/error.log''. <br />
:* Use the tail command to explore these logs<br />
: In order to prevent log files from completely filling your drive old log files are eventually rotated on the system and compressed and then finally deleted. Take a look at some of the rotated log files like ''/var/log/syslog.1'' or ''/var/log/kern.log.1'' which will contain slightly older log entries.<br />
:'' Note: After the first rotated file other files are usually compressed with gzip. You can decompress and view these on the fly using the '''zcat''' program.<br />
</ol><br />
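Because older entries move into rotated files such as ''auth.log.1'' and gzip-compressed ''auth.log.2.gz'', looking only at the current file can hide most of a pattern. The script below is an added example, not part of the original lab: it reads a log and all of its numbered rotations oldest first, using '''zcat''' for the compressed ones, and goes one step beyond the lab by tallying failed SSH password attempts per source address. The function names and the sample log lines (written to a temporary directory) are constructed for illustration.

```shell
#!/bin/sh
# Added example: read a log file together with its rotated copies and tally
# failed SSH logins across the whole history.
# Assumed rotation naming: auth.log (newest), auth.log.1, auth.log.2.gz, ...

# read_log_history BASE
#   Prints every numbered rotation of BASE, oldest first, then BASE itself.
#   Compressed rotations (*.gz) are decompressed on the fly with zcat.
read_log_history() {
    base=$1
    for f in "$base".*; do
        [ -f "$f" ] || continue                     # unmatched glob or not a regular file
        suffix=${f#"$base".}                        # "1", "2.gz", "bak", ...
        n=${suffix%.gz}
        case $n in ''|*[!0-9]*) continue ;; esac    # keep numbered rotations only
        printf '%s\t%s\n' "$n" "$f"
    done | sort -rn | cut -f2- | while IFS= read -r f; do
        case $f in
            *.gz) zcat "$f" ;;
            *)    cat "$f" ;;
        esac
    done
    if [ -f "$base" ]; then cat "$base"; fi
}

# failed_logins_by_source BASE
#   Prints "<count> <IPv4 address>" for sshd "Failed password" lines,
#   highest count first, counted over the current file and all rotations.
failed_logins_by_source() {
    read_log_history "$1" |
        sed -n 's/.*sshd\[[0-9]*]: Failed password for .* from \([0-9.][0-9.]*\) port .*/\1/p' |
        awk '{ c[$0]++ } END { for (ip in c) print c[ip], ip }' |
        sort -k1,1nr -k2,2
}

# make_sample_logs DIR
#   Writes constructed sample data: auth.log, auth.log.1 and auth.log.2.gz.
#   Addresses come from the ranges reserved for documentation.
make_sample_logs() {
    gzip -c > "$1/auth.log.2.gz" <<'EOF'
Apr 23 02:10:01 lab sshd[801]: Failed password for root from 192.0.2.10 port 40001 ssh2
Apr 23 02:10:05 lab sshd[801]: Failed password for root from 192.0.2.10 port 40002 ssh2
EOF
    cat > "$1/auth.log.1" <<'EOF'
Apr 24 09:00:00 lab sshd[910]: Accepted password for student from 198.51.100.7 port 50000 ssh2
Apr 24 23:59:58 lab sshd[915]: Failed password for invalid user admin from 192.0.2.10 port 40003 ssh2
EOF
    cat > "$1/auth.log" <<'EOF'
Apr 25 00:00:03 lab sshd[990]: Failed password for invalid user admin from 192.0.2.10 port 40004 ssh2
Apr 25 08:15:00 lab sshd[1001]: Failed password for student from 198.51.100.7 port 50010 ssh2
EOF
}

# Demonstration on the constructed logs.
demo_dir=$(mktemp -d)
make_sample_logs "$demo_dir"
failed_logins_by_source "$demo_dir/auth.log"
rm -rf "$demo_dir"
```

On a real system ''auth.log'' is usually restricted, so the functions need to run in a root shell (for example one started with <code>sudo sh</code>) to read it.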
==Checking Your Work==<br />
<ol><br />
<li>Ping your assigned IP for your pod</li><br />
<ul>Your ping should return a response.</ul><br />
<li>Open a browser on your own PC and navigate to your IP address.</li><br />
<ul>Your custom link page should appear in your browser window.</ul><br />
<li>Check your home directory for the logtail.txt file you created.</li><br />
<ul>The logtail.txt file should be in your home directory.</ul><br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_05_test.py | python3<br />
</nowiki></code><br />
</ol><br />
<br><br><br />
You can check your progress on any of the labs in the ITC-2480 course using a webapp at this link: <br><br />
[http://webcheck.itc2480.campus.ihitc.net webcheck.itc2480.campus.ihitc.net]<br><br />
You must be logged into the campus VPN to use this application.</div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_4_mnjk&diff=9610Lab 4 mnjk2021-04-16T22:35:16Z<p>NateHaleen: /* Checking your Work */</p>
<hr />
<div>=Introduction=<br />
Linux is a very text file-oriented operating system. As we've learned, most of the settings for the operating system are held in text files in the /etc directory and most of the commands that are used to manipulate the system take text input or give text output. Because of this it's very important to be able to edit and manipulate text on the system, which will be a key focus of this lab. In addition, we'll practice creating compressed files, which is useful for backing up files, and creating links between locations on the system.<br />
<br />
In this lab you will perform the following tasks:<br />
* Edit text files using nano and vi<br />
* Learn how to manipulate command output<br />
* Search for files<br />
* Archive and Compress files using tar<br />
* Create links between directories<br />
<br />
You will be introduced to the following commands:<br />
*'''[https://linux.die.net/man/1/vi vi]'''<br />
*'''[https://linux.die.net/man/1/nano nano]'''<br />
*'''[https://linux.die.net/man/1/less less]'''<br />
*'''[https://linux.die.net/man/1/find find]'''<br />
*'''[https://linux.die.net/man/1/locate locate]'''<br />
*'''[https://linux.die.net/man/8/updatedb updatedb]'''<br />
*'''[https://linux.die.net/man/1/ln ln]'''<br />
<br />
=Lab Procedure=<br />
==Prerequisites==<br />
Open an SSH console to your Linux system using the PuTTY software, login with your standard user account<br />
<br />
==Text File Editing==<br />
'''''[https://www.youtube.com/watch?v=LnVsTA8_mQo Video Tutorial - Text File Editing]'''''<br />
<ol><br />
<li> Change to the ''/var/www/html'' directory which is where the Apache webserver stores its site files by default.</li><br />
<ul> Verify you can see an ''index.html'' file inside of this directory by listing the contents of the directory. Note who the ''owner'' and ''group owner'' of the file are.</ul><br />
<li> Open up a web browser on your host computer and verify that you can browse to the IP address of your Linux system and still see the "It works" page that you saw in [[Franske ITC-2480 Lab 2#Install the Apache 2 Webserver|lab 2]] after installing Apache.</li><br />
<ul> Before we start making any changes it's a good idea to save an unmodified copy of the file you'll be working on so make a copy of the ''index.html'' file and name the copy ''index.html.orig'' so that you can always copy it back if you make a mistake.</ul><br />
<ul> There are many different text editors available for Linux but systems almost always include some version of '''vi''' or '''nano''' so those are the two we'll focus on.</ul><br />
<li> In your ssh window open the ''index.html'' file in nano.</li><br />
<ul>NOTE: Because your user does not own this file you may need to edit the file as the superuser.</ul><br />
<code>nano index.html</code><br />
<ul>[[File:nano_index_html.png|link=https://wiki.ihitc.net/mediawiki/images/d/d3/Nano_index_html.png|250px]]</ul><br />
<ul>[[Media:nano_index_html.png|Click for Larger Image]]</ul><br />
<li> Try navigating around the file with your arrow keys and changing the "Apache2 Debian Default Page" text at the top of the page to "Welcome to My Linux Webserver"</li><br />
<ul> Basic instructions for using nano abound on the Internet. You can get a basic introduction [http://staffwww.fullcoll.edu/sedwards/Nano/IntroToNano.html here] but it basically comes down to the menu lines at the bottom of the screen showing what your options are. The ^ character is commonly used to indicate the CTRL key so to exit the program (you will be prompted to save changes if you have made any) press CTRL-X or to save without exiting press CTRL-O and follow the prompts at the bottom of the screen.</ul><br />
<li> Save your file with the changed text and then reload the page in your browser on your host system to see if the changes have taken effect.</li><br />
<ul> Experiment with some of the nano menu options such as cutting and "un-cutting" lines of text and searching/replacing text. Once you are comfortable with the nano editor save your changes and exit.</ul><br />
<ul> Make a note of which user and group owns your ''index.html'' file.</ul><br />
<li> Delete your ''index.html'' file and copy your ''index.html.orig'' file back to ''index.html''</li><br />
<ul> Try loading the website again and see if it's back to the original text. If you encounter an error it's possible that your ''index.html'' file is not readable by the webserver account so you should use the appropriate command to set the ''index.html'' file back to the owner and group of the original file.</ul><br />
<li> Now open the ''index.html'' file in vi</li><br />
<code> vi index.html</code><br />
<ul>[[File:vi_index_html.png|link=https://wiki.ihitc.net/mediawiki/images/f/fd/Vi_index_html.png|250px]]</ul><br />
<ul>[[Media:vi_index_html.png| Click for Larger Image]]</ul><br />
<ul> The vi editor is probably considered more powerful than nano but is less user friendly without the menu at the bottom and a COMMAND mode as well as an INSERT mode. In the COMMAND mode you cannot directly change the text of the file by typing which can be frustrating to new users. Read through the vi tutorial [http://www.washington.edu/computing/unix/vi.html here] and try making some edits to your webpage. Once you are familiar with how the vi editor works save your file and exit.</ul><br />
</ol><br />
<br />
==Command Output Manipulation==<br />
'''''[https://www.youtube.com/watch?v=dgC1r0rXTpA Video Tutorial - Command Output Manipulation]'''''<br />
<ol><br />
<li> Change back to your home directory.</li><br />
<code> cd ~</code><br />
<li> Print out the files in your home directory.</li><br />
<code> ls -al</code><br />
<li> Now, run '''ls -al''' but redirect the output to a file using ''> filename''.</li><br />
<code> ls -al > listfiles.txt</code><br />
<ul> Notice how there is no command output. This is normal as you redirected the command output to the file ''listfiles.txt''</ul><br />
<li> Verify the contents of ''listfiles.txt''</li><br />
<code> cat listfiles.txt</code><br />
<ul>[[File:cat_listfiles_txt.png|link=https://wiki.ihitc.net/mediawiki/images/e/e1/Cat_listfiles_txt.png|250px]]</ul><br />
<ul>[[Media:cat_listfiles_txt.png|Click for Larger Image]]</ul><br />
<ul> Notice how it contains the exact same output as running '''ls -al''' on the command line.</ul><br />
<li> Now, run:</li><br />
<code>ls -al /var/log</code> <br />
<ul>Notice how many files there are in the ''/var/log'' directory. Let's say we wanted to just know the information of the ''debug'' log files. For this, we would use a pipe and the grep command.</ul><br />
<li> So, now run:</li><br />
<code> ls -al /var/log | grep debug</code><br />
<ul>[[File:var_log_grep_debug.png|link=https://wiki.ihitc.net/mediawiki/images/7/74/Var_log_grep_debug.png|250px]]</ul><br />
<ul>[[Media:var_log_grep_debug.png|Click for Larger Image]]</ul><br />
<ul>Notice how the output is limited to all files that contain the string ''debug''.</ul><br />
<ul> TIP: Grep is very powerful. Here we're just using it to search for a string but you can use it to search regular expressions as well. We mentioned these in a previous lab too. You can learn more about regular expressions at [https://regexone.com RegexOne] and [https://www.regular-expressions.info Regular-Expressions.info] among many other places. These are frequently used in system administration and programming so it's worth your while to get at least a basic understanding of them.</ul><br />
<ul> What's nice about pipes and redirects is that they can be used back to back on a command line, creating a chain of programs which accept data as standard input and output it to the next program as standard output.</ul><br />
<li> So let's say we have a scenario where we want to get a file that contains all of the information from all ''.gz'' files in ''/var/log''. To do this, we would run:</li><br />
<code> ls -al /var/log | grep .gz > gzlogfiles.txt</code><br />
<li> Now pipe the file into '''less'''</li><br />
<code>cat gzlogfiles.txt | less</code><br />
<ul> NOTE: Remember that you are now viewing the file in the less program and will need to quit the program to return to a command line. Type the letter "q" to quit the less program.</ul><br />
<ul> In this case the piped '''cat''' command is the exact same as running '''less gzlogfiles.txt''' however there are many times where you need to connect two programs together with pipes in order to accomplish something which is otherwise not possible. Also, standard output can be non-text data as well. For example, it's possible to use pipes to pass audio data between programs such as one that scans a WAV file and adjusts the volume before piping it to an MP3 compression utility which saves the result as an MP3 file.</ul><br />
<li> See if you can figure out how to view the output of '''ls -al /var/log | grep .gz''' one page at a time without dumping it to a text file first.</li><br />
<li> Now remove the files ''gzlogfiles.txt'' and ''listfiles.txt'' that were created from this part of the lab.</li><br />
</ol><br />
<br />
==Searching for Files in Linux==<br />
'''''[https://www.youtube.com/watch?v=WSd6fq-jDyE Video Tutorial - Searching for Files in Linux]'''''<br><br />
There are several ways to search for files on a Linux system. The simplest is to use the '''find''' command which searches through the system directory by directory for files which match your search string. You can specify many options for the find command which do things such as restrict to searching in one particular directory and its sub-directories, etc.<br />
<ol><br />
<li> Try searching your entire drive for files with syslog in the name.</li><br />
<code> find / -name syslog 2> /dev/null</code><br />
<ul>[[File:find_syslog.png|link=https://wiki.ihitc.net/mediawiki/images/9/96/Find_syslog.png|250px]]</ul><br />
<ul>[[Media:find_syslog.png|Click for Larger Image]]</ul><br />
<ul> Notice the ''2> /dev/null'' on the end of the command. This redirects error messages (''2>'' redirects stderr, ''>'' redirects stdout as discussed above) to ''/dev/null'', a special file which simply discards anything written to it. The reason we're redirecting the error messages is that there are a number of files or directories which you may not have permission to access. Each attempt to access these by the '''find''' program would create an error message (so lots of errors). We're basically telling the system to hide these error messages from us.</ul><br />
<ul> You should see some files identified which contain the name ''syslog''. The problem is that the find command is very slow at moving through all the files on the system. In fact it may even appear to be frozen while searching slowly through the drive. If you have waited a while and are still not getting back to a command prompt you can press CTRL-C to force the find program to quit and return to a command prompt. This means the find program works just fine for searching through a few directories/files (such as your home directory might contain) but is not the best choice for searching the entire system. If you want to learn more about advanced uses of the find command take a look at [http://content.hccfl.edu/pollock/unix/findcmd.htm this tutorial].</ul><br />
<li> A faster way to search the entire system is to use the ''locate'' command. Install the '''locate''' program</li><br />
<ul>This command searches a pre-built database of all files on the system which means it operates much faster than searching through files one at a time. There are two downsides to locate. First, it may not be pre-installed on many Linux systems so you may have to install it. Second, you need to build or update the database before you can search for files. New files are not automatically updated to the database so this only really works if you periodically remember to update the database. We'll explain how you can schedule that automatically in the future (hint, see the '''cron''' program).</ul><br />
<code> sudo apt-get install locate</code><br />
<li> Create an updated database of files on your system</li><br />
<code>sudo updatedb</code><br />
<ul>Note, it will take a while for this program to find and index all the files on your system so give it a while to run. The advantage is that after you do this you can search the database for many different files very quickly instead of waiting for each search as with the find command. We need to run the '''updatedb''' program as an administrator so that it can search through all locations on the system, including ones your user does not normally have access to.</ul><br />
<ul> Note: Programs that may need to run for a long time and do not require user input (like '''updatedb''') can be run in the background by placing an ampersand at the end of the command line like '''sudo updatedb&'''. This will immediately return you to a command prompt so you can continue to work on other things while the command finishes running.</ul><br />
<li> Search for files with ''syslog'' in the name again but now using the command ''locate''</li><br />
<code> locate syslog</code> <br />
<ul>[[File:locate_syslog.png|link=https://wiki.ihitc.net/mediawiki/images/1/17/Locate_syslog.png|250px]]</ul><br />
<ul>[[Media:locate_syslog.png|Click for Larger Image]]</ul><br />
<ul> You should see many files found with this name and it should happen quickly, much faster than with the find command.</ul><br />
</ol><br />
<br />
==Creating Archived/Compressed Files==<br />
'''''[https://www.youtube.com/watch?v=iBsHKvNP88E Video Tutorial - Creating Archived Compressed Files]'''''<br><br />
If you get stuck or have any problems understanding why '''tar''' is functioning in a certain way you can find a number of introductory tutorials [http://www.thegeekstuff.com/2010/04/unix-tar-command-examples/ like this one] about using '''tar''' on the Internet by [https://www.google.com/#q=tar+tutorial searching for them].<br />
<ol><br />
<li> Create a new directory ''experiments'' in your home directory.</li><br />
<li> Create a GZipped TAR file of everything in your system log directory called ''logbackup1.tar.gz'' and save it to the ''experiments'' directory in your home directory by first changing your working directory to ''/var/log'' and then using the command:</li><br><br />
<code>tar -czvf ~/experiments/logbackup1.tar.gz *</code> <br />
<ul> Note that you will need to use root privileges to create all of the log backups in this section of the lab because some log files can not be read by a standard user.</ul><br />
<ul> Note the asterisk (*) which is used to select all files in the current directory for inclusion in the TAR file. This is a type of wildcard character.</ul><br />
<li> Change your working directory to the ''experiments'' directory in your home directory.</li><br />
<li> Try extracting the files into your ''experiments'' directory, show a list of files as they are extracted (''verbose'')</li><br />
<ul> Check the contents of your ''experiments'' directory. What happened? What kind of mess could this make when you extract a TAR file when it was created this way?</ul><br />
<li> Delete all files and subdirectories from inside the ''experiments'' directory.</li><br />
<li> Try again to create a GZipped TAR file of everything in your system log directory called ''logbackup2.tar.gz'' and save it to the ''experiments'' directory in your home directory, this time by running the command from inside the ''experiments'' directory.</li><br />
<code> tar -czvf logbackup2.tar.gz /var/log</code><br />
<ul> Note that you will need to use root privileges to create all of the log backups in this section of the lab because some log files can not be read by a standard user.</ul><br />
<ul> Note the lack of a slash at the end of the directory we are putting into the TAR file. In some older versions of TAR putting a slash on the end meant to put the files from that directory into the file but not the directory itself (just like when we created logbackup1.tar.gz with the asterisk wildcard). By leaving the slash off the end we are telling TAR to put the log directory,as well as it's contents, into the TAR file so that when we extract it we will get a log directory made with the files going into it. Even though new versions of TAR automatically prevent you from creating TAR files without a directory path it is still best practice to make sure that you are including a directory as part of the TAR file.</ul><br />
<li> Try extracting the files into your ''experiments'' directory, show a list of files as they are extracted (''verbose'')</li><br />
<li> Check the contents of your ''experiments'' directory.</li><br />
<ul> What happened? If you extracted a tar file made this way you could potentially end up with several more levels of directories than you really want. In this case we got an extra var directory inside of experiments, but if we were archiving something with a deeper path we would have even more extra subdirectories. You can actually see this during the tar file creation: if you had verbose output enabled you saw that all the files being added to the tar had var/log/ in front of the filename. There are at least two ways to handle this which we will look at.</ul><br />
<li> Delete all files and subdirectories from inside the ''experiments'' directory.</li><br />
<ul> If we are creating the TAR file manually we can avoid these extra parts to the path by paying attention to what directory we are in when we create the TAR file.</ul><br />
<li> This time change your working directory to ''/var'' first and then run the command.</li><br />
<code> tar -czvf ~/experiments/logbackup3.tar.gz log</code><br />
<ul> Note the different output from the tar command. This time the filenames are prefixed only by ''log/''.</ul><br />
<li> Switch back to your ''experiments'' directory and then try extracting the files from ''logbackup3.tar.gz'' into your experiments directory. Do not show a list of files as they are extracted this time.</li><br />
<ul> Check the contents of your experiments directory. This time you should see that there is just one new subdirectory called log and all of the files are neatly placed inside of it. This is the type of extraction people normally want and expect from a tar file that is distributed.</ul><br />
<li> Empty your ''experiments'' directory</li><br />
<li> If you want to have the same effect without changing your working directory that is possible too. Try running the command below.</li><br />
<code>tar -czvf ~/experiments/logbackup4.tar.gz -C /var log</code> <br />
<ul>This time it doesn't make any difference which directory on the system you are in because we have again specified a full path for where to save the tar file and we have also told tar to change to the ''/var'' directory before adding the log directory to the file using the -C argument. This automates the process of manually changing directories like we did above.</ul><br />
<li> Switch back to your ''experiments'' directory and then try extracting the files from ''logbackup4.tar.gz'' into your experiments directory. Do not show a list of files as they are extracted this time.</li><br />
<ul> Check the contents of your experiments directory. This time you should again see that there is just one new subdirectory called ''log'' and all of the files are neatly placed inside of it.</ul><br />
<ul> There are a number of other things you can do with '''tar''' such as creating slower but more highly compressed .bz2 bzip files, extracting single files (or directories or groups of files) from an archive, listing the contents of an archive without extracting (which can show you if a new subdirectory will be created), adding files to an existing archive, and preserving file ownership (only by extracting on the same system though) and permissions. You should read the manual page for tar and then try practicing some of these and be familiar with the many ways that '''tar''' can be used.</ul><br />
</ol><br />
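The four archive layouts from this section, rebuilt over a constructed log tree in a temporary directory so the member names can be compared with '''tar -t''' before anything is extracted. This is an added example, not part of the original lab; the function names and sample files are assumptions, and a temporary directory stands in for ''/'' so no root privileges are needed.<br />

```shell
#!/bin/sh
# Added example: every file below is constructed, and "$root" stands in for /
# so the archives can be built without root privileges or real logs.

# Build a small fake var/log tree under <root> and write the lab's four
# archive layouts into <out>. Both arguments must be absolute paths.
build_archives() {
    root=$1; out=$2
    mkdir -p "$root/var/log/apt" "$out"
    echo "constructed syslog line" > "$root/var/log/syslog"
    echo "constructed auth line"   > "$root/var/log/auth.log"
    echo "constructed apt history" > "$root/var/log/apt/history.log"
    # logbackup1: created inside the log directory with the * wildcard
    (cd "$root/var/log" && tar -czf "$out/logbackup1.tar.gz" *)
    # logbackup2: stand-in for "tar -czvf logbackup2.tar.gz /var/log";
    # tar stores those members as var/log/..., reproduced here from <root>
    (cd "$root" && tar -czf "$out/logbackup2.tar.gz" var/log)
    # logbackup3: created from the parent directory of log
    (cd "$root/var" && tar -czf "$out/logbackup3.tar.gz" log)
    # logbackup4: same member names as logbackup3, using -C instead of cd
    tar -czf "$out/logbackup4.tar.gz" -C "$root/var" log
}

# List the distinct top-level names an archive creates when extracted.
# -t only reads the member list, so nothing is written to disk.
tar_top_level() {
    tar -tzf "$1" | sed -e 's|^\./||' -e 's|/.*||' | grep -v '^$' | sort -u
}

# Succeed only if every member sits under one single directory.
tar_is_contained() {
    [ "$(tar_top_level "$1" | wc -l | tr -d ' ')" = "1" ] &&
        tar -tzf "$1" | sed 's|^\./||' | grep -q '/'
}

# Print one summary line per archive.
demo() {
    work=$(mktemp -d) || return 1
    build_archives "$work/root" "$work/out"
    for n in 1 2 3 4; do
        a="$work/out/logbackup$n.tar.gz"
        if tar_is_contained "$a"; then kind="single directory"; else kind="loose entries"; fi
        printf 'logbackup%s.tar.gz: %s: %s\n' "$n" "$kind" "$(tar_top_level "$a" | tr '\n' ' ')"
    done
    rm -rf "$work"
}
demo
```

Running the same listing against an archive received from someone else shows whether it will unpack into one directory or scatter files across the current one.<br />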
<br />
==Working With Filesystem Links==<br />
'''''[https://www.youtube.com/watch?v=vBorZKMmvIk Video Tutorial - Working With Filesystem Links]'''''<br><br />
If you get stuck or have any problems understanding how links are functioning in a certain way you can find a number of introductory tutorials [http://www.nixtutor.com/freebsd/understanding-symbolic-links/ like this one] or [http://www.thegeekstuff.com/2010/10/linux-ln-command-examples/ more advanced tutorials] on the Internet by searching for them.<br />
<ol><br />
<li> Use root privileges to create a new directory inside the ''var'' directory called ''system-documentation'' and change the ownership permissions so that your standard user has permission to read, write, and execute as a member of a group which owns the documentation directory. You will also need to make sure that all system users have execute permission for the parent directory (''/var'') in order to access anything in it including the ''system-documentation'' directory.</li><br />
<ul> Instead of needing to go into the ''/var/system-documentation'' directory all the time it would be more convenient if your user was able to reach that directory through a link in their own home directory.</ul><br />
<li> Run the command below inside your regular user's home directory</li><br />
<code>ln -s /var/system-documentation documentation</code> <br />
<ul>[[File:ln_documentation.png|link=https://wiki.ihitc.net/mediawiki/images/9/97/Ln_documentation.png|250px]]</ul><br />
<ul>[[Media:ln_documentation.png|Click for Larger Image]]</ul><br />
<ul>Or if you're in a different working directory you can run the command as '''ln -s /var/system-documentation ~/documentation''' Do you understand why?</ul><br />
<ul> You should now see a soft link (also called symlink) in your home directory called documentation which points to the ''/var/system-documentation'' folder.</ul><br />
<li> '''cd''' into the link just like it was a real directory.</li><br />
<ul> If you use the '''pwd''' command to print your working directory while inside the link it will look like it's a directory. Almost all software on the system will interact with the link just as if it's a real directory.</ul><br />
<li> Try creating some files and subdirectories inside of the link and then verify they are showing up in the real ''/var/system-documentation'' location as well. This should work correctly if your permissions are all set correctly.</li><br />
<li> Remove the link</li><br />
<code>rm ~/documentation</code><br />
<ul> You should see that all of the files you created are still in ''/var/system-documentation''</ul><br />
<ul> If you re-create the link you should be able to go back into ''~/documentation'' and remove files and directories and see they are removed from the actual ''/var/system-documentation'' directory as well</ul><br />
<ul> You can also practice creating links to specific files as well as directories. Links do not override permissions so you need to have permission to read, write or execute the file or directory you are linking to just like if you actually changed to the real location of the item. Go ahead and practice creating and removing links until you have a good understanding of how links can be used.</ul><br />
</ol><br />
Note: If you are using '''tar''' to back up data, depending on exactly what you want to do you may want to use the ''-h'' or ''--dereference'' option, which will follow the symlink and back up the data it contains. Normal behavior for tar is to back up just the link itself, not the file(s) pointed to by the link. If you are not confident that you understand this, try creating some tar files of directories which contain symlinks, deleting the data the symlink points to and then extracting the tar file to some new location to see this in action.<br />
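The experiment suggested in the note above, as a runnable sketch that is added here and is not part of the original lab: the same directory is archived with and without ''-h'', the link target is deleted, and both archives are restored. All paths, file contents and function names are constructed for the example.<br />

```shell
#!/bin/sh
# Added example: all paths are constructed inside a temporary directory.

# Archive a directory containing a symlink, with and without -h, then delete
# the link's target and extract both archives. <work> must be an absolute path.
symlink_backup_demo() {
    work=$1
    mkdir -p "$work/system-documentation" "$work/home" \
             "$work/restore-link" "$work/restore-deref"
    echo "constructed note" > "$work/system-documentation/readme.txt"
    ln -s "$work/system-documentation" "$work/home/documentation"
    # Default behaviour: the archive stores the link itself
    tar -czf "$work/link.tar.gz" -C "$work" home
    # -h (--dereference): the archive stores the data the link points to
    tar -czhf "$work/deref.tar.gz" -C "$work" home
    # Simulate losing the original data, then restore from each archive
    rm -r "$work/system-documentation"
    tar -xzf "$work/link.tar.gz" -C "$work/restore-link"
    tar -xzf "$work/deref.tar.gz" -C "$work/restore-deref"
}

# Count the symlink members in an archive; in a verbose listing (-tv) the
# mode column of a symlink starts with "l".
archive_link_count() {
    tar -tvzf "$1" | awk '/^l/ { n++ } END { print n + 0 }'
}

# Classify a restored path: dangling-link, link, directory, file or missing.
path_kind() {
    if [ -L "$1" ]; then
        if [ -e "$1" ]; then echo link; else echo dangling-link; fi
    elif [ -d "$1" ]; then echo directory
    elif [ -f "$1" ]; then echo file
    else echo missing
    fi
}

# Run the experiment and print what each restore produced.
demo() {
    tmp=$(mktemp -d) || return 1
    symlink_backup_demo "$tmp"
    printf 'without -h: %s symlink member(s), restored as %s\n' \
        "$(archive_link_count "$tmp/link.tar.gz")" \
        "$(path_kind "$tmp/restore-link/home/documentation")"
    printf 'with -h:    %s symlink member(s), restored as %s\n' \
        "$(archive_link_count "$tmp/deref.tar.gz")" \
        "$(path_kind "$tmp/restore-deref/home/documentation")"
    rm -rf "$tmp"
}
demo
```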
<br />
=Checking your Work=<br />
<ol><br />
<li> You should have the following directories and files:</li><br />
# ~/documentation<br />
# ~/experiments<br />
# /var/www/html/index.html<br />
<li> Use the following command to see if locate is installed:</li><br />
<code> dpkg -s locate</code><br />
<br />
<br><br><br />
<br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_04_test.py | python3<br />
</nowiki></code><br />
</ol><br />
<br><br><br />
You can check your progress on any of the labs in the ITC-2480 course from a webapp from this link: <br><br />
[http://webcheck.itc2480.campus.ihitc.net webcheck.itc2480.campus.ihitc.net]<br><br />
You must be logged into the campus VPN to use this application.</div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_3_mnjk&diff=9609Lab 3 mnjk2021-04-16T22:33:26Z<p>NateHaleen: /* Checking Your Work */</p>
<hr />
<div>=Introduction=<br />
This lab assumes that you know the IP address of your Linux system and are connected to the ITCnet VPN network. If you need help with these steps please see [[ITC_VPN_Instructions | the VPN instructions]] and [[Lab_1_mnjk#Installing_sudo_and_checking_your_IP_address | Lab 1]].<br />
<br />
In this lab you will perform the following tasks:<br />
*Create a new user account<br />
*Change the ownership and permissions on files and directories<br />
*Install the '''[https://www.webmin.com/ Webmin]''' package.<br />
You will be introduced to the following commands:<br />
*'''[https://www.commandlinux.com/man-page/man8/addgroup.8.html addgroup]'''<br />
*'''[https://linux.die.net/man/1/cat cat]'''<br />
*'''[https://linux.die.net/man/1/more more]'''<br />
*'''[https://linux.die.net/man/1/touch touch]'''<br />
*'''[https://linux.die.net/man/1/chown chown]'''<br />
*'''[https://linux.die.net/man/1/chgrp chgrp]'''<br />
*'''[https://linux.die.net/man/1/dpkg dpkg]'''<br />
<br />
= Lab Procedure =<br />
== Prerequisites ==<br />
<ol><br />
<li> Make sure you have an active connection to the ITCnet either by VPN or by directly connecting to an ITCnet switch on campus</li><br />
<li> Open an SSH console to your Linux system using the PuTTY software, login with your standard user account</li><br />
</ol><br />
<br />
== Creating Users and Groups ==<br />
'''''[https://www.youtube.com/watch?v=q_tYhIVlhCU&feature=youtu.be Video Tutorial - Creating Users and Groups]''''' <br><br />
<ol><br />
<li> Create a new user account '''jsmith''' using the '''adduser''' program</li><br />
<code> adduser jsmith </code><br />
<li> Create a new group '''redteam''' using the '''addgroup''' program</li><br />
<code> addgroup redteam </code> <br />
<li> Add the '''jsmith''' account as well as your own user account to the '''redteam''' group</li><br />
<li> Close your SSH session and open two new SSH sessions</li><br />
: ''NOTE: In order for your user accounts to receive their new group permissions they need to be logged out and logged back in.''<br />
<li> Login as your regular user on one and '''jsmith''' on the other</li><br />
<li> View a list of all the user accounts on your system by looking at the '''/etc/passwd''' file. To output the contents of the '''/etc/passwd''' file you can use the following command:</li><br />
<code>cat /etc/passwd</code><br />
: The /etc/passwd file is a plain text file on your system.<br />
<li> View a list of the password data on your system by viewing the '''/etc/shadow''' file</li><br />
<li> View a list of groups and group members on your system in the '''/etc/group''' file<br />
: ''NOTE: The group list may be longer than one full screen of text (the same is true of the '''/etc/passwd''' or '''/etc/shadow''' file) depending on your screen resolution.''<br />
* To output the contents of the file while pausing after each page of output use the following command:<br />
: <code>more /etc/group</code><br />
* To output the contents of the file while pausing after each page of output and being able to scroll up and down through the output use the following command:<br />
: <code>less /etc/group</code><br />
* Press '''q''' to return to the command line<br />
* It may be helpful to try these commands to display an even longer text file like one of the Shakespeare texts you downloaded in an earlier lab in the '''~/sample-files''' directory. You may have to un-tar the files again first.</li><br />
</ol><br />
<br />
== Practice Filesystem Permissions and Ownership ==<br />
'''''[https://www.youtube.com/watch?v=5-6dRHTbJfM&feature=youtu.be Video Tutorial - Practice Filesystem Permissions and Ownership]''''' <br><br />
''NOTE: Working with file and directory ownership and permissions is tricky and there are many, many possible combinations of users, groups, and permissions which can be assigned to both files and folders. The goal of this section of the lab is to familiarize you with how to use the commands for changing ownership and permissions, not to teach you how to read or understand Linux file permissions (see your readings for this, it is important!). Once you understand how to use the commands you should experiment with setting different owners and permissions on several different files, folders and subfolders until you have a good understanding of how permissions work. The only way to understand these relationships well is to read about it and then try it out. You should be able to set all of these permissions just as regular users (assuming you have access to both of the user accounts); '''you should not need sudo access to change the permissions because one of the two users owns all the files and directories we're working in. You will need sudo access to change the owner of the files because otherwise it would be possible to accidentally lock yourself out of a file.'''''<br />
<br />
''ADDITIONALLY: This table may be helpful:''<br />
: {| class="wikitable"<br />
|+Linux Permissions<br />
!|Octal<br />
!|Binary<br />
!|File Mode<br />
|-<br />
| 0<br />
| 000<br />
| ---<br />
|-<br />
| 1<br />
| 001<br />
| --x<br />
|-<br />
| 2<br />
| 010<br />
| -w-<br />
|-<br />
| 3<br />
| 011<br />
| -wx<br />
|-<br />
| 4<br />
| 100<br />
| r--<br />
|-<br />
| 5<br />
| 101<br />
| r-x<br />
|-<br />
| 6<br />
| 110<br />
| rw-<br />
|-<br />
| 7<br />
| 111<br />
| rwx<br />
|}<br />
''This '''[http://permissions-calculator.org/ permissions calculator]''' may also be helpful.''<br />
<ol><br />
<li> Change to the '''/home''' directory.</li><br />
<li> Check the ownership and permissions on the subdirectories inside of '''/home'''</li><br />
<li> Try to create new files using the '''touch''' command called '''foo''' and '''foo2''' in the '''/home/jsmith''' directory.<br />
*Try as both your regular user and as '''jsmith''' respectively<br />
: <code>touch foo</code><br />
: <code>touch foo2</code></li><br />
<li> Try removing the '''foo''' and/or '''foo2''' files using both your regular user account and '''jsmith'''</li><br />
<li> Use the '''jsmith''' user to create a new directory '''/home/jsmith/redteam/'''</li><br />
<li> Use the '''jsmith''' user to create some files: '''/home/jsmith/redteam/theplan''', '''/home/jsmith/redteam/yours''', '''/home/jsmith/redteam/mine''' and '''/home/jsmith/ours'''</li><br />
<li> In order to find out more about the '''chown''' and '''chgrp''' programs which you'll use to change the owners and groups for files and directories use the following commands to view the built in manual pages:<br />
: <code>man chown</code><br />
: <code>man chgrp</code><br />
: ''NOTE: Almost every command line tool in Linux has a manual page you can view in this way, try accessing a few other man pages for some of the other tools we've been using. You can scroll through the manual pages using the arrow keys and page up/down. To return to the command line press the q key.''</li><br />
<li> Change the permissions on the '''/home/jsmith/redteam/''' directory so that the group '''redteam''' is the group owner of the directory</li><br />
: [[File:Change-ownership-directory.png | link=https://wiki.ihitc.net/mediawiki/images/6/61/Change-ownership-directory.png | 500px]]<br />
: [[media:Change-ownership-directory.png | Click for Larger Image]]<br />
<li> Add write permission for the group to the '''/home/jsmith/redteam/''' directory</li><br />
<li> Change the ownership of the '''yours''' file so that it is owned by your regular user account instead of '''jsmith'''</li><br />
<li> Change the group owner of the '''ours''' file so that it is controlled by the '''redteam''' group</li><br />
<li> Experiment with creating and removing files and subdirectories inside of the '''/home/jsmith/redteam/''' directory as well as listing the contents of directories with various permissions applied to them until you have a good understanding of how permissions work.</li><br />
</ol><br />
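One way to check the outcome of these steps from a script, as an added example that is not part of the original lab: it reads the mode string and group column that '''ls -al''' prints and combines them with the member list from an ''/etc/group''-style file. The temporary directory stands in for ''/home/jsmith/redteam''; the group file line, the user names other than jsmith, and the function names are assumptions.<br />

```shell
#!/bin/sh
# Added example: the group file content is constructed, and the directory is
# a temporary stand-in for /home/jsmith/redteam.

# Succeed if <user> is listed as a member of <group> in a group(5)-format file.
# Assumption: only the member list (field 4) is checked, not primary groups.
in_group() {   # usage: in_group <user> <group> <groupfile>
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }' "$3"
}

# Succeed if <path> is group-owned by <group> and its group write bit is set.
# Reads the same columns "ls -al" prints: mode string (1) and group (4).
group_can_write() {   # usage: group_can_write <path> <group>
    _line=$(ls -ld "$1") || return 2
    _mode=$(printf '%s\n' "$_line" | awk '{print $1}')
    _grp=$(printf '%s\n' "$_line" | awk '{print $4}')
    # Mode string layout: type, rwx (user), rwx (group), rwx (other);
    # character 6 is therefore the group write bit.
    [ "$_grp" = "$2" ] && [ "$(printf '%s' "$_mode" | cut -c6)" = "w" ]
}

# Combine both checks: can <user> write to <path> through <group>?
user_can_write_via_group() {   # usage: <user> <path> <group> <groupfile>
    in_group "$1" "$3" "$4" && group_can_write "$2" "$3"
}

# Show the effect of mode 750 versus 770 for a member and a non-member.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/redteam"
    # Use whichever group owns the new directory as the stand-in for redteam
    team=$(ls -ld "$work/redteam" | awk '{print $4}')
    printf '%s:x:1002:jsmith,student\n' "$team" > "$work/group"   # constructed line
    for mode in 750 770; do
        chmod "$mode" "$work/redteam"
        for user in jsmith guest; do
            if user_can_write_via_group "$user" "$work/redteam" "$team" "$work/group"
            then verdict=yes; else verdict=no; fi
            printf 'mode %s, user %s: write access through group: %s\n' "$mode" "$user" "$verdict"
        done
    done
    rm -rf "$work"
}
demo
```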
<br />
== Install the Webmin Control Panel ==<br />
'''''[https://www.youtube.com/watch?v=tfthl4jH-jg&feature=youtu.be Video Tutorial - Install the Webmin Control Panel]''''' <br><br />
<ol><br />
<li> Use the '''links''' browser to download the '''DEB''' package file from '''[https://www.webmin.com www.webmin.com]'''</li><br />
: ''NOTE: Because this DEB file was downloaded directly instead of automatically by APT from a package repository the installation command is slightly different and some other commands such as '''apt show''' will not work.''<br />
<li>Install the package with '''apt install'''<br />
<code>apt install ./<filename.deb></code><br />
: ''Don't forget that installation of software must be done with system administrator permissions.''</li><br />
:[[File:Apt-install-webmin.png | link= https://wiki.ihitc.net/mediawiki/images/f/f8/Apt-install-webmin.png | 500px]]<br />
:[[Media:Apt-install-webmin.png | Click for Larger Image]]<br />
: ''NOTE: You can get similar information to what you can get with '''apt show''' from a '''DEB''' package file using the following command:''<br />
: <code>dpkg -I <filename></code><br />
<li> Notice the additional packages which are required by Webmin (dependencies) which will be downloaded and installed by '''apt''' from a repository in order to complete the installation.</li><br />
<li> Open a web browser on your host system and visit https://xxx.xxx.xxx.xxx:10000 where your IP replaces xxx.xxx.xxx.xxx</li><br />
<li> Login using your Debian username and password </li><br />
<li> Explore the Webmin interface<br />
:[[file:Webmin-dashboard.png | link= https://wiki.ihitc.net/mediawiki/images/0/0f/Webmin-dashboard.png | 500px]]<br />
:[[media:Webmin-dashboard.png | Click for Larger Image]]</li><br />
</ol><br />
<br />
= Checking Your Work =<br />
<ol><br />
<li> Run the following command:<br />
<br><br />
<code> ls -al /home/jsmith/redteam </code><br />
* Verify the following files are present:<br />
*: '''/theplan'''<br />
*: '''/yours'''<br />
*: '''/mine'''<br />
*: '''/ours'''<br />
* Verify the '''redteam''' group owns the '''/ours''' file.</li><br />
<li>Run the following command:<br />
<br><br />
<code> ls -al /home/jsmith </code><br />
* Verify the '''redteam''' group owns the '''/redteam''' directory and has write permission on it.</li><br />
<br><br><br />
<li> Automatically check your results by running this command:</li><br />
<br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_03_test.py | python3<br />
</nowiki></code></ol><br />
<br><br><br />
You can check your progress on any of the labs in the ITC-2480 course from a webapp from this link: <br><br />
[http://webcheck.itc2480.campus.ihitc.net webcheck.itc2480.campus.ihitc.net]<br><br />
You must be logged into the campus VPN to use this application.</div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_2_mnjk&diff=9608Lab 2 mnjk2021-04-16T22:32:41Z<p>NateHaleen: /* Checking Your Work */</p>
<hr />
<div>=Introduction=<br />
In this lab you will perform the following tasks:<br />
*Installing the ''links'' web browser<br />
*Downloading a compressed file<br />
*Creating a directory<br />
*Copying and moving files<br />
*Extracting a .tar.gz "tarball" file<br />
*Removing files and directories<br />
*Installing the [https://httpd.apache.org/ Apache] webserver<br />
*Installing [https://www.python.org/ Python] and its dependencies<br />
<br />
This lab assumes that you know the IP address of your Linux system and are connected to the ITCnet VPN network. If you need help with these steps please see [[ITC_VPN_Instructions | the VPN instructions]] and [[Lab_1_mnjk#Installing_sudo_and_checking_your_IP_address | the previous lab]].<br />
<br />
You will be introduced to the following commands:<br />
*'''[https://linux.die.net/man/1/ls ls]'''<br />
*'''[https://linux.die.net/man/1/cd cd]'''<br />
*'''[https://linux.die.net/man/1/cp cp]'''<br />
*'''[http://linux.die.net/man/1/mv mv]'''<br />
*'''[https://linux.die.net/man/1/man man]'''<br />
*'''[http://linux.die.net/man/1/links links]'''<br />
*'''[http://linux.die.net/man/1/mkdir mkdir]'''<br />
*'''[http://linux.die.net/man/1/pwd pwd]'''<br />
*'''[http://linux.die.net/man/1/rm rm]'''<br />
*'''[http://linux.die.net/man/1/rmdir rmdir]'''<br />
*'''[http://linux.die.net/man/1/tar tar]'''<br />
<br />
=Lab Procedure=<br />
==Preliminaries==<br />
# Ensure your VM is powered on in Netlab<br />
#:''NOTE: you should have shut it down at the end of the last lab, but you will leave it on from now on.''<br />
#:''NOTE: you will need to make a reservation in Netlab to power on your VM.''<br />
# Make sure you have the current IP address of your Linux system<br />
#: If your Linux VM has been powered off for some time since you checked the IP address in a previous lab you may have received a new IP address, so be sure to check your IP address again and use that IP address in this lab. <br />
# Open an SSH console to your Linux system using the [https://www.putty.org/ PuTTY] software<br />
#: [[File:Lab2_putty.png |link=https://wiki.ihitc.net/mediawiki/images/6/6f/Lab2_putty.png|500px]]<br />
#: [[Media:Lab2_putty.png | Click for larger image]]<br />
# Log in with your standard user account<br />
#: From this point on we will be working only through an SSH connection to the server so unless you have a problem with network access to your VM, or you need to power it on again you should not need to make Netlab reservations or use the Netlab interface for quite some time.<br />
<br />
==Install the Links Web Browser Package==<br />
'''''[https://www.youtube.com/watch?v=2Ikzy23WuqQ&feature=youtu.be Video Tutorial - Installing the Links Web Browser]'''''<br />
<ol><br />
<li> Update your package lists using the following command:</li><br />
<code>sudo apt update</code><br />
: Because software installation and updates need to be done as an administrator we need to put '''sudo''' in front of these commands. You will likely need to enter your password again unless you've recently used sudo for something else and your session has not timed out yet.<br />
<li> Search for a description of the ''links'' package using the following '''apt''' command to search for packages with links in the package name.</li><br />
<code> apt search --names-only links</code><br />
<ul> ''TIP: You could further restrict your search using regular expressions instead of just searching for "links" such as '''apt search --names-only ^links''' which will only search for packages that ''start'' with the word links. You can learn more about regular expressions at [https://regexone.com RegexOne] and [https://www.regular-expressions.info Regular-Expressions.info] among many other places. These are frequently used in system administration and programming so it's worth your while to get at least a basic understanding of them.''</ul><br />
<ul> ''TIP: You can also expand your search to include searching the full package descriptions instead of just the names like '''apt search links''' which returns many more results.''</ul><br />
<li> Check the details of the ''links'' software package using the following command: </li><br />
<code>apt show links</code><br />
<li> Install the ''links'' web browser package using the following '''apt''' command: </li><br />
<code>sudo apt install links</code><br />
<li> Run the links program using the following command:</li><br />
<code>links</code><br />
<ul> [[File:Links.png|link=https://wiki.ihitc.net/mediawiki/images/6/6e/Links.png|500px]]</ul><br />
<ul> [[Media:Links.png | Click for Larger Image]]</ul><br />
<li> Try browsing to a website such as ''www.google.com'' or ''www.debian.org''. </li><br />
<ul> ''Hint: Pressing CTRL-G lets you enter a URL. Alternatively, you can enter a URL from the command line such as '''links google.com'''''</ul><br />
<ul> ''Hint: Press ALT-F to get a menu bar to appear on your screen which you can then go through using arrow keys.''</ul><br />
<li> Press the letter "q" on your keyboard to quit links.</li><br />
</ol><br />
<br><br />
There are many other text-based browsers to choose from. Some of these are more recent and have advanced features like handling SSL and cookies better. If you are interested check out [http://w3m.sourceforge.net/ w3m] or [https://lynx.invisible-island.net/ lynx]<br />
<br />
==Basic File Management and Navigation==<br />
'''''[https://www.youtube.com/watch?v=v0rm7Iab624&feature=youtu.be Video Tutorial - Basic File Management and Navigation]'''''<br />
<ol><br />
<li> Use the links web browser to open the page ''http://www.franske.com/shakespeare.tar.gz'' </li><br />
<li> Download the ''shakespeare.tar.gz'' file from that page. </li><br />
<li> Exit the links browser and verify the file has downloaded into your current directory with the following command:</li><br />
<code>ls -al</code><br />
<ul> This command lists the files in the current directory.</ul><br />
<li> Create a new directory called ''sample-files'' using the following command:</li><br />
<code>mkdir sample-files</code><br />
<li> Copy the ''shakespeare.tar.gz'' file from the current directory into the ''sample-files'' directory using:</li><br />
<code>cp shakespeare.tar.gz sample-files/ </code><br />
<ul> Note the / on the end of the command which indicates we want to place the file ''into'' a subdirectory and not make a new copy of the file in the same directory but with a different name. Pay attention to case, Linux is a case sensitive operating system. You can actually have two different files in the same directory, one called ''Shakespeare.tar.gz'' and one called ''shakespeare.tar.gz''</ul><br />
<li> Change your current directory to the ''sample-files'' directory using: </li><br />
<code>cd sample-files</code><br />
<li>Verify your directory change using the print working directory command:</li><br />
<code>pwd</code><br />
<li>Verify the file has been copied by using the following command inside the ''sample-files'' directory:</li><br />
<code>ls -al</code> <br />
<li> Delete (remove) the file from the current directory by using:</li><br />
<code> rm shakespeare.tar.gz</code><br />
<li>Change your directory back to your user's home directory (one level above the subdirectory you're currently in). </li><br />
<ul> There are many ways to do this but a common shortcut to move one directory up in the tree is to use the ".." shortcut which means one directory above the current directory so '''cd ..''' will change your working directory up one level.</ul><br />
<ul> This time we want to move the ''shakespeare.tar.gz'' file into the ''sample-files'' directory instead of copying it. </ul><br />
<li>Use the following command to do this:</li><br />
<code>mv shakespeare.tar.gz sample-files/</code><br />
<ul> Again, note the / on the end of sample-files/ indicating we want to put it in a ''directory'' named ''sample-files'' instead of renaming ''shakespeare.tar.gz'' to a ''file'' called ''sample-files''.</ul><br />
<li> Verify the ''shakespeare.tar.gz'' file is no longer in your current directory then change your working directory to ''sample-files'' again and verify that the file has been moved there.</li><br />
<ul> The ''.tar.gz'' type files are sometimes called a "tarball" and they are a common way to distribute files on *NIX (UNIX/Linux/BSD/POSIX) based systems. These files really have two parts. The first is a TAR file which is a way to pack multiple files and directories into a single file for archival and distribution purposes but does not compress the file in any way; the size will be essentially the same as if you added together all of the files it contains. After the files are put into a TAR file they can be compressed with the '''gzip''' program so we add the ''.gz'' extension to the filename to indicate this TAR file has been compressed. Other compression programs such as '''bzip2''' can also be used, in that case it would be a ''.tar.bz2'' file. Because TAR files are so frequently gzipped to compress them the command to compress or uncompress a file has been added to the TAR program itself so we don't need to go through two steps. In this case we can uncompress and extract the files using the ''tar -zxf shakespeare.tar.gz'' command or to see the list of files as they are extracted we can add the -v argument to the command to make the output verbose '''tar -zxvf shakespeare.tar.gz''' </ul><br />
<li> Run the command to extract and uncompress the file. </li><br />
<li> Verify it by listing the directory contents. </li><br />
<ul> You should see a new subdirectory, it's common and good practice to always include the files in a TAR in their own subdirectory so that when they are extracted they don't clutter the current working directory. </ul><br />
<li> Enter the new subdirectory and list the contents to verify the extraction, you should see several files.</li><br />
<li> Try removing one of the files that was extracted. </li><br />
<ul>You might encounter an error if the filename includes a space. Although spaces are allowed in filenames on Linux, it's not recommended because you will need to either quote or escape filenames in some way in order to work with the files. For example if you wanted to remove a file called ''a file with spaces.txt'' you would either need to enter the command as '''rm "a file with spaces.txt"''' (with the quotes) or as ''rm a\ file\ with\ spaces.txt'' where the backslash character is used to "escape" the special characters in the filename (in this case spaces, but other characters, like exclamation points, are special as well). Make sure you can remove a file with spaces in the name. </ul><br />
<li> Move up one directory (back to the ''sample-files'' directory). </li><br />
<ul> Let's say we want to remove the entire Shakespeare directory now. </ul><br />
<li> Try using the following command to do that: </li><br />
<code> rm Shakespeare</code><br />
<ul> The '''rm''' command will give you an error because it is designed for removing files, not directories. To remove directories you can use the '''rmdir''' command such as '''rmdir Shakespeare''' but this will also give you an error. </ul><br />
<li> Try it! </li><br />
<code> rmdir Shakespeare </code><br />
<ul> The '''rmdir''' command requires that a directory be empty before it can be removed. You now have a choice, you could go back into the directory and clear it out, one file at a time using the rm command. Or you could speed things up by removing all the files in it at once using the '''rm *''' command, which includes a special character, called a wildcard, which stands for all files in the directory. This would work but it still requires a second step and if there were even more levels of directories inside the one you wanted to remove you would have to go through all of them as well. Luckily, Linux has a powerful (but obviously dangerous) command the "recursive remove" command which removes a directory as well as all of the files and subdirectories it contains. You must be careful with this command because, used incorrectly, you could obviously delete everything on your hard drive with a single command. We want to remove the Shakespeare directory and everything it contains so we can use the '''rm -r Shakespeare''' command. </ul><br />
<li> Do this and then verify the directory has been removed.</li><br />
<li> Navigate back to your user's home directory before continuing.</li></ol><br />
<br />
==Install the Apache 2 Webserver==<br />
'''''[https://www.youtube.com/watch?v=56iOrpFbHOM&feature=youtu.be Video Tutorial - Installing Apache 2]'''''<br />
<ol><li> On your HOST system open a web browser and try browsing to the IP address of your Linux system. </li><br />
<ul> You should get some kind of server unreachable error because there is currently no webserver running on your system. </ul><br />
<li> Use the '''apt show''' command to review details of the ''apache2'' package</li><br />
<ul> [https://httpd.apache.org/ Apache] is one of the most popular webserver programs on the Internet. </ul><br />
<li> After reading through the information go ahead and install the '''apache2''' package using '''apt install'''. </li><br />
<ul> You'll notice this time, because it's a more complex program than links, you will be prompted to install several other packages that apache relies on to run, we call these packages "dependencies". One key advantage of using a "package manager" like '''apt''', '''apt-get''', or '''aptitude''' is that they automatically keep track of dependencies and install packages needed to make the one you're trying to install function properly.</ul><br />
<li> Once the installation process for Apache 2 is complete you should be able to go back to your host system and try visiting the IP address of your Linux system again or reloading the page. </li><br />
<ul> You should now see a basic welcome page which indicates you have a webserver up and running on your Linux system. Obviously we haven't done anything exciting with the page yet or setup much security but it really is that simple to turn a Linux system into a basic webserver.</ul><br />
<ul> [[File:Lab2_apache2.png|link=https://wiki.ihitc.net/mediawiki/images/b/bc/Lab2_apache2.png|500px]]</ul><br />
<ul> [[Media:Lab2_apache2.png | Click for Larger Image]]</ul><br />
</ol><br />
<br />
''NOTE: You can leave your VM running from this point on''<br />
<br />
=Checking Your Work=<br />
<ol><li> Return to your home directory and run:</li><br />
<code>ls -al</code><br />
<ul> If you see the ''shakespeare.tar.gz'' file you haven't followed all the directions.</ul><br />
<li> List the files in the sample-files directory:</li><br />
<ul> If you only see the ''shakespeare.tar.gz'' file you have successfully completed that section of the lab.</ul><br />
<li> Run the following command:</li><br />
<code> links</code><br />
<ul> If the Links browser opens you have successfully installed it.</ul><br />
<li> Navigate to your ip address using the Links browser; does the website look like this?</li><br />
<ul>[[file:Links_apache2.png | link= https://wiki.ihitc.net/mediawiki/images/1/12/Links_apache2.png | 500px]]</ul><br />
<ul>[[media:Links_apache2.png| Click for Larger Image]]</ul><br />
<br />
<li> Run the following command; does the output look like this?</li><br />
<code style="background-color: #f1f1f1">python3 --version</code><br />
<ul> [[File:Python_version.png|link=https://wiki.ihitc.net/mediawiki/images/7/70/Python_version.png|500px]]</ul><br />
<ul> [[Media:Python_version.png | Click for Larger Image]]</ul><br />
<ul> If your results match the screenshots, you have successfully completed the lab! </ul><br />
<br><br />
<br><br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_02_test.py | python3<br />
</nowiki></code><br />
<br><br><br />
You can check your progress on any of the labs in the ITC-2480 course from a webapp from this link: <br><br />
[http://webcheck.itc2480.campus.ihitc.net webcheck.itc2480.campus.ihitc.net]<br><br />
You must be logged into the campus VPN to use this application.<br />
</ol></div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_2_mnjk&diff=9607Lab 2 mnjk2021-04-16T22:32:15Z<p>NateHaleen: /* Checking Your Work */</p>
<hr />
<div>=Introduction=<br />
In this lab you will perform the following tasks:<br />
*Installing the ''links'' web browser<br />
*Downloading a compressed file<br />
*Creating a directory<br />
*Copying and moving files<br />
*Extracting a .tar.gz "tarball" file<br />
*Removing files and directories<br />
*Installing the [https://httpd.apache.org/ Apache] webserver<br />
*Installing [https://www.python.org/ Python] and its dependencies<br />
<br />
This lab assumes that you know the IP address of your Linux system and are connected to the ITCnet VPN network. If you need help with these steps please see [[ITC_VPN_Instructions | the VPN instructions]] and [[Lab_1_mnjk#Installing_sudo_and_checking_your_IP_address | the previous lab]].<br />
<br />
You will be introduced to the following commands:<br />
*'''[https://linux.die.net/man/1/ls ls]'''<br />
*'''[https://linux.die.net/man/1/cd cd]'''<br />
*'''[https://linux.die.net/man/1/cp cp]'''<br />
*'''[http://linux.die.net/man/1/mv mv]'''<br />
*'''[https://linux.die.net/man/1/man man]'''<br />
*'''[http://linux.die.net/man/1/links links]'''<br />
*'''[http://linux.die.net/man/1/mkdir mkdir]'''<br />
*'''[http://linux.die.net/man/1/pwd pwd]'''<br />
*'''[http://linux.die.net/man/1/rm rm]'''<br />
*'''[http://linux.die.net/man/1/rmdir rmdir]'''<br />
*'''[http://linux.die.net/man/1/tar tar]'''<br />
<br />
=Lab Procedure=<br />
==Preliminaries==<br />
# Ensure your VM is powered on in Netlab<br />
#:''NOTE: you should have shut it down at the end of the last lab, but you will leave it on from now on.''<br />
#:''NOTE: you will need to make a reservation in Netlab to power on your VM.''<br />
# Make sure you have the current IP address of your Linux system<br />
#: If your Linux VM has been powered off for some time since you checked the IP address in a previous lab you may have received a new IP address, so be sure to check your IP address again and use that IP address in this lab. <br />
# Open an SSH console to your Linux system using the [https://www.putty.org/ PuTTY] software<br />
#: [[File:Lab2_putty.png |link=https://wiki.ihitc.net/mediawiki/images/6/6f/Lab2_putty.png|500px]]<br />
#: [[Media:Lab2_putty.png | Click for larger image]]<br />
# Log in with your standard user account<br />
#: From this point on we will be working only through an SSH connection to the server so unless you have a problem with network access to your VM, or you need to power it on again you should not need to make Netlab reservations or use the Netlab interface for quite some time.<br />
<br />
==Install the Links Web Browser Package==<br />
'''''[https://www.youtube.com/watch?v=2Ikzy23WuqQ&feature=youtu.be Video Tutorial - Installing the Links Web Browser]'''''<br />
<ol><br />
<li> Update your package lists using the following command:</li><br />
<code>sudo apt update</code><br />
: Because software installation and updates need to be done as an administrator we need to put '''sudo''' in front of these commands. You will likely need to enter your password again unless you've recently used sudo for something else and your session has not timed out yet.<br />
<li> Search for a description of the ''links'' package using the following '''apt''' command to search for packages with links in the package name.</li><br />
<code> apt search --names-only links</code><br />
<ul> ''TIP: You could further restrict your search using regular expressions instead of just searching for "links" such as '''apt search --names-only ^links''' which will only search for packages that ''start'' with the word links. You can learn more about regular expressions at [https://regexone.com RegexOne] and [https://www.regular-expressions.info Regular-Expressions.info] among many other places. These are frequently used in system administration and programming so it's worth your while to get at least a basic understanding of them.''</ul><br />
<ul> ''TIP: You can also expand your search to include searching the full package descriptions instead of just the names like '''apt search links''' which returns many more results.''</ul><br />
<li> Check the details of the ''links'' software package using the following command: </li><br />
<code>apt show links</code><br />
<li> Install the ''links'' web browser package using the following '''apt''' command: </li><br />
<code>sudo apt install links</code><br />
<li> Run the links program using the following command:</li><br />
<code>links</code><br />
<ul> [[File:Links.png|link=https://wiki.ihitc.net/mediawiki/images/6/6e/Links.png|500px]]</ul><br />
<ul> [[Media:Links.png | Click for Larger Image]]</ul><br />
<li> Try browsing to a website such as ''www.google.com'' or ''www.debian.org''. </li><br />
<ul> ''Hint: Pressing CTRL-G lets you enter a URL. Alternatively, you can enter a URL from the command line such as '''links google.com'''''</ul><br />
<ul> ''Hint: Press ALT-F to get a menu bar to appear on your screen which you can then go through using arrow keys.''</ul><br />
<li> Press the letter "q" on your keyboard to quit links.</li><br />
</ol><br />
<br><br />
There are many other text-based browsers to choose from. Some of these are more recent and have advanced features like handling SSL and cookies better. If you are interested, check out [http://w3m.sourceforge.net/ w3m] or [https://lynx.invisible-island.net/ lynx].<br />
<br />
==Basic File Management and Navigation==<br />
'''''[https://www.youtube.com/watch?v=v0rm7Iab624&feature=youtu.be Video Tutorial - Basic File Management and Navigation]'''''<br />
<ol><br />
<li> Use the links web browser to open the page ''http://www.franske.com/shakespeare.tar.gz'' </li><br />
<li> Download the ''shakespeare.tar.gz'' file from that page. </li><br />
<li> Exit the links browser and verify the file has downloaded into your current directory with the following command:</li><br />
<code>ls -al</code><br />
<ul> This command lists the files in the current directory.</ul><br />
<li> Create a new directory called ''sample-files'' using the following command:</li><br />
<code>mkdir sample-files</code><br />
<li> Copy the ''shakespeare.tar.gz'' file from the current directory into the ''sample-files'' directory using:</li><br />
<code>cp shakespeare.tar.gz sample-files/ </code><br />
<ul> Note the / on the end of the command which indicates we want to place the file ''into'' a subdirectory and not make a new copy of the file in the same directory but with a different name. Pay attention to case, Linux is a case sensitive operating system. You can actually have two different files in the same directory, one called ''Shakespeare.tar.gz'' and one called ''shakespeare.tar.gz''</ul><br />
<li> Change your current directory to the ''sample-files'' directory using: </li><br />
<code>cd sample-files</code><br />
<li> Verify your directory change using the print working directory command:</li><br />
<code>pwd</code><br />
<li>Verify the file has been copied by using the following command inside the ''sample-files'' directory:</li><br />
<code>ls -al</code> <br />
<li> Delete (remove) the file from the current directory by using:</li><br />
<code> rm shakespeare.tar.gz</code><br />
<li>Change your directory back to your user's home directory (one level above the subdirectory you're currently in). </li><br />
<ul> There are many ways to do this but a common shortcut to move one directory up in the tree is to use the ".." shortcut which means one directory above the current directory so '''cd ..''' will change your working directory up one level.</ul><br />
<ul> This time we want to move the ''shakespeare.tar.gz'' file into the ''sample-files'' directory instead of copying it. </ul><br />
<li>Use the following command to do this:</li><br />
<code>mv shakespeare.tar.gz sample-files/</code><br />
<ul> Again, note the / on the end of sample-files/ indicating we want to put it in a ''directory'' named ''sample-files'' instead of renaming ''shakespeare.tar.gz'' to a ''file'' called ''sample-files''.</ul><br />
<li> Verify the ''shakespeare.tar.gz'' file is no longer in your current directory then change your working directory to ''sample-files'' again and verify that the file has been moved there.</li><br />
<ul> The ''.tar.gz'' type files are sometimes called a "tarball" and they are a common way to distribute files on *NIX (UNIX/Linux/BSD/POSIX) based systems. These files really have two parts. The first is a TAR file, which is a way to pack multiple files and directories into a single file for archival and distribution purposes but does not compress the file in any way; the size will be essentially the same as if you added together all of the files it contains. After the files are put into a TAR file they can be compressed with the '''gzip''' program, so we add the ''.gz'' extension to the filename to indicate this TAR file has been compressed. Other compression programs such as '''bzip2''' can also be used; in that case it would be a ''.tar.bz2'' file. Because TAR files are so frequently gzipped to compress them, the ability to compress or uncompress a file has been added to the '''tar''' program itself so we don't need to go through two steps. In this case we can uncompress and extract the files using the '''tar -zxf shakespeare.tar.gz''' command, or, to see the list of files as they are extracted, we can add the -v argument to make the output verbose: '''tar -zxvf shakespeare.tar.gz''' </ul><br />
<li> Run the command to extract and uncompress the file. </li><br />
<li> Verify it by listing the directory contents. </li><br />
<ul> You should see a new subdirectory, it's common and good practice to always include the files in a TAR in their own subdirectory so that when they are extracted they don't clutter the current working directory. </ul><br />
<li> Enter the new subdirectory and list the contents to verify the extraction, you should see several files.</li><br />
<li> Try removing one of the files that was extracted. </li><br />
<ul>You might encounter an error if the filename includes a space. Although spaces are allowed in filenames on Linux, it's not recommended because you will need to either quote or escape filenames in some way in order to work with the files. For example if you wanted to remove a file called ''a file with spaces.txt'' you would either need to enter the command as '''rm "a file with spaces.txt"''' (with the quotes) or as ''rm a\ file\ with\ spaces.txt'' where the backslash character is used to "escape" the special characters in the filename (in this case spaces, but other characters, like exclamation points, are special as well). Make sure you can remove a file with spaces in the name. </ul><br />
<li> Move up one directory (back to the ''sample-files'' directory). </li><br />
<ul> Let's say we want to remove the entire Shakespeare directory now. </ul><br />
<li> Try using the following command to do that: </li><br />
<code> rm Shakespeare</code><br />
<ul> The '''rm''' command will give you an error because it is designed for removing files, not directories. To remove directories you can use the '''rmdir''' command such as '''rmdir Shakespeare''' but this will also give you an error. </ul><br />
<li> Try it! </li><br />
<code> rmdir Shakespeare </code><br />
<ul> The '''rmdir''' command requires that a directory be empty before it can be removed. You now have a choice: you could go back into the directory and clear it out one file at a time using the '''rm''' command, or you could speed things up by removing all the files in it at once using the '''rm *''' command, which includes a special character, called a wildcard, that stands for all files in the directory. This would work, but it still requires a second step, and if there were even more levels of directories inside the one you wanted to remove you would have to go through all of them as well. Luckily, Linux has a powerful (but obviously dangerous) "recursive remove" command, which removes a directory as well as all of the files and subdirectories it contains. You must be careful with this command because, used incorrectly, it could delete everything on your hard drive with a single command. We want to remove the Shakespeare directory and everything it contains, so we can use the '''rm -r Shakespeare''' command. </ul><br />
<li> Do this and then verify the directory has been removed.</li><br />
<li> Navigate back to your user's home directory before continuing.</li></ol><br />
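The extraction steps above rely on the tarball unpacking into its own subdirectory. As an added example (not part of the original lab; the function names are hypothetical), this script lists an archive's members with '''tar -tzf''' before extracting and refuses archives whose paths are absolute, contain "..", or do not share one top-level name. The sample archive is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: inspect a tarball's member list before extracting it.
# Limitation: member names are read line by line, so names that contain
# newline characters are not handled.

# check_member_names: reads one member path per line on stdin.
# Succeeds only if every path is relative, has no ".." component,
# and all paths share a single top-level name.
check_member_names() {
    awk '
        substr($0, 1, 1) == "/" {
            print "absolute path: " $0; bad = 1; next
        }
        index("/" $0 "/", "/../") > 0 {
            print "parent-directory reference: " $0; bad = 1; next
        }
        {
            name = $0
            sub(/^\.\//, "", name)            # treat ./dir/file like dir/file
            if (name == "" || name == ".") next
            split(name, parts, "/")
            if (!(parts[1] in tops)) { tops[parts[1]] = 1; ntops++ }
            members++
        }
        END {
            if (members == 0 && !bad) { print "no members listed"; bad = 1 }
            if (ntops > 1) {
                print "members are spread over " ntops " top-level names"
                bad = 1
            }
            exit (bad ? 1 : 0)
        }
    ' >&2
}

# tar_is_safe ARCHIVE: list a gzip-compressed tar file and check its paths.
tar_is_safe() {
    tar -tzf "$1" | check_member_names
}

# safe_extract ARCHIVE DESTDIR: extract into an existing directory,
# but only after the member list has passed the checks above.
safe_extract() {
    tar_is_safe "$1" || { echo "refusing to extract $1" >&2; return 1; }
    tar -zxf "$1" -C "$2"
}

# --- Demo on a constructed archive (not the lab's real shakespeare.tar.gz) ---
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/src/Shakespeare" "$demo_dir/out"
echo "constructed sample text" > "$demo_dir/src/Shakespeare/a file with spaces.txt"
tar -czf "$demo_dir/sample.tar.gz" -C "$demo_dir/src" Shakespeare

if safe_extract "$demo_dir/sample.tar.gz" "$demo_dir/out"; then
    echo "extracted:"
    ls -al "$demo_dir/out/Shakespeare"
fi
rm -rf "$demo_dir"
```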
<br />
==Install the Apache 2 Webserver==<br />
'''''[https://www.youtube.com/watch?v=56iOrpFbHOM&feature=youtu.be Video Tutorial - Installing Apache 2]'''''<br />
<ol><li> On your HOST system open a web browser and try browsing to the IP address of your Linux system. </li><br />
<ul> You should get some kind of server unreachable error because there is currently no webserver running on your system. </ul><br />
<li> Use the '''apt show''' command to review details of the ''apache2'' package</li><br />
<ul> [https://httpd.apache.org/ Apache] is one of the most popular webserver programs on the Internet. </ul><br />
<li> After reading through the information go ahead and install the '''apache2''' package using '''apt install'''. </li><br />
<ul> You'll notice this time, because it's a more complex program than links, you will be prompted to install several other packages that apache relies on to run, we call these packages "dependencies". One key advantage of using a "package manager" like '''apt''', '''apt-get''', or '''aptitude''' is that they automatically keep track of dependencies and install packages needed to make the one you're trying to install function properly.</ul><br />
<li> Once the installation process for Apache 2 is complete you should be able to go back to your host system and try visiting the IP address of your Linux system again or reloading the page. </li><br />
<ul> You should now see a basic welcome page which indicates you have a webserver up and running on your Linux system. Obviously we haven't done anything exciting with the page yet or setup much security but it really is that simple to turn a Linux system into a basic webserver.</ul><br />
<ul> [[File:Lab2_apache2.png|link=https://wiki.ihitc.net/mediawiki/images/b/bc/Lab2_apache2.png|500px]]</ul><br />
<ul> [[Media:Lab2_apache2.png | Click for Larger Image]]</ul><br />
</ol><br />
<br />
''NOTE: You can leave your VM running from this point on''<br />
<br />
=Checking Your Work=<br />
<ol><li> Return to your home directory and run:</li><br />
<code>ls -al</code><br />
<ul> If you see the ''shakespeare.tar.gz'' file you haven't followed all the directions.</ul><br />
<li> List the files in the sample-files directory:</li><br />
<ul> If you only see the ''shakespeare.tar.gz'' file you have successfully completed that section of the lab.</ul><br />
<li> Run the following command:</li><br />
<code> links</code><br />
<ul> If the Links browser opens you have successfully installed it.</ul><br />
<li> Navigate to your ip address using the Links browser; does the website look like this?</li><br />
<ul>[[file:Links_apache2.png | link= https://wiki.ihitc.net/mediawiki/images/1/12/Links_apache2.png | 500px]]</ul><br />
<ul>[[media:Links_apache2.png| Click for Larger Image]]</ul><br />
<br />
<li> Run the following command; does the output look like this?</li><br />
<code style="background-color: #f1f1f1">python3 --version</code><br />
<ul> [[File:Python_version.png|link=https://wiki.ihitc.net/mediawiki/images/7/70/Python_version.png|500px]]</ul><br />
<ul> [[Media:Python_version.png | Click for Larger Image]]</ul><br />
<ul> If your results match the screenshots, you have successfully completed the lab! </ul><br />
<br><br />
<br><br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_02_test.py | python3<br />
</nowiki></code><br />
You can check your progress on any of the labs in the ITC-2480 course from a webapp from this link: <br><br />
[http://webcheck.itc2480.campus.ihitc.net webcheck.itc2480.campus.ihitc.net]<br><br />
You must be logged into the campus VPN to use this application.<br />
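The check command above pipes a script straight from the network into '''python3''', so whatever the ''main'' branch holds at that moment is what runs. As an added example (not part of the original lab; the function names are hypothetical and the digest is one you record yourself after reading the file), this script saves the download to a file, and runs it only if its SHA-256 digest still matches the copy you reviewed. The demo uses a constructed stand-in script so it runs offline.

```shell
#!/bin/sh
# Added example: download, review, pin and only then run a checker script.
#
# Typical use on the lab VM (URL is the one from the lab page):
#   fetch_script https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_02_test.py lab_02_test.py
#   less lab_02_test.py                  # read what it will do
#   file_sha256 lab_02_test.py           # record this digest after reviewing
#   run_verified lab_02_test.py "<digest you recorded>"

# fetch_script URL DEST: save the script to a file instead of piping it.
fetch_script() {
    # -f: fail on HTTP errors, -sS: quiet but still report errors,
    # -L: follow redirects, -o: write to the named file
    curl -fsSL -o "$2" "$1"
}

# file_sha256 FILE: print the SHA-256 digest of FILE as lowercase hex.
file_sha256() {
    sha256sum "$1" | awk '{ print $1 }'
}

# verify_script FILE EXPECTED: succeed only if FILE hashes to EXPECTED.
verify_script() {
    [ -f "$1" ] || { echo "missing file: $1" >&2; return 1; }
    actual=$(file_sha256 "$1")
    if [ "$actual" != "$2" ]; then
        echo "digest mismatch for $1" >&2
        echo "  expected: $2" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
}

# run_verified FILE EXPECTED: run FILE with python3 only after it verifies.
run_verified() {
    verify_script "$1" "$2" || { echo "not running $1" >&2; return 1; }
    python3 "$1"
}

# --- Demo on a constructed stand-in script (no network access needed) ---
demo_dir=$(mktemp -d)
printf 'print("constructed stand-in for the lab checker")\n' > "$demo_dir/check.py"
reviewed=$(file_sha256 "$demo_dir/check.py")   # digest recorded at review time

if verify_script "$demo_dir/check.py" "$reviewed"; then
    echo "unchanged since review: safe to run"
fi

# Simulate the upstream file changing after it was reviewed.
printf 'print("line added later")\n' >> "$demo_dir/check.py"
if ! verify_script "$demo_dir/check.py" "$reviewed" 2>/dev/null; then
    echo "changed since review: read it again before running"
fi
rm -rf "$demo_dir"
```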
</ol></div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_1_mnjk&diff=9606Lab 1 mnjk2021-04-16T22:31:47Z<p>NateHaleen: /* Checking your Work */</p>
<hr />
<div>=Introduction=<br />
:In this lab you will perform the following tasks:<br />
*Access NetLab to access the environment for your virtual machine<br />
*Install the latest version of Debian Linux in a virtual machine<br />
*Learn how to login and check the IP address of the system<br />
*Learn to remotely access the system with SSH and SFTP.<br />
<br />
You will be introduced to the following commands:<br />
<br />
*'''[https://linux.die.net/man/8/apt apt]'''<br />
*'''[https://linux.die.net/man/8/sudo sudo]'''<br />
*'''[https://linux.die.net/man/8/useradd adduser]'''<br />
*'''[https://linux.die.net/man/8/shutdown shutdown]'''<br />
*'''[https://linux.die.net/man/8/ip ip address show]'''<br />
<br />
=Lab Procedure=<br />
==Netlab Access==<br />
'''''[https://www.youtube.com/watch?v=-hLejbDfPGM&feature=youtu.be Video Tutorial - NetLab Access]'''''<br />
<ol><br />
<li> Connect to the ITCnet </li> <br />
: This can be accomplished by directly plugging into an ITCnet port in one of the ITC labs or by connecting to the [[ITC_VPN_Instructions|VPN]].<br />
:'' Note: If you want to connect using a wireless connection on campus you need to [[Connecting to Eduroam|connect to the eduroam network]] before connecting to the VPN.<br />
<li> After you are connected to ITCnet (by VPN or wired connection) you simply need to open a web browser and access https://ihcc-netlab.campus.ihitc.net</li><br />
* The first time you visit this site in a browser you may need to accept a self-signed security certificate<br />
* You will need to log in with a username and password established by your instructor.<br />
* The first time you log in you will need to change your password and set your timezone. Make sure your timezone is set correctly so you can schedule reservations to work with equipment at convenient times.<br />
<li> Once you are logged in click the blue "New Lab Reservation" button</li><br />
: Next, in the lower left corner of the screen, select "Schedule a Lab for Myself". Reservations are used to hold a place on the Netlab system to work on labs during a specific time. You only need reservations in this class when working with the GUI, which will come later in the class, if you need to turn the power back on to your VM, or during the installation process. The rest of the time you will be able to connect directly to your Linux server using the SSH protocol, but more on that in a bit.<br />
:'' Note: If you are enrolled in more than one class that is using Netlab you will be presented with a list of classes you are enrolled in; click on your Linux System Administration course if you see this screen.''<br />
: All of our lab work in this class is done in a single "Lab Environment" and your progress will be saved from one reservation to another. As a result there is only one lab listed in this course "Linux System Administration Labs". Click on this lab title.<br />
<li> Use the calendar to choose a date, time, and specific pod to reserve for your lab activity (when you will begin your Debian server installation).</li><br />
: The red line on this screen indicates the current time. If you want to get started right away you can click just below this line. Pay attention to the title of the column at the top, it will say something like "LSA Pod Z". The letter at the end of this pod name is your "pod letter" which you will use to set the host name and IP address of your machine in the future so make note of it.<br />
: You will be presented with a summary screen for your reservation where you can set the end time of your reservation (up to a maximum). It is suggested to make your reservation a couple hours long the first time you plan to install Debian, though you can extend it if needed. Click submit once you are ready to make the reservation.<br />
<li>You will see a confirmation screen that your reservation has been made.</li><br />
: You are now ready to progress on to the Debian Linux Installation (as long as your reservation is right away).<br />
</ol><br />
<br />
==Debian Linux Installation==<br />
'''''[https://www.youtube.com/watch?v=H0DcdEytpFQ&feature=youtu.be Video Tutorial - Debian Linux Installation]'''''<br />
<ol><br />
<li> Log in to the Netlab system</li><br />
: Access this using a web browser at https://ihcc-netlab.campus.ihitc.net if you are not already logged in.<br />
: If you have a currently active reservation you will see a green "Enter Lab" button on your list of reservations. Click the green "Enter Lab" button. If not, you will need to make a reservation (see above) and then click the "Enter Lab" button.<br />
: Your virtual machines (VMs) will automatically power on when your reservation begins and because there is no operating system currently installed to their virtual hard drives they will boot from their virtual CD/DVD drives which have been pre-loaded with the installation discs for Linux.<br />
<li> Access your virtual machine console</li><br />
: Once you are in your pod you can either click on the image of the "Linux Server" on the topology diagram or use the tabs across the top of your screen to access the console of your Linux Server VM.<br />
: The console shows the display of your VM and allows you to type and interact with your VM just as if you were physically sitting down in front of a server with a monitor, keyboard, and mouse attached. Just like a separate physical machine you will not be able to copy and paste text or drag and drop files in and out of this console window. We will use other utilities across the network connection to do those things just like we would with a physical server.<br />
<li>Learn to "Power Cycle" your virtual machine</li><br />
: By now your VM has likely already booted from its virtual CD/DVD drive and should be at the "Debian GNU/Linux installer menu". Before continuing let's practice rebooting your system so you can watch the system boot and see how to reboot the system if needed. Click the down arrow button on the right side of the "Linux Server" tab at the top of your screen and choose "Power Off" then click the red "Power Off" button on the popup to power off your VM. This is the equivalent of just pulling out the power cord, at least until we install the VMware Tools software which allows for a graceful shutdown, so you'll want to be careful to only do this if absolutely needed until then.<br />
<li>Power on your virtual machine</li><br />
: Click the down arrow button on the right side of the "Linux Server" tab at the top of your screen and choose "Power On", or press the blue "Power On" button in the middle of your screen, then press the green "Power On" button to boot your system.<br />
<li>Install Debian Linux</li><br />
: Once the system has rebooted and is back to the "Debian GNU/Linux installer menu" choose "Install" and '''not''' "Graphical Install". If you make an incorrect choice you can reboot your virtual machine (power off and on) before installing to get back to the menu.<br />
: In the installer you will use the space bar to select and unselect "checkboxes", the tab key to move between fields and buttons, and the enter key to continue. You will be prompted for the following choices:<br />
* Select ''English'' as the language, ''United States'' as your location, and ''American English'' as the keymap.<br />
* Set ''ens192'' as your primary network interface.<br />
* Set a hostname for the system to 2480 followed by a dash and then your pod ID letter, like ''2480-Z'' for LSA Pod Z. If you have forgotten your pod ID letter look up at the top of your screen above the line with the "Topology" and "Linux Server" tabs and you should see a line with "LSA Pod" followed by a letter, that letter is your pod ID letter.<br />
:'' Note: These steps are critical to future success in labs, check your spelling carefully'' <br />
: [[File:Lab1_hostname.png|link=https://wiki.ihitc.net/mediawiki/images/5/57/Lab1_hostname.png|500px]]<br />
: [[Media:Lab1_hostname.png|Click here for a larger image]]<br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
: [[File:Lab1_domainname.png|link=https://wiki.ihitc.net/mediawiki/images/5/5a/Lab1_domainname.png|500px]]<br />
: [[Media:Lab1_domainname.png|Click here for a larger image]]<br />
* Set the root password to something you will NOT FORGET, this is the administrator account, ''cisco'' might be a good choice for our purposes though that would not be secure for a system directly accessible from the Internet (we are protected by a firewall which you are bypassing via the VPN connection)<br />
* Create a new user account by entering your name. The system will automatically use your first name (all lowercase) as the username and then you should set the password to another password you will not forget<br />
* Select your timezone<br />
* Choose "Guided - Use entire disk" as the partitioning method and select the ''sda'' drive and "All files in one partition" as the partitioning scheme, "Finish partitioning and write the changes to the disk", and then finally confirm you want to write the changes.<br />
* You do not want to scan any other CDs or DVDs at this time.<br />
* You want to select a mirror located close to you with good speed. Because your VM is actually running from the campus and is connected to the campus Internet connection a good option is "debian.uchicago.edu" with no http proxy.<br />
* Choose whether you want to participate in the package usage survey, for our purposes either choice is just fine.<br />
* On the software selection screen UNSELECT "Debian desktop environment" and "Print server" and make sure that "SSH server" and "Standard system utilities" are the only two selected options.<br />
:'' Note: To select and unselect options move your cursor over the option and press the space bar.<br />
* Choose that yes you want to install GRUB to the master boot record on the ''/dev/sda'' device.<br />
<li>Complete the installation</li><br />
: When the installation is complete you can select continue to "eject" the virtual CD and reboot into the new install<br />
</ol><br />
<br />
==Installing sudo and Checking Your IP Address==<br />
'''''[https://www.youtube.com/watch?v=TwXp5YfAvlw&feature=youtu.be Video Tutorial - Installing sudo and checking your IP address]'''''<br />
<ol><br />
<li>Log in to NetLab</li><br />
: Login through the Netlab local console with your root account and password (username ''root'', password as set during the installation)<br />
:'' Note: When entering a password on the command line of a Linux system it is normal that nothing should appear and the cursor will not move when you are typing. This prevents someone who is able to see your computer screen from seeing what your password is or even how long it is. Just type your password and trust that the system is receiving it, press enter to submit your password.<br />
<li>Install '''sudo''' from the command line using:<br />
: ''Note: A good practice is to update your system before installing any packages. This should be done using '''apt update'''; be sure to use '''sudo''' when not logged in as root.''<br />
: <code>apt update</code><br />
: <code>apt install sudo</code></li><br />
: For security purposes it is usually the case that you do not want to log in as the root user. Instead, best practice is to log in as a standard user and then execute specific commands that require root access with administrative privileges through the '''sudo''' program. The '''sudo''' program is not installed by default so after you have logged in to the root account enter '''apt update''' and press enter which will update the list of software available for installation and then '''apt install sudo''' and press enter to install the sudo software.<br />
<li>Add sudo privileges to our standard user account.<br />
<code>adduser <username> sudo</code></li><br />
: We now need to add our standard user account to the group which is allowed to have administrative access. To do this, enter the command '''sudo adduser ''<username>'' sudo''' and press enter, replacing ''<username>'' with the name of your standard user account (set during the setup process, probably your first name in lowercase). We'll learn more about these commands later in the course.<br />
<li>Reboot system</li><br />
<code>shutdown -r now</code><br />
: Reboot your system using the '''shutdown -r now''' command to apply the changes<br />
<li>Log in as your standard user account, determine system IP address.<br />
: Once you are logged in use the following command at the command line to determine the IP address of your system<br />
<code>ip address show</code></li><br />
: Using the '''ip address show''' command will allow you to check the IP address of your system. The IP address should be something like ''172.17.50.xxx'' and be an ''inet'' address on the ''ens192'' adapter.<br />
[[File:Lab1_ip_address_show2.PNG|500px]]<br />
<li>Test sudo privileges</li><br />
: Try running the same command as the administrator by typing '''sudo ip address show'''. You will need to enter your password again when you run this command.<br />
<code>sudo ip address show</code><br />
<li>Exit from the local console</li><br />
: To log out of the console type '''exit''' and press enter.<br />
</ol><br />
<br />
==Logging in to a Remote Terminal==<br />
'''''[https://www.youtube.com/watch?v=JEiDkrlPMNw&feature=youtu.be Video Tutorial - Logging into a remote terminal]'''''<br />
<br />
A faster way to interact with your system is not through the Netlab local console but through a remote SSH session over the network directly to your server. Once you have mastered this you will be able to copy and paste text to your Linux server and will not need to make a reservation in Netlab to work on labs. For our purposes you will always need to connect to the ITCnet VPN before doing this so that you have access to the 172.17.50.0 network.<br />
<ol><br />
<li>Install Putty</li><br />
: Assuming you are running Windows, install the PuTTY software on your home PC from [http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html this website].<br />
: '' Note: For other operating systems there are other ways and software you can use to make an SSH connection, you will need to research what tools are used for making SSH connections from your particular operating system.<br />
<li>Open an SSH session</li><br />
:* Run the PuTTY software on your computer and enter in the IP address of your VM in the "Host Name" box and click the "Open" button.<br />
:[[File:Lab1_putty.png|link=https://wiki.ihitc.net/mediawiki/images/f/f5/Lab1_putty.png|500px]]<br />
:[[Media:Lab1_putty.png| Click here for larger image]]<br />
:* Click Yes to save the host key on your system<br />
: [[File:Lab1_puttycert.png|link=https://wiki.ihitc.net/mediawiki/images/4/4b/Lab1_puttycert.png|500px]]<br />
: [[Media:Lab1_puttycert.png|Click here for larger image]]<br />
:* Enter the standard username and password for your Linux system to connect.<br />
: '' Note: You should receive a prompt just like the one you had on the Netlab local console but it is now a direct connection from your computer over the ITCnet to your server.<br />
<li>Close the SSH session</li><br />
: Type '''exit''' to close the connection while leaving your VM running.<br />
</ol><br />
<br />
==Remote File Transfer==<br />
'''''[https://www.youtube.com/watch?v=JEiDkrlPMNw&feature=youtu.be Video Tutorial - Remote File Transfer]'''''<br />
<br />
The easiest way to transfer files to and from your VM is with SFTP software. For our purposes, you will always need to connect to the ITCnet VPN before doing this so that you have access to the 172.17.50.0 network.<br />
<ol><br />
<li>Install FileZilla</li><br />
: Install the FileZilla client software on your home PC from [https://filezilla-project.org/download.php?type=client this website]<br />
<li>Open an SFTP session to your server</li><br />
: Run FileZilla and use the Quick Connect bar at the top of the screen to access your system. <br />
:* Enter the IP address of your Linux system in the "Host:" box<br />
:* Enter your standard username and password in the appropriate boxes<br />
:* Enter ''22'' in the "Port:" box<br />
:* Click the "Quickconnect" button.<br />
: [[File:Lab1_filezillanew.png|link=https://wiki.ihitc.net/mediawiki/images/b/b1/Lab1_filezillanew.png|500px]]<br />
: [[Media:Lab1_filezillanew.png|Click here for larger image]]<br />
: You should see some connection text scroll on the top of the screen and some files on the right side of the screen now, such as ''.bashrc'' and ''.profile''. The right side of the screen is the drive on your Linux system and the left side of the screen is the drive on your home system. Files and folders can be dragged between the two sides to transfer them back and forth.<br />
: [[File:Lab1_filezillaconnected.png|link=https://wiki.ihitc.net/mediawiki/images/c/ca/Lab1_filezillaconnected.png|500px]]<br />
: [[Media:Lab1_filezillaconnected.png|Click here for larger image]]<br />
<li>Close the FileZilla software to disconnect.</li><br />
</ol><br />
<br />
==Install VM Tools==<br />
'''''[https://www.youtube.com/watch?v=gLC1liwVJ8s&feature=youtu.be Video Tutorial - Install VM Tools]'''''<br />
: Because your Debian Linux server is running as a virtual machine on a VMware host system, we should install the VMware Tools software package in your virtual machine to achieve the best performance and driver integration.<br />
<ol><br />
<li>Open an SSH session to your server</li><br />
: Connect into your system using the remote SSH console method explained above.<br />
<li>Install '''open-vm-tools'''</li><br />
: Run the '''sudo apt install open-vm-tools''' command to install the VMware Tools. You will be prompted about several additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
<code>sudo apt install open-vm-tools</code><br />
</ol><br />
<br />
==Install Python==<br />
In order to check your work in the labs of this course you will need to have an application called [https://www.python.org/ Python] installed on your Linux system.<br />
<ol><br />
<li> Download ''python3'' using '''apt'''</li><br />
* When prompted type Y to install the app and its dependencies<br />
<ul>''NOTE: This may take a while.''</ul><br />
* When prompted to specify the name of the host where the TANGO database server is running, just select ok.<br />
<ul> [[File:Python_tango.png|link=https://wiki.ihitc.net/mediawiki/images/4/4c/Python_tango.png|500px]]</ul><br />
<ul> [[Media:Python_tango.png | Click for Larger Image]]</ul><br />
<li> Run the following command to verify that python version 3.6 is installed.</li><br />
<code>python3 --version</code><br />
<ul> [[File:Python_version.png|link=https://wiki.ihitc.net/mediawiki/images/7/70/Python_version.png|500px]]</ul><br />
<ul> [[Media:Python_version.png | Click for Larger Image]]</ul><br />
</ol><br />
<br />
==Install Nmap==<br />
:Nmap is a tool we will learn more about later in the course but it will likely be used to check many of the labs for completion while working through the course. This course's labwork often builds upon the work you have done in previous labs. The self-check scripts are to assist you in ensuring you have not missed any ''critical'' steps in your work that would affect your success in subsequent labs.<br />
<br />
:* ''NOTE: Before we begin the installation of this tool it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning systems which they were not authorized to scan. You have been warned!''<br />
:*At this time all you will be doing is installing the tool as it will be used to self-check your lab work to verify you are ready to move on to the next lab.<br />
<ol><br />
<li>Open an SSH session to your server</li><br />
: Run the following command at the command line.<br />
<code>sudo apt install nmap</code><br />
: Run the '''sudo apt install nmap''' command to install the nmap tool. You will be prompted about additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
</ol><br />
<br />
==Install Curl==<br />
:Curl is a tool for transferring data from a URL; piped into an interpreter, it lets you run scripts that are not saved to your virtual machine. It will be used to check the labs for completion while working through the course. <br />
<ol><br />
<li> Run the following command at the command line. </li><br />
<code>sudo apt install curl</code><br />
: If prompted to install additional packages type "y"<br />
<li> Automatically check your results by running this command:</li><br />
: Installing Curl will allow you to check each of your labs for completion of some of the critical objectives of the lab work using a command in the "Checking your Work" section of the labs. This will usually be completed as the last step of the lab, but for this lab please run the following command now to check your work.<br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_01_revised.py | python3<br />
</nowiki></code><br />
<li>Close the SSH session</li><br />
: Type '''exit''' to close the connection while leaving your VM running.<br />
</ol><br />
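The check command above pipes a script from the network straight into '''python3'''. A more defensive way to run the same script, shown here as an added example that is not part of the original lab: download it to a file, compare its SHA-256 digest with one obtained out of band, and only then execute it. The function names are hypothetical and the expected digest is assumed to be published by your instructor.<br />

```shell
#!/bin/sh
# Added example (not part of the original lab): fetch a check script to a file,
# verify it against a SHA-256 digest obtained out of band, then run it.
# Function names are hypothetical; the digest must come from a trusted source.

# Print the SHA-256 hex digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_script FILE EXPECTED_SHA256
# Returns 0 on match, 1 on mismatch, 2 if the file or digest is unusable.
verify_script() {
    vs_file=$1
    vs_expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -s "$vs_file" ]; then
        echo "verify_script: $vs_file is missing or empty" >&2
        return 2
    fi
    # A SHA-256 digest is exactly 64 hex characters; reject anything else so a
    # placeholder or truncated value can never "match".
    case $vs_expected in
        ""|*[!0-9a-f]*)
            echo "verify_script: expected digest is not hexadecimal" >&2
            return 2 ;;
    esac
    if [ "${#vs_expected}" -ne 64 ]; then
        echo "verify_script: expected digest is not 64 characters" >&2
        return 2
    fi
    vs_actual=$(sha256_of "$vs_file")
    if [ "$vs_actual" = "$vs_expected" ]; then
        return 0
    fi
    echo "verify_script: digest mismatch, refusing to run" >&2
    echo "  expected $vs_expected" >&2
    echo "  actual   $vs_actual" >&2
    return 1
}

# fetch_verify_run URL EXPECTED_SHA256 [INTERPRETER]
# Downloads URL, verifies it, and runs it with INTERPRETER (default python3).
fetch_verify_run() {
    fv_url=$1
    fv_expected=$2
    fv_runner=${3:-python3}
    fv_tmp=$(mktemp) || return 2
    # --proto '=https' refuses any non-HTTPS URL or redirect; -f turns HTTP
    # errors into a non-zero exit so an error page is never executed.
    if ! curl --proto '=https' --tlsv1.2 -fsSL -o "$fv_tmp" "$fv_url"; then
        echo "fetch_verify_run: download failed" >&2
        rm -f "$fv_tmp"
        return 2
    fi
    fv_rc=0
    if verify_script "$fv_tmp" "$fv_expected"; then
        "$fv_runner" "$fv_tmp" || fv_rc=$?
    else
        fv_rc=$?
    fi
    rm -f "$fv_tmp"
    return "$fv_rc"
}

# Usage (the digest is a placeholder, not a real value):
#   fetch_verify_run \
#     "https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_01_revised.py" \
#     "<sha256 published by your instructor>"
```

Because the URL points at a branch rather than a fixed revision, the file behind it can change at any time; a digest mismatch is the signal to stop and read the script before running it.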
<br />
==Safely Shutdown==<br />
'''''[https://www.youtube.com/watch?v=gLC1liwVJ8s&feature=youtu.be Video Tutorial - Safely Shutdown]'''''<br />
:We will normally leave our VM running but it is important that you know how to shut down a Linux system correctly so this time we'll turn it off.<br />
<ol><br />
<li>Open an SSH session to your server</li><br />
: Connect in to your system using the remote SSH console method explained above.<br />
<li> Safely shut down your server</li><br />
:* Run '''sudo shutdown -h now''' at the command line to safely shut down the system.<br />
<code>sudo shutdown -h now</code><br />
: You should soon get a message that PuTTY has lost its connection. Click OK and then you can close the PuTTY window.<br />
<li>End NetLab Reservation</li><br />
: If you still have time left in your reservation in Netlab it's polite to end the reservation so other users can work on the system, because only a limited number of reservations can be made at one time. You can do this by logging into Netlab, opening your lab, clicking the "Reservation" menu at the top of the screen, choosing "End Reservation Now" and then confirming that you want to end the reservation.<br />
</ol><br />
<br />
=Checking your Work=<br />
<ol><br />
<li>This section will cover ways to manually check your work</li><br />
<ul>For this lab each section was tested in the process of the lab. You should have successfully connected an SSH session with PuTTY, and an SFTP session with FileZilla.</ul><br />
<ul>You should have shut down your server in one of the last steps, so no further testing is necessary at this time.</ul><br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_01_revised.py | python3<br />
</nowiki></code><br />
<br><br />
</ol><br />
You can check your progress on any of the labs in the ITC-2480 course using the web app at this link: <br><br />
[http://webcheck.itc2480.campus.ihitc.net webcheck.itc2480.campus.ihitc.net]<br><br />
You must be logged into the campus VPN to use this application.</div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_10_mnjk&diff=9605Lab 10 mnjk2021-04-16T20:54:24Z<p>NateHaleen: /* Introduction */</p>
<hr />
<div>=Introduction=<br />
This lab assumes you have successfully set up [[Lab_8_mnjk#Install_BIND_.26_Enable_Caching | DNS]] and [[Lab_9_mnjk#Install_the_Postfix_MTA |email]]. If you had any issues with those labs, you should resolve them before attempting this lab, since you will be unable to properly test the tasks in this lab if those are not fully functional.<br />
<br />
In this lab you will perform the following tasks:<br />
*Configuring a [https://firewalld.org/ Firewall]<br />
*Enabling a 2nd interface<br />
*Configuring [https://en.wikipedia.org/wiki/Network_address_translation NAT]<br />
*Setting up [https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol DHCP]<br />
*Installing [https://linuxmint.com/ Linux Mint] on a second VM<br />
*Enabling [https://en.wikipedia.org/wiki/Port_forwarding Port Forwarding]<br />
<br />
You will be introduced to the following commands:<br />
*'''[https://firewalld.org/documentation/man-pages/firewall-cmd.html firewall-cmd]'''<br />
*'''[https://linux.die.net/man/1/echo echo]'''<br />
*'''[https://linux.die.net/man/8/ifconfig ifconfig]'''<br />
<br />
NOTE: This lab does NOT have embedded videos.<br />
<br />
=Lab Procedure=<br />
== Prerequisites ==<br />
# Open an SSH console to your Linux system using the PuTTY software.<br />
# Login with your standard user account.<br />
# Have a browser window set to the Webmin interface for your Linux VM.<br />
<br />
== Configure a Firewall ==<br />
''NOTE: It is suggested that instead of managing a firewall directly using nftables tools (which would also require us to create a script to reload our rules each time the system is restarted) we use a firewall daemon program to manage it based on a set of rules we create and automatically setup the firewall based on those rules each time the system boots. There are many command line firewall management programs out there but for this lab we will use the [https://firewalld.org/ firewalld] package suggested by Debian. ''<br />
<ol><br />
<li>Begin by installing the ''firewalld'' package on your system.</li><br />
<li>First, let's check to see if the firewall is now up and running using the following command:</li><br />
<code>firewall-cmd --state</code><br />
: The firewall has been pre-configured with a couple of rules in it to prevent us from getting locked out. <br />
: [[File:Lab10_firewalld_state.png | link=https://wiki.ihitc.net/mediawiki/images/1/11/Lab10_firewalld_state.png|500px]]<br />
: [[Media:Lab10_firewalld_state.png | Click for larger image]]<br />
<li>Let's see what those rules are by using this command: </li><br />
<code>firewall-cmd --list-all</code><br />
: [[File:Lab10_firewalld_initial_rules.png | link=https://wiki.ihitc.net/mediawiki/images/1/14/Lab10_firewalld_initial_rules.png|500px]]<br />
: [[Media:Lab10_firewalld_initial_rules.png | Click for larger image]]<br />
: By default all interfaces are in the public zone (this is set in the ''/etc/firewalld/firewalld.conf'' file). <br />
: Before we start working on rules for our firewall we should assign our outside interface to the external zone which is designed for NAT routing which we'll be setting up shortly. <br />
<li> We can do this with the command:</li><br />
<code>firewall-cmd --zone=external --add-interface=ens192</code><br />
: We can create custom zones or use pre-defined security zones which will speed up configuring the firewall. Learn more about the [https://firewalld.org/documentation/zone/predefined-zones.html pre-defined zones in firewalld documentation].<br />
<li>Since we have changed zones on our interface let's check and see what rules we have started with. Let's see what those rules are:</li><br />
<code>firewall-cmd --zone=external --list-all</code><br />
: ''NOTE: You can also use the '''firewall-cmd --list-all-zones''' command to see a list of all available zones and their rules.''<br />
: If you were watching carefully you may have noted that the dhcpv6-client service was allowed in the public zone but is not allowed by default in the external zone. <br />
<li>In our case we want to allow DHCPv6 to operate on our outside interface so we can re-enable it with the following command: </li><br />
<code> firewall-cmd --zone=external --add-service="dhcpv6-client"</code><br />
<li>Check to see what other services can be allowed on an interface with:</li><br />
<code>firewall-cmd --get-services</code><br />
: If you check you will see that although you can connect with ssh (by default it's on the allowed service list you saw above) you can't connect to your webserver or Webmin anymore. Webmin is not a pre-defined service in the list we saw above so we could either set it up as a new service and then allow it or we could create a manual rule to allow the TCP traffic on port 10000 needed to access Webmin. In this case because the service only uses a single port and to see how manual rules can be created let's manually create a rule to allow access to TCP port 10000. <br />
<li>Do this by running this command: </li><br />
<code>firewall-cmd --zone=external --add-port=10000/tcp </code><br />
:You should now be able to access Webmin again.<br />
<li> Using either service rules or manual port rules create additional rules so that the other services on your VM are again accessible from the outside (such as from your home PC over the VPN). </li><br />
:''HINT: Services we have setup so far include SSH, DNS, SMTP, IMAP, Samba, and HTTP.''<br />
: Make sure to test and ensure they are all working again!<br />
<li> Once you are satisfied your firewall is running correctly you can use the following command to set these rules to automatically load each time the system is started.</li><br />
<code> firewall-cmd --runtime-to-permanent </code><br />
</ol><br />
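A way to confirm the result of this section, as an added example that is not part of the original lab: the script below parses the text printed by '''firewall-cmd --list-all''', reports expected services or ports that the zone does not allow, and lists anything in the runtime configuration that '''--runtime-to-permanent''' has not yet saved. The function names, the expected-service list (taken from the hint above) and the sample output are constructed for illustration.<br />

```shell
#!/bin/sh
# Added example, not part of the original lab. Function names are hypothetical.
# Services from the lab's hint, plus dhcpv6-client and the Webmin port.
EXPECTED_SERVICES="ssh dns smtp imap samba http dhcpv6-client"
EXPECTED_PORTS="10000/tcp"

# Constructed sample of `firewall-cmd --zone=external --list-all` (runtime).
SAMPLE_RUNTIME='external (active)
  target: default
  interfaces: ens192
  services: dhcpv6-client dns http ssh
  ports: 10000/tcp
  masquerade: yes
  forward-ports:
  source-ports:'

# Constructed sample of the same command with --permanent added.
SAMPLE_PERMANENT='external
  target: default
  services: ssh
  ports:
  masquerade: yes
  forward-ports:'

# zone_field FIELD: read --list-all text on stdin, print the value of FIELD.
# Matching on "FIELD:" at the start of the trimmed line keeps "ports" from
# matching "forward-ports" or "source-ports".
zone_field() {
    awk -v key="$1" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, key ":") == 1 {
            sub(/^[^:]*:[ \t]*/, "", line)
            print line
            exit
        }'
}

# missing_items "WANTED" "PRESENT": print the wanted items that are absent.
missing_items() {
    missing=""
    for want in $1; do
        found=no
        for have in $2; do
            if [ "$want" = "$have" ]; then found=yes; fi
        done
        if [ "$found" = no ]; then missing="$missing $want"; fi
    done
    echo "${missing# }"
}

# audit_zone "SERVICES" "PORTS": read --list-all text on stdin, print what is
# missing, and return 0 only when every expected item is allowed.
audit_zone() {
    dump=$(cat)
    have_services=$(printf '%s\n' "$dump" | zone_field services)
    have_ports=$(printf '%s\n' "$dump" | zone_field ports)
    miss_s=$(missing_items "$1" "$have_services")
    miss_p=$(missing_items "$2" "$have_ports")
    rc=0
    if [ -n "$miss_s" ]; then echo "missing services: $miss_s"; rc=1; fi
    if [ -n "$miss_p" ]; then echo "missing ports: $miss_p"; rc=1; fi
    if [ "$rc" -eq 0 ]; then echo "zone allows every expected service and port"; fi
    return "$rc"
}

# unsaved_items FIELD RUNTIME_TEXT PERMANENT_TEXT: print items that exist only
# in the runtime configuration and would be lost at the next reboot.
unsaved_items() {
    rt=$(printf '%s\n' "$2" | zone_field "$1")
    pm=$(printf '%s\n' "$3" | zone_field "$1")
    missing_items "$rt" "$pm"
}

# Demo over the constructed samples. On a real system feed live output instead:
#   sudo firewall-cmd --zone=external --list-all | audit_zone "$EXPECTED_SERVICES" "$EXPECTED_PORTS"
#   unsaved_items services "$(sudo firewall-cmd --zone=external --list-all)" \
#                          "$(sudo firewall-cmd --permanent --zone=external --list-all)"
printf '%s\n' "$SAMPLE_RUNTIME" | audit_zone "$EXPECTED_SERVICES" "$EXPECTED_PORTS" || true
echo "not yet permanent: $(unsaved_items services "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT")"
```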
<br />
== Setup a 2nd NIC Interface ==<br />
To start this lab we will need to configure a second network interface, named ens224, on our virtual machines. In our simulated setup our existing ens192 interface will be our WAN interface and ens224 will be our LAN interface, which could be connected to a switch and then to multiple other computers, allowing them to connect to the Internet through our server.<br />
<ol><br />
<li> Open ''/etc/network/interfaces'' with your favorite text editor. </li><br />
* Go to the bottom of the file.<br />
: [[File:Lab10_network_interfaces_before.png | link=https://wiki.ihitc.net/mediawiki/images/f/f8/Lab10_network_interfaces_before.png|500px]]<br />
: [[Media:Lab10_network_interfaces_before.png | Click for larger image]]<br />
* Add the following to configure the second interface with a static IP of 192.168.1.1/24:<br />
<pre>auto ens224<br />
iface ens224 inet static<br />
address 192.168.1.1<br />
netmask 255.255.255.0</pre><br />
<br />
: [[File:Lab10_network_interfaces_after.png | link=https://wiki.ihitc.net/mediawiki/images/8/80/Lab10_network_interfaces_after.png|500px]]<br />
: [[Media:Lab10_network_interfaces_after.png | Click for larger image]]<br />
: ''NOTE: As this is a LAN only interface, we do not need to define a gateway for the server VM, as the server VM itself will be the gateway for this network.''<br />
<li>Once this is done, save the file.</li><br />
<li> Run the following command to enable the new interface.</li><br />
<code>ifup ens224</code><br />
<li>Verify the second interface is up and running with the correct IP address</li><br />
</ol><br />
<br />
== Enable Routing ==<br />
Now we will need to enable NAT so we can route LAN traffic to the Internet and responding Internet traffic back to our LAN interface.<br />
<ol><br />
<li>In your console, you will need to edit ''/etc/sysctl.conf''. This file is used to change and tweak multiple system variables. </li><br />
* Scroll down until you find the following:<br />
<pre># Uncomment the next line to enable packet forwarding for IPv4<br />
#net.ipv4.ip_forward=1<br />
</pre><br />
* Follow the instructions in the file to enable packet forwarding in the kernel. <br />
: [[File:Lab10_sysctl_after.png | link=https://wiki.ihitc.net/mediawiki/images/1/1e/Lab10_sysctl_after.png|500px]]<br />
: [[Media:Lab10_sysctl_after.png | Click for larger image]]<br />
* When you are done, save the file.<br />
: Changes to the ''sysctl.conf'' file require a reboot, but most can be set without a reboot by echoing values to "files" in ''/proc''. <br />
<li> We will get into that more in a later chapter, but for now run the following command to enable ip_forwarding without rebooting the machine: </li><br />
<code>echo 1 > /proc/sys/net/ipv4/ip_forward</code><br />
: ''NOTE: If you are receiving an error when trying to run that command it's likely that the user you are running it as does not have permission to modify the '''/proc/sys/net/ipv4/ip_forward''' file (check the permissions by using '''ls'''). Read [http://stackoverflow.com/questions/82256/how-do-i-use-sudo-to-redirect-output-to-a-location-i-dont-have-permission-to-wr this similar question] for more details and possible solutions.''<br />
</ol><br />
<br />
== Setup a DHCP Server ==<br />
To setup a DHCP server, we will first need to install the required software. <br />
<ol><br />
<li>In your SSH console use your favorite package manager to install the ''isc-dhcp-server'' package.</li><br />
: After you install the package you may get a warning about ''isc-dhcp-server'' being unable to start. This is normal as we have yet to define the interface and settings we want used.<br />
<li>Now back in Webmin, select the Refresh Modules option.</li><br />
* After it is done, go to Servers, then DHCP Server<br />
: Before we define our DHCP range, we need to set our listening interface. <br />
* Click on the ''Edit Network Interface'' option. <br />
*Select ''ens224''. <br />
* Press save.<br />
<li>Now under Subnets and Shared Networks, select Add a new subnet. </li><br />
* Use the following settings:<br />
<pre>Subnet description: LAN DHCP Range<br />
Network Address: 192.168.1.0<br />
Netmask: 255.255.255.0<br />
Address Ranges: 192.168.1.100-192.168.1.254</pre><br />
: [[File:Lab10_webmin_dhcp_create_subnet.png | link=https://wiki.ihitc.net/mediawiki/images/4/4e/Lab10_webmin_dhcp_create_subnet.png|500px]]<br />
: [[Media:Lab10_webmin_dhcp_create_subnet.png | Click for larger image]]<br />
* When you are done, press Create. <br />
* Now, click on the network you just created to review the settings, then press Edit Client Options at the bottom.<br />
: From here we will setup the default gateway and DNS servers for the clients to use. <br />
<li> Under Default Routers, set the option to 192.168.1.1.</li><br />
* Under DNS servers, set it to 192.168.1.1. <br />
: [[File:Lab10_webmin_dhcp_client_options.png | link=https://wiki.ihitc.net/mediawiki/images/d/d7/Lab10_webmin_dhcp_client_options.png|500px]]<br />
: [[Media:Lab10_webmin_dhcp_client_options.png | Click for larger image]]<br />
: Notice how we are setting these options to the IP of ens224 that we setup. This is because our Linux VM will act as the router and DNS for our clients as well.<br />
* When you are done, press save<br />
* Then on the Edit Subnet page, press save again.<br />
<li>Now that you are back on the DHCP server page, press the Start Server button. <br />
: If all goes well, the button should change to "Stop Server". If this does not happen, then the server was unable to start. If that happens, re-check your DHCP server configurations to make sure everything is correct.<br />
</ol><br />
<br />
== Enabling NAT and Firewall Rules for the LAN ==<br />
Now we will use firewalld to setup NAT so that we can use private addresses on our internal LAN but still have access to the public Internet. <br />
<ol><br />
<li>First, let's set our ens224 interface (LAN) to be in the internal zone with the following command.</li><br />
<code>firewall-cmd --zone=internal --add-interface=ens224</code><br />
<li>You should now take a minute to allow all of the same services and ports on the internal network that you have allowed on the external network. </li><br />
:In other words, make sure that Webmin, Samba, DNS, etc. are also allowed on the internal zone.<br />
:In order to activate NAT you need to turn on the "masquerade" feature on your outside interface. This is probably already done if you correctly assigned your outside interface to the pre-defined external zone (it's one of the features of that zone). <br />
: ''HINT: you can do this manually as well in case you setup a custom zone by running the '''firewall-cmd --add-masquerade --zone=external''' command.''<br />
: While routing and NAT should be working for hosts on your LAN interface now, they probably still can't get an IP address! Just like all the other services being blocked by the firewall, DHCP is also blocked unless you specifically allow it. <br />
<li>To do this run the following command:</li><br />
<code>firewall-cmd --add-service=dhcp --zone=internal</code><br />
<li>Once you are satisfied your firewall is running correctly you can use this command to set these rules to automatically load each time the system is started.</li><br />
<code>firewall-cmd --runtime-to-permanent</code></ol><br />
<br />
== Setup a 2nd VM as a LAN Host ==<br />
Now we are going to setup a 2nd VM on the VMware server so we can have a client to connect to the LAN network segment we just created. For this though, we will be using Linux Mint instead of Debian so we have a graphical user interface to help us with testing.<br />
<ol><br />
<li> You'll need to make a Netlab reservation to work with your Mint system's GUI so go ahead and do that. </li><br />
* Enter the lab on Netlab<br />
* Click the "Linux Desktop" tab to access your Mint machine.<br />
: The VM should be booting from a Linux Mint virtual CD image. <br />
<li> Get Linux Mint installed using the link on the desktop.</li><br />
: Installation settings are not critical as we'll be using the system primarily to explore a Linux GUI and to test web browsing capability from our private network.<br />
: [[File:Lab10_linux_mint_desktop.png | link=https://wiki.ihitc.net/mediawiki/images/f/f1/Lab10_linux_mint_desktop.png|500px]]<br />
: [[Media:Lab10_linux_mint_desktop.png | Click for larger image]]<br />
: ''NOTE: By default Linux Mint will boot into a "Live CD" environment where you can use the system without installing. However, the Live CD environment is much slower and memory limited compared with a full installation to the hard drive so be sure to start an installation and reboot into the installed copy instead of from the Live CD. You will know you're working from an installed copy if you are prompted for your username and password when logging in and don't see a link on the desktop to Install Linux Mint anymore.''<br />
<li> Once you have Linux Mint installed, reboot the machine and login. </li><br />
: Hopefully the machine is able to connect to the Internet through your Debian server which is acting as a DHCP server and router (see the topology diagram tab in Netlab to see a diagram of how they are connected).<br />
<li> Press the Menu icon in the lower left corner, and enter "Terminal". </li><br />
* Then, open the terminal application.<br />
<li> You now have a shell on the system. From here, use the following command to check your network settings. </li><br />
<code>ip address show</code><br />
: Notice how you have an IP from the DHCP pool we created earlier. <br />
<li> Now try pinging ''172.17.50.1''. </li><br />
: Are you able to ping? If so, NAT is working properly on your network because the 172.17.50.0/24 network is outside of the LAN segment this machine is attached to (192.168.1.0/24).<br />
: ''NOTE: Notice how some Linux distributions like Mint haven't switched from the old naming of network interfaces with ''eth'' to the new ''ens'' style. You can also try using the older '''ifconfig''' way of checking the IP address and compare the output to the new '''ip address show''' method which we have been using so far in Debian.''<br />
<li> Now run '''ping google.com'''. </li><br />
: If you are able to ping, this shows that not only is NAT working, but DNS resolving as well.<br />
<li> Open a web browser on the system (you can use a graphical browser this time since you have a GUI) and test browsing to a few websites.</li><br />
: At this point we have a fully functional LAN environment.<br />
<li> In order to allow automatic safe shutdown of your Linux Mint system and improve speed/efficiency use the package manager to install the ''open-vm-tools-desktop'' package. </li><br />
:This provides better drivers and integration between the VMware host which is running your Linux Mint virtual machine and the virtual machine itself.<br />
<li> Finally, in the next section we'll be setting up SSH access to Mint through the Firewall so you'll want to install the ''openssh-server'' package through the package manager. </li><br />
: Once you've done this you should be able to use the ssh program on the command line in Debian to access your Mint system like '''ssh mintusername@192.168.1.x''' where you are using a valid username on the Mint system and the IP address of the Mint system.<br />
<li> Spend a few more minutes exploring the functionality of the Linux GUI and desktop.</li></ol><br />
<br />
== Port Forwarding and Firewalling ==<br />
Now we are going to enable port forwarding to our VM. This will allow you to access the 2nd VM from the ITC network and VPN.<br />
Because we are already using port 22 on our outside interface to provide SSH access to our main Debian system we need to use a different port to access the Mint system. Instead of changing the port number in the SSH server software on Mint we can have our firewall do it at the same time the NAT masquerading is occurring. <br />
<ol><br />
<li>Set up a rule by running the following command:</li><br />
<code>firewall-cmd --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=192.168.1.100 --zone=external</code><br />
:NOTE: this rule is a little unstable because it forwards the port to 192.168.1.100 which is currently the IP of our Mint system (if yours has a different IP you should change it in the command) but because that system gets an IP from DHCP it is subject to change which would break the rule. Therefore, if we wanted this to be stable in the long term, we would want to set up a static IP on any machines we were forwarding ports to.<br />
:''HINT: If your connection is refused, it may be because SSH is not installed in Mint. Try installing SSH using the package manager or apt.''<br />
<li> From a computer on the ITC network, such as one connected to the VPN, try to SSH to port 2222 on the outside (172.17.50.xx) IP address of your Debian system. </li><br />
:If everything was set up successfully, you should be able to sign into the Mint VM based on the port forwarding rule we have put in place.<br />
<li> Once you are satisfied your firewall is running correctly you can use the following command to set these rules to automatically load each time the system is started.</li><br />
<code>firewall-cmd --runtime-to-permanent</code><br><br />
</ol><br />
When you are done testing this section of the lab please power off your new Linux Mint VM as these require far more resources to run than the Debian VMs on our servers.<br><br />
: [[File:Lab10_linux_mint_shutdown.png | link=https://wiki.ihitc.net/mediawiki/images/1/1c/Lab10_linux_mint_shutdown.png|500px]]<br />
: [[Media:Lab10_linux_mint_shutdown.png | Click for larger image]]<br />
<br />
=Checking your Work=<br />
For this lab there are many things you need to check.<br />
<br />
#Firewall - attempt to connect using FTP on port 21, this should fail<br />
#SSH - connect using FTP on port 22<br />
#DNS - navigate to url of server<br />
#SMTP - send a mail to auto-respond server<br />
#IMAP - receive a mail from auto-respond server<br />
#Samba - Create a file on server using file sharing<br />
#HTTP - Navigate to ip address of server<br />
#Webmin - Navigate to <your-ip>:10000<br />
#PuTTY into linux mint using your ip address and port 2222<br />
#Linux Mint DNS/NAT - ping google.com from within Linux Mint<br><br><br />
<br><br />
Run this script to automatically check your lab<br><br />
<br />
<code><br />
<nowiki> sudo curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_10_rewrite.py | sudo python3 </nowiki><br />
</code></div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_10_mnjk&diff=9567Lab 10 mnjk2021-03-05T04:37:52Z<p>NateHaleen: /* Checking your Work */</p>
<hr />
<div>=Introduction=<br />
'''''[https://www.youtube.com/watch?v=dQw4w9WgXcQ Watch the video introduction]'''''<br />
<br />
This lab assumes you have successfully set up [[Lab_8_mnjk#Install_BIND_.26_Enable_Caching | DNS]] and [[Lab_9_mnjk#Install_the_Postfix_MTA |email]]. If you had any issues with those labs, you should resolve them before attempting this lab, since you will be unable to properly test the tasks in this lab if those are not fully functional.<br />
<br />
In this lab you will perform the following tasks:<br />
*Configuring a [https://firewalld.org/ Firewall]<br />
*Enabling a 2nd interface<br />
*Configuring [https://en.wikipedia.org/wiki/Network_address_translation NAT]<br />
*Setting up [https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol DHCP]<br />
*Installing [https://linuxmint.com/ Linux Mint] on a second VM<br />
*Enabling [https://en.wikipedia.org/wiki/Port_forwarding Port Forwarding]<br />
<br />
You will be introduced to the following commands:<br />
*'''[https://firewalld.org/documentation/man-pages/firewall-cmd.html firewall-cmd]'''<br />
*'''[https://linux.die.net/man/1/echo echo]'''<br />
*'''[https://linux.die.net/man/8/ifconfig ifconfig]'''<br />
<br />
=Lab Procedure=<br />
== Prerequisites ==<br />
# Open an SSH console to your Linux system using the PuTTY software.<br />
# Login with your standard user account.<br />
# Have a browser window set to the webmin interface for your linux VM.<br />
<br />
== Configure a Firewall ==<br />
''NOTE: It is suggested that instead of managing a firewall directly using nftables tools (which would also require us to create a script to reload our rules each time the system is restarted) we use a firewall daemon program to manage it based on a set of rules we create and automatically setup the firewall based on those rules each time the system boots. There are many command line firewall management programs out there but for this lab we will use the [https://firewalld.org/ firewalld] package suggested by Debian. ''<br />
<ol><br />
<li>Begin by installing the ''firewalld'' package on your system.</li><br />
<li>First, let's check to see if the firewall is now up and running using the following command:</li><br />
<code>firewall-cmd --state</code><br />
: The firewall has been pre-configured with a couple of rules in it to prevent us from getting locked out. <br />
: [[File:Lab10_firewalld_state.png | link=https://wiki.ihitc.net/mediawiki/images/1/11/Lab10_firewalld_state.png|500px]]<br />
: [[Media:Lab10_firewalld_state.png | Click for larger image]]<br />
<li>Let's see what those rules are by using this command: </li><br />
<code>firewall-cmd --list-all</code><br />
: [[File:Lab10_firewalld_initial_rules.png | link=https://wiki.ihitc.net/mediawiki/images/1/14/Lab10_firewalld_initial_rules.png|500px]]<br />
: [[Media:Lab10_firewalld_initial_rules.png | Click for larger image]]<br />
: By default all interfaces are in the public zone (this is set in the ''/etc/firewalld/firewalld.conf'' file). <br />
: Before we start working on rules for our firewall we should assign our outside interface to the external zone which is designed for NAT routing which we'll be setting up shortly. <br />
<li> We can do this with the command:</li><br />
<code>firewall-cmd --zone=external --add-interface=ens192</code><br />
: We can create custom zones or use pre-defined security zones which will speed up configuring the firewall. Learn more about the [https://firewalld.org/documentation/zone/predefined-zones.html pre-defined zones in firewalld documentation].<br />
<li>Since we have changed zones on our interface let's check and see what rules we have started with. Let's see what those rules are:</li><br />
<code>firewall-cmd --zone=external --list-all</code><br />
: ''NOTE: You can also use the '''firewall-cmd --list-all-zones''' command to see a list of all available zones and their rules.''<br />
: If you were watching carefully you may have noted that the dhcpv6-client service, which was allowed in the public zone, is not allowed by default on the external zone. <br />
<li>In our case we want to allow DHCPv6 to operate on our outside interface so we can re-enable it with the following command: </li><br />
<code> firewall-cmd --zone=external --add-service="dhcpv6-client"</code><br />
<li>Check to see what other services can be allowed on an interface with:</li><br />
<code>firewall-cmd --get-services</code><br />
: If you check you will see that although you can connect with ssh (by default it's on the allowed service list you saw above) you can't connect to your webserver or Webmin anymore. Webmin is not a pre-defined service in the list we saw above so we could either set it up as a new service and then allow it or we could create a manual rule to allow the TCP traffic on port 10000 needed to access Webmin. In this case because the service only uses a single port and to see how manual rules can be created let's manually create a rule to allow access to TCP port 10000. <br />
<li>Do this by running this command: </li><br />
<code>firewall-cmd --zone=external --add-port=10000/tcp </code><br />
:You should now be able to access Webmin again.<br />
<li> Using either service rules or manual port rules create additional rules so that the other services on your VM are again accessible from the outside (such as from your home PC over the VPN). </li><br />
:''HINT: Services we have setup so far include SSH, DNS, SMTP, IMAP, Samba, and HTTP.''<br />
: Make sure to test and ensure they are all working again!<br />
<li> Once you are satisfied your firewall is running correctly you can use the following command to set these rules to automatically load each time the system is started.</li><br />
<code> firewall-cmd --runtime-to-permanent </code><br />
</ol><br />
<br />
== Setup a 2nd NIC Interface ==<br />
To start this lab we will need to configure a second network interface, named ens224, on our virtual machines. In our simulated setup our existing ens192 interface will be our WAN interface and ens224 will be our LAN interface, which could be connected to a switch and then to multiple other computers, allowing them to connect to the Internet through our server.<br />
<ol><br />
<li> Open ''/etc/network/interfaces'' with your favorite text editor. </li><br />
* Go to the bottom of the file.<br />
: [[File:Lab10_network_interfaces_before.png | link=https://wiki.ihitc.net/mediawiki/images/f/f8/Lab10_network_interfaces_before.png|500px]]<br />
: [[Media:Lab10_network_interfaces_before.png | Click for larger image]]<br />
* Add the following to configure the second interface with a static IP of 192.168.1.1/24:<br />
<pre>auto ens224<br />
iface ens224 inet static<br />
address 192.168.1.1<br />
netmask 255.255.255.0</pre><br />
<br />
: [[File:Lab10_network_interfaces_after.png | link=https://wiki.ihitc.net/mediawiki/images/8/80/Lab10_network_interfaces_after.png|500px]]<br />
: [[Media:Lab10_network_interfaces_after.png | Click for larger image]]<br />
: ''NOTE: As this is a LAN only interface, we do not need to define a gateway for the server VM, as the server VM itself will be the gateway for this network.''<br />
<li>Once this is done, save the file.</li><br />
<li> Run the following command to enable the new interface.</li><br />
<code>ifup ens224</code><br />
<li>Verify the second interface is up and running with the correct IP address</li><br />
</ol><br />
<br />
== Enable Routing ==<br />
Now we will need to enable NAT so we can route LAN traffic to the Internet and responding Internet traffic back to our LAN interface.<br />
<ol><br />
<li>In your console, you will need to edit ''/etc/sysctl.conf''. This file is used to change and tweak multiple system variables. </li><br />
* Scroll down until you find the following:<br />
<pre># Uncomment the next line to enable packet forwarding for IPv4<br />
#net.ipv4.ip_forward=1<br />
</pre><br />
* Follow the instructions in the file to enable packet forwarding in the kernel. <br />
: [[File:Lab10_sysctl_after.png | link=https://wiki.ihitc.net/mediawiki/images/1/1e/Lab10_sysctl_after.png|500px]]<br />
: [[Media:Lab10_sysctl_after.png | Click for larger image]]<br />
* When you are done, save the file.<br />
: Changes to the ''sysctl.conf'' file require a reboot, but most can be set without a reboot by echoing response codes to "files" in ''/proc''. <br />
<li> We will get into that more in a later chapter, but for now run the following command to enable ip_forwarding without rebooting the machine: </li><br />
<code>echo 1 > /proc/sys/net/ipv4/ip_forward</code><br />
: ''NOTE: If you are receiving an error when trying to run that command it's likely that the user you are running it as does not have permission to modify the '''/proc/sys/net/ipv4/ip_forward''' file (check the permissions by using '''ls'''). Read [http://stackoverflow.com/questions/82256/how-do-i-use-sudo-to-redirect-output-to-a-location-i-dont-have-permission-to-wr this similar question] for more details and possible solutions.''<br />
</ol><br />
<br />
== Setup a DHCP Server ==<br />
To setup a DHCP server, we will first need to install the required software. <br />
<ol><br />
<li>In your SSH console use your favorite package manager to install the ''isc-dhcp-server'' package.</li><br />
: After you install the package you may get a warning about ''isc-dhcp-server'' being unable to start. This is normal as we have yet to define the interface and settings we want used.<br />
<li>Now back in Webmin, select the Refresh Modules option.</li><br />
* After it is done, go to Servers, then DHCP Server<br />
: Before we define our DHCP range, we need to set our listening interface. <br />
* Click on the ''Edit Network Interface'' option. <br />
*Select ''ens224''. <br />
* Press save.<br />
<li>Now under Subnets and Shared Networks, select Add a new subnet. </li><br />
* Use the following settings:<br />
<pre>Subnet description: LAN DHCP Range<br />
Network Address: 192.168.1.0<br />
Netmask: 255.255.255.0<br />
Address Ranges: 192.168.1.100-192.168.1.254</pre><br />
: [[File:Lab10_webmin_dhcp_create_subnet.png | link=https://wiki.ihitc.net/mediawiki/images/4/4e/Lab10_webmin_dhcp_create_subnet.png|500px]]<br />
: [[Media:Lab10_webmin_dhcp_create_subnet.png | Click for larger image]]<br />
* When you are done, press Create. <br />
* Now, click on the network you just created to review the settings, then press Edit Client Options at the bottom.<br />
: From here we will setup the default gateway and DNS servers for the clients to use. <br />
<li> Under Default Routers, set the option to 192.168.1.1 <br />
* Under DNS servers, set it to 192.168.1.1. <br />
: [[File:Lab10_webmin_dhcp_client_options.png | link=https://wiki.ihitc.net/mediawiki/images/d/d7/Lab10_webmin_dhcp_client_options.png|500px]]<br />
: [[Media:Lab10_webmin_dhcp_client_options.png | Click for larger image]]<br />
: Notice how we are setting these options to the IP of ens224 that we setup. This is because our Linux VM will act as the router and DNS for our clients as well.<br />
* When you are done, press save<br />
* Then on the Edit Subnet page, press save again.<br />
<li>Now that you are back on the DHCP server page, press the Start Server button. <br />
: If all goes well, the button should change to "Stop Server". If this does not happen, then the server was unable to start. If that happens, re-check your DHCP server configuration to make sure everything is correct.<br />
</ol><br />
<br />
== Enabling NAT and Firewall Rules for the LAN ==<br />
Now we will use firewalld to setup NAT so that we can use private addresses on our internal LAN but still have access to the public Internet. <br />
<ol><br />
<li>First, let's set our ens224 interface (LAN) to be in the internal zone with the following command.</li><br />
<code>firewall-cmd --zone=internal --add-interface=ens224</code><br />
<li>You should now take a minute to allow all of the same services and ports on the internal network that you have allowed on the external network. </li><br />
:In other words, make sure that Webmin, Samba, DNS, etc. are also allowed on the internal zone.<br />
:In order to activate NAT you need to turn on the "masquerade" feature on your outside interface. This is probably already done if you correctly assigned your outside interface to the pre-defined external zone (it's one of the features of that zone). <br />
: ''HINT: you can do this manually as well in case you setup a custom zone by running the '''firewall-cmd --add-masquerade --zone=external''' command.''<br />
: While routing and NAT should now be working for hosts on your LAN interface, they probably still can't get an IP address! Just like all the other services being blocked by the firewall, DHCP is also blocked unless you specifically allow it. <br />
<li>To do this run the following command:</li><br />
<code>firewall-cmd --add-service=dhcp --zone=internal</code><br />
<li>Once you are satisfied your firewall is running correctly you can use this command to set these rules to automatically load each time the system is started.</li><br />
<code>firewall-cmd --runtime-to-permanent</code></ol><br />
<br />
== Setup a 2nd VM as a LAN Host ==<br />
Now we are going to setup a 2nd VM on the VMware server so we can have a client to connect to the LAN network segment we just created. For this though, we will be using Linux Mint instead of Debian so we have a graphical user interface to help us with testing.<br />
<ol><br />
<li> You'll need to make a Netlab reservation to work with your Mint system's GUI so go ahead and do that. </li><br />
* Enter the lab on Netlab<br />
* Click the "Linux Desktop" tab to access your Mint machine.<br />
: The VM should be booting from a Linux Mint virtual CD image. <br />
<li> Get Linux Mint installed using the link on the desktop.</li><br />
: Installation settings are not critical as we'll be using the system primarily to explore a Linux GUI and to test web browsing capability from our private network.<br />
: [[File:Lab10_linux_mint_desktop.png | link=https://wiki.ihitc.net/mediawiki/images/f/f1/Lab10_linux_mint_desktop.png|500px]]<br />
: [[Media:Lab10_linux_mint_desktop.png | Click for larger image]]<br />
: ''NOTE: By default Linux Mint will boot into a "Live CD" environment where you can use the system without installing. However, the Live CD environment is much slower and memory limited compared with a full installation to the hard drive so be sure to start an installation and reboot into the installed copy instead of from the Live CD. You will know you're working from an installed copy if you are prompted for your username and password when logging in and don't see a link on the desktop to Install Linux Mint anymore.''<br />
<li> Once you have Linux Mint installed, reboot the machine and login. </li><br />
: Hopefully the machine is able to connect to the Internet through your Debian server which is acting as a DHCP server and router (see the topology diagram tab in Netlab to see a diagram of how they are connected).<br />
<li> Press the Menu icon in the lower left corner, and enter "Terminal". </li><br />
* Then, open the terminal application.<br />
<li> You now have a shell on the system. From here, use the following command to check your network settings. </li><br />
<code>ip address show</code><br />
: Notice how you have an IP from the DHCP pool we created earlier. <br />
<li> Now try pinging ''172.17.50.1''. </li><br />
: Are you able to ping? If so, NAT is working properly on your network because the 172.17.50.0/24 network is outside of the LAN segment this machine is attached to (192.168.1.0/24).<br />
: ''NOTE: Notice how some Linux distributions like Mint haven't switched from the old naming of network interfaces with ''eth'' to the new ''ens'' style. You can also try using the older '''ifconfig''' way of checking the IP address and compare the output to the new '''ip address show''' method which we have been using so far in Debian.''<br />
<li> Now run '''ping google.com'''. </li><br />
: If you are able to ping, this shows that not only is NAT working, but DNS resolution is working as well.<br />
<li> Open a web browser on the system (you can use a graphical browser this time since you have a GUI) and test browsing to a few websites.</li><br />
: At this point we have a fully functional LAN environment.<br />
<li> In order to allow automatic safe shutdown of your Linux Mint system and improve speed/efficiency use the package manager to install the ''open-vm-tools-desktop'' package. </li><br />
:This provides better drivers and integration between the VMware host which is running your Linux Mint virtual machine and the virtual machine itself.<br />
<li> Finally, in the next section we'll be setting up SSH access to Mint through the firewall, so you'll want to install the ''openssh-server'' package through the package manager. </li><br />
: Once you've done this you should be able to use the ssh program on the command line in Debian to access your Mint system like '''ssh mintusername@192.168.1.x''' where you are using a valid username on the Mint system and the IP address of the Mint system.<br />
<li> Spend a few more minutes exploring the functionality of the Linux GUI and desktop.</li></ol><br />
<br />
== Port Forwarding and Firewalling ==<br />
Now we are going to enable port forwarding to our VM. This will allow you to access the 2nd VM from the ITC network and VPN.<br />
Because we are already using port 22 on our outside interface to provide SSH access to our main Debian system we need to use a different port to access the Mint system. Instead of changing the port number in the SSH server software on Mint we can have our firewall do it at the same time the NAT masquerading is occurring. <br />
<ol><br />
<li>Set up a rule by running the following command:</li><br />
<code>firewall-cmd --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=192.168.1.100 --zone=external</code><br />
:NOTE: This rule is somewhat fragile because it forwards the port to 192.168.1.100, which is currently the IP of our Mint system (if yours has a different IP, change it in the command). Because that system gets its IP from DHCP, the address is subject to change, which would break the rule. If we wanted this to be stable in the long term, we would set up a static IP on any machine we forward ports to.<br />
:''HINT: If your connection is refused, it may be because SSH is not installed in Mint. Try installing SSH using the package manager or apt.''<br />
<li> From a computer on the ITC network, such as one connected to the VPN, try to SSH to port 2222 on the outside (172.17.50.xx) IP address of your Debian system. </li><br />
:If everything was set up successfully, you should be able to sign into the Mint VM based on the port forwarding rule we have put in place.<br />
<li> Once you are satisfied your firewall is running correctly you can use the following command to set these rules to automatically load each time the system is started.</li><br />
<code>firewall-cmd --runtime-to-permanent</code><br><br />
</ol><br />
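A way to check the end state of the firewall steps in this lab, added here as an example and not part of the original lab or its checking script: the functions below read the text printed by <code>firewall-cmd --zone=external --list-all</code> and report missing services, a closed Webmin port, disabled masquerading, and forward targets that sit inside the DHCP pool. The function names and the sample output are constructed for illustration, and the service names assume firewalld's predefined service definitions.

```bash
#!/bin/sh
# Added example (not part of the lab): audit the text printed by
# `firewall-cmd --zone=external --list-all` against the state this lab asks for.
# All function names are hypothetical helpers.

# Constructed sample output; a real system may list different entries.
SAMPLE_EXTERNAL='external (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources: 
  services: dhcpv6-client dns http ssh
  ports: 10000/tcp
  protocols: 
  masquerade: yes
  forward-ports: port=2222:proto=tcp:toport=22:toaddr=192.168.1.100
  source-ports: 
  icmp-blocks: 
  rich rules: '

# Print the value of one "name: value" line, e.g. zone_field "$text" services.
zone_field() (
    printf '%s\n' "$1" |
        sed -n "/^[[:space:]]*$2:/{s/^[[:space:]]*$2:[[:space:]]*//;s/[[:space:]]*\$//;p;q;}"
)

# Print each required service ($2...) that the zone in $1 does not allow.
missing_services() (
    allowed=" $(zone_field "$1" services) "
    shift
    for svc in "$@"; do
        case "$allowed" in
            *" $svc "*) ;;
            *) printf '%s\n' "$svc" ;;
        esac
    done
)

# Succeed when a manual port rule such as 10000/tcp is present.
port_allowed() {
    case " $(zone_field "$1" ports) " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print forward-port targets inside the DHCP pool ($2 = network prefix,
# $3-$4 = first and last host number). Such a target can change when the
# lease changes, which silently breaks the forward rule.
forward_targets_in_pool() (
    printf '%s\n' "$1" | tr ' \t' '\n\n' |
        sed -n 's/^port=.*:toaddr=\([0-9.]*\)$/\1/p' |
        while IFS= read -r addr; do
            case "$addr" in
                "$2".*)
                    host=${addr##*.}
                    if [ "$host" -ge "$3" ] && [ "$host" -le "$4" ]; then
                        printf '%s\n' "$addr"
                    fi ;;
            esac
        done
)

# Print one line per finding; succeed only when nothing is reported.
audit_external() (
    text=$1 findings=0
    for svc in $(missing_services "$text" ssh dns smtp imap samba http dhcpv6-client); do
        echo "service not allowed: $svc"
        findings=$((findings + 1))
    done
    if ! port_allowed "$text" 10000/tcp; then
        echo "Webmin port 10000/tcp is not open"
        findings=$((findings + 1))
    fi
    if [ "$(zone_field "$text" masquerade)" != yes ]; then
        echo "masquerade is off, so NAT for the LAN will not work"
        findings=$((findings + 1))
    fi
    for addr in $(forward_targets_in_pool "$text" 192.168.1 100 254); do
        echo "forward target $addr is a DHCP pool address and may change"
        findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
)

# Demo on the constructed sample: reports smtp, imap, samba and the forward target.
audit_external "$SAMPLE_EXTERNAL" || true
```

On the lab system, pass <code>"$(sudo firewall-cmd --zone=external --list-all)"</code> in place of the sample. A service opened with a manual port rule instead of a service rule is reported as missing.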
When you are done testing this section of the lab please power off your new Linux Mint VM as these require far more resources to run than the Debian VMs on our servers.<br><br />
: [[File:Lab10_linux_mint_shutdown.png | link=https://wiki.ihitc.net/mediawiki/images/1/1c/Lab10_linux_mint_shutdown.png|500px]]<br />
: [[Media:Lab10_linux_mint_shutdown.png | Click for larger image]]<br />
<br />
=Checking your Work=<br />
For this lab there are many things you need to check.<br />
<br />
#Firewall - attempt to connect using FTP on port 21, this should fail<br />
#SSH - connect using FTP on port 22<br />
#DNS - navigate to url of server<br />
#SMTP - send a mail to auto-respond server<br />
#IMAP - receive a mail from auto-respond server<br />
#Samba - Create a file on server using file sharing<br />
#HTTP - Navigate to ip address of server<br />
#Webmin - Navigate to <your-ip>:10000<br />
#PuTTY into linux mint using your ip address and port 2222<br />
#Linux Mint DNS/NAT - ping google.com from within Linux Mint<br><br><br />
<br><br />
Run this script to automatically check your lab<br><br />
<br />
<code><br />
<nowiki> curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_10_rewrite.py | sudo python3 </nowiki><br />
</code></div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_12_mnjk&diff=9562Lab 12 mnjk2021-03-02T22:10:03Z<p>NateHaleen: /* Monitoring Services and Graphing System Statistics with Zabbix */</p>
<hr />
<div>=Introduction=<br />
In this lab you will learn about several Linux utilities which can be used for monitoring Linux and other systems for security and service uptime purposes.<br />
<br />
In this lab you will perform the following tasks:<br />
* Monitor connections with [https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/netstat netstat]<br />
* Scan for open ports using [https://nmap.org/ nmap]<br />
* Monitor services with [https://www.zabbix.com/ zabbix]<br />
<br />
You will be introduced to the following commands:<br />
*'''[https://linux.die.net/man/8/netstat netstat]'''<br />
*'''[https://linux.die.net/man/1/ps ps]'''<br />
*'''[https://linux.die.net/man/1/grep grep]'''<br />
*'''[https://linux.die.net/man/1/nmap nmap]'''<br />
<br />
=Lab Procedure=<br />
== Prerequisites ==<br />
# Open an SSH console to your Linux system using the PuTTY software, login with your standard user account<br />
# The IP address of a partner's system which you have permission to portscan<br />
<br />
== Monitoring connections with netstat ==<br />
'''''[https://www.youtube.com/watch?v=51eo20xbSxs Video Tutorial - Monitoring Connections with Netstat]''''' <br><br />
One common activity when evaluating the security of a system is finding out which ports the system is accepting connections on. For this reason most operating systems have some kind of utility to display active network connections and open ports, and Linux is no exception. The netstat utility can show you currently active network connections as well as open ports on your local system. Take a look at the man page for the [https://linux.die.net/man/8/netstat '''netstat'''] command. Specifically, figure out what the ''-n'', ''-a'', ''-t'', ''-p'' and ''-u'' options do.<br />
<ol><br />
<li> Run the '''netstat''' command on your system and observe the output.</li><br />
<code>sudo netstat -natup</code><br />
* Try to identify what the purpose of each open port on your system is. There are many online guides to common uses for ports.<br />
<li> Use the '''sudo ps aux''' command (along with '''grep''') to match the PID (process ID) numbers of open ports shown in '''netstat -natup''' with specific processes on your system.</li><br />
<li> Connect to the IP address or domain name of your system through your web browser and re-run the '''netstat -natup''' command to see the TCP session established by your browser to download the website.</li><br />
<ul> You'll find that there are a number of ports open on your system. Some of these we have opened to provide a specific service such as SMTP, DNS, a web server, etc., but some, such as the sunrpc port, are open simply by default on a fresh install. There are a number of different strategies you can use to secure your system, including disabling a service, binding it to an internal-only IP address, or blocking access with a firewall rule. If your firewall is set up with an implicit (or explicit) reject-any rule at the bottom of the input chain and you have not specifically opened a port, it should not be accessible from other systems. How can we test that though? The '''netstat''' utility is useful for making a list of ports that are open on the system, but it does not show us how those ports react if someone outside actually tries to connect.</ul><br />
</ol><br />
<br />
== Scanning ports using nmap ==<br />
'''''[https://www.youtube.com/watch?v=DzxpMPtGsGM Video Tutorial - Scanning Ports with nmap]''''' <br><br />
The nmap Network Mapper utility is a very powerful security scanning utility available on Linux. While netstat uses information from the Linux kernel about what ports and connections are in use by what processes, nmap actively probes and tests ports on your system or another system to determine whether each port is open or not, as well as additional information about the port in some cases. Unlike netstat, nmap is not part of the default Debian installation, so you will need to install the nmap package before proceeding. nmap is complex and powerful. Entire [http://nmap.org/book/toc.html books] and [http://nmap.org/book/man.html extensive documentation] are available which you may want to reference, but we'll only be exploring some of the more basic features in this introduction.<br />
: ''NOTE: Before we begin this section of the lab it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning of systems which they are not authorized to do. You have been warned!''<br />
<ol><br />
<li> Make sure '''nmap''' is installed</li><br />
<code>sudo apt install nmap</code><br />
<li>'''nmap''' provides a system on the Internet which they allow you to scan for testing purposes so let's try a verbose scan which gives additional diagnostic detail.</li><br />
<code>nmap -v scanme.nmap.org</code><br />
* Review the output and then run the same command without the ''-v'' verbose option and compare the output you receive.<br />
<ul> When scanning your own system there are a few different ways to go about it. You could either scan the localhost address 127.0.0.1 or the actual outside IP address of your system. You could also setup a separate system or VM and do the scanning from that system. In each case you might see somewhat different results, can you guess why?</ul><br />
* The answer is related to how you have firewall rules set up and what addresses you have services bound to. For example, by default on Debian systems the MySQL/MariaDB server daemon only listens for connections on the localhost address (127.0.0.1) and not on outside interfaces. Try running the '''nmap 127.0.0.1''' command and then compare the output with the '''nmap <your outside ip address here>''' command. Do you see some network services listening only on the localhost address? These services are not accessible from outside your computer even though the ports are open and you would see them as open with '''netstat'''. This shows us some of the additional value of using '''nmap'''.<br />
<li> The most realistic use of '''nmap''' though is to scan like an attacker would, using a system outside of the one you're testing. Use '''nmap''' to scan a partner's IP address in the class and take a look at some of the '''nmap''' documentation to try a few different types of scans on that system. If you would like, you can also try scanning the entire ITC-2480 subnet (172.17.50.0/24) if you want to try some subnet scanning capabilities.</li><br />
<ul> Remember that in our case these systems are secure from the outside world because we have an upstream firewall which you have bypassed by connecting to our VPN and these systems are using unroutable private IPv4 addresses.</ul><br />
<li> '''nmap''' also supports scanning IPv6 addresses. Note that a running service is not necessarily listening on both IPv4 and IPv6 addresses just because you have them both active on your machine. Figure out how to scan IPv6 addresses with '''nmap''' and try scanning both an IPv4 and IPv6 address of your machine and compare the results. Use the same type of address (i.e. both the IPv4 and IPv6 addresses should be the localhost addresses or should both be outside addresses). Are the same services open on both IPv4 and IPv6 on your system?</li><br />
</ol><br />
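Both the netstat step and the localhost-versus-outside nmap comparison above turn on which address each service is bound to. The following is an added example, not part of the original lab: it parses '''netstat -natup''' output and separates loopback-only listeners from those another host could reach. The function names and the sample output are constructed for illustration.

```bash
#!/bin/sh
# Added example (not part of the lab): classify the listeners shown by
# `sudo netstat -natup` by the address they are bound to.
# All function names are hypothetical helpers.

# Constructed sample of `sudo netstat -natup` output (not from a real host).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      612/mysqld
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      410/rpcbind
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      530/sshd
tcp        0     36 172.17.50.25:22         172.17.50.200:51514     ESTABLISHED 1021/sshd: student
tcp6       0      0 :::80                   :::*                    LISTEN      700/apache2
tcp6       0      0 ::1:953                 :::*                    LISTEN      580/named
udp        0      0 0.0.0.0:111             0.0.0.0:*                           410/rpcbind
udp        0      0 192.168.1.1:53          0.0.0.0:*                           580/named'

# Read netstat text on stdin and print "proto port scope program" for every
# listening TCP socket and every unconnected UDP socket.
#   scope = loopback : bound to 127.x.x.x or ::1, reachable only from the host
#   scope = all      : bound to 0.0.0.0 or ::, reachable on every interface
#   scope = address  : bound to one specific non-loopback address
listeners() {
    awk '
    $1 ~ /^(tcp|udp)6?$/ {
        # TCP rows carry a State column; unconnected UDP rows do not,
        # so the PID/Program column shifts one field to the left.
        if ($1 ~ /^tcp/) { if ($6 != "LISTEN") next; owner = $7 }
        else             { if ($5 !~ /:\*$/)   next; owner = $6 }
        addr = $4; port = $4
        sub(/:[0-9]+$/, "", addr)     # strip the trailing :port
        sub(/^.*:/, "", port)         # keep what follows the last colon
        if (addr ~ /^127\./ || addr == "::1")       scope = "loopback"
        else if (addr == "0.0.0.0" || addr == "::") scope = "all"
        else                                        scope = "address"
        sub(/^[0-9]+\//, "", owner)   # drop the PID, keep the program name
        print $1, port, scope, owner
    }'
}

# Listeners another host can reach unless a firewall rule blocks the port.
exposed_listeners() {
    listeners | awk '$3 != "loopback"'
}

# Listeners a scan will only find when it targets 127.0.0.1 or ::1 on the
# host itself, printed as "proto/port program".
loopback_only() {
    listeners | awk '$3 == "loopback" { print $1 "/" $2, $4 }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
```

On the lab system, pipe the real output instead: <code>sudo netstat -natup | exposed_listeners</code>. Without '''sudo''' the program column shows "-" for sockets owned by other users.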
<br />
== Monitoring Services and Graphing System Statistics with Zabbix==<br />
'''''[https://www.youtube.com/watch?v=fF5NNRJwLjg Video Tutorial - Monitoring with Zabbix]''''' <br><br />
In this section we will install Zabbix by following [https://www.zabbix.com/download?zabbix=5.0&os_distribution=debian&os_version=10_buster&db=mysql&ws=apache these instructions on the Zabbix site].<br />
<ol><br />
<li> Go to the instructions link above and scroll down to '''part 2'''. Start by installing the zabbix repository.</li><br />
<code>wget https://repo.zabbix.com/zabbix/5.0/debian/pool/main/z/zabbix-release/zabbix-release_5.0-1+buster_all.deb</code><br><br />
<code>dpkg -i zabbix-release_5.0-1+buster_all.deb</code><br><br />
<code>apt update</code><br />
<li>Install Zabbix server, frontend, agent</li><br />
<code>apt install zabbix-server-mysql zabbix-frontend-php zabbix-agent</code><br />
<li>Create a database, a user, and schema following the instructions on the same website.<br />
: ''NOTE: These instructions use the MySQL/MariaDB command line, if you prefer you can create the same database, user, and schema using the Webmin software but you'll have to translate the command line instructions into the actions required in Webmin.''<br />
<code>mysql -uroot -p</code><br><br />
<code>create database zabbix character set utf8 collate utf8_bin;</code><br><br />
<code>create user zabbix@localhost identified by 'password';</code><br><br />
* Replace password with a password you want to use. (Command needs the quotes so don't remove them).<br />
<code>grant all privileges on zabbix.* to zabbix@localhost;</code><br><br />
<code>quit;</code><br><br />
<li>On Zabbix server host import initial schema and data. You will be prompted to enter your newly created password used when setting up the mysql database.</li><br />
<code>zcat /usr/share/doc/zabbix-server-mysql*/create.sql.gz | mysql -uzabbix -p zabbix</code><br />
<li>Edit the server configuration file ( ''/etc/zabbix/zabbix_server.conf'' ) to include the correct database password used when you setup the database above. ( ''DBPassword=<password>'' )<br />
: [[File:DBPassword.png | 500px]]<br />
<li>Edit the server configuration file ( ''/etc/zabbix/apache.conf'' ) to include the correct timezone. [https://www.php.net/manual/en/timezones.php A list of valid PHP timezones can be found here.] We will be using ''America/Chicago''.</li><br />
: [[File:Apache_timezone.png | 500px]]<br />
<li>Restart the server. Then set it to auto start on startup:</li><br />
<code>systemctl restart zabbix-server zabbix-agent apache2</code><br><br />
<code>systemctl enable zabbix-server zabbix-agent apache2</code><br />
<li>Access the Zabbix web application at http://yourserver/zabbix/ and complete the setup wizard. [https://www.zabbix.com/documentation/5.0/manual/installation/frontend Detailed instructions for completing the setup wizard can be found here on the Zabbix site.]</li> <br />
<ul> At the end of the setup wizard you may need to download a ''zabbix.conf.php'' and save it to ''/etc/zabbix/zabbix.conf.php'' on your system.</ul><br />
<li> Login to http://yourserver/zabbix/ (where yourserver is the IP address or DNS name for your system) with the username and password found [https://www.zabbix.com/documentation/5.0/manual/quickstart/login on the Zabbix site login instructions].</li><br />
: [[File:Enable_monitoring_zabbix.png | 500px]]<br />
<ul>The default superuser credentials are user name '''Admin''' with password '''zabbix'''.</ul><br />
<li> Enable monitoring of your Zabbix server host (''Configuration'' -> ''Hosts'')</li><br />
: [[File:Enable_monitoring_zabbix.png | 500px]]<br />
: ''NOTE: [https://www.zabbix.com/documentation/5.0/manual The Zabbix manual] may be helpful in completing these monitoring setup tasks.''<br />
* Add the templates to the host appropriate for the services we are running on the server (HTTP, IMAP, MySQL, SMTP, SSH)<br />
: [[File:Zabbix_templates.png | 500px]]<br />
* Explore some of the data available through Zabbix such as various graphs (''Monitoring'' -> ''Graphs''), Latest Data (''Monitoring'' -> ''Latest Data''), Screens (''Monitoring'' -> ''Screens''), and Events (''Monitoring'' -> ''Events'')<br />
* Try temporarily stopping some of the services on your system (to simulate a problem) such as the Postfix SMTP server, ''courier-imap'' server, etc. using the command line '''service''' command.<br />
* Re-check the data in Zabbix with the services turned off, are you alerted of the problems? Make sure to turn the services back on when you're done.<br />
: ''NOTE: Most services will not instantaneously show as down, the templates for the service probably check it once per minute or less so you may need to leave things down for a bit to see it in the Web UI.''<br />
* If you have additional time see if you can get email notifications of failed services working (see ''Administration'' -> ''Media Types'' -> ''Email'' and ''Configuration'' -> ''Actions'')<br />
</ol><br />
==Checking Your Work==<br />
<br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_12_test.py | python3<br />
</nowiki></code><br />
</ol></div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_11_mnjk&diff=9561Lab 11 mnjk2021-03-02T22:09:14Z<p>NateHaleen: /* Checking your Work */</p>
<hr />
<div>=Introduction=<br />
'''''[https://www.youtube.com/watch?v=dQw4w9WgXcQ Watch the video introduction]'''''<br />
<br />
This lab assumes you know how to navigate through directories and create new files.<br />
<br />
In this lab you will perform the following tasks:<br />
*Explore [https://www.linux.com/news/discover-possibilities-proc-directory/ '''/proc'''], a directory containing the kernel runtime configuration and system information<br />
*Explore [https://tldp.org/LDP/sag/html/dev-fs.html '''/dev'''], a directory containing each device and interface attached to the system<br />
*Add a second hard drive to your Linux system<br />
*Mount a partition on your second drive<br />
*Check disk and file usage on your Linux system to verify the partitions and see how much disk space is being used.<br />
<br />
You will be introduced to the following commands:<br />
*'''[https://linux.die.net/man/8/lsusb lsusb]'''<br />
*'''[https://linux.die.net/man/8/lsmod lsmod]'''<br />
*'''[https://linux.die.net/man/1/uname uname]'''<br />
*'''[https://linux.die.net/man/8/lspci lspci]'''<br />
*'''[https://linux.die.net/man/8/dmesg dmesg]'''<br />
*'''[https://linux.die.net/man/8/cfdisk cfdisk]'''<br />
*'''[https://linux.die.net/man/8/mkfs.ext4 mkfs.ext4]'''<br />
*'''[https://linux.die.net/man/8/mkfs.btrfs mkfs.btrfs]'''<br />
*'''[https://linux.die.net/man/8/mount mount]'''<br />
*'''[https://linux.die.net/man/1/df df]'''<br />
*'''[https://linux.die.net/man/1/du du]'''<br />
<br />
=Lab Procedure=<br />
== Prerequisites ==<br />
: You need to be able to open an SSH console to your Linux system using the PuTTY software.<br />
: You should login with your standard user account.<br />
<br />
== Exploring /proc ==<br />
'''''[https://www.youtube.com/watch?v=NeYKHyV4nss&feature=youtu.be Video Tutorial - Exploring /proc]''''' <br><br />
<ol><br />
<li> Enter the '''/proc''' directory on your VM. </li><br />
: '''/proc''' is a very special folder: it is a virtual filesystem. It's sometimes referred to as a process information pseudo-filesystem. The reason for calling it a pseudo-filesystem is that all of the "files" in ''/proc'' are not really files at all, but kernel runtime configuration and system information.<br />
<li> Use '''cat cpuinfo''' to view the contents of the '''/proc/cpuinfo''' "file". </li><br />
: Notice how the output tells you information about the CPU that is running the VM. This isn't actually a file at all; you are essentially asking the kernel to provide information about the CPU it's running on, which it gathers in real time. '''/proc''' is used not only to get hardware and kernel information, but it can also be used to tweak kernel settings while the system is running in a way similar to some Windows Registry edits. Look back on '''[[Lab_10_mnjk#Enable_Routing|Lab 10]]''' and notice how we echoed a "1" to a "file" in '''/proc''' to enable packet forwarding without rebooting the system.<br />
: There are a few files in '''/proc''' you should get to know:<br />
: '''/proc/cpuinfo''' = Shows you the CPU info for your machine.<br />
: '''/proc/modules''' = Shows you the currently enabled kernel modules that are active on your kernel.<br />
: '''/proc/cmdline''' = Shows you the boot arguments used to boot your kernel.<br />
: '''/proc/version''' = Shows you your kernel version.<br />
: It is important to note that some of these files have commands tied to them that can give you similar information but often formatted in a different way. For example:<br />
: '''lsmod''' = '''/proc/modules'''<br />
: '''mount''' = '''/proc/mounts'''<br />
: '''uname -a''' = '''/proc/version'''<br />
: Normally it is best to use the command version to lookup the information as it is normally formatted to be easier to read and understand.<br />
<li> Explore all of these files and commands and find the differences between the command line and file output versions as well as what types of information are available. </li><br />
</ol><br />
<br />
== Exploring /dev ==<br />
'''''[https://www.youtube.com/watch?v=ocBxRBH_6Js&feature=youtu.be Video Tutorial - Exploring /dev]''''' <br><br />
<ol><br />
<li> Change directories to '''/dev''' and list the "files". </li><br />
:Notice there are A LOT, but don't worry, there is organization in the mess. Each "file", like in '''/proc''', is actually a device or interface on the machine so '''/dev''' is actually another pseudo-filesystem. Here is a list of the most common interfaces you will see:<br />
: '''/dev/sd*''' = SATA Hard Drives<br />
: '''/dev/hd*''' = IDE Hard Drives<br />
: '''/dev/vd*''' = VirtIO (Virtualized) Hard Drives<br />
: '''/dev/ttyS*''' = Serial Interfaces on your PC.<br />
: '''/dev/tty*''' = Virtual Consoles, similar to the one you are using to enter commands. Mostly used by background programs or services.<br />
There are also some commands you should learn that will help you with detecting, and looking up devices:<br />
: '''lsusb''' = List USB Devices (Bus, Device, ID, and advertised vendor)<br />
:: ''NOTE: Many virtual machines do not include a virtual USB controller which means the USB drivers and software including '''lsusb''' are not installed.''<br />
: '''lspci''' = List PCI Devices (Bus, Type, Advertised Name, Revision)<br />
: '''dmesg''' = Display or Driver Message. This shows kernel messages that are normally linked to adding, or removing devices.<br />
</ol><br />
<br />
== Partitioning a Second Disk ==<br />
'''''[https://www.youtube.com/watch?v=mK6zetYou0A&feature=youtu.be Video Tutorial - Partitioning A Second Disk]''''' <br><br />
<br />
As you may have noticed when exploring '''/dev''', our VM setup uses '''sd''' devices for hard drives. Drives are identified by a letter such as '''sda''', '''sdb''', '''sdc''', etc. for the first, second, and third SATA drives on a system (including HDDs, CD/DVDs, SSDs, etc.). Each partition on the drive is then given a number starting with 0 for the first partition. So for the first partition on the first disk, the full identifier for the partition would be '''/dev/sda0'''.<br />
You may also have noticed there is an '''sdb''' that currently has no partitions. We are going to divide this drive into 2 partitions, format them, and then set up automatic mounting of the partitions.<br />
<ol><br />
<li> To start, run the following as root:<br />
<br><br />
<code>cfdisk /dev/sdb</code> </li><br />
:'''cfdisk''' is a graphical version of '''fdisk''', which is a tool used to set up disk partitioning. Note that '''fdisk''' or any other partitioning software only sets up the MBR, and does not actually format the drive even though you can set a partition type identifier such as '''fat32''', '''Linux''', etc. Also notice how we tell '''cfdisk''' what drive we want to edit the partition on by appending the drive device "file" to the end of the command.<br />
:[[file:Cfdisk-first-screen.png | link= https://wiki.ihitc.net/mediawiki/images/8/8e/Cfdisk-first-screen.png | 500px]]<br />
:[[media:Cfdisk-first-screen.png | Click for Larger Image]]<br />
: Because our new drives contain no existing partitions we are asked what type of partition table to create. <br />
<li> Choose to create a '''dos''' (aka MBR) style partition table. </li><br />
: Although this is an older style partition table it is well supported by many operating systems and BIOSes. The primary benefit of the newer GPT style tables is their ability to work with very large drives.<br />
<li> Once in '''cfdisk''', Select the '''New''' option. </li><br />
<li> Set the size close to '''5GB'''. </li><br />
: It does not need to be exact.<br />
<li> Now select '''primary''' as we are making a primary MBR partition. </li><br />
<li> Use the arrow keys to go down to the remaining '''Free Space''' on the drive, and press enter to again select '''New'''. </li><br />
<li> Create another '''primary''' partition, and set the size to about '''2GB'''. </li><br />
: At this point we should have two partitions, one named ''sdb1'' with a size of about 5GB (the program will round down to the closest boundary), and ''sdb2'' which takes up the next 2GB or so of the drive. <br />
<li> Use the arrow keys to select the '''Write''' option, and press '''enter'''. </li><br />
: You will be warned that this will write the table to the disk. Enter '''yes''', and press '''enter''' again to confirm.<br />
:: ''NOTE: If, on the bottom of the screen, you see "The partition table has been altered", you have successfully written the MBR to the drive.''<br />
<li> Navigate to '''Quit''' to exit the program.</li><br />
<li> From the command line run the following:<br />
<br><br />
<code>ls -al /dev/sd*</code>. </li><br />
: Notice how you can now see both of the new partitions, '''sdb1''' and '''sdb2''' in the listing. This means the partition device "files" have been created and you are ready to format the partitions with a filesystem.<br />
: The first partition will be formatted as '''ext4''', and the second partition will be formatted as '''btrfs'''. Both filesystems (as well as many others) are commonly used on Linux systems. For more information on the differences and similarities between '''btrfs''' and '''ext4''', refer to your book or Google.<br />
: To create the '''ext4''' partition, we will use the '''mkfs.ext4''' command. <br />
<li> As root, run the following command<br />
<br><br />
<code>mkfs.ext4 /dev/sdb1</code>. </li><br />
: This will format the partition as '''ext4''' with no label. If you would like to label the partition, look into the options of '''mkfs.ext4''' using '''man mkfs.ext4'''.<br />
: Before formatting the other partition as '''btrfs''' we need to install some tools. <br />
<li> The required tools are part of the '''btrfs-tools''' software package so install that package at this time.<br />
: ''NOTE: If you have issues with installing packages, check your firewall rules you created in a previous lab and ensure your Internet access is working properly from the VM.''</li><br />
<li> To format the second partition as a '''btrfs''' filesystem partition we will run the following:<br />
<br><br />
<code>mkfs.btrfs /dev/sdb2</code><br />
: Just like before, we need to tell the '''mkfs.btrfs''' package what partition to format by including that on the command line. </li><br />
</ol><br />
<br />
:There are many other options that can be set for specific filesystems during the formatting process. For example, many newer large drives use 4096 byte "Advanced Format" sectors instead of the traditional 512 byte hard drive sectors. Using these disks most efficiently requires adjusting the sector size during the format process to match the physical sector size on the disk. Other features and filesystems include the ability to take snapshots of the drive for backups. The full details of all the options, settings, and filesystems available in Linux are beyond the scope of this course. Suffice it to say that Linux systems with a need for high speed I/O from disks or other specialized features are finely tuned.<br />
<br />
:As a Linux system administrator at a minimum you should be familiar with the basic formatting of drives in the most common '''ext3''', '''ext4''', '''btrfs''', and '''fat''' (32) filesystems. Even though the FAT filesystem is not native to Linux (it doesn't have important features like user and group ownership) it is important as it is a cross platform filesystem commonly used to share files on thumb drives, external hard drives, or dual boot systems with MacOS or Windows users.<br />
<br />
:Once your two partitions are formatted they need to be '''mounted''' to the filesystem structure so that we can begin using them for file storage.<br />
<br />
== Mounting Partitions == <br />
'''''[https://www.youtube.com/watch?v=A0_6mPsuHbM&feature=youtu.be Video Tutorial - Mounting Partitions]''''' <br><br />
There are two main ways to mount disks in Linux. One is done manually, and the other is to set up mounting at boot. Manual mounting is typically done for either temporary access to drives such as CD/DVDs, thumb drives, external hard drives, or to access a newly created partition before rebooting the system. Automatic mounting is done during the boot process so that you have immediate access to the drive once the system is booted.<br />
<br />
To start, we will learn how to manually mount a partition. <br />
<ol><br />
<li> Change into the '''/mnt''' directory and then create a new directory named '''part1'''. </li><br />
: This will become the location where we will mount our '''/dev/sdb1''' partition and be able to save files to it.<br />
<li> Enter the '''part1''' directory and create a new empty file (remember the '''touch''' command?) named '''unmounted'''. </li><br />
: Because we have not yet mounted '''/dev/sdb1''' this file will be stored on our existing partition (''/dev/sda1'').<br />
<li> Go back to the '''/mnt''' parent directory. </li><br />
<li> Run the following as root:<br />
<br><br />
<code>mount /dev/sdb1 /mnt/part1</code> </li><br />
: This command will mount, or attach, '''/dev/sdb1''' to the filesystem location '''/mnt/part1''' and everything stored in that "directory" from this point on will actually be saved onto the first partition of the second SATA drive.<br />
<li> Go back into the '''part1''' directory and try listing the files. </li><br />
:[[file:Ls-part1-mounted.png | link= https://wiki.ihitc.net/mediawiki/images/2/22/Ls-part1-mounted.png | 500px]]<br />
:[[media:Ls-part1-mounted.png | Click for Larger Image]]<br />
<br />
: Notice how the '''unmounted''' file you made appears to no longer exist. This is because the '''part1''' "directory" is now being used as the mount point for the first partition on '''sdb''' and we haven't yet saved any files onto '''sdb1'''.<br />
<li> You can see a list of all storage devices currently mounted on the system by simply running the command '''mount''' without any options. Try doing this and verify that the newly mounted partition is showing in the list.</li><br />
<li> Change back to the '''/mnt''' directory and unmount the partition by running the following command<br />
<br><br />
<code>umount /mnt/part1</code> </li><br />
<li> Again list the contents of the ''part1'' directory. </li><br />
: Notice how the '''unmounted''' file is back. The file didn't ever really go away but it was not accessible while the other partition was mounted on the '''part1''' directory. When a drive is mounted on a directory, it overlays on top of any files in the directory, but it does not delete or touch the files on the original disk.<br />
<li> Make a directory named '''btrfs''' in '''/mnt'''. Once created, using the file editor of your choice, open the '''/etc/fstab''' file.</li><br />
:[[file:Fstab.png | link= https://wiki.ihitc.net/mediawiki/images/c/c0/Fstab.png | 500px]]<br />
:[[media:Fstab.png | Click for Larger Image]]<br />
: The '''fstab''' file is used to tell a Linux system what drives and partitions it should mount at boot, as well as any mount options and where to mount the partitions. <br />
<li> On the bottom of the file, add the following: </li><br />
<pre>/dev/sdb1 /mnt/part1 ext4 defaults 0 0<br />
/dev/sdb2 /mnt/btrfs btrfs defaults 0 0</pre><br />
:: Adding these lines will indicate both partitions should be mounted at boot to the directories we created. To mount the partitions without rebooting or entering individual mount commands, we can just run '''mount -a''' which will load and mount all partitions in the '''fstab''' file. <br />
<li> Run the following command now and verify both partitions are mounted:<br />
<br><br />
<code>mount -a</code></li><br />
</ol><br />
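The check below is an added example, not part of the original lab or its test script. It parses fstab-format text (the same column layout ''/proc/mounts'' uses), compares the two lab entries against what is actually mounted, and flags two things the ''defaults'' lines leave open: kernel device names that can change between boots, and data partitions that still allow setuid files and device nodes. The sample tables, the finding names and the ''/mnt/'' prefix rule are constructed for illustration.

```python
import re
from typing import NamedTuple

class Entry(NamedTuple):
    spec: str          # /dev/..., UUID=..., LABEL=...
    mountpoint: str
    fstype: str
    options: tuple

def _unescape(field):
    # fstab and /proc/mounts write a space inside a path as the octal escape \040
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_table(text):
    """Parse fstab-format text; /proc/mounts uses the same column layout."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue                      # blank, comment or incomplete line
        spec, mountpoint, fstype = (_unescape(f) for f in fields[:3])
        entries.append(Entry(spec, mountpoint, fstype, tuple(fields[3].split(","))))
    return entries

KERNEL_NAME = re.compile(r"^/dev/(sd|hd|vd)[a-z]+\d*$")

def audit(fstab_text, mounts_text, data_prefixes=("/mnt/",)):
    """Return (mountpoint, finding) pairs for every fstab entry meant to mount at boot."""
    # A later /proc/mounts line for the same directory is the one on top, so last wins.
    live = {e.mountpoint: e for e in parse_table(mounts_text)}
    findings = []
    for e in parse_table(fstab_text):
        if e.fstype == "swap" or "noauto" in e.options:
            continue
        now = live.get(e.mountpoint)
        if now is None:
            findings.append((e.mountpoint, "not-mounted"))
        elif e.spec.startswith("/dev/") and now.spec != e.spec:
            findings.append((e.mountpoint, "wrong-device"))
        if KERNEL_NAME.match(e.spec):
            # sdX letters follow detection order and can change between boots
            findings.append((e.mountpoint, "kernel-name"))
        if e.mountpoint.startswith(data_prefixes) and not {"nosuid", "nodev"} <= set(e.options):
            # "defaults" implies suid and dev, which a data-only partition does not need
            findings.append((e.mountpoint, "suid-dev-allowed"))
    return findings

# Constructed sample: the last two fstab lines are the ones added in this lab.
FSTAB = """\
# /etc/fstab: static file system information (constructed sample)
UUID=00000000-0000-4000-8000-000000000001 / ext4 errors=remount-ro 0 1
/dev/sdb1 /mnt/part1 ext4 defaults 0 0
/dev/sdb2 /mnt/btrfs btrfs defaults 0 0
"""

# Constructed /proc/mounts excerpt: the second disk came up as sdc and btrfs never mounted.
MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdc1 /mnt/part1 ext4 rw,relatime 0 0
"""

if __name__ == "__main__":
    for mountpoint, finding in audit(FSTAB, MOUNTS):
        print(f"{mountpoint}: {finding}")
```

On a real system, pass the contents of ''/etc/fstab'' and ''/proc/mounts'' to '''audit()''' instead of the sample strings.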
<br />
== Disk and File Usage ==<br />
'''''[https://www.youtube.com/watch?v=CU0BT718ifA&feature=youtu.be Video Tutorial - Disk and File Usage]''''' <br><br />
: Another way to verify the partitions which are mounted and to see how much disk space is used on each is to use the '''df''' command. <br />
<ol><br />
<li> Run '''df''', you should see something similar to this at the bottom of the output:</li><br />
:[[file:Df.png | link= https://wiki.ihitc.net/mediawiki/images/1/19/Df.png | 500px]]<br />
:[[media:Df.png | Click for Larger Image]]<br />
<br />
: This indicates that the two partitions are mounted properly to the folders we created earlier. '''df''' is a powerful command as not only will it show you what is mounted where, but it also shows you how much disk space is used and how much space is left.<br />
: The '''df''' command doesn't give the most easily readable disk or usage sizes by default. <br />
<li> Add the '''-h''' option to the command line to change the output to a "human readable" format and see what it looks like.<br />
<br><br />
<code>df -h</code> </li><br />
<li> Now, '''cd''' into '''/mnt/part1''' so you are on the ext4 partition you created. Then as root, run the following command:<br />
<br><br />
<code>cp -r /var/log ./</code> </li><br />
<li> '''cd''' into the ''log'' folder, and run the following:<br />
<br><br />
<code> du -h</code> </li><br />
: '''du''' is a command that allows you to view file usage in a tree format. Just like with '''df''' the '''-h''' flag tells '''du''' to output the usage in a "human readable" format, while the '''-a''' flag tells it to show you the results for all files, and not just for folders.<br />
<li> Read the '''man du''' page and play around with using the '''du''' command across the file system. </li><br />
: How much data is the /etc/ folder taking up on your Linux system? What directories are the biggest?<br />
</ol><br />
<br />
=Checking your Work=<br />
<ol><br />
<li> Run '''ls -al /mnt/part1''', does it look like this? </li><br />
:[[file:Ls-part1-mounted.png | link= https://wiki.ihitc.net/mediawiki/images/2/22/Ls-part1-mounted.png | 500px]]<br />
:[[media:Ls-part1-mounted.png | Click for Larger Image]]<br />
<li> Run '''ls -al /mnt/btrfs''', does it look like this? </li><br />
:[[file:Ls-btrfs-mounted.png | link= https://wiki.ihitc.net/mediawiki/images/5/57/Ls-btrfs-mounted.png | 500px]]<br />
:[[media:Ls-btrfs-mounted.png | Click for Larger Image]]<br />
<li> Run '''df''', does it look like this? </li><br />
:[[file:Df.png | link= https://wiki.ihitc.net/mediawiki/images/1/19/Df.png | 500px]]<br />
:[[media:Df.png | Click for Larger Image]]<br />
: If your output matches the screenshots, you have successfully completed the lab!<br />
<br />
<br><br><br />
<br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_11_test.py | python3<br />
</nowiki></code><br />
<br />
</ol></div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_9_mnjk&diff=9560Lab 9 mnjk2021-03-02T22:08:19Z<p>NateHaleen: /* Additional Resources */</p>
<hr />
<div>=Introduction=<br />
<br />
In this lab you will perform the following tasks:<br />
*Install a basic email server <br />
*Install Courier MDA software<br />
*Learn how to allow remote users to send mail<br />
<br><br />
You will be introduced to the following commands:<br />
*'''[https://linux.die.net/man/1/telnet telnet]'''<br />
<br><br />
This lab assumes that you know the IP address of your Linux system and are connected to the ITCnet VPN network. Additionally, this lab assumes that you have completed the Bind DNS and have created a MX record that directs mail to your mail server. <br />
*[[Lab_8_mnjk#Install_BIND_&_Enable_Caching | Installing Bind]]<br />
*[[Lab_8_mnjk#Adding_a_Delegated_Domain | Creating a MX record in DNS]]<br />
<br />
=Lab Procedure=<br />
== Prerequisites ==<br />
# Open an SSH console to your Linux system using the PuTTY software, login with your standard user account<br />
# Make sure that webmin is installed on your system. <br />
# Get the username and domain name of someone else's system in the class who you can send mail to<br />
# This lab requires that you have appropriate domain name records (at least a correct A and MX record) for your system working from the DNS lab before things will work.<br />
<br />
== Install the Postfix MTA ==<br />
'''''[https://www.youtube.com/watch?v=6VsgO5695Z4&feature=youtu.be Video Tutorial - Install Postfix MTA]'''''<br />
<ol><br />
<li> Use a package manager to install the ''postfix'' package.<br />
* During the installation process select ''Internet Site'' as the type of mail server and set the domain name to ''*.itc2480.campus.ihitc.net'' where * is the hostname letter of your system.</li><br />
: MTA software listens for incoming connections from other MTA servers on port 25 and accepts mail on behalf of users on the system. Once the mail is received it is stored locally for users to retrieve. The most common methods for storing messages is in an .mbox file, where all messages are stored in a single file, or in a Maildir, which is a directory where each message is stored in a separate file. The MTA also listens for connections from client software (MUA) and accepts outbound messages from them and forwards them on to the destination domain's mail server. Advanced configuration of MTA software can allow for anti-spam filtering, mailing list support or other programs to intercept and manipulate mail as it passes through the server.<br />
<li>Test the connection and verify the port is open</li><br />
:* Use Telnet to connect to the Postfix SMTP server on port 25: '''telnet localhost 25'''<br />
: [[File:Lab9_open_telnet.png|link=https://wiki.ihitc.net/mediawiki/images/1/10/Lab9_open_telnet.png|500px]]<br />
: [[Media:Lab9_open_telnet.png | Click here for larger image]]<br />
:* Type '''quit''' and press enter after verifying Postfix is running.<br />
<br />
<li>Configure Maildir</li><br />
: Because the Courier IMAP and POP3 server software only supports Maildir style message stores and Postfix stores in mbox files by default you must edit the ''/etc/postfix/main.cf'' file to fix this. <br />
:* Add the line <br />
:<pre>home_mailbox = Maildir/</pre> <br />
: Edit or add the ''mailbox_command'' parameter so there is nothing on the line after the equals sign, delete the portion of the line referencing procmail if it exists. The line should look like: <br />
:<pre>mailbox_command = </pre><br />
<li> Restart the ''postfix'' service to apply your change. Postfix is now saving new incoming messages into the Maildir folder inside each user's home directory. This folder is automatically created by Postfix the first time a new message comes in for a user.</li><br />
<li> Set your shell to recognize the maildir as your mail location</li><br />
:* Edit the ''/etc/login.defs'' file and comment out the ''MAIL_DIR /var/mail'' line (place a # in front of the line) and add a line setting ''MAIL_FILE'' like this:<br />
<pre><br />
#MAIL_DIR /var/mail<br />
MAIL_FILE Maildir/<br />
</pre><br />
:* Edit the ''/etc/pam.d/login'' file, find and comment out the ''session optional pam_mail.so standard'' line (place a # in front of the line) and add a line like this immediately below it:<br />
<pre><br />
#session optional pam_mail.so standard<br />
session optional pam_mail.so dir=~/Maildir standard<br />
</pre><br />
:* Edit the ''/etc/pam.d/su'' file, find and comment out the ''session optional pam_mail.so nopen'' line (place a # in front of the line) and add a line like this immediately below it:<br />
<pre><br />
#session optional pam_mail.so nopen<br />
session optional pam_mail.so dir=~/Maildir nopen<br />
</pre><br />
:* Edit the ''/etc/pam.d/sshd'' file, find and comment out the ''session optional pam_mail.so standard noenv'' line (place a # in front of the line) and add a line like this immediately below it:<br />
<pre><br />
#session optional pam_mail.so standard noenv<br />
session optional pam_mail.so dir=~/Maildir standard<br />
</pre><br />
:* Edit the ''/etc/profile'' file and at the end of the file add the line: <pre>export MAIL=~/Maildir</pre></li><br />
<li> Test sending and receiving mail as a locally logged on user.</li><br />
<br />
:* Install the ''mailutils'' package.<br />
:* Try sending a message (replace username with your username): <pre>echo "This is my message" | mail -s "Email Subject" username@localhost</pre><br />
:* Log out of your SSH session and open a new SSH session to apply the changes to the ''/etc/profile'' and ''/etc/login.defs'' files.<br />
:* Check to see if the message was received using the '''mail''' command, press ''q'' to return to the command line.<br />
:[[File:Lab9_cli_send_mail.png|link=https://wiki.ihitc.net/mediawiki/images/4/4f/Lab9_cli_send_mail.png|500px]]<br />
:[[Media:Lab9_cli_send_mail.png|Click here for a larger image]]<br />
: You should also be able to see the message in ''~/Maildir/'' in either the ''new/'' or ''cur/'' directory depending on whether you have viewed the message list yet or not. In either case, the message will appear as a text file with a random-looking name. It's just a text file so you can use '''cat''' or '''less''' to view it.<br />
<li> Create Aliases </li><br />
: You can create aliases and forward mail between users by editing the ''/etc/aliases'' file and then running the '''newaliases''' program. <br />
:* Create an "alias" for ''sysadmin'' which forwards mail sent to sysadmin@localhost to your username <br />
:* Send a copy of all mail to the ''root'' account to your username <br />
<br />
: Now would be a good time to try logging on to Webmin again, re-scanning for modules and then taking a look at the Postfix module in the ''Servers'' section.<br />
<li>Explore the mail log file</li><br />
: Take a look at your ''/var/log/mail.info'' log to see Postfix sending and receiving messages for users.<br />
</ol><br />
<br />
== Install Courier MDA ==<br />
'''''[https://www.youtube.com/watch?v=uvZlSiQHlxs&feature=youtu.be Video Tutorial - Install Courier MDA]'''''<br />
<ol><br />
<li>Install required courier packages </li><br />
: Most users prefer to retrieve mail from a mail server using an MDA protocol like POP3 or IMAP which can be provided by the Courier programs. Install the ''courier-pop'', ''courier-imap'', and ''fam'' packages.<br />
:* Do not create the directories for web-based administration as they are unneeded for our setup<br />
: Local users accessing their mailbox with MUA software can read and write to the .mbox file or Maildir directly. If a user not locally logged on to the system wants to access their mailbox the server runs MDA software which typically uses the POP3 or IMAP protocol for accessing the .mbox file or Maildir remotely.<br />
<br />
<li> Install MUA Client on remote system</li><br />
:*Install an email client (MUA) on your host (home) system such as [http://www.mozilla.org/en-US/thunderbird/ Mozilla Thunderbird]<br />
:* Setup two user accounts in your MUA, the usernames and passwords should be the same as users and their passwords on your system. Use ''IMAP'' as the protocol for retrieving mail. The email address for each should be ''username@*.itc2480.campus.ihitc.net'' where the * is replaced by the host letter of your system. You can verify the IMAP and SMTP settings that are detected, both server addresses should be ''*.itc2480.campus.ihitc.net'' where the * is replaced by the host letter of your system.<br />
:'' NOTE: The first time you check messages and the first time you send messages to your server from Thunderbird you will need to accept an invalid security certificate in the Thunderbird window.<br />
:[[File:Lab9_thunderbird_cert.png|link=https://wiki.ihitc.net/mediawiki/images/9/9a/Lab9_thunderbird_cert.png|500px]]<br />
:[[Media:Lab9_thunderbird_cert.png|Click here for a larger image]]<br />
:'' NOTE: To see the ''Tools'' menu with the ''Account Settings'' window in recent versions of Thunderbird (where you can add more accounts) you need to press ALT-F and then the menu bar will temporarily appear.<br />
:[[File:Lab9_thunderbird_menu.png|link=https://wiki.ihitc.net/mediawiki/images/6/60/Lab9_thunderbird_menu.png|500px]]<br />
:[[Media:Lab9_thunderbird_menu.png|Click here for a larger image]]<br />
<li>Send mail between local users</li><br />
:* Try sending a message from one user to the other user by sending a message to the other account like ''username@localhost'' Verify that you can receive and read the messages.<br />
:* Note: If a user has not yet received any mail Postfix has not created a Maildir for the user and the Courier software will send an error to the client software. Use the mail program explained above to send some mail to the user, see that the ''~/Maildir'' is then created and try retrieving the messages again with your MUA.<br />
</ol><br />
<br />
== Allow Remote Users to Send Mail ==<br />
'''''[https://www.youtube.com/watch?v=0qh3mCMIzn4&feature=youtu.be Video tutorial - Allow Remote Users to Send Mail]'''''<br />
<ol><br />
<li>Testing SMTP mail to another domain</li><br />
:* Try setting up your MUA software to send mail by creating an SMTP server entry and sending an email to ''anotheruser@localhost'' This should work because localhost is your own server but if you try sending email to ''someuser@somedomain.com'' like ''root@ben.itc2480.campus.ihitc.net'' that will fail.<br />
: The problem is that you don't want just anyone to send mail through your mailserver (we did allow this in the olden days), because a spammer could then use your server to send mail worldwide and it would all trace back to the IP of your server. We call servers set up like this "open relays" because they relay mail for anyone. They are generally considered very bad practice and can get your mailserver onto lists of servers from which all messages are ignored. There are a number of ways to solve this. By default Postfix will only allow mail relaying from computers on the same network (based on IP) as set in the ''mynetworks'' parameter of ''/etc/postfix/main.cf'', but this is inconvenient for remote users because you would need to know the remote IP address they are connecting from. The SASL protocol allows users to authenticate with a username and password before sending mail, after which relay messages are accepted from them.<br />
<li>Configure Simple Authentication and Security Layer - SASL</li><br />
:* See if you can follow [https://wiki.debian.org/PostfixAndSASL these instructions] for setting up SASL with Postfix.<br />
:'' Note: You do NOT need to setup TLS to support SASL (more on that in the additional considerations section below)<br />
<li>Test and troubleshoot SASL</li><br />
:* Modify your MUA to use a username and password when connecting to your SMTP server and try sending mail to someone else's system from your MUA using a destination address like ''root@*.itc2480.campus.ihitc.net'' where the * is replaced by the host letter of your system.<br />
:'' NOTE: You MUST actually exchange messages with someone else in the class (both sending to them and receiving from them). It is not possible to test using an outside email account of your own (you will not be able to send a message back to your server because it is behind a firewall). It is not enough to just be able to send a message to another system. It is not enough to just be able to receive a message from another user.<br />
:* Troubleshoot as needed using the mail log files on your system.<br />
</ol><br />
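As an added example (not part of the original lab and not code from the Postfix project), the Python sketch below sorts mail log lines into the three outcomes you will meet while testing SASL: relay denied, SASL login failed, and authenticated and delivered. The log lines, host names and addresses are constructed samples in the usual Postfix syslog layout.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from a real server), in the usual Postfix syslog layout.
SAMPLE_LOG = """\
Apr 25 10:01:02 mx1 postfix/smtpd[2101]: connect from unknown[172.17.50.40]
Apr 25 10:01:02 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[172.17.50.40]: 554 5.7.1 <root@b.example.test>: Relay access denied; from=<alice@a.example.test> to=<root@b.example.test> proto=ESMTP helo=<[172.17.50.40]>
Apr 25 10:02:10 mx1 postfix/smtpd[2105]: warning: unknown[172.17.50.40]: SASL PLAIN authentication failed: authentication failure
Apr 25 10:03:30 mx1 postfix/smtpd[2109]: 4F1A22C0D3: client=unknown[172.17.50.40], sasl_method=PLAIN, sasl_username=alice
Apr 25 10:03:30 mx1 postfix/smtp[2112]: 4F1A22C0D3: to=<root@b.example.test>, relay=b.example.test[172.17.50.41]:25, delay=0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9B2C1A0F11)
Apr 25 10:09:44 mx1 postfix/smtpd[2120]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 <x@elsewhere.example>: Relay access denied; from=<y@elsewhere.example> to=<x@elsewhere.example> proto=ESMTP helo=<probe>
"""

# Unauthenticated client asked us to relay to a domain we do not host.
RELAY_DENIED = re.compile(
    r"reject: RCPT from \S*\[(?P<ip>[^\]]+)\]: \d{3} [\d.]+ <(?P<rcpt>[^>]*)>: Relay access denied")
# Client tried to authenticate but the credentials were rejected.
SASL_FAILED = re.compile(
    r"warning: \S*\[(?P<ip>[^\]]+)\]: SASL (?P<mech>\S+) authentication failed")
# Message accepted from a client that authenticated successfully.
SASL_OK = re.compile(
    r"(?P<qid>[0-9A-F]+): client=\S*\[(?P<ip>[^\]]+)\], "
    r"sasl_method=(?P<mech>[^,]+), sasl_username=(?P<user>\S+)")
# Outbound delivery result for a queued message.
DELIVERY = re.compile(r"(?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>.*\bstatus=(?P<status>\w+)")


def triage(log_text):
    """Group relay-related events by client IP address."""
    clients = defaultdict(
        lambda: {"relay_denied": [], "sasl_failed": 0, "sasl_ok": [], "delivered": []})
    qid_to_ip = {}  # queue ID -> IP of the authenticated client that submitted it
    for line in log_text.splitlines():
        if m := RELAY_DENIED.search(line):
            clients[m["ip"]]["relay_denied"].append(m["rcpt"])
        elif m := SASL_FAILED.search(line):
            clients[m["ip"]]["sasl_failed"] += 1
        elif m := SASL_OK.search(line):
            clients[m["ip"]]["sasl_ok"].append(m["user"])
            qid_to_ip[m["qid"]] = m["ip"]
        elif (m := DELIVERY.search(line)) and m["status"] == "sent" and m["qid"] in qid_to_ip:
            clients[qid_to_ip[m["qid"]]]["delivered"].append(m["rcpt"])
    return dict(clients)


def verdict(entry):
    """One-line diagnosis for a client, judged by the best outcome it reached."""
    if entry["delivered"]:
        return "authenticated relay working"
    if entry["sasl_failed"]:
        return "SASL login rejected: check the MUA username/password and the SASL service"
    if entry["relay_denied"]:
        return "relay denied: client did not authenticate (expected for strangers)"
    return "no relay activity"


if __name__ == "__main__":
    for ip, entry in triage(SAMPLE_LOG).items():
        print(ip, "->", verdict(entry), entry)
```

A "Relay access denied" line from an address you do not recognise is the server refusing to act as an open relay, which is the behaviour you want.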
<br />
=Additional Considerations=<br />
Running a mailserver is tricky business. The basic server we have set up does not use valid certificates for encrypting connections, meaning usernames, passwords, and mail contents are all being sent to an unverified server. This is very undesirable from a security standpoint, and it is suggested that you support SSL/TLS encryption for both the MTA and MDA portions with a valid certificate purchased from a certificate authority (CA) or obtained from a free CA like [https://letsencrypt.org/ Let's Encrypt]. In addition, you will almost certainly want spam filtering at the server. More complicated setups also use database tables for users, passwords and domains so that you can host multiple domains on a single server and have email user boxes for people who do not have local logins on the system.<br />
<br />
=Additional Resources=<br />
* [https://help.ubuntu.com/community/PostfixBasicSetupHowto Ubuntu Postfix Basic Setup]<br />
* [https://wiki.debian.org/Postfix Debian Wiki - Postfix Installation]<br />
<br />
==Checking Your Work==<br />
<br><br><br />
<br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_09_test.py | python3<br />
</nowiki></code></div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_8_mnjk&diff=9559Lab 8 mnjk2021-03-02T22:07:03Z<p>NateHaleen: /* Manually editing a zone file */</p>
<hr />
<div>=Introduction=<br />
In this lab you will perform the following tasks:<br />
*Install BIND and configure as caching plus zones for a local domain<br />
*Learn how to create domains using Webmin<br />
*Learn how to manually edit using a zone file<br />
You will be introduced to the following commands:<br />
*'''[https://linux.die.net/man/1/dig dig]'''<br />
*'''[https://linux.die.net/man/1/nslookup nslookup]'''<br />
*'''[https://www.man7.org/linux/man-pages/man1/systemctl.1.html systemctl]'''<br />
<br />
=Lab Procedure=<br />
== Prerequisites ==<br />
# Open an SSH console to your Linux system using the PuTTY software, login with your standard user account.<br />
# Make sure that Webmin is installed on your system. <br />
== Install BIND & Enable Caching ==<br />
'''''[https://www.youtube.com/watch?v=frZ7FrJyjME Video Tutorial - Installing BIND and Enabling Caching]'''''<br><br />
<ol><br />
<li>First you will need to install BIND. To install it, use the package manager to install '''bind9'''</li><br />
<ul>BIND (Berkeley Internet Name Domain) is one of the available DNS server applications for Linux and the most well known and used nameserver on the Internet.</ul><br />
<li>You will also want to install the '''dnsutils''' package.</li><br />
<ul>In order to use the '''nslookup''' and '''dig''' programs for DNS testing and troubleshooting you'll need dnsutils</ul><br />
<li>Open up ''/etc/bind/named.conf.options'' with your favorite text editor.</li><br />
<ul>Now we will need to enable DNS caching and forwarding on the BIND server. This will allow us to use it for DNS resolving locally, as well as speed up frequent DNS requests.</ul><br />
<ul><br />
* You are now in the local options file for BIND. You will need to uncomment (remove the // from the front of) the following lines:<br />
: [[File:Bind_named_conf.png | 500px]]<br />
* '''NOTE:''' You will also need to replace 0.0.0.0 with 172.17.139.11 for outside DNS lookups to function correctly.</ul><br />
<ul>The reason we setup a forwarder address is so that domain requests that are not on our system are passed to another DNS server instead of being searched against the root nameservers. You may want to do this in domain or enterprise environments as most large networks have internal domain names setup that only redirect inside of a local LAN. By using a forwarder, as long as the DNS server you push requests to is able to access those internal records, you will be able to access local content from internal domain names instead of needing to rely on IP addresses.</ul><br />
<li>To apply these changes, you will need to restart the BIND server with administrative permissions.</li><br />
<code>sudo service bind9 restart</code><br />
<li>Next, open up your interfaces file (''/etc/network/interfaces'') with your favorite file editor.</li><br />
<ul><br />
* Change the dns server for the primary network interface to ''127.0.0.1''.</ul><br />
<ul>The change to ''/etc/network/interfaces'' will take effect if you restart your system. To avoid doing that right now you can edit the ''/etc/resolv.conf'' file so that it has only one nameserver line like ''nameserver 127.0.0.1''. Note that unless you reboot the system it will eventually get reset back to its prior setting by a background system process, so at some point you will want to reboot your system to make the change permanent.</ul><br />
<li>Run the command:</li><br />
<code>nslookup inverhills.edu</code><br />
<ul>If BIND is working, you should now see the following output:</ul><br />
: [[File:Nslookup_inverhillsedu.png | 500px]]<br />
* Notice how it shows it is using 127.0.0.1 as the server. If you do not see this, then your interface file or resolv.conf file is not set to use the local machine for DNS lookups. Note also that the IP address returned for this domain may vary from the one shown in the output above.</li><br />
<li>Run:</li><br />
<code>dig inverhills.edu</code><br />
<ul>See if you can find where the IP address for the domain is reported in the output as well as where the server IP address is reported in the output.</ul><br />
<li>Now would be a good time to reboot your server to ensure the DNS server network interface configuration changes remain permanent.</li><br />
<code>sudo shutdown -r now</code><br />
<li>Once the system reboots log back in and use '''nslookup''' or '''dig''' to verify the default nameserver being used is ''127.0.0.1''.</li><br />
</ol><br />
<br />
== Create a Domain using Webmin ==<br />
'''''[https://www.youtube.com/watch?v=53aK9FeYz68 Video Tutorial - Create a Domain Using Webmin]'''''<br><br />
Now we are going to use Webmin to create a few different types of domain records and have our system serve as a DNS server for a domain. We will utilize A (Host), AAAA (IPv6 host), MX (Mail Exchange), and CNAME (Canonical Name) records.<br />
<ol><br />
<li>Open up your '''Webmin panel''' and sign in.</li> <br />
<ul>Now that we have BIND installed, you will need to click the Refresh Modules option on the left sidebar to have Webmin recheck the system for installed packages and services so that it will show up as an option in the ''Servers'' tab.</ul><br />
<li>Under the ''Servers'' tab, open up ''BIND DNS Server'', under ''Existing DNS Zones'' click ''Create master zone''.</li><br />
<ul>From here we will create a new domain name for our server to respond to DNS queries for.</ul><br />
<li>Use the following options, '''where * is replaced by your System ID''' that was defined in [[Franske ITC-2480 Lab 5|Lab 5]] (just the letter of your system, for example the domain name would be ''debserv-A.test'' if you had System ID "A").<br />
<pre>Zone type: Forward (Names to Addresses)<br />
Domain name / Network: debserv-*.test<br />
Records file: Automatic<br />
Master server: Leave as your hostname<br />
Email address: root@debserv-*.test</pre></li><br />
<li>Click the ''create'' button to add the domain.</li><br />
<ul> At this point you should now be on the ''Edit Master Zone'' page. From here you can add and edit domain records for this domain name.</ul><br />
<li>To create our ''A record'' which points your domain to an IP address, click the ''Address'' button.</li><br />
* For the ''Name'' enter ''@''. Note: The ''@'' symbol in DNS Zones defines the parent domain (alternatively you could re-enter the parent domain ''debserv-*.test.'' with the period at the end).<br />
* In the ''address'' field enter your VM's static IP set in [[Franske ITC-2480 Lab 5|Lab 5]] and click ''Create''.<br />
<li> Return to the main BIND DNS Server page. Click the ''Apply Configuration'' link (which looks like two arrows chasing each other) in the top right corner. You'll see the "Apply Configuration" text if you hover your mouse over the button.</li><br />
<li> To test the record use '''nslookup''' or '''dig''' to lookup the domain you just created (Replace the * with your letter.)</li><br />
<code>nslookup debserv-*.test</code><br />
<code>dig debserv-*.test</code><br />
* If you have issues looking up the domain, make sure that the system is still using 127.0.0.1 as the DNS server. If not, check your ''/etc/resolv.conf'' file.</li><br />
</ol><br />
<br />
== Additional DNS Record Types ==<br />
'''''[https://www.youtube.com/watch?v=dC6RsYYMk4w Video Tutorial - Additional DNS Record Types]'''''<br><br />
Now we are going to add a few more record types to our Domain. This will include an ''MX'' (Mail Exchange) and ''CNAME'' (Canonical Name) record. We will start with the MX record. MX records are used by email servers to look up where to forward email for a specific domain.<br />
<ol><br />
<li>In Webmin on the '''BIND DNS Server''' page, click the domain on the bottom named ''debserv-*.test'' and then click the '''Mail Server''' button. Under ''name'', enter ''@'' again, and for ''mail server'' enter ''mail.debserv-*.test.'' (with the period at the end). For ''Priority'', enter ''10''.</li><br />
* This entry says we want other servers trying to send mail to ''users@debserv-*.test'' to actually send it to the server at ''mail.debserv-*.test'', which allows us to use a different server for email than we use for web serving, etc.<br />
* The Priority entry allows people to define more than one MX record for a name, and the order which the sending service will try to use for contacting the various mail servers at your domain.</li><br />
<li>Go back to the domain zone overview page. Add an ''A'' record for ''mail.debserv-*.test'' which points to the IP of your system.</li><br />
<ul>Because we don't currently have an "A" (address) record for ''mail.debserv-*.test'' the mail would currently go undelivered.</ul><br />
* Reapply configuration settings like you did in the last section of this lab using the button with the two arrows in a circle.<br />
<li> To test an ''MX'' record we need to make multiple queries and ask '''nslookup''' or '''dig''' to first check for MX records for the domain like:</li><br />
<code>nslookup -type=MX debserv-*.test</code><br />
<ul>or</ul><br />
<code>dig debserv-*.test MX</code><br />
which will return the names of the mail servers for that domain. We then need to do a regular '''nslookup''' or '''dig''' on those names to determine what IP addresses those are pointed to. Of course, for mail to actually work we'd also need to ensure mail server software is installed and configured on that server as well.</li><br />
<li>Again return to the domain zone overview page.</li><br />
<ul>We are now going to create a CNAME record. CNAME records are useful as they allow you to create virtual A records (aliases), but point them to another domain or host name instead of to a specific IP address. This allows you to have many hostnames all pointed to the same A record which contains the actual IP address so if the IP address changes you only need to change a single A record and all the hostnames will change. It can also be used to redirect a hostname at one domain to an entirely different domain.</ul><br />
<li>On the ''Edit Master Zone'' page for your domain, click the ''Name Alias'' button. For the ''Name'', enter ''blog'' and for the ''Real Name'', enter your domain ''debserv-*.test.'' but remember to put a period at the end of the domain as this is an ''absolute name''. Press ''create'' to add the record.</li><br />
<li>Click the ''Apply Configuration'' link at the top right of the page again. This will apply the records you have created. Now back in PuTTY, run:<br><br />
<code>nslookup blog.debserv-*.test</code><br />
or the equivalent '''dig''' command.<br> <br />
You should get a response similar to:</li><br />
<pre>Server: 127.0.0.1<br />
Address: 127.0.0.1#53<br />
<br />
blog.debserv-*.test canonical name = debserv-*.test.<br />
Name: debserv-*.test<br />
Address: 172.17.50.XXX<br />
</pre><br />
<ul>One thing we can use CNAMEs for is to create a virtual web host in Apache that listens for the domain blog.debserv-*.test and then forwards you directly to your blog folder instead of to our main web page. </ul><br />
<li>In '''Webmin''' under the ''Servers'' tab, select ''Apache Webserver''. Then on the top, click the ''Create virtual host'' button and use the following configuration:<br />
<pre>Handle Connections to Address: any address<br />
Port: 80<br />
Document Root: /var/www/html/blog/<br />
Server Name: blog.debserv-*.test<br />
Add virtual server to file: new file under virtual servers directory<br />
Copy directives from: nowhere<br />
</pre><br />
When done, press ''Create Now''.<br />
<li> When you are back at the ''Apache Webserver'' page, then click ''Apply Changes'' in the top right.</li><br />
<li>Now in an SSH session, open up your favorite command line web browser like '''links''' and visit ''blog.debserv-*.test.'' Make special note that when you enter the URL in Links you need to include the extra period at the end.</li><br />
<ul> This is because the .test domain is not a regular TLD like .com .org etc. and the Links browser doesn't know how to handle it unless we force it as a domain name by adding the period at the end. This is not related to it being a CNAME or our Apache configuration and with a regular domain name would not be required. Notice how you are now visiting the blog directly, instead of your modified index.html file. This is because we setup a virtual host in Apache that listens for requests to the CNAME we created and points to the document root where the Wordpress software is installed.<br />
* Note that you will not be able to use this URL to access the blog from your local PC yet because your local PC isn't using your Linux server as its DNS server and the .test domain isn't registered to your DNS server.</ul><br />
<li>Congrats, at this point you have a basic domain working with a MX, CNAME, and A record.</li><br />
</ol><br />
<br />
== Adding a AAAA record ==<br />
'''''[https://www.youtube.com/watch?v=sql0Wlo8F5g Video Tutorial - Adding an AAAA Record]'''''<br><br />
Now we are going to add an ''AAAA'' (IPv6 host) record to our domain. To do this, we will first need to make sure that IPv6 networking is setup in our virtual machine.<br />
<ol><br />
<li> Use <code>ip address show</code> to check the ''inet6'' address (IPv6 Address) on the primary network interface.</li><br />
<ul> You should have an address starting with ''2607:f930:1c00:50:''. If you do not please check with your instructor. You will need to write down or remember this full address as we will use it in Webmin to create our AAAA record.</ul><br />
<li> Back in '''Webmin''', under the ''BIND DNS Server'' tab, select your ''debserv-*.test'' domain from the bottom and then click the ''IPv6 Address'' button. For the name, enter ''@'' and for the ''address'' enter your IPv6 address WITHOUT the subnet prefix (No /64 on the end).</li><br />
<ul> It should look similar to this: ''2607:f930:1c00:50:xxxx:xxxx:xxxx:xxxx''.</ul><br />
<li>When done click ''create''. Remember to click the ''apply configuration'' link in the top right to apply the changes.</li><br />
<li> In order to verify the AAAA record is working we need to modify the '''nslookup''' or '''dig''' command to check for AAAA records instead of the default of A records. Try:<br><br />
<code>nslookup -type=AAAA debserv-*.test</code><br><br />
and<br><br />
<code>dig debserv-*.test AAAA</code><br><br />
to see the output from AAAA records.</li> <br />
<li>Congratulations, you have now set up dual-stack DNS records for your Debian server. This means your server is accessible from both IPv4 and IPv6 at the same name, because both the A and AAAA records we created have the same host name.</li><br />
</ol><br />
<br />
== Adding a Delegated Domain ==<br />
'''''[https://www.youtube.com/watch?v=Qn45Vv7vuZY Video Tutorial - Adding a Delegated Domain]'''''<br><br />
The problem with the name we have been using so far is that it only works on the DNS server itself. This is because we didn't purchase the name and so no other nameservers know to send requests for it to our server. Normally if you purchase a domain or someone else gives you control of a subdomain it is ''delegated'' to your server meaning that other DNS servers will query your server for addresses related to that name. In order to practice this we are going to add another domain to the system, but this domain will be a delegated domain which is a subdomain of ''itc2480.campus.ihitc.net''. Luckily we can add this to BIND the same way we added our original domain.<br />
<ol><br />
<li>In '''Webmin''', go to ''Servers'', then ''BIND DNS Server''. Under ''Existing DNS Zones'' click on ''Create Master Zone'' and use the following settings:<br />
<pre>Zone type: Forward (Names to Addresses)<br />
Domain name / Network: *.itc2480.campus.ihitc.net<br />
Records file: Automatic<br />
Master server: *.itc2480.campus.ihitc.net.<br />
Email address: root@ *.itc2480.campus.ihitc.net</pre><br />
* '''NOTE:''' the * stands for your System ID letter, the same as you used for the previous domain we created.</li><br />
<li> Using webmin, create an ''A'' record for ''@'' the same way as we did for the last domain.</li><br />
<ul> If you need help with this step, you can review the process we did earlier. Make sure to apply your changes after adding the record.</ul><br />
<li>Test that the record and delegation are working correctly. This time you should be able to check from your host computer too!</li><br />
<ul> Windows does not include the '''dig''' command so you'll need to use '''nslookup''' on ''*.itc2480.campus.ihitc.net'' (replace the * with your System ID). Does the correct address come back?</ul><br />
<li> Test your setup using a web browser on your local computer</li><br />
<ul> can you access your webserver by going to http://*.itc2480.campus.ihitc.net (where * is your hostname letter)?</ul><br />
<li>Create an ''MX'' record for the domain which directs mail for your delegated domain to your system as well just like we did with the test domain (this will involve creating another A record for ''mail.*.itc2480.campus.ihitc.net'' as well).</li><br />
<ul>Test that the MX record and associated A record are working correctly. This time you should be able to check from your host computer too! Windows does not include the '''dig''' command so you'll need to use '''nslookup'''. Does the correct mail server name and address come back?</ul><br />
<li>Create a ''CNAME'' record for the blog just like in the previous example (''blog.*.itc2480.campus.ihitc.net'' though) and create a new Apache virtual server just like in the previous example as well.</li><br />
<ul>Test your setup using a web browser on your local computer, can you access your blog directly by going to http://blog.*.itc2480.campus.ihitc.net (where * is your hostname letter)?</ul><br />
</ol><br />
<br />
== Manually editing a zone file ==<br />
'''''[https://www.youtube.com/watch?v=3T7TkE9cRVE Video Tutorial - Manually Editing a Zone File]'''''<br><br />
Lastly we are going to look at the domain zone file. While Webmin provides a nice interface to add records, all it is doing is writing our records to our text-based zone file. When you use BIND for DNS, every domain created gets its own record file, which is called the zone file. This file stores all subdomains and records for that domain.<br />
<ol><br />
<li>By default, the location for these records on Debian will be in ''/var/lib/bind'', so go to that directory and list the contents.</li><br />
<li>Now, with your favorite text editor, open up the file which corresponds to the ''debserv-*.test'' domain.<br><br />
It should look similar to this:<br />
<pre>$ttl 38400<br />
debserv-Z.test. IN SOA 2480-Z.itc2480.campus.ihitc.net. root.debserv-Z.test. (<br />
1519434495<br />
10800<br />
3600<br />
604800<br />
38400 )<br />
debserv-Z.test. IN NS 2480-Z.itc2480.campus.ihitc.net.<br />
debserv-Z.test. IN A 172.17.50.36<br />
debserv-Z.test. IN MX 10 mail.debserv-Z.test.<br />
mail.debserv-Z.test. IN A 172.17.50.36<br />
blog.debserv-Z.test. IN CNAME debserv-z.test.<br />
debserv-Z.test. IN AAAA 2607:f930:1c00:50:250:56ff:feb1:8756<br />
mail.debserv-Z.test. IN AAAA 2607:f930:1c00:50:250:56ff:feb1:8756</pre></li><br />
<ul>Notice the formatting for domain records. Each record is defined by the domain or subdomain name, ''IN'', then the record type (like A, AAAA, NS, or MX), followed by what the record is pointed to. For this example, we want to change the MX priority from 10 to 15.</ul><br />
<li>Using your text editor change the MX record settings priority from 10 to 15.</li><br />
<li>When you are done, '''restart''' the bind9 service to reload the changes.<br><br />
<code>sudo systemctl restart bind9</code><br />
* Note: when restarting bind, if you have any errors restarting the service this normally means you have a typo in one of your zone files. If this is the case, go through the file again in a text editor to make sure you did not add anything extra or remove anything else.</li><br />
<li>Use the '''dig''' tool to check the MX record and see that the new priority is active. You should see something similar to the following response:<br />
<pre>; <<>> DiG 9.10.3-P4-Debian <<>> debserv-z.test MX<br />
;; global options: +cmd<br />
;; Got answer:<br />
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40128<br />
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3<br />
<br />
;; OPT PSEUDOSECTION:<br />
; EDNS: version: 0, flags:; udp: 4096<br />
;; QUESTION SECTION:<br />
;debserv-z.test. IN MX<br />
<br />
;; ANSWER SECTION:<br />
debserv-Z.test. 38400 IN MX 15 mail.debserv-Z.test.<br />
<br />
;; AUTHORITY SECTION:<br />
debserv-Z.test. 38400 IN NS 2480-Z.itc2480.campus.ihitc.net.<br />
<br />
;; ADDITIONAL SECTION:<br />
mail.debserv-Z.test. 38400 IN A 172.17.50.36<br />
mail.debserv-Z.test. 38400 IN AAAA 2607:f930:1c00:50:250:56ff:feb1:8756<br />
<br />
;; Query time: 0 msec<br />
;; SERVER: 127.0.0.1#53(127.0.0.1)<br />
;; WHEN: Fri Feb 23 20:15:48 CST 2018<br />
;; MSG SIZE rcvd: 163</pre></li><br />
<ul>Notice how the Answer Section shows the MX record pointing to ''mail.debserv-Z.test.'' with the priority set to 15, and how the Additional Section lists the IP addresses for that mail server.</ul><br />
<li>Congratulations, you have now setup a functional DNS server.</li><br />
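The two zone-file mistakes this lab warns about, a name written without its trailing period and an MX record whose mail server has no address record, can be caught before restarting BIND. The Python sketch below is an added example (not part of the original lab or of BIND): it parses a zone in the layout shown above and reports those problems plus a CNAME that shares its name with other records. GOOD_ZONE follows the listing above; BAD_ZONE is constructed, and the function names are this example's own.

```python
import re

ADDRESS_TYPES = {"A", "AAAA"}
TARGET_FIELD = {"MX": 1, "CNAME": 0, "NS": 0}  # index of the host name inside the rdata

# Modelled on the zone listing above.
GOOD_ZONE = """\
$ttl 38400
debserv-Z.test. IN SOA 2480-Z.itc2480.campus.ihitc.net. root.debserv-Z.test. (
            1519434495
            10800
            3600
            604800
            38400 )
debserv-Z.test. IN NS 2480-Z.itc2480.campus.ihitc.net.
debserv-Z.test. IN A 172.17.50.36
debserv-Z.test. IN MX 15 mail.debserv-Z.test.
mail.debserv-Z.test. IN A 172.17.50.36
blog.debserv-Z.test. IN CNAME debserv-z.test.
"""

# Constructed: MX target lost its trailing dot, and blog has a CNAME plus an A record.
BAD_ZONE = """\
$ttl 38400
debserv-Z.test. IN SOA 2480-Z.itc2480.campus.ihitc.net. root.debserv-Z.test. ( 1 10800 3600 604800 38400 )
debserv-Z.test. IN NS 2480-Z.itc2480.campus.ihitc.net.
debserv-Z.test. IN A 172.17.50.36
debserv-Z.test. IN MX 15 mail.debserv-Z.test
mail.debserv-Z.test. IN A 172.17.50.36
blog.debserv-Z.test. IN CNAME debserv-Z.test.
blog.debserv-Z.test. IN A 172.17.50.36
"""


def absolute(name, origin):
    """Lower-case a name and append the zone origin unless it already ends with a dot."""
    origin = origin.lower().rstrip(".") + "."
    if name == "@":
        return origin
    name = name.lower()
    return name if name.endswith(".") else name + "." + origin


def parse_zone(text, origin):
    """Return (owner, type, rdata-list) tuples. Handles ';' comments, '$' directives,
    '( ... )' groups and inherited owners; quoted TXT data is out of scope."""
    text = re.sub(r";[^\n]*", "", text)
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)
    records, owner = [], absolute("@", origin)
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("$"):
            continue
        if not line[0].isspace():          # an indented line reuses the previous owner
            owner = absolute(fields.pop(0), origin)
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                  # skip optional TTL and class
        if len(fields) >= 2:
            records.append((owner, fields[0].upper(), fields[1:]))
    return records


def lint_zone(text, origin):
    """Return a list of human-readable findings; an empty list means no problem found."""
    zone = absolute("@", origin)
    records = parse_zone(text, origin)
    types_by_owner = {}
    for owner, rtype, _ in records:
        types_by_owner.setdefault(owner, set()).add(rtype)
    findings = []
    for owner, rtype, rdata in records:
        if rtype not in TARGET_FIELD or len(rdata) <= TARGET_FIELD[rtype]:
            continue
        raw = rdata[TARGET_FIELD[rtype]]
        target = absolute(raw, origin)
        if raw != "@" and not raw.endswith("."):
            findings.append(f"{owner} {rtype}: target '{raw}' has no trailing dot, "
                            f"so it expands to {target}")
        in_zone = target == zone or target.endswith("." + zone)
        have = types_by_owner.get(target, set())
        if in_zone and rtype in ("MX", "NS") and not have & ADDRESS_TYPES:
            findings.append(f"{owner} {rtype}: {target} has no A or AAAA record in this zone")
        if in_zone and rtype == "CNAME" and not have:
            findings.append(f"{owner} CNAME: {target} does not exist in this zone")
    for owner, types in sorted(types_by_owner.items()):
        if "CNAME" in types and len(types) > 1:
            others = ", ".join(sorted(types - {"CNAME"}))
            findings.append(f"{owner}: CNAME cannot coexist with other record types ({others})")
    return findings


if __name__ == "__main__":
    for finding in lint_zone(BAD_ZONE, "debserv-Z.test"):
        print(finding)
```

Targets outside the zone, such as the NS host here, are not checked because their address records live in another zone.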
<br />
==Checking Your Work==<br />
<br><br><br />
<br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_08_test.py | python3<br />
</nowiki></code></div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_7_mnjk&diff=9558Lab 7 mnjk2021-03-02T22:06:25Z<p>NateHaleen: /* Checking Your Work */</p>
<hr />
<div>=Introduction=<br />
'''''[https://www.youtube.com/watch?v=dQw4w9WgXcQ Watch the video introduction]'''''<br />
<br />
This lab assumes you know how to install a package from the Debian repository and you have Webmin installed. If you need help please see '''[[Lab_1_mnjk#Installing_sudo_and_checking_your_IP_address | Lab 1]]''' and '''[[Lab_3_mnjk#Install_the_Webmin_Control_Panel | Lab 3]]'''.<br />
<br />
In this lab you will perform the following tasks:<br />
* Install [https://www.samba.org/samba/ Samba]<br />
* Setup a Guest Share<br />
* Share Home Directories<br />
* Setup a group share<br />
<br />
You will not be introduced to new commands.<br />
<br />
= Lab Procedure =<br />
== Prerequisites ==<br />
<ol><br />
<li> Open an SSH console to your Linux system using the PuTTY software, login with your standard user account. </li><br />
<li> Make sure that Webmin is installed on your system. </li><br />
<li> Make sure you have an up-to-date list of packages on your system using the '''apt update''' command. </li><br />
<li> Make sure you have all the latest software upgrades on your system using the '''apt upgrade''' command. </li><br />
</ol><br />
: ''NOTE: This lab sets up Samba with anonymous guest access which is not supported by Windows 10 anymore. You can work around this (directions for doing so are below) but you can't work around it on IHCC campus managed PCs so this lab really requires access to a PC which you have full administrative control over.''<br />
<br />
== Install Samba ==<br />
'''''[https://www.youtube.com/watch?v=h15fXbqYx5Y&feature=youtu.be Video Tutorial - Install Samba]''''' <br><br />
<ol><br />
<li> With your favorite package manager, install the '''samba''' package. </li><br />
<li> After Samba is installed, login into Webmin on your local computer's web browser. </li><br />
<li> Under the servers tab, notice how Samba does not show up. This is because we just installed the package. </li><br />
<li> On the bottom of the left toolbar, click '''refresh modules'''. After a minute, it should refresh the page. Now look under the servers tab again. Does Samba now show up?</li><br />
</ol><br />
<br />
== Setup a Guest Share ==<br />
'''''[https://www.youtube.com/watch?v=BmgKPYIVaPY&feature=youtu.be Video Tutorial - Setup a Guest Share]''''' <br><br />
<br />
The first thing we are going to do is create a guest share.<br />
This share will allow for all users, even those who have not authenticated, to read files.</li><br />
To help you better understand samba, this first share will be configured from PuTTY and command line.<br />
<ol><br />
<li>Change into the '''/etc/samba/''' directory and view a directory listing.<br />
: In here we have one main file, '''smb.conf''', which holds all of the Samba share and authentication settings. There may also be a few other files and directories which can be used for more advanced Samba features such as TLS certificate based authentication.</li><br />
<li>With your favorite text editor, open up '''smb.conf''' with administrative permission.</li><br />
<li>Scroll to the bottom of the file, and notice how shares are defined. They all have a similar format such as:<br />
<pre><br />
[Share Name]<br />
comment = Share Comment<br />
options....</pre><br />
:'''options''' are the different configuration settings.</li><br />
Let's try creating the guest share folder from the config file manually.<br />
<li>Exit out of the text editor, and create the folder '''/srv/Guest-Files''' as root.<br />
: This will be the folder we are sharing.</li><br />
<li>Open up '''/etc/samba/smb.conf''' in a text editor again as root, and go to the bottom of the file.</li><br />
<li>Enter the following:<br />
<pre>[Guest Share]<br />
comment = Public File Share<br />
public = yes<br />
path = /srv/Guest-Files</pre><br />
You have now created the public share. <br />
</li><br />
<br />
<li>In order to make the share take effect you need to restart the Samba service on your machine with the following command: <br />
<br><br />
<code>service smbd restart</code><br />
<br />
: ''NOTE: Restarting services requires administrative permission.''</li><br />
<li>To test this share, go into '''/srv/Guest-Files''' and create a text file and enter some information.<br />
: We will use this file to test the read-only settings of the share.<br />
: At this point, we should be ready to test out our configuration. </li><br />
<li>On your Local Computer, open up the run dialog box, and enter '''\\172.17.50.xx''' (The IP you setup for the static address of your VM), and press enter.<br />
: You should see a share folder called Guest Share.<br />
:[[file:Samba-windows-guest.png | link= https://wiki.ihitc.net/mediawiki/images/d/d4/Samba-windows-guest.png | 500px]]<br />
:[[media:Samba-windows-guest.png | Click for Larger Image]]</li><br />
: ''NOTE: If you receive an error on your local system and can't access the Samba share, it might be your firewall blocking the connection. This has been the case with non-Windows Firewalls such as BitDefender. If you are using one of these firewalls you may have to make a rule to allow traffic. This link might help: [https://www.bitdefender.com/consumer/support/answer/2397/ https://www.bitdefender.com/consumer/support/answer/2397/]''<br />
<li>Open the Guest Share folder and see if your text file is in the share.</li><br />
<li>Open up the file, and try to edit and save the file. What error do you get?</li><br />
: '''''SPECIAL NOTE for Windows 10 Client PCs:''' If the computer you are using to try and connect to this share is running Windows 10 version 1709 or later, [https://support.microsoft.com/en-us/help/4046019/guest-access-smb2-disabled-by-default-in-windows-10-server-2016 Microsoft has disabled SMB guest share access]. You have a few different options for completing this:''<br />
:* Use an earlier version of Windows (remember you'll need to install OpenVPN and be connected to ITCnet) such as Windows 10 before version 1709, Windows 8, or Windows 7 to attempt to connect to the share.<br />
:* Follow the instructions on the above Microsoft page to re-enable guest share access on your Windows 10 version 1709 or later system using the group policy editor (requires Windows 10 Professional or Enterprise)<br />
:* Use the registry editor to set the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters] "AllowInsecureGuestAuth" to dword:1 (Note: editing your registry can cause your system not to boot and other unexpected behavior, so be careful and be sure of what you are doing)<br />
: '''''SPECIAL NOTE for Personal Windows PCs:''' If you are getting an error after hitting enter in the run dialog box, try either disabling your firewall or making a firewall exception for the IP address of your server.''<br />
</ol><br />
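The save error in the last step comes from Samba's defaults: a share is read-only unless told otherwise, and ''public'' is a synonym for ''guest ok''. The Python sketch below is an added example (not part of the original lab or of Samba) that works out the effective guest and write settings for every share in an ''smb.conf'' and lists any share that is both guest-accessible and writable. The sample file is constructed; its ''[Guest Share]'' section matches the one created above, and ''[Scratch]'' is a hypothetical share added to show a flagged case.

```python
BOOL_TRUE = {"yes", "true", "1"}

# Synonyms from smb.conf(5): canonical parameter name and whether the meaning is inverted.
CANONICAL = {
    "guestok": ("guestok", False), "public": ("guestok", False),
    "readonly": ("readonly", False), "writable": ("readonly", True),
    "writeable": ("readonly", True), "writeok": ("readonly", True),
}

# Constructed sample configuration.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   map to guest = bad user

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   valid users = %S

[Guest Share]
comment = Public File Share
public = yes
path = /srv/Guest-Files

# Hypothetical share: anonymous users may write here.
[Scratch]
   path = /srv/scratch
   guest ok = yes
   read only = no
"""


def parse_smb_conf(text):
    """Return {section: {param: value}}; the boolean parameters tracked here are
    folded onto their canonical name so the last setting in a section wins."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = "".join(key.split()).lower()   # parameter names ignore case and spaces
        value = value.strip()
        if key in CANONICAL:
            key, inverted = CANONICAL[key]
            value = (value.lower() in BOOL_TRUE) != inverted
        current[key] = value
    return sections


def audit_shares(text):
    """Return {share: {"guest_ok", "read_only", "path"}} with defaults applied."""
    sections = parse_smb_conf(text)
    defaults = {"guestok": False, "readonly": True}   # Samba's built-in defaults
    for name, params in sections.items():
        if name.lower() == "global":                  # [global] can override them
            defaults.update({k: v for k, v in params.items() if k in defaults})
    report = {}
    for name, params in sections.items():
        if name.lower() == "global":
            continue
        report[name] = {
            "guest_ok": params.get("guestok", defaults["guestok"]),
            "read_only": params.get("readonly", defaults["readonly"]),
            "path": params.get("path", ""),
        }
    return report


def risky_shares(text):
    """Shares that unauthenticated users can write to."""
    return [name for name, s in audit_shares(text).items()
            if s["guest_ok"] and not s["read_only"]]


if __name__ == "__main__":
    for name, settings in audit_shares(SAMPLE_SMB_CONF).items():
        print(f"{name}: {settings}")
    print("guest-writable:", risky_shares(SAMPLE_SMB_CONF))
```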
<br />
== Share Home Directories ==<br />
'''''[https://www.youtube.com/watch?v=MOJ6wwiQ1mk&feature=youtu.be Video Tutorial - Share Home Directories]''''' <br><br />
Now we are going to setup Home Directory Sharing. By default this is enabled, but write access is not and no users are setup.<br />
First it must be noted that Samba requires separate user accounts from the system, just like MySQL. So first, we are going to add your user account.<br />
<ol><br />
<li> To do this, we are now going to use Webmin to configure the shares.<br />
: Notice also what other shares are enabled in Samba by default when looking at the Webmin page for Samba. </li><br />
:[[file:Webmin-samba-dashboard.png | link= https://wiki.ihitc.net/mediawiki/images/9/9d/Webmin-samba-dashboard.png | 500px]]<br />
:[[media:Webmin-samba-dashboard.png | Click for Larger Image]]<br />
<li> On the Webmin Samba configuration page, click '''Samba Users'''.<br />
: Notice how none are currently defined.</li><br />
<li>Go back and click '''Convert Users'''.<br />
: This is the tool we will use to convert/copy the local Unix user accounts to Samba accounts.</li><br />
<li>Leave the Unix users to convert option set to all except listed users and UID ranges with the option of -499.<br />
: This will add all user accounts with a UID of 500 or more to Samba. Lower UID values are typically used on Debian systems as service accounts (like ''www-data'') who should not have Samba permissions. </li><br />
<li> On the bottom, select '''No password'''.<br />
: We are doing this as we will define unique passwords for each user.</li><br />
<li>Click '''Convert Users''' when ready. </li><br />
<li> When you are done, go to the '''Samba Users''' page again.<br />
: Notice how your user account is now listed.</li><br />
<li>From here you can now add passwords to the different user accounts you added in the last step. Be sure to set the passwords for each user you intend to connect with. </li><br />
<br />
Lastly we are going to set up write access to home folders, so you will be able to add files to your home directory over Samba.<br />
<br />
<li> On the Samba config page, under '''Shares''', click the '''home share'''.</li><br />
<li> Click '''Security and Access Control'''.</li><br />
<li> Set the '''Writable''' option to '''Yes''', and then click save. </li><br />
<li> Go back to the Samba config page, and click the '''Restart Samba Servers''' option at the bottom.<br />
: We do this to force samba to load the new configuration. You can also wait a minute or two if you don't want to disconnect any connected users. </li><br />
: At this point, we should be ready to test out our configuration.<br />
<li>On your Local Computer, open up the run dialog box, and enter '''\\172.17.50.xx''' (the static IP address you set up), and press enter.<br />
: Notice how you do not see a home directory share because you are connected without any authentication.</li><br />
<li>In the top URL window, add '''\<username>''' to the path, e.g. '''\\172.17.50.xx\user'''.<br />
: You should now get a login popup.</li><br />
<li>Login as your user, and you should be greeted with your home folder.<br />
: ''NOTE: If your user is unable to login you may have forgotten to set a Samba password for the user as directed above. You need to set a password for each user within Samba.''<br />
: ''NOTE: On local systems running an operating system other than Windows follow whatever process you would normally use to connect to a Windows file share using the IP address of your VM as the server name.'' </li><br />
<li> Test creating and deleting a file to verify write access is working.</li><br />
<li> Try to access a home share of another user that was added to Samba.<br />
: Notice how you do not have permissions.</li><br />
<li>Try logging in with another user account to access a different home share.<br />
: ''NOTE: To use another user account in a samba share, you may have to logout and then back in on your local machine.'' </li><br />
</ol><br />
<br />
== Setup a Group Share ==<br />
'''''[https://www.youtube.com/watch?v=1C7BBUC_V3A&feature=youtu.be Video Tutorial - Setup a Group Share]''''' <br><br />
Now we are going to set up a group folder share that will allow all Samba users to read and write to the folder.<br />
<ol><br />
<li>Go back to the Webmin Samba configuration panel.<br />
: We are going to create a new share.</li><br />
<li>Under '''shares''', select the '''Create a new file share''' link. Use the following base configuration:<br />
<br><br />
<code>Share Name: Share-Files<br><br />
Directory to share: /srv/Group-Share<br><br />
Automatically Create Directory: Yes<br><br />
Create with owner: root<br><br />
Create with permissions: 775<br><br />
Create with group: users<br><br />
Available: yes<br><br />
Browsable: yes<br><br />
Share Comment: group share folder<br />
</code></li><br />
<li>Once the share is setup, click it to edit it.</li><br />
<li>Once you are at the '''Edit File Share''' page, click '''File Permissions'''.<br />
: Notice how the New Unix file and New Unix directory are set to 755 by default, even though we set the share to use 775 to create the directory. This is done for security purposes as it would only allow the owner to have modification privileges for the files and directories they create. We need to modify this so that all users on the system have full access to files in this share.</li><br />
<li>Set the '''New Unix file''' and '''New Unix directory''' mode to 775, and set '''Force Unix group''' to '''users'''. You can now press '''save'''. We do this to allow all authenticated users permission to modify and edit files that may have been added by other users.</li><br />
: Now we will need to enable write access to the folder.<br />
<li>On the '''Edit file share''' page again, click '''Security and Access Control'''.</li><br />
<li>Set the '''Writable''' option to '''Yes''', and press '''save'''.</li><br />
<li>At this point, you can test the share exactly the same way we did with the home folder share.</li><br />
: Notice though how this share is set to '''browsable''', so it shows up in the root share folder. Go ahead and create a file through your host computer. Then use PuTTY to look at the user and group assigned to the files you created.<br />
: It is important to note that even if a user has read or write permission in Samba they must ''also'' have permission to read or write the file/directory on the underlying Linux filesystem. Many problems with making Samba work can be traced to permissions errors where a user does not have correct permission to work with a file or directory either by the Samba software ''or'' by the filesystem.<br />
<li>Look at your '''smb.conf''' file and see what changes Webmin made in order to set up your group share.</li><br />
</ol><br />
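The point above, that Samba and the Linux filesystem must both allow a write, can be checked from the shell. The script below is an added example, not part of the original lab: it reads a share's settings from an smb.conf file and compares them with the directory's mode bits and group. The function names and verdict words are made up for this illustration, the sample smb.conf is constructed, and only mode bits and the group name are examined (not ACLs or the connecting user's own groups).

```bash
#!/bin/sh
# Added example: does the filesystem agree with what smb.conf promises?

# share_param FILE SHARE KEY -> value of KEY inside [SHARE] (empty if unset)
share_param() {
    awk -v share="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }                   # comment line
        /^[ \t]*\[/ {                            # section header such as [Share-Files]
            name = $0
            sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name)
            in_share = (tolower(name) == tolower(share))
            next
        }
        in_share && index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) val = v
        }
        END { print val }
    ' "$1"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# samba_writable FILE SHARE -> exit 0 if any spelling of the write switch is on
samba_writable() {
    for key in writeable writable "write ok"; do
        case $(lower "$(share_param "$1" "$2" "$key")") in yes|true|1) return 0 ;; esac
    done
    case $(lower "$(share_param "$1" "$2" "read only")") in no|false|0) return 0 ;; esac
    return 1
}

# has_group_write MODE -> exit 0 if the octal mode contains the group write bit
has_group_write() {
    case $1 in ''|*[!0-7]*) return 1 ;; esac
    [ $(( 0$1 & 020 )) -ne 0 ]
}

# check_share FILE SHARE -> prints one verdict word
check_share() {
    conf=$1; share=$2
    [ -r "$conf" ] || { echo NO_CONFIG; return 0; }
    dir=$(share_param "$conf" "$share" path)
    [ -n "$dir" ] || { echo NO_SUCH_SHARE; return 0; }
    samba_writable "$conf" "$share" || { echo SAMBA_READ_ONLY; return 0; }
    [ -d "$dir" ] || { echo PATH_MISSING; return 0; }
    listing=$(ls -ld "$dir")                      # e.g. drwxrwxr-x 2 root users ...
    case $listing in
        ?????w*) ;;                               # 6th character is the group write bit
        *) echo FS_DENIES_GROUP_WRITE; return 0 ;;
    esac
    fgroup=$(share_param "$conf" "$share" "force group")
    dgroup=$(printf '%s\n' "$listing" | awk '{ print $4 }')
    if [ -n "$fgroup" ] && [ "${fgroup#+}" != "$dgroup" ]; then
        echo FS_GROUP_MISMATCH; return 0
    fi
    mask=$(share_param "$conf" "$share" "create mask")
    [ -n "$mask" ] || mask=$(share_param "$conf" "$share" "create mode")   # synonym
    # An unset mask is treated as lacking group write.
    has_group_write "$mask" || { echo MASK_DROPS_GROUP_WRITE; return 0; }
    echo OK
}

# Demo on a constructed smb.conf and scratch directory; /etc and /srv are not touched.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/Group-Share"; chmod 775 "$tmp/Group-Share"
    grp=$(ls -ld "$tmp/Group-Share" | awk '{ print $4 }')
    cat > "$tmp/smb.conf" <<EOF
[Share-Files]
    comment = group share folder
    path = $tmp/Group-Share
    writeable = yes
    create mask = 775
    directory mask = 775
    force group = $grp
EOF
    check_share "$tmp/smb.conf" Share-Files       # directory is 775
    chmod 755 "$tmp/Group-Share"
    check_share "$tmp/smb.conf" Share-Files       # same smb.conf, directory now 755
    rm -rf "$tmp"
}
demo
```

On the lab server the equivalent call would be <code>check_share /etc/samba/smb.conf Share-Files</code>, assuming smb.conf is in the usual Debian location.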
<br />
= Checking Your Work =<br />
<br><br><br />
<br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_07_test.py | python3<br />
</nowiki></code></div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_6_mnjk&diff=9557Lab 6 mnjk2021-03-02T22:05:57Z<p>NateHaleen: /* Checking your Work */</p>
<hr />
<div>=Introduction=<br />
'''''[https://www.youtube.com/watch?v=dQw4w9WgXcQ Watch the video introduction]'''''<br><br />
In this lab you will perform the following tasks:<br />
*Installing typical website software on your server including a forum and blog software<br />
*Playing with basic PHP web scripting<br />
In all of these cases you should download the latest stable .tar.gz version of the software from the website and install it following the official documentation. <br><br />
'''DO NOT''' install pre-built Debian packages, this is not allowed and will not prepare you properly for installing this type of software in many web hosting environments.<br />
<br />
There are no specific Linux commands needed for this lab, but this lab assumes you can do the following:<br />
*[[Lab_5_mnjk#Experiment_with_Databases | MariaDB database creation]]<br />
*[[Lab_5_mnjk#Experiment_with_Website_PHP | Creating HTML links]]<br />
<br />
=Lab Procedure=<br />
== Prerequisites ==<br />
# Open an SSH console to your Linux system using the PuTTY software<br />
# Login with your standard user account<br />
# Use FileZilla to transfer files to your system using SCP/SFTP if needed<br />
<br />
== Install Wordpress ==<br />
'''''[https://www.youtube.com/watch?v=Qg5fow1_SCY&feature=youtu.be Video Tutorial - Install Wordpress]'''''<br />
# Download the latest stable version of the [http://wordpress.org/ Wordpress blogging software]<br />
#:[[file:Lab6_links_wordpress.png | link= https://wiki.ihitc.net/mediawiki/images/3/39/Lab6_links_wordpress.png | 500px]]<br />
#:[[media:Lab6_links_wordpress.png| Click for Larger Image]]<br />
# Try following the [http://codex.wordpress.org/Main_Page official installation documentation] to install the software. <br />
#: Your goal is to install the software in the ''/blog/'' directory of your webserver so that you can visit your blog by going to http://''example.com''/blog/ where ''example.com'' is your IP address (we don't have DNS set up).<br />
#: ''HINT: You can use either the mysql command line client or the Webmin interface to do the database setup.''<br />
#* The command to create a database in MariaDB is:<br />
#: <code> CREATE DATABASE <name of database>; </code><br />
#* Once the database is created you will need to create a user:<br />
#: <code> CREATE USER '<username>'@'localhost' IDENTIFIED BY '<password>';</code><br />
#* Now grant the newly created user privileges:<br />
#: <code> GRANT ALL PRIVILEGES ON <database>.* TO '<username>'@'localhost';</code><br />
#* Once you've completed these steps return to the Wordpress Installation Guide and complete the installation.<br />
#:[[file:Lab6_WordPress_Installation_mk2.png | link= https://wiki.ihitc.net/mediawiki/images/f/fa/Lab6_WordPress_Installation_mk2.png | 500px]]<br />
#:[[media:Lab6_WordPress_Installation_mk2.png | Click for Larger Image]]<br />
# Once the software is installed make sure that you can successfully log in to the Wordpress web interface and add a few blog posts.<br />
#:[[file:Lab6_wordpress_default_blog_mk2.png | link= https://wiki.ihitc.net/mediawiki/images/9/9b/Lab6_wordpress_default_blog_mk2.png | 500px]]<br />
#:[[media:Lab6_wordpress_default_blog_mk2.png| Click for Larger Image]]<br />
<br />
== Install MyBB ==<br />
'''''[https://www.youtube.com/watch?v=VegevSlCpSQ&feature=youtu.be Video Tutorial - Install MyBB]'''''<br />
# Download and install the latest stable version of the [http://www.mybb.com/ MyBB forum software] following the instructions in their documentation. <br />
#:[[file:lab6_links_mybb.png | link= https://wiki.ihitc.net/mediawiki/images/2/2b/Lab6_links_mybb.png | 500px]]<br />
#:[[media:lab6_links_mybb.png | Click for Larger Image]]<br />
#: Your goal is to install the software in the ''/forum/'' directory of your webserver so that you can visit your forum by going to http://''example.com''/forum/ where ''example.com'' is your IP address (we don't have DNS set up).<br />
#:[[file:lab6_MyBB_Installation.png | link= https://wiki.ihitc.net/mediawiki/images/d/d2/Lab6_MyBB_Installation.png | 500px]]<br />
#:[[media:lab6_MyBB_Installation.png | Click for Larger Image]]<br />
#: ''HINT: If you get an error during installation about PHP XML extensions, use '''apt''' to search for and install php-xml. After that use '''sudo service apache2 restart''' to restart Apache2 and apply the change.''<br />
# Make sure that you can create forums, users, and posts once you have installed the software.<br />
#:[[file:lab6_mybb_default.png | link= https://wiki.ihitc.net/mediawiki/images/d/d6/Lab6_mybb_default.png | 500px]]<br />
#:[[media:lab6_mybb_default.png | Click for Larger Image]]<br />
<br />
== Install One Additional PHP Application ==<br />
'''''[https://www.youtube.com/watch?v=X-u9EdQxcxw&feature=youtu.be Video Tutorial - Additional PHP Applications]'''''<br />
# Select One Additional PHP Application from the list below and install it following the official documentation:<br />
#* [http://www.opencart.com/ OpenCart] - Web Store System<br />
#* [https://www.mediawiki.org/ MediaWiki] - Wiki System<br />
#* [https://www.joomla.org/ Joomla!] - Content Management System<br />
#* [https://nextcloud.com NextCloud] - File Management like Google Drive<br />
#* [http://piwigo.org/ Piwigo] - Image Gallery<br />
#* [https://gnu.io/social/ GNU Social] - Microblogging like Twitter<br />
#* [https://www.limesurvey.org/stable-release LimeSurvey] - Run your own site like SurveyMonkey<br />
#* Other PHP applications may be approved by your instructor<br />
# After completing the installation make sure the software works as it should<br />
<br />
== Experiment With PHP ==<br />
# Take a look at the simple [http://www.w3schools.com/php/php_ajax_rss_reader.asp RSS reader on the w3schools site]<br />
# See if you can get the RSS reader working on your own server.<br />
#:[[file:lab6_rss.png | link= https://wiki.ihitc.net/mediawiki/images/a/a0/Lab6_rss.png | 500px]]<br />
#:[[media:lab6_rss.png | Click for Larger Image]]<br />
# Try changing one or both of the RSS feeds from Google and ZDNet to feed(s) of your choice<br />
# Try modifying the code to include more than two RSS feeds<br />
#: ''Hint: The idea in this section of the lab is to see if you can figure out how a simple PHP application works and modify it, not specifically to see if you can run the RSS reader.''<br />
<br />
== Update Your Main Page ==<br />
# Put links on your main INDEX page to everything you have done (your blog, forums, additional PHP software, and RSS reader experimental page)<br />
#: Here is a sample of what your INDEX page might look like, but you are free to customize it however you wish:<br />
#: [[File:Lab6_index_page.png|link=https://wiki.ihitc.net/mediawiki/images/0/00/Lab6_index_page.png | 500px]]<br />
#: [[Media:Lab6_index_page.png| Click here for larger image]]<br />
<br />
=Checking your Work=<br />
Wordpress<br />
# On your host computer navigate to http://''example.com''/blog.<br />
# Make a blog post.<br />
# Reach out to someone else in the class (you can get classmates' email addresses from the D2L Classlist) and ask them to comment on your blog post.<br />
#: If you are able to post and see a comment from your classmate you have successfully completed the Wordpress section of the lab.<br />
<br><br />
MyBB<br />
# On your host computer navigate to http://''example.com''/forum.<br />
# Create a forum.<br />
# Create a user account.<br />
# Make a post using your new user account.<br />
#: If you are able to make a post using the new user account you have successfully completed the MyBB section of the lab.<br />
<br><br />
Other PHP Applications<br><br />
: Depending on which PHP application you installed, the method of testing will be different.<br />
:Use your creativity. Here are some ideas:<br />
*Upload something.<br />
* Post Something.<br />
*Make a new page.<br />
: When you are satisfied that your application is working properly, you have completed the PHP application section of this lab.<br />
<br><br />
RSS Feed Reader<br />
# From your host system navigate to the location of your RSS feed.<br />
#: ''HINT: This should be linked on your index page''<br />
# Use the dropdown bar to select a feed.<br />
#: The most recent posts from that feed should appear.<br />
#:[[file:Lab6_rss_sample.png | link= https://wiki.ihitc.net/mediawiki/images/f/f7/Lab6_rss_sample.png | 500px]]<br />
#:[[media:Lab6_rss_sample.png | Click for Larger Image]]<br />
# Try clicking the link to navigate to the full article.<br />
#: If you are able to complete all these steps you have successfully completed the RSS Reader section of this lab. <br />
<br><br><br />
<br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_06_test.py | python3<br />
</nowiki></code><br />
</ol></div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_5_mnjk&diff=9556Lab 5 mnjk2021-03-02T22:05:09Z<p>NateHaleen: /* View Logfiles */</p>
<hr />
<div>=Introduction=<br />
In this lab you will perform the following tasks:<br />
*Learn about static network configuration of Debian Linux systems<br />
*Install '''[https://www.php.net PHP]'''<br />
*Install '''[https://mariadb.org MariaDB]''' on your server; this is an open-source MySQL alternative<br />
*Experiment with websites and databases<br />
*Explore the standard log files on your system.<br />
<br />
You will be introduced to the following commands:<br />
<br />
*'''[https://linux.die.net/man/8/ifup ifup]'''<br />
*'''[https://linux.die.net/man/8/ifdown ifdown]'''<br />
*'''[https://linux.die.net/man/8/ping ping]'''<br />
*'''[https://linux.die.net/man/8/shutdown shutdown]'''<br />
*'''[https://www.commandlinux.com/man-page/man8/a2dissite.8.html a2ensite]'''<br />
*'''[https://www.commandlinux.com/man-page/man8/a2dissite.8.html a2dissite]'''<br />
*'''[https://linux.die.net/man/1/wget wget]'''<br />
*'''[https://linux.die.net/man/1/zcat zcat]'''<br />
*'''[https://linux.die.net/man/8/service service]'''<br />
*'''[https://linux.die.net/man/1/tail tail]'''<br />
<br />
You will also use the following MySQL (MariaDB) commands:<br />
<br />
*'''[https://mariadb.com/kb/en/use USE]'''<br />
*'''[https://mariadb.com/kb/en/show SHOW]'''<br />
*'''[https://mariadb.com/kb/en/select SELECT]'''<br />
*'''[https://mariadb.com/kb/en/drop-database DROP database]'''<br />
<br />
=Lab Procedure=<br />
==Prerequisites==<br />
# Open an SSH console to your Linux system using the PuTTY software, login with your standard user account<br />
# Make a note of the static IP address information for your particular system in the table below. It is based on the system name identification letter in vmWare. These IP addresses will ONLY be valid in the ITC vmWare Linux class subnet. If you are working on a local VirtualBox system you will need to select an available static IP from the correct subnet for your system or skip the static IP addressing section. All vmWare systems will use a gateway address of 172.17.50.1 and a subnet mask of 255.255.255.0 with two nameservers, 172.17.139.11 and 172.17.139.111.<br />
{| {{table}}<br />
| align="center" style="background:#f0f0f0;"|'''System ID'''<br />
| align="center" style="background:#f0f0f0;"|'''Static IP'''<br />
|-<br />
| A||172.17.50.11<br />
|-<br />
| B||172.17.50.12<br />
|-<br />
| C||172.17.50.13<br />
|-<br />
| D||172.17.50.14<br />
|-<br />
| E||172.17.50.15<br />
|-<br />
| F||172.17.50.16<br />
|-<br />
| G||172.17.50.17<br />
|-<br />
| H||172.17.50.18<br />
|-<br />
| I||172.17.50.19<br />
|-<br />
| J||172.17.50.20<br />
|-<br />
| K||172.17.50.21<br />
|-<br />
| L||172.17.50.22<br />
|-<br />
| M||172.17.50.23<br />
|-<br />
| N||172.17.50.24<br />
|-<br />
| O||172.17.50.25<br />
|-<br />
| P||172.17.50.26<br />
|-<br />
| Q||172.17.50.27<br />
|-<br />
| R||172.17.50.28<br />
|-<br />
| S||172.17.50.29<br />
|-<br />
| T||172.17.50.30<br />
|-<br />
| U||172.17.50.31<br />
|-<br />
| V||172.17.50.32<br />
|-<br />
| W||172.17.50.33<br />
|-<br />
| X||172.17.50.34<br />
|-<br />
| Y||172.17.50.35<br />
|-<br />
| Z||172.17.50.36<br />
|}<br />
<br />
<br />
<br />
==Set a static IP==<br />
'''''[https://www.youtube.com/watch?v=VcPA6gJ0Ohw&feature=youtu.be Video Tutorial - Setting a Static IP Address]'''''<br />
<br />
: An important first step is to learn how to differentiate between network interfaces. Take a look at [https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/ this site] and [https://github.com/systemd/systemd/blob/master/src/udev/udev-builtin-net_id.c#L20 this site] to understand how network interface names in Debian 9 and later are identified.<br />
<ol><br />
<li>Set a static IP for your server</li><br />
* Using your text editor of choice, open up the file ''/etc/network/interfaces''<br />
* Notice how it is currently set to dhcp for the ''ens192'' interface.<br />
* To set a static IP, you will need to change ''iface ens192 inet dhcp'' to ''iface ens192 inet static''.<br />
* Now, under the iface line you just edited, you will need to enter the address, netmask, and gateway for the static network.<br />
:'''Reminder: it is common practice to indent (tab) static network configuration information in the interfaces file.'''<br />
''Note: Your configuration should be similar to this:''<br />
<pre>allow-hotplug ens192<br />
iface ens192 inet static<br />
    address xxx.xxx.xxx.xxx<br />
    netmask 255.255.255.0<br />
    gateway 172.17.50.1<br />
    dns-nameservers 172.17.139.11 172.17.139.111</pre><br />
* Now save the file, and exit your file editor.<br />
<li>Apply your static IP address</li><br />
* Now we are going to apply the static IP change. Try using '''ip address show''' to view your active configuration now and you should see that your old address is still active.<br />
:''NOTE: You should only make network configuration changes when you have physical access to a machine. This way, if you mess up your configuration you will be able to fix it from a local console.'' If you lose working SSH access to your system after making these changes you'll need to connect in through the NetLab console interface (which is equivalent to physical access) and find and correct your configuration issues.<br />
* Using the '''ifdown''' and '''ifup''' command, we are going to restart the network interface, this step is required to apply the change.<br />
:''Note: A good method to watch this change is to have two ping windows open on your local machine, pinging both your old IP address and your new IP address with '''ping 172.17.50.xx -t'''. This will allow you to see how quickly the change will happen. The first image below is with the DHCP address, the second is after the static address is applied.''<br />
:[[File:Lab5_ping_ifup_ifdown.png|link=https://wiki.ihitc.net/mediawiki/images/2/2f/Lab5_ping_ifup_ifdown.png|500px]]<br />
:[[Media:Lab5_ping_ifup_ifdown.png|Click here for a larger image]]<br />
* In an SSH terminal, run '''sudo ifdown ens192 && sudo ifup ens192'''. Notice the two ''&&'' symbols. They tell the Linux shell to run the second command right after the first, as long as the first one succeeds. If we ran '''ifdown''' on its own, the SSH session would drop before we could type '''ifup''' and we would be left with a machine that has its networking turned off.<br />
: <code>sudo ifdown ens192 && sudo ifup ens192</code><br />
''Note: you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.''<br />
* At this point, your machine should now be using a static address. You may receive an error message indicating that an address cannot be assigned which is related to your old DHCP address still being on the interface as well. Use '''ip address show''' to verify the new IP address is assigned to the interface.<br />
<li>Verify the new static IP address</li><br />
* Use a '''ping''' command from your local PC to try pinging both the old DHCP address as well as your new static address of your VM. <br />
* Once you have verified the VM is responding on the new static IP address, restart your VM with '''sudo shutdown -r now''' to ensure the old DHCP address is removed. Note that you will lose your SSH connection because the IP your SSH session is connected to is no longer in use by your VM.<br />
<li>Reconnect through SSH to your new IP address and verify it is now applied using the '''ip address show''' command.</li><br />
</ol><br />
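Because a mistake in the static stanza cuts off SSH as soon as the interface is restarted, it is worth checking the file before running '''ifdown''' and '''ifup'''. The script below is an added example, not part of the original lab: it confirms the stanza is ''static'', that ''address'', ''netmask'' and ''gateway'' are real dotted quads (so a leftover ''xxx.xxx.xxx.xxx'' is caught), and that the gateway is in the same subnet as the address. The function names and verdict words are made up for this illustration, the sample file is constructed from the lab's table, and the dotted ''netmask'' form shown above is assumed.

```bash
#!/bin/sh
# Added example: sanity-check a static stanza before running ifdown/ifup over SSH.

# ip_to_int A.B.C.D -> 32-bit integer; fails on anything that is not a dotted quad
ip_to_int() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1                                   # split the argument on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        # reject empty octets, leading zeros (would parse as octal) and 4+ digits
        case $octet in ''|0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# iface_opt FILE IFACE KEY -> value of KEY in the "iface IFACE inet ..." stanza.
# The special KEY "method" returns the word after "inet" (dhcp, static, ...).
iface_opt() {
    awk -v ifc="$2" -v key="$3" '
        $1 == "iface" {
            in_if = ($2 == ifc && $3 == "inet")
            if (in_if && key == "method") print $4
            next
        }
        $1 ~ /^(auto|allow-|source|mapping)/ { in_if = 0; next }   # stanza ended
        in_if && $1 == key { print $2 }
    ' "$1"
}

# check_static FILE IFACE -> prints one verdict word
check_static() {
    [ "$(iface_opt "$1" "$2" method)" = static ] || { echo NOT_STATIC; return 0; }
    for k in address netmask gateway; do
        v=$(iface_opt "$1" "$2" "$k")
        [ -n "$v" ] || { echo "MISSING_$k"; return 0; }
        n=$(ip_to_int "$v") || { echo "BAD_$k"; return 0; }
        eval "n_$k=\$n"                          # n_address, n_netmask, n_gateway
    done
    # Address and gateway must share the same network bits.
    if [ $(( $n_address & $n_netmask )) -eq $(( $n_gateway & $n_netmask )) ]; then
        echo OK
    else
        echo GATEWAY_OFF_SUBNET
    fi
}

# Demo on a constructed file (system M from the table); /etc is not touched.
demo() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample
allow-hotplug ens192
iface ens192 inet static
    address 172.17.50.23
    netmask 255.255.255.0
    gateway 172.17.50.1
    dns-nameservers 172.17.139.11 172.17.139.111
EOF
    check_static "$f" ens192                     # correct stanza
    sed 's/gateway 172.17.50.1$/gateway 172.17.5.1/' "$f" > "$f.typo"
    check_static "$f.typo" ens192                # gateway mistyped
    rm -f "$f" "$f.typo"
}
demo
```

On the lab VM the call would be <code>check_static /etc/network/interfaces ens192</code>, run before the interface is restarted.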
<br />
==Install PHP & MySQL/MariaDB==<br />
<br />
'''''[https://www.youtube.com/watch?v=Az0qtg4LSjA&feature=youtu.be Video Tutorial - Install PHP and MySQL MariaDB]'''''<br />
<ol><br />
<li>Install packages</li><br />
:* Using '''apt''', install the ''php'' and ''mariadb-server'' packages as well as the ''php-mysql'' package which provides the link between php and mysql and the ''libapache2-mod-php'' package which provides a copy of PHP which allows the Apache webserver to run website PHP scripts.<br />
''Note: Remember to do an '''apt update''' before installing packages to make sure you get the latest versions.''<br />
''Note: MariaDB is a fully compatible replacement for MySQL that isn't controlled by Oracle.''<br />
* After the dependencies are found, go ahead and accept them to continue the install.<br />
<li> After the install is complete, '''cd''' to ''/var/www/html'' which is the root directory of your webserver and so where all website files are served from.</li><br />
<li> In order to fully enable the PHP-MySQL module you should restart your Apache webserver. You don't need to restart your entire system to do this. Do some research on the "apache2ctl" or the "service apache2" commands which can be used to do this.</li><br />
<li> At this point we will test to verify that php is working properly with Apache. Create a new file named ''phptest.php'', and then open it in a text editor.</li><br />
: ''Note: you may have to use sudo to create and edit files in this directory, as your standard user account may not have privileges to create and edit files in this directory.''<br />
:<code>sudo touch phptest.php</code><br />
:<code>sudo nano phptest.php</code><br />
<li>Enter the following into the file:<br />
<pre><?php<br />
phpinfo();<br />
?></pre></li><br />
<li>Now save the file, and on your local machine go to xxx.xxx.xxx.xxx/phptest.php in a web browser where xxx.xxx.xxx.xxx is your VM's static IP. You should now be on a page that shows your PHP Version, and system information.</li> <br />
:[[File:Lab5_php_info.png|500px]]<br />
:[[Media:Lab5_php_info.png|Click here for a larger image]]<br />
<li>Use the "View Source" option in your browser to see what the HTML source code for the page you're viewing is. Is it the same as or different from the .php file you created? Why? How is this different than a standard .html file?</li><br />
:[[File:Lab5_php_info_devtab.png|500px]]<br />
:[[Media:Lab5_php_info_devtab.png|Click here for a larger image]]<br />
</ol><br />
<br />
==Experiment with Website PHP==<br />
<br />
'''''[https://www.youtube.com/watch?v=m_sUrt_quX4&feature=youtu.be Video Tutorial - Experiment with Website PHP]'''''<br />
<ol><br />
<li> Explore Apache symlinks</li><br />
:In a previous lab we learned about editing the ''/var/www/index.html'' file to change the default web page displayed by your server. In a future lab you will install some PHP/MySQL based software which powers many Internet sites with forums, blogs, etc. Before we can do that we need to learn a little more about PHP and about databases. Like most software on Linux the Apache webserver configuration files are stored in the ''/etc'' directory. Specifically, you can find several of them which work together and are called from each other in ''/etc/apache2/''. Take a look in the ''/etc/apache2/sites-enabled/'' directory. See how symlinks are used to point to configuration files which actually reside in the ''/etc/apache2/sites-available/'' directory? This allows us to turn off and on various sites by creating or removing a symlink rather than by deleting the actual configuration file, a handy thing if we just want to temporarily disable a site. In fact Apache provides utilities to automatically add and remove these links called '''a2ensite''' and '''a2dissite'''. Check the '''man''' pages for these commands to see how they work.<br />
<li>Explore '''/etc/apache2/sites-enabled'''</li><br />
:As you might have guessed the default site for your system is configured by the file linked to at ''/etc/apache2/sites-enabled/000-default''. If you open this file in your favorite text editor you will see a series of what Apache calls "directives" which explain how the webserver should function, what port it should listen on, where the website files will reside (''/var/www/html''), etc. <br />
:''NOTE: Going into all of the different Apache directives is outside of the scope of this course but you will find a lot of documentation about them on the Internet.''<br />
<li>Explore the Apache configuration files in Webmin</li><br />
:In addition to configuring Apache directly through its configuration files you can also configure it through an interface like Webmin which we installed in a previous lab. Bring up the Webmin configuration page for Apache and take a look at the settings for the default site. Note how the things you saw directly in the configuration file match up with what you see in Webmin. One of the things you may be interested in seeing is how the webserver knows to display the index.html file from a directory if it exists and no specific file is requested in the URL. Take a look on the "Directory Indexing" page for the default virtualhost and see if you can find this information. You'll notice that there is a list of files, not just index.html, which the server will display.<br />
:''NOTE: You may need to refresh your Webmin modules or "scan for new modules" if you haven't done that since installing Apache and Webmin. Webmin scans your system for compatible server software packages (like Apache) when it is installed but needs to re-scan its modules after you install new server software before you can configure it through Webmin.''<br />
<li>Experiment with and learn PHP basics</li><br />
:In another section of this lab you created a basic ''phptest.php'' file and saw how the server executed the PHP code and turned it into an HTML page your browser could display. Because PHP offers an easy way to write web applications it powers much of the Internet. To prepare us for setting up some PHP applications in a future lab it will be helpful to know a little about how PHP scripts work. Read through the [http://www.w3schools.com/php/default.asp W3 Schools PHP Basics Tutorial] (PHP Intro through PHP Superglobals) and try creating some PHP scripts on your own Linux server like the examples given in the tutorial pages to see if you can get them to run. Try modifying them a little bit and see what the results are. There are many great Internet resources devoted to understanding how to do things with PHP so take some time to see how this language can be easily integrated in websites. You should definitely be familiar with editing PHP files to change variables, echo statements, etc., which are all skills you'll need when installing PHP based website software.<br />
<li>Create your own PHP files</li><br />
:*Try writing some simple PHP scripts on your own using variables and echo statements and make them available through your webserver.<br />
:*A good place to create these would be in your home directory, using your favorite text editor.<br />
<li>Create your own "home" page by editing your ''index.html'' file located in the '''/var/www/html''' directory.</li><br />
:''NOTE: You will need to be familiar with the very basics of editing HTML files in order to create links, etc. If you haven't done this before there are many introductory HTML tutorials available online. A good starting place is [https://www.w3schools.com/html/html_basic.asp W3 Schools HTML Basics Examples].''<br />
:''NOTE: It is important to know that an '''html''' file must include the <!DOCTYPE HTML> tag. Additionally, you will notice that all tags have an opening tag and a closing tag. The information between the tags is what will have the features of the tag.''<br />
:*Backup your ''index.html'' file by copying to a new file name.<br />
:<code>sudo cp /var/www/html/index.html /var/www/html/index.html.bak</code><br />
:*Edit your ''index.html'' file (or create a new ''index.php'' file which will be loaded instead if it exists) so there is a list and links to the various scripts you have created as part of your PHP experimentation.<br />
:* Open your index.html file in your favorite text editor,<br />
:<code>sudo nano /var/www/html/index.html</code><br />
:*Since you have backed up the original index.html file I would edit this file to only include the basics.<br />
<pre> <br />
<!DOCTYPE HTML><br />
<html><br />
<body><br />
<h1>My ITC-2480 Server</h1><br />
<p>This is a server on Pod-R in NetLab at 172.17.50.XX</p><br />
<br><br />
<p>Here are some of the Projects I am working on:</p><br />
<a href="http://172.17.50.XX/phptest.php">PHP Version Information</a><br />
</body><br />
</html><br />
</pre><br />
:'' NOTE: Make sure to replace the XX in the IP with the IP address of your server.<br />
:<br />
:[[File:Lab5_basic_html.png|link=https://wiki.ihitc.net/mediawiki/images/2/29/Lab5_basic_html.png|500px]]<br />
:[[Media:Lab5_basic_html.png|Click here for a larger image]]<br />
:A first look for a basic page<br />
:[[File:Lab5_initial_home.png|link=https://wiki.ihitc.net/mediawiki/images/9/92/Lab5_initial_home.png|500px]]<br />
:[[Media:Lab5_initial_home.png|Click for a larger image]]<br />
<li>Try to add additional features to your "home" page.</li><br />
:''NOTE: You may get some ideas of features you might like to add by looking at the original ''index.html'' file that we backed up in step 6 of this lab.<br />
:*As you complete your labs consider what you can add to this page.<br />
:*Add links to the PHP scripts you created<br />
:*A few good challenges would be to add a title, change font size, style or color.<br />
<br />
</ol><br />
<br />
==Experiment with Databases==<br />
<br />
'''''[https://www.youtube.com/watch?v=1zYXiWLoGdM&feature=youtu.be Video Tutorial - Experiment with Databases]'''''<br />
<ol><br />
: In order to do really powerful things with a website we need a database where we can store dynamic content which can be queried to automatically build site pages from a template. One of the most common databases is an SQL database, and MySQL has long been the most prevalent Linux SQL software. These days MariaDB, which we installed, has been taking some MySQL marketshare because it is a community developed program instead of MySQL which is now owned by Oracle. The MariaDB software and MySQL software are essentially equivalent, especially for small sites/databases, and the same commands are used interchangeably including using the '''mysql''' command to access them. SQL itself is a standard language for interacting with a specific type of database called a relational database, we'll see why it's called a relational database in a minute. Each database is a collection of data stored in tables. You can think of a table as something like a spreadsheet with rows and columns, except we call the columns fields and the rows records (sometimes we actually call them rows too). The different tables are often related to one another, of course they are usually being used by the same web application, but usually the relationship goes deeper than that as we'll see in a little bit.<br />
<li>Download a sample database</li><br />
: To jumpstart our exploration of databases we'll download a pre-built sample database with a few tables and many records already in it and import it into our MySQL database server. Download the employees database file [https://launchpad.net/test-db/employees-db-1/1.0.6/+download/employees_db-full-1.0.6.tar.bz2 employees_db-full-1.0.6.tar.bz2] (about 26MB) and get it into your home directory. Instead of using the '''links''' browser to do this or downloading to your computer and then pushing this large file back across the Internet with an SCP/SFTP client like FileZilla a better choice might be to learn about the '''wget''' program which can be used like "'''wget https://launchpad.net/test-db/employees-db-1/1.0.6/+download/employees_db-full-1.0.6.tar.bz2'''" to download the file into your current working directory.<br />
<code>wget https://launchpad.net/test-db/employees-db-1/1.0.6/+download/employees_db-full-1.0.6.tar.bz2</code><br />
<li>Unpack the database file</li><br />
: Figure out how to use the '''tar''' program to unpack this .tar.bz2 file. Note that this file uses bz2 compression which takes longer to compress than gzip but can compress the files more. Once unpacked you should have an "employees_db" folder.<br />
<li>Explore the files included with sample database</li><br />
: Inside the ''employees_db'' folder you should have a number of ''.sql'' script files and dump files which can be used to restore the database to your system.<br />
:*Take a look at the ''employees.sql'' file, it's just a text file, which describes the format of the database. <br />
:*Also take a look at the ''load_employees.dump'' file, also just a text file, which contains all of the records from the employees table of the database.<br />
:'' NOTE: There are some 300,000 employee records in this database so you probably don't want to just use '''cat''' to view these files as it could take a while to print them out to your screen. Using the '''less''' program would be a better choice as it will allow you to exit viewing the file by pressing q at any time.<br />
<li>Open the MySQL (MariaDB) command line</li><br />
: We can interact with the MySQL/MariaDB server in many different ways. The first way we'll take a look at is through the command line '''mysql''' program. Run the "'''sudo mysql'''" command. <br />
:'' NOTE: We are running this command with system administrator permissions, which allows us to log in to the MySQL server with database administrator permissions as well. The MySQL program actually stores its own usernames and passwords as a MySQL database itself. You can create and modify these permissions from the mysql command line but we'll learn more about modifying them through the Webmin interface later.<br />
:<code>sudo mysql</code><br />
<br><br />
:[[File:Lab5_mariadb_cli.png|link=https://wiki.ihitc.net/mediawiki/images/4/4f/Lab5_mariadb_cli.png|500px]]<br />
:[[Media:Lab5_mariadb_cli.png|Click here for a larger image]]<br />
<li>Explore MySQL (MariaDB) Commands</li><br />
: MySQL has its own command line language that you can use through the "mysql>" prompt you are now running. For example, if we want to see a list of databases on the system we can run "'''SHOW databases;'''". Run the command and note the databases that already exist by default.<br />
<code>SHOW databases;</code><br />
:'' NOTE: Each MySQL/MariaDB statement ends with a semicolon (;) if you do not put the semicolon at the end of the line the command will not execute when you press enter and you will be able to continue to add more commands to the statement before finishing with a semicolon. If you accidentally press enter without ending with a semicolon you can just enter a semicolon on the next line and press enter.<br />
<li>Import the sample database</li><br />
: To import the employee database we can use the "'''source employees.sql;'''" command (assuming we were already working in the directory which contains the employees.sql file when we launched mysql). Import the employee database and verify the system now has an employees database.<br />
<code>SOURCE employees.sql;</code><br />
<li>Use the employees database</li><br />
<code>USE employees;</code><br />
: If we want to see all of the tables in the employees database we must first select the database we want to work on using the "'''USE employees;'''" command.<br />
<li>Explore the employee table</li><br />
: Use the "'''SHOW tables;'''" command to see a list of tables.<br />
<code>SHOW tables;</code><br />
<li>View a list of employees in table</li><br />
: To see a list of all the records in a table we need to run a SELECT query "'''SELECT * from ''<tablename>'''''" like "'''SELECT * from employees'''" which will list all the records in the ''employees'' table of the employees database and display them.<br />
<code>SELECT * from employees;</code><br />
<br><br />
:[[File:Lab5_mariadb_show_tables.png|link=https://wiki.ihitc.net/mediawiki/images/d/d5/Lab5_mariadb_show_tables.png|350px]]<br />
:[[Media:Lab5_mariadb_show_tables.png|Click here for a larger image]]<br />
:* Remember that we previously selected to USE the ''employees'' database, this will be remembered until we USE a different database. Try displaying the records in a couple of different tables like employees and departments.<br />
:'' NOTE: The output can be broken by using CTRL-C on your local machine if you do not wish to wait for all of the records to be displayed.<br />
:<br />
: There is much more that we can do from the MySQL/MariaDB command line but that would be a whole class or more itself. The MySQL/MariaDB programs are well documented on the Internet and with these basic skills you should be able to figure out most of it. Remember, the vast majority of what you read about MySQL will also work in MariaDB and vice-versa.<br />
<li>Explore the MySQL interface in Webmin</li><br />
: Now that you have learned a bit about MySQL databases from the command line let's see how they look in the Webmin web management interface. Log back in to your Webmin interface through a browser on your host system.<br />
:* Because MySQL was not installed when we first setup Webmin you need to "scan for new modules" first. Once that process has finished refresh the page to see that MySQL has been added to the server section of Webmin.<br />
:* Take a look at the Webmin MySQL module and see how MySQL users and permissions are configured.<br />
:* Try browsing through the ''employees'' database using the Webmin interface including viewing tables and records inside of the tables.<br />
<li>Drop database and exit MySQL (MariaDB)</li><br />
:* Go back to your MySQL command line window and run the command "'''DROP DATABASE employees;'''" to delete the entire database.<br />
:* Type "'''exit;'''" to quit the MySQL program and return to a Linux shell.<br />
<br />
:'' NOTE: Obviously, the DROP command is one to be careful with as you can easily wipe out a huge database with one line! <br />
</ol><br />
<br />
==View Logfiles==<br />
<br />
'''''[https://www.youtube.com/watch?v=cxIOQF-eMy0&feature=youtu.be Video Tutorial - Tutorial 5 View Logfiles]'''''<br />
<br />
<ol><br />
: Linux stores most of its log files in the ''/var/log'' directory so change your working directory to ''/var/log''.<br />
: Some log files are viewable by all users on the system but other log files may be restricted and you will need to use '''sudo''' to view them.<br />
<li>View last 20 lines in '''/var/log/syslog'''</li><br />
:<code>tail -20 /var/log/syslog</code><br />
:[[File:Lab5_tail.png|link=https://wiki.ihitc.net/mediawiki/images/8/88/Lab5_tail.png|500px]]<br />
:[[Media:Lab5_tail.png|Click here for a larger image]]<br />
: Linux log files are typically standard text files and can be read with standard text file utilities like cat or less. One additional utility which comes in handy is the '''tail''' program, which displays the last 10 lines (by default) of a text file and which can be configured to display more or fewer lines using a command like '''tail -20 /var/log/syslog''', which will display the last 20 lines of the main system log file. The manual page for the '''tail''' command contains additional information like how to use the ''-f'' option to view a log in realtime (exit with Ctrl-C).<br />
<li>Save the tail output to a file</li><br />
: Often we may want to save the output from a '''tail''' command to share with others or document an issue. This can easily be done using redirection we learned in a previous lab. Experiment with how to save some tail commands. Keep in mind you may need to escalate privileges for some files to be redirected. Try the following:<br />
: <code>sudo tail -20 /var/log/syslog > logtail.txt</code><br />
<li>Explore some other log files</li><br />
: Take a look at some of the log files on your system and see what kinds of information they contain. Specifically, you should probably look at ''syslog'', ''auth.log'', ''kern.log'', ''apache2/access.log'', and ''apache2/error.log''.<br />
:* Use the tail command to explore these logs<br />
: In order to prevent log files from completely filling your drive old log files are eventually rotated on the system and compressed and then finally deleted. Take a look at some of the rotated log files like ''/var/log/syslog.1'' or ''/var/log/kern.log.1'' which will contain slightly older log entries.<br />
:'' Note: After the first rotated file other files are usually compressed with gzip. You can decompress and view these on the fly using the '''zcat''' program.<br />
</ol><br />
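The rotation scheme described above means a search of only the live log misses older entries. The following is an added example, not part of the original lab: it reads the live file plus its rotated copies (plain and gzip-compressed) oldest first and counts failed SSH logins per source address. The log lines, addresses and function names are constructed for illustration.

```shell
#!/bin/sh
# Build a constructed log set in a temporary directory: the live log,
# one rotated text file (.1) and one rotated, gzip-compressed file (.2.gz).
make_sample_logs() {
    dir=$(mktemp -d)
    printf '%s\n' \
        'Apr 23 08:15:02 lab sshd[411]: Failed password for root from 192.0.2.10 port 50111 ssh2' \
        'Apr 23 08:15:07 lab sshd[411]: Failed password for root from 192.0.2.10 port 50113 ssh2' \
        | gzip -c > "$dir/auth.log.2.gz"
    printf '%s\n' \
        'Apr 24 09:30:41 lab sshd[633]: Failed password for invalid user admin from 192.0.2.10 port 50200 ssh2' \
        'Apr 24 09:31:12 lab sshd[640]: Failed password for student from 198.51.100.7 port 41000 ssh2' \
        > "$dir/auth.log.1"
    printf '%s\n' \
        'Apr 25 10:00:01 lab sshd[901]: Failed password for invalid user admin from 192.0.2.10 port 40022 ssh2' \
        'Apr 25 10:00:09 lab sshd[905]: Accepted password for student from 192.0.2.25 port 40100 ssh2' \
        > "$dir/auth.log"
    printf '%s\n' "$dir"
}

# Print a log and all of its rotated copies in chronological order.
# Assumes rotated copies are numbered 1..n without gaps; the highest
# number is the oldest file.
read_rotated_logs() {
    base=$1
    n=$(($(ls "$base".* 2>/dev/null | wc -l)))
    while [ "$n" -ge 1 ]; do
        if [ -f "$base.$n.gz" ]; then
            gzip -dc "$base.$n.gz"      # same effect as zcat
        elif [ -f "$base.$n" ]; then
            cat "$base.$n"
        fi
        n=$((n - 1))
    done
    cat "$base"
}

# Total failed logins across the live log and every rotated copy.
count_failed() {
    read_rotated_logs "$1" | grep -c 'Failed password' || true
}

# Failed logins per source address, busiest source first.
failed_by_source() {
    read_rotated_logs "$1" | awk '
        /Failed password/ { for (i = 1; i < NF; i++) if ($i == "from") c[$(i + 1)]++ }
        END { for (ip in c) print c[ip], ip }' | sort -rn
}

sample=$(make_sample_logs)
echo "live log only: $(grep -c 'Failed password' "$sample/auth.log")"
echo "with rotated:  $(count_failed "$sample/auth.log")"
failed_by_source "$sample/auth.log"
rm -rf "$sample"
```

On a real system the same functions can be pointed at ''/var/log/auth.log'' with '''sudo''', since that file is not readable by standard users.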
==Checking Your Work==<br />
<br><br><br />
<br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_05_test.py | python3<br />
</nowiki></code></div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_4_mnjk&diff=9555Lab 4 mnjk2021-03-02T22:04:03Z<p>NateHaleen: /* Checking your Work */</p>
<hr />
<div>=Introduction=<br />
Linux is a very text file-oriented operating system. As we've learned, most of the settings for the operating system are held in text files in the /etc directory and most of the commands that are used to manipulate the system take text input or give text output. Because of this it's very important to be able to edit and manipulate text on the system, which will be a key focus of this lab. In addition, we'll practice creating compressed files, which is useful for backing up files, and creating links between locations on the system.<br />
<br />
In this lab you will perform the following tasks:<br />
* Edit text files using nano and vi<br />
* Learn how to manipulate command output<br />
* Search for files<br />
* Archive and Compress files using tar<br />
* Create links between directories<br />
<br />
You will be introduced to the following commands:<br />
*'''[https://linux.die.net/man/1/vi vi]'''<br />
*'''[https://linux.die.net/man/1/nano nano]'''<br />
*'''[https://linux.die.net/man/1/less less]'''<br />
*'''[https://linux.die.net/man/1/find find]'''<br />
*'''[https://linux.die.net/man/1/locate locate]'''<br />
*'''[https://linux.die.net/man/8/updatedb updatedb]'''<br />
*'''[https://linux.die.net/man/1/ln ln]'''<br />
<br />
=Lab Procedure=<br />
==Prerequisites==<br />
Open an SSH console to your Linux system using the PuTTY software, login with your standard user account<br />
<br />
==Text File Editing==<br />
'''''[https://www.youtube.com/watch?v=LnVsTA8_mQo Video Tutorial - Text File Editing]'''''<br />
<ol><br />
<li> Change to the ''/var/www/html'' directory which is where the Apache webserver stores its site files by default.</li><br />
<ul> Verify you can see an ''index.html'' file inside of this directory by listing the contents of the directory. Note who the ''owner'' and ''group owner'' of the file are.</ul><br />
<li> Open up a web browser on your host computer and verify that you can browse to the IP address of your Linux system and still see the "It works" page that you saw in [[Franske ITC-2480 Lab 2#Install the Apache 2 Webserver|lab 2]] after installing Apache.</li><br />
<ul> Before we start making any changes it's a good idea to save an unmodified copy of the file you'll be working on so make a copy of the ''index.html'' file and name the copy ''index.html.orig'' so that you can always copy it back if you make a mistake.</ul><br />
<ul> There are many different text editors available for Linux but systems almost always include some version of '''vi''' or '''nano''' so those are the two we'll focus on.</ul><br />
<li> In your ssh window open the ''index.html'' file in nano.</li><br />
<ul>NOTE: Because your user does not own this file you may need to edit the file as the superuser.</ul><br />
<code>nano index.html</code><br />
<ul>[[File:nano_index_html.png|link=https://wiki.ihitc.net/mediawiki/images/d/d3/Nano_index_html.png|250px]]</ul><br />
<ul>[[Media:nano_index_html.png|Click for Larger Image]]</ul><br />
<li> Try navigating around the file with your arrow keys and changing the "Apache2 Debian Default Page" text at the top of the page to "Welcome to My Linux Webserver"</li><br />
<ul> Basic instructions for using nano abound on the Internet. You can get a basic introduction [http://staffwww.fullcoll.edu/sedwards/Nano/IntroToNano.html here] but it basically comes down to the menu lines at the bottom of the screen showing what your options are. The ^ character is commonly used to indicate the CTRL key so to exit the program (you will be prompted to save changes if you have made any) press CTRL-X or to save without exiting press CTRL-O and follow the prompts at the bottom of the screen.</ul><br />
<li> Save your file with the changed text and then reload the page in your browser on your host system to see if the changes have taken effect.</li><br />
<ul> Experiment with some of the nano menu options such as cutting and "un-cutting" lines of text and searching/replacing text. Once you are comfortable with the nano editor save your changes and exit.</ul><br />
<ul> Make a note of which user and group owns your ''index.html'' file.</ul><br />
<li> Delete your ''index.html'' file and copy your ''index.html.orig'' file back to ''index.html''</li><br />
<ul> Try loading the website again and see if it's back to the original text. If you encounter an error it's possible that your ''index.html'' file is not readable by the webserver account so you should use the appropriate command to set the ''index.html'' file back to the owner and group of the original file.</ul><br />
<li> Now open the ''index.html'' file in vi</li><br />
<code> vi index.html</code><br />
<ul>[[File:vi_index_html.png|link=https://wiki.ihitc.net/mediawiki/images/f/fd/Vi_index_html.png|250px]]</ul><br />
<ul>[[Media:vi_index_html.png| Click for Larger Image]]</ul><br />
<ul> The vi editor is probably considered more powerful than nano but is less user friendly without the menu at the bottom and a COMMAND mode as well as an INSERT mode. In the COMMAND mode you cannot directly change the text of the file by typing which can be frustrating to new users. Read through the vi tutorial [http://www.washington.edu/computing/unix/vi.html here] and try making some edits to your webpage. Once you are familiar with how the vi editor works save your file and exit.</ul><br />
</ol><br />
<br />
==Command Output Manipulation==<br />
'''''[https://www.youtube.com/watch?v=dgC1r0rXTpA Video Tutorial - Command Output Manipulation]'''''<br />
<ol><br />
<li> Change back to your home directory.</li><br />
<code> cd ~</code><br />
<li> Print out the files in your home directory.</li><br />
<code> ls -al</code><br />
<li> Now, run '''ls -al''' but redirect the output to a file using ''> filename''.</li><br />
<code> ls -al > listfiles.txt</code><br />
<ul> Notice how there is no command output. This is normal as you redirected the command output to the file ''listfiles.txt''</ul><br />
<li> Verify the contents of ''listfiles.txt''</li><br />
<code> cat listfiles.txt</code><br />
<ul>[[File:cat_listfiles_txt.png|link=https://wiki.ihitc.net/mediawiki/images/e/e1/Cat_listfiles_txt.png|250px]]</ul><br />
<ul>[[Media:cat_listfiles_txt.png|Click for Larger Image]]</ul><br />
<ul> Notice how it contains the exact same output as running '''ls -al''' on the command line.</ul><br />
<li> Now, run:</li><br />
<code>ls -al /var/log</code> <br />
<ul>Notice how many files there are in the ''/var/log'' directory. Let's say we wanted to just know the information of the ''debug'' log files. For this, we would use a pipe and the grep command.</ul><br />
<li> So, now run:</li><br />
<code> ls -al /var/log | grep debug</code><br />
<ul>[[File:var_log_grep_debug.png|link=https://wiki.ihitc.net/mediawiki/images/7/74/Var_log_grep_debug.png|250px]]</ul><br />
<ul>[[Media:var_log_grep_debug.png|Click for Larger Image]]</ul><br />
<ul>Notice how the output is limited to all files that contain the string ''debug''.</ul><br />
<ul> TIP: Grep is very powerful. Here we're just using it to search for a string but you can use it to search regular expressions as well. We mentioned these in a previous lab too. You can learn more about regular expressions at [https://regexone.com RegexOne] and [https://www.regular-expressions.info Regular-Expressions.info] among many other places. These are frequently used in system administration and programming so it's worth your while to get at least a basic understanding of them.</ul><br />
<ul> What's nice about pipes and redirects is that they can be used back to back on a command line, creating a chain of programs which accept data as standard input and output it to the next program as standard output.</ul><br />
<li> So let's say we have a scenario where we want to get a file that contains all of the information from all ''.gz'' files in ''/var/log''. To do this, we would run:</li><br />
<code> ls -al /var/log | grep .gz > gzlogfiles.txt</code><br />
<li> Now pipe the file into '''less'''</li><br />
<code>cat gzlogfiles.txt | less</code><br />
<ul> NOTE: Remember that you are now viewing the file in the less program and will need to quit the program to return to a command line. Type the letter "q" to quit the less program.</ul><br />
<ul> In this case the piped '''cat''' command is the exact same as running '''less gzlogfiles.txt''' however there are many times where you need to connect two programs together with pipes in order to accomplish something which is otherwise not possible. Also, standard output can be non-text data as well. For example, it's possible to use pipes to pass audio data between programs such as one that scans a WAV file and adjusts the volume before piping it to an MP3 compression utility which saves the result as an MP3 file.</ul><br />
<li> See if you can figure out how to view the output of '''ls -al /var/log | grep .gz''' one page at a time without dumping it to a text file first.</li><br />
<li> Now remove the files ''gzlogfiles.txt'' and ''listfiles.txt'' that were created from this part of the lab.</li><br />
</ol><br />
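Because grep treats its pattern as a regular expression, the dot in '''grep .gz''' matches any character, not just a literal period. The following is an added example, not part of the original lab, that compares three filters on a constructed directory. The file names and function names are made up for illustration, and it lists names only ('''ls -a''') so the counts do not depend on the owner or date columns that '''ls -al''' would add to each line.

```shell
#!/bin/sh
# Constructed directory: two real .gz files and three names that only look similar.
make_listing() {
    d=$(mktemp -d)
    touch "$d/syslog" "$d/syslog.2.gz" "$d/kern.log.3.gz" \
          "$d/bigzip.log" "$d/notes.gz.txt"
    printf '%s\n' "$d"
}

# Count the names in directory $1 that grep selects with the remaining arguments.
count_matches() {
    target=$1
    shift
    ls -a "$target" | grep -c "$@" || true
}

# Print only names that really end in ".gz".
compressed_logs() {
    ls -a "$1" | grep '\.gz$'
}

listing=$(make_listing)
# ".gz" as a regex: any character followed by "gz" (also hits bigzip.log).
echo "grep .gz       -> $(count_matches "$listing" .gz)"
# -F: fixed string ".gz" anywhere in the name (still hits notes.gz.txt).
echo "grep -F .gz    -> $(count_matches "$listing" -F .gz)"
# Escaped dot and end-of-line anchor: only names ending in .gz.
echo "grep '\\.gz\$'   -> $(count_matches "$listing" '\.gz$')"
compressed_logs "$listing"
rm -rf "$listing"
```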
<br />
==Searching for Files in Linux==<br />
'''''[https://www.youtube.com/watch?v=WSd6fq-jDyE Video Tutorial - Searching for Files in Linux]'''''<br><br />
There are several ways to search for files on a Linux system. The simplest is to use the '''find''' command which searches through the system directory by directory for files which match your search string. You can specify many options for the find command which do things such as restrict to searching in one particular directory and its sub-directories, etc.<br />
<ol><br />
<li> Try searching your entire drive for files with syslog in the name.</li><br />
<code> find / -name syslog 2> /dev/null</code><br />
<ul>[[File:find_syslog.png|link=https://wiki.ihitc.net/mediawiki/images/9/96/Find_syslog.png|250px]]</ul><br />
<ul>[[Media:find_syslog.png|Click for Larger Image]]</ul><br />
<ul> Notice the ''2> /dev/null'' on the end of the command. This redirects error messages (''2>'' redirects stderr, ''>'' redirects stdout as discussed above) to the location ''/dev/null'', which is a special file where anything written to it is simply discarded. The reason we're redirecting the error messages is that there are a number of files or directories which you may not have permission to access. Each attempt to access these by the '''find''' program would create an error message (so lots of errors). We're basically telling the system to hide these error messages from us.</ul><br />
<ul> You should see some files identified which contain the name ''syslog''. The problem is that the find command is very slow at moving through all the files on the system, in fact it may even appear to be frozen while searching slowly through the drive. If you have waited a while and are still not getting back to a command prompt you can press CTRL-C to force the find program to quit and return to a command prompt. This means the find program works just fine for searching through a few directories/files (such as your home directory might contain) but is not the best choice for searching the entire system. If you want to learn more about advanced uses of the find command take a look at [http://content.hccfl.edu/pollock/unix/findcmd.htm this tutorial].</ul><br />
<li> A faster way to search the entire system is to use the ''locate'' command. Install the '''locate''' program</li><br />
<ul>This command searches a pre-built database of all files on the system which means it operates much faster than searching through files one at a time. There are two downsides to locate. First, it may not be pre-installed on many Linux systems so you may have to install it. Second, you need to build or update the database before you can search for files. New files are not automatically updated to the database so this only really works if you periodically remember to update the database. We'll explain how you can schedule that automatically in the future (hint, see the '''cron''' program).</ul><br />
<code> sudo apt-get install locate</code><br />
<li> Create an updated database of files on your system</li><br />
<code>sudo updatedb</code><br />
<ul>Note, it will take a while for this program to find and index all the files on your system so give it a while to run. The advantage is after you do this you can search the database for many different files very quickly instead of waiting for each search as with the find command. We need to run the '''updatedb''' program as an administrator so that it can search through all locations on the system, including ones your user does not normally have access to.</ul><br />
<ul> Note: Programs that may need to run for a long time and do not require user input (like '''updatedb''') can be run in the background by placing an ampersand at the end of the command line like '''sudo updatedb&'''. This will immediately return you to a command prompt so you can continue to work on other things while the command finishes running.</ul><br />
<li> Search for files with ''syslog'' in the name again but now using the command ''locate''</li><br />
<code> locate syslog</code> <br />
<ul>[[File:locate_syslog.png|link=https://wiki.ihitc.net/mediawiki/images/1/17/Locate_syslog.png|250px]]</ul><br />
<ul>[[Media:locate_syslog.png|Click for Larger Image]]</ul><br />
<ul> You should see many files found with this name and it should happen quickly, much faster than with the find command.</ul><br />
</ol><br />
<br />
==Creating Archived/Compressed Files==<br />
'''''[https://www.youtube.com/watch?v=iBsHKvNP88E Video Tutorial - Creating Archived Compressed Files]'''''<br><br />
If you get stuck or have any problems understanding why '''tar''' is functioning in a certain way you can find a number of introductory tutorials [http://www.thegeekstuff.com/2010/04/unix-tar-command-examples/ like this one] about using '''tar''' on the Internet by [https://www.google.com/#q=tar+tutorial searching for them]<br />
<ol><br />
<li> Create a new directory ''experiments'' in your home directory.</li><br />
<li> Create a GZipped TAR file of everything in your system log directory called ''logbackup1.tar.gz'' and save it to the ''experiments'' directory in your home directory by first changing your working directory to ''/var/log'' and then using the command:</li><br />
<code>tar -czvf ~/experiments/logbackup1.tar.gz *</code> <br />
<ul> Note that you will need to use root privileges to create all of the log backups in this section of the lab because some log files can not be read by a standard user.</ul><br />
<ul> Note the asterisk (*) which is used to select all files in the current directory for inclusion in the TAR file. This is a type of wildcard character.</ul><br />
<li> Change your working directory to the ''experiments'' directory in your home directory.</li><br />
<li> Try extracting the files into your ''experiments'' directory, show a list of files as they are extracted (''verbose'')</li><br />
<ul> Check the contents of your ''experiments'' directory. What happened? What kind of mess could this make when you extract a TAR file when it was created this way?</ul><br />
<li> Delete all files and subdirectories from inside the ''experiments'' directory.</li><br />
<li> Try again to create a GZipped TAR file of everything in your system log directory called ''logbackup2.tar.gz'' and save it to the ''experiments'' directory in your home directory by running the command from inside the ''experiments'' directory.</li><br />
<code> tar -czvf logbackup2.tar.gz /var/log</code><br />
<ul> Note that you will need to use root privileges to create all of the log backups in this section of the lab because some log files can not be read by a standard user.</ul><br />
<ul> Note the lack of a slash at the end of the directory we are putting into the TAR file. In some older versions of TAR putting a slash on the end meant to put the files from that directory into the file but not the directory itself (just like when we created logbackup1.tar.gz with the asterisk wildcard). By leaving the slash off the end we are telling TAR to put the log directory, as well as its contents, into the TAR file so that when we extract it we will get a log directory made with the files going into it. Even though new versions of TAR automatically prevent you from creating TAR files without a directory path it is still best practice to make sure that you are including a directory as part of the TAR file.</ul><br />
<li> Try extracting the files into your ''experiments'' directory, show a list of files as they are extracted (''verbose'')</li><br />
<li> Check the contents of your ''experiments'' directory.</li><br />
<ul> What happened? If you extracted a tar file made this way you could potentially end up with several more levels of directories than you really want. In this case we got an extra var directory inside of experiments but if we were archiving something with a deeper path we would have even more extra subdirectories. You can actually see this during the tar file creation: if you have verbose output enabled, you saw that all the files being added to the tar had var/log/ in front of the filename. There are at least two ways to handle this which we will look at.</ul><br />
<li> Delete all files and subdirectories from inside the ''experiments'' directory.</li><br />
<ul> If we are creating the TAR file manually we can avoid these extra parts to the path by paying attention to what directory we are in when we create the TAR file.</ul><br />
<li> This time change your working directory to ''/var'' first and then run the command.</li><br />
<code> tar -czvf ~/experiments/logbackup3.tar.gz log</code><br />
<ul> Note the different output from the tar command. This time the filenames are prefixed only by ''log/''.</ul><br />
<li> Switch back to your ''experiments'' directory and then try extracting the files from ''logbackup3.tar.gz'' into your experiments directory, do not show a list of files as they are extracted this time.</li><br />
<ul> Check the contents of your experiments directory. This time you should see that there is just one new subdirectory called log and all of the files are neatly placed inside of it. This is the type of extraction people normally want and expect from a tar file that is distributed.</ul><br />
<li> Empty your ''experiments'' directory</li><br />
<li> If you want to have the same effect without changing your working directory that is possible too. Try running the command below.</li><br />
<code>tar -czvf ~/experiments/logbackup4.tar.gz -C /var log</code> <br />
<ul>This time it doesn't make any difference which directory on the system you are in because we have again specified a full path for where to save the tar file and we have also told tar to change to the ''/var'' directory before adding the log directory to the file using the -C argument. This automates the process of manually changing directories like we did above.</ul><br />
<li> Switch back to your ''experiments'' directory and then try extracting the files from ''logbackup4.tar.gz'' into your experiments directory, do not show a list of files as they are extracted this time.</li><br />
<ul> Check the contents of your experiments directory. This time you should again see that there is just one new subdirectory called ''log'' and all of the files are neatly placed inside of it.</ul><br />
<ul> There are a number of other things you can do with '''tar''' such as creating slower but more highly compressed .bz2 bzip files, extracting single files (or directories or groups of files) from an archive, listing the contents of an archive without extracting (which can show you if a new subdirectory will be created), adding files to an existing archive, and preserving file ownership (only by extracting on the same system though) and permissions. You should read the manual page for tar and then try practicing some of these and be familiar with the many ways that '''tar''' can be used.</ul><br />
</ol><br />
<br />
==Working With Filesystem Links==<br />
'''''[https://www.youtube.com/watch?v=vBorZKMmvIk Video Tutorial - Working With Filesystem Links]'''''<br><br />
If you get stuck or have any problems understanding how links are functioning in a certain way you can find a number of introductory tutorials [http://www.nixtutor.com/freebsd/understanding-symbolic-links/ like this one] or [http://www.thegeekstuff.com/2010/10/linux-ln-command-examples/ more advanced tutorials] on the Internet by searching for them.<br />
<ol><br />
<li> Use root privileges to create a new directory inside the ''var'' directory called ''system-documentation'' and change the ownership permissions so that your standard user has permission to read, write, and execute as a member of a group which owns the documentation directory. You will also need to make sure that all system users have execute permission for the parent directory (''/var'') in order to access anything in it including the ''system-documentation'' directory.</li><br />
<ul> Instead of needing to go into the ''/var/system-documentation'' directory all the time it would be more convenient if your user was able to reach that directory through a link in their own home directory.</ul><br />
<li> Run the command below inside your regular user's home directory</li><br />
<code>ln -s /var/system-documentation documentation</code> <br />
<ul>[[File:ln_documentation.png|link=https://wiki.ihitc.net/mediawiki/images/9/97/Ln_documentation.png|250px]]</ul><br />
<ul>[[Media:ln_documentation.png|Click for Larger Image]]</ul><br />
<ul>Or if you're in a different working directory you can run the command as '''ln -s /var/system-documentation ~/documentation'''. Do you understand why?</ul><br />
<ul> You should now see a soft link (also called symlink) in your home directory called documentation which points to the ''/var/system-documentation'' folder.</ul><br />
<li> '''cd''' into the link just like it was a real directory.</li><br />
<ul> If you use the '''pwd''' command to print your working directory while inside the link it will look like it's a directory. Almost all software on the system will interact with the link just as if it's a real directory.</ul><br />
<li> Try creating some files and subdirectories inside of the link and then verify they are showing up in the real ''/var/system-documentation'' location as well. This should work correctly if your permissions are all set correctly.</li><br />
<li> Remove the link</li><br />
<code>rm ~/documentation</code><br />
<ul> You should see that all of the files you created are still in ''/var/system-documentation''</ul><br />
<ul> If you re-create the link you should be able to go back into ''~/documentation'' and remove files and directories and see they are removed from the actual ''/var/system-documentation'' directory as well</ul><br />
<ul> You can also practice creating links to specific files as well as directories. Links do not override permissions so you need to have permission to read, write or execute the file or directory you are linking to just like if you actually changed to the real location of the item. Go ahead and practice creating and removing links until you have a good understanding of how links can be used.</ul><br />
</ol><br />
Note: If you are using '''tar''' to back up data, depending on exactly what you want to do you may want to use the ''-h'' or ''--dereference'' option, which will follow the symlink and back up the data it points to. The normal behavior for tar is to back up only the link itself, not the file(s) pointed to by the link. If you are not confident that you understand this, try creating some tar files of directories which contain symlinks, deleting the data the symlink points to, and then extracting the tar file to some new location to see this in action.<br />
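The symlink behavior described in the note above, as an added example that is not part of the original lab: it archives a directory containing a symlink with and without ''-h'', deletes the data the link points to, and restores both archives. All paths are constructed inside a temporary directory, the function names are hypothetical, and GNU tar is assumed.

```shell
#!/bin/sh
# Added example: tar's default symlink handling versus -h / --dereference.
# Everything happens in a constructed temporary directory; GNU tar is assumed.

# Build a small copy of the lab layout: real data plus a symlink pointing at it.
make_fixture() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/system-documentation" "$work/home"
    echo "runbook v1" > "$work/system-documentation/runbook.txt"
    ln -s "$work/system-documentation" "$work/home/documentation"
    echo "$work"
}

# archive_home WORK ARCHIVE [EXTRA_FLAG]: archive WORK/home relative to WORK.
archive_home() {
    # $3 is deliberately unquoted so that an empty value adds no argument.
    tar -czf "$1/$2" $3 -C "$1" home
}

# Count symlink entries in an archive by listing it, without extracting.
count_symlink_entries() {
    tar -tvzf "$1" | awk '$1 ~ /^l/ { n++ } END { print n + 0 }'
}

# restore WORK ARCHIVE DEST: extract quietly into WORK/DEST.
restore() {
    mkdir -p "$1/$3"
    tar -xzf "$1/$2" -C "$1/$3"
}

# Report what came back at home/documentation under the given restore directory.
describe_restored() {
    p="$1/home/documentation"
    if [ -L "$p" ]; then
        if [ -e "$p" ]; then echo "symlink-ok"; else echo "symlink-dangling"; fi
    elif [ -f "$p/runbook.txt" ]; then
        echo "directory-with-data"
    else
        echo "missing"
    fi
}

run_demo() {
    work=$(make_fixture) || return 1
    archive_home "$work" link.tar.gz          # default: stores the link itself
    archive_home "$work" deref.tar.gz -h      # -h: stores the data behind the link
    plain_links=$(count_symlink_entries "$work/link.tar.gz")
    deref_links=$(count_symlink_entries "$work/deref.tar.gz")
    rm -rf "$work/system-documentation"       # simulate losing the original data
    restore "$work" link.tar.gz restore-plain
    restore "$work" deref.tar.gz restore-deref
    plain=$(describe_restored "$work/restore-plain")
    deref=$(describe_restored "$work/restore-deref")
    rm -rf "$work"
    echo "plain=$plain links=$plain_links deref=$deref links=$deref_links"
}

run_demo
```

The backup made without ''-h'' restores only a dangling link, so it cannot recover the lost data; listing an archive for link entries before extracting also shows where its links point.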
<br />
=Checking your Work=<br />
<ol><br />
<li> Testing your work goes here</li><br />
<code> Commands to use</code><br />
<ul> Description of what you should see</ul><br />
<br />
<br><br><br />
<br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_04_test.py | python3<br />
</nowiki></code><br />
</ol></div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_3_mnjk&diff=9554Lab 3 mnjk2021-03-02T22:03:03Z<p>NateHaleen: /* Checking Your Work */</p>
<hr />
<div>=Introduction=<br />
'''''[https://www.youtube.com/watch?v=dQw4w9WgXcQ Watch the video introduction]'''''<br />
<br />
This lab assumes that you know the IP address of your Linux system and are connected to the ITCnet VPN network. If you need help with these steps please see [[ITC_VPN_Instructions | the VPN instructions]] and [[Lab_1_mnjk#Installing_sudo_and_checking_your_IP_address | Lab 1]].<br />
<br />
In this lab you will perform the following tasks:<br />
*Create a new user account<br />
*Change the ownership and permissions on files and directories<br />
*Install the '''[https://www.webmin.com/ Webmin]''' package.<br />
You will be introduced to the following commands:<br />
*'''[https://www.commandlinux.com/man-page/man8/addgroup.8.html addgroup]'''<br />
*'''[https://linux.die.net/man/1/cat cat]'''<br />
*'''[https://linux.die.net/man/1/more more]'''<br />
*'''[https://linux.die.net/man/1/touch touch]'''<br />
*'''[https://linux.die.net/man/1/chown chown]'''<br />
*'''[https://linux.die.net/man/1/chgrp chgrp]'''<br />
*'''[https://linux.die.net/man/1/dpkg dpkg]'''<br />
<br />
= Lab Procedure =<br />
== Prerequisites ==<br />
<ol><br />
<li> Make sure you have an active connection to the ITCnet either by VPN or by directly connecting to an ITCnet switch on campus</li><br />
<li> Open an SSH console to your Linux system using the PuTTY software, login with your standard user account</li><br />
</ol><br />
<br />
== Creating Users and Groups ==<br />
'''''[https://www.youtube.com/watch?v=q_tYhIVlhCU&feature=youtu.be Video Tutorial - Creating Users and Groups]''''' <br><br />
<ol><br />
<li> Create a new user account '''jsmith''' using the '''adduser''' program</li><br />
<code> adduser jsmith </code><br />
<li> Create a new group '''redteam''' using the '''addgroup''' program</li><br />
<code> addgroup redteam </code> <br />
<li> Add the '''jsmith''' account as well as your own user account to the '''redteam''' group</li><br />
<li> Close your SSH session and open two new SSH sessions</li><br />
: ''NOTE: In order for your user accounts to receive their new group permissions they need to be logged out and logged back in.''<br />
<li> Login as your regular user on one and '''jsmith''' on the other</li><br />
<li> View a list of all the user accounts on your system by looking at the '''/etc/passwd''' file. To output the contents of the '''/etc/passwd''' file you can use the following command:</li><br />
<code>cat /etc/passwd</code><br />
: The /etc/passwd file is a plain text file on your system.<br />
<li> View a list of the password data on your system by viewing the '''/etc/shadow''' file</li><br />
<li> View a list of groups and group members on your system in the '''/etc/group''' file<br />
: ''NOTE: The group list may be longer than one full screen of text (the same is true of the '''/etc/passwd''' or '''/etc/shadow''' file), depending on your screen resolution.''<br />
* To output the contents of the file while pausing after each page of output use the following command:<br />
: <code>more /etc/group</code><br />
* To output the contents of the file while pausing after each page of output and being able to scroll up and down through the output use the following command:<br />
: <code>less /etc/group</code><br />
* Press '''q''' to return to the command line<br />
* It may be helpful to try these commands to display an even longer text file like one of the Shakespeare texts you downloaded in an earlier lab in the '''~/sample-files''' directory. You may have to un-tar the files again first.</li><br />
</ol><br />
</ol><br />
<br />
== Practice Filesystem Permissions and Ownership ==<br />
'''''[https://www.youtube.com/watch?v=5-6dRHTbJfM&feature=youtu.be Video Tutorial - Practice Filesystem Permissions and Ownership]''''' <br><br />
''NOTE: Working with file and directory ownership and permissions is tricky and there are many, many possible combinations of users, groups, and permissions which can be assigned to both files and folders. The goal of this section of the lab is to familiarize you with how to use the commands for changing ownership and permissions, not to teach you how to read or understand Linux file permissions (see your readings for this, it is important!). Once you understand how to use the commands you should experiment with setting different owners and permissions on several different files, folders and subfolders until you have a good understanding of how permissions work. The only way to understand these relationships well is to read about them and then try them out. You should be able to set all of these permissions just as regular users (assuming you have access to both of the user accounts); '''you should not need sudo access to change the permissions because one of the two users owns all the files and directories we're working in. You will need sudo access to change the owner of the files because otherwise it would be possible to accidentally lock yourself out of a file.'''''<br />
<br />
''ADDITIONALLY: This table may be helpful:''<br />
: {| class="wikitable"<br />
|+Linux Permissions<br />
!|Octal<br />
!|Binary<br />
!|File Mode<br />
|-<br />
| 0<br />
| 000<br />
| ---<br />
|-<br />
| 1<br />
| 001<br />
| --x<br />
|-<br />
| 2<br />
| 010<br />
| -w-<br />
|-<br />
| 3<br />
| 011<br />
| -wx<br />
|-<br />
| 4<br />
| 100<br />
| r--<br />
|-<br />
| 5<br />
| 101<br />
| r-x<br />
|-<br />
| 6<br />
| 110<br />
| rw-<br />
|-<br />
| 7<br />
| 111<br />
| rwx<br />
|}<br />
''This '''[http://permissions-calculator.org/ permissions calculator]''' may also be helpful.''<br />
<ol><br />
<li> Change to the '''/home''' directory.</li><br />
<li> Check the ownership and permissions on the subdirectories inside of '''/home'''</li><br />
<li> Try to create new files using the '''touch''' command called '''foo''' and '''foo2''' in the '''/home/jsmith''' directory.<br />
*Try as both your regular user and as '''jsmith''' respectively<br />
: <code>touch foo</code><br />
: <code>touch foo2</code></li><br />
<li> Try removing the '''foo''' and/or '''foo2''' files using both your regular user account and '''jsmith'''</li><br />
<li> Use the '''jsmith''' user to create a new directory '''/home/jsmith/redteam/'''</li><br />
<li> Use the '''jsmith''' user to create some files: '''/home/jsmith/redteam/theplan''', '''/home/jsmith/redteam/yours''', '''/home/jsmith/redteam/mine''' and '''/home/jsmith/ours'''</li><br />
<li> In order to find out more about the '''chown''' and '''chgrp''' programs which you'll use to change the owners and groups for files and directories use the following commands to view the built in manual pages:<br />
: <code>man chown</code><br />
: <code>man chgrp</code><br />
: ''NOTE: Almost every command line tool in Linux has a manual page you can view in this way, try accessing a few other man pages for some of the other tools we've been using. You can scroll through the manual pages using the arrow keys and page up/down. To return to the command line press the q key.''</li><br />
<li> Change the permissions on the '''/home/jsmith/redteam/''' directory so that the group '''redteam''' is the group owner of the directory</li><br />
: [[File:Change-ownership-directory.png | link=https://wiki.ihitc.net/mediawiki/images/6/61/Change-ownership-directory.png | 500px]]<br />
: [[media:Change-ownership-directory.png | Click for Larger Image]]<br />
<li> Add write permission for the group to the '''/home/jsmith/redteam/''' directory</li><br />
<li> Change the ownership of the '''yours''' file so that it is owned by your regular user account instead of '''jsmith'''</li><br />
<li> Change the group owner of the '''ours''' file so that it is controlled by the '''redteam''' group</li><br />
<li> Experiment with creating and removing files and subdirectories inside of the '''/home/jsmith/redteam/''' directory as well as listing the contents of directories with various permissions applied to them until you have a good understanding of how permissions work.</li><br />
</ol><br />
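One way to check the result of the group-ownership and group-write steps above, as an added example that is not part of the original lab or its test script: it reads the numeric group and octal mode with GNU '''stat''' and tests the write bit (binary 010 in the table above) for the group and for others. The function names are hypothetical and the demo directory is constructed with '''mktemp'''.

```shell
#!/bin/sh
# Added example: audit a shared directory's group owner and write bits.
# GNU stat (as on Debian) is assumed.
#
# On the lab system the call would be:
#   audit_shared_dir /home/jsmith/redteam "$(getent group redteam | cut -d: -f3)"

# audit_shared_dir DIR EXPECTED_GID
# Prints "ok" or a space-separated list of findings.
audit_shared_dir() {
    dir=$1
    want_gid=$2
    findings=""
    [ -d "$dir" ] || { echo "not-a-directory"; return 0; }

    gid=$(stat -c '%g' "$dir")              # numeric group owner
    perm=$((0$(stat -c '%a' "$dir")))       # octal mode such as 775, read as a number

    # Group owner must be the expected group.
    [ "$gid" = "$want_gid" ] || findings="$findings wrong-group"
    # Group digit is bits 3-5; the write bit within a digit has value 2.
    [ $(( (perm >> 3) & 2 )) -ne 0 ] || findings="$findings group-cannot-write"
    # Other digit is bits 0-2; write for everyone is broader than the lab asks for.
    [ $(( perm & 2 )) -eq 0 ] || findings="$findings world-writable"

    findings=${findings# }
    echo "${findings:-ok}"
}

# Constructed demo: walk one temporary directory through three permission states.
demo_audit() {
    d=$(mktemp -d) || return 1
    me=$(id -g)
    chgrp "$me" "$d"
    chmod 755 "$d"; a=$(audit_shared_dir "$d" "$me")   # group has r-x only
    chmod g+w "$d"; b=$(audit_shared_dir "$d" "$me")   # 775: what the lab asks for
    chmod o+w "$d"; c=$(audit_shared_dir "$d" "$me")   # 777: write open to everyone
    rm -rf "$d"
    echo "$a|$b|$c"
}

demo_audit
```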
<br />
== Install the Webmin Control Panel ==<br />
'''''[https://www.youtube.com/watch?v=tfthl4jH-jg&feature=youtu.be Video Tutorial - Install the Webmin Control Panel]''''' <br><br />
<ol><br />
<li> Use the '''links''' browser to download the '''DEB''' package file from '''[https://www.webmin.com www.webmin.com]'''</li><br />
: ''NOTE: Because this DEB file was downloaded directly instead of automatically by APT from a package repository the installation command is slightly different and some other commands such as '''apt show''' will not work.''<br />
<li>Install the package with '''apt install'''<br />
<code>apt install ./<filename.deb></code><br />
: ''Don't forget that installation of software must be done with system administrator permissions.''</li><br />
:[[File:Apt-install-webmin.png | link= https://wiki.ihitc.net/mediawiki/images/f/f8/Apt-install-webmin.png | 500px]]<br />
:[[Media:Apt-install-webmin.png | Click for Larger Image]]<br />
: ''NOTE: You can get similar information to what you can get with '''apt show''' from a '''DEB''' package file using the following command:''<br />
: <code>dpkg -I <filename></code><br />
<li> Notice the additional packages which are required by Webmin (dependencies) which will be downloaded and installed by '''apt''' from a repository in order to complete the installation.</li><br />
<li> Open a web browser on your host system and visit https://xxx.xxx.xxx.xxx:10000 where your IP replaces xxx.xxx.xxx.xxx</li><br />
<li> Login using your Debian username and password </li><br />
<li> Explore the Webmin interface<br />
:[[file:Webmin-dashboard.png | link= https://wiki.ihitc.net/mediawiki/images/0/0f/Webmin-dashboard.png | 500px]]<br />
:[[media:Webmin-dashboard.png | Click for Larger Image]]</li><br />
</ol><br />
<br />
= Checking Your Work =<br />
<ol><br />
<li> Run the following command:<br />
<br><br />
<code> ls -al /home/jsmith/redteam </code><br />
* Verify the following directories are present:<br />
*: '''/theplan'''<br />
*: '''/yours'''<br />
*: '''/mine'''<br />
*: '''/ours'''</li><br />
* Verify the '''redteam''' group owns the '''/ours''' directory.<br />
<li>Run the following command:<br />
<br><br />
<code> ls -al /home/jsmith </code><br />
* Verify the '''redteam''' group owns and has write permissions of the '''/redteam''' directory.</li><br />
<br><br><br />
<li> Automatically check your results by running this command:</li><br />
<br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_03_test.py | python3<br />
</nowiki></code></div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_3_mnjk&diff=9553Lab 3 mnjk2021-03-02T22:02:48Z<p>NateHaleen: /* Checking Your Work */</p>
<hr />
<div>=Introduction=<br />
'''''[https://www.youtube.com/watch?v=dQw4w9WgXcQ Watch the video introduction]'''''<br />
<br />
This lab assumes that you know the IP address of your Linux system and are connected to the ITCnet VPN network. If you need help with these steps please see [[ITC_VPN_Instructions | the VPN instructions]] and [[Lab_1_mnjk#Installing_sudo_and_checking_your_IP_address | Lab 1]].<br />
<br />
In this lab you will perform the following tasks:<br />
*Create a new user account<br />
*Change the ownership and permissions on files and directories<br />
*Install the '''[https://www.webmin.com/ Webmin]''' package.<br />
You will be introduced to the following commands:<br />
*'''[https://www.commandlinux.com/man-page/man8/addgroup.8.html addgroup]'''<br />
*'''[https://linux.die.net/man/1/cat cat]'''<br />
*'''[https://linux.die.net/man/1/more more]'''<br />
*'''[https://linux.die.net/man/1/touch touch]'''<br />
*'''[https://linux.die.net/man/1/chown chown]'''<br />
*'''[https://linux.die.net/man/1/chgrp chgrp]'''<br />
*'''[https://linux.die.net/man/1/dpkg dpkg]'''<br />
<br />
= Lab Procedure =<br />
== Prerequisites ==<br />
<ol><br />
<li> Make sure you have an active connection to the ITCnet either by VPN or by directly connecting to an ITCnet switch on campus</li><br />
<li> Open an SSH console to your Linux system using the PuTTY software, login with your standard user account</li><br />
</ol><br />
<br />
== Creating Users and Groups ==<br />
'''''[https://www.youtube.com/watch?v=q_tYhIVlhCU&feature=youtu.be Video Tutorial - Creating Users and Groups]''''' <br><br />
<ol><br />
<li> Create a new user account '''jsmith''' using the '''adduser''' program</li><br />
<code> adduser jsmith </code><br />
<li> Create a new group '''redteam''' using the '''addgroup''' program</li><br />
<code> addgroup redteam </code> <br />
<li> Add the '''jsmith''' account as well as your own user account to the '''redteam''' group</li><br />
<li> Close your SSH session and open two new SSH sessions</li><br />
: ''NOTE: In order for your user accounts to receive their new group permissions they need to be logged out and logged back in.''<br />
<li> Login as your regular user on one and '''jsmith''' on the other</li><br />
<li> View a list of all the user accounts on your system by looking at the '''/etc/passwd''' file. To output the contents of the '''/etc/passwd''' file you can use the following command:</li><br />
<code>cat /etc/passwd</code><br />
: The /etc/passwd file is a plain text file on your system.<br />
<li> View a list of the password data on your system by viewing the '''/etc/shadow''' file</li><br />
<li> View a list of groups and group members on your system in the '''/etc/group''' file<br />
: ''NOTE: The group list may be longer than one full screen of text (the same is true of the '''/etc/passwd''' or '''/etc/shadow''' file), depending on your screen resolution.''<br />
* To output the contents of the file while pausing after each page of output use the following command:<br />
: <code>more /etc/group</code><br />
* To output the contents of the file while pausing after each page of output and being able to scroll up and down through the output use the following command:<br />
: <code>less /etc/group</code><br />
* Press '''q''' to return to the command line<br />
* It may be helpful to try these commands to display an even longer text file like one of the Shakespeare texts you downloaded in an earlier lab in the '''~/sample-files''' directory. You may have to un-tar the files again first.</li><br />
</ol><br />
</ol><br />
<br />
== Practice Filesystem Permissions and Ownership ==<br />
'''''[https://www.youtube.com/watch?v=5-6dRHTbJfM&feature=youtu.be Video Tutorial - Practice Filesystem Permissions and Ownership]''''' <br><br />
''NOTE: Working with file and directory ownership and permissions is tricky and there are many, many possible combinations of users, groups, and permissions which can be assigned to both files and folders. The goal of this section of the lab is to familiarize you with how to use the commands for changing ownership and permissions, not to teach you how to read or understand Linux file permissions (see your readings for this, it is important!). Once you understand how to use the commands you should experiment with setting different owners and permissions on several different files, folders and subfolders until you have a good understanding of how permissions work. The only way to understand these relationships well is to read about them and then try them out. You should be able to set all of these permissions just as regular users (assuming you have access to both of the user accounts); '''you should not need sudo access to change the permissions because one of the two users owns all the files and directories we're working in. You will need sudo access to change the owner of the files because otherwise it would be possible to accidentally lock yourself out of a file.'''''<br />
<br />
''ADDITIONALLY: This table may be helpful:''<br />
: {| class="wikitable"<br />
|+Linux Permissions<br />
!|Octal<br />
!|Binary<br />
!|File Mode<br />
|-<br />
| 0<br />
| 000<br />
| ---<br />
|-<br />
| 1<br />
| 001<br />
| --x<br />
|-<br />
| 2<br />
| 010<br />
| -w-<br />
|-<br />
| 3<br />
| 011<br />
| -wx<br />
|-<br />
| 4<br />
| 100<br />
| r--<br />
|-<br />
| 5<br />
| 101<br />
| r-x<br />
|-<br />
| 6<br />
| 110<br />
| rw-<br />
|-<br />
| 7<br />
| 111<br />
| rwx<br />
|}<br />
''This '''[http://permissions-calculator.org/ permissions calculator]''' may also be helpful.''<br />
<ol><br />
<li> Change to the '''/home''' directory.</li><br />
<li> Check the ownership and permissions on the subdirectories inside of '''/home'''</li><br />
<li> Try to create new files using the '''touch''' command called '''foo''' and '''foo2''' in the '''/home/jsmith''' directory.<br />
*Try as both your regular user and as '''jsmith''' respectively<br />
: <code>touch foo</code><br />
: <code>touch foo2</code></li><br />
<li> Try removing the '''foo''' and/or '''foo2''' files using both your regular user account and '''jsmith'''</li><br />
<li> Use the '''jsmith''' user to create a new directory '''/home/jsmith/redteam/'''</li><br />
<li> Use the '''jsmith''' user to create some files: '''/home/jsmith/redteam/theplan''', '''/home/jsmith/redteam/yours''', '''/home/jsmith/redteam/mine''' and '''/home/jsmith/ours'''</li><br />
<li> In order to find out more about the '''chown''' and '''chgrp''' programs which you'll use to change the owners and groups for files and directories use the following commands to view the built in manual pages:<br />
: <code>man chown</code><br />
: <code>man chgrp</code><br />
: ''NOTE: Almost every command line tool in Linux has a manual page you can view in this way, try accessing a few other man pages for some of the other tools we've been using. You can scroll through the manual pages using the arrow keys and page up/down. To return to the command line press the q key.''</li><br />
<li> Change the permissions on the '''/home/jsmith/redteam/''' directory so that the group '''redteam''' is the group owner of the directory</li><br />
: [[File:Change-ownership-directory.png | link=https://wiki.ihitc.net/mediawiki/images/6/61/Change-ownership-directory.png | 500px]]<br />
: [[media:Change-ownership-directory.png | Click for Larger Image]]<br />
<li> Add write permission for the group to the '''/home/jsmith/redteam/''' directory</li><br />
<li> Change the ownership of the '''yours''' file so that it is owned by your regular user account instead of '''jsmith'''</li><br />
<li> Change the group owner of the '''ours''' file so that it is controlled by the '''redteam''' group</li><br />
<li> Experiment with creating and removing files and subdirectories inside of the '''/home/jsmith/redteam/''' directory as well as listing the contents of directories with various permissions applied to them until you have a good understanding of how permissions work.</li><br />
</ol><br />
<br />
== Install the Webmin Control Panel ==<br />
'''''[https://www.youtube.com/watch?v=tfthl4jH-jg&feature=youtu.be Video Tutorial - Install the Webmin Control Panel]''''' <br><br />
<ol><br />
<li> Use the '''links''' browser to download the '''DEB''' package file from '''[https://www.webmin.com www.webmin.com]'''</li><br />
: ''NOTE: Because this DEB file was downloaded directly instead of automatically by APT from a package repository the installation command is slightly different and some other commands such as '''apt show''' will not work.''<br />
<li>Install the package with '''apt install'''<br />
<code>apt install ./<filename.deb></code><br />
: ''Don't forget that installation of software must be done with system administrator permissions.''</li><br />
:[[File:Apt-install-webmin.png | link= https://wiki.ihitc.net/mediawiki/images/f/f8/Apt-install-webmin.png | 500px]]<br />
:[[Media:Apt-install-webmin.png | Click for Larger Image]]<br />
: ''NOTE: You can get similar information to what you can get with '''apt show''' from a '''DEB''' package file using the following command:''<br />
: <code>dpkg -I <filename></code><br />
<li> Notice the additional packages which are required by Webmin (dependencies) which will be downloaded and installed by '''apt''' from a repository in order to complete the installation.</li><br />
<li> Open a web browser on your host system and visit https://xxx.xxx.xxx.xxx:10000 where your IP replaces xxx.xxx.xxx.xxx</li><br />
<li> Login using your Debian username and password </li><br />
<li> Explore the Webmin interface<br />
:[[file:Webmin-dashboard.png | link= https://wiki.ihitc.net/mediawiki/images/0/0f/Webmin-dashboard.png | 500px]]<br />
:[[media:Webmin-dashboard.png | Click for Larger Image]]</li><br />
</ol><br />
<br />
= Checking Your Work =<br />
<ol><br />
<li> Run the following command:<br />
<br><br />
<code> ls -al /home/jsmith/redteam </code><br />
* Verify the following directories are present:<br />
*: '''/theplan'''<br />
*: '''/yours'''<br />
*: '''/mine'''<br />
*: '''/ours'''</li><br />
* Verify the '''redteam''' group owns the '''/ours''' directory.<br />
<li>Run the following command:<br />
<br><br />
<code> ls -al /home/jsmith </code><br />
* Verify the '''redteam''' group owns and has write permissions of the '''/redteam''' directory.</li><br />
<br />
<li> Automatically check your results by running this command:</li><br />
<br><br><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_03_test.py | python3<br />
</nowiki></code></div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_3_mnjk&diff=9552Lab 3 mnjk2021-03-02T22:02:27Z<p>NateHaleen: /* Checking Your Work */</p>
<hr />
<div>=Introduction=<br />
'''''[https://www.youtube.com/watch?v=dQw4w9WgXcQ Watch the video introduction]'''''<br />
<br />
This lab assumes that you know the IP address of your Linux system and are connected to the ITCnet VPN network. If you need help with these steps please see [[ITC_VPN_Instructions | the VPN instructions]] and [[Lab_1_mnjk#Installing_sudo_and_checking_your_IP_address | Lab 1]].<br />
<br />
In this lab you will perform the following tasks:<br />
*Create a new user account<br />
*Change the ownership and permissions on files and directories<br />
*Install the '''[https://www.webmin.com/ Webmin]''' package.<br />
You will be introduced to the following commands:<br />
*'''[https://www.commandlinux.com/man-page/man8/addgroup.8.html addgroup]'''<br />
*'''[https://linux.die.net/man/1/cat cat]'''<br />
*'''[https://linux.die.net/man/1/more more]'''<br />
*'''[https://linux.die.net/man/1/touch touch]'''<br />
*'''[https://linux.die.net/man/1/chown chown]'''<br />
*'''[https://linux.die.net/man/1/chgrp chgrp]'''<br />
*'''[https://linux.die.net/man/1/dpkg dpkg]'''<br />
<br />
= Lab Procedure =<br />
== Prerequisites ==<br />
<ol><br />
<li> Make sure you have an active connection to the ITCnet either by VPN or by directly connecting to an ITCnet switch on campus</li><br />
<li> Open an SSH console to your Linux system using the PuTTY software, login with your standard user account</li><br />
</ol><br />
<br />
== Creating Users and Groups ==<br />
'''''[https://www.youtube.com/watch?v=q_tYhIVlhCU&feature=youtu.be Video Tutorial - Creating Users and Groups]''''' <br><br />
<ol><br />
<li> Create a new user account '''jsmith''' using the '''adduser''' program</li><br />
<code> adduser jsmith </code><br />
<li> Create a new group '''redteam''' using the '''addgroup''' program</li><br />
<code> addgroup redteam </code> <br />
<li> Add the '''jsmith''' account as well as your own user account to the '''redteam''' group</li><br />
<li> Close your SSH session and open two new SSH sessions</li><br />
: ''NOTE: In order for your user accounts to receive their new group permissions they need to be logged out and logged back in.''<br />
<li> Login as your regular user on one and '''jsmith''' on the other</li><br />
<li> View a list of all the user accounts on your system by looking at the '''/etc/passwd''' file. To output the contents of the '''/etc/passwd''' file you can use the following command:</li><br />
<code>cat /etc/passwd</code><br />
: The /etc/passwd file is a plain text file on your system.<br />
<li> View a list of the password data on your system by viewing the '''/etc/shadow''' file</li><br />
<li> View a list of groups and group members on your system in the '''/etc/group''' file<br />
: ''NOTE: The group list may be longer than one full screen of text (the same is true of the '''/etc/passwd''' or '''/etc/shadow''' file), depending on your screen resolution.''<br />
* To output the contents of the file while pausing after each page of output use the following command:<br />
: <code>more /etc/group</code><br />
* To output the contents of the file while pausing after each page of output and being able to scroll up and down through the output use the following command:<br />
: <code>less /etc/group</code><br />
* Press '''q''' to return to the command line<br />
* It may be helpful to try these commands to display an even longer text file like one of the Shakespeare texts you downloaded in an earlier lab in the '''~/sample-files''' directory. You may have to un-tar the files again first.</li><br />
</ol><br />
</ol><br />
<br />
== Practice Filesystem Permissions and Ownership ==<br />
'''''[https://www.youtube.com/watch?v=5-6dRHTbJfM&feature=youtu.be Video Tutorial - Practice Filesystem Permissions and Ownership]''''' <br><br />
''NOTE: Working with file and directory ownership and permissions is tricky and there are many, many possible combinations of users, groups, and permissions which can be assigned to both files and folders. The goal of this section of the lab is to familiarize you with how to use the commands for changing ownership and permissions, not to teach you how to read or understand Linux file permissions (see your readings for this, it is important!). Once you understand how to use the commands you should experiment with setting different owners and permissions on several different files, folders and subfolders until you have a good understanding of how permissions work. The only way to understand these relationships well is to read about them and then try them out. You should be able to set all of these permissions just as regular users (assuming you have access to both of the user accounts); '''you should not need sudo access to change the permissions because one of the two users owns all the files and directories we're working in. You will need sudo access to change the owner of the files because otherwise it would be possible to accidentally lock yourself out of a file.'''''<br />
<br />
''ADDITIONALLY: This table may be helpful:''<br />
: {| class="wikitable"<br />
|+Linux Permissions<br />
!|Octal<br />
!|Binary<br />
!|File Mode<br />
|-<br />
| 0<br />
| 000<br />
| ---<br />
|-<br />
| 1<br />
| 001<br />
| --x<br />
|-<br />
| 2<br />
| 010<br />
| -w-<br />
|-<br />
| 3<br />
| 011<br />
| -wx<br />
|-<br />
| 4<br />
| 100<br />
| r--<br />
|-<br />
| 5<br />
| 101<br />
| r-x<br />
|-<br />
| 6<br />
| 110<br />
| rw-<br />
|-<br />
| 7<br />
| 111<br />
| rwx<br />
|}<br />
''This '''[http://permissions-calculator.org/ permissions calculator]''' may also be helpful.''<br />
<ol><br />
<li> Change to the '''/home''' directory.</li><br />
<li> Check the ownership and permissions on the subdirectories inside of '''/home'''</li><br />
<li> Try to create new files using the '''touch''' command called '''foo''' and '''foo2''' in the '''/home/jsmith''' directory.<br />
*Try as both your regular user and as '''jsmith''' respectively<br />
: <code>touch foo</code><br />
: <code>touch foo2</code></li><br />
<li> Try removing the '''foo''' and/or '''foo2''' files using both your regular user account and '''jsmith'''</li><br />
<li> Use the '''jsmith''' user to create a new directory '''/home/jsmith/redteam/'''</li><br />
<li> Use the '''jsmith''' user to create some files: '''/home/jsmith/redteam/theplan''' and '''/home/jsmith/redteam/yours''' '''/home/jsmith/redteam/mine''' and '''/home/jsmith/ours'''</li><br />
<li> In order to find out more about the '''chown''' and '''chgrp''' programs which you'll use to change the owners and groups for files and directories use the following commands to view the built in manual pages:<br />
: <code>man chown</code><br />
: <code>man chgrp</code><br />
: ''NOTE: Almost every command line tool in Linux has a manual page you can view in this way, try accessing a few other man pages for some of the other tools we've been using. You can scroll through the manual pages using the arrow keys and page up/down. To return to the command line press the q key.''</li><br />
<li> Change the permissions on the '''/home/jsmith/redteam/''' directory so that the group '''redteam''' is the group owner of the directory</li><br />
: [[File:Change-ownership-directory.png | link=https://wiki.ihitc.net/mediawiki/images/6/61/Change-ownership-directory.png | 500px]]<br />
: [[media:Change-ownership-directory.png | Click for Larger Image]]<br />
<li> Add write permission for the group to the '''/home/jsmith/redteam/''' directory</li><br />
<li> Change the ownership of the '''yours''' file so that it is owned by your regular user account instead of '''jsmith'''</li><br />
<li> Change the group owner of the '''ours''' file so that it is controlled by the '''redteam''' group</li><br />
<li> Experiment with creating and removing files and subdirectories inside of the '''/home/jsmith/redteam/''' directory as well as listing the contents of directories with various permissions applied to them until you have a good understanding of how permissions work.</li><br />
</ol><br />
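The permissions table and the group-write step above, as an added shell example that is not part of the original lab: it converts between octal and rwx notation and shows what '''chmod g+w''' changes on a scratch directory. The function names and the temporary directory are assumptions of this example; setuid, setgid and sticky bits are not handled.

```sh
#!/bin/sh
# Added example (not from the original lab): the octal/binary/rwx table as code.

# One octal digit -> rwx triplet. Bit values: r=4 (100), w=2 (010), x=1 (001).
digit_to_rwx() (
    if [ $(( $1 & 4 )) -ne 0 ]; then r=r; else r=-; fi
    if [ $(( $1 & 2 )) -ne 0 ]; then w=w; else w=-; fi
    if [ $(( $1 & 1 )) -ne 0 ]; then x=x; else x=-; fi
    printf '%s%s%s' "$r" "$w" "$x"
)

# rwx triplet -> one octal digit (the reverse lookup in the table).
rwx_to_digit() (
    n=0
    case "$1" in r??) n=$((n + 4)) ;; esac
    case "$1" in ?w?) n=$((n + 2)) ;; esac
    case "$1" in ??x) n=$((n + 1)) ;; esac
    printf '%s' "$n"
)

# Three octal digits (user, group, other) -> nine-character mode string.
octal_to_symbolic() (
    mode=$1
    case "$mode" in
        [0-7][0-7][0-7]) ;;
        *) echo "expected three octal digits, got '$mode'" >&2; exit 1 ;;
    esac
    rest=${mode#?}
    printf '%s%s%s\n' \
        "$(digit_to_rwx "${mode%??}")" \
        "$(digit_to_rwx "${rest%?}")" \
        "$(digit_to_rwx "${mode#??}")"
)

# Nine-character mode string -> three octal digits.
symbolic_to_octal() (
    s=$1
    case "$s" in
        [r-][w-][x-][r-][w-][x-][r-][w-][x-]) ;;
        *) echo "expected nine r/w/x/- characters, got '$s'" >&2; exit 1 ;;
    esac
    mid=${s#???}
    printf '%s%s%s\n' \
        "$(rwx_to_digit "${s%??????}")" \
        "$(rwx_to_digit "${mid%???}")" \
        "$(rwx_to_digit "${s#??????}")"
)

# Permission characters of a path as shown by ls -l (type character dropped).
mode_of() {
    ls -ld -- "$1" | cut -c2-10
}

# Scratch directory standing in for /home/jsmith/redteam/ (constructed sample):
# start at 750, add group write, and report both modes in both notations.
demo_group_write() (
    dir=$(mktemp -d) || exit 1
    mkdir "$dir/redteam"
    chmod 750 "$dir/redteam"
    before=$(mode_of "$dir/redteam")
    chmod g+w "$dir/redteam"
    after=$(mode_of "$dir/redteam")
    rm -rf "$dir"
    printf '%s %s -> %s %s\n' \
        "$before" "$(symbolic_to_octal "$before")" \
        "$after" "$(symbolic_to_octal "$after")"
)

demo_group_write
```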
<br />
== Install the Webmin Control Panel ==<br />
'''''[https://www.youtube.com/watch?v=tfthl4jH-jg&feature=youtu.be Video Tutorial - Install the Webmin Control Panel]''''' <br><br />
<ol><br />
<li> Use the '''links''' browser to download the '''DEB''' package file from '''[https://www.webmin.com www.webmin.com]'''</li><br />
: ''NOTE: Because this DEB file was downloaded directly instead of automatically by APT from a package repository the installation command is slightly different and some other commands such as '''apt show''' will not work.''<br />
<li>Install the package with '''apt install'''<br />
<code>apt install ./<filename.deb></code><br />
: ''Don't forget that installation of software must be done with system administrator permissions.''</li><br />
:[[File:Apt-install-webmin.png | link= https://wiki.ihitc.net/mediawiki/images/f/f8/Apt-install-webmin.png | 500px]]<br />
:[[Media:Apt-install-webmin.png | Click for Larger Image]]<br />
: ''NOTE: You can get similar information to what you can get with '''apt show''' from a '''DEB''' package file using the following command:''<br />
: <code>dpkg -I <filename></code><br />
<li> Notice the additional packages which are required by Webmin (dependencies) which will be downloaded and installed by '''apt''' from a repository in order to complete the installation.</li><br />
<li> Open a web browser on your host system and visit https://xxx.xxx.xxx.xxx:10000 where your IP replaces xxx.xxx.xxx.xxx</li><br />
<li> Login using your Debian username and password </li><br />
<li> Explore the Webmin interface<br />
:[[file:Webmin-dashboard.png | link= https://wiki.ihitc.net/mediawiki/images/0/0f/Webmin-dashboard.png | 500px]]<br />
:[[media:Webmin-dashboard.png | Click for Larger Image]]</li><br />
</ol><br />
<br />
= Checking Your Work =<br />
<ol><br />
<li> Run the following command:<br />
<br><br />
<code> ls -al /home/jsmith/redteam </code><br />
* Verify the following directories are present:<br />
*: '''/theplan'''<br />
*: '''/yours'''<br />
*: '''/mine'''<br />
*: '''/ours'''<br />
* Verify the '''redteam''' group owns the '''/ours''' directory.</li><br />
<li>Run the following command:<br />
<br><br />
<code> ls -al /home/jsmith </code><br />
* Verify the '''redteam''' group owns and has write permissions of the '''/redteam''' directory.</li><br />
<br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_02_test.py | python3<br />
</nowiki></code></div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_2_mnjk&diff=9551Lab 2 mnjk2021-03-02T22:01:53Z<p>NateHaleen: /* Checking Your Work */</p>
<hr />
<div>=Introduction=<br />
'''''[https://www.youtube.com/watch?v=dQw4w9WgXcQ Watch the video introduction]'''''<br />
<br />
In this lab you will perform the following tasks:<br />
*Installing the ''links'' web browser<br />
*Downloading a compressed file<br />
*Creating a directory<br />
*Copying and moving files<br />
*Extracting a .tar.gz "tarball" file<br />
*Removing files and directories<br />
*Installing the [https://httpd.apache.org/ Apache] webserver<br />
*Installing [https://www.python.org/ Python] and its dependencies<br />
<br />
This lab assumes that you know the IP address of your Linux system and are connected to the ITCnet VPN network. If you need help with these steps please see [[ITC_VPN_Instructions | the VPN instructions]] and [[Lab_1_mnjk#Installing_sudo_and_checking_your_IP_address | the previous lab]].<br />
<br />
You will be introduced to the following commands:<br />
*'''[https://linux.die.net/man/1/ls ls]'''<br />
*'''[https://linux.die.net/man/1/cd cd]'''<br />
*'''[https://linux.die.net/man/1/cp cp]'''<br />
*'''[http://linux.die.net/man/1/mv mv]'''<br />
*'''[https://linux.die.net/man/1/man man]'''<br />
*'''[http://linux.die.net/man/1/links links]'''<br />
*'''[http://linux.die.net/man/1/mkdir mkdir]'''<br />
*'''[http://linux.die.net/man/1/pwd pwd]'''<br />
*'''[http://linux.die.net/man/1/rm rm]'''<br />
*'''[http://linux.die.net/man/1/rmdir rmdir]'''<br />
*'''[http://linux.die.net/man/1/tar tar]'''<br />
<br />
=Lab Procedure=<br />
==Preliminaries==<br />
# Ensure your VM is powered on in Netlab<br />
#:''NOTE: you should have shut it down at the end of the last lab, but you will leave it on from now on.''<br />
#:''NOTE: you will need to make a reservation in Netlab to power on your VM.''<br />
# Make sure you have the current IP address of your Linux system<br />
#: If your Linux VM has been powered off for some time since you checked the IP address in a previous lab you may have received a new IP address, so be sure to check your IP address again and use that IP address in this lab. <br />
# Open an SSH console to your Linux system using the [https://www.putty.org/ PuTTY] software<br />
#: [[File:Lab2_putty.png |link=https://wiki.ihitc.net/mediawiki/images/6/6f/Lab2_putty.png|500px]]<br />
#: [[Media:Lab2_putty.png | Click for larger image]]<br />
# Log in with your standard user account<br />
#: From this point on we will be working only through an SSH connection to the server so unless you have a problem with network access to your VM, or you need to power it on again you should not need to make Netlab reservations or use the Netlab interface for quite some time.<br />
<br />
==Install the Links Web Browser Package==<br />
'''''[https://www.youtube.com/watch?v=2Ikzy23WuqQ&feature=youtu.be Video Tutorial - Installing the Links Web Browser]'''''<br />
<ol><br />
<li> Update your package lists using the following command:</li><br />
<code>sudo apt update</code><br />
: Because software installation and updates need to be done as an administrator we need to put '''sudo''' in front of these commands. You will likely need to enter your password again unless you've recently used sudo for something else and your session has not timed out yet.<br />
<li> Search for a description of the ''links'' package using the following '''apt''' command to search for packages with links in the package name.</li><br />
<code> apt search --names-only links</code><br />
<ul> ''TIP: You could further restrict your search using regular expressions instead of just searching for "links" such as '''apt search --names-only ^links''' which will only search for packages that ''start'' with the word links. You can learn more about regular expressions at [https://regexone.com RegexOne] and [https://www.regular-expressions.info Regular-Expressions.info] among many other places. These are frequently used in system administration and programming so it's worth your while to get at least a basic understanding of them.''</ul><br />
<ul> ''TIP: You can also expand your search to include searching the full package descriptions instead of just the names like '''apt search links''' which returns many more results.''</ul><br />
<li> Check the details of the ''links'' software package using the following command: </li><br />
<code>apt show links</code><br />
<li> Install the ''links'' web browser package using the following '''apt''' command: </li><br />
<code>sudo apt install links</code><br />
<li> Run the links program using the following command:</li><br />
<code>links</code><br />
<ul> [[File:Links.png|link=https://wiki.ihitc.net/mediawiki/images/6/6e/Links.png|500px]]</ul><br />
<ul> [[Media:Links.png | Click for Larger Image]]</ul><br />
<li> Try browsing to a website such as ''www.google.com'' or ''www.debian.org''. </li><br />
<ul> ''Hint: Pressing CTRL-G lets you enter a URL. Alternatively, you can enter a URL from the command line such as '''links google.com'''''</ul><br />
<ul> ''Hint: Press ALT-F to get a menu bar to appear on your screen which you can then go through using arrow keys.''</ul><br />
<li> Press the letter "q" on your keyboard to quit links.</li><br />
</ol><br />
<br><br />
There are many other text-based browsers to choose from. Some of these are more recent and have advanced features like handling SSL and cookies better. If you are interested check out [http://w3m.sourceforge.net/ w3m] or [https://lynx.invisible-island.net/ lynx]<br />
<br />
==Basic File Management and Navigation==<br />
'''''[https://www.youtube.com/watch?v=v0rm7Iab624&feature=youtu.be Video Tutorial - Basic File Management and Navigation]'''''<br />
<ol><br />
<li> Use the links web browser to open the page ''http://www.franske.com/shakespeare.tar.gz'' </li><br />
<li> Download the ''shakespeare.tar.gz'' file from that page. </li><br />
<li> Exit the links browser and verify the file has downloaded into your current directory with the following command:</li><br />
<code>ls -al</code><br />
<ul> This command lists the files in the current directory.</ul><br />
<li> Create a new directory called ''sample-files'' using the following command:</li><br />
<code>mkdir sample-files</code><br />
<li> Copy the ''shakespeare.tar.gz'' file from the current directory into the ''sample-files'' directory using:</li><br />
<code>cp shakespeare.tar.gz sample-files/ </code><br />
<ul> Note the / on the end of the command which indicates we want to place the file ''into'' a subdirectory and not make a new copy of the file in the same directory but with a different name. Pay attention to case, Linux is a case sensitive operating system. You can actually have two different files in the same directory, one called ''Shakespeare.tar.gz'' and one called ''shakespeare.tar.gz''</ul><br />
<li> Change your current directory to the ''sample-files'' directory using: </li><br />
<code>cd sample-files</code><br />
<li>Verify your directory change using the print working directory command:</li><br />
<code>pwd</code><br />
<li>Verify the file has been copied by using the following command inside the ''sample-files'' directory:</li><br />
<code>ls -al</code> <br />
<li> Delete (remove) the file from the current directory by using:</li><br />
<code> rm shakespeare.tar.gz</code><br />
<li>Change your directory back to your user's home directory (one level above the subdirectory you're currently in). </li><br />
<ul> There are many ways to do this but a common shortcut to move one directory up in the tree is to use the ".." shortcut which means one directory above the current directory so '''cd ..''' will change your working directory up one level.</ul><br />
<ul> This time we want to move the ''shakespeare.tar.gz'' file into the ''sample-files'' directory instead of copying it. </ul><br />
<li>Use the following command to do this:</li><br />
<code>mv shakespeare.tar.gz sample-files/</code><br />
<ul> Again, note the / on the end of sample-files/ indicating we want to put it in a ''directory'' named ''sample-files'' instead of renaming ''shakespeare.tar.gz'' to a ''file'' called ''sample-files''.</ul><br />
<li> Verify the ''shakespeare.tar.gz'' file is no longer in your current directory then change your working directory to ''sample-files'' again and verify that the file has been moved there.</li><br />
<ul> The ''.tar.gz'' type files are sometimes called a "tarball" and they are a common way to distribute files on *NIX (UNIX/Linux/BSD/POSIX) based systems. These files really have two parts. The first is a TAR file, which is a way to pack multiple files and directories into a single file for archival and distribution purposes but does not compress the file in any way; the size will be essentially the same as if you added together all of the files it contains. After the files are put into a TAR file they can be compressed with the '''gzip''' program, so we add the ''.gz'' extension to the filename to indicate this TAR file has been compressed. Other compression programs such as '''bzip2''' can also be used; in that case it would be a ''.tar.bz2'' file. Because TAR files are so frequently gzipped to compress them, the command to compress or uncompress a file has been added to the TAR program itself so we don't need to go through two steps. In this case we can uncompress and extract the files using the '''tar -zxf shakespeare.tar.gz''' command, or to see the list of files as they are extracted we can add the -v argument to the command to make the output verbose: '''tar -zxvf shakespeare.tar.gz''' </ul><br />
<li> Run the command to extract and uncompress the file. </li><br />
<li> Verify it by listing the directory contents. </li><br />
<ul> You should see a new subdirectory, it's common and good practice to always include the files in a TAR in their own subdirectory so that when they are extracted they don't clutter the current working directory. </ul><br />
<li> Enter the new subdirectory and list the contents to verify the extraction, you should see several files.</li><br />
<li> Try removing one of the files that was extracted. </li><br />
<ul>You might encounter an error if the filename includes a space. Although spaces are allowed in filenames on Linux, it's not recommended because you will need to either quote or escape filenames in some way in order to work with the files. For example if you wanted to remove a file called ''a file with spaces.txt'' you would either need to enter the command as '''rm "a file with spaces.txt"''' (with the quotes) or as ''rm a\ file\ with\ spaces.txt'' where the backslash character is used to "escape" the special characters in the filename (in this case spaces, but other characters, like exclamation points, are special as well). Make sure you can remove a file with spaces in the name. </ul><br />
<li> Move up one directory (back to the ''sample-files'' directory). </li><br />
<ul> Let's say we want to remove the entire Shakespeare directory now. </ul><br />
<li> Try using the following command to do that: </li><br />
<code> rm Shakespeare</code><br />
<ul> The '''rm''' command will give you an error because it is designed for removing files, not directories. To remove directories you can use the '''rmdir''' command such as '''rmdir Shakespeare''' but this will also give you an error. </ul><br />
<li> Try it! </li><br />
<code> rmdir Shakespeare </code><br />
<ul> The '''rmdir''' command requires that a directory be empty before it can be removed. You now have a choice: you could go back into the directory and clear it out, one file at a time, using the '''rm''' command. Or you could speed things up by removing all the files in it at once using the '''rm *''' command, which includes a special character, called a wildcard, which stands for all files in the directory. This would work but it still requires a second step, and if there were even more levels of directories inside the one you wanted to remove you would have to go through all of them as well. Luckily, Linux has a powerful (but obviously dangerous) command, the "recursive remove" command, which removes a directory as well as all of the files and subdirectories it contains. You must be careful with this command because, used incorrectly, you could obviously delete everything on your hard drive with a single command. We want to remove the Shakespeare directory and everything it contains so we can use the '''rm -r Shakespeare''' command. </ul><br />
<li> Do this and then verify the directory has been removed.</li><br />
<li> Navigate back to your user's home directory before continuing.</li></ol><br />
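The tarball steps above, as an added shell example that is not part of the original lab: it lists an archive's members with '''tar -ztf''' before extracting, checks that everything sits under one top-level directory, and flags member names that would land outside the extraction directory. The function names and the sample archives built in a temporary directory are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original lab): look inside a tarball before extracting it.

# Read member names on stdin; print those that are absolute or contain a ".."
# path component, since they could be written outside the extraction directory.
unsafe_members() {
    grep -E '^/|(^|/)\.\.(/|$)' || true
}

# Print the distinct top-level names inside a gzipped tarball.
top_level_entries() {
    tar -ztf "$1" | sed -e 's|^\./||' -e 's|/.*||' | grep -v '^$' | sort -u
}

# Succeed only if the archive has no unsafe names and exactly one top-level
# entry, i.e. it unpacks into its own subdirectory as the lab recommends.
is_tidy_tarball() (
    archive=$1
    bad=$(tar -ztf "$archive" | unsafe_members)
    if [ -n "$bad" ]; then
        echo "unsafe member names in $archive:" >&2
        echo "$bad" >&2
        exit 1
    fi
    count=$(top_level_entries "$archive" | wc -l | tr -d ' ')
    [ "$count" -eq 1 ]
)

# Extract into a directory of the caller's choosing, so an archive without
# its own subdirectory cannot clutter the current working directory.
extract_into() (
    archive=$1
    dest=$2
    bad=$(tar -ztf "$archive" | unsafe_members)
    if [ -n "$bad" ]; then
        echo "refusing to extract $archive" >&2
        exit 1
    fi
    mkdir -p "$dest" && tar -zxf "$archive" -C "$dest"
)

# Build two constructed sample archives: one with a single top-level
# directory, one with loose files at the top level.
make_samples() (
    work=$1
    mkdir -p "$work/src/Shakespeare" "$work/loose"
    printf 'To be\n' > "$work/src/Shakespeare/hamlet.txt"
    printf 'sonnet\n' > "$work/src/Shakespeare/a file with spaces.txt"
    printf 'x\n' > "$work/loose/one.txt"
    printf 'y\n' > "$work/loose/two.txt"
    tar -czf "$work/tidy.tar.gz" -C "$work/src" Shakespeare
    tar -czf "$work/loose.tar.gz" -C "$work/loose" one.txt two.txt
)

# Run the checks on both samples and report the results on one line.
demo_tarballs() (
    work=$(mktemp -d) || exit 1
    make_samples "$work"
    if is_tidy_tarball "$work/tidy.tar.gz"; then tidy=yes; else tidy=no; fi
    if is_tidy_tarball "$work/loose.tar.gz"; then loose=yes; else loose=no; fi
    extract_into "$work/loose.tar.gz" "$work/out"
    extracted=$(ls "$work/out" | wc -l | tr -d ' ')
    rm -rf "$work"
    printf 'tidy=%s loose=%s extracted=%s\n' "$tidy" "$loose" "$extracted"
)

demo_tarballs
```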
<br />
==Install the Apache 2 Webserver==<br />
'''''[https://www.youtube.com/watch?v=56iOrpFbHOM&feature=youtu.be Video Tutorial - Installing Apache 2]'''''<br />
<ol><li> On your HOST system open a web browser and try browsing to the IP address of your Linux system. </li><br />
<ul> You should get some kind of server unreachable error because there is currently no webserver running on your system. </ul><br />
<li> Use the '''apt show''' command to review details of the ''apache2'' package</li><br />
<ul> [https://httpd.apache.org/ Apache] is one of the most popular webserver programs on the Internet. </ul><br />
<li> After reading through the information go ahead and install the '''apache2''' package using '''apt install'''. </li><br />
<ul> You'll notice this time, because it's a more complex program than links, you will be prompted to install several other packages that apache relies on to run, we call these packages "dependencies". One key advantage of using a "package manager" like '''apt''', '''apt-get''', or '''aptitude''' is that they automatically keep track of dependencies and install packages needed to make the one you're trying to install function properly.</ul><br />
<li> Once the installation process for Apache 2 is complete you should be able to go back to your host system and try visiting the IP address of your Linux system again or reloading the page. </li><br />
<ul> You should now see a basic welcome page which indicates you have a webserver up and running on your Linux system. Obviously we haven't done anything exciting with the page yet or setup much security but it really is that simple to turn a Linux system into a basic webserver.</ul><br />
<ul> [[File:Lab2_apache2.png|link=https://wiki.ihitc.net/mediawiki/images/b/bc/Lab2_apache2.png|500px]]</ul><br />
<ul> [[Media:Lab2_apache2.png | Click for Larger Image]]</ul><br />
</ol><br />
<br />
''NOTE: You can leave your VM running from this point on''<br />
<br />
=Checking Your Work=<br />
<ol><li> Return to your home directory and run:</li><br />
<code>ls -al</code><br />
<ul> If you see the ''shakespeare.tar.gz'' file you haven't followed all the directions.</ul><br />
<li> List the files in the sample-files directory:</li><br />
<ul> If you only see the ''shakespeare.tar.gz'' file you have successfully completed that section of the lab.</ul><br />
<li> Run the following command:</li><br />
<code> links</code><br />
<ul> If the Links browser opens you have successfully installed it.</ul><br />
<li> Navigate to your IP address using the Links browser; does the website look like this?</li><br />
<ul>[[file:Links_apache2.png | link= https://wiki.ihitc.net/mediawiki/images/1/12/Links_apache2.png | 500px]]</ul><br />
<ul>[[media:Links_apache2.png| Click for Larger Image]]</ul><br />
<br />
<li> Run the following command; does the output look like this?</li><br />
<code style="background-color: #f1f1f1">python3 --version</code><br />
<ul> [[File:Python_version.png|link=https://wiki.ihitc.net/mediawiki/images/7/70/Python_version.png|500px]]</ul><br />
<ul> [[Media:Python_version.png | Click for Larger Image]]</ul><br />
<ul> If your results match the screenshots, you have successfully completed the lab! </ul><br />
<br><br />
<br><br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_02_test.py | python3<br />
</nowiki></code><br />
</ol></div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_1_mnjk&diff=9550Lab 1 mnjk2021-03-02T21:59:53Z<p>NateHaleen: /* Checking your Work */</p>
<hr />
<div>=Introduction=<br />
:In this lab you will perform the following tasks:<br />
*Access NetLab to access the environment for your virtual machine<br />
*Install the latest version of Debian Linux in a virtual machine<br />
*Learn how to login and check the IP address of the system<br />
*Learn to remotely access the system with SSH and SFTP.<br />
<br />
You will be introduced to the following commands:<br />
<br />
*'''[https://linux.die.net/man/8/apt apt]'''<br />
*'''[https://linux.die.net/man/8/sudo sudo]'''<br />
*'''[https://linux.die.net/man/8/useradd adduser]'''<br />
*'''[https://linux.die.net/man/8/shutdown shutdown]'''<br />
*'''[https://linux.die.net/man/8/ip ip address show]'''<br />
<br />
=Lab Procedure=<br />
==Netlab Access==<br />
'''''[https://www.youtube.com/watch?v=-hLejbDfPGM&feature=youtu.be Video Tutorial - NetLab Access]'''''<br />
<ol><br />
<li> Connect to the ITCnet </li> <br />
: This can be accomplished by directly plugging into an ITCnet port in one of the ITC labs or by connecting to the [[ITC_VPN_Instructions|VPN]].<br />
:'' Note: If you want to connect using a wireless connection on campus you need to [[Connecting to Eduroam|connect to the eduroam network]] before connecting to the VPN.''<br />
<li> After you are connected to ITCnet (by VPN or wired connection) you simply need to open a web browser and access https://ihcc-netlab.campus.ihitc.net</li><br />
* The first time you visit this site in a browser you may need to accept a self-signed security certificate<br />
* You will need to log in with a username and password established by your instructor.<br />
* The first time you log in you will need to change your password and set your timezone. Make sure your timezone is set correctly so you can schedule reservations to work with equipment at convenient times.<br />
<li> Once you are logged in click the blue "New Lab Reservation" button</li><br />
: Next, in the lower left corner of the screen, select "Schedule a Lab for Myself". Reservations are used to hold a place on the Netlab system to work on labs during a specific time. You only need reservations in this class when working with the GUI, which will come later in the class, if you need to turn the power back on to your VM, or during the installation process. The rest of the time you will be able to connect directly to your Linux server using the SSH protocol, but more on that in a bit.<br />
:'' Note: If you are enrolled in more than one class that is using Netlab you will be presented with a list of classes you are enrolled in; click on your Linux System Administration course if you see this screen.''<br />
: All of our lab work in this class is done in a single "Lab Environment" and your progress will be saved from one reservation to another. As a result there is only one lab listed in this course "Linux System Administration Labs". Click on this lab title.<br />
<li> Use the calendar to choose a date, time, and specific pod to reserve for your lab activity (when you will begin your Debian server installation).</li><br />
: The red line on this screen indicates the current time. If you want to get started right away you can click just below this line. Pay attention to the title of the column at the top, it will say something like "LSA Pod Z". The letter at the end of this pod name is your "pod letter" which you will use to set the host name and IP address of your machine in the future so make note of it.<br />
: You will be presented with a summary screen for your reservation where you can set the end time of your reservation (up to a maximum). It is suggested to make your reservation a couple hours long the first time you plan to install Debian, though you can extend it if needed. Click submit once you are ready to make the reservation.<br />
<li>You will see a confirmation screen that your reservation has been made.</li><br />
: You are now ready to progress on to the Debian Linux Installation (as long as your reservation is right away).<br />
</ol><br />
<br />
==Debian Linux Installation==<br />
'''''[https://www.youtube.com/watch?v=H0DcdEytpFQ&feature=youtu.be Video Tutorial - Debian Linux Installation]'''''<br />
<ol><br />
<li> Log in to the Netlab system</li><br />
: Access this using a web browser at https://ihcc-netlab.campus.ihitc.net if you are not already logged in.<br />
: If you have a currently active reservation you will see a green "Enter Lab" button on your list of reservations. Click the green "Enter Lab" button. If not, you will need to make a reservation (see above) and then click the "Enter Lab" button.<br />
: Your virtual machines (VMs) will automatically power on when your reservation begins and because there is no operating system currently installed to their virtual hard drives they will boot from their virtual CD/DVD drives which have been pre-loaded with the installation discs for Linux.<br />
<li> Access your virtual machine console</li><br />
: Once you are in your pod you can either click on the image of the "Linux Server" on the topology diagram or use the tabs across the top of your screen to access the console of your Linux Server VM.<br />
: The console shows the display of your VM and allows you to type and interact with your VM just as if you were physically sitting down in front of a server with a monitor, keyboard, and mouse attached. Just like a separate physical machine you will not be able to copy and paste text or drag and drop files in and out of this console window. We will use other utilities across the network connection to do those things just like we would with a physical server.<br />
<li>Learn to "Power Cycle" your virtual machine</li><br />
: By now your VM has likely already booted from its virtual CD/DVD drive and should be at the "Debian GNU/Linux installer menu". Before continuing let's practice rebooting your system so you can watch the system boot and see how to reboot the system if needed. Click the down arrow button on the right side of the "Linux Server" tab at the top of your screen and choose "Power Off" then click the red "Power Off" button on the popup to power off your VM. This is the equivalent of just pulling out the power cord, at least until we install the VMware Tools software which allows for a graceful shutdown, so you'll want to be careful to only do this if absolutely needed until then.<br />
<li>Power on your virtual machine</li><br />
: Click the down arrow button on the right side of the "Linux Server" tab at the top of your screen and choose "Power On", or press the blue "Power On" button in the middle of your screen, then press the green "Power On" button to boot your system.<br />
<li>Install Debian Linux</li><br />
: Once the system has rebooted and is back to the "Debian GNU/Linux installer menu" choose "Install" and '''not''' "Graphical Install". If you make an incorrect choice you can reboot your virtual machine (power off and on) before installing to get back to the menu.<br />
: In the installer you will use the space bar to select and unselect "checkboxes", the tab key to move between fields and buttons, and the enter key to continue. You will be prompted for the following choices:<br />
* Select ''English'' as the language, ''United States'' as your location, and ''American English'' as the keymap.<br />
* Set ''ens192'' as your primary network interface.<br />
* Set a hostname for the system to 2480 followed by a dash and then your pod ID letter, like ''2480-Z'' for LSA Pod Z. If you have forgotten your pod ID letter look up at the top of your screen above the line with the "Topology" and "Linux Server" tabs and you should see a line with "LSA Pod" followed by a letter, that letter is your pod ID letter.<br />
:'' Note: These steps are critical to future success in labs, check your spelling carefully'' <br />
: [[File:Lab1_hostname.png|link=https://wiki.ihitc.net/mediawiki/images/5/57/Lab1_hostname.png|500px]]<br />
: [[Media:Lab1_hostname.png|Click here for a larger image]]<br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
: [[File:Lab1_domainname.png|link=https://wiki.ihitc.net/mediawiki/images/5/5a/Lab1_domainname.png|500px]]<br />
: [[Media:Lab1_domainname.png|Click here for a larger image]]<br />
* Set the root password to something you will NOT FORGET, this is the administrator account, ''cisco'' might be a good choice for our purposes though that would not be secure for a system directly accessible from the Internet (we are protected by a firewall which you are bypassing via the VPN connection)<br />
* Create a new user account by entering your name. The system will automatically use your first name (all lowercase) as the username and then you should set the password to another password you will not forget<br />
* Select your timezone<br />
* Choose "Guided - Use entire disk" as the partitioning method and select the ''sda'' drive and "All files in one partition" as the partitioning scheme, "Finish partitioning and write the changes to the disk", and then finally confirm you want to write the changes.<br />
* You do not want to scan any other CDs or DVDs at this time.<br />
* You want to select a mirror located close to you with good speed. Because your VM is actually running from the campus and is connected to the campus Internet connection a good option is "debian.uchicago.edu" with no http proxy.<br />
* Choose whether you want to participate in the package usage survey, for our purposes either choice is just fine.<br />
* On the software selection screen UNSELECT "Debian desktop environment" and "Print server" and make sure that "SSH server" and "Standard system utilities" are the only two selected options.<br />
:'' Note: To select and unselect options move your cursor over the option and press the space bar.''<br />
* Choose that yes you want to install GRUB to the master boot record on the ''/dev/sda'' device.<br />
<li>Complete the installation</li><br />
: When the installation is complete you can select continue to "eject" the virtual CD and reboot into the new install<br />
</ol><br />
<br />
==Installing sudo and Checking Your IP Address==<br />
'''''[https://www.youtube.com/watch?v=TwXp5YfAvlw&feature=youtu.be Video Tutorial - Installing sudo and checking your IP address]'''''<br />
<ol><br />
<li>Log in to NetLab</li><br />
: Login through the Netlab local console with your root account and password (username ''root'', password as set during the installation)<br />
:'' Note: When entering a password on the command line of a Linux system it is normal that nothing should appear and the cursor will not move when you are typing. This prevents someone who is able to see your computer screen from seeing what your password is or even how long it is. Just type your password and trust that the system is receiving it, press enter to submit your password.''<br />
<li>Install '''sudo''' from the command line using:<br />
: ''Note: It is good practice to refresh the package lists before installing any packages. Do this with '''apt update''', and use '''sudo''' when you are not logged in as root.<br />
: <code>apt update</code><br />
: <code>apt install sudo</code></li><br />
: For security purposes it is usually the case that you do not want to log in as the root user. Instead, best practice is to log in as a standard user and then execute specific commands that require root access with administrative privileges through the '''sudo''' program. The '''sudo''' program is not installed by default so after you have logged in to the root account enter '''apt update''' and press enter which will update the list of software available for installation and then '''apt install sudo''' and press enter to install the sudo software.<br />
<li>Add sudo privileges to our standard user account.<br />
<code>adduser <username> sudo</code></li><br />
: We now need to add our standard user account to the group which is allowed to have administrative access. To do this, enter the command '''sudo adduser ''<username>'' sudo''' and press enter, replacing ''<username>'' with the name of your standard user account (set during the setup process, probably your first name in lowercase). We'll learn more about these commands later in the course.<br />
<li>Reboot system</li><br />
<code>shutdown -r now</code><br />
: Reboot your system using the '''shutdown -r now''' command to apply the changes<br />
<li>Log in as your standard user account, determine system IP address.<br />
: Once you are logged in use the following command at the command line to determine the IP address of your system<br />
<code>ip address show</code></li><br />
: Using the '''ip address show''' command will allow you to check the IP address of your system. The IP address should be something like ''172.17.50.xxx'' and be an ''inet'' address on the ''ens192'' adapter.<br />
[[File:Lab1_ip_address_show2.PNG|500px]]<br />
<li>Test sudo privileges</li><br />
: Try running the same command as the administrator by typing '''sudo ip address show''', you will need to enter in your password again when you run this command.<br />
<code>sudo ip address show</code><br />
<li>Exit from the local console</li><br />
: To log out of the console type '''exit''' and press enter.<br />
</ol><br />
<br />
==Logging in to a Remote Terminal==<br />
'''''[https://www.youtube.com/watch?v=JEiDkrlPMNw&feature=youtu.be Video Tutorial - Logging into a remote terminal]'''''<br />
<br />
A faster way to interact with your system is not through the Netlab local console but through a remote SSH session over the network directly to your server. Once you have mastered this you will be able to copy and paste text to your Linux server and will not need to make a reservation in Netlab to work on labs. For our purposes you will always need to connect to the ITCnet VPN before doing this so that you have access to the 172.17.50.0 network.<br />
<ol><br />
<li>Install Putty</li><br />
: Assuming you are running Windows, install the PuTTY software on your home PC from [http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html this website].<br />
: '' Note: For other operating systems there are other ways and software you can use to make an SSH connection, you will need to research what tools are used for making SSH connections from your particular operating system.<br />
<li>Open an SSH session</li><br />
:* Run the PuTTY software on your computer and enter in the IP address of your VM in the "Host Name" box and click the "Open" button.<br />
:[[File:Lab1_putty.png|link=https://wiki.ihitc.net/mediawiki/images/f/f5/Lab1_putty.png|500px]]<br />
:[[Media:Lab1_putty.png| Click here for larger image]]<br />
:* Click Yes to save the host key on your system<br />
: [[File:Lab1_puttycert.png|link=https://wiki.ihitc.net/mediawiki/images/4/4b/Lab1_puttycert.png|500px]]<br />
: [[Media:Lab1_puttycert.png|Click here for larger image]]<br />
:* Enter the standard username and password for your Linux system to connect.<br />
: '' Note: You should receive a prompt just like the one you had on the Netlab local console but it is now a direct connection from your computer over the ITCnet to your server.<br />
<li>Close the SSH session</li><br />
: Type '''exit''' to close the connection while leaving your VM running.<br />
</ol><br />
<br />
==Remote File Transfer==<br />
'''''[https://www.youtube.com/watch?v=JEiDkrlPMNw&feature=youtu.be Video Tutorial - Remote File Transfer]'''''<br />
<br />
The easiest way to transfer files to and from your VM is with SFTP software. For our purposes, you will always need to connect to the ITCnet VPN before doing this so that you have access to the 172.17.50.0 network.<br />
<ol><br />
<li>Install FileZilla</li><br />
: Install the FileZilla client software on your home PC from [https://filezilla-project.org/download.php?type=client this website]<br />
<li>Open a SFTP session to your server</li><br />
: Run FileZilla and use the Quick Connect bar at the top of the screen to access your system. <br />
:* Enter the IP address of your Linux system in the "Host:" box<br />
:* Enter your standard username and password in the appropriate boxes<br />
:* Enter ''22'' in the "Port:" box<br />
:* Click the "Quickconnect" button.<br />
: [[File:Lab1_filezillanew.png|link=https://wiki.ihitc.net/mediawiki/images/b/b1/Lab1_filezillanew.png|500px]]<br />
: [[Media:Lab1_filezillanew.png|Click here for larger image]]<br />
: You should see some connection text scroll on the top of the screen and some files on the right side of the screen now, such as ''.bashrc'' and ''.profile''. The right side of the screen is the drive on your Linux system and the left side of the screen is the drive on your home system. Files and folders can be dragged between the two sides to transfer them back and forth.<br />
: [[File:Lab1_filezillaconnected.png|link=https://wiki.ihitc.net/mediawiki/images/c/ca/Lab1_filezillaconnected.png|500px]]<br />
: [[Media:Lab1_filezillaconnected.png|Click here for larger image]]<br />
<li>Close the FileZilla software to disconnect.</li><br />
</ol><br />
<br />
==Install VM Tools==<br />
'''''[https://www.youtube.com/watch?v=gLC1liwVJ8s&feature=youtu.be Video Tutorial - Install VM Tools]'''''<br />
: Because your Debian Linux server is running as a virtual machine on a VMware host system, we should install the VMware Tools software package in your virtual machine to achieve the best performance and driver integration.<br />
<ol><br />
<li>Open a SSH session to your server</li><br />
: Connect into your system using the remote SSH console method explained above.<br />
<li>Install '''open-vm-tools'''</li><br />
: Run the '''sudo apt install open-vm-tools''' command to install the VMware Tools. You will be prompted about several additional software packages required to be installed; type '''y''' and press enter to install the software.<br />
<code>sudo apt install open-vm-tools</code><br />
</ol><br />
<br />
==Install Python==<br />
In order to check your work in the labs of this course you will need to have an application called [https://www.python.org/ Python] installed on your Linux system.<br />
<ol><br />
<li> Download ''python3'' using '''apt'''</li><br />
* When prompted type Y to install the app and its dependencies<br />
<ul>''NOTE: This may take a while.''</ul><br />
* When prompted to specify the name of the host where the TANGO database server is running, just select ok.<br />
<ul> [[File:Python_tango.png|link=https://wiki.ihitc.net/mediawiki/images/4/4c/Python_tango.png|500px]]</ul><br />
<ul> [[Media:Python_tango.png | Click for Larger Image]]</ul><br />
<li> Run the following command to verify that python version 3.6 is installed.</li><br />
<code>python3 --version</code><br />
<ul> [[File:Python_version.png|link=https://wiki.ihitc.net/mediawiki/images/7/70/Python_version.png|500px]]</ul><br />
<ul> [[Media:Python_version.png | Click for Larger Image]]</ul><br />
</ol><br />
<br />
==Install Nmap==<br />
:Nmap is a tool we will learn more about later in the course but it will likely be used to check many of the labs for completion while working through the course. This course's labwork often builds upon the work you have done in previous labs. The self-check scripts are to assist you in ensuring you have not missed any ''critical'' steps in your work that would affect your success in subsequent labs.<br />
<br />
:* ''NOTE: Before we begin the installation of this tool it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning, or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning systems which they were not authorized to scan. You have been warned!<br />
:*At this time all you will be doing is installing the tool as it will be used to self-check your lab work to verify you are ready to move on to the next lab.<br />
<ol><br />
<li>Open a SSH session to your server</li><br />
: Run the following command at the command line.<br />
<code>sudo apt install nmap</code><br />
: Run the '''sudo apt install nmap''' command to install the nmap tool. You will be prompted about additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
</ol><br />
<br />
==Install Curl==<br />
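:Curl is a command-line tool for transferring data to and from URLs. In this course it downloads the self-check scripts so they can be run without being saved to your virtual machine, and it will be used to check the labs for completion while working through the course. <br />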
<ol><br />
<li> Run the following command at the command line. </li><br />
<code>sudo apt install curl</code><br />
: If prompted to install additional packages type "y"<br />
<br />
<li>Close the SSH session</li><br />
: Type '''exit''' to close the connection while leaving your VM running.<br />
</ol><br />
<br />
==Safely Shutdown==<br />
'''''[https://www.youtube.com/watch?v=gLC1liwVJ8s&feature=youtu.be Video Tutorial - Safely Shutdown]'''''<br />
:We will normally leave our VM running but it is important that you know how to shut down a Linux system correctly, so this time we'll turn it off.<br />
<ol><br />
<li>Open a SSH session to your server</li><br />
: Connect in to your system using the remote SSH console method explained above.<br />
<li> Safely shut down your server</li><br />
:* Run '''sudo shutdown -h now''' at the command line to safely shut down the system.<br />
<code>sudo shutdown -h now</code><br />
: You should soon get a message that PuTTY has lost its connection. Click OK and then you can close the PuTTY window.<br />
<li>End NetLab Reservation</li><br />
: If you still have time left in your reservation in Netlab it's polite to end the reservation so other users can work on the system, because only a limited number of reservations can be made at one time. You can do this by logging into Netlab, opening your lab, clicking the "Reservation" menu at the top of the screen and choosing "End Reservation Now", followed by confirming that you want to end the reservation.<br />
</ol><br />
<br />
=Checking your Work=<br />
<ol><br />
<li> Testing your work goes here</li><br />
<code> Commands to use</code><br />
<ul> Description of what you should see</ul><br />
<br />
<li> Automatically check your results by running this command:</li><br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_01_revised.py | python3<br />
</nowiki></code><br />
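Piping a downloaded script straight into python3 runs whatever the server returns without anyone having looked at it. The sketch below is an added example, not part of the lab or of the course's check scripts: it saves the script to a file, compares its SHA-256 digest with a known-good value, and runs it only on a match. The function names and the idea that your instructor publishes the digest are assumptions, and the digest in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not part of the lab): verify a downloaded self-check script
# before running it, instead of piping curl straight into python3.

# sha256_of FILE -> prints the lowercase hex SHA-256 digest of FILE
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# verify_script FILE EXPECTED_SHA256
# Returns 0 on a digest match, 1 on mismatch, 2 if FILE is missing or empty.
verify_script() {
    file=$1
    # Accept the expected digest in either upper or lower case.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    return 0
}

# fetch_check_script URL DEST
#   -f  fail on HTTP errors, so an error page is never saved as "the script"
#   -sS quiet, but still print errors
#   -L  follow redirects, restricted to HTTPS by --proto-redir
fetch_check_script() {
    curl -fsSL --proto '=https' --proto-redir '=https' -o "$2" "$1"
}

# run_verified URL EXPECTED_SHA256
# Download to a temporary file, verify it, then run it with python3.
run_verified() {
    tmp=$(mktemp) || return 3
    rc=1
    if fetch_check_script "$1" "$tmp" && verify_script "$tmp" "$2"; then
        rc=0
        python3 "$tmp" || rc=$?
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage (placeholder digest; the real value must come from a trusted source,
# assumed here to be your instructor):
#   run_verified \
#     "https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_01_revised.py" \
#     "<expected-sha256-hex>"
```

Saving the file first also lets you read it with '''less''' before it runs.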
</ol></div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_1_mnjk&diff=9549Lab 1 mnjk2021-03-02T21:58:51Z<p>NateHaleen: /* Checking your Work */</p>
<hr />
<div>=Introduction=<br />
:In this lab you will perform the following tasks:<br />
*Access NetLab to access the environment for your virtual machine<br />
*Install the latest version of Debian Linux in a virtual machine<br />
*Learn how to login and check the IP address of the system<br />
*Learn to remotely access the system with SSH and SFTP.<br />
<br />
You will be introduced to the following commands:<br />
<br />
*'''[https://linux.die.net/man/8/apt apt]'''<br />
*'''[https://linux.die.net/man/8/sudo sudo]'''<br />
*'''[https://linux.die.net/man/8/useradd adduser]'''<br />
*'''[https://linux.die.net/man/8/shutdown shutdown]'''<br />
*'''[https://linux.die.net/man/8/ip ip address show]'''<br />
<br />
=Lab Procedure=<br />
==Netlab Access==<br />
'''''[https://www.youtube.com/watch?v=-hLejbDfPGM&feature=youtu.be Video Tutorial - NetLab Access]'''''<br />
<ol><br />
<li> Connect to the ITCnet </li> <br />
: This can be accomplished by directly plugging into an ITCnet port in one of the ITC labs or by connecting to the [[ITC_VPN_Instructions|VPN]].<br />
:'' Note: If you want to connect using a wireless connection on campus you need to [[Connecting to Eduroam|connect to the eduroam network]] before connecting to the VPN.<br />
<li> After you are connected to ITCnet (by VPN or wired connection) you simply need to open a web browser and access https://ihcc-netlab.campus.ihitc.net</li><br />
* The first time you visit this site in a browser you may need to accept a self-signed security certificate<br />
* You will need to log in with a username and password established by your instructor.<br />
* The first time you log in you will need to change your password and set your timezone. Make sure your timezone is set correctly so you can schedule reservations to work with equipment at convenient times.<br />
<li> Once you are logged in click the blue "New Lab Reservation" button</li><br />
: Next, in the lower left corner of the screen, select "Schedule a Lab for Myself". Reservations are used to hold a place on the Netlab system to work on labs during a specific time. You only need reservations in this class when working with the GUI, which will come later in the class, if you need to turn the power back on to your VM, or during the installation process. The rest of the time you will be able to connect directly to your Linux server using the SSH protocol, but more on that in a bit.<br />
:'' Note: If you are enrolled in more than one class that is using Netlab you will be presented with a list of classes you are enrolled in; click on your Linux System Administration course if you see this screen.<br />
: All of our lab work in this class is done in a single "Lab Environment" and your progress will be saved from one reservation to another. As a result there is only one lab listed in this course "Linux System Administration Labs". Click on this lab title.<br />
<li> Use the calendar to choose a date, time, and specific pod to reserve for your lab activity (when you will begin your Debian server installation).</li><br />
: The red line on this screen indicates the current time. If you want to get started right away you can click just below this line. Pay attention to the title of the column at the top, it will say something like "LSA Pod Z". The letter at the end of this pod name is your "pod letter" which you will use to set the host name and IP address of your machine in the future so make note of it.<br />
: You will be presented with a summary screen for your reservation where you can set the end time of your reservation (up to a maximum). It is suggested to make your reservation a couple hours long the first time you plan to install Debian, though you can extend it if needed. Click submit once you are ready to make the reservation.<br />
<li>You will see a confirmation screen that your reservation has been made.</li><br />
: You are now ready to progress on to the Debian Linux Installation (as long as your reservation is right away).<br />
</ol><br />
<br />
==Debian Linux Installation==<br />
'''''[https://www.youtube.com/watch?v=H0DcdEytpFQ&feature=youtu.be Video Tutorial - Debian Linux Installation]'''''<br />
<ol><br />
<li> Log in to the Netlab system</li><br />
: Access this using a web browser at https://ihcc-netlab.campus.ihitc.net if you are not already logged in.<br />
: If you have a currently active reservation you will see a green "Enter Lab" button on your list of reservations. Click the green "Enter Lab" button. If not, you will need to make a reservation (see above) and then click the "Enter Lab" button.<br />
: Your virtual machines (VMs) will automatically power on when your reservation begins and because there is no operating system currently installed to their virtual hard drives they will boot from their virtual CD/DVD drives which have been pre-loaded with the installation discs for Linux.<br />
<li> Access your virtual machine console</li><br />
: Once you are in your pod you can either click on the image of the "Linux Server" on the topology diagram or use the tabs across the top of your screen to access the console of your Linux Server VM.<br />
: The console shows the display of your VM and allows you to type and interact with your VM just as if you were physically sitting down in front of a server with a monitor, keyboard, and mouse attached. Just like a separate physical machine you will not be able to copy and paste text or drag and drop files in and out of this console window. We will use other utilities across the network connection to do those things just like we would with a physical server.<br />
<li>Learn to "Power Cycle" your virtual machine</li><br />
: By now your VM has likely already booted from its virtual CD/DVD drive and should be at the "Debian GNU/Linux installer menu". Before continuing let's practice rebooting your system so you can watch the system boot and see how to reboot the system if needed. Click the down arrow button on the right side of the "Linux Server" tab at the top of your screen and choose "Power Off" then click the red "Power Off" button on the popup to power off your VM. This is the equivalent of just pulling out the power cord, at least until we install the VMware Tools software which allows for a graceful shutdown, so you'll want to be careful to only do this if absolutely needed until then.<br />
<li>Power on your virtual machine</li><br />
: Click the down arrow button on the right side of the "Linux Server" tab at the top of your screen and choose "Power On", or press the blue "Power On" button in the middle of your screen, then press the green "Power On" button to boot your system.<br />
<li>Install Debian Linux</li><br />
: Once the system has rebooted and is back to the "Debian GNU/Linux installer menu" choose "Install" and '''not''' "Graphical Install". If you make an incorrect choice you can reboot your virtual machine (power off and on) before installing to get back to the menu.<br />
: In the installer you will use the space bar to select and unselect "checkboxes", the tab key to move between fields and buttons, and the enter key to continue. You will be prompted for the following choices<br />
* Select ''English'' as the language, ''United States'' as your location, and ''American English'' as the keymap.<br />
* Set ''ens192'' as your primary network interface.<br />
* Set a hostname for the system to 2480 followed by a dash and then your pod ID letter, like ''2480-Z'' for LSA Pod Z. If you have forgotten your pod ID letter look up at the top of your screen above the line with the "Topology" and "Linux Server" tabs and you should see a line with "LSA Pod" followed by a letter, that letter is your pod ID letter.<br />
:'' Note: These steps are critical to future success in labs, check your spelling carefully'' <br />
: [[File:Lab1_hostname.png|link=https://wiki.ihitc.net/mediawiki/images/5/57/Lab1_hostname.png|500px]]<br />
: [[Media:Lab1_hostname.png|Click here for a larger image]]<br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
: [[File:Lab1_domainname.png|link=https://wiki.ihitc.net/mediawiki/images/5/5a/Lab1_domainname.png|500px]]<br />
: [[Media:Lab1_domainname.png|Click here for a larger image]]<br />
* Set the root password to something you will NOT FORGET, this is the administrator account, ''cisco'' might be a good choice for our purposes though that would not be secure for a system directly accessible from the Internet (we are protected by a firewall which you are bypassing via the VPN connection)<br />
* Create a new user account by entering your name. The system will automatically use your first name (all lowercase) as the username and then you should set the password to another password you will not forget<br />
* Select your timezone<br />
* Choose "Guided - Use entire disk" as the partitioning method and select the ''sda'' drive and "All files in one partition" as the partitioning scheme, "Finish partitioning and write the changes to the disk", and then finally confirm you want to write the changes.<br />
* You do not want to scan any other CDs or DVDs at this time.<br />
* You want to select a mirror located close to you with good speed. Because your VM is actually running from the campus and is connected to the campus Internet connection a good option is "debian.uchicago.edu" with no http proxy.<br />
* Choose whether you want to participate in the package usage survey, for our purposes either choice is just fine.<br />
* On the software selection screen UNSELECT "Debian desktop environment" and "Print server" and make sure that "SSH server" and "Standard system utilities" are the only two selected options.<br />
:'' Note: To select and unselect options move your cursor over the option and press the space bar.<br />
* Choose that yes you want to install GRUB to the master boot record on the ''/dev/sda'' device.<br />
<li>Complete the installation</li><br />
: When the installation is complete you can select continue to "eject" the virtual CD and reboot into the new install<br />
</ol><br />
<br />
==Installing sudo and Checking Your IP Address==<br />
'''''[https://www.youtube.com/watch?v=TwXp5YfAvlw&feature=youtu.be Video Tutorial - Installing sudo and checking your IP address]'''''<br />
<ol><br />
<li>Log in to NetLab</li><br />
: Login through the Netlab local console with your root account and password (username ''root'', password as set during the installation)<br />
:'' Note: When entering a password on the command line of a Linux system it is normal that nothing should appear and the cursor will not move when you are typing. This prevents someone who is able to see your computer screen from seeing what your password is or even how long it is. Just type your password and trust that the system is receiving it, press enter to submit your password.<br />
<li>Install '''sudo''' from the command line using:<br />
: ''Note: It is good practice to refresh the package lists before installing any packages. Do this with '''apt update''', and use '''sudo''' when you are not logged in as root.<br />
: <code>apt update</code><br />
: <code>apt install sudo</code></li><br />
: For security purposes it is usually the case that you do not want to log in as the root user. Instead, best practice is to log in as a standard user and then execute specific commands that require root access with administrative privileges through the '''sudo''' program. The '''sudo''' program is not installed by default so after you have logged in to the root account enter '''apt update''' and press enter which will update the list of software available for installation and then '''apt install sudo''' and press enter to install the sudo software.<br />
<li>Add sudo privileges to our standard user account.<br />
<code>adduser <username> sudo</code></li><br />
: We now need to add our standard user account to the group which is allowed to have administrative access. To do this, enter the command '''sudo adduser ''<username>'' sudo''' and press enter, replacing ''<username>'' with the name of your standard user account (set during the setup process, probably your first name in lowercase). We'll learn more about these commands later in the course.<br />
<li>Reboot system</li><br />
<code>shutdown -r now</code><br />
: Reboot your system using the '''shutdown -r now''' command to apply the changes<br />
<li>Log in as your standard user account, determine system IP address.<br />
: Once you are logged in use the following command at the command line to determine the IP address of your system<br />
<code>ip address show</code></li><br />
: Using the '''ip address show''' command will allow you to check the IP address of your system. The IP address should be something like ''172.17.50.xxx'' and be an ''inet'' address on the ''ens192'' adapter.<br />
[[File:Lab1_ip_address_show2.PNG|500px]]<br />
<li>Test sudo privileges</li><br />
: Try running the same command as the administrator by typing '''sudo ip address show''', you will need to enter in your password again when you run this command.<br />
<code>sudo ip address show</code><br />
<li>Exit from the local console</li><br />
: To log out of the console type '''exit''' and press enter.<br />
</ol><br />
<br />
==Logging in to a Remote Terminal==<br />
'''''[https://www.youtube.com/watch?v=JEiDkrlPMNw&feature=youtu.be Video Tutorial - Logging into a remote terminal]'''''<br />
<br />
A faster way to interact with your system is not through the Netlab local console but through a remote SSH session over the network directly to your server. Once you have mastered this you will be able to copy and paste text to your Linux server and will not need to make a reservation in Netlab to work on labs. For our purposes you will always need to connect to the ITCnet VPN before doing this so that you have access to the 172.17.50.0 network.<br />
<ol><br />
<li>Install Putty</li><br />
: Assuming you are running Windows, install the PuTTY software on your home PC from [http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html this website].<br />
: '' Note: For other operating systems there are other ways and software you can use to make an SSH connection, you will need to research what tools are used for making SSH connections from your particular operating system.<br />
<li>Open an SSH session</li><br />
:* Run the PuTTY software on your computer and enter in the IP address of your VM in the "Host Name" box and click the "Open" button.<br />
:[[File:Lab1_putty.png|link=https://wiki.ihitc.net/mediawiki/images/f/f5/Lab1_putty.png|500px]]<br />
:[[Media:Lab1_putty.png| Click here for larger image]]<br />
:* Click Yes to save the host key on your system<br />
: [[File:Lab1_puttycert.png|link=https://wiki.ihitc.net/mediawiki/images/4/4b/Lab1_puttycert.png|500px]]<br />
: [[Media:Lab1_puttycert.png|Click here for larger image]]<br />
:* Enter the standard username and password for your Linux system to connect.<br />
: '' Note: You should receive a prompt just like the one you had on the Netlab local console but it is now a direct connection from your computer over the ITCnet to your server.<br />
<li>Close the SSH session</li><br />
: Type '''exit''' to close the connection while leaving your VM running.<br />
</ol><br />
<br />
==Remote File Transfer==<br />
'''''[https://www.youtube.com/watch?v=JEiDkrlPMNw&feature=youtu.be Video Tutorial - Remote File Transfer]'''''<br />
<br />
The easiest way to transfer files to and from your VM is with SFTP software. For our purposes, you will always need to connect to the ITCnet VPN before doing this so that you have access to the 172.17.50.0 network.<br />
<ol><br />
<li>Install FileZilla</li><br />
: Install the FileZilla client software on your home PC from [https://filezilla-project.org/download.php?type=client this website]<br />
<li>Open a SFTP session to your server</li><br />
: Run FileZilla and use the Quick Connect bar at the top of the screen to access your system. <br />
:* Enter the IP address of your Linux system in the "Host:" box<br />
:* Enter your standard username and password in the appropriate boxes<br />
:* Enter ''22'' in the "Port:" box<br />
:* Click the "Quickconnect" button.<br />
: [[File:Lab1_filezillanew.png|link=https://wiki.ihitc.net/mediawiki/images/b/b1/Lab1_filezillanew.png|500px]]<br />
: [[Media:Lab1_filezillanew.png|Click here for larger image]]<br />
: You should see some connection text scroll on the top of the screen and some files on the right side of the screen now, such as ''.bashrc'' and ''.profile''. The right side of the screen is the drive on your Linux system and the left side of the screen is the drive on your home system. Files and folders can be dragged between the two sides to transfer them back and forth.<br />
: [[File:Lab1_filezillaconnected.png|link=https://wiki.ihitc.net/mediawiki/images/c/ca/Lab1_filezillaconnected.png|500px]]<br />
: [[Media:Lab1_filezillaconnected.png|Click here for larger image]]<br />
<li>Close the FileZilla software to disconnect.</li><br />
</ol><br />
<br />
==Install VM Tools==<br />
'''''[https://www.youtube.com/watch?v=gLC1liwVJ8s&feature=youtu.be Video Tutorial - Install VM Tools]'''''<br />
: Because your Debian Linux server is running as a virtual machine on a VMware host system, we should install the VMware Tools software package in your virtual machine to achieve the best performance and driver integration.<br />
<ol><br />
<li>Open a SSH session to your server</li><br />
: Connect into your system using the remote SSH console method explained above.<br />
<li>Install '''open-vm-tools'''</li><br />
: Run the '''sudo apt install open-vm-tools''' command to install the VMware Tools. You will be prompted about several additional software packages required to be installed; type '''y''' and press enter to install the software.<br />
<code>sudo apt install open-vm-tools</code><br />
</ol><br />
<br />
==Install Python==<br />
In order to check your work in the labs of this course you will need to have an application called [https://www.python.org/ Python] installed on your Linux system.<br />
<ol><br />
<li> Download ''python3'' using '''apt'''</li><br />
* When prompted type Y to install the app and its dependencies<br />
<ul>''NOTE: This may take a while.''</ul><br />
* When prompted to specify the name of the host where the TANGO database server is running, just select ok.<br />
<ul> [[File:Python_tango.png|link=https://wiki.ihitc.net/mediawiki/images/4/4c/Python_tango.png|500px]]</ul><br />
<ul> [[Media:Python_tango.png | Click for Larger Image]]</ul><br />
<li> Run the following command to verify that python version 3.6 is installed.</li><br />
<code>python3 --version</code><br />
<ul> [[File:Python_version.png|link=https://wiki.ihitc.net/mediawiki/images/7/70/Python_version.png|500px]]</ul><br />
<ul> [[Media:Python_version.png | Click for Larger Image]]</ul><br />
</ol><br />
<br />
==Install Nmap==<br />
:Nmap is a tool we will learn more about later in the course but it will likely be used to check many of the labs for completion while working through the course. This course's labwork often builds upon the work you have done in previous labs. The self-check scripts are to assist you in ensuring you have not missed any ''critical'' steps in your work that would affect your success in subsequent labs.<br />
<br />
:* ''NOTE: Before we begin the installation of this tool it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning, or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning systems which they were not authorized to scan. You have been warned!<br />
:*At this time all you will be doing is installing the tool as it will be used to self-check your lab work to verify you are ready to move on to the next lab.<br />
<ol><br />
<li>Open a SSH session to your server</li><br />
: Run the following command at the command line to install the nmap tool.<br />
<code>sudo apt install nmap</code><br />
: You will be prompted about additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
</ol><br />
<br />
==Install Curl==<br />
:Curl is a command-line tool for downloading data from a URL, which lets you run scripts that are not saved to your virtual machine. It will be used to check the labs for completion while working through the course. <br />
<ol><br />
<li> Run the following command at the command line. </li><br />
<code>sudo apt install curl</code><br />
: If prompted to install additional packages type "y"<br />
<br />
<li>Close the SSH session</li><br />
: Type '''exit''' to close the connection while leaving your VM running.<br />
</ol><br />
<br />
==Safely Shutdown==<br />
'''''[https://www.youtube.com/watch?v=gLC1liwVJ8s&feature=youtu.be Video Tutorial - Safely Shutdown]'''''<br />
:We will normally leave our VM running but it is important that you know how to shutdown a Linux system correctly so this time we'll turn it off.<br />
<ol><br />
<li>Open a SSH session to your server</li><br />
: Connect to your system using the remote SSH console method explained above.<br />
<li> Safely shut down your server</li><br />
:* Run the '''sudo shutdown -h now''' command at the command line to safely shut down the system.<br />
<code>sudo shutdown -h now</code><br />
: You should soon get a message that PuTTY has lost its connection. Click OK and then you can close the PuTTY window.<br />
<li>End NetLab Reservation</li><br />
: If you still have time left in your reservation in Netlab it's polite to end the reservation so other users can work on the system, since only a limited number of reservations can be made at one time. You can do this by logging into Netlab, opening your lab, clicking the "Reservation" menu at the top of the screen, choosing "End Reservation Now", and then confirming that you want to end the reservation.<br />
</ol><br />
<br />
=Checking your Work=<br />
<ol><br />
<li> Testing your work goes here</li><br />
<code> Commands to use</code><br />
<ul> Description of what you should see</ul><br />
</ol><br />
<br />
Automatically check your results by running this command:<br />
<code><nowiki><br />
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_01_revised.py | python3<br />
</nowiki></code></div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_10_mnjk&diff=9548Lab 10 mnjk2021-03-02T01:37:58Z<p>NateHaleen: /* Checking your Work */</p>
<hr />
<div>=Introduction=<br />
'''''[https://www.youtube.com/watch?v=dQw4w9WgXcQ Watch the video introduction]'''''<br />
<br />
This lab assumes you have successfully set up [[Lab_8_mnjk#Install_BIND_.26_Enable_Caching | DNS]] and [[Lab_9_mnjk#Install_the_Postfix_MTA |email]]. If you had any issues with those labs, you should resolve them before attempting this lab, since you will be unable to properly test the tasks in this lab if those are not fully functional.<br />
<br />
In this lab you will perform the following tasks:<br />
*Configuring a [https://firewalld.org/ Firewall]<br />
*Enabling a 2nd interface<br />
*Configuring [https://en.wikipedia.org/wiki/Network_address_translation NAT]<br />
*Setting up [https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol DHCP]<br />
*Installing [https://linuxmint.com/ Linux Mint] on a second VM<br />
*Enabling [https://en.wikipedia.org/wiki/Port_forwarding Port Forwarding]<br />
<br />
You will be introduced to the following commands:<br />
*'''[https://firewalld.org/documentation/man-pages/firewall-cmd.html firewall-cmd]'''<br />
*'''[https://linux.die.net/man/1/echo echo]'''<br />
*'''[https://linux.die.net/man/8/ifconfig ifconfig]'''<br />
<br />
=Lab Procedure=<br />
== Prerequisites ==<br />
# Open an SSH console to your Linux system using the PuTTY software.<br />
# Login with your standard user account.<br />
# Have a browser window set to the Webmin interface for your Linux VM.<br />
<br />
== Configure a Firewall ==<br />
''NOTE: It is suggested that instead of managing a firewall directly using nftables tools (which would also require us to create a script to reload our rules each time the system is restarted) we use a firewall daemon program to manage it based on a set of rules we create and automatically setup the firewall based on those rules each time the system boots. There are many command line firewall management programs out there but for this lab we will use the [https://firewalld.org/ firewalld] package suggested by Debian. ''<br />
<ol><br />
<li>Begin by installing the ''firewalld'' package on your system.</li><br />
<li>First, let's check to see if the firewall is now up and running using the following command:</li><br />
<code>firewall-cmd --state</code><br />
: The firewall has been pre-configured with a couple of rules in it to prevent us from getting locked out. <br />
: [[File:Lab10_firewalld_state.png | link=https://wiki.ihitc.net/mediawiki/images/1/11/Lab10_firewalld_state.png|500px]]<br />
: [[Media:Lab10_firewalld_state.png | Click for larger image]]<br />
<li>Let's see what those rules are by using this command: </li><br />
<code>firewall-cmd --list-all</code><br />
: [[File:Lab10_firewalld_initial_rules.png | link=https://wiki.ihitc.net/mediawiki/images/1/14/Lab10_firewalld_initial_rules.png|500px]]<br />
: [[Media:Lab10_firewalld_initial_rules.png | Click for larger image]]<br />
: By default all interfaces are in the public zone (this is set in the ''/etc/firewalld/firewalld.conf'' file). <br />
: Before we start working on rules for our firewall we should assign our outside interface to the external zone which is designed for NAT routing which we'll be setting up shortly. <br />
<li> We can do this with the command:</li><br />
<code>firewall-cmd --zone=external --add-interface=ens192</code><br />
: We can create custom zones or use pre-defined security zones which will speed up configuring the firewall. Learn more about the [https://firewalld.org/documentation/zone/predefined-zones.html pre-defined zones in firewalld documentation].<br />
<li>Since we have changed zones on our interface, let's check and see what rules we have started with:</li><br />
<code>firewall-cmd --zone=external --list-all</code><br />
: ''NOTE: You can also use the '''firewall-cmd --list-all-zones''' command to see a list of all available zones and their rules.''<br />
: If you were watching carefully you may have noted that the dhcpv6-client service, which was allowed in the public zone, is not allowed by default in the external zone. <br />
<li>In our case we want to allow DHCPv6 to operate on our outside interface so we can re-enable it with the following command: </li><br />
<code> firewall-cmd --zone=external --add-service="dhcpv6-client"</code><br />
<li>Check to see what other services can be allowed on an interface with:</li><br />
<code>firewall-cmd --get-services</code><br />
: If you check you will see that although you can connect with ssh (by default it's on the allowed service list you saw above) you can't connect to your webserver or Webmin anymore. Webmin is not a pre-defined service in the list we saw above so we could either set it up as a new service and then allow it or we could create a manual rule to allow the TCP traffic on port 10000 needed to access Webmin. In this case because the service only uses a single port and to see how manual rules can be created let's manually create a rule to allow access to TCP port 10000. <br />
<li>Do this by running this command: </li><br />
<code>firewall-cmd --zone=external --add-port=10000/tcp </code><br />
:You should now be able to access Webmin again.<br />
<li> Using either service rules or manual port rules create additional rules so that the other services on your VM are again accessible from the outside (such as from your home PC over the VPN). </li><br />
:''HINT: Services we have setup so far include SSH, DNS, SMTP, IMAP, Samba, and HTTP.''<br />
: Make sure to test and ensure they are all working again!<br />
<li> Once you are satisfied your firewall is running correctly you can use the following command to set these rules to automatically load each time the system is started.</li><br />
<code> firewall-cmd --runtime-to-permanent </code><br />
</ol><br />
<br />
== Setup a 2nd NIC Interface ==<br />
To start this lab we will need to configure a second network interface, named ens224, on our virtual machines. In our simulated setup our existing ens192 interface will be our WAN interface and ens224 will be our LAN interface, which could be connected to a switch and then to multiple other computers, allowing them to connect to the Internet through our server.<br />
<ol><br />
<li> Open ''/etc/network/interfaces'' with your favorite text editor. </li><br />
* Go to the bottom of the file.<br />
: [[File:Lab10_network_interfaces_before.png | link=https://wiki.ihitc.net/mediawiki/images/f/f8/Lab10_network_interfaces_before.png|500px]]<br />
: [[Media:Lab10_network_interfaces_before.png | Click for larger image]]<br />
* Add the following to configure the second interface with a static IP of 192.168.1.1/24:<br />
<pre>auto ens224<br />
iface ens224 inet static<br />
address 192.168.1.1<br />
netmask 255.255.255.0</pre><br />
<br />
: [[File:Lab10_network_interfaces_after.png | link=https://wiki.ihitc.net/mediawiki/images/8/80/Lab10_network_interfaces_after.png|500px]]<br />
: [[Media:Lab10_network_interfaces_after.png | Click for larger image]]<br />
: ''NOTE: As this is a LAN only interface, we do not need to define a gateway for the server VM, as the server VM itself will be the gateway for this network.''<br />
<li>Once this is done, save the file.</li><br />
<li> Run the following command to enable the new interface.</li><br />
<code>ifup ens224</code><br />
<li>Verify the second interface is up and running with the correct IP address</li><br />
</ol><br />
<br />
== Enable Routing ==<br />
Now we will need to enable NAT so we can route LAN traffic to the Internet and responding Internet traffic back to our LAN interface.<br />
<ol><br />
<li>In your console, you will need to edit ''/etc/sysctl.conf''. This file is used to change and tweak multiple system variables. </li><br />
* Scroll down until you find the following:<br />
<pre># Uncomment the next line to enable packet forwarding for IPv4<br />
#net.ipv4.ip_forward=1<br />
</pre><br />
* Follow the instructions in the file to enable packet forwarding in the kernel. <br />
: [[File:Lab10_sysctl_after.png | link=https://wiki.ihitc.net/mediawiki/images/1/1e/Lab10_sysctl_after.png|500px]]<br />
: [[Media:Lab10_sysctl_after.png | Click for larger image]]<br />
* When you are done, save the file.<br />
: Changes to the ''sysctl.conf'' file require a reboot, but most can be set without a reboot by echoing response codes to "files" in ''/proc''. <br />
<li> We will get into that more in a later chapter, but for now run the following command to enable ip_forwarding without rebooting the machine: </li><br />
<code>echo 1 > /proc/sys/net/ipv4/ip_forward</code><br />
: ''NOTE: If you are receiving an error when trying to run that command it's likely that the user you are running it as does not have permission to modify the '''/proc/sys/net/ipv4/ip_forward''' file (check the permissions by using '''ls'''). Read [http://stackoverflow.com/questions/82256/how-do-i-use-sudo-to-redirect-output-to-a-location-i-dont-have-permission-to-wr this similar question] for more details and possible solutions.''<br />
</ol><br />
<br />
== Setup a DHCP Server ==<br />
To setup a DHCP server, we will first need to install the required software. <br />
<ol><br />
<li>In your SSH console use your favorite package manager to install the ''isc-dhcp-server'' package.</li><br />
: After you install the package you may get a warning about ''isc-dhcp-server'' being unable to start. This is normal as we have yet to define the interface and settings we want used.<br />
<li>Now back in Webmin, select the Refresh Modules option.</li><br />
* After it is done, go to Servers, then DHCP Server<br />
: Before we define our DHCP range, we need to set our listening interface. <br />
* Click on the ''Edit Network Interface'' option. <br />
*Select ''ens224''. <br />
* Press save.<br />
<li>Now under Subnets and Shared Networks, select Add a new subnet. </li><br />
* Use the following settings:<br />
<pre>Subnet description: LAN DHCP Range<br />
Network Address: 192.168.1.0<br />
Netmask: 255.255.255.0<br />
Address Ranges: 192.168.1.100-192.168.1.254</pre><br />
: [[File:Lab10_webmin_dhcp_create_subnet.png | link=https://wiki.ihitc.net/mediawiki/images/4/4e/Lab10_webmin_dhcp_create_subnet.png|500px]]<br />
: [[Media:Lab10_webmin_dhcp_create_subnet.png | Click for larger image]]<br />
* When you are done, press Create. <br />
* Now, click on the network you just created to review the settings, then press Edit Client Options at the bottom.<br />
: From here we will setup the default gateway and DNS servers for the clients to use. <br />
<li> Under Default Routers, set the option to 192.168.1.1.</li><br />
* Under DNS servers, set it to 192.168.1.1. <br />
: [[File:Lab10_webmin_dhcp_client_options.png | link=https://wiki.ihitc.net/mediawiki/images/d/d7/Lab10_webmin_dhcp_client_options.png|500px]]<br />
: [[Media:Lab10_webmin_dhcp_client_options.png | Click for larger image]]<br />
: Notice how we are setting these options to the IP of ens224 that we setup. This is because our Linux VM will act as the router and DNS for our clients as well.<br />
* When you are done, press save<br />
* Then on the Edit Subnet page, press save again.<br />
<li>Now that you are back on the DHCP server page, press the Start Server button.</li><br />
: If all goes well, the button should change to "Stop Server". If this does not happen, then the server was unable to start. If that happens, re-check your DHCP server configurations to make sure everything is correct.<br />
</ol><br />
<br />
== Enabling NAT and Firewall Rules for the LAN ==<br />
Now we will use firewalld to setup NAT so that we can use private addresses on our internal LAN but still have access to the public Internet. <br />
<ol><br />
<li>First, let's set our ens224 interface (LAN) to be in the internal zone with the following command.</li><br />
<code>firewall-cmd --zone=internal --add-interface=ens224</code><br />
<li>You should now take a minute to allow all of the same services and ports on the internal network that you have allowed on the external network. </li><br />
:In other words, make sure that Webmin, Samba, DNS, etc. are also allowed on the internal zone.<br />
:In order to activate NAT you need to turn on the "masquerade" feature on your outside interface. This is probably already done if you correctly assigned your outside interface to the pre-defined external zone (it's one of the features of that zone). <br />
: ''HINT: you can do this manually as well in case you setup a custom zone by running the '''firewall-cmd --add-masquerade --zone=external''' command.''<br />
: While routing and NAT should be working for hosts on your LAN interface now they probably still can't get an IP address! Just like all the other services being blocked by the firewall DHCP is also blocked unless you specifically allow it. <br />
<li>To do this run the following command:</li><br />
<code>firewall-cmd --add-service=dhcp --zone=internal</code><br />
<li>Once you are satisfied your firewall is running correctly you can use this command to set these rules to automatically load each time the system is started.</li><br />
<code>firewall-cmd --runtime-to-permanent</code></ol><br />
<br />
== Setup a 2nd VM as a LAN Host ==<br />
Now we are going to setup a 2nd VM on the VMware server so we can have a client to connect to the LAN network segment we just created. For this though, we will be using Linux Mint instead of Debian so we have a graphical user interface to help us with testing.<br />
<ol><br />
<li> You'll need to make a Netlab reservation to work with your Mint system's GUI so go ahead and do that. </li><br />
* Enter the lab on Netlab<br />
* Click the "Linux Desktop" tab to access your Mint machine.<br />
: The VM should be booting from a Linux Mint virtual CD image. <br />
<li> Get Linux Mint installed using the link on the desktop.</li><br />
: Installation settings are not critical as we'll be using the system primarily to explore a Linux GUI and to test web browsing capability from our private network.<br />
: [[File:Lab10_linux_mint_desktop.png | link=https://wiki.ihitc.net/mediawiki/images/f/f1/Lab10_linux_mint_desktop.png|500px]]<br />
: [[Media:Lab10_linux_mint_desktop.png | Click for larger image]]<br />
: ''NOTE: By default Linux Mint will boot into a "Live CD" environment where you can use the system without installing. However, the Live CD environment is much slower and memory limited compared with a full installation to the hard drive so be sure to start an installation and reboot into the installed copy instead of from the Live CD. You will know you're working from an installed copy if you are prompted for your username and password when logging in and don't see a link on the desktop to Install Linux Mint anymore.''<br />
<li> Once you have Linux Mint installed, reboot the machine and login. </li><br />
: Hopefully the machine is able to connect to the Internet through your Debian server which is acting as a DHCP server and router (see the topology diagram tab in Netlab to see a diagram of how they are connected).<br />
<li> Press the Menu icon in the lower left corner, and enter "Terminal". </li><br />
* Then, open the terminal application.<br />
<li> You now have a shell on the system. From here, use the following command to check your network settings. </li><br />
<code>ip address show</code><br />
: Notice how you have an IP from the DHCP pool we created earlier. <br />
<li> Now try pinging ''172.17.50.1''. </li><br />
: Are you able to ping? If so, NAT is working properly on your network because the 172.17.50.0/24 network is outside of the LAN segment this machine is attached to (192.168.1.0/24).<br />
: ''NOTE: Notice how some Linux distributions like Mint haven't switched from the old naming of network interfaces with ''eth'' to the new ''ens'' style. You can also try using the older '''ifconfig''' way of checking the IP address and compare the output to the new '''ip address show''' method which we have been using so far in Debian.''<br />
<li> Now run '''ping google.com'''. </li><br />
: If you are able to ping, this shows that not only is NAT working, but DNS resolving as well.<br />
<li> Open a web browser on the system (you can use a graphical browser this time since you have a GUI) and test browsing to a few websites.</li><br />
: At this point we have a fully functional LAN environment.<br />
<li> In order to allow automatic safe shutdown of your Linux Mint system and improve speed/efficiency use the package manager to install the ''open-vm-tools-desktop'' package. </li><br />
:This provides better drivers and integration between the VMware host which is running your Linux Mint virtual machine and the virtual machine itself.<br />
<li> Finally, in the next section we'll be setting up SSH access to Mint through the Firewall so you'll want to install the ''openssh-server'' package through the package manager. </li><br />
: Once you've done this you should be able to use the ssh program on the command line in Debian to access your Mint system like '''ssh mintusername@192.168.1.x''' where you are using a valid username on the Mint system and the IP address of the Mint system.<br />
<li> Spend a few more minutes exploring the functionality of the Linux GUI and desktop.</li></ol><br />
<br />
== Port Forwarding and Firewalling ==<br />
Now we are going to enable port forwarding to our VM. This will allow you to access the 2nd VM from the ITC network and VPN.<br />
Because we are already using port 22 on our outside interface to provide SSH access to our main Debian system we need to use a different port to access the Mint system. Instead of changing the port number in the SSH server software on Mint we can have our firewall do it at the same time the NAT masquerading is occurring. <br />
<ol><br />
<li>Set up a rule by running the following command:</li><br />
<code>firewall-cmd --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=192.168.1.100 --zone=external</code><br />
:NOTE: this rule is a little unstable because it forwards the port to 192.168.1.100 which is currently the IP of our Mint system (if yours has a different IP you should change it in the command) but because that system gets an IP from DHCP it is subject to change which would break the rule. Therefore, if we wanted this to be stable in the long term, we would want to set up a static IP on any machines we were forwarding ports to.<br />
:''HINT: If your connection is refused, it may be because SSH is not installed in Mint. Try installing SSH using the package manager or apt.''<br />
<li> From a computer on the ITC network, such as one connected to the VPN, try to SSH to port 2222 on the outside (172.17.50.xx) IP address of your Debian system. </li><br />
:If everything was set up successfully, you should be able to sign into the Mint VM based on the port forwarding rule we have put in place.<br />
<li> Once you are satisfied your firewall is running correctly you can use the following command to set these rules to automatically load each time the system is started.</li><br />
<code>firewall-cmd --runtime-to-permanent</code><br><br />
</ol><br />
When you are done testing this section of the lab please power off your new Linux Mint VM as these require far more resources to run than the Debian VMs on our servers.<br><br />
: [[File:Lab10_linux_mint_shutdown.png | link=https://wiki.ihitc.net/mediawiki/images/1/1c/Lab10_linux_mint_shutdown.png|500px]]<br />
: [[Media:Lab10_linux_mint_shutdown.png | Click for larger image]]<br />
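The zone rules built up in this lab (allowed services, the Webmin port, masquerading and the SSH port forward) can be audited from the text of '''firewall-cmd --list-all''', and the runtime rules can be compared with the permanent ones to catch a forgotten '''--runtime-to-permanent'''. The script below is an added example, not part of the original lab or of firewalld; its function names and both sample listings are constructed, and it assumes the services were allowed by their predefined service names and that the Mint VM is at 192.168.1.100.

```shell
#!/bin/sh
# Added example: audit a firewalld zone listing against this lab's rules.
# Live use (as root):
#   audit_zone "$(firewall-cmd --zone=external --list-all)"
#   drift "$(firewall-cmd --zone=external --list-all)" \
#         "$(firewall-cmd --permanent --zone=external --list-all)"

# zone_field NAME: read a listing on stdin, print the value of "  NAME: ...".
# forward-ports and rich rules are printed on indented continuation lines
# below the field name, so those lines are folded into the value.
zone_field() {
    awk -v key="$1" '
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line ~ /^[a-z][a-z -]*:( |$)/) {        # a "name: value" line
            grab = (!found && index(line, key ":") == 1)
            if (grab) { val = substr(line, length(key) + 2); found = 1 }
        } else if (grab) {
            val = val " " line                      # continuation line
        }
    }
    END { gsub(/^[ \t]+|[ \t]+$/, "", val); print val }'
}

# missing_from LISTING FIELD ITEM...: print required items absent from FIELD.
missing_from() (
    have=" $(printf '%s\n' "$1" | zone_field "$2") "
    shift 2
    out=""
    for item in "$@"; do
        case "$have" in
            *" $item "*) ;;
            *) out="${out:+$out }$item" ;;
        esac
    done
    printf '%s\n' "$out"
)

# audit_zone LISTING [MINT_IP]: one line per problem, exit status 1 if any.
audit_zone() (
    listing=$1 mint_ip=${2:-192.168.1.100} status=0
    miss=$(missing_from "$listing" services ssh dns smtp imap samba http dhcpv6-client)
    [ -z "$miss" ] || { echo "services not allowed: $miss"; status=1; }
    miss=$(missing_from "$listing" ports 10000/tcp)
    [ -z "$miss" ] || { echo "ports not allowed: $miss"; status=1; }
    [ "$(printf '%s\n' "$listing" | zone_field masquerade)" = yes ] ||
        { echo "masquerade is off (no NAT for the LAN)"; status=1; }
    miss=$(missing_from "$listing" forward-ports \
        "port=2222:proto=tcp:toport=22:toaddr=$mint_ip")
    [ -z "$miss" ] || { echo "forward-port missing: $miss"; status=1; }
    exit "$status"
)

# drift RUNTIME PERMANENT: print the fields whose values differ, i.e. the
# rules that would be lost on the next reload or reboot.
sorted_field() { zone_field "$1" | tr -s ' ' '\n' | sort | tr '\n' ' '; }
drift() (
    for f in interfaces services ports masquerade forward-ports; do
        r=$(printf '%s\n' "$1" | sorted_field "$f")
        p=$(printf '%s\n' "$2" | sorted_field "$f")
        [ "$r" = "$p" ] || printf '%s\n' "$f"
    done
)

# Constructed sample listings (not captured from a real system).
sample_runtime() {
    printf '%s\n' 'external (active)' '  target: default' \
        '  interfaces: ens192' '  sources: ' \
        '  services: dhcpv6-client dns http samba smtp ssh' \
        '  ports: 10000/tcp' '  masquerade: yes' '  forward-ports: '
    printf '\tport=2222:proto=tcp:toport=22:toaddr=192.168.1.100\n'
    printf '%s\n' '  source-ports: ' '  icmp-blocks: ' '  rich rules: '
}
sample_permanent() {
    printf '%s\n' 'external' '  target: default' '  interfaces: ' \
        '  sources: ' '  services: ssh' '  ports: ' '  masquerade: yes' \
        '  forward-ports: ' '  source-ports: ' '  icmp-blocks: ' '  rich rules: '
}

echo "== audit of the constructed runtime listing =="
audit_zone "$(sample_runtime)" || true
echo "== fields that differ between runtime and permanent =="
drift "$(sample_runtime)" "$(sample_permanent)"
```
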
<br />
=Checking your Work=<br />
For this lab there are many things you need to check.<br />
<br />
#Firewall - attempt to connect using FTP on port 21, this should fail<br />
#SSH - connect using FTP on port 22<br />
#DNS - navigate to URL of server<br />
#SMTP - send a mail to auto-respond server<br />
#IMAP - receive a mail from auto-respond server<br />
#Samba - Create a file on server using file sharing<br />
#HTTP - Navigate to IP address of server<br />
#Webmin - Navigate to <your-ip>:10000<br />
#PuTTY into Linux Mint using your IP address and port 2222<br />
#Linux Mint DNS/NAT - ping google.com from within Linux Mint<br><br><br />
<br><br />
Run this script to automatically check your lab<br><br />
<br />
<code><br />
<nowiki> curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_10_test.py | sudo python3 </nowiki><br />
</code></div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_10_mnjk&diff=9532Lab 10 mnjk2021-02-27T22:40:13Z<p>NateHaleen: /* Checking your Work */</p>
<hr />
<div>=Introduction=<br />
'''''[https://www.youtube.com/watch?v=dQw4w9WgXcQ Watch the video introduction]'''''<br />
<br />
This lab assumes you have successfully set up [[Lab_8_mnjk#Install_BIND_.26_Enable_Caching | DNS]] and [[Lab_9_mnjk#Install_the_Postfix_MTA |email]]. If you had any issues with those labs, you should resolve them before attempting this lab, since you will be unable to properly test the tasks in this lab if those are not fully functional.<br />
<br />
In this lab you will perform the following tasks:<br />
*Configuring a [https://firewalld.org/ Firewall]<br />
*Enabling a 2nd interface<br />
*Configuring [https://en.wikipedia.org/wiki/Network_address_translation NAT]<br />
*Setting up [https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol DHCP]<br />
*Installing [https://linuxmint.com/ Linux Mint] on a second VM<br />
*Enabling [https://en.wikipedia.org/wiki/Port_forwarding Port Forwarding]<br />
<br />
You will be introduced to the following commands:<br />
*'''[https://firewalld.org/documentation/man-pages/firewall-cmd.html firewall-cmd]'''<br />
*'''[https://linux.die.net/man/1/echo echo]'''<br />
*'''[https://linux.die.net/man/8/ifconfig ifconfig]'''<br />
<br />
=Lab Procedure=<br />
== Prerequisites ==<br />
# Open an SSH console to your Linux system using the PuTTY software.<br />
# Login with your standard user account.<br />
# Have a browser window set to the Webmin interface for your Linux VM.<br />
<br />
== Configure a Firewall ==<br />
''NOTE: It is suggested that instead of managing a firewall directly using nftables tools (which would also require us to create a script to reload our rules each time the system is restarted) we use a firewall daemon program to manage it based on a set of rules we create and automatically setup the firewall based on those rules each time the system boots. There are many command line firewall management programs out there but for this lab we will use the [https://firewalld.org/ firewalld] package suggested by Debian. ''<br />
<ol><br />
<li>Begin by installing the ''firewalld'' package on your system.</li><br />
<li>First, let's check to see if the firewall is now up and running using the following command:</li><br />
<code>firewall-cmd --state</code><br />
: The firewall has been pre-configured with a couple of rules in it to prevent us from getting locked out. <br />
: [[File:Lab10_firewalld_state.png | link=https://wiki.ihitc.net/mediawiki/images/1/11/Lab10_firewalld_state.png|500px]]<br />
: [[Media:Lab10_firewalld_state.png | Click for larger image]]<br />
<li>Let's see what those rules are by using this command: </li><br />
<code>firewall-cmd --list-all</code><br />
: [[File:Lab10_firewalld_initial_rules.png | link=https://wiki.ihitc.net/mediawiki/images/1/14/Lab10_firewalld_initial_rules.png|500px]]<br />
: [[Media:Lab10_firewalld_initial_rules.png | Click for larger image]]<br />
: By default all interfaces are in the public zone (this is set in the ''/etc/firewalld/firewalld.conf'' file). <br />
: Before we start working on rules for our firewall we should assign our outside interface to the external zone which is designed for NAT routing which we'll be setting up shortly. <br />
<li> We can do this with the command:</li><br />
<code>firewall-cmd --zone=external --add-interface=ens192</code><br />
: We can create custom zones or use pre-defined security zones which will speed up configuring the firewall. Learn more about the [https://firewalld.org/documentation/zone/predefined-zones.html pre-defined zones in firewalld documentation].<br />
<li>Since we have changed zones on our interface, let's check and see what rules we have started with:</li><br />
<code>firewall-cmd --zone=external --list-all</code><br />
: ''NOTE: You can also use the '''firewall-cmd --list-all-zones''' command to see a list of all available zones and their rules.''<br />
: If you were watching carefully you may have noted that the dhcpv6-client service, which was allowed in the public zone, is not allowed by default in the external zone. <br />
<li>In our case we want to allow DHCPv6 to operate on our outside interface so we can re-enable it with the following command: </li><br />
<code> firewall-cmd --zone=external --add-service="dhcpv6-client"</code><br />
<li>Check to see what other services can be allowed on an interface with:</li><br />
<code>firewall-cmd --get-services</code><br />
: If you check you will see that although you can connect with ssh (by default it's on the allowed service list you saw above) you can't connect to your webserver or Webmin anymore. Webmin is not a pre-defined service in the list we saw above so we could either set it up as a new service and then allow it or we could create a manual rule to allow the TCP traffic on port 10000 needed to access Webmin. In this case because the service only uses a single port and to see how manual rules can be created let's manually create a rule to allow access to TCP port 10000. <br />
<li>Do this by running this command: </li><br />
<code>firewall-cmd --zone=external --add-port=10000/tcp </code><br />
:You should now be able to access Webmin again.<br />
<li> Using either service rules or manual port rules create additional rules so that the other services on your VM are again accessible from the outside (such as from your home PC over the VPN). </li><br />
:''HINT: Services we have setup so far include SSH, DNS, SMTP, IMAP, Samba, and HTTP.''<br />
: Make sure to test and ensure they are all working again!<br />
<li> Once you are satisfied your firewall is running correctly you can use the following command to set these rules to automatically load each time the system is started.</li><br />
<code> firewall-cmd --runtime-to-permanent </code><br />
</ol><br />
<br />
== Setup a 2nd NIC Interface ==<br />
To start this lab we will need to configure a second network interface, named ens224, on our virtual machines. In our simulated setup our existing ens192 interface will be our WAN interface and ens224 will be our LAN interface, which could be connected to a switch and then to multiple other computers, allowing them to connect to the Internet through our server.<br />
<ol><br />
<li> Open ''/etc/network/interfaces'' with your favorite text editor. </li><br />
* Go to the bottom of the file.<br />
: [[File:Lab10_network_interfaces_before.png | link=https://wiki.ihitc.net/mediawiki/images/f/f8/Lab10_network_interfaces_before.png|500px]]<br />
: [[Media:Lab10_network_interfaces_before.png | Click for larger image]]<br />
* Add the following to configure the second interface with a static IP of 192.168.1.1/24:<br />
<pre>auto ens224<br />
iface ens224 inet static<br />
address 192.168.1.1<br />
netmask 255.255.255.0</pre><br />
<br />
: [[File:Lab10_network_interfaces_after.png | link=https://wiki.ihitc.net/mediawiki/images/8/80/Lab10_network_interfaces_after.png|500px]]<br />
: [[Media:Lab10_network_interfaces_after.png | Click for larger image]]<br />
: ''NOTE: As this is a LAN only interface, we do not need to define a gateway for the server VM, as the server VM itself will be the gateway for this network.''<br />
<li>Once this is done, save the file.</li><br />
<li> Run the following command to enable the new interface.</li><br />
<code>ifup ens224</code><br />
<li>Verify the second interface is up and running with the correct IP address</li><br />
</ol><br />
<br />
== Enable Routing ==<br />
Now we will need to enable NAT so we can route LAN traffic to the Internet and responding Internet traffic back to our LAN interface.<br />
<ol><br />
<li>In your console, you will need to edit ''/etc/sysctl.conf''. This file is used to change and tweak multiple system variables. </li><br />
* Scroll down until you find the following:<br />
<pre># Uncomment the next line to enable packet forwarding for IPv4<br />
#net.ipv4.ip_forward=1<br />
</pre><br />
* Follow the instructions in the file to enable packet forwarding in the kernel. <br />
: [[File:Lab10_sysctl_after.png | link=https://wiki.ihitc.net/mediawiki/images/1/1e/Lab10_sysctl_after.png|500px]]<br />
: [[Media:Lab10_sysctl_after.png | Click for larger image]]<br />
* When you are done, save the file.<br />
: Changes to the ''sysctl.conf'' file require a reboot, but most can be set without a reboot by echoing response codes to "files" in ''/proc''. <br />
<li> We will get into that more in a later chapter, but for now run the following command to enable ip_forwarding without rebooting the machine: </li><br />
<code>echo 1 > /proc/sys/net/ipv4/ip_forward</code><br />
: ''NOTE: If you are receiving an error when trying to run that command it's likely that the user you are running it as does not have permission to modify the '''/proc/sys/net/ipv4/ip_forward''' file (check the permissions by using '''ls'''). Read [http://stackoverflow.com/questions/82256/how-do-i-use-sudo-to-redirect-output-to-a-location-i-dont-have-permission-to-wr this similar question] for more details and possible solutions.''<br />
</ol><br />
<br />
== Setup a DHCP Server ==<br />
To setup a DHCP server, we will first need to install the required software. <br />
<ol><br />
<li>In your SSH console use your favorite package manager to install the ''isc-dhcp-server'' package.</li><br />
: After you install the package you may get a warning about ''isc-dhcp-server'' being unable to start. This is normal as we have yet to define the interface and settings we want used.<br />
<li>Now back in Webmin, select the Refresh Modules option.</li><br />
* After it is done, go to Servers, then DHCP Server<br />
: Before we define our DHCP range, we need to set our listening interface. <br />
* Click on the ''Edit Network Interface'' option. <br />
*Select ''ens224''. <br />
* Press save.<br />
<li>Now under Subnets and Shared Networks, select Add a new subnet. </li><br />
* Use the following settings:<br />
<pre>Subnet description: LAN DHCP Range<br />
Network Address: 192.168.1.0<br />
Netmask: 255.255.255.0<br />
Address Ranges: 192.168.1.100-192.168.1.254</pre><br />
: [[File:Lab10_webmin_dhcp_create_subnet.png | link=https://wiki.ihitc.net/mediawiki/images/4/4e/Lab10_webmin_dhcp_create_subnet.png|500px]]<br />
: [[Media:Lab10_webmin_dhcp_create_subnet.png | Click for larger image]]<br />
* When you are done, press Create. <br />
* Now, click on the network you just created to review the settings, then press Edit Client Options at the bottom.<br />
: From here we will setup the default gateway and DNS servers for the clients to use. <br />
<li> Under Default Routers, set the option to 192.168.1.1.</li><br />
* Under DNS servers, set it to 192.168.1.1. <br />
: [[File:Lab10_webmin_dhcp_client_options.png | link=https://wiki.ihitc.net/mediawiki/images/d/d7/Lab10_webmin_dhcp_client_options.png|500px]]<br />
: [[Media:Lab10_webmin_dhcp_client_options.png | Click for larger image]]<br />
: Notice how we are setting these options to the IP of ens224 that we setup. This is because our Linux VM will act as the router and DNS for our clients as well.<br />
* When you are done, press save<br />
* Then on the Edit Subnet page, press save again.<br />
<li>Now that you are back on the DHCP server page, press the Start Server button.</li><br />
: If all goes well, the button should change to "Stop Server". If this does not happen, then the server was unable to start. If that happens, re-check your DHCP server configuration to make sure everything is correct.<br />
</ol><br />
<br />
== Enabling NAT and Firewall Rules for the LAN ==<br />
Now we will use firewalld to setup NAT so that we can use private addresses on our internal LAN but still have access to the public Internet. <br />
<ol><br />
<li>First, let's set our ens224 interface (LAN) to be in the internal zone with the following command.</li><br />
<code>firewall-cmd --zone=internal --add-interface=ens224</code><br />
<li>You should now take a minute to allow all of the same services and ports on the internal network that you have allowed on the external network. </li><br />
:In other words, make sure that Webmin, Samba, DNS, etc. are also allowed on the internal zone.<br />
:In order to activate NAT you need to turn on the "masquerade" feature on your outside interface. This is probably already done if you correctly assigned your outside interface to the pre-defined external zone (it's one of the features of that zone). <br />
: ''HINT: you can do this manually as well in case you setup a custom zone by running the '''firewall-cmd --add-masquerade --zone=external''' command.''<br />
: While routing and NAT should be working for hosts on your LAN interface now they probably still can't get an IP address! Just like all the other services being blocked by the firewall DHCP is also blocked unless you specifically allow it. <br />
<li>To do this run the following command:</li><br />
<code>firewall-cmd --add-service=dhcp --zone=internal</code><br />
<li>Once you are satisfied your firewall is running correctly you can use this command to set these rules to automatically load each time the system is started.</li><br />
<code>firewall-cmd --runtime-to-permanent</code></ol><br />
<br />
== Setup a 2nd VM as a LAN Host ==<br />
Now we are going to setup a 2nd VM on the VMware server so we can have a client to connect to the LAN network segment we just created. For this though, we will be using Linux Mint instead of Debian so we have a graphical user interface to help us with testing.<br />
<ol><br />
<li> You'll need to make a Netlab reservation to work with your Mint system's GUI so go ahead and do that. </li><br />
* Enter the lab on Netlab<br />
* Click the "Linux Desktop" tab to access your Mint machine.<br />
: The VM should be booting from a Linux Mint virtual CD image. <br />
<li> Get Linux Mint installed using the link on the desktop.</li><br />
: Installation settings are not critical as we'll be using the system primarily to explore a Linux GUI and to test web browsing capability from our private network.<br />
: [[File:Lab10_linux_mint_desktop.png | link=https://wiki.ihitc.net/mediawiki/images/f/f1/Lab10_linux_mint_desktop.png|500px]]<br />
: [[Media:Lab10_linux_mint_desktop.png | Click for larger image]]<br />
: ''NOTE: By default Linux Mint will boot into a "Live CD" environment where you can use the system without installing. However, the Live CD environment is much slower and memory limited compared with a full installation to the hard drive so be sure to start an installation and reboot into the installed copy instead of from the Live CD. You will know you're working from an installed copy if you are prompted for your username and password when logging in and don't see a link on the desktop to Install Linux Mint anymore.''<br />
<li> Once you have Linux Mint installed, reboot the machine and login. </li><br />
: Hopefully the machine is able to connect to the Internet through your Debian server which is acting as a DHCP server and router (see the topology diagram tab in Netlab to see a diagram of how they are connected).<br />
<li> Press the Menu icon in the lower left corner, and enter "Terminal". </li><br />
* Then, open the terminal application.<br />
<li> You now have a shell on the system. From here, use the following command to check your network settings. </li><br />
<code>ip address show</code><br />
: Notice how you have an IP from the DHCP pool we created earlier. <br />
<li> Now try pinging ''172.17.50.1''. </li><br />
: Are you able to ping? If so, NAT is working properly on your network because the 172.17.50.0/24 network is outside of the LAN segment this machine is attached to (192.168.1.0/24).<br />
: ''NOTE: Notice how some Linux distributions like Mint haven't switched from the old naming of network interfaces with ''eth'' to the new ''ens'' style. You can also try using the older '''ifconfig''' way of checking the IP address and compare the output to the new '''ip address show''' method which we have been using so far in Debian.''<br />
<li> Now run '''ping google.com'''. </li><br />
: If you are able to ping, this shows that not only is NAT working, but DNS resolving as well.<br />
<li> Open a web browser on the system (you can use a graphical browser this time since you have a GUI) and test browsing to a few websites.</li><br />
: At this point we have a fully functional LAN environment.<br />
<li> In order to allow automatic safe shutdown of your Linux Mint system and improve speed/efficiency use the package manager to install the ''open-vm-tools-desktop'' package. </li><br />
:This provides better drivers and integration between the VMware host which is running your Linux Mint virtual machine and the virtual machine itself.<br />
<li> Finally, in the next section we'll be setting up SSH access to Mint through the firewall, so you'll want to install the ''openssh-server'' package through the package manager. </li><br />
: Once you've done this you should be able to use the ssh program on the command line in Debian to access your Mint system like '''ssh mintusername@192.168.1.x''' where you are using a valid username on the Mint system and the IP address of the Mint system.<br />
<li> Spend a few more minutes exploring the functionality of the Linux GUI and desktop.</li></ol><br />
<br />
== Port Forwarding and Firewalling ==<br />
Now we are going to enable port forwarding to our VM. This will allow you to access the 2nd VM from the ITC network and VPN.<br />
Because we are already using port 22 on our outside interface to provide SSH access to our main Debian system we need to use a different port to access the Mint system. Instead of changing the port number in the SSH server software on Mint we can have our firewall do it at the same time the NAT masquerading is occurring. <br />
<ol><br />
<li>Set up a rule by running the following command:</li><br />
<code>firewall-cmd --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=192.168.1.100 --zone=external</code><br />
:NOTE: this rule is a little unstable because it forwards the port to 192.168.1.100 which is currently the IP of our Mint system (if yours has a different IP you should change it in the command) but because that system gets an IP from DHCP it is subject to change which would break the rule. Therefore, if we wanted this to be stable in the long term, we would want to set up a static IP on any machines we were forwarding ports to.<br />
:''HINT: If your connection is refused, it may be because SSH is not installed in Mint. Try installing SSH using the package manager or apt.''<br />
<li> From a computer on the ITC network, such as one connected to the VPN, try to SSH to port 2222 on the outside (172.17.50.xx) IP address of your Debian system. </li><br />
:If everything was set up successfully, you should be able to sign into the Mint VM based on the port forwarding rule we have put in place.<br />
<li> Once you are satisfied your firewall is running correctly you can use the following command to set these rules to automatically load each time the system is started.</li><br />
<code>firewall-cmd --runtime-to-permanent</code><br><br />
</ol><br />
When you are done testing this section of the lab please power off your new Linux Mint VM as these require far more resources to run than the Debian VMs on our servers.<br><br />
: [[File:Lab10_linux_mint_shutdown.png | link=https://wiki.ihitc.net/mediawiki/images/1/1c/Lab10_linux_mint_shutdown.png|500px]]<br />
: [[Media:Lab10_linux_mint_shutdown.png | Click for larger image]]<br />
<br />
=Checking your Work=<br />
For this lab there are many things you need to check.<br />
<br />
#Firewall - attempt to connect using FTP on port 21, this should fail<br />
#SSH - connect using FTP on port 22<br />
#DNS - navigate to url of server<br />
#SMTP - send a mail to auto-respond server<br />
#IMAP - receive a mail from auto-respond server<br />
#Samba - Create a file on server using file sharing<br />
#HTTP - Navigate to ip address of server<br />
#Webmin - Navigate to <your-ip>:10000<br />
#PuTTY into Linux Mint using your IP address and port 2222<br />
#Linux Mint DNS/NAT - ping google.com from within Linux Mint<br><br><br />
<br><br />
Run this script to automatically check your lab<br><br />
<code> curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_10_test.py | sudo python3 </code></div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_7_mnjk&diff=9531Lab 7 mnjk2021-02-27T20:16:23Z<p>NateHaleen: /* Setup a Guest Share */</p>
<hr />
<div>=Introduction=<br />
'''''[https://www.youtube.com/watch?v=dQw4w9WgXcQ Watch the video introduction]'''''<br />
<br />
This lab assumes you know how to install a package from the Debian repository and you have Webmin installed. If you need help please see '''[[Lab_1_mnjk#Installing_sudo_and_checking_your_IP_address | Lab 1]]''' and '''[[Lab_3_mnjk#Install_the_Webmin_Control_Panel | Lab 3]]'''.<br />
<br />
In this lab you will perform the following tasks:<br />
* Install [https://www.samba.org/samba/ Samba]<br />
* Setup a Guest Share<br />
* Share Home Directories<br />
* Setup a group share<br />
<br />
You will not be introduced to new commands.<br />
<br />
= Lab Procedure =<br />
== Prerequisites ==<br />
<ol><br />
<li> Open an SSH console to your Linux system using the PuTTY software, login with your standard user account. </li><br />
<li> Make sure that Webmin is installed on your system. </li><br />
<li> Make sure you have an up-to-date list of packages on your system using the '''apt update''' command. </li><br />
<li> Make sure you have all the latest software upgrades on your system using the '''apt upgrade''' command. </li><br />
</ol><br />
: ''NOTE: This lab sets up Samba with anonymous guest access which is not supported by Windows 10 anymore. You can work around this (directions for doing so are below) but you can't work around it on IHCC campus managed PCs so this lab really requires access to a PC which you have full administrative control over.''<br />
<br />
== Install Samba ==<br />
'''''[https://www.youtube.com/watch?v=h15fXbqYx5Y&feature=youtu.be Video Tutorial - Install Samba]''''' <br><br />
<ol><br />
<li> With your favorite package manager, install the '''samba''' package. </li><br />
<li> After Samba is installed, log in to Webmin in your local computer's web browser. </li><br />
<li> Under the servers tab, notice how Samba does not show up. This is because we just installed the package. </li><br />
<li> On the bottom of the left toolbar, click '''refresh modules'''. After a minute, it should refresh the page. Now look under the servers tab again. Does Samba now show up?</li><br />
</ol><br />
<br />
== Setup a Guest Share ==<br />
'''''[https://www.youtube.com/watch?v=BmgKPYIVaPY&feature=youtu.be Video Tutorial - Setup a Guest Share]''''' <br><br />
<br />
The first thing we are going to do is we are going to create a guest share.<br />
This share will allow all users, even those who have not authenticated, to read files.<br />
To help you better understand Samba, this first share will be configured from PuTTY and the command line.<br />
<ol><br />
<li>Change into the '''/etc/samba/''' directory and view a directory listing.<br />
: In here we have one main file, '''smb.conf''', which holds all of the Samba share and authentication settings. There may also be a few other files and directories which can be used for more advanced Samba features such as TLS certificate based authentication.</li><br />
<li>With your favorite text editor, open up '''smb.conf''' with administrative permission.</li><br />
<li>Scroll to the bottom of the file, and notice how shares are defined. They all have a similar format such as:<br />
<pre><br />
[Share Name]<br />
comment = Share Comment<br />
options....</pre><br />
:'''options''' are the different configuration settings.</li><br />
Let's try creating the guest share folder from the config file manually.<br />
<li>Exit out of the text editor, and create the folder '''/srv/Guest-Files''' as root.<br />
: This will be the folder we are sharing.</li><br />
<li>Open up '''/etc/samba/smb.conf''' in a text editor again as root, and go to the bottom of the file.</li><br />
<li>Enter the following:<br />
<pre>[Guest Share]<br />
comment = Public File Share<br />
public = yes<br />
path = /srv/Guest-Files</pre><br />
You have now created the public share. <br />
</li><br />
<br />
<li>In order to make the share take effect you need to restart the Samba service on your machine with the following command: <br />
<br><br />
<code>service smbd restart</code><br />
<br />
: ''NOTE: Restarting services requires administrative permission.''</li><br />
<li>To test this share, go into '''/srv/Guest-Files''' and create a text file and enter some information.<br />
: We will use this file to test the read-only settings of the share.<br />
: At this point, we should be ready to test out our configuration. </li><br />
<li>On your Local Computer, open up the run dialog box, and enter '''\\172.17.50.xx''' (The IP you setup for the static address of your VM), and press enter.<br />
: You should see a share folder called Guest Share.<br />
:[[file:Samba-windows-guest.png | link= https://wiki.ihitc.net/mediawiki/images/d/d4/Samba-windows-guest.png | 500px]]<br />
:[[media:Samba-windows-guest.png | Click for Larger Image]]</li><br />
: ''NOTE: If you receive an error on your local system and can't access the Samba share, it might be your firewall blocking the connection. This has been the case with non-Windows Firewalls such as BitDefender. If you are using one of these firewalls you may have to make a rule to allow traffic. This link might help: [https://www.bitdefender.com/consumer/support/answer/2397/ https://www.bitdefender.com/consumer/support/answer/2397/]''<br />
<li>Open the Guest Share folder and see if your text file is in the share.</li><br />
<li>Open up the file, and try to edit and save the file. What error do you get?</li><br />
: '''''SPECIAL NOTE for Windows 10 Client PCs:''' If the computer you are using to try and connect to this share is running Windows 10 version 1709 or later, [https://support.microsoft.com/en-us/help/4046019/guest-access-smb2-disabled-by-default-in-windows-10-server-2016 Microsoft has disabled SMB guest share access]. You have a few different options for completing this:''<br />
:* Use an earlier version of Windows (remember you'll need to install OpenVPN and be connected to ITCnet) such as Windows 10 before version 1709, Windows 8, or Windows 7 to attempt to connect to the share.<br />
:* Follow the instructions on the above Microsoft page to re-enable guest share access on your Windows 10 version 1709 or later system using the group policy editor (requires Windows 10 Professional or Enterprise)<br />
:* Use the registry editor to set the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters] "AllowInsecureGuestAuth" to dword:1 (Note: editing your registry can cause your system not to boot and other unexpected behavior, so be careful and be sure of what you are doing)<br />
: '''''SPECIAL NOTE for Personal Windows PCs:''' If you are getting an error after hitting enter in the run dialog box, try either disabling your firewall or making a firewall exception for the IP address of your server.''<br />
</ol><br />
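The guest share above is readable by anyone who can reach the server, and it stays read-only only because no write option was set. The following added example (not part of the original lab) parses '''smb.conf''' text and reports which shares allow guest access and whether guests can also write. The sample configuration is constructed: the ''Dropbox'' share and the ''[global]'' and ''[homes]'' lines are assumptions for illustration, and line continuations with a trailing backslash are not handled.

```python
"""Added example: flag guest-accessible shares in smb.conf text."""
import re

# Constructed sample: the lab's guest share plus a hypothetical writable one.
SAMPLE_SMB_CONF = """\
[global]
   map to guest = bad user

[homes]
   comment = Home Directories
   read only = no

[Guest Share]
comment = Public File Share
public = yes
path = /srv/Guest-Files

; hypothetical share, not part of the lab
[Dropbox]
path = /srv/Dropbox
guest ok = yes
writable = yes
"""

TRUE_WORDS = {"yes", "true", "on", "1"}
GUEST_KEYS = {"guestok", "public"}                   # "public" is a synonym of "guest ok"
WRITE_KEYS = {"writeable", "writable", "writeok"}    # inverted synonyms of "read only"


def normalize(name):
    """smb.conf parameter names ignore case and embedded whitespace."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section name: [(parameter, value), ...]} in file order."""
    shares = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                                  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].strip(), [])
            continue
        key, sep, value = line.partition("=")
        if sep and current is not None:
            current.append((normalize(key), value.strip()))
    return shares


def effective(params, defaults):
    """Resolve (guest_allowed, writable) for one share; [global] is the fallback."""
    guest, read_only = False, True                    # Samba's built-in defaults
    for source in (defaults, params):
        for key, value in source:                     # a later line overrides an earlier one
            flag = value.lower() in TRUE_WORDS
            if key in GUEST_KEYS:
                guest = flag
            elif key == "readonly":
                read_only = flag
            elif key in WRITE_KEYS:
                read_only = not flag
    return guest, not read_only


def audit(text):
    """Return [(share, level, path)] where level is OK, REVIEW or HIGH."""
    shares = parse_smb_conf(text)
    defaults = next((p for n, p in shares.items() if n.lower() == "global"), [])
    report = []
    for name, params in shares.items():
        if name.lower() == "global":
            continue
        guest, writable = effective(params, defaults)
        if guest and writable:
            level = "HIGH"        # unauthenticated users can change files
        elif guest:
            level = "REVIEW"      # unauthenticated users can read files
        else:
            level = "OK"
        report.append((name, level, dict(params).get("path", "")))
    return report


if __name__ == "__main__":
    for name, level, path in audit(SAMPLE_SMB_CONF):
        print(f"{level:6} [{name}] {path}")
```

To audit a real server, pass the contents of '''/etc/samba/smb.conf''' to <code>audit()</code> instead of the sample text.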
<br />
== Share Home Directories ==<br />
'''''[https://www.youtube.com/watch?v=MOJ6wwiQ1mk&feature=youtu.be Video Tutorial - Share Home Directories]''''' <br><br />
Now we are going to setup Home Directory Sharing. By default this is enabled, but write access is not and no users are setup.<br />
First it must be noted that Samba requires separate user accounts from the system, just like MySQL. So first, we are going to add your user account.<br />
<ol><br />
<li> To do this, we are now going to use Webmin to configure the shares.<br />
: Notice also what other shares are enabled in Samba by default when looking at the Webmin page for Samba. </li><br />
:[[file:Webmin-samba-dashboard.png | link= https://wiki.ihitc.net/mediawiki/images/9/9d/Webmin-samba-dashboard.png | 500px]]<br />
:[[media:Webmin-samba-dashboard.png | Click for Larger Image]]<br />
<li> On the Webmin Samba configuration page, click '''Samba Users'''.<br />
: Notice how none are currently defined.</li><br />
<li>Go back and click '''Convert Users'''.<br />
: This is the tool we will use to convert/copy the local Unix user accounts to Samba accounts.</li><br />
<li>Leave the Unix users to convert option set to all except listed users and UID ranges with the option of -499.<br />
: This will add all user accounts with a UID of 500 or more to Samba. Lower UID values are typically used on Debian systems as service accounts (like ''www-data'') who should not have Samba permissions. </li><br />
<li> On the bottom, select '''No password'''.<br />
: We are doing this as we will define unique passwords for each user.</li><br />
<li>Click '''Convert Users''' when ready. </li><br />
<li> When you are done, go to the '''Samba Users''' page again.<br />
: Notice how your user account is now listed.</li><br />
<li>From here you can now add passwords to the different user accounts you added in the last step. Be sure to set the passwords for each user you intend to connect with. </li><br />
<br />
Lastly we are going to setup write access to home folders, so you will be able to add files to your home directory over Samba.<br />
<br />
<li> On the Samba config page, under '''Shares''', click the '''home share'''.</li><br />
<li> Click '''Security and Access Control'''.</li><br />
<li> Set the '''Writable''' option to '''Yes''', and then click save. </li><br />
<li> Go back to the Samba config page, and click the '''Restart Samba Servers''' option at the bottom.<br />
: We do this to force samba to load the new configuration. You can also wait a minute or two if you don't want to disconnect any connected users. </li><br />
: At this point, we should be ready to test out our configuration.<br />
<li>On your Local Computer, open up the run dialog box, and enter '''\\172.17.50.xx''' (Your IP you setup for the static address), and press enter.<br />
: Notice how you do not see a home directory share because you are connected without any authentication.</li><br />
<li>In the top URL window, add '''\<username>''' to the path, e.g. '''\\172.17.50.xx\user'''.<br />
: You should now get a login popup.</li><br />
<li>Login as your user, and you should be greeted with your home folder.<br />
: ''NOTE: If your user is unable to login you may have forgotten to set a Samba password for the user as directed above. You need to set a password for each user within Samba.''<br />
: ''NOTE: On local systems running an operating system other than Windows follow whatever process you would normally use to connect to a Windows file share using the IP address of your VM as the server name.'' </li><br />
<li> Test creating and deleting a file to verify write access is working.</li><br />
<li> Try to access a home share of another user that was added to Samba.<br />
: Notice how you do not have permissions.</li><br />
<li>Try logging in with another user account to access a different home share.<br />
: ''NOTE: To use another user account in a samba share, you may have to logout and then back in on your local machine.'' </li><br />
</ol><br />
<br />
== Setup a Group Share ==<br />
'''''[https://www.youtube.com/watch?v=1C7BBUC_V3A&feature=youtu.be Video Tutorial - Setup a Group Share]''''' <br><br />
Now we are going to setup a group folder share that will allow for all samba users to read and write to the folder.<br />
<ol><br />
<li>Go back to the Webmin Samba configuration panel.<br />
: We are going to create a new share.</li><br />
<li>Under '''shares''', select the '''Create a new file share''' link. Use the following base configuration:<br />
<br><br />
<code>Share Name: Share-Files<br><br />
Directory to share: /srv/Group-Share<br><br />
Automatically Create Directory: Yes<br><br />
Create with owner: root<br><br />
Create with permissions: 775<br><br />
Create with group: users<br><br />
Available: yes<br><br />
Browsable: yes<br><br />
Share Comment: group share folder<br />
</code></li><br />
<li>Once the share is setup, click it to edit it.</li><br />
<li>Once you are at the '''Edit File Share''' page, click '''File Permissions'''.<br />
: Notice how the New Unix file and New Unix directory are set to 755 by default, even though we set the share to use 775 to create the directory. This is done for security purposes as it would only allow the owner to have modification privileges for the files and directories they create. We need to modify this so that all users on the system have full access to files in this share.</li><br />
<li>Set the '''New Unix file''' and '''New Unix directory''' mode to 775, and set '''Force Unix group''' to '''users'''. You can now press '''save'''. We do this to allow all authenticated users permission to modify and edit files that may have been added by other users.</li><br />
: Now we will need to enable write access to the folder.<br />
<li>On the '''Edit file share''' page again, click '''Security and Access Control'''.</li><br />
<li>Set the '''Writable''' option to '''Yes''', and press '''save'''.</li><br />
<li>At this point, you can test the share exactly the same way we did with the home folder share.</li><br />
: Notice though how this share is set to '''browsable''', so it shows up in the root share folder. Go ahead and create a file through your host computer. Then use PuTTY to look at the user and group assigned to the files you created.<br />
: It is important to note that even if a user has read or write permission in Samba they must ''also'' have permission to read or write the file/directory on the underlying Linux filesystem. Many problems with making Samba work can be traced to permissions errors where a user does not have correct permission to work with a file or directory either by the Samba software ''or'' by the filesystem.<br />
<li>Look at your '''smb.conf''' file and see what changes Webmin made in order to setup your group share.</li><br />
</ol><br />
<br />
= Checking Your Work =</div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_7_mnjk&diff=9530Lab 7 mnjk2021-02-27T20:15:45Z<p>NateHaleen: /* Setup a Guest Share */</p>
<hr />
<div>=Introduction=<br />
'''''[https://www.youtube.com/watch?v=dQw4w9WgXcQ Watch the video introduction]'''''<br />
<br />
This lab assumes you know how to install a package from the Debian repository and you have Webmin installed. If you need help please see '''[[Lab_1_mnjk#Installing_sudo_and_checking_your_IP_address | Lab 1]]''' and '''[[Lab_3_mnjk#Install_the_Webmin_Control_Panel | Lab 3]]'''.<br />
<br />
In this lab you will perform the following tasks:<br />
* Install [https://www.samba.org/samba/ Samba]<br />
* Setup a Guest Share<br />
* Share Home Directories<br />
* Setup a group share<br />
<br />
You will not be introduced to new commands.<br />
<br />
= Lab Procedure =<br />
== Prerequisites ==<br />
<ol><br />
<li> Open an SSH console to your Linux system using the PuTTY software, login with your standard user account. </li><br />
<li> Make sure that Webmin is installed on your system. </li><br />
<li> Make sure you have an up-to-date list of packages on your system using the '''apt update''' command. </li><br />
<li> Make sure you have all the latest software upgrades on your system using the '''apt upgrade''' command. </li><br />
</ol><br />
: ''NOTE: This lab sets up Samba with anonymous guest access which is not supported by Windows 10 anymore. You can work around this (directions for doing so are below) but you can't work around it on IHCC campus managed PCs so this lab really requires access to a PC which you have full administrative control over.''<br />
<br />
== Install Samba ==<br />
'''''[https://www.youtube.com/watch?v=h15fXbqYx5Y&feature=youtu.be Video Tutorial - Install Samba]''''' <br><br />
<ol><br />
<li> With your favorite package manager, install the '''samba''' package. </li><br />
<li> After Samba is installed, log in to Webmin in your local computer's web browser. </li><br />
<li> Under the servers tab, notice how Samba does not show up. This is because we just installed the package. </li><br />
<li> On the bottom of the left toolbar, click '''refresh modules'''. After a minute, it should refresh the page. Now look under the servers tab again. Does Samba now show up?</li><br />
</ol><br />
<br />
== Setup a Guest Share ==<br />
'''''[https://www.youtube.com/watch?v=BmgKPYIVaPY&feature=youtu.be Video Tutorial - Setup a Guest Share]''''' <br><br />
<br />
The first thing we are going to do is we are going to create a guest share.<br />
This share will allow all users, even those who have not authenticated, to read files.<br />
To help you better understand Samba, this first share will be configured from PuTTY and the command line.<br />
<ol><br />
<li>Change into the '''/etc/samba/''' directory and view a directory listing.<br />
: In here we have one main file, '''smb.conf''', which holds all of the Samba share and authentication settings. There may also be a few other files and directories which can be used for more advanced Samba features such as TLS certificate based authentication.</li><br />
<li>With your favorite text editor, open up '''smb.conf''' with administrative permission.</li><br />
<li>Scroll to the bottom of the file, and notice how shares are defined. They all have a similar format such as:<br />
<pre><br />
[Share Name]<br />
comment = Share Comment<br />
options....</pre><br />
:'''options''' are the different configuration settings.</li><br />
Let's try creating the guest share folder from the config file manually.<br />
<li>Exit out of the text editor, and create the folder '''/srv/Guest-Files''' as root.<br />
: This will be the folder we are sharing.</li><br />
<li>Open up '''/etc/samba/smb.conf''' in a text editor again as root, and go to the bottom of the file.</li><br />
<li>Enter the following:<br />
<pre>[Guest Share]<br />
comment = Public File Share<br />
public = yes<br />
path = /srv/Guest-Files</pre><br />
You have now created the public share. <br />
</li><br />
<br />
<li>In order to make the share take effect you need to restart the Samba service on your machine with the following command: <br />
<br><br />
<code>service smbd restart</code><br />
<br />
: ''NOTE: Restarting services requires administrative permission.''</li><br />
<li>To test this share, go into '''/srv/Guest-Files''' and create a text file and enter some information.<br />
: We will use this file to test the read-only settings of the share.<br />
: At this point, we should be ready to test out our configuration. </li><br />
<li>On your Local Computer, open up the run dialog box, and enter '''\\172.17.50.xx''' (The IP you setup for the static address of your VM), and press enter.<br />
: You should see a share folder called Guest Share.<br />
:[[file:Samba-windows-guest.png | link= https://wiki.ihitc.net/mediawiki/images/d/d4/Samba-windows-guest.png | 500px]]<br />
:[[media:Samba-windows-guest.png | Click for Larger Image]]</li><br />
: ''NOTE: If you receive an error on your local system and can't access the Samba share, it might be your firewall blocking the connection. This has been the case with non-Windows Firewalls such as BitDefender. If you are using one of these firewalls you may have to make a rule to allow traffic. This link might help: [https://www.bitdefender.com/consumer/support/answer/2397/]''<br />
<li>Open the Guest Share folder and see if your text file is in the share.</li><br />
<li>Open up the file, and try to edit and save the file. What error do you get?</li><br />
: '''''SPECIAL NOTE for Windows 10 Client PCs:''' If the computer you are using to try and connect to this share is running Windows 10 version 1709 or later, [https://support.microsoft.com/en-us/help/4046019/guest-access-smb2-disabled-by-default-in-windows-10-server-2016 Microsoft has disabled SMB guest share access]. You have a few different options for completing this:''<br />
:* Use an earlier version of Windows (remember you'll need to install OpenVPN and be connected to ITCnet) such as Windows 10 before version 1709, Windows 8, or Windows 7 to attempt to connect to the share.<br />
:* Follow the instructions on the above Microsoft page to re-enable guest share access on your Windows 10 version 1709 or later system using the group policy editor (requires Windows 10 Professional or Enterprise)<br />
:* Use the registry editor to set the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters] "AllowInsecureGuestAuth" to dword:1 (Note: editing your registry can cause your system not to boot and other unexpected behavior, so be careful and be sure of what you are doing)<br />
: '''''SPECIAL NOTE for Personal Windows PCs:''' If you are getting an error after hitting enter in the run dialog box, try either disabling your firewall or making a firewall exception for the IP address of your server.''<br />
</ol><br />
<br />
== Share Home Directories ==<br />
'''''[https://www.youtube.com/watch?v=MOJ6wwiQ1mk&feature=youtu.be Video Tutorial - Share Home Directories]''''' <br><br />
Now we are going to set up Home Directory Sharing. By default this is enabled, but write access is not and no users are set up.<br />
First it must be noted that Samba requires separate user accounts from the system, just like MySQL. So first, we are going to add your user account.<br />
<ol><br />
<li> To do this, we are now going to use Webmin to configure the shares.<br />
: Notice also what other shares are enabled in Samba by default when looking at the Webmin page for Samba. </li><br />
:[[file:Webmin-samba-dashboard.png | link= https://wiki.ihitc.net/mediawiki/images/9/9d/Webmin-samba-dashboard.png | 500px]]<br />
:[[media:Webmin-samba-dashboard.png | Click for Larger Image]]<br />
<li> On the Webmin Samba configuration page, click '''Samba Users'''.<br />
: Notice how none are currently defined.</li><br />
<li>Go back and click '''Convert Users'''.<br />
: This is the tool we will use to convert/copy the local Unix user accounts to Samba accounts.</li><br />
<li>Leave the Unix users to convert option set to all except listed users and UID ranges with the option of -499.<br />
: This will add all user accounts with a UID of 500 or more to Samba. Lower UID values are typically used on Debian systems as service accounts (like ''www-data'') which should not have Samba permissions. </li><br />
<li> On the bottom, select '''No password'''.<br />
: We are doing this as we will define unique passwords for each user.</li><br />
<li>Click '''Convert Users''' when ready. </li><br />
<li> When you are done, go to the '''Samba Users''' page again.<br />
: Notice how your user account is now listed.</li><br />
<li>From here you can now add passwords to the different user accounts you added in the last step. Be sure to set the passwords for each user you intend to connect with. </li><br />
<br />
Lastly, we are going to set up write access to home folders, so you will be able to add files to your home directory over Samba.<br />
<br />
<li> On the Samba config page, under '''Shares''', click the '''home share'''.</li><br />
<li> Click '''Security and Access Control'''.</li><br />
<li> Set the '''Writable''' option to '''Yes''', and then click save. </li><br />
<li> Go back to the Samba config page, and click the '''Restart Samba Servers''' option at the bottom.<br />
: We do this to force samba to load the new configuration. You can also wait a minute or two if you don't want to disconnect any connected users. </li><br />
: At this point, we should be ready to test out our configuration.<br />
<li>On your local computer, open up the Run dialog box, enter '''\\172.17.50.xx''' (the static IP address you set up), and press enter.<br />
: Notice how you do not see a home directory share because you are connected without any authentication.</li><br />
<li>In the top URL window, add '''\<username>''' to the path, e.g. '''\\172.17.50.xx\user'''.<br />
: You should now get a login popup.</li><br />
<li>Login as your user, and you should be greeted with your home folder.<br />
: ''NOTE: If your user is unable to login you may have forgotten to set a Samba password for the user as directed above. You need to set a password for each user within Samba.''<br />
: ''NOTE: On local systems running an operating system other than Windows follow whatever process you would normally use to connect to a Windows file share using the IP address of your VM as the server name.'' </li><br />
<li> Test creating and deleting a file to verify write access is working.</li><br />
<li> Try to access a home share of another user that was added to Samba.<br />
: Notice how you do not have permissions.</li><br />
<li>Try logging in with another user account to access a different home share.<br />
: ''NOTE: To use another user account in a samba share, you may have to logout and then back in on your local machine.'' </li><br />
</ol><br />
<br />
== Setup a Group Share ==<br />
'''''[https://www.youtube.com/watch?v=1C7BBUC_V3A&feature=youtu.be Video Tutorial - Setup a Group Share]''''' <br><br />
Now we are going to set up a group folder share that will allow all Samba users to read and write to the folder.<br />
<ol><br />
<li>Go back to the Webmin Samba configuration panel.<br />
: We are going to create a new share.</li><br />
<li>Under '''shares''', select the '''Create a new file share''' link. Use the following base configuration:<br />
<br><br />
<code>Share Name: Share-Files<br><br />
Directory to share: /srv/Group-Share<br><br />
Automatically Create Directory: Yes<br><br />
Create with owner: root<br><br />
Create with permissions: 775<br><br />
Create with group: users<br><br />
Available: yes<br><br />
Browsable: yes<br><br />
Share Comment: group share folder<br />
</code></li><br />
<li>Once the share is set up, click it to edit it.</li><br />
<li>Once you are at the '''Edit File Share''' page, click '''File Permissions'''.<br />
: Notice how the New Unix file and New Unix directory are set to 755 by default, even though we set the share to use 775 to create the directory. This is done for security purposes as it would only allow the owner to have modification privileges for the files and directories they create. We need to modify this so that all users on the system have full access to files in this share.</li><br />
<li>Set the '''New Unix file''' and '''New Unix directory''' mode to 775, and set '''Force Unix group''' to '''users'''. You can now press '''save'''. We do this to allow all authenticated users permission to modify and edit files that may have been added by other users.</li><br />
: Now we will need to enable write access to the folder.<br />
<li>On the '''Edit file share''' page again, click '''Security and Access Control'''.</li><br />
<li>Set the '''Writable''' option to '''Yes''', and press '''save'''.</li><br />
<li>At this point, you can test the share exactly the same way we did with the home folder share.</li><br />
: Notice though how this share is set to '''browsable''', so it shows up in the root share folder. Go ahead and create a file through your host computer. Then use PuTTY to look at the user and group assigned to the files you created.<br />
: It is important to note that even if a user has read or write permission in Samba they must ''also'' have permission to read or write the file/directory on the underlying Linux filesystem. Many problems with making Samba work can be traced to permissions errors where a user does not have correct permission to work with a file or directory either by the Samba software ''or'' by the filesystem.<br />
<li>Look at your '''smb.conf''' file and see what changes Webmin made in order to set up your group share.</li><br />
</ol><br />
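The reasoning in the steps above (the masks go from 755 to 775, the group is forced to ''users'', and a write must be allowed by both Samba and the Linux filesystem) can be modelled in a short script. This is an added example, not part of the original lab and not Webmin's output: the smb.conf text, the <code>Share-Files-before</code> section and the users ''alice'' and ''bob'' are constructed, and new files are assumed to start from mode 666 (directories 777) before the mask is applied.<br />

```python
# Added example; the smb.conf text and the user accounts below are constructed.
SMB_CONF = """
[Share-Files-before]
   path = /srv/Group-Share
   writable = yes
   create mask = 755
   directory mask = 755
   force group = users

[Share-Files]
   path = /srv/Group-Share
   comment = group share folder
   writable = yes
   create mask = 775
   directory mask = 775
   force group = users
"""

# user -> groups. Assumption: each account has only a private group named
# after itself, so nobody is a member of "users" unless the share forces it.
USERS = {"alice": {"alice"}, "bob": {"bob"}}

TRUE_WORDS = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Return {share name: {parameter: value}} with parameter names lowercased."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return shares


def is_writable(share):
    """Samba-level write permission, honouring the documented synonyms."""
    for key in ("writable", "writeable", "write ok"):
        if key in share:
            return share[key].lower() in TRUE_WORDS
    # "read only" is the inverted form and defaults to yes (smb.conf(5)).
    return share.get("read only", "yes").lower() not in TRUE_WORDS


def _mask(share, names, default):
    for name in names:
        if name in share:
            return int(share[name], 8)
    return default


def created_mode(share, is_dir=False):
    """Mode a new file or directory ends up with (simplified: the DOS
    attribute mapping and the 'force create mode' parameters are ignored)."""
    if is_dir:
        return 0o777 & _mask(share, ("directory mask", "directory mode"), 0o755)
    return 0o666 & _mask(share, ("create mask", "create mode"), 0o744)


def fs_allows_write(mode, owner, group, user, user_groups):
    """Classic Unix check: exactly one of owner, group, other applies."""
    if user == owner:
        return bool(mode & 0o200)
    if group in user_groups:
        return bool(mode & 0o020)
    return bool(mode & 0o002)


def other_user_can_edit(share, creator, editor, users=USERS):
    """Can `editor` modify a file that `creator` saved through this share?"""
    if not is_writable(share):
        return False                      # refused by Samba itself
    forced = share.get("force group")
    file_group = forced or creator        # private group when nothing is forced
    # force group also becomes the connecting user's group for the session
    editor_groups = users[editor] | ({forced} if forced else set())
    return fs_allows_write(created_mode(share), creator, file_group,
                           editor, editor_groups)


def report(text=SMB_CONF):
    """One row per share: name, writable, file mode, dir mode, shared editing."""
    return [(name, is_writable(share), oct(created_mode(share)),
             oct(created_mode(share, is_dir=True)),
             other_user_can_edit(share, "alice", "bob"))
            for name, share in parse_smb_conf(text).items()]


if __name__ == "__main__":
    for row in report():
        print(row)
```

With the 755 masks a file saved by one user lands as 644, so a second user can read it but not change it; with 775 it lands as 664 and the forced ''users'' group carries the write bit.<br />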
<br />
= Checking Your Work =</div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_1_mnjk&diff=9529Lab 1 mnjk2021-02-27T20:05:48Z<p>NateHaleen: /* Install curl */</p>
<hr />
<div>=Introduction=<br />
:In this lab you will perform the following tasks:<br />
*Access NetLab to access the environment for your virtual machine<br />
*Install the latest version of Debian Linux in a virtual machine<br />
*Learn how to login and check the IP address of the system<br />
*Learn to remotely access the system with SSH and SFTP.<br />
<br />
You will be introduced to the following commands:<br />
<br />
*'''[https://linux.die.net/man/8/apt apt]'''<br />
*'''[https://linux.die.net/man/8/sudo sudo]'''<br />
*'''[https://linux.die.net/man/8/useradd adduser]'''<br />
*'''[https://linux.die.net/man/8/shutdown shutdown]'''<br />
*'''[https://linux.die.net/man/8/ip ip address show]'''<br />
<br />
=Lab Procedure=<br />
==Netlab Access==<br />
'''''[https://www.youtube.com/watch?v=-hLejbDfPGM&feature=youtu.be Video Tutorial - NetLab Access]'''''<br />
<ol><br />
<li> Connect to the ITCnet </li> <br />
: This can be accomplished by directly plugging into an ITCnet port in one of the ITC labs or by connecting to the [[ITC_VPN_Instructions|VPN]].<br />
:'' Note: If you want to connect using a wireless connection on campus you need to [[Connecting to Eduroam|connect to the eduroam network]] before connecting to the VPN.<br />
<li> After you are connected to ITCnet (by VPN or wired connection) you simply need to open a web browser and access https://ihcc-netlab.campus.ihitc.net</li><br />
* The first time you visit this site in a browser you may need to accept a self-signed security certificate<br />
* You will need to log in with a username and password established by your instructor.<br />
* The first time you log in you will need to change your password and set your timezone. Make sure your timezone is set correctly so you can schedule reservations to work with equipment at convenient times.<br />
<li> Once you are logged in click the blue "New Lab Reservation" button</li><br />
: Next, in the lower left corner of the screen, select "Schedule a Lab for Myself". Reservations are used to hold a place on the Netlab system to work on labs during a specific time. You only need reservations in this class when working with the GUI, which will come later in the class, if you need to turn the power back on to your VM, or during the installation process. The rest of the time you will be able to connect directly to your Linux server using the SSH protocol, but more on that in a bit.<br />
:'' Note: If you are enrolled in more than one class that is using Netlab you will be presented with a list of classes you are enrolled in. Click on your Linux System Administration course if you see this screen.<br />
: All of our lab work in this class is done in a single "Lab Environment" and your progress will be saved from one reservation to another. As a result there is only one lab listed in this course "Linux System Administration Labs". Click on this lab title.<br />
<li> Use the calendar to choose a date, time, and specific pod to reserve for your lab activity (when you will begin your Debian server installation).</li><br />
: The red line on this screen indicates the current time. If you want to get started right away you can click just below this line. Pay attention to the title of the column at the top, it will say something like "LSA Pod Z". The letter at the end of this pod name is your "pod letter" which you will use to set the host name and IP address of your machine in the future so make note of it.<br />
: You will be presented with a summary screen for your reservation where you can set the end time of your reservation (up to a maximum). It is suggested to make your reservation a couple hours long the first time you plan to install Debian, though you can extend it if needed. Click submit once you are ready to make the reservation.<br />
<li>You will see a confirmation screen that your reservation has been made.</li><br />
: You are now ready to progress on to the Debian Linux Installation (as long as your reservation is right away).<br />
</ol><br />
<br />
==Debian Linux Installation==<br />
'''''[https://www.youtube.com/watch?v=H0DcdEytpFQ&feature=youtu.be Video Tutorial - Debian Linux Installation]'''''<br />
<ol><br />
<li> Log in to the Netlab system</li><br />
: Access this using a web browser at https://ihcc-netlab.campus.ihitc.net if you are not already logged in.<br />
: If you have a currently active reservation you will see a green "Enter Lab" button on your list of reservations. Click the green "Enter Lab" button. If not, you will need to make a reservation (see above) and then click the "Enter Lab" button.<br />
: Your virtual machines (VMs) will automatically power on when your reservation begins and because there is no operating system currently installed to their virtual hard drives they will boot from their virtual CD/DVD drives which have been pre-loaded with the installation discs for Linux.<br />
<li> Access your virtual machine console</li><br />
: Once you are in your pod you can either click on the image of the "Linux Server" on the topology diagram or use the tabs across the top of your screen to access the console of your Linux Server VM.<br />
: The console shows the display of your VM and allows you to type and interact with your VM just as if you were physically sitting down in front of a server with a monitor, keyboard, and mouse attached. Just like a separate physical machine you will not be able to copy and paste text or drag and drop files in and out of this console window. We will use other utilities across the network connection to do those things just like we would with a physical server.<br />
<li>Learn to "Power Cycle" your virtual machine</li><br />
: By now your VM has likely already booted from its virtual CD/DVD drive and should be at the "Debian GNU/Linux installer menu". Before continuing let's practice rebooting your system so you can watch the system boot and see how to reboot the system if needed. Click the down arrow button on the right side of the "Linux Server" tab at the top of your screen and choose "Power Off" then click the red "Power Off" button on the popup to power off your VM. This is the equivalent of just pulling out the power cord, at least until we install the VMware Tools software which allows for a graceful shutdown, so you'll want to be careful to only do this if absolutely needed until then.<br />
<li>Power on your virtual machine</li><br />
: Click the down arrow button on the right side of the "Linux Server" tab at the top of your screen and choose "Power On", or press the blue "Power On" button in the middle of your screen, then press the green "Power On" button to boot your system.<br />
<li>Install Debian Linux</li><br />
: Once the system has rebooted and is back to the "Debian GNU/Linux installer menu" choose "Install" and '''not''' "Graphical Install". If you make an incorrect choice you can reboot your virtual machine (power off and on) before installing to get back to the menu.<br />
: In the installer you will use the space bar to select and unselect "checkboxes", the tab key to move between fields and buttons, and the enter key to continue. You will be prompted for the following choices<br />
* Select ''English'' as the language, ''United States'' as your location, and ''American English'' as the keymap.<br />
* Set ''ens192'' as your primary network interface.<br />
* Set a hostname for the system to 2480 followed by a dash and then your pod ID letter, like ''2480-Z'' for LSA Pod Z. If you have forgotten your pod ID letter look up at the top of your screen above the line with the "Topology" and "Linux Server" tabs and you should see a line with "LSA Pod" followed by a letter, that letter is your pod ID letter.<br />
:'' Note: These steps are critical to future success in labs, check your spelling carefully'' <br />
: [[File:Lab1_hostname.png|link=https://wiki.ihitc.net/mediawiki/images/5/57/Lab1_hostname.png|500px]]<br />
: [[Media:Lab1_hostname.png|Click here for a larger image]]<br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
: [[File:Lab1_domainname.png|link=https://wiki.ihitc.net/mediawiki/images/5/5a/Lab1_domainname.png|500px]]<br />
: [[Media:Lab1_domainname.png|Click here for a larger image]]<br />
* Set the root password to something you will NOT FORGET, this is the administrator account, ''cisco'' might be a good choice for our purposes though that would not be secure for a system directly accessible from the Internet (we are protected by a firewall which you are bypassing via the VPN connection)<br />
* Create a new user account by entering your name. The system will automatically use your first name (all lowercase) as the username and then you should set the password to another password you will not forget<br />
* Select your timezone<br />
* Choose "Guided - Use entire disk" as the partitioning method and select the ''sda'' drive and "All files in one partition" as the partitioning scheme, "Finish partitioning and write the changes to the disk", and then finally confirm you want to write the changes.<br />
* You do not want to scan any other CDs or DVDs at this time.<br />
* You want to select a mirror located close to you with good speed. Because your VM is actually running from the campus and is connected to the campus Internet connection a good option is "debian.uchicago.edu" with no http proxy.<br />
* Choose whether you want to participate in the package usage survey, for our purposes either choice is just fine.<br />
* On the software selection screen UNSELECT "Debian desktop environment" and "Print server" and make sure that "SSH server" and "Standard system utilities" are the only two selected options.<br />
:'' Note: To select and unselect options move your cursor over the option and press the space bar.<br />
* Choose that yes you want to install GRUB to the master boot record on the ''/dev/sda'' device.<br />
<li>Complete the installation</li><br />
: When the installation is complete you can select continue to "eject" the virtual CD and reboot into the new install<br />
</ol><br />
<br />
==Installing sudo and Checking Your IP Address==<br />
'''''[https://www.youtube.com/watch?v=TwXp5YfAvlw&feature=youtu.be Video Tutorial - Installing sudo and checking your IP address]'''''<br />
<ol><br />
<li>Log in to NetLab</li><br />
: Login through the Netlab local console with your root account and password (username ''root'', password as set during the installation)<br />
:'' Note: When entering a password on the command line of a Linux system it is normal that nothing should appear and the cursor will not move when you are typing. This prevents someone who is able to see your computer screen from seeing what your password is or even how long it is. Just type your password and trust that the system is receiving it, press enter to submit your password.<br />
<li>Install '''sudo''' from the command line using:<br />
: ''Note: A good practice is to update your system before installing any packages. Do this with '''apt update''', and be sure to use '''sudo''' when not logged in as root.<br />
: <code>apt update</code><br />
: <code>apt install sudo</code></li><br />
: For security purposes it is usually the case that you do not want to log in as the root user. Instead, best practice is to log in as a standard user and then execute specific commands that require root access with administrative privileges through the '''sudo''' program. The '''sudo''' program is not installed by default so after you have logged in to the root account enter '''apt update''' and press enter which will update the list of software available for installation and then '''apt install sudo''' and press enter to install the sudo software.<br />
<li>Add sudo privileges to our standard user account.<br />
<code>adduser <username> sudo</code></li><br />
: We now need to add our standard user account to the group which is allowed to have administrative access. To do this, enter the command '''sudo adduser ''<username>'' sudo''' and press enter, replacing ''<username>'' with the name of your standard user account (set during the setup process, probably your first name in lowercase). We'll learn more about these commands later in the course.<br />
<li>Reboot system</li><br />
<code>shutdown -r now</code><br />
: Reboot your system using the '''shutdown -r now''' command to apply the changes<br />
<li>Log in as your standard user account, determine system IP address.<br />
: Once you are logged in use the following command at the command line to determine the IP address of your system<br />
<code>ip address show</code></li><br />
: Using the '''ip address show''' command will allow you to check the IP address of your system. The IP address should be something like ''172.17.50.xxx'' and be an ''inet'' address on the ''ens192'' adapter.<br />
[[File:Lab1_ip_address_show2.PNG|500px]]<br />
<li>Test sudo privileges</li><br />
: Try running the same command as the administrator by typing '''sudo ip address show''', you will need to enter in your password again when you run this command.<br />
<code>sudo ip address show</code><br />
<li>Exit from the local console</li><br />
: To log out of the console type '''exit''' and press enter.<br />
</ol><br />
<br />
==Logging in to a Remote Terminal==<br />
'''''[https://www.youtube.com/watch?v=JEiDkrlPMNw&feature=youtu.be Video Tutorial - Logging into a remote terminal]'''''<br />
<br />
A faster way to interact with your system is not through the Netlab local console but through a remote SSH session over the network directly to your server. Once you have mastered this you will be able to copy and paste text to your Linux server and will not need to make a reservation in Netlab to work on labs. For our purposes you will always need to connect to the ITCnet VPN before doing this so that you have access to the 172.17.50.0 network.<br />
<ol><br />
<li>Install PuTTY</li><br />
: Assuming you are running Windows, install the PuTTY software on your home PC from [http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html this website].<br />
: '' Note: For other operating systems there are other ways and software you can use to make an SSH connection, you will need to research what tools are used for making SSH connections from your particular operating system.<br />
<li>Open an SSH session</li><br />
:* Run the PuTTY software on your computer and enter in the IP address of your VM in the "Host Name" box and click the "Open" button.<br />
:[[File:Lab1_putty.png|link=https://wiki.ihitc.net/mediawiki/images/f/f5/Lab1_putty.png|500px]]<br />
:[[Media:Lab1_putty.png| Click here for larger image]]<br />
:* Click Yes to save the host key on your system<br />
: [[File:Lab1_puttycert.png|link=https://wiki.ihitc.net/mediawiki/images/4/4b/Lab1_puttycert.png|500px]]<br />
: [[Media:Lab1_puttycert.png|Click here for larger image]]<br />
:* Enter the standard username and password for your Linux system to connect.<br />
: '' Note: You should receive a prompt just like the one you had on the Netlab local console but it is now a direct connection from your computer over the ITCnet to your server.<br />
<li>Close the SSH session</li><br />
: Type '''exit''' to close the connection while leaving your VM running.<br />
</ol><br />
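Before clicking Yes on the host key prompt, the fingerprint the SSH client shows can be compared with one computed from the server's own public key, read on the Netlab local console (on Debian the Ed25519 host key is in <code>/etc/ssh/ssh_host_ed25519_key.pub</code>). The script below is an added example, not part of the original lab: it computes the SHA256 fingerprint in the form <code>ssh-keygen -lf</code> prints, and the key lines it uses are constructed filler bytes, not real keys.<br />

```python
import base64
import hashlib
import struct


def _read_string(buf, offset=0):
    """Read one length-prefixed field (4-byte big-endian length, then data)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    end = offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[offset + 4:end], end


def fingerprint(pubkey_line):
    """Return 'SHA256:<base64>' for one line of an OpenSSH .pub file."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, encoded = fields[0], fields[1]
    blob = base64.b64decode(encoded, validate=True)
    # The blob repeats the key type as its first field; a mismatch means the
    # line was edited or mis-copied, so refuse to produce a fingerprint.
    embedded_type, _ = _read_string(blob)
    if embedded_type != key_type.encode("ascii", "replace"):
        raise ValueError("key type in blob does not match declared type")
    digest = hashlib.sha256(blob).digest()
    # OpenSSH prints the digest as base64 without the trailing '=' padding.
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def prompt_matches(pubkey_line, shown_fingerprint):
    """True when the fingerprint shown by the client belongs to this key."""
    return fingerprint(pubkey_line) == shown_fingerprint.strip()


def constructed_key_line(fill_byte, comment="root@2480-Z"):
    """Build a syntactically valid ssh-ed25519 line from filler bytes.

    Constructed sample data for the demonstration only, not a real key.
    """
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes([fill_byte]) * 32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " " + comment


if __name__ == "__main__":
    server_key = constructed_key_line(0x11)      # as read on the console
    shown = fingerprint(server_key)              # what the client should show
    print(shown)
    print("same host:", prompt_matches(server_key, shown))
    print("different key:", prompt_matches(constructed_key_line(0x22), shown))
```

If the two fingerprints differ, answer No at the prompt and check that the IP address you typed is really your VM's address.<br />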
<br />
==Remote File Transfer==<br />
'''''[https://www.youtube.com/watch?v=JEiDkrlPMNw&feature=youtu.be Video Tutorial - Remote File Transfer]'''''<br />
<br />
The easiest way to transfer files to and from your VM is with SFTP software. For our purposes, you will always need to connect to the ITCnet VPN before doing this so that you have access to the 172.17.50.0 network.<br />
<ol><br />
<li>Install FileZilla</li><br />
: Install the FileZilla client software on your home PC from [https://filezilla-project.org/download.php?type=client this website]<br />
<li>Open a SFTP session to your server</li><br />
: Run FileZilla and use the Quick Connect bar at the top of the screen to access your system. <br />
:* Enter the IP address of your Linux system in the "Host:" box<br />
:* Enter your standard username and password in the appropriate boxes<br />
:* Enter ''22'' in the "Port:" box<br />
:* Click the "Quickconnect" button.<br />
: [[File:Lab1_filezillanew.png|link=https://wiki.ihitc.net/mediawiki/images/b/b1/Lab1_filezillanew.png|500px]]<br />
: [[Media:Lab1_filezillanew.png|Click here for larger image]]<br />
: You should see some connection text scroll on the top of the screen and some files on the right side of the screen now such as ''.bashrc'' and ''.profile'' The right side of the screen is the drive on your Linux system and the left side of the screen is the drive on your home system. Files and folders can be dragged between the two sides to transfer them back and forth.<br />
: [[File:Lab1_filezillaconnected.png|link=https://wiki.ihitc.net/mediawiki/images/c/ca/Lab1_filezillaconnected.png|500px]]<br />
: [[Media:Lab1_filezillaconnected.png|Click here for larger image]]<br />
<li>Close the FileZilla software to disconnect.</li><br />
</ol><br />
<br />
==Install VM Tools==<br />
'''''[https://www.youtube.com/watch?v=gLC1liwVJ8s&feature=youtu.be Video Tutorial - Install VM Tools]'''''<br />
: Because your Debian Linux server is running as a virtual machine on a VMware host system, we should install the VMware Tools software package in your virtual machine to achieve the best performance and driver integration.<br />
<ol><br />
<li>Open a SSH session to your server</li><br />
: Connect into your system using the remote SSH console method explained above.<br />
<li>Install '''open-vm-tools'''</li><br />
: Run the '''sudo apt install open-vm-tools''' command to install the VMware Tools. You will be prompted about several additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
<code>sudo apt install open-vm-tools</code><br />
</ol><br />
<br />
==Install Python==<br />
In order to check your work in the labs of this course you will need to have an application called [https://www.python.org/ Python] installed on your Linux system.<br />
<ol><br />
<li> Download ''python3'' using '''apt'''</li><br />
* When prompted type Y to install the app and its dependencies<br />
<ul>''NOTE: This may take a while.''</ul><br />
* When prompted to specify the name of the host where the TANGO database server is running, just select ok.<br />
<ul> [[File:Python_tango.png|link=https://wiki.ihitc.net/mediawiki/images/4/4c/Python_tango.png|500px]]</ul><br />
<ul> [[Media:Python_tango.png | Click for Larger Image]]</ul><br />
<li> Run the following command to verify that python version 3.6 is installed.</li><br />
<code>python3 --version</code><br />
<ul> [[File:Python_version.png|link=https://wiki.ihitc.net/mediawiki/images/7/70/Python_version.png|500px]]</ul><br />
<ul> [[Media:Python_version.png | Click for Larger Image]]</ul><br />
</ol><br />
<br />
==Install Nmap==<br />
:Nmap is a tool we will learn more about later in the course but it will likely be used to check many of the labs for completion while working through the course. This course's labwork often builds upon the work you have done in previous labs. The self-check scripts are to assist you in ensuring you have not missed any ''critical'' steps in your work that would affect your success in subsequent labs.<br />
<br />
:* ''NOTE: Before we begin the installation of this tool it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning of systems which they are not authorized to do. You have been warned!<br />
:*At this time all you will be doing is installing the tool as it will be used to self-check your lab work to verify you are ready to move on to the next lab.<br />
<ol><br />
<li>Open a SSH session to your server</li><br />
: Run the following command at the command line.<br />
<pre>sudo apt install nmap</pre><br />
: Run the '''sudo apt install nmap''' command to install the nmap tool. You will be prompted about additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
</ol><br />
<br />
==Install Curl==<br />
:Curl is a tool that lets you run scripts that are not saved to your virtual machine. It will be used to check the labs for completion while working through the course. <br />
<ol><br />
<li> Run the following command at the command line. </li><br />
<code>sudo apt install curl</code><br />
: If prompted to install additional packages type "y"<br />
<br />
<li>Close the SSH session</li><br />
: Type '''exit''' to close the connection while leaving your VM running.<br />
</ol><br />
<br />
==Safely Shutdown==<br />
'''''[https://www.youtube.com/watch?v=gLC1liwVJ8s&feature=youtu.be Video Tutorial - Safely Shutdown]'''''<br />
:We will normally leave our VM running, but it is important that you know how to shut down a Linux system correctly, so this time we'll turn it off.<br />
<ol><br />
<li>Open a SSH session to your server</li><br />
: Connect in to your system using the remote SSH console method explained above.<br />
<li> Safely shut down your server</li><br />
:* Run '''sudo shutdown -h now''' at the command line to safely shut down the system.<br />
<code>sudo shutdown -h now</code><br />
: You should soon get a message that PuTTY has lost its connection. Click OK and then you can close the PuTTY window.<br />
<li>End NetLab Reservation</li><br />
: If you still have time left in your reservation in Netlab it's polite to end the reservation so other users can work on the system, only a limited number of reservations can be made at one time. You can do this by logging into Netlab, opening your lab, and clicking the "Reservation" menu at the top of the screen and choose to "End Reservation Now" followed by confirming that you want to end the reservation.<br />
</ol><br />
<br />
=Checking your Work=<br />
<ol><br />
<li> Testing your work goes here</li><br />
<code> Commands to use</code><br />
<ul> Description of what you should see</ul><br />
</ol></div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_1_mnjk&diff=9528Lab 1 mnjk2021-02-27T20:05:15Z<p>NateHaleen: /* Install Nmap */</p>
<hr />
<div>=Introduction=<br />
:In this lab you will perform the following tasks:<br />
*Access NetLab to access the environment for your virtual machine<br />
*Install the latest version of Debian Linux in a virtual machine<br />
*Learn how to login and check the IP address of the system<br />
*Learn to remotely access the system with SSH and SFTP.<br />
<br />
You will be introduced to the following commands:<br />
<br />
*'''[https://linux.die.net/man/8/apt apt]'''<br />
*'''[https://linux.die.net/man/8/sudo sudo]'''<br />
*'''[https://linux.die.net/man/8/useradd adduser]'''<br />
*'''[https://linux.die.net/man/8/shutdown shutdown]'''<br />
*'''[https://linux.die.net/man/8/ip ip address show]'''<br />
<br />
=Lab Procedure=<br />
==Netlab Access==<br />
'''''[https://www.youtube.com/watch?v=-hLejbDfPGM&feature=youtu.be Video Tutorial - NetLab Access]'''''<br />
<ol><br />
<li> Connect to the ITCnet </li> <br />
: This can be accomplished by directly plugging into an ITCnet port in one of the ITC labs or by connecting to the [[ITC_VPN_Instructions|VPN]].<br />
:'' Note: If you want to connect using a wireless connection on campus you need to [[Connecting to Eduroam|connect to the eduroam network]] before connecting to the VPN.<br />
<li> After you are connected to ITCnet (by VPN or wired connection) you simply need to open a web browser and access https://ihcc-netlab.campus.ihitc.net</li><br />
* The first time you visit this site in a browser you may need to accept a self-signed security certificate<br />
* You will need to log in with a username and password established by your instructor.<br />
* The first time you log in you will need to change your password and set your timezone. Make sure your timezone is set correctly so you can schedule reservations to work with equipment at convenient times.<br />
<li> Once you are logged in click the blue "New Lab Reservation" button</li><br />
: Next, in the lower left corner of the screen, select "Schedule a Lab for Myself". Reservations are used to hold a place on the Netlab system to work on labs during a specific time. You only need reservations in this class when working with the GUI, which will come later in the class, if you need to turn the power back on to your VM, or during the installation process. The rest of the time you will be able to connect directly to your Linux server using the SSH protocol, but more on that in a bit.<br />
:'' Note: If you are enrolled in more than one class that is using Netlab you will be presented with a list of classes you are enrolled in. Click on your Linux System Administration course if you see this screen.<br />
: All of our lab work in this class is done in a single "Lab Environment" and your progress will be saved from one reservation to another. As a result there is only one lab listed in this course "Linux System Administration Labs". Click on this lab title.<br />
<li> Use the calendar to choose a date, time, and specific pod to reserve for your lab activity (when you will begin your Debian server installation).</li><br />
: The red line on this screen indicates the current time. If you want to get started right away you can click just below this line. Pay attention to the title of the column at the top, it will say something like "LSA Pod Z". The letter at the end of this pod name is your "pod letter" which you will use to set the host name and IP address of your machine in the future so make note of it.<br />
: You will be presented with a summary screen for your reservation where you can set the end time of your reservation (up to a maximum). It is suggested to make your reservation a couple hours long the first time you plan to install Debian, though you can extend it if needed. Click submit once you are ready to make the reservation.<br />
<li>You will see a confirmation screen that your reservation has been made.</li><br />
: You are now ready to progress on to the Debian Linux Installation (as long as your reservation is right away).<br />
</ol><br />
<br />
==Debian Linux Installation==<br />
'''''[https://www.youtube.com/watch?v=H0DcdEytpFQ&feature=youtu.be Video Tutorial - Debian Linux Installation]'''''<br />
<ol><br />
<li> Log in to the Netlab system</li><br />
: Access this using a web browser at https://ihcc-netlab.campus.ihitc.net if you are not already logged in.<br />
: If you have a currently active reservation you will see a green "Enter Lab" button on your list of reservations. Click the green "Enter Lab" button. If not, you will need to make a reservation (see above) and then click the "Enter Lab" button.<br />
: Your virtual machines (VMs) will automatically power on when your reservation begins and because there is no operating system currently installed to their virtual hard drives they will boot from their virtual CD/DVD drives which have been pre-loaded with the installation discs for Linux.<br />
<li> Access your virtual machine console</li><br />
: Once you are in your pod you can either click on the image of the "Linux Server" on the topology diagram or use the tabs across the top of your screen to access the console of your Linux Server VM.<br />
: The console shows the display of your VM and allows you to type and interact with your VM just as if you were physically sitting down in front of a server with a monitor, keyboard, and mouse attached. Just like a separate physical machine you will not be able to copy and paste text or drag and drop files in and out of this console window. We will use other utilities across the network connection to do those things just like we would with a physical server.<br />
<li>Learn to "Power Cycle" your virtual machine</li><br />
: By now your VM has likely already booted from its virtual CD/DVD drive and should be at the "Debian GNU/Linux installer menu". Before continuing let's practice rebooting your system so you can watch the system boot and see how to reboot the system if needed. Click the down arrow button on the right side of the "Linux Server" tab at the top of your screen and choose "Power Off" then click the red "Power Off" button on the popup to power off your VM. This is the equivalent of just pulling out the power cord, at least until we install the VMware Tools software which allows for a graceful shutdown, so you'll want to be careful to only do this if absolutely needed until then.<br />
<li>Power on your virtual machine</li><br />
: Click the down arrow button on the right side of the "Linux Server" tab at the top of your screen and choose "Power On", or press the blue "Power On" button in the middle of your screen, then press the green "Power On" button to boot your system.<br />
<li>Install Debian Linux</li><br />
: Once the system has rebooted and is back to the "Debian GNU/Linux installer menu" choose "Install" and '''not''' "Graphical Install". If you make an incorrect choice you can reboot your virtual machine (power off and on) before installing to get back to the menu.<br />
: In the installer you will use the space bar to select and unselect "checkboxes", the tab key to move between fields and buttons, and the enter key to continue. You will be prompted for the following choices<br />
* Select ''English'' as the language, ''United States'' as your location, and ''American English'' as the keymap.<br />
* Set ''ens192'' as your primary network interface.<br />
* Set a hostname for the system to 2480 followed by a dash and then your pod ID letter, like ''2480-Z'' for LSA Pod Z. If you have forgotten your pod ID letter look up at the top of your screen above the line with the "Topology" and "Linux Server" tabs and you should see a line with "LSA Pod" followed by a letter, that letter is your pod ID letter.<br />
:'' Note: These steps are critical to future success in labs, check your spelling carefully'' <br />
: [[File:Lab1_hostname.png|link=https://wiki.ihitc.net/mediawiki/images/5/57/Lab1_hostname.png|500px]]<br />
: [[Media:Lab1_hostname.png|Click here for a larger image]]<br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
: [[File:Lab1_domainname.png|link=https://wiki.ihitc.net/mediawiki/images/5/5a/Lab1_domainname.png|500px]]<br />
: [[Media:Lab1_domainname.png|Click here for a larger image]]<br />
* Set the root password to something you will NOT FORGET, this is the administrator account, ''cisco'' might be a good choice for our purposes though that would not be secure for a system directly accessible from the Internet (we are protected by a firewall which you are bypassing via the VPN connection)<br />
* Create a new user account by entering your name. The system will automatically use your first name (all lowercase) as the username and then you should set the password to another password you will not forget<br />
* Select your timezone<br />
* Choose "Guided - Use entire disk" as the partitioning method and select the ''sda'' drive and "All files in one partition" as the partitioning scheme, "Finish partitioning and write the changes to the disk", and then finally confirm you want to write the changes.<br />
* You do not want to scan any other CDs or DVDs at this time.<br />
* You want to select a mirror located close to you with good speed. Because your VM is actually running from the campus and is connected to the campus Internet connection a good option is "debian.uchicago.edu" with no http proxy.<br />
* Choose whether you want to participate in the package usage survey, for our purposes either choice is just fine.<br />
* On the software selection screen UNSELECT "Debian desktop environment" and "Print server" and make sure that "SSH server" and "Standard system utilities" are the only two selected options.<br />
:'' Note: To select and unselect options move your cursor over the option and press the space bar.<br />
* Choose that yes you want to install GRUB to the master boot record on the ''/dev/sda'' device.<br />
<li>Complete the installation</li><br />
: When the installation is complete you can select continue to "eject" the virtual CD and reboot into the new install<br />
</ol><br />
<br />
==Installing sudo and Checking Your IP Address==<br />
'''''[https://www.youtube.com/watch?v=TwXp5YfAvlw&feature=youtu.be Video Tutorial - Installing sudo and checking your IP address]'''''<br />
<ol><br />
<li>Log in to NetLab</li><br />
: Login through the Netlab local console with your root account and password (username ''root'', password as set during the installation)<br />
:'' Note: When entering a password on the command line of a Linux system it is normal that nothing should appear and the cursor will not move when you are typing. This prevents someone who is able to see your computer screen from seeing what your password is or even how long it is. Just type your password and trust that the system is receiving it, press enter to submit your password.<br />
<li>Install '''sudo''' from the command line using:<br />
: ''Note: A good practice is to refresh the package lists before installing any packages. Do this with '''apt update''', and prefix it with '''sudo''' when not logged in as root.<br />
: <code>apt update</code><br />
: <code>apt install sudo</code></li><br />
: For security purposes it is usually the case that you do not want to log in as the root user. Instead, best practice is to log in as a standard user and then execute specific commands that require root access with administrative privileges through the '''sudo''' program. The '''sudo''' program is not installed by default so after you have logged in to the root account enter '''apt update''' and press enter which will update the list of software available for installation and then '''apt install sudo''' and press enter to install the sudo software.<br />
<li>Add sudo privileges to our standard user account.<br />
<code>adduser <username> sudo</code></li><br />
: We now need to add our standard user account to the group which is allowed to have administrative access. To do this, enter the command '''sudo adduser ''<username>'' sudo''' and press enter, replacing ''<username>'' with the name of your standard user account (set during the setup process, probably your first name in lowercase). We'll learn more about these commands later in the course.<br />
<li>Reboot system</li><br />
<code>shutdown -r now</code><br />
: Reboot your system using the '''shutdown -r now''' command to apply the changes<br />
<li>Log in as your standard user account, determine system IP address.<br />
: Once you are logged in use the following command at the command line to determine the IP address of your system<br />
<code>ip address show</code></li><br />
: Using the '''ip address show''' command will allow you to check the IP address of your system. The IP address should be something like ''172.17.50.xxx'' and be an ''inet'' address on the ''ens192'' adapter.<br />
[[File:Lab1_ip_address_show2.PNG|500px]]<br />
<li>Test sudo privileges</li><br />
: Try running the same command as the administrator by typing '''sudo ip address show''', you will need to enter in your password again when you run this command.<br />
<code>sudo ip address show</code><br />
<li>Exit from the local console</li><br />
: To log out of the console type '''exit''' and press enter.<br />
</ol><br />
<br />
==Logging in to a Remote Terminal==<br />
'''''[https://www.youtube.com/watch?v=JEiDkrlPMNw&feature=youtu.be Video Tutorial - Logging into a remote terminal]'''''<br />
<br />
A faster way to interact with your system is not through the Netlab local console but through a remote SSH session over the network directly to your server. Once you have mastered this you will be able to copy and paste text to your Linux server and will not need to make a reservation in Netlab to work on labs. For our purposes you will always need to connect to the ITCnet VPN before doing this so that you have access to the 172.17.50.0 network.<br />
<ol><br />
<li>Install Putty</li><br />
: Assuming you are running Windows, install the PuTTY software on your home PC from [http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html this website].<br />
: '' Note: For other operating systems there are other ways and software you can use to make an SSH connection, you will need to research what tools are used for making SSH connections from your particular operating system.<br />
<li>Open an SSH session</li><br />
:* Run the PuTTY software on your computer and enter in the IP address of your VM in the "Host Name" box and click the "Open" button.<br />
:[[File:Lab1_putty.png|link=https://wiki.ihitc.net/mediawiki/images/f/f5/Lab1_putty.png|500px]]<br />
:[[Media:Lab1_putty.png| Click here for larger image]]<br />
:* Click Yes to save the host key on your system<br />
: [[File:Lab1_puttycert.png|link=https://wiki.ihitc.net/mediawiki/images/4/4b/Lab1_puttycert.png|500px]]<br />
: [[Media:Lab1_puttycert.png|Click here for larger image]]<br />
:* Enter the standard username and password for your Linux system to connect.<br />
: '' Note: You should receive a prompt just like the one you had on the Netlab local console but it is now a direct connection from your computer over the ITCnet to your server.<br />
<li>Close the SSH session</li><br />
: Type '''exit''' to close the connection while leaving your VM running.<br />
</ol><br />
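Saving the host key in step 2 is the moment you confirm that PuTTY is talking to your own server and not to another machine answering on that IP address. The following added example (not part of the original lab; the key bytes and the ''root@2480-Z'' comment are constructed sample values) computes the fingerprints of an OpenSSH public key line, such as the one in the Debian default file ''/etc/ssh/ssh_host_ed25519_key.pub'' read on the Netlab console, and compares them with the fingerprint text shown in the client's prompt.<br />

```python
import base64
import hashlib
import struct


def build_sample_pubkey_line(raw_key, comment="root@2480-Z"):
    """Build a CONSTRUCTED ssh-ed25519 public key line (not a real host key)."""
    ktype = b"ssh-ed25519"
    # SSH wire format: each field is a 4-byte big-endian length plus the data
    blob = (struct.pack(">I", len(ktype)) + ktype +
            struct.pack(">I", len(raw_key)) + raw_key)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


def parse_pubkey_line(line):
    """Return (key type, decoded key blob) for one line of a *.pub file."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not a public key line")
    declared_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (type_len,) = struct.unpack(">I", blob[:4])
    inner_type = blob[4:4 + type_len]
    # The blob carries its own copy of the key type; a mismatch means the
    # line was edited or pasted together from two different keys.
    if inner_type != declared_type.encode():
        raise ValueError("key type in blob does not match the line")
    return declared_type, blob


def fingerprints(line):
    """Compute the two fingerprint forms SSH clients display."""
    key_type, blob = parse_pubkey_line(line)
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5_hex = hashlib.md5(blob).hexdigest()
    md5 = ":".join(md5_hex[i:i + 2] for i in range(0, len(md5_hex), 2))
    return {"type": key_type, "sha256": "SHA256:" + sha, "md5": "MD5:" + md5}


def matches_prompt(pub_line, shown):
    """True if the fingerprint text from the client prompt matches the key.

    `shown` may be the whole prompt line (key type, size, fingerprint);
    only its last whitespace-separated token is compared.
    """
    fp = fingerprints(pub_line)
    tokens = shown.split()
    if not tokens:
        return False
    token = tokens[-1]
    if token.startswith("SHA256:"):
        # Base64 is case-sensitive, so compare exactly (padding aside)
        return token.rstrip("=") == fp["sha256"]
    token = token.lower()
    if token.startswith("md5:"):
        token = token[4:]
    return token == fp["md5"][4:]


# Constructed sample data: two different 32-byte "keys"
SAMPLE_LINE = build_sample_pubkey_line(bytes(range(32)))
OTHER_LINE = build_sample_pubkey_line(bytes(range(1, 33)))

if __name__ == "__main__":
    fp = fingerprints(SAMPLE_LINE)
    print(fp["type"], fp["sha256"])
    print(fp["type"], fp["md5"])
    print("prompt matches server key:", matches_prompt(SAMPLE_LINE, fp["sha256"]))
    print("prompt matches other key: ", matches_prompt(OTHER_LINE, fp["sha256"]))
```

On the server itself, <code>ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub</code> prints the same SHA256 value. If the fingerprint in the prompt does not match the one read on the console, do not save the key.<br />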
<br />
==Remote File Transfer==<br />
'''''[https://www.youtube.com/watch?v=JEiDkrlPMNw&feature=youtu.be Video Tutorial - Remote File Transfer]'''''<br />
<br />
The easiest way to transfer files to and from your VM is with SFTP software. For our purposes, you will always need to connect to the ITCnet VPN before doing this so that you have access to the 172.17.50.0 network.<br />
<ol><br />
<li>Install FileZilla</li><br />
: Install the FileZilla client software on your home PC from [https://filezilla-project.org/download.php?type=client this website]<br />
<li>Open a SFTP session to your server</li><br />
: Run FileZilla and use the Quick Connect bar at the top of the screen to access your system. <br />
:* Enter the IP address of your Linux system in the "Host:" box<br />
:* Enter your standard username and password in the appropriate boxes<br />
:* Enter ''22'' in the "Port:" box<br />
:* Click the "Quickconnect" button.<br />
: [[File:Lab1_filezillanew.png|link=https://wiki.ihitc.net/mediawiki/images/b/b1/Lab1_filezillanew.png|500px]]<br />
: [[Media:Lab1_filezillanew.png|Click here for larger image]]<br />
: You should see some connection text scroll on the top of the screen and some files on the right side of the screen now such as ''.bashrc'' and ''.profile'' The right side of the screen is the drive on your Linux system and the left side of the screen is the drive on your home system. Files and folders can be dragged between the two sides to transfer them back and forth.<br />
: [[File:Lab1_filezillaconnected.png|link=https://wiki.ihitc.net/mediawiki/images/c/ca/Lab1_filezillaconnected.png|500px]]<br />
: [[Media:Lab1_filezillaconnected.png|Click here for larger image]]<br />
<li>Close the FileZilla software to disconnect.</li><br />
</ol><br />
<br />
==Install VM Tools==<br />
'''''[https://www.youtube.com/watch?v=gLC1liwVJ8s&feature=youtu.be Video Tutorial - Install VM Tools]'''''<br />
: Because your Debian Linux server is running as a virtual machine on a VMware host system, we should install the VMware Tools software package in your virtual machine to achieve the best performance and driver integration.<br />
<ol><br />
<li>Open a SSH session to your server</li><br />
: Connect into your system using the remote SSH console method explained above.<br />
<li>Install '''open-vm-tools'''</li><br />
: Run the '''sudo apt install open-vm-tools''' command to install the VMware Tools. You will be prompted about several additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
<code>sudo apt install open-vm-tools</code><br />
</ol><br />
<br />
==Install Python==<br />
In order to check your work in the labs of this course you will need to have an application called [https://www.python.org/ Python] installed on your Linux system.<br />
<ol><br />
<li> Download ''python3'' using '''apt'''</li><br />
* When prompted type Y to install the app and its dependencies<br />
<ul>''NOTE: This may take a while.''</ul><br />
* When prompted to specify the name of the host where the TANGO database server is running, just select ok.<br />
<ul> [[File:Python_tango.png|link=https://wiki.ihitc.net/mediawiki/images/4/4c/Python_tango.png|500px]]</ul><br />
<ul> [[Media:Python_tango.png | Click for Larger Image]]</ul><br />
<li> Run the following command to verify that python version 3.6 is installed.</li><br />
<code>python3 --version</code><br />
<ul> [[File:Python_version.png|link=https://wiki.ihitc.net/mediawiki/images/7/70/Python_version.png|500px]]</ul><br />
<ul> [[Media:Python_version.png | Click for Larger Image]]</ul><br />
</ol><br />
<br />
==Install Nmap==<br />
:Nmap is a tool we will learn more about later in the course but it will likely be used to check many of the labs for completion while working through the course. This course's labwork often builds upon the work you have done in previous labs. The self-check scripts are to assist you in ensuring you have not missed any ''critical'' steps in your work that would affect your success in subsequent labs.<br />
<br />
:* ''NOTE: Before we begin the installation of this tool it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning systems which they were not authorized to scan. You have been warned!<br />
:*At this time all you will be doing is installing the tool as it will be used to self-check your lab work to verify you are ready to move on to the next lab.<br />
<ol><br />
<li>Open a SSH session to your server</li><br />
: Run the following command at the command line.<br />
<pre>sudo apt install nmap</pre><br />
: Run the '''sudo apt install nmap''' command to install the nmap tool. You will be prompted about additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
</ol><br />
<br />
==Install curl==<br />
:Curl is a tool for transferring data from URLs. In this course it lets you run the check scripts, which are not saved to your virtual machine, and it will be used to check the labs for completion while working through the course. <br />
<ol><br />
: Run the following command at the command line.<br />
<code>sudo apt install curl</code><br />
: If prompted to install additional packages type "y"<br />
<br />
<li>Close the SSH session</li><br />
: Type '''exit''' to close the connection while leaving your VM running.<br />
</ol><br />
<br />
==Safely Shutdown==<br />
'''''[https://www.youtube.com/watch?v=gLC1liwVJ8s&feature=youtu.be Video Tutorial - Safely Shutdown]'''''<br />
:We will normally leave our VM running but it is important that you know how to shut down a Linux system correctly so this time we'll turn it off.<br />
<ol><br />
<li>Open a SSH session to your server</li><br />
: Connect in to your system using the remote SSH console method explained above.<br />
<li> Safely shut down your server</li><br />
:* Run the '''sudo shutdown -h now''' command at the command line to safely shut down the system.<br />
<code>sudo shutdown -h now</code><br />
: You should soon get a message that PuTTY has lost its connection. Click OK and then you can close the PuTTY window.<br />
<li>End NetLab Reservation</li><br />
: If you still have time left in your reservation in Netlab it's polite to end the reservation so other users can work on the system, only a limited number of reservations can be made at one time. You can do this by logging into Netlab, opening your lab, and clicking the "Reservation" menu at the top of the screen and choose to "End Reservation Now" followed by confirming that you want to end the reservation.<br />
</ol><br />
<br />
=Checking your Work=<br />
<ol><br />
<li> Testing your work goes here</li><br />
<code> Commands to use</code><br />
<ul> Description of what you should see</ul><br />
</ol></div>NateHaleenhttps://wiki.ihitc.net/mediawiki/index.php?title=Lab_1_mnjk&diff=9516Lab 1 mnjk2021-02-19T22:04:08Z<p>NateHaleen: /* Install Python */</p>
<hr />
<div>=Introduction=<br />
:In this lab you will perform the following tasks:<br />
*Access NetLab to access the environment for your virtual machine<br />
*Install the latest version of Debian Linux in a virtual machine<br />
*Learn how to login and check the IP address of the system<br />
*Learn to remotely access the system with SSH and SFTP.<br />
<br />
You will be introduced to the following commands:<br />
<br />
*'''[https://linux.die.net/man/8/apt apt]'''<br />
*'''[https://linux.die.net/man/8/sudo sudo]'''<br />
*'''[https://linux.die.net/man/8/useradd adduser]'''<br />
*'''[https://linux.die.net/man/8/shutdown shutdown]'''<br />
*'''[https://linux.die.net/man/8/ip ip address show]'''<br />
<br />
=Lab Procedure=<br />
==Netlab Access==<br />
'''''[https://www.youtube.com/watch?v=-hLejbDfPGM&feature=youtu.be Video Tutorial - NetLab Access]'''''<br />
<ol><br />
<li> Connect to the ITCnet </li> <br />
: This can be accomplished by directly plugging into an ITCnet port in one of the ITC labs or by connecting to the [[ITC_VPN_Instructions|VPN]].<br />
:'' Note: If you want to connect using a wireless connection on campus you need to [[Connecting to Eduroam|connect to the eduroam network]] before connecting to the VPN.<br />
<li> After you are connected to ITCnet (by VPN or wired connection) you simply need to open a web browser and access https://ihcc-netlab.campus.ihitc.net</li><br />
* The first time you visit this site in a browser you may need to accept a self-signed security certificate<br />
* You will need to log in with a username and password established by your instructor.<br />
* The first time you log in you will need to change your password and set your timezone. Make sure your timezone is set correctly so you can schedule reservations to work with equipment at convenient times.<br />
<li> Once you are logged in click the blue "New Lab Reservation" button</li><br />
: Next, in the lower left corner of the screen, select "Schedule a Lab for Myself". Reservations are used to hold a place on the Netlab system to work on labs during a specific time. You only need reservations in this class when working with the GUI, which will come later in the class, if you need to turn the power back on to your VM, or during the installation process. The rest of the time you will be able to connect directly to your Linux server using the SSH protocol, but more on that in a bit.<br />
:'' Note: If you are enrolled in more than one class that is using Netlab you will be presented with a list of classes you are enrolled in. Click on your Linux System Administration course if you see this screen.<br />
: All of our lab work in this class is done in a single "Lab Environment" and your progress will be saved from one reservation to another. As a result there is only one lab listed in this course "Linux System Administration Labs". Click on this lab title.<br />
<li> Use the calendar to choose a date, time, and specific pod to reserve for your lab activity (when you will begin your Debian server installation).</li><br />
: The red line on this screen indicates the current time. If you want to get started right away you can click just below this line. Pay attention to the title of the column at the top, it will say something like "LSA Pod Z". The letter at the end of this pod name is your "pod letter" which you will use to set the host name and IP address of your machine in the future so make note of it.<br />
: You will be presented with a summary screen for your reservation where you can set the end time of your reservation (up to a maximum). It is suggested to make your reservation a couple hours long the first time you plan to install Debian, though you can extend it if needed. Click submit once you are ready to make the reservation.<br />
<li>You will see a confirmation screen that your reservation has been made.</li><br />
: You are now ready to progress on to the Debian Linux Installation (as long as your reservation is right away).<br />
</ol><br />
<br />
==Debian Linux Installation==<br />
'''''[https://www.youtube.com/watch?v=H0DcdEytpFQ&feature=youtu.be Video Tutorial - Debian Linux Installation]'''''<br />
<ol><br />
<li> Log in to the Netlab system</li><br />
: Access this using a web browser at https://ihcc-netlab.campus.ihitc.net if you are not already logged in.<br />
: If you have a currently active reservation you will see a green "Enter Lab" button on your list of reservations. Click the green "Enter Lab" button. If not, you will need to make a reservation (see above) and then click the "Enter Lab" button.<br />
: Your virtual machines (VMs) will automatically power on when your reservation begins and because there is no operating system currently installed to their virtual hard drives they will boot from their virtual CD/DVD drives which have been pre-loaded with the installation discs for Linux.<br />
<li> Access your virtual machine console</li><br />
: Once you are in your pod you can either click on the image of the "Linux Server" on the topology diagram or use the tabs across the top of your screen to access the console of your Linux Server VM.<br />
: The console shows the display of your VM and allows you to type and interact with your VM just as if you were physically sitting down in front of a server with a monitor, keyboard, and mouse attached. Just like a separate physical machine you will not be able to copy and paste text or drag and drop files in and out of this console window. We will use other utilities across the network connection to do those things just like we would with a physical server.<br />
<li>Learn to "Power Cycle" your virtual machine</li><br />
: By now your VM has likely already booted from its virtual CD/DVD drive and should be at the "Debian GNU/Linux installer menu". Before continuing let's practice rebooting your system so you can watch the system boot and see how to reboot the system if needed. Click the down arrow button on the right side of the "Linux Server" tab at the top of your screen and choose "Power Off" then click the red "Power Off" button on the popup to power off your VM. This is the equivalent of just pulling out the power cord, at least until we install the VMware Tools software which allows for a graceful shutdown, so you'll want to be careful to only do this if absolutely needed until then.<br />
<li>Power on your virtual machine</li><br />
: Click the down arrow button on the right side of the "Linux Server" tab at the top of your screen and choose "Power On", or press the blue "Power On" button in the middle of your screen, then press the green "Power On" button to boot your system.<br />
<li>Install Debian Linux</li><br />
: Once the system has rebooted and is back to the "Debian GNU/Linux installer menu" choose "Install" and '''not''' "Graphical Install". If you make an incorrect choice you can reboot your virtual machine (power off and on) before installing to get back to the menu.<br />
: In the installer you will use the space bar to select and unselect "checkboxes", the tab key to move between fields and buttons, and the enter key to continue. You will be prompted for the following choices<br />
* Select ''English'' as the language, ''United States'' as your location, and ''American English'' as the keymap.<br />
* Set ''ens192'' as your primary network interface.<br />
* Set a hostname for the system to 2480 followed by a dash and then your pod ID letter, like ''2480-Z'' for LSA Pod Z. If you have forgotten your pod ID letter look up at the top of your screen above the line with the "Topology" and "Linux Server" tabs and you should see a line with "LSA Pod" followed by a letter, that letter is your pod ID letter.<br />
:'' Note: These steps are critical to future success in labs, check your spelling carefully'' <br />
: [[File:Lab1_hostname.png|link=https://wiki.ihitc.net/mediawiki/images/5/57/Lab1_hostname.png|500px]]<br />
: [[Media:Lab1_hostname.png|Click here for a larger image]]<br />
* Set the domain name to ''itc2480.campus.ihitc.net''<br />
: [[File:Lab1_domainname.png|link=https://wiki.ihitc.net/mediawiki/images/5/5a/Lab1_domainname.png|500px]]<br />
: [[Media:Lab1_domainname.png|Click here for a larger image]]<br />
* Set the root password to something you will NOT FORGET, this is the administrator account, ''cisco'' might be a good choice for our purposes though that would not be secure for a system directly accessible from the Internet (we are protected by a firewall which you are bypassing via the VPN connection)<br />
* Create a new user account by entering your name. The system will automatically use your first name (all lowercase) as the username and then you should set the password to another password you will not forget<br />
* Select your timezone<br />
* Choose "Guided - Use entire disk" as the partitioning method and select the ''sda'' drive and "All files in one partition" as the partitioning scheme, "Finish partitioning and write the changes to the disk", and then finally confirm you want to write the changes.<br />
* You do not want to scan any other CDs or DVDs at this time.<br />
* You want to select a mirror located close to you with good speed. Because your VM is actually running from the campus and is connected to the campus Internet connection a good option is "debian.uchicago.edu" with no http proxy.<br />
* Choose whether you want to participate in the package usage survey, for our purposes either choice is just fine.<br />
* On the software selection screen UNSELECT "Debian desktop environment" and "Print server" and make sure that "SSH server" and "Standard system utilities" are the only two selected options.<br />
:'' Note: To select and unselect options move your cursor over the option and press the space bar.<br />
* Choose that yes you want to install GRUB to the master boot record on the ''/dev/sda'' device.<br />
<li>Complete the installation</li><br />
: When the installation is complete you can select continue to "eject" the virtual CD and reboot into the new install<br />
</ol><br />
<br />
==Installing sudo and Checking Your IP Address==<br />
'''''[https://www.youtube.com/watch?v=TwXp5YfAvlw&feature=youtu.be Video Tutorial - Installing sudo and checking your IP address]'''''<br />
<ol><br />
<li>Log in to NetLab</li><br />
: Login through the Netlab local console with your root account and password (username ''root'', password as set during the installation)<br />
:'' Note: When entering a password on the command line of a Linux system it is normal that nothing should appear and the cursor will not move when you are typing. This prevents someone who is able to see your computer screen from seeing what your password is or even how long it is. Just type your password and trust that the system is receiving it, press enter to submit your password.<br />
<li>Install '''sudo''' from the command line using:<br />
: ''Note: A good practice is to refresh the package lists before installing any packages. Do this with '''apt update''', and prefix it with '''sudo''' when not logged in as root.<br />
: <code>apt update</code><br />
: <code>apt install sudo</code></li><br />
: For security purposes it is usually the case that you do not want to log in as the root user. Instead, best practice is to log in as a standard user and then execute specific commands that require root access with administrative privileges through the '''sudo''' program. The '''sudo''' program is not installed by default so after you have logged in to the root account enter '''apt update''' and press enter which will update the list of software available for installation and then '''apt install sudo''' and press enter to install the sudo software.<br />
<li>Add sudo privileges to our standard user account.<br />
<code>adduser <username> sudo</code></li><br />
: We now need to add our standard user account to the group which is allowed to have administrative access. To do this, enter the command '''sudo adduser ''<username>'' sudo''' and press enter, replacing ''<username>'' with the name of your standard user account (set during the setup process, probably your first name in lowercase). We'll learn more about these commands later in the course.<br />
<li>Reboot system</li><br />
<code>shutdown -r now</code><br />
: Reboot your system using the '''shutdown -r now''' command to apply the changes<br />
<li>Log in as your standard user account, determine system IP address.<br />
: Once you are logged in use the following command at the command line to determine the IP address of your system<br />
<code>ip address show</code></li><br />
: Using the '''ip address show''' command will allow you to check the IP address of your system. The IP address should be something like ''172.17.50.xxx'' and be an ''inet'' address on the ''ens192'' adapter.<br />
[[File:Lab1_ip_address_show2.PNG|500px]]<br />
<li>Test sudo privileges</li><br />
: Try running the same command as the administrator by typing '''sudo ip address show'''. You will need to enter your password again when you run this command.<br />
<code>sudo ip address show</code><br />
<li>Exit from the local console</li><br />
: To log out of the console type '''exit''' and press enter.<br />
</ol><br />
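The checks this section walks through (not working as root, membership of the ''sudo'' group, and an ''ens192'' address of the form 172.17.50.xxx) can be scripted. The following is an added example, not one of the course's self-check scripts; the function names, the user ''alice'' and the sample command output are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks for the sudo and IP address steps of this lab.
# The functions read command output as text, so they can be tried on the
# constructed samples below before being pointed at a live system.

# user_in_group USER GROUP: reads `getent group` lines on stdin
# (name:passwd:gid:member1,member2); succeeds if USER is a member of GROUP.
user_in_group() {
    awk -F: -v user="$1" -v group="$2" '
        $1 == group {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) if (members[i] == user) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# iface_ipv4 IFACE: reads `ip -o -4 address show` output on stdin and
# prints the IPv4 address bound to IFACE, without the /prefix length.
iface_ipv4() {
    awk -v ifc="$1" '$2 == ifc && $3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }'
}

# in_lab_network ADDR: succeeds only for 172.17.50.N with N in 0..255.
in_lab_network() {
    case $1 in 172.17.50.*) ;; *) return 1 ;; esac
    last=${1#172.17.50.}
    case $last in ''|*[!0-9]*) return 1 ;; esac
    [ "$last" -le 255 ]
}

# check_lab_setup USER GROUP_TEXT IP_TEXT: returns the number of failed checks.
check_lab_setup() {
    user=$1 grp=$2 addrs=$3 fails=0
    [ "$user" != root ] || { echo "FAIL: logged in as root"; fails=$((fails + 1)); }
    printf '%s\n' "$grp" | user_in_group "$user" sudo ||
        { echo "FAIL: $user is not in the sudo group"; fails=$((fails + 1)); }
    addr=$(printf '%s\n' "$addrs" | iface_ipv4 ens192)
    in_lab_network "$addr" ||
        { echo "FAIL: ens192 address '$addr' is not 172.17.50.xxx"; fails=$((fails + 1)); }
    [ "$fails" -ne 0 ] || echo "PASS: $user has sudo, ens192 is $addr"
    return "$fails"
}

# Constructed sample output (hypothetical user alice), not from a real system.
SAMPLE_GROUP='sudo:x:27:alice'
SAMPLE_IP='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: ens192    inet 172.17.50.23/24 brd 172.17.50.255 scope global ens192\       valid_lft forever preferred_lft forever'
check_lab_setup alice "$SAMPLE_GROUP" "$SAMPLE_IP"
# Live: check_lab_setup "$(id -un)" "$(getent group sudo)" "$(ip -o -4 address show)"
```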
<br />
==Logging in to a Remote Terminal==<br />
'''''[https://www.youtube.com/watch?v=JEiDkrlPMNw&feature=youtu.be Video Tutorial - Logging into a remote terminal]'''''<br />
<br />
A faster way to interact with your system is not through the Netlab local console but through a remote SSH session over the network directly to your server. Once you have mastered this you will be able to copy and paste text to your Linux server and will not need to make a reservation in Netlab to work on labs. For our purposes you will always need to connect to the ITCnet VPN before doing this so that you have access to the 172.17.50.0 network.<br />
<ol><br />
<li>Install PuTTY</li><br />
: Assuming you are running Windows, install the PuTTY software on your home PC from [http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html this website].<br />
: '' Note: For other operating systems there are other ways and software you can use to make an SSH connection, you will need to research what tools are used for making SSH connections from your particular operating system.<br />
<li>Open an SSH session</li><br />
:* Run the PuTTY software on your computer and enter in the IP address of your VM in the "Host Name" box and click the "Open" button.<br />
:[[File:Lab1_putty.png|link=https://wiki.ihitc.net/mediawiki/images/f/f5/Lab1_putty.png|500px]]<br />
:[[Media:Lab1_putty.png| Click here for larger image]]<br />
:* Click Yes to save the server's host key on your system, so that PuTTY can recognize the server on later connections<br />
: [[File:Lab1_puttycert.png|link=https://wiki.ihitc.net/mediawiki/images/4/4b/Lab1_puttycert.png|500px]]<br />
: [[Media:Lab1_puttycert.png|Click here for larger image]]<br />
:* Enter the standard username and password for your Linux system to connect.<br />
: '' Note: You should receive a prompt just like the one you had on the Netlab local console but it is now a direct connection from your computer over the ITCnet to your server.<br />
<li>Close the SSH session</li><br />
: Type '''exit''' to close the connection while leaving your VM running.<br />
</ol><br />
<br />
==Remote File Transfer==<br />
'''''[https://www.youtube.com/watch?v=JEiDkrlPMNw&feature=youtu.be Video Tutorial - Remote File Transfer]'''''<br />
<br />
The easiest way to transfer files to and from your VM is with SFTP software. For our purposes, you will always need to connect to the ITCnet VPN before doing this so that you have access to the 172.17.50.0 network.<br />
<ol><br />
<li>Install FileZilla</li><br />
: Install the FileZilla client software on your home PC from [https://filezilla-project.org/download.php?type=client this website]<br />
<li>Open an SFTP session to your server</li><br />
: Run FileZilla and use the Quick Connect bar at the top of the screen to access your system. <br />
:* Enter the IP address of your Linux system in the "Host:" box<br />
:* Enter your standard username and password in the appropriate boxes<br />
:* Enter ''22'' in the "Port:" box<br />
:* Click the "Quickconnect" button.<br />
: [[File:Lab1_filezillanew.png|link=https://wiki.ihitc.net/mediawiki/images/b/b1/Lab1_filezillanew.png|500px]]<br />
: [[Media:Lab1_filezillanew.png|Click here for larger image]]<br />
: You should see some connection text scroll on the top of the screen and some files on the right side of the screen now such as ''.bashrc'' and ''.profile''. The right side of the screen is the drive on your Linux system and the left side of the screen is the drive on your home system. Files and folders can be dragged between the two sides to transfer them back and forth.<br />
: [[File:Lab1_filezillaconnected.png|link=https://wiki.ihitc.net/mediawiki/images/c/ca/Lab1_filezillaconnected.png|500px]]<br />
: [[Media:Lab1_filezillaconnected.png|Click here for larger image]]<br />
<li>Close the FileZilla software to disconnect.</li><br />
</ol><br />
<br />
==Install VM Tools==<br />
'''''[https://www.youtube.com/watch?v=gLC1liwVJ8s&feature=youtu.be Video Tutorial - Install VM Tools]'''''<br />
: Because your Debian Linux server is running as a virtual machine on a VMware host system, we should install the VMware Tools software package in your virtual machine to achieve the best performance and driver integration.<br />
<ol><br />
<li>Open an SSH session to your server</li><br />
: Connect into your system using the remote SSH console method explained above.<br />
<li>Install '''open-vm-tools'''</li><br />
: Run the '''sudo apt install open-vm-tools''' command to install the VMware Tools. You will be prompted about several additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
<code>sudo apt install open-vm-tools</code><br />
</ol><br />
<br />
==Install Python==<br />
In order to check your work in the labs of this course you will need to have an application called [https://www.python.org/ Python] installed on your Linux system.<br />
<ol><br />
<li> Download ''python3'' using '''apt'''</li><br />
* When prompted type Y to install the app and its dependencies<br />
<ul>''NOTE: This may take a while.''</ul><br />
* When prompted to specify the name of the host where the TANGO database server is running, just select ok.<br />
<ul> [[File:Python_tango.png|link=https://wiki.ihitc.net/mediawiki/images/4/4c/Python_tango.png|500px]]</ul><br />
<ul> [[Media:Python_tango.png | Click for Larger Image]]</ul><br />
<li> Run the following command to verify that python version 3.6 is installed.</li><br />
<code>python3 --version</code><br />
<ul> [[File:Python_version.png|link=https://wiki.ihitc.net/mediawiki/images/7/70/Python_version.png|500px]]</ul><br />
<ul> [[Media:Python_version.png | Click for Larger Image]]</ul><br />
</ol><br />
<br />
==Install Nmap==<br />
:Nmap is a tool we will learn more about later in the course but it will likely be used to check many of the labs for completion while working through the course. This course's labwork often builds upon the work you have done in previous labs. The self-check scripts are to assist you in ensuring you have not missed any ''critical'' steps in your work that would affect your success in subsequent labs.<br />
<br />
:* ''NOTE: Before we begin the installation of this tool it is important to remember that scanning a system is often seen as an attack against that system. It should not be done unless you are the administrator of both the system you are scanning from and the system you are scanning, or you have the explicit permission of the system administrators of those systems! In some areas people have been legally charged and prosecuted for scanning systems they were not authorized to scan. You have been warned!<br />
:*At this time all you will be doing is installing the tool as it will be used to self-check your lab work to verify you are ready to move on to the next lab.<br />
<ol><br />
<li>Open an SSH session to your server</li><br />
: Run the following command at the command line.<br />
<pre>sudo apt install nmap</pre><br />
: Run the '''sudo apt install nmap''' command to install the nmap tool. You will be prompted about additional software packages required to be installed, type '''y''' and press enter to install the software.<br />
<br />
<li>Close the SSH session</li><br />
: Type '''exit''' to close the connection while leaving your VM running.<br />
</ol><br />
<br />
==Safely Shutdown==<br />
'''''[https://www.youtube.com/watch?v=gLC1liwVJ8s&feature=youtu.be Video Tutorial - Safely Shutdown]'''''<br />
:We will normally leave our VM running but it is important that you know how to shut down a Linux system correctly so this time we'll turn it off.<br />
<ol><br />
<li>Open an SSH session to your server</li><br />
: Connect in to your system using the remote SSH console method explained above.<br />
<li> Safely shut down your server</li><br />
:* Run '''sudo shutdown -h now''' at the command line to safely shut down the system.<br />
<code>sudo shutdown -h now</code><br />
: You should soon get a message that PuTTY has lost its connection. Click OK and then you can close the PuTTY window.<br />
<li>End NetLab Reservation</li><br />
: If you still have time left in your reservation in Netlab it's polite to end the reservation so other users can work on the system, because only a limited number of reservations can be made at one time. You can do this by logging into Netlab, opening your lab, clicking the "Reservation" menu at the top of the screen, and choosing "End Reservation Now", followed by confirming that you want to end the reservation.<br />
</ol><br />
<br />
=Checking your Work=<br />
<ol><br />
<li> Testing your work goes here</li><br />
<code> Commands to use</code><br />
<ul> Description of what you should see</ul><br />
</ol></div>NateHaleen