NETW240 Week 5 Lab: Secure FTP and Secure Shell (SSH)

Lab ScenarioAssignment Learn about secure ftp, secure shell (SSH), and secure copy (SCP).

Story On host11, you will configure a secure ftp server and set its security policies, start the SSH daemon, and use the SSH and SCP client tools. Near the end, you will log into host12 and ftp into your host11 ftp server.

Conditions You have remote access to host11 and host12; host12 is already configured and there is nothing for you to do to it. Both host11 and host12 use DHCP on their first interface (eth0). This interface is used by the lab environment and should not be modified. Both host11 and host 12 are unable to communicate over this interface. Virtual machine Login Information:Username: vlab Password: password

Lab Diagram

During your session you will have access to the following lab configuration.

Connecting to your lab

In this module you will be working on the following equipment to carry out the steps defined in each exercise.

1

WINCONSOLE (Management Server)

HOST11 (Linux Server)

HOST12 (Linux Server)

Each exercise will detail which console you are required to work on to carry out the steps.

To start simply click on the named Server from the device list (located on the left hand side of the screen) and click the Power on from the in tools bar. In some cases the devices may power on automatically.

During the boot up process an activity indicator will be displayed in the name tab:

Black - Powered Off

Orange - Working on your request

Green - Ready to access

If the remote console is not displayed automatically in the main window (or popup) click the Connect icon located in the tools bar to start your session.

If the remote console does not appear please try the following option:

Switch between the HTML 5 and Java client versions in the tools bar.

In the event this does not resolve your connectivity problems please visit our Help / Support pages for additional resolution options.

Suggested ApproachThe following is a list of high-level steps needed to complete this lab.

Update /etc/hosts to identify local (host11) and remote (host12) hosts and servers. Identify critical system files for configuring and displaying site messages. Install and configure a secure ftp server. Perform a secure telnet session to an nfs server. Fill out and turn in your Lab Report document.

Task 1 Read the background information here2

Step 1: Background Information

Action We will continue to learn to install and configure TCP/IP-dependent servers. Each server allows local, remote, and guest user access. It is our responsibility as system administrators to safeguard our system's resources and information. A legal statement should be displayed to users accessing the system. Legal messages should be approved by your organization's legal department. An example of a warning message follows:

Warning: You are accessing a secure site and confidential information. Access is restricted to authorized persons ONLY. Unauthorized access or use is not permitted and constitutes a crime punishable by law. Violators will be prosecuted.

Warning messages should be displayed before a user logs into the system. We will learn to add warning messages in today's lab. This is only one part of an effective security policy.

File Transfer Protocol File transfer protocol (FTP) is a TCP/IP application designed to transfer files across a network from one host to another. The first implementation of FTP was in 1971 for minicomputers and mainframes running the UNIX operating system. FTP works on the client/server model by allowing remote clients to move up and down a server's directory structure to find and download files of interest. Today, WWW search engines find files on Internet servers running FTP. By clicking on a link, we are actually using FTP to transfer files to our computer. Any Linux system can operate as an ftp server by running the ftp daemon. A special user account in /etc/passwd will allow remote users to log in as anonymous. The password for anonymous is the remote user's e-mail address. A major disadvantage of FTP is the fact that it does not encrypt an authorized user's name and password, leaving it open to sniffer capture and unauthorized use. To prevent this from occurring, we will be installing a version of FTP named Very Secure FTP (vsFTP).

As a Linux system administrator, it is your responsibility to set up FTP directories so that files people need are accessible without compromising the security on the rest of your system.

ResultYou have been given some background on the use of legal statements through warnings to users accessing remote systems. You have also been given some very high-level information on the FTP.

Note about text editors in SkillSoft: All text editor tasks in this lab are shown using the

3

nano text editor but you are also free to use the vi text editor as an option if you know the more complex command hierarchy. If you are using nano as your text editor and Internet Explorer or Chrome as your browser, you cannot use <Ctrl>O to save your file. This hot key is used by IE and Chrome to open files. You will have to exit and save as follows: press <Ctrl>X (exit), and at the Save Modified Buffer prompt, press Y and then Enter. This will save the file and exit the text editor. Mozilla Firefox does not have this issue with <Ctrl>O.

Task 2 Open a Terminal and become the superuser

Step 1: Log in to host11

Action

Ensure you have powered on the required devices and click WINCONSOLE.

You will be logged into the WINCONSOLE and should now see the desktop. Double-click TigerVNC.

Enter host11:1 if already not entered in the VNC server text box.

Click Connect.

Enter password in the Password text box. Click Ok, Fedora desktop is now displayed and you are now logged on as vlab user.

Step 2: Open a Terminal and logon as root

Action Menu::Application->System Tools->Terminal

Step 3: Become the superuser (root)

ActionUsing the switch user command, switch from casual user mode to the superuser mode. Remember to use the dash (-) option after keying in the su command and before hitting the Enter key. The root password is password.

Result You will have become root and your command prompt will now be shown as

[root@host11~]#.

Task 3 Update /etc/hosts

4

Step 1: Add host11 and host12 to /etc/hosts Action Open /etc/hosts in nano (or vi if you prefer) and add the lines below.

192.168.240.11 host11.linux.net host11192.168.240.12 host12.linux.net host12

Save the /etc/hosts file changes and exit nano (or vi).

Step 2: Verify that you can now ping your own host11 PC and the host12 PC using the hostnames. Use the –c 3 switch to limit the ping to three echo responses.Action

Explanation Linux PCs use the /etc/hosts file before using DNS to resolve hostnames to IP addresses.

5

Task 4 Configure the ftp server

Step 1: ftp user in /etc/passwd

Action Verify that the ftp user account is listed in /etc/passwd. This user account assigns anonymous (or guest) FTP users to user ID 14 and group ID 50. This restricts their permissions and their ability to "cd" out of the ftp directory. grep ftp /etc/passwd

Result The following entry should be displayed: ftp:x:14:50:ftp user:/var/ftp:/sbin/nologin.

Note: Users who are classified as "real users" already have a legitimate user account on an ftp server. These users can log into the ftp site using their assigned user name and password.

Step 2: Verify and/or install vsFTP package

Action Verify whether the vsFTP package is installed by trying to restart its service vsftpd. If the vsftpd package is not installed, the vsftpd service will be unrecognized.

If the vsFTP package is not installed, cd to the /home/vlab (if you are not in that directory) and list the files with the ls command.

Use the rpm -ivh vsftpd-2.3.4-1.fc13.i686.rpm command to install it. Press Tab after you have typed vsftpd- to complete the rest of the rpm file name.

6

Result vsFTP is now installed.Step 3: Configure vsftp

Action Use the check configuration (chkconfig) command to enable error checking for the vsftpd configuration file.

Note: chkconfig can be used with many services such as dhcpd and smb to provide error checking of service configuration files. If the service fails to start, chkconfig causes a message to be displayed indicating where the the error was detected in the service configuration file.

Start the vsFTP service with the command service vsftpd start.

After the service starts successfully, ftp to your Linux PC with one of the following commands. When you make the FTP connection, log in with the username anonymous. You can press Enter when prompted for the anonymous password.

ftp localhostftp 127.0.0.1ftp host11ftp 192.168.240.11

Note: Localhost resolves to the 127.0.0.1 loopback address and host11 resolves to the eth1 address configured on this computer. The loopback address is a convenient way to test local services on computers.

7

After successfully logging in, execute the ls command. Note that you see a single directory name pub. This is the only directory an anonymous user will have access to. The actual path of the pub directory on your computer is /var/ftp/pub.

Type ? or help and press Enter. Listed are the available FTP commands. Other than the standard navigation and file commands (cd, lcd, pwd, ls, rm, rmdir), the most commonly used FTP commands are get and mget for downloading single or multiple files, put and mput for uploading single and multiple files, binary or ascii to specify the file format, and prompt to turn off or turn on interactive prompting.

Exit the ftp connection by entering the bye, quit or exit commands.

Result vsftp was started and you verified its operation on your computer.

Step 4: Adding a warning message to ftp clients

Action In the previous step, remember that we did not see a warning message to alert users that unauthorized activity on our ftp site is illegal. To display a message, use nano (or vi) to edit or create the file /var/ftp/.message. Note the (.) prefix for message, files, and directories that begin with (.) are hidden from a standard ls command.

Type in the warning message in the nano (or vi) text editor and save the file.

8

To test your message, log into the ftp site as anonymous again. You should see your message after entering a password. Exit the FTP connection after seeing your warning message.

Capture the SkillSoft desktop showing this warning message displayed when you logged into your vsFTP server. Paste this image into the text box provided in your Lab Report document.

Note: Under U.S. federal Law, a company is responsible for all content posted on its ftp or website.

9

Result A prelogin warning message has been added to the ftp service on host11.

Step 5: Examine vsftpd.conf, user_list, and ftpusers configuration files

Action A file named "vsftpd.conf" is located in the "/etc/vsftpd" directory. Use the cat command to view the contents of this configuration file. Pipe (|) the output of the cat command to less so you can browse through the configuration file.

cat /etc/vsftpd/vsftpd.conf | less

Notice that its parameters can be uncommented to activate certain services.

Two more files, user_list and ftpusers, can be used to restrict specific users from accessing the vsftp site. Use the cat command ( and less command) to view the content and makeup of these files.

cat /etc/vsftpd/user_list | lesscat /etc/vsftpd/ftpusers | less

Result You have examined the vsftp configuration files.

Step 6: Configure TCP Wrappers for ftp access

Action TCP Wrappers is a Linux/UNIX security mechanism that will deny or allow access to TCP services. We can prevent unauthorized access to our vsftp server using TCP Wrappers. TCP Wrappers consists of two files located in the /etc directory. The hosts.deny file prevents certain users from accessing TCP services while the hosts.allow authorizes users to access TCP services.

Use the nano (or vi) test editor to add an implicit deny statement to the hosts.deny file. After modifying the hosts.deny file, save the file and exit your text editor session.

ALL: ALL

Note: this statement denies access to all TCP services for all users. It follows the implicit deny statement found in a firewall access control list. All users are denied access if not granted access in the hosts.allow file.

Try to log into the local vsftp server as anonymous.

10

Note: The hosts.deny statement ALL: ALL blocked your attempt to log into the ftp server. A Service Not Available error message appeared.

Using nano (or vi), modify the hosts.allow file to allow access to localhost. Modify the hosts.allow file by adding the following content.

ALL: localhost.localdomain

Note: The hosts.allow file grants access to all FTP services for the user localhost.localdomain. All other users attempting to ftp in will be denied access by the hosts.deny statement ALL: ALL.

After modifying the hosts.allow file, save the file and exit your editor session.

Try to log into the local vsftp server again as anonymous:

Note: This time you were able to log into the ftp server.

Using the online UNIX help utility (man), view other suggestions for writing allow and deny statements for TCP Wrappers. mancommandcommand hosts.allow

Note: Try adding - ALL: 192.168.240.0/24. See if you can access your ftp service running on host11 from host12 (i.e., log into host12, open a Terminal, and ftp to host11).

Find a solution that allows users on host12 to access your ftp server on host11.

11

Step 7: Logon host12 and ftp to host11

Log in to host12

Action

On the WINCONSOLE desktop, re-arrange the host11 VNC window so you can see the icon TigerVNC

Double-click TigerVNC.

Enter host12:1 if already not entered in the VNC server text box.

Click Connect.

Enter password in the Password text box. Click Ok, Fedora desktop is now displayed and you are now logged on as vlab user.

Open a Terminal and logon as root

Action Menu::Application->System Tools->Terminal

Step 3: Become the superuser (root)

ActionUsing the switch user command, switch from casual user mode to the superuser mode. Remember to use the dash (-) option after keying in the su command and before hitting the Enter key. The root password is password.

Note: You now have two open windows, one for host11 and one for host12. To help you keep track of which is which you can use command ifconfig to show the ip address. Host11 ipaddress is 192.168.240.11 and host12’s ip address is 192.168.240.12

12

Result TCP Wrappers is configured for ftp access.

Capture the SkillSoft desktop from host12 showing a successfullogin to the vsFTP server on host11. Paste this image into the

text box provided in your Lab Report document.

13

Task 5 Perform a secure remote session on host11 to host12.

Step 1: Start the ssh daemons on both host11 and host12

Action On host12, execute the service sshd restart command. Return to host11 and repeat this command. Your command output will be one of those shown below depending on whether the service was currently running or not. service sshd restart

Result The ssh daemon is started.

Step 2: Use ssh and secure copy

Action On host11, enter the exit command to reassume the role as the vlab user. Enter cd ~ to make sure you are in the vlab home directory. Clear the screen and complete the steps below.

1. ssh to host12 using ssh vlab@192.168.240.12 or ssh –l vlab 192.168.240.12 (where –l is lowercase L).

2. Enter yes when you see, “Do you want to to continue connecting (yes/no)?”3. Enter the vlab password when prompted.4. Use echo to create the message Hello from Host12, redirecting the output to

the file host12.msg.5. Use the cat command to view the host12.msg file contents.6. Copy the host12.msg file to the vlab home directory on host11 by entering the

command scp host12.msg vlab@192.168.240.11:~.7. Exit the ssh remote connection and return to host11.8. Use ls to display the files in /home/vlab/.9. Use the cat command to display the contents of the host12.msg file.

14

Capture the SkillSoft desktop from host11 showing the completion of all nine commands specified in Step 2 of Task 5 above. Paste this image

into the text box provided in your Lab Report document.

Result You have gained experience with ssh and secure copy.

This concludes your lab. Complete the Lab Report document for this lab and submit it to the Dropbox for Week 5.

15