Lab Questions

1. 

You want to set up an RHEL computer as a secure Web server. To keep that system secure, you'll want to configure an appropriate firewall and disable any services that you don't need. What should you do?

1. 

If you want to set up an RHEL computer as a secure Web server, it's a straightforward process. You'll want to set up a firewall to block all but the most essential ports. This should include TCP/IP ports 80 and 443, which allow outside computers to access your regular and secure Web services.

The easiest way to set this up is with the Red Hat Security Level Configuration tool, which you can start with the system-config-securitylevel command. Once you're in the Red Hat tool, take the following steps:

1. Enable the firewall. This configures a basic set of firewall rules that prohibits access except for requests that come from inside the firewall.

2. Scroll down the Trusted Services window. (If you're in the text-based tool, click Customize to open the Firewall Configuration - Customize window.) Activate the WWW (HTTP) option. This allows access from outside the local computer to your regular Web site. Activate the Secure WWW (HTTPS) services as well.

3. Click OK to exit from the Security Level Configuration tool.

4. Enter the following command to check your resulting firewall.

    # iptables -L 

5. Once you've configured a Web service as described in Chapter 9, you'll be able to access both the regular and secure Web servers from remote computers, while retaining a firewall that protects the other services on your system.

2. 

You want to set up Telnet service on your internal LAN, accessible only to one specific IP address. You want to block access from outside the LAN. Assume that your LAN's network address is 192.168.1.0, and the IP address of the computer that should get access is 192.168.1.33. For the purpose of this lab, feel free to substitute the IP address of a second Linux computer on your network. What do you do?

2. 

Several steps are required to set up any xinetd service such as Telnet. You'll need to modify the xinetd Telnet configuration file and set up filtering in one of three ways: in the /etc/xinetd.d/krb5-telnet configuration file, through tcp_wrappers, or with the appropriate firewall commands.

1. First, you want to enable Telnet. Make sure that the krb5-telnet RPM is installed.

2. Activate Telnet. Use the chkconfig krb5-telnet on command to revise the /etc/xinetd.d/krb5-telnet configuration script.

3. Edit the /etc/xinetd.d/krb5-telnet configuration file. Add the only_from = 192.168.1.33 line. (If you have another computer on your network with a private IP address, substitute accordingly in all steps in this lab.)

4. Save the configuration file and reload the xinetd service script with the service xinetd reload command. Try accessing Telnet from the local computer. What happens?

5. Try accessing Telnet from the computer with the IP address of 192.168.1.33. What happens? Try again from a different computer on your LAN.

6. Restore the previous /etc/xinetd.d/krb5-telnet configuration file. Don't forget to reload the xinetd service script with the service xinetd reload command.

7. Edit /etc/hosts.deny. Add the telnetd : ALL EXCEPT 192.168.1.33 line.

8. Try accessing Telnet from the computer with the IP address of 192.168.1.33. What happens? Try again from a different computer on your LAN.

9. Restore the previous /etc/hosts.deny file.

10. Save any existing iptables chains. Back up /etc/sysconfig/iptables, if that file currently exists to ~/bak.iptables.

11. Flush current firewall rules with the iptables -F command.

12. Block the Telnet port, 23, for all IP addresses except 192.168.1.33 with the iptables -A INPUT -s ! 192.168.1.33 -p tcp --dport 23 -j DROP command.

13. Try accessing the Telnet server from the computer with the IP address of 192.168.1.33. What happens? Try again from a different computer on your LAN.

14. Flush current firewall rules with the iptables -F command.

15. Restore any previous firewall rules with the iptables-restore < ~/bak.iptables command.

16. Bonus: Repeat these commands for other services and networks.

3. 

You want to set up a secure Web server on your corporate LAN that supports inbound requests from your LAN and the Internet, but you do not want any of these requests from the Internet to get into your intranet. What can you do?

There are three scenarios in this lab. First, assume cost is no object, and there are three computers available-two for firewalls and one for the Web server. Second, assume a cost-conscious situation where you need to configure the firewalls and Web server on the same system. Third, repeat scenarios one and two, with SELinux in enforcing mode.

3. 

Scenario 1: Cost is not an object. This means you can build a DMZ using two firewalls and a separate Web server, all running Linux. You should have the Web server dedicated only to the Web. You configure two more Linux hosts, each with two network cards, and essentially isolate the intranet behind one firewall. You then put the Web server in the middle, placing the second firewall between the Web server and the Internet. You configure the firewall on the intranet with IP masquerading to ensure anonymity for all your intranet hosts.

Scenario 2: You have one old computer available, and the Web server is a separate computer. Use your one computer as the firewall between you and the Internet and only forward HTTP packets to the Web server IP address directly; use NAT for all intranet requests going out to the Internet for HTTP and FTP. Disallow all other services.

Scenario 3: Repeat scenarios 1 and 2; configure SELinux in enforcing mode and activate the appropriate booleans for the scenarios.

4. 

You want to work with SELinux, but you are unsure about how it will affect the dozen services that you run from your system. What can you do and what should you monitor to try out SELinux, without affecting any services that are currently running? How can you monitor the process? Test all configured services, and use Setroubleshoot Browser suggestions to configure your system. When you're confident that everything will work, activate SELinux in enforcing mode.

4. 

The simplest way to experiment with SELinux is to set it to permissive mode. All violations of SELinux are logged in /var/log/messages with the avc label. You can set SELinux to permissive mode with the SELinux Management Tool or by setting SELINUX=permissive in /etc/sysconfig/selinux. Open the Setroubleshoot Browser, and try out various services-locally and remotely. Follow any suggestions made by the browser. When you're confident that your configured network services will work with SELinux, set SELinux=enforcing in /etc/sysconfig/selinux, reboot, and test configured network services again.