Lab 1. You want to set up an RHEL computer as a secure Web server. To keep that system secure, you'll want to configure an appropriate firewall and disable any services that you don't need. What should you do?

Answer 1. Setting up an RHEL computer as a secure Web server is a straightforward process. Configure a firewall that blocks all but the most essential ports; for a Web server, the ports left open should be TCP/IP ports 80 and 443, which allow outside computers to reach your regular and secure Web services. The easiest way to set this up is with the Red Hat Security Level Configuration tool, which you can start with the system-config-securitylevel command. Once you're in the Red Hat tool, take the following steps:
Lab 2. You want to set up Telnet service on your internal LAN, accessible only to one specific IP address, and block access from outside the LAN. Assume that your LAN's network address is 192.168.1.0 and that the IP address of the computer that should get access is 192.168.1.33. For the purpose of this lab, feel free to substitute the IP address of a second Linux computer on your network. What do you do?

Answer 2. Several steps are required to set up any xinetd service such as Telnet. You'll need to modify the xinetd Telnet configuration file to enable the service, and then set up filtering in one of three ways: in the /etc/xinetd.d/krb5-telnet configuration file itself, through tcp_wrappers, or with the appropriate firewall commands.
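The filtering decision the answer describes, as an added example that is not part of the original lab: a small Python simulator of xinetd's only_from check and of the hosts.allow/hosts.deny evaluation order used by tcp_wrappers, run against constructed entries for the lab's LAN (192.168.1.0) and permitted host (192.168.1.33). The only_from values, the hosts.allow/hosts.deny lines and the telnetd daemon name for the krb5-telnet service are assumptions.

```python
import ipaddress
import re

# Constructed tcp_wrappers entries for the lab: permit the one LAN host, refuse everyone else.
HOSTS_ALLOW = "telnetd : 192.168.1.33\n"
HOSTS_DENY = "telnetd : ALL\n"
# Constructed only_from values for /etc/xinetd.d/krb5-telnet: the lab's single host versus
# the whole 192.168.1.0 network (xinetd reads the trailing zero as a netmask).
ONLY_FROM_HOST = ["192.168.1.33"]
ONLY_FROM_LAN = ["192.168.1.0"]

def host_matches(pattern, ip):
    """Match one client pattern in the forms xinetd and tcp_wrappers accept."""
    ip = ipaddress.ip_address(ip)
    if pattern == "ALL":                       # tcp_wrappers wildcard
        return True
    if pattern.endswith("."):                  # tcp_wrappers prefix form: 192.168.1.
        return str(ip).startswith(pattern)
    if "/" in pattern:                         # CIDR or net/mask form (both tools)
        return ip in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith(".0"):                 # xinetd net form (tcp_wrappers would match it exactly)
        octets = pattern.split(".")
        while octets and octets[-1] == "0":
            octets.pop()
        return str(ip).startswith(".".join(octets) + ".")
    return ip == ipaddress.ip_address(pattern)

def xinetd_allows(only_from, ip):
    """xinetd only_from: an empty list admits everyone; otherwise some pattern must match."""
    return not only_from or any(host_matches(p, ip) for p in only_from)

def wrappers_allows(allow_text, deny_text, daemon, ip):
    """tcp_wrappers order: a hosts.allow match grants, then a hosts.deny match refuses,
    and a client matched by neither file is granted (so hosts.deny needs a catch-all)."""
    def matches(text):
        for line in text.splitlines():
            fields = line.split("#", 1)[0].split(":")   # daemon_list : client_list [: option]
            if len(fields) < 2:
                continue
            daemons, clients = (re.split(r"[\s,]+", f.strip()) for f in fields[:2])
            if (daemon in daemons or "ALL" in daemons) and any(
                    c and host_matches(c, ip) for c in clients):
                return True
        return False
    return matches(allow_text) or not matches(deny_text)

def telnet_permitted(ip, only_from=ONLY_FROM_HOST):
    """A client must pass both filters. Assumption: xinetd presents krb5-telnet to
    tcp_wrappers under its server program's basename, telnetd, as no libwrap attribute is set."""
    return wrappers_allows(HOSTS_ALLOW, HOSTS_DENY, "telnetd", ip) and xinetd_allows(only_from, ip)
```

Comparing ONLY_FROM_HOST with ONLY_FROM_LAN shows why the lab wants the single address: only_from = 192.168.1.0 would admit every host on the LAN, and an empty hosts.deny would admit every host tcp_wrappers sees.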
Lab 3. You want to set up a secure Web server on your corporate LAN that supports inbound requests from your LAN and the Internet, but you do not want any of these requests from the Internet to get into your intranet. What can you do? There are three scenarios in this lab. First, assume cost is no object, and there are three computers available: two for firewalls and one for the Web server. Second, assume a cost-conscious situation where you need to configure the firewalls and Web server on the same system. Third, repeat scenarios one and two with SELinux in enforcing mode.

Answer 3. Scenario 1: Cost is not an object. This means you can build a DMZ using two firewalls and a separate Web server, all running Linux. Dedicate the Web server to the Web only. Configure two more Linux hosts, each with two network cards, and isolate the intranet behind one of them. Put the Web server in the middle, placing the second firewall between the Web server and the Internet. Configure the firewall on the intranet side with IP masquerading to ensure anonymity for all your intranet hosts.

Scenario 2: You have one old computer available, and the Web server is a separate computer. Use your one computer as the firewall between you and the Internet, and forward only HTTP packets directly to the Web server's IP address; use NAT for all intranet requests going out to the Internet for HTTP and FTP. Disallow all other services.

Scenario 3: Repeat scenarios 1 and 2, configure SELinux in enforcing mode, and activate the appropriate booleans for each scenario.
Lab 4. You want to work with SELinux, but you are unsure about how it will affect the dozen services that you run from your system. What can you do, and what should you monitor, to try out SELinux without affecting any services that are currently running? How can you monitor the process? Test all configured services, and use Setroubleshoot Browser suggestions to configure your system. When you're confident that everything will work, activate SELinux in enforcing mode.

Answer 4. The simplest way to experiment with SELinux is to set it to permissive mode. All violations of SELinux policy are logged in /var/log/messages with the avc label. You can set SELinux to permissive mode with the SELinux Management Tool or by setting SELINUX=permissive in /etc/sysconfig/selinux. Open the Setroubleshoot Browser and try out the various services, locally and remotely. Follow any suggestions made by the browser. When you're confident that your configured network services will work with SELinux, set SELINUX=enforcing in /etc/sysconfig/selinux, reboot, and test the configured network services again.