
Upload: phungdat

Post on 29-May-2018


NETW240 Week 5 Lab: Secure FTP and Secure Shell (SSH)

Lab Scenario

Launching Your Lab The status of your Lab is displayed at the top of the left navigation column.

Click the Start Lab Now button. A progress bar displays while the lab is being initialized. During this time, you can view items under the Content area of the left navigation bar.

When initialization is complete, the status changes to In Progress. The clock starts and a lab diagram displays in the main content area.

Click on the diagram that appears and your virtual lab experience will begin.

If your connection isn't working, verify connectivity by clicking Verify Connection in the Tools section on the left navigation bar.

Assignment Learn about secure ftp, secure shell (SSH), and secure copy (SCP).

Story On host11, you will configure a secure ftp server and set its security policies, start the SSH daemon, and use the SSH and SCP client tools. Near the end, you will log into host12 and ftp into your host11 ftp server.

Conditions You have remote access to host11 and host12; host12 is already configured and there is nothing for you to do to it. Both host11 and host12 use DHCP on their first interface (eth0). This interface is used by the lab environment and should not be modified. Both host11 and host12 are unable to communicate over this interface.

Virtual Machine Login Information: Username: vlab, Password: password

Diagram


Suggested Approach

The following is a list of high-level steps needed to complete this lab.

1. Update /etc/hosts to identify local (host11) and remote (host12) hosts and servers.
2. Identify critical system files for configuring and displaying site messages.
3. Install and configure a secure ftp server.
4. Perform a secure telnet session to an nfs server.
5. Fill out and turn in your Lab Report document.

Task 1 Read the background information here

Step 1: Background Information

Action We will continue to learn to install and configure TCP/IP-dependent servers. Each server allows local, remote, and guest user access. It is our responsibility as system administrators to safeguard our system's resources and information. A legal statement should be displayed to users accessing the system. Legal messages should be approved by your organization's legal department. An example of a warning message follows:

Warning: You are accessing a secure site and confidential information. Access is restricted to authorized persons ONLY. Unauthorized access or use is not permitted and constitutes a crime punishable by law. Violators will be prosecuted.

Warning messages should be displayed before a user logs into the system. We will learn to add warning messages in today's lab. This is only one part of an effective security policy.

File Transfer Protocol File transfer protocol (FTP) is a TCP/IP application designed to transfer files across a network from one host to another. The first implementation of FTP was in 1971 for minicomputers and mainframes running the UNIX operating system. FTP works on the client/server model by allowing remote clients to move up and down a server's directory structure to find and download files of interest. Today, WWW search engines find files on Internet servers running FTP. By clicking on a link, we are actually using FTP to transfer files to our computer. Any Linux system can operate as an ftp server by running the ftp daemon. A special user account in /etc/passwd will allow remote users to log in as anonymous. The password for anonymous is the remote user's e-mail address. A major disadvantage of FTP is the fact that it does not encrypt an authorized user's name and password, leaving it open to sniffer capture and unauthorized use. To prevent this from occurring, we will be installing a version of FTP named Very Secure FTP (vsFTP).

As a Linux system administrator, it is your responsibility to set up FTP directories so that files people need are accessible without compromising the security on the rest of your system.


Result You have been given some background on the use of legal statements, in the form of warnings shown to users accessing remote systems. You have also been given some very high-level information on FTP.

Note about text editors in Element K: All text editor tasks in this lab are shown using the nano text editor but you are also free to use the vi text editor as an option if you know the more complex command hierarchy. If you are using nano as your text editor and Internet Explorer or Chrome as your browser, you cannot use <Ctrl>O to save your file. This hot key is used by IE and Chrome to open files. You will have to exit and save as follows: press <Ctrl>X (exit), and at the Save Modified Buffer prompt, press Y and then Enter. This will save the file and exit the text editor. Mozilla Firefox does not have this issue with <Ctrl>O.

Task 2 Open a Terminal and become the superuser

Step 1: Log in to host11

Action Click on the link for host11 in the network diagram. Once given access to the machine, log in as vlab with a password of password.

Step 2: Open a Terminal

Action Menu::Application->System Tools->Terminal

Step 3: Become the superuser (root)

Action Using the switch user command, switch from your ordinary user account to the superuser. Remember to use the dash (-) option after keying in the su command and before hitting the Enter key. The root password is the same as the student password.

Result You will have become root and your command prompt will now be shown as [root@host11 ~]#.


Task 3 Update /etc/hosts

Step 1: Add host11 and host12 to /etc/hosts Action Open /etc/hosts in nano (or vi if you prefer) and add the lines below.

192.168.240.11    host11.linux.net    host11
192.168.240.12    host12.linux.net    host12

Save the /etc/hosts file changes and exit nano (or vi).

Verify that you can now ping your own host11 PC and the host12 PC using the hostnames. Use the -c 3 switch to limit the ping to three echo requests.

Explanation Linux PCs use the /etc/hosts file before using DNS to resolve hostnames to IP addresses.


Task 4 Configure the ftp server

Step 1: ftp user in /etc/passwd

Action Verify that the ftp user account is listed in /etc/passwd. This user account assigns anonymous (or guest) FTP users to user ID 14 and group ID 50. This restricts their permissions and their ability to "cd" out of the ftp directory.

grep ftp /etc/passwd

Result The following entry should be displayed: ftp:x:14:50:ftp user:/var/ftp:/sbin/nologin.

Note: Users who are classified as "real users" already have a legitimate user account on an ftp server. These users can log into the ftp site using their assigned user name and password.

Step 2: Verify and/or install vsFTP package

Action Verify whether the vsFTP package is installed by trying to restart its service vsftpd. If the vsftpd package is not installed, the vsftpd service will be unrecognized.

If the vsFTP package is not installed, cd to the /home/vlab (if you are not in that directory) and list the files with the ls command.

Use the rpm -ivh vsftpd-2.3.4-1.i386.rpm command to install it. Press Tab after you have typed vsftpd- to complete the rest of the rpm file name.


Result vsFTP is now installed.

Step 3: Configure vsftp

Action Use the check configuration (chkconfig) command to enable error checking for the vsftpd configuration file.

Note: chkconfig can be used with many services such as dhcpd and smb to provide error checking of service configuration files. If the service fails to start, chkconfig causes a message to be displayed indicating where the error was detected in the service configuration file.

Start the vsFTP service with the command service vsftpd start.

After the service starts successfully, ftp to your Linux PC with one of the following commands. When you make the FTP connection, log in with the username anonymous. You can press Enter when prompted for the anonymous password.

ftp localhost
ftp 127.0.0.1
ftp host11
ftp 192.168.240.11

Note: Localhost resolves to the 127.0.0.1 loopback address and host11 resolves to the eth1 address configured on this computer. The loopback address is a convenient way to test local services on computers.


After successfully logging in, execute the ls command. Note that you see a single directory name pub. This is the only directory an anonymous user will have access to. The actual path of the pub directory on your computer is /var/ftp/pub.

Type ? or help and press Enter. Listed are the available FTP commands. Other than the standard navigation and file commands (cd, lcd, pwd, ls, rm, rmdir), the most commonly used FTP commands are get and mget for downloading single or multiple files, put and mput for uploading single and multiple files, binary or ascii to specify the file format, and prompt to turn off or turn on interactive prompting.

Exit the ftp connection by entering the bye, quit or exit commands.

Result vsftp was started and you verified its operation on your computer.

Step 4: Adding a warning message to ftp clients

Action In the previous step, remember that we did not see a warning message to alert users that unauthorized activity on our ftp site is illegal. To display a message, use nano (or vi) to edit or create the file /var/ftp/.message. Note the dot (.) prefix on .message: files and directories whose names begin with a dot are hidden from a standard ls listing.

Type in the warning message in the nano (or vi) text editor and save the file.


To test your message, log into the ftp site as anonymous again. You should see your message after entering a password. Exit the FTP connection after seeing your warning message.

Capture the Element K desktop showing this warning message displayed when you logged into your vsFTP server. Paste this image into the text box provided in your Lab Report document.

Note: Under U.S. federal law, a company is responsible for all content posted on its ftp or web site.


Result A prelogin warning message has been added to the ftp service on host11.

Step 5: Examine vsftpd.conf, user_list, and ftpusers configuration files

Action A file named "vsftpd.conf" is located in the "/etc/vsftpd" directory. Use the cat command to view the contents of this configuration file. Pipe (|) the output of the cat command to less so you can browse through the configuration file.

cat /etc/vsftpd/vsftpd.conf | less

Notice that many of its parameters are commented out; uncommenting a parameter activates the corresponding feature.

Two more files, user_list and ftpusers, can be used to restrict specific users from accessing the vsftp site. Use the cat command (piped to less) to view the content and makeup of these files.

cat /etc/vsftpd/user_list | less
cat /etc/vsftpd/ftpusers | less

Result You have examined the vsftp configuration files.
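As an added example (not part of the lab or of vsftpd itself), a Python parser for the option=value format of vsftpd.conf that flags the settings the steps in this lab depend on: a pre-login banner (ftpd_banner or banner_file, which the after-login .message file does not provide), tcp_wrappers=YES so that the hosts.allow step actually applies to ftp, and the userlist_deny switch that decides whether user_list blocks or admits the names in it. The two configuration strings are constructed samples, not the lab machine's real file.

```python
import re

OPTION = re.compile(r"^([A-Za-z_]+)=(.*)$")  # vsftpd.conf: no spaces around '='

# Upstream defaults for the options inspected here, per vsftpd.conf(5).
DEFAULTS = {"ftpd_banner": "", "banner_file": "", "tcp_wrappers": "NO",
            "userlist_enable": "NO", "userlist_deny": "YES"}


def parse_vsftpd_conf(text):
    """Return (settings, bad_line_numbers); '#' comments and blank lines are skipped."""
    settings, bad = dict(DEFAULTS), []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPTION.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
        else:
            bad.append(n)
    return settings, bad


def on(settings, key):
    """vsftpd boolean: YES/TRUE/1 are true, anything else is false."""
    return settings[key].upper() in ("YES", "TRUE", "1")


def audit(text):
    """Findings that matter for this lab's steps (warning banner, TCP Wrappers, user_list)."""
    s, bad = parse_vsftpd_conf(text)
    findings = [f"line {n}: not 'option=value'; vsftpd rejects it at startup" for n in bad]
    if not (s["ftpd_banner"] or s["banner_file"]):
        findings.append("no pre-login banner: set ftpd_banner= or banner_file=; "
                        "a .message file (dirmessage_enable) appears only after login")
    if not on(s, "tcp_wrappers"):
        findings.append("tcp_wrappers=NO: hosts.allow/hosts.deny are ignored for ftp")
    if on(s, "userlist_enable"):
        effect = "are refused" if on(s, "userlist_deny") else "are the only ones admitted"
        findings.append(f"users named in user_list {effect} (userlist_deny={s['userlist_deny']})")
    return findings


# Constructed samples: a lab-style file with a spacing mistake, and a corrected one.
LAB_CONF = "anonymous_enable=YES\ndirmessage_enable=YES\nuserlist_enable=YES\ntcp_wrappers = YES\n"
FIXED_CONF = ("anonymous_enable=YES\ndirmessage_enable=YES\ntcp_wrappers=YES\n"
              "userlist_enable=YES\nuserlist_deny=NO\n"
              "ftpd_banner=Warning: authorized use only. Activity is logged.\n")
```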

Step 6: Configure TCP Wrappers for ftp access

Action TCP Wrappers is a Linux/UNIX security mechanism that will deny or allow access to TCP services. We can prevent unauthorized access to our vsftp server using TCP Wrappers. TCP Wrappers consists of two files located in the /etc directory. The hosts.deny file prevents certain users from accessing TCP services while the hosts.allow authorizes users to access TCP services.

Use the nano (or vi) text editor to add an implicit deny statement to the hosts.deny file. After modifying the hosts.deny file, save the file and exit your text editor session.

ALL: ALL

Note: this statement denies access to all TCP services for all users. It plays the same role as the implicit deny at the end of a firewall access control list: all users are denied access unless they are granted access in the hosts.allow file.

Try to log into the local vsftp server as anonymous.


Note: The hosts.deny statement ALL: ALL blocked your attempt to log into the ftp server. A Service Not Available error message appeared.

Using nano (or vi), modify the hosts.allow file to allow access to localhost. Modify the hosts.allow file by adding the following content.

ALL: localhost.localdomain

Note: The hosts.allow file grants access to all FTP services for the user localhost.localdomain. All other users attempting to ftp in will be denied access by the hosts.deny statement ALL: ALL.

After modifying the hosts.allow file, save the file and exit your editor session.

Try to log into the local vsftp server again as anonymous:

Note: This time you were able to log into the ftp server.

Using the online UNIX help utility (man), view other suggestions for writing allow and deny statements for TCP Wrappers.

man hosts.allow

Note: Try adding ALL: 192.168.240.0/24. See if you can access your ftp service running on host11 from host12 (i.e., log into host12, open a Terminal, and ftp to host11).


Find a solution that allows users on host12 to access your ftp server on host11.
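The allow/deny decision described in this step, modelled as an added Python example (not part of the lab or of TCP Wrappers itself): it parses hosts.allow and hosts.deny text, applies tcpd's evaluation order, and shows why the lab's two files admit the loopback test but refuse host12 until a rule for the 192.168.240.0 network is added. The rule files, client names and the vsftpd daemon name are constructed from this lab; the FIXED_ALLOW line is one possible solution, not the only one, and vsftpd consults these files only when tcp_wrappers=YES is set in vsftpd.conf.

```python
import ipaddress  # stdlib only; nothing here reads the real /etc files


def parse_rules(text):
    """'daemon_list : client_list [: options]' lines; '#' comments, blank lines and
    any option field after the second colon are ignored (IPv4 patterns only)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            fields = [f.replace(",", " ").split() for f in line.split(":")]
            rules.append((fields[0], fields[1]))
    return rules


def client_matches(pattern, hostname, ip):
    """hosts_access(5) client patterns: ALL, exact host or address, '.domain' suffix,
    'n.n.n.' prefix, and net/mask written as 'n.n.n.n/m.m.m.m' or 'n.n.n.n/len'."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        return hostname.endswith(pattern)
    if pattern.endswith("."):
        return ip.startswith(pattern)
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        if "." in mask:  # dotted mask -> prefix length
            mask = bin(int(ipaddress.IPv4Address(mask))).count("1")
        return ipaddress.IPv4Address(ip) in ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
    return pattern in (hostname, ip)


def decide(allow_text, deny_text, daemon, hostname, ip):
    """tcpd order: first match in hosts.allow grants; otherwise first match in
    hosts.deny refuses; otherwise access is granted (empty files = wide open).
    hostname is what tcpd obtains for the client address from /etc/hosts or DNS."""
    for rules, verdict in ((parse_rules(allow_text), "allow"), (parse_rules(deny_text), "deny")):
        for daemons, clients in rules:
            if ("ALL" in daemons or daemon in daemons) and \
               any(client_matches(p, hostname, ip) for p in clients):
                return verdict
    return "allow"


HOSTS_DENY = "ALL: ALL\n"                           # the lab's implicit deny
LAB_ALLOW = "ALL: localhost.localdomain\n"           # only the loopback test gets through
FIXED_ALLOW = LAB_ALLOW + "vsftpd: 192.168.240.\n"   # constructed: also admit the lab subnet


def lab_results(allow_text):
    """Verdicts for the two clients used in the lab under the given hosts.allow."""
    return {"localhost": decide(allow_text, HOSTS_DENY, "vsftpd", "localhost.localdomain", "127.0.0.1"),
            "host12": decide(allow_text, HOSTS_DENY, "vsftpd", "host12.linux.net", "192.168.240.12")}
```

Because FIXED_ALLOW names only vsftpd, an ssh connection from host12 still falls through to the ALL: ALL line in hosts.deny.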

Result TCP Wrappers is configured for ftp access.

Capture the Element K desktop from host12 showing a successful login to the vsFTP server on host11. Paste this image into the text box provided in your Lab Report document.


Task 5 Perform a secure remote session on host11 to host12.

Step 1: Start the ssh daemons

Action On host12, execute the service sshd restart command. Return to host11 and repeat this command. Your command output will be one of those shown below depending on whether the service was currently running or not.

service sshd start

Result The ssh daemon is started.

Step 2: Use ssh and secure copy

Action Enter the exit command to resume the role of the vlab user. Enter cd ~ to make sure you are in the vlab home directory. Clear the screen and complete the steps below.

1. ssh to host12 using ssh vlab@192.168.240.12 or ssh -l vlab 192.168.240.12 (where -l is lowercase L).
2. Enter yes when you see "Do you want to continue connecting (yes/no)?"
3. Enter the vlab password when prompted.
4. Use echo to create the message Hello from Host12, redirecting the output to the file host12.msg.
5. Use the cat command to view the host12.msg file contents.
6. Copy the host12.msg file to the vlab home directory on host11 by entering the command scp host12.msg vlab@192.168.240.11:~.
7. Exit the ssh remote connection and return to host11.
8. Use ls to display the files in /home/vlab/.
9. Use the cat command to display the contents of the host12.msg file.


Capture the Element K desktop from host11 showing the completion of all nine commands specified in Step 2 of Task 5 above. Paste this image into the text box provided in your Lab Report document.

Result You have gained experience with ssh and secure copy.

This concludes your lab. Complete the Lab Report document for this lab and submit it to the Dropbox for Week 5.
