Linux Foundation LFCS – Domain No. 5 – Service Configuration

  1. The SSH server configuration

Hello and welcome, students. In this lecture we're going to talk about configuring the SSH server. SSH is the secure shell, and this is how you log in from a Windows machine to a Linux machine, or between two Linux machines. SSH is a secure way to log in. It runs on port 22 by default. However, you can change it, and some people do change it in order to improve security. To find out which version of secure shell you are running, type ssh -V (capital V). It tells us OpenSSH 7.4p1, then OpenSSL, and then the rest of the information about it.

The main file used to configure SSH is under /etc/ssh. If you do an ls there, there's a file called sshd_config. If you open it with vi, this is what the file looks like. The first interesting setting for us is Protocol. If you want to search for something in the vi editor, you do a backslash like I've just done (look at the bottom of the screen), and it lets you search. So I'm going to type Protocol with a capital P, and it takes me to the first instance of Protocol. As you can see, Protocol 2 is commented out. If I uncomment it, it forces the system to use protocol 2. Otherwise you can use protocol 1 or 2. Protocol 2 is supposed to be more secure than 1, so you should always try to use 2.

So if it's commented out, you can force your system to use 2. Next is Port. As you can see, it's port 22 right now. If you want to change it, you can change it to any other port that is not already in use on your system. One more thing you can do: if it's not in the sshd_config file by default, you can add the line PermitRootLogin no. That way, if I'm doing an SSH from another system, this system will force me to log in as a non-root user first, and that gives you a layer of security.

You have to log in as a non-root user. So any time an audit is done on the system, you can tell who logged in. If you logged in as root directly, it's hard to tell who actually logged in, because the root password is going to be the same for everyone. But if you are, say, John, and you logged in as John and then did an su to root, it'll be easy to detect that somebody named John first logged in and then did a switch user and became root.

Then it can be audited to find out what John did, and if he did something disruptive, to take care of that. Once you have made your changes (I have not actually made any changes so far, I just showed them to you), you can run systemctl restart sshd.service, because it is a service, like we have done previously in other examples. In my case, since I didn't make any changes, it didn't have to start anything. Otherwise it'll shut down and restart the sshd service, and it will say OK, which means everything went well with the changes that you made.
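
A way to check the three settings from this lecture (Protocol, Port, PermitRootLogin) in a configuration file, as an added example that is not part of the original lecture. The function names and the sample file are made up for illustration, and only the global part of the file (before any Match block) is read.

```bash
#!/usr/bin/env bash
# Added example: read the settings discussed above out of an sshd_config file.
# sshd uses the first uncommented occurrence of a keyword; a commented line
# (such as "#Protocol 2") sets nothing.

# sshd_value FILE KEYWORD FALLBACK -> effective global value, or FALLBACK
sshd_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*(#|$)/          { next }   # skip comments and blank lines
        tolower($1) == "match"  { exit }   # stop at conditional Match blocks
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd FILE -> one finding per line; exit status 1 if anything is flagged
audit_sshd() {
    local file=$1 rc=0 root proto
    root=$(sshd_value "$file" PermitRootLogin unset)
    proto=$(sshd_value "$file" Protocol unset)
    if [ "$root" != "no" ]; then
        echo "PermitRootLogin is '$root': direct root logins are not ruled out"
        rc=1
    fi
    case "$proto" in
        *1*) echo "Protocol is '$proto': protocol 1 is still allowed"; rc=1 ;;
    esac
    echo "sshd listens on port $(sshd_value "$file" Port 22)"
    return $rc
}

# Constructed sample file (not taken from the lecture's machine).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#Port 22
Port 2222
#Protocol 2
PermitRootLogin no
Match User backup
    PermitRootLogin yes
EOF
audit_sshd "$SAMPLE" || true
```

On a live system, sshd -t checks the file for syntax errors before you restart the service, and sshd -T prints the configuration the daemon will actually use.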

  1. Installing Apache server

Hello students and welcome. In this lecture we're going to talk about installing the Apache web server on CentOS 7 or Red Hat 7. Apache is a free, open source and popular HTTP server that runs on Unix-like operating systems, including Linux, and also on Windows. It has been the most popular web server, powering several sites on the internet. It is easy to install and configure to host single or multiple websites on the same Linux or Windows server. Before we install httpd, let's update the system itself: yum update. It has done an inventory of the system, and it seems I currently don't need any new packages; everything I needed is installed already. So let's do a clear here. The next step is yum install httpd, which installs the HTTP daemon on the system, and it looks like that is also installed. This is the actual version. In your case it may not be installed by default, and it's going to ask you whether you want to go ahead and install it. Once the Apache web server is installed, the next thing we want to do is start it for the first time and enable it to start automatically at system boot time.

So we'll do systemctl start httpd. OK, it started. Then we'll do systemctl enable httpd. OK, it created this link, so it's enabled and it'll start at boot time. Let's check the status: systemctl status httpd. As you can see, it's active and it's running. By default firewalld is supposed to block HTTP, the web traffic, so we need to allow the Apache traffic. There are a few commands you're going to have to run for that. The first is firewall-cmd --zone=public --permanent --add-service=http, then Enter. Oh, it says firewalld is not running. In our case it's not running, but I still want to give you the command, so that if it is running on your system, this is how you take care of it. The next command you're going to run is firewall-cmd --zone=public --permanent --add-service=https. HTTPS is secure HTTP. In my case firewalld is not running, so it's not really going to make a difference. The last command is firewall-cmd --reload. Of course, you won't get any of these messages that I'm getting if firewalld is running on your machine.

  1. Restrict access to a web page

Hello students. In this lecture we are going to cover how to protect your Apache web directories. There might be occasions where you have some content on a website that you want a certain group of people to access, but you don't want the entire team or the entire company to access it. It might be some HR-related data or some secure data that you want only a few specific people to get access to. So we're going to cover how you accomplish that. The main file we're going to go to is under /etc/httpd, and in it we can look for /var/www/html. You see this Directory block here; we can press i to insert, make our change, and then hit Escape.

The other thing you're supposed to have in this block is one more line: Options Indexes Includes FollowSymLinks MultiViews (MultiViews has a capital M and a capital V). So you include that one line and leave the rest as it is, except for AllowOverride, which you change to All. Require all granted you just leave like that, and then save and exit. Then we're going to restart: systemctl restart httpd. Now we're going to use htpasswd, as htpasswd -c.

The general format is htpasswd -c, then the file name, and then the user name. That is how we can accomplish it. First we'll make a directory under /home, and let's call it student. That's our directory. Our password file needs to be located outside the Apache web-accessible directory so that it is well protected.

For that purpose we have created this directory. After that we will generate our username and password, which will be stored in that directory. So do htpasswd -c /home/student/webpass, and let's call our username student as well. OK, new password: I'm going to give it a password. The password has been added. After that we need to make sure that Apache is able to read the webpass file, and for that we need to change the ownership of the file. We do that with chown, which is how you change ownership: chown apache /home/student/webpass. OK, I was supposed to have a space in between, which I didn't have the first time, so that's why I got this error. I did it a second time and it took it. Then we'll do the chmod and set the permissions to 640 on webpass. At this point our new user and password are ready. Now we need to tell Apache to request a password when someone accesses our targeted directory. For that purpose we're going to create a file called .htaccess in /var/www/html. So we'll do vi /var/www/html/.htaccess and add the following to it. This is what the file is going to look like. The first line is AuthType Basic. The next one is AuthName "Restricted Access". The third one is AuthUserFile, which is /home/student/webpass, and then it's going to be Require user student. We have saved and exited. Let's go to the website.
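
A check for the two things this setup depends on (the password file sits outside the web-accessible directory, and its mode gives nothing to other users, as with 640), as an added example that is not part of the original lecture. The function names are made up for illustration, the directory tree is built under a temporary directory rather than the real /var/www/html, and GNU stat is assumed.

```bash
#!/usr/bin/env bash
# Added example: verify that the AuthUserFile named in an .htaccess lies
# outside the web root and grants no permissions to "other".

# auth_user_file HTACCESS -> path given to AuthUserFile (quotes stripped)
auth_user_file() {
    awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# check_htaccess DOCROOT HTACCESS -> findings on stdout; status 1 if any
check_htaccess() {
    local docroot pwfile mode rc=0
    docroot=$(cd "$1" && pwd -P)
    pwfile=$(auth_user_file "$2")
    [ -n "$pwfile" ] || { echo "no AuthUserFile directive"; return 1; }
    [ -f "$pwfile" ] || { echo "password file $pwfile is missing"; return 1; }
    # Resolve symlinks in the directory part before comparing with the web root.
    pwfile=$(cd "$(dirname "$pwfile")" && pwd -P)/$(basename "$pwfile")
    case "$pwfile" in
        "$docroot"/*) echo "password file is inside the web root"; rc=1 ;;
    esac
    mode=$(stat -c '%a' "$pwfile")          # e.g. 640
    case "$mode" in
        *[1-7]) echo "mode $mode gives other users access"; rc=1 ;;
    esac
    return $rc
}

# Constructed demo tree mirroring the lecture's layout under a temp directory.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/var/www/html" "$DEMO/home/student"
echo 'student:CONSTRUCTED-HASH-PLACEHOLDER' > "$DEMO/home/student/webpass"
chmod 640 "$DEMO/home/student/webpass"
cat > "$DEMO/var/www/html/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted Access"
AuthUserFile $DEMO/home/student/webpass
Require user student
EOF
check_htaccess "$DEMO/var/www/html" "$DEMO/var/www/html/.htaccess" && echo "layout OK"
```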

  1. Email aliases

Hello students and welcome. In this lecture we're going to deal with adding email aliases in Linux, specifically CentOS or Red Hat Linux. So why do you want to use aliases? The reason we use aliases in Windows or Linux is so that a message sent via email can be sent to a group of people. For instance, there are two or three users who want to get a certain message, sent either by a machine or by a person. You can group them together, and the message will be sent to that group, and all the users who are part of that group, or part of that alias, will receive it. The directory we deal with in that case is /etc/postfix, and there's a file called aliases in here. Since in our case it doesn't exist, we're going to create one. Just as an example we'll say user1 is the name of the alias, or actually let's call it something more meaningful: students is our alias, and it has user1, user2, user3 in it.

So there are three students who want to get any message that is sent to students. Suppose there's a class that only has three students; then you have created this aliases file. The next thing we have to make sure of, and that's what I was checking, is that user1 and user2 are created on our system. User1 was already there. User2 I just added. So we have both of these users in there. To have the aliases file actually read by the system and refreshed, we need to run postalias. From here on, any message sent to, say, student at a certain address, say school@gmail.com, will go to student one, student two and student three; all three of them will receive it. That's all you have to do; it's just a two-step process. You just have to make sure that the students are already added on the system itself.
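
The check described above (every member of the alias must already exist as a user), as an added example that is not part of the original lecture. The function names, the aliases file and the passwd-format file are constructed for illustration, and alias entries are assumed to fit on one line.

```bash
#!/usr/bin/env bash
# Added example: list the members of a Postfix alias and report the ones
# that have no local account.

# alias_members ALIASES_FILE ALIAS -> one member per line
alias_members() {
    awk -F: -v a="$2" '
        /^[ \t]*#/ { next }                     # skip comment lines
        $1 == a {
            gsub(/[ \t]/, "", $2)               # drop spaces around the names
            n = split($2, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
            exit
        }
    ' "$1"
}

# missing_members ALIASES_FILE ALIAS PASSWD_FILE -> members without an account
# (on a live system, getent passwd "$u" does the lookup instead of grep)
missing_members() {
    local u
    alias_members "$1" "$2" | while read -r u; do
        grep -q "^$u:" "$3" || echo "$u"
    done
}

# Constructed sample data: the alias from the lecture and a passwd-format
# file in which only user1 and user2 exist.
ALIASES=$(mktemp)
PASSWD=$(mktemp)
cat > "$ALIASES" <<'EOF'
# constructed sample aliases file
postmaster: root
students: user1, user2, user3
EOF
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
user1:x:1001:1001::/home/user1:/bin/bash
user2:x:1002:1002::/home/user2:/bin/bash
EOF
echo "no account for: $(missing_members "$ALIASES" students "$PASSWD")"
```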
