RH134 - ch11s02

From workstation, run the lab netsecurity-firewalls start command. The command runs a start script to determine whether the servera host is reachable on the network.

[student@workstation ~]$ lab netsecurity-firewalls start

From workstation, use SSH to log in to servera as student user. The systems are configured to use SSH keys for authentication, so a password is not required.
```
[student@workstation ~]$ ssh student@servera
...output omitted...
[student@servera ~]$ 
```
On the servera system, ensure that both httpd and mod_ssl packages are installed. These packages provide the Apache web server you will protect with a firewall, and the necessary extensions for the web server to serve content over SSL.
```
[student@servera ~]$ sudo yum install httpd mod_ssl
[sudo] password for student: student
...output omitted...
Is this ok [y/N]: y
...output omitted...
Complete!
```
As the student user on servera, create the /var/www/html/index.html file. Add one line of text that reads: I am servera.
```
[student@servera ~]$ sudo bash -c \
"echo 'I am servera.' > /var/www/html/index.html"
```

Start and enable the httpd service on your servera system.

[student@servera ~]$ sudo systemctl enable --now httpd
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.

Exit from servera.

[student@servera ~]$ exit
logout
Connection to servera closed.
[student@workstation ~]$

From workstation, attempt to access your web server on servera using both the cleartext port 80/TCP and the SSL encapsulated port 443/TCP. Both attempts should fail.

This command should fail:

[student@workstation ~]$ curl http://servera.lab.example.com
curl: (7) Failed to connect to servera.lab.example.com port 80: No route to host

This command should also fail:

[student@workstation ~]$ curl -k https://servera.lab.example.com
curl: (7) Failed to connect to servera.lab.example.com port 443: No route to host

[student@workstation ~]$ ssh student@servera
...output omitted...
[student@servera ~]$

On servera, make sure that the nftables service is masked and the firewalld service is enabled and running.

Determine whether the status of the nftables service is masked.

[student@servera ~]$ sudo systemctl status nftables
[sudo] password for student: student
● nftables.service - Netfilter Tables
   Loaded: loaded (/usr/lib/systemd/system/nftables.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: man:nft(8)

The results show that nftables is disabled and inactive but not masked. Run the following command to mask the service.

[student@servera ~]$ sudo systemctl mask nftables
Created symlink /etc/systemd/system/nftables.service → /dev/null.

Verify that the status of the nftables service is masked.

[student@servera ~]$ sudo systemctl status nftables
● nftables.service
   Loaded: masked (Reason: Unit nftables.service is masked.)
   Active: inactive (dead)

Verify that the status of the firewalld service is enabled and running.

[student@servera ~]$ sudo systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2019-05-22 15:36:02 CDT; 5min ago
     Docs: man:firewalld(1)
 Main PID: 703 (firewalld)
    Tasks: 2 (limit: 11405)
   Memory: 29.8M
   CGroup: /system.slice/firewalld.service
           └─703 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid

May 22 15:36:01 servera.lab.example.com systemd[1]: Starting firewalld - dynamic firewall daemon...
May 22 15:36:02 servera.lab.example.com systemd[1]: Started firewalld - dynamic firewall daemon.

Exit from servera.

[student@servera ~]$ exit
logout
Connection to servera closed.
[student@workstation ~]$

From workstation, open Firefox and log in to the Web Console running on servera to add the httpd service to the public network zone.
1. Open Firefox and browse to https://servera.lab.example.com:9090 to access the Web Console. Accept the self-signed certificate used by servera by adding an exception.
2. Select the check box next to Reuse my password for privileged tasks to ensure administrative privileges.
  Log in as student user with student as the password.
3. Click Networking in the left navigation bar.
4. Click the Firewall link in main Networking page.
5. Click the Add Services... button located in the upper right side of the Firewall page.
6. In the Add Services user interface, scroll down or use Filter Services to locate and select the check box next to the Secure WWW (HTTPS) service.
7. Click the Add Services button located at the lower right side of the Add Services user interface.
Return to a terminal on workstation and verify your work by attempting to view the web server contents of servera.
1. This command should fail:
```
[student@workstation ~]$ curl http://servera.lab.example.com
curl: (7) Failed to connect to servera.lab.example.com port 80: No route to host
```
2. This command should succeed:
```
[student@workstation ~]$ curl -k https://servera.lab.example.com
I am servera.
```
Note
If you use Firefox to connect to the web server, it will prompt for verification of the host certificate if it successfully gets past the firewall.

Finish

On workstation, run the lab netsecurity-firewalls finish script to complete this exercise.

[student@workstation ~]$ lab netsecurity-firewalls finish

This concludes the guided exercise.

Discuss Red Hat System Administration II

Go to community

Is It possible to reset root password when the system is on multi-user.target?

jennifer1987

27 lip 2023

Hi thereWell, i have a question, Is It possible to reset root password when the system is on multi-user.target? I was not be able to found a foro o some information related with this and another question that I have, If the grub menu dont show up, is it posible to reset the root password?

991

Red Hat System Administration II (RH134)

Haley_Ruccio

21 lip 2023

Build the skills to perform the key tasks needed to become a full-time Linux administratorRed Hat System Administration II (RH134) is the second part of the RHCSA training track for IT professionals who have already attended Red Hat System Administration I. The course goes deeper into core Linux system administration skills in storage configuration and management, installation and deployment of Red Hat Enterprise Linux, management of security features such as SELinux, control of recurring system tasks, management of the boot process and troubleshooting, basic system tuning, and command-line automation and productivity. This course assumes that students have attended Red Hat System Administration I (RH124).Experienced Linux administrators who seek rapid preparation for the RHCSA certification should instead start with RHCSA Rapid Track (RH199).This course is based on Red Hat Enterprise Linux 9.0.Course summaryInstall Red Hat Enterprise Linux using scalable methodsAccess security files, file systems, and networksExecute shell scripting and automation techniquesManage storage devices, logical volumes, and file systemsManage security and system accessControl the boot process and system servicesRun containersAudience for this courseThis course is geared toward Windows system administrators, network administrators, and other system administrators who are interested in supplementing current skills or backstopping other team members, in addition to Linux system administrators who are responsible for these tasks:Configuring, installing, upgrading, and maintaining Linux systems using established standards and proceduresProviding operational supportManaging systems for monitoring system performance and availabilityWriting and deploying scripts for task automation and system administrationRecommended trainingSuccessful completion of Red Hat System Administration I (RH124) is recommended.Experienced Linux administrators seeking to accelerate their path toward becoming a Red Hat Certified System Administrator should start with the RHCSA Rapid Track course (RH199).Take our free assessment to gauge whether this offering is the best fit for your skills.Technology considerationsThere are no special technology requirements.This course is not designed for bring your own device (BYOD).Internet access is not required, but is recommended to allow students to research and access Red Hat online resources.

Welcome to the Red Hat System Administration II (RH134) group in the Red Hat Learning Community!

Deanna

18 lip 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat System Administration II! To gain the most value from this group - click the "Join Group" button in the upper right hand corner.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH134.Read more about Red Hat System Administration II here.

417

Revision: rh134-8.2-f0a9756

Red Hat System Administration II

Guided Exercise: Managing Server Firewalls

Note